awsapi/src/com/cloud/bridge/model/SAcl.java

/*
 * Copyright (C) 2011 Citrix Systems, Inc.  All rights reserved.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.cloud.bridge.model;

import java.io.Serializable;
import java.util.Date;

import com.cloud.bridge.service.exception.UnsupportedException;
import com.cloud.bridge.util.OrderedPair;
import com.cloud.bridge.util.Triple;

/**
 * @author John Zucker, Kelven Yang
 * A model of stored ACLs to remember the ACL permissions per canonicalUserID per grantee
 * Hold the AWS S3 grantee and permission constants.
 * 
 * This class implements two forms of getCannedAccessControls mappings, as static methods,
 * 
 * (a) an OrderedPair which provides a maplet across
 *         < permission, grantee >
 * when given an aclRequestString and a target (i.e. bucket or object),
 * 
 * (b) a Triplet
 *         < permission1, permission2, symbol >
 * when given an aclRequestString, a target (i.e. bucket or object) and the ID of the owner.
 */
public class SAcl implements Serializable {
	private static final long serialVersionUID = 7900837117165018850L;

	public static final int GRANTEE_USER = 0;
	public static final int GRANTEE_ALLUSERS = 1;
	public static final int GRANTEE_AUTHENTICATED = 2;

	public static final int PERMISSION_PASS = -1;   // No ACL test required
	public static final int PERMISSION_NONE = 0;
	public static final int PERMISSION_READ = 1;
	public static final int PERMISSION_WRITE = 2;
	public static final int PERMISSION_READ_ACL = 4;
	public static final int PERMISSION_WRITE_ACL = 8;
	public static final int PERMISSION_FULL = (PERMISSION_READ | PERMISSION_WRITE | PERMISSION_READ_ACL | PERMISSION_WRITE_ACL);
	
	private Long id;
	
	private String target;
	private long targetId;

	private int granteeType;
	private String granteeCanonicalId;
	
	private int permission;
	private int grantOrder;
	
	private Date createTime;
	private Date lastModifiedTime;
	
	public SAcl() {
	}
	
	public Long getId() {
		return id;
	}
	
	private void setId(Long id) {
		this.id = id;
	}
	
	public String getTarget() {
		return target;
	}
	
	public void setTarget(String target) {
		this.target = target;
	}
	
	public long getTargetId() {
		return targetId;
	}
	
	public void setTargetId(long targetId) {
		this.targetId = targetId;
	}
	
	public int getGranteeType() {
		return granteeType;
	}
	
	public void setGranteeType(int granteeType) {
		this.granteeType = granteeType;
	}
	
	public String getGranteeCanonicalId() {
		return granteeCanonicalId;
	}
	
	public void setGranteeCanonicalId(String granteeCanonicalId) {
		this.granteeCanonicalId = granteeCanonicalId;
	}
	
	public int getPermission() {
		return permission;
	}
	
	public void setPermission(int permission) {
		this.permission = permission;
	}
	
	public int getGrantOrder() {
		return grantOrder;
	}
	
	public void setGrantOrder(int grantOrder) {
		this.grantOrder = grantOrder;
	}
	
	public Date getCreateTime() {
		return createTime;
	}
	
	public void setCreateTime(Date createTime) {
		this.createTime = createTime;
	}
	
	public Date getLastModifiedTime() {
		return lastModifiedTime;
	}
	
	public void setLastModifiedTime(Date lastModifiedTime) {
		this.lastModifiedTime = lastModifiedTime;
	}
	
	/** Return an OrderedPair 
	 *              < permission, grantee >
	 * comprising
	 * a permission - which is one of SAcl.PERMISSION_PASS, SAcl.PERMISSION_NONE, SAcl.PERMISSION_READ,
     *     SAcl.PERMISSION_WRITE, SAcl.PERMISSION_READ_ACL, SAcl.PERMISSION_WRITE_ACL, SAcl.PERMISSION_FULL
     * a grantee - which is one of GRANTEE_ALLUSERS, GRANTEE_AUTHENTICATED, GRANTEE_USER
     * 
	 * Access controls that are specified via the "x-amz-acl:" headers in REST requests for buckets.
	 * The ACL request string is treated as a request for a known cannedAccessPolicy
	 * @param aclRequestString - The requested ACL from the set of AWS S3 canned ACLs
	 * @param target - Either "SBucket" or otherwise assumed to be for a single object item
	 */
	public static OrderedPair <Integer,Integer> getCannedAccessControls ( String aclRequestString, String target )
		     throws UnsupportedException
		{
		    if ( aclRequestString.equalsIgnoreCase( "public-read" )) 
	             // All users granted READ access.
		    	 return new OrderedPair <Integer,Integer> (PERMISSION_READ,GRANTEE_ALLUSERS);
		    else if (aclRequestString.equalsIgnoreCase( "public-read-write" )) 
		    	 // All users granted READ and WRITE access
		    	return new OrderedPair <Integer,Integer> ((PERMISSION_READ | PERMISSION_WRITE),GRANTEE_ALLUSERS);
		    else if (aclRequestString.equalsIgnoreCase( "authenticated-read" )) 
			     // Authenticated users have READ access
		    	return new OrderedPair <Integer,Integer> (PERMISSION_READ,GRANTEE_AUTHENTICATED);
		    else if (aclRequestString.equalsIgnoreCase( "private" )) 
			     // Only Owner gets FULL_CONTROL
		    	return new OrderedPair <Integer,Integer> (PERMISSION_FULL,GRANTEE_USER);
		    else if (aclRequestString.equalsIgnoreCase( "bucket-owner-read" ))
		    {
		    	 // Object Owner gets FULL_CONTROL, Bucket Owner gets READ
		    	 if ( target.equalsIgnoreCase( "SBucket" ))  
		    		 return new OrderedPair <Integer,Integer> (PERMISSION_READ, GRANTEE_USER);
		    	 else
		    		  return new OrderedPair <Integer,Integer> (PERMISSION_FULL, GRANTEE_USER);   		 	    		 
		    }
		    else if (aclRequestString.equalsIgnoreCase( "bucket-owner-full-control" )) 
		    {
		    	 // Object Owner gets FULL_CONTROL, Bucket Owner gets FULL_CONTROL
		    	 // This is equivalent to private when used with PUT Bucket
		    	return new OrderedPair <Integer,Integer> (PERMISSION_FULL,GRANTEE_USER);
		    }
		    else throw new UnsupportedException( "Unknown Canned Access Policy: " + aclRequestString + " is not supported" );
		}
	
	/** Return a Triple 
	 *         < permission1, permission2, symbol >
	 *  comprising
	 * two permissions - which is one of SAcl.PERMISSION_PASS, SAcl.PERMISSION_NONE, SAcl.PERMISSION_READ,
     *     SAcl.PERMISSION_WRITE, SAcl.PERMISSION_READ_ACL, SAcl.PERMISSION_WRITE_ACL, SAcl.PERMISSION_FULL
     * permission1 applies to objects, permission2 applies to buckets.
     * a symbol to indicate whether the principal is anonymous (i.e. string "A") or authenticated user (i.e.
     *     string "*") - otherwise null indicates a single ACL for all users.
     *     
	 * Access controls that are specified via the "x-amz-acl:" headers in REST requests for buckets.
	 * The ACL request string is treated as a request for a known cannedAccessPolicy
	 * @param aclRequestString - The requested ACL from the set of AWS S3 canned ACLs
	 * @param target - Either "SBucket" or otherwise assumed to be for a single object item
	 * @param ownerID - An ID for the owner, if used in place of symbols "A" or "*"
	 */
	public static Triple <Integer,Integer,String> getCannedAccessControls ( String aclRequestString, String target, String ownerID )
	     throws UnsupportedException
	{
	    if ( aclRequestString.equalsIgnoreCase( "public-read" )) 
             // Owner gets FULL_CONTROL and the anonymous principal (the 'A' symbol here) is granted READ access.
	    	 return new Triple <Integer, Integer, String> (PERMISSION_FULL, PERMISSION_READ,"A");
	    else if (aclRequestString.equalsIgnoreCase( "public-read-write" )) 
	    	 // Owner gets FULL_CONTROL and the anonymous principal (the 'A' symbol here) is granted READ and WRITE access
	    	return new Triple <Integer, Integer, String> (PERMISSION_FULL, (PERMISSION_READ | PERMISSION_WRITE),"A");
	    else if (aclRequestString.equalsIgnoreCase( "authenticated-read" )) 
		     // Owner gets FULL_CONTROL and ANY principal authenticated as a registered S3 user (the '*' symbol here) is granted READ access
	    	return new Triple <Integer, Integer, String> (PERMISSION_FULL, PERMISSION_READ,"*");
	    else if (aclRequestString.equalsIgnoreCase( "private" )) 
		     // This is termed the "private" or default ACL, "Owner gets FULL_CONTROL"
	    	return new Triple <Integer, Integer, String> (PERMISSION_FULL, PERMISSION_FULL,null);
	    else if (aclRequestString.equalsIgnoreCase( "bucket-owner-read" ))
	    {
	    	 // Object Owner gets FULL_CONTROL, Bucket Owner gets READ
	    	 // This is equivalent to private when used with PUT Bucket
	    	 if ( target.equalsIgnoreCase( "SBucket" ))  
	    		  return new Triple <Integer, Integer, String> (PERMISSION_FULL,PERMISSION_FULL ,null);   		 
	    	 else 
	    		 return new Triple <Integer, Integer, String> (PERMISSION_FULL,PERMISSION_READ,ownerID);
	    }
	    else if (aclRequestString.equalsIgnoreCase( "bucket-owner-full-control" )) 
	    {
	    	 // Object Owner gets FULL_CONTROL, Bucket Owner gets FULL_CONTROL
	    	 // This is equivalent to private when used with PUT Bucket
	    	 if ( target.equalsIgnoreCase( "SBucket" ))  
	    		 return new Triple <Integer, Integer, String> (PERMISSION_FULL, PERMISSION_FULL, null);    		 
	    	 else 
	    		 return new Triple <Integer, Integer, String> (PERMISSION_FULL,PERMISSION_FULL, ownerID);
	    }
	    else throw new UnsupportedException( "Unknown Canned Access Policy: " + aclRequestString + " is not supported" );
	}
		
}