| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.usergrid.security.shiro.utils; |
| |
| |
| import java.util.Map; |
| import java.util.Set; |
| import java.util.UUID; |
| |
| import com.google.common.collect.HashBiMap; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| import org.apache.usergrid.management.ApplicationInfo; |
| import org.apache.usergrid.management.OrganizationInfo; |
| import org.apache.usergrid.management.UserInfo; |
| import org.apache.usergrid.security.shiro.PrincipalCredentialsToken; |
| import org.apache.usergrid.security.shiro.principals.UserPrincipal; |
| |
| import org.apache.commons.lang.StringUtils; |
| import org.apache.shiro.SecurityUtils; |
| import org.apache.shiro.UnavailableSecurityManagerException; |
| import org.apache.shiro.session.Session; |
| import org.apache.shiro.subject.Subject; |
| |
| import com.google.common.collect.BiMap; |
| |
| import static org.apache.commons.lang.StringUtils.isNotBlank; |
| import org.apache.usergrid.persistence.index.query.Identifier; |
| import static org.apache.usergrid.security.shiro.Realm.ROLE_ADMIN_USER; |
| import static org.apache.usergrid.security.shiro.Realm.ROLE_APPLICATION_ADMIN; |
| import static org.apache.usergrid.security.shiro.Realm.ROLE_APPLICATION_USER; |
| import static org.apache.usergrid.security.shiro.Realm.ROLE_ORGANIZATION_ADMIN; |
| import static org.apache.usergrid.security.shiro.Realm.ROLE_SERVICE_ADMIN; |
| |
| |
| public class SubjectUtils { |
| |
| private static final Logger logger = LoggerFactory.getLogger( SubjectUtils.class ); |
| |
| |
| public static boolean isAnonymous() { |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return true; |
| } |
| return !currentUser.isAuthenticated() && !currentUser.isRemembered(); |
| } |
| |
| |
| public static boolean isOrganizationAdmin() { |
| if ( isServiceAdmin() ) { |
| return true; |
| } |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return false; |
| } |
| return currentUser.hasRole( ROLE_ORGANIZATION_ADMIN ); |
| } |
| |
| |
| public static BiMap<UUID, String> getOrganizations() { |
| Subject currentUser = getSubject(); |
| if ( !isOrganizationAdmin() ) { |
| return null; |
| } |
| Session session = currentUser.getSession(); |
| BiMap<UUID, String> organizations = HashBiMap.create(); |
| Map map = (Map)session.getAttribute( "organizations" ); |
| organizations.putAll(map); |
| return organizations; |
| } |
| |
| |
| public static boolean isPermittedAccessToOrganization( Identifier identifier ) { |
| if ( isServiceAdmin() ) { |
| return true; |
| } |
| OrganizationInfo organization = getOrganization( identifier ); |
| if ( organization == null ) { |
| return false; |
| } |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return false; |
| } |
| return currentUser.isPermitted( "organizations:access:" + organization.getUuid() ); |
| } |
| |
| |
| public static OrganizationInfo getOrganization( Identifier identifier ) { |
| if ( identifier == null ) { |
| return null; |
| } |
| UUID organizationId = null; |
| String organizationName = null; |
| BiMap<UUID, String> organizations = getOrganizations(); |
| if ( organizations == null ) { |
| return null; |
| } |
| if ( identifier.isName() ) { |
| organizationName = identifier.getName().toLowerCase(); |
| organizationId = organizations.inverse().get( organizationName ); |
| } |
| else if ( identifier.isUUID() ) { |
| organizationId = identifier.getUUID(); |
| organizationName = organizations.get( organizationId ); |
| } |
| if ( ( organizationId != null ) && ( organizationName != null ) ) { |
| return new OrganizationInfo( organizationId, organizationName ); |
| } |
| return null; |
| } |
| |
| |
| public static OrganizationInfo getOrganization() { |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return null; |
| } |
| if ( !currentUser.hasRole( ROLE_ORGANIZATION_ADMIN ) ) { |
| return null; |
| } |
| Session session = currentUser.getSession(); |
| OrganizationInfo organization = ( OrganizationInfo ) session.getAttribute( "organization" ); |
| return organization; |
| } |
| |
| |
| public static String getOrganizationName() { |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return null; |
| } |
| if ( !currentUser.hasRole( ROLE_ORGANIZATION_ADMIN ) ) { |
| return null; |
| } |
| Session session = currentUser.getSession(); |
| OrganizationInfo organization = ( OrganizationInfo ) session.getAttribute( "organization" ); |
| if ( organization == null ) { |
| return null; |
| } |
| return organization.getName(); |
| } |
| |
| |
| public static UUID getOrganizationId() { |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return null; |
| } |
| if ( !currentUser.hasRole( ROLE_ORGANIZATION_ADMIN ) ) { |
| return null; |
| } |
| Session session = currentUser.getSession(); |
| OrganizationInfo organization = ( OrganizationInfo ) session.getAttribute( "organization" ); |
| if ( organization == null ) { |
| return null; |
| } |
| return organization.getUuid(); |
| } |
| |
| |
| public static Set<String> getOrganizationNames() { |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return null; |
| } |
| if ( !currentUser.hasRole( ROLE_ORGANIZATION_ADMIN ) ) { |
| return null; |
| } |
| BiMap<UUID, String> organizations = getOrganizations(); |
| if ( organizations == null ) { |
| return null; |
| } |
| return organizations.inverse().keySet(); |
| } |
| |
| |
| public static boolean isApplicationAdmin() { |
| if ( isServiceAdmin() ) { |
| return true; |
| } |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return false; |
| } |
| boolean admin = currentUser.hasRole( ROLE_APPLICATION_ADMIN ); |
| return admin; |
| } |
| |
| |
| public static boolean isPermittedAccessToApplication( Identifier identifier ) { |
| if ( isServiceAdmin() ) { |
| return true; |
| } |
| ApplicationInfo application = getApplication( identifier ); |
| if ( application == null ) { |
| return false; |
| } |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return false; |
| } |
| return currentUser.isPermitted( "applications:access:" + application.getId() ); |
| } |
| |
| |
| public static boolean isApplicationAdmin( Identifier identifier ) { |
| if ( isServiceAdmin() ) { |
| return true; |
| } |
| ApplicationInfo application = getApplication( identifier ); |
| if ( application == null ) { |
| return false; |
| } |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return false; |
| } |
| return currentUser.isPermitted( "applications:admin:" + application.getId() ); |
| } |
| |
| |
| public static ApplicationInfo getApplication( Identifier identifier ) { |
| if ( identifier == null ) { |
| return null; |
| } |
| if ( !isApplicationAdmin() && !isApplicationUser() ) { |
| return null; |
| } |
| String applicationName = null; |
| UUID applicationId = null; |
| BiMap<UUID, String> applications = getApplications(); |
| |
| if ( applications == null ) { |
| return null; |
| } |
| if ( identifier.isName() ) { |
| applicationName = identifier.getName().toLowerCase(); |
| applicationId = applications.inverse().get( applicationName ); |
| } |
| else if ( identifier.isUUID() ) { |
| applicationId = identifier.getUUID(); |
| applicationName = applications.get( identifier.getUUID() ); |
| } |
| if ( ( applicationId != null ) && ( applicationName != null ) ) { |
| return new ApplicationInfo( applicationId, applicationName ); |
| } |
| return null; |
| } |
| |
| |
| @SuppressWarnings( "unchecked" ) |
| public static BiMap<UUID, String> getApplications() { |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return null; |
| } |
| if ( !currentUser.hasRole( ROLE_APPLICATION_ADMIN ) && !currentUser.hasRole( ROLE_APPLICATION_USER ) ) { |
| return null; |
| } |
| Session session = currentUser.getSession(); |
| |
| BiMap<UUID, String> applications = HashBiMap.create(); |
| Map map = (Map)session.getAttribute( "applications" ); |
| applications.putAll(map); |
| return applications; |
| } |
| |
| |
| public static boolean isServiceAdmin() { |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return false; |
| } |
| return currentUser.hasRole( ROLE_SERVICE_ADMIN ); |
| } |
| |
| |
| public static boolean isApplicationUser() { |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return false; |
| } |
| return currentUser.hasRole( ROLE_APPLICATION_USER ); |
| } |
| |
| |
| public static boolean isAdminUser() { |
| if ( isServiceAdmin() ) { |
| return true; |
| } |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return false; |
| } |
| return currentUser.hasRole( ROLE_ADMIN_USER ); |
| } |
| |
| |
| public static UserInfo getUser() { |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return null; |
| } |
| if ( !( currentUser.getPrincipal() instanceof UserPrincipal ) ) { |
| return null; |
| } |
| UserPrincipal principal = ( UserPrincipal ) currentUser.getPrincipal(); |
| return principal.getUser(); |
| } |
| |
| |
| public static UserInfo getAdminUser() { |
| UserInfo user = getUser(); |
| if ( user == null ) { |
| return null; |
| } |
| return user.isAdminUser() ? user : null; |
| } |
| |
| |
| public static UUID getSubjectUserId() { |
| |
| UserInfo info = getUser(); |
| if ( info == null ) { |
| return null; |
| } |
| |
| return info.getUuid(); |
| } |
| |
| |
| public static boolean isUserActivated() { |
| UserInfo user = getUser(); |
| if ( user == null ) { |
| return false; |
| } |
| return user.isActivated(); |
| } |
| |
| |
| public static boolean isUserEnabled() { |
| UserInfo user = getUser(); |
| if ( user == null ) { |
| return false; |
| } |
| return !user.isDisabled(); |
| } |
| |
| |
| public static boolean isUser( Identifier identifier ) { |
| if ( identifier == null ) { |
| return false; |
| } |
| UserInfo user = getUser(); |
| if ( user == null ) { |
| return false; |
| } |
| if ( identifier.isUUID() ) { |
| return user.getUuid().equals( identifier.getUUID() ); |
| } |
| if ( identifier.isEmail() ) { |
| return user.getEmail().equalsIgnoreCase( identifier.getEmail() ); |
| } |
| if ( identifier.isName() ) { |
| return user.getUsername().equals( identifier.getName() ); |
| } |
| return false; |
| } |
| |
| |
| public static boolean isPermittedAccessToUser( UUID userId ) { |
| if ( isServiceAdmin() ) { |
| return true; |
| } |
| if ( userId == null ) { |
| return false; |
| } |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return false; |
| } |
| return currentUser.isPermitted( "users:access:" + userId ); |
| } |
| |
| |
| public static String getPermissionFromPath( UUID applicationId, String operations, String... paths ) { |
| String permission = "applications:" + operations + ":" + applicationId; |
| String p = StringUtils.join( paths, ',' ); |
| permission += ( isNotBlank( p ) ? ":" + p : "" ); |
| return permission; |
| } |
| |
| |
| public static Subject getSubject() { |
| Subject currentUser = null; |
| try { |
| currentUser = SecurityUtils.getSubject(); |
| } |
| catch ( UnavailableSecurityManagerException e ) { |
| logger.error( "getSubject(): Attempt to use Shiro prior to initialization" ); |
| } |
| return currentUser; |
| } |
| |
| |
| public static void checkPermission( String permission ) { |
| Subject currentUser = getSubject(); |
| if ( currentUser == null ) { |
| return; |
| } |
| try { |
| currentUser.checkPermission( permission ); |
| } |
| catch ( org.apache.shiro.authz.UnauthenticatedException e ) { |
| if (logger.isTraceEnabled()) { |
| logger.trace("checkPermission(): Subject is anonymous"); |
| } |
| } |
| } |
| |
| |
| public static void loginApplicationGuest( ApplicationInfo application ) { |
| if ( application == null ) { |
| logger.error( "loginApplicationGuest(): Null application" ); |
| return; |
| } |
| if ( isAnonymous() ) { |
| Subject subject = SubjectUtils.getSubject(); |
| PrincipalCredentialsToken token = |
| PrincipalCredentialsToken.getGuestCredentialsFromApplicationInfo( application ); |
| subject.login( token ); |
| } |
| else { |
| logger.error( "loginApplicationGuest(): Logging in non-anonymous user as guest not allowed" ); |
| } |
| } |
| } |