Package com.evolveum.midpoint.security.enforcer.api

Class PositiveNegativeItemPaths

java.lang.Object
com.evolveum.midpoint.security.enforcer.api.PositiveNegativeItemPaths
All Implemented Interfaces:
ShortDumpable
public class PositiveNegativeItemPaths extends Object implements ShortDumpable
Supports "intelligent" specification of a set of item paths formed by three kinds of primitives: - "include all items" (corresponds to an authorization with neither `item` nor `exceptItem` values) - "include specified items (plus children)" (corresponds to an authorization with `item` values) - "include all items except for specified items (plus children)" (corresponds to an authorization with `exceptItem` values) This object is gradually built by calling collectItemPaths(Collection, Collection) method providing increments to `item` and `exceptItem` sets. Then, it is queried by calling includes(ItemPath) to determine whether given item path is _completely_ covered by this set. An alternative approach is represented by PrismEntityOpConstraints and its implementations: . This (older) class is used e.g. in ObjectSecurityConstraints implementation, returned e.g. by SecurityEnforcer.compileSecurityConstraints(PrismObject, boolean, SecurityEnforcer.Options, Task, OperationResult) method. . The newer class (PrismEntityOpConstraints) is used e.g. as a return value of narrow-focused SecurityEnforcer.compileOperationConstraints(MidPointPrincipal, PrismObjectValue, AuthorizationPhaseType, String[], SecurityEnforcer.Options, CompileConstraintsOptions, Task, OperationResult).
Author:
semancik

  • Constructor Details

    • PositiveNegativeItemPaths

      public PositiveNegativeItemPaths()

  • Method Details

    • includesAllItems

      public boolean includesAllItems()

    • getIncludedItems

      @NotNull protected @NotNull List<? extends ItemPath> getIncludedItems()

    • getExcludedItems

      @NotNull protected @NotNull List<? extends ItemPath> getExcludedItems()

    • collectItemPaths

      protected void collectItemPaths(Collection<? extends ItemPath> newIncludedItems, Collection<? extends ItemPath> newExcludedItems)
      Augments this specification with additional "included" (~ item) and "excluded" (~ exceptItem) item path collections. Note that currently `newIncludeItems` and `newExcludeItems` cannot be both non-empty.

    • includes

      public boolean includes(ItemPath nameOnlyItemPath)
      Is given `nameOnlyItemPath` considered to be _completely included_ in this specification? Generally, the contract of this method is intuitive. For completeness, see the comments inside. The only non-obvious part is handling of excluded items at levels deeper than one. For example, let us assume we have - `includedItems` = `name`, `description` - `excludedItems` = `assignment/activation` Then, all paths except for the following ones are considered to be "completely included": - `assignment` (because the `activation` child is excluded) - `assignment/activation` - `assignment/activation/xyz` (where `xyz` are children i.e. `administrativeStatus`, `validFrom`, `validTo`, and so on) Other children of `assignment` (like `assignment/targetRef`) are completely included.

    • toString

      public String toString()
      Overrides:
      toString in class Object

    • shortDump

      public void shortDump(StringBuilder sb)
      Description copied from interface: ShortDumpable
      Show the content of the object intended for diagnostics. This method is supposed to append a compact, human-readable output in a single line. Unlike toString() method, there is no requirement to identify the actual class or type of the object. It is assumed that the class/type will be obvious from the context in which the output is used.
      Specified by:
      shortDump in interface ShortDumpable
      Parameters:
      sb - StringBuilder to which to a compact one-line content of the object intended for diagnostics by system administrator should be appended.

    • dumpItems

      protected void dumpItems(StringBuilder sb, List<? extends ItemPath> items)