/*******************************************************************************
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*******************************************************************************/
package org.ofbiz.service;
import java.io.Serializable;
import java.util.List;
import java.util.Map;
import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.UtilValidate;
import org.ofbiz.entity.GenericValue;
import org.ofbiz.entity.util.EntityUtil;
import org.ofbiz.security.Security;
import org.ofbiz.security.authz.Authorization;
/**
* Service Permission Model Class
*/
@SuppressWarnings("serial")
public class ModelPermission implements Serializable {
public static final String module = ModelPermission.class.getName();
public static final int PERMISSION = 1;
public static final int ENTITY_PERMISSION = 2;
public static final int ROLE_MEMBER = 3;
public static final int PERMISSION_SERVICE = 4;
public ModelService serviceModel = null;
public int permissionType = 0;
public String nameOrRole = null;
public String action = null;
public String permissionServiceName = null;
public String permissionResourceDesc = null;
public Boolean auth;
public String clazz = null;
public boolean evalPermission(DispatchContext dctx, Map<String, ? extends Object> context) {
GenericValue userLogin = (GenericValue) context.get("userLogin");
Authorization authz = dctx.getAuthorization();
Security security = dctx.getSecurity();
if (userLogin == null) {
Debug.logInfo("Secure service requested with no userLogin object", module);
return false;
}
switch (permissionType) {
case PERMISSION:
return evalAuthzPermission(authz, userLogin, context);
case ENTITY_PERMISSION:
return evalEntityPermission(security, userLogin);
case ROLE_MEMBER:
return evalRoleMember(userLogin);
case PERMISSION_SERVICE:
return evalPermissionService(serviceModel, dctx, context);
default:
Debug.logWarning("Invalid permission type [" + permissionType + "] for permission named : " + nameOrRole + " on service : " + serviceModel.name, module);
return false;
}
}
private boolean evalAuthzPermission(Authorization authz, GenericValue userLogin, Map<String, ? extends Object> context) {
if (nameOrRole == null) {
Debug.logWarning("Null permission name passed for evaluation", module);
return false;
}
return authz.hasPermission(userLogin.getString("userLoginId"), nameOrRole, context);
}
private boolean evalEntityPermission(Security security, GenericValue userLogin) {
if (nameOrRole == null) {
Debug.logWarning("Null permission name passed for evaluation", module);
return false;
}
if (action == null) {
Debug.logWarning("Null action passed for evaluation", module);
}
return security.hasEntityPermission(nameOrRole, action, userLogin);
}
private boolean evalRoleMember(GenericValue userLogin) {
if (nameOrRole == null) {
Debug.logWarning("Null role type name passed for evaluation", module);
return false;
}
List<GenericValue> partyRoles = null;
/** (jaz) THIS IS NOT SECURE AT ALL
try {
partyRoles = delegator.findByAnd("PartyRole", "roleTypeId", nameOrRole, "partyId", userLogin.get("partyId"));
} catch (GenericEntityException e) {
Debug.logError(e, "Unable to lookup PartyRole records", module);
}
**/
if (UtilValidate.isNotEmpty(partyRoles)) {
partyRoles = EntityUtil.filterByDate(partyRoles);
if (UtilValidate.isNotEmpty(partyRoles)) {
return true;
}
}
return false;
}
private boolean evalPermissionService(ModelService origService, DispatchContext dctx, Map<String, ? extends Object> context) {
ModelService permission;
if (permissionServiceName == null) {
Debug.logWarning("No ModelService found; no service name specified!", module);
return false;
}
try {
permission = dctx.getModelService(permissionServiceName);
} catch (GenericServiceException e) {
Debug.logError(e, "Failed to get ModelService: " + e.toString(), module);
return false;
}
if (permission == null) {
Debug.logError("No ModelService found with the name [" + permissionServiceName + "]", module);
return false;
}
permission.auth = true;
Map<String, Object> ctx = permission.makeValid(context, ModelService.IN_PARAM);
if (UtilValidate.isNotEmpty(action)) {
ctx.put("mainAction", action);
}
if (UtilValidate.isNotEmpty(permissionResourceDesc)) {
ctx.put("resourceDescription", permissionResourceDesc);
} else if (origService != null) {
ctx.put("resourceDescription", origService.name);
}
LocalDispatcher dispatcher = dctx.getDispatcher();
Map<String, Object> resp;
String failMessage = null;
try {
resp = dispatcher.runSync(permission.name, ctx, 300, true);
failMessage = (String) resp.get("failMessage");
} catch (GenericServiceException e) {
Debug.logError(failMessage + e.getMessage(), module);
return false;
}
if (ServiceUtil.isError(resp) || ServiceUtil.isFailure(resp)) {
Debug.logError(failMessage, module);
return false;
}
return ((Boolean) resp.get("hasPermission")).booleanValue();
}
}