[utils] / security / impl / src / main / java / org / wamblee / security / authorization / UrlAuthorizationRule.java

/*
 * Copyright 2005-2010 the original author or authors.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */ 
package org.wamblee.security.authorization;

import static org.wamblee.security.authorization.AuthorizationResult.*;

import javax.enterprise.inject.Typed;
import javax.persistence.Access;
import javax.persistence.AccessType;
import javax.persistence.CascadeType;
import javax.persistence.Column;
import javax.persistence.DiscriminatorValue;
import javax.persistence.Entity;
import javax.persistence.JoinColumn;
import javax.persistence.ManyToOne;
import javax.persistence.OneToOne;
import javax.persistence.Transient;

import org.apache.log4j.Logger;
import org.wamblee.security.authentication.User;
import org.wamblee.security.authentication.UserAdministration;

/**
 * Utility base class for implementation of authentication rules based on the
 * <ul>
 * <li>The path of the resource. To obtain the path of a resource, subclasses
 * must implement {@link #getResourcePath(Object)}. Whether a path is
 * appropriate is determined by a
 * {@link org.wamblee.security.authorization.AbstractPathCondition}.</li>
 * <li>The user identity with which the resource is accessed. Whether a user is
 * appropriate is determined by a
 * {@link org.wamblee.security.authorization.AbstractUserCondition}.</li>
 * <li>The operation that is requested. Whether the operation is appropriate is
 * determined by a {@link org.wamblee.security.authorization.AbstractOperationCondition}
 * .</li>
 * </ul>
 * In case all three conditions match, the condition returns the configured
 * result passed at construction (GRANTED or DENIED). If the resource is not of
 * the specified type, the result is UNSUPPORTED_RESOURCE, otherwise, the result
 * is UNDECIDED.
 */
@Entity
@Access(AccessType.PROPERTY)
public abstract class UrlAuthorizationRule extends AbstractAuthorizationRule {
    private static final Logger LOGGER = Logger
        .getLogger(UrlAuthorizationRule.class);

    /**
     * Result that the rule will return in case there is a match.
     */
    private AuthorizationResult result;

    /**
     * A condition which specifies which users the rule is for.
     */
    private UserCondition userCondition;

    /**
     * Path the rule applies for.
     */
    private PathCondition pathCondition;

    /**
     * Resource class that the rule applies for.
     */
    private Class resourceClass;

    /**
     * Operation that this rule is for.
     */
    
    private OperationCondition operationCondition;

    /**
     * Constructs an authorization rule. IF the group and path match, then the
     * provided result will be returned.
     * 
     * @param aResult
     *            Result of the authorization when the path and group match.
     * @param aUserCondition
     *            Condition to match users.
     * @param aPathCondition
     *            Condition to match paths with.
     * @param aResourceClass
     *            Supported resource class this is for.
     * @param aOperationCondition
     *            Condition to match the operation with.
     */
    protected UrlAuthorizationRule(AuthorizationResult aResult,
        UserCondition aUserCondition, PathCondition aPathCondition,
        Class aResourceClass, OperationCondition aOperationCondition) {
        if (!aResult.equals(GRANTED) && !aResult.equals(DENIED)) {
            throw new IllegalArgumentException(
                "Only GRANTED or DENIED may be used: " + aResult);
        }

        result = aResult;
        userCondition = aUserCondition;
        pathCondition = aPathCondition;
        resourceClass = aResourceClass;
        operationCondition = aOperationCondition;
    }

    /**
     * For OR mapping.
     * 
     */
    protected UrlAuthorizationRule(Class aResourceClass) {
        result = null;
        userCondition = null;
        pathCondition = null;
        resourceClass = aResourceClass;
        operationCondition = null;
    }

    /**
     * For OR mapping.
     * 
     */
    protected UrlAuthorizationRule() {
        result = null;
        userCondition = null;
        pathCondition = null;
        resourceClass = null;
        operationCondition = null;
    }

    /*
     * (non-Javadoc)
     * 
     * @see
     * org.wamblee.security.authorization.AuthorizationRule#getSupportedTypes()
     */
    @Transient
    public Class[] getSupportedTypes() {
        return new Class[] { resourceClass };
    }

    /*
     * (non-Javadoc)
     * 
     * @see
     * org.wamblee.security.authorization.AuthorizationRule#isAllowed(java.lang
     * .Object, org.wamblee.security.authorization.Operation)
     */
    public AuthorizationResult isAllowed(Object aResource,
        Operation aOperation, String aUser) {
        if (!resourceClass.isInstance(aResource)) {
            return UNSUPPORTED_RESOURCE;
        }

        String path = getResourcePath(aResource);

        return isAllowedWithPath(path, aOperation, aUser);
    }

    /**
     * Determines if the operation is allowed on the resource.
     * 
     * @param aPath
     *            Path of the resource.
     * @param aOperation
     *            Operation to be done.
     * @param aUser
     *            Currently logged in user or null if no user is logged in.
     * 
     * @return Authorization result,
     */
    protected AuthorizationResult isAllowedWithPath(String aPath, Operation aOperation,
        String aUser) {
        if (!pathCondition.matches(aPath)) {
            return UNDECIDED;
        }

        if (!operationCondition.matches(aOperation)) {
            return UNDECIDED;
        }

        if (!userCondition.matches(aUser)) {
            return UNDECIDED;
        }

        return result;
    }

    /**
     * Gets the path of the resource.
     * 
     * @param aResource
     *            Resource, guaranteed to be an instance of
     *            {@link #resourceClass}.
     * 
     * @return Path of the resource.
     */
    protected abstract String getResourcePath(Object aResource);

    /*
     * (non-Javadoc)
     * 
     * @see java.lang.Object#toString()
     */
    @Override
    public String toString() {
        return "UrlAUthorizationRule(result = " + result +
            ", pathCondition = " + pathCondition + ", userCondition = " +
            userCondition + ", resourceClass = " + resourceClass + ")";
    }

    /**
     * Gets the authorization result for OR mapping.
     * 
     * @return Result.
     */
    @Column(name = "AUTH_RESULT", nullable = false)
    protected String getAuthorizationResultString() {
        if (result == null) {
            return null;
        }

        return result.toString();
    }

    /**
     * Sets the authorization result, for OR mapping.
     * 
     * @param aResult
     *            Result.
     */
    protected void setAuthorizationResultString(String aResult) {
        result = AuthorizationResult.valueOf(aResult);
    }

    @Column(name = "RES_CLASSNAME", nullable = false)
    protected String getResourceClassName() {
        if (resourceClass == null) {
            return "";
        }

        return resourceClass.getName();
    }

    protected void setResourceClassName(String aResourceClass) {
        try {
            resourceClass = Class.forName(aResourceClass);
        } catch (ClassNotFoundException e) {
            LOGGER.error("Cannot find resource class '" + aResourceClass + "'",
                e);
            throw new IllegalArgumentException(e.getMessage(), e);
        }
    }

    /**
     * 
     * @return Returns the operationCondition.
     */
    @OneToOne(cascade = CascadeType.ALL, targetEntity = AbstractOperationCondition.class, orphanRemoval = true)
    @JoinColumn(name = "OPER_COND_PK")
    public OperationCondition getOperationCondition() {
        return operationCondition;
    }

    /**
     * 
     * @param aOperationCondition
     *            The operationCondition to set.
     */
    protected void setOperationCondition(OperationCondition aOperationCondition) {
        operationCondition = aOperationCondition;
    }

    /**
     * 
     * @return Returns the pathCondition.
     */
    @OneToOne(cascade = CascadeType.ALL, targetEntity = AbstractPathCondition.class, orphanRemoval = true)
    @JoinColumn(name = "PATH_COND_PK")
    public PathCondition getPathCondition() {
        return pathCondition;
    }

    /**
     * 
     * @param aPathCondition
     *            The pathCondition to set.
     */
    protected void setPathCondition(PathCondition aPathCondition) {
        pathCondition = aPathCondition;
    }

    /**
     * 
     * @return Returns the userCondition.
     */
    @OneToOne(cascade = CascadeType.ALL, targetEntity = AbstractUserCondition.class, orphanRemoval = true)
    @JoinColumn(name = "USER_COND_PK")
    public UserCondition getUserCondition() {
        return userCondition;
    }

    /**
     * 
     * @param aUserCondition
     *            The userCondition to set.
     */
    protected void setUserCondition(UserCondition aUserCondition) {
        userCondition = aUserCondition;
    }
    
    @Override
    public void setUserAdministration(UserAdministration aAdmin) {
        userCondition.setUserAdmin(aAdmin);   
    }

}