Source code

001/*
002 * This library is part of OpenCms -
003 * the Open Source Content Management System
004 *
005 * Copyright (c) Alkacon Software GmbH & Co. KG (http://www.alkacon.com)
006 *
007 * This library is free software; you can redistribute it and/or
008 * modify it under the terms of the GNU Lesser General Public
009 * License as published by the Free Software Foundation; either
010 * version 2.1 of the License, or (at your option) any later version.
011 *
012 * This library is distributed in the hope that it will be useful,
013 * but WITHOUT ANY WARRANTY; without even the implied warranty of
014 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015 * Lesser General Public License for more details.
016 *
017 * For further information about Alkacon Software GmbH & Co. KG, please see the
018 * company website: http://www.alkacon.com
019 *
020 * For further information about OpenCms, please see the
021 * project website: http://www.opencms.org
022 *
023 * You should have received a copy of the GNU Lesser General Public
024 * License along with this library; if not, write to the Free Software
025 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
026 */
027
028package org.opencms.security;
029
030import org.opencms.db.CmsSecurityManager;
031import org.opencms.file.CmsGroup;
032import org.opencms.file.CmsObject;
033import org.opencms.file.CmsResource;
034import org.opencms.file.CmsResourceFilter;
035import org.opencms.file.CmsUser;
036import org.opencms.main.CmsException;
037import org.opencms.main.OpenCms;
038
039import java.util.ArrayList;
040import java.util.Iterator;
041import java.util.List;
042import java.util.Set;
043
044import com.google.common.collect.Lists;
045
046/**
047 * This manager provide access to the role related operations.<p>
048 *
049 * @since 6.5.6
050 */
051public class CmsRoleManager {
052
053    /** The security manager. */
054    private final CmsSecurityManager m_securityManager;
055
056    /**
057     * Default constructor.<p>
058     *
059     * @param securityManager the security manager
060     */
061    public CmsRoleManager(CmsSecurityManager securityManager) {
062
063        m_securityManager = securityManager;
064    }
065
066    /**
067     * Adds a user to the given role.<p>
068     *
069     * @param cms the opencms context
070     * @param role the role
071     * @param username the name of the user that is to be added to the role
072     *
073     * @throws CmsException if something goes wrong
074     */
075    public void addUserToRole(CmsObject cms, CmsRole role, String username) throws CmsException {
076
077        m_securityManager.addUserToGroup(cms.getRequestContext(), username, role.getGroupName(), true);
078    }
079
080    /**
081     * Checks if the user of this OpenCms context is a member of the given role
082     * for the given organizational unit.<p>
083     *
084     * The user must have the given role in at least one parent organizational unit.<p>
085     *
086     * @param cms the opencms context
087     * @param role the role to check
088     *
089     * @throws CmsRoleViolationException if the user does not have the required role permissions
090     */
091    public void checkRole(CmsObject cms, CmsRole role) throws CmsRoleViolationException {
092
093        m_securityManager.checkRole(cms.getRequestContext(), role);
094    }
095
096    /**
097     * Checks if the user of this OpenCms context is a member of the given role
098     * for the given resource.<p>
099     *
100     * The user must have the given role in at least one organizational unit to which this resource belongs.<p>
101     *
102     * @param cms the opencms context
103     * @param role the role to check
104     * @param resourceName the name of the resource to check the role for
105     *
106     * @throws CmsRoleViolationException if the user does not have the required role permissions
107     * @throws CmsException if something goes wrong, while reading the resource
108     */
109    public void checkRoleForResource(CmsObject cms, CmsRole role, String resourceName)
110    throws CmsException, CmsRoleViolationException {
111
112        CmsResource resource = cms.readResource(resourceName, CmsResourceFilter.ALL);
113        m_securityManager.checkRoleForResource(cms.getRequestContext(), role, resource);
114    }
115
116    /**
117     * Returns all groups of organizational units for which the current user
118     * has the {@link CmsRole#ACCOUNT_MANAGER} role.<p>
119     *
120     * @param cms the current cms context
121     * @param ouFqn the fully qualified name of the organizational unit
122     * @param includeSubOus if sub organizational units should be included in the search
123     *
124     * @return a list of {@link org.opencms.file.CmsGroup} objects
125     *
126     * @throws CmsException if something goes wrong
127     */
128    public List<CmsGroup> getManageableGroups(CmsObject cms, String ouFqn, boolean includeSubOus) throws CmsException {
129
130        List<CmsGroup> groups = new ArrayList<CmsGroup>();
131        Iterator<CmsOrganizationalUnit> it = getOrgUnitsForRole(
132            cms,
133            CmsRole.ACCOUNT_MANAGER.forOrgUnit(ouFqn),
134            includeSubOus).iterator();
135        while (it.hasNext()) {
136            CmsOrganizationalUnit orgUnit = it.next();
137            groups.addAll(OpenCms.getOrgUnitManager().getGroups(cms, orgUnit.getName(), false));
138        }
139        return groups;
140    }
141
142    /**
143     * Returns a list of those organizational units whose members can be managed by the current user.<p>
144     *
145     * @param cms the current CMS context
146     * @param ouFqn the fully qualified name of the organizational unit
147     * @param includeSubOus if sub organizational units should be included in the search
148     * @param includeWebusers if webuser organizational units should be included in the search
149     *
150     * @return a list of organizational units
151     *
152     * @throws CmsException if something goes wrong
153     */
154    public List<CmsOrganizationalUnit> getManageableOrgUnits(
155        CmsObject cms,
156        String ouFqn,
157        boolean includeSubOus,
158        boolean includeWebusers)
159    throws CmsException {
160
161        List<CmsOrganizationalUnit> result = Lists.newArrayList();
162        List<CmsOrganizationalUnit> ous = getOrgUnitsForRole(
163            cms,
164            CmsRole.ACCOUNT_MANAGER.forOrgUnit(ouFqn),
165            includeSubOus);
166        for (CmsOrganizationalUnit ou : ous) {
167            if (includeWebusers || !ou.hasFlagWebuser()) {
168                result.add(ou);
169            }
170        }
171        return result;
172    }
173
174    /**
175     * Returns all resources of organizational units for which the current user has
176     * the given role role.<p>
177     *
178     * @param cms the current cms context
179     * @param role the role to check
180     *
181     * @return a list of {@link org.opencms.file.CmsResource} objects
182     *
183     * @throws CmsException if something goes wrong
184     */
185    public List<CmsResource> getManageableResources(CmsObject cms, CmsRole role) throws CmsException {
186
187        return m_securityManager.getManageableResources(cms.getRequestContext(), role);
188    }
189
190    /**
191     * Returns all users of organizational units for which the current user has
192     * the {@link CmsRole#ACCOUNT_MANAGER} role.<p>
193     *
194     * @param cms the current cms context
195     * @param ouFqn the fully qualified name of the organizational unit
196     * @param includeSubOus if sub organizational units should be included in the search
197     *
198     * @return a list of {@link org.opencms.file.CmsUser} objects
199     *
200     * @throws CmsException if something goes wrong
201     */
202    public List<CmsUser> getManageableUsers(CmsObject cms, String ouFqn, boolean includeSubOus) throws CmsException {
203
204        return getManageableUsers(cms, ouFqn, includeSubOus, false);
205    }
206
207    /**
208     * Returns all users of organizational units for which the current user has
209     * the {@link CmsRole#ACCOUNT_MANAGER} role.<p>
210     *
211     * @param cms the current cms context
212     * @param ouFqn the fully qualified name of the organizational unit
213     * @param includeSubOus if sub organizational units should be included in the search
214     * @param includeWebusers if webuser organizational units should be included in the search
215     *
216     * @return a list of {@link org.opencms.file.CmsUser} objects
217     *
218     * @throws CmsException if something goes wrong
219     */
220    public List<CmsUser> getManageableUsers(CmsObject cms, String ouFqn, boolean includeSubOus, boolean includeWebusers)
221    throws CmsException {
222
223        List<CmsOrganizationalUnit> ous = getManageableOrgUnits(cms, ouFqn, includeSubOus, includeWebusers);
224        List<CmsUser> users = new ArrayList<CmsUser>();
225        Iterator<CmsOrganizationalUnit> it = ous.iterator();
226        while (it.hasNext()) {
227            CmsOrganizationalUnit orgUnit = it.next();
228            users.addAll(OpenCms.getOrgUnitManager().getUsers(cms, orgUnit.getName(), false));
229        }
230        return users;
231    }
232
233    /**
234     * Returns all the organizational units for which the current user has the given role.<p>
235     *
236     * @param cms the current cms context
237     * @param role the role to check
238     * @param includeSubOus if sub organizational units should be included in the search
239     *
240     * @return a list of {@link org.opencms.security.CmsOrganizationalUnit} objects
241     *
242     * @throws CmsException if something goes wrong
243     */
244    public List<CmsOrganizationalUnit> getOrgUnitsForRole(CmsObject cms, CmsRole role, boolean includeSubOus)
245    throws CmsException {
246
247        return m_securityManager.getOrgUnitsForRole(cms.getRequestContext(), role, includeSubOus);
248    }
249
250    /**
251     * Returns the groups which constitute a given role, i.e. the set of groups such that a member of any of them
252     * has the given role.<p>
253     *
254     * @param cms the CMS context
255     * @param role the role
256     * @param directUsersOnly if true, only the role's direct group will be returned
257     *
258     * @return the groups constituting the given role
259     *
260     * @throws CmsException if something goes wrong
261     */
262    public Set<CmsGroup> getRoleGroups(CmsObject cms, CmsRole role, boolean directUsersOnly) throws CmsException {
263
264        return m_securityManager.getRoleGroups(cms.getRequestContext(), role, directUsersOnly);
265    }
266
267    /**
268     * Returns all roles, in the given organizational unit.<p>
269     *
270     * @param cms the opencms context
271     * @param ouFqn the fully qualified name of the organizational unit of the role
272     * @param includeSubOus include roles of child organizational units
273     *
274     * @return a list of all <code>{@link CmsRole}</code> objects
275     *
276     * @throws CmsException if operation was not successful
277     */
278    public List<CmsRole> getRoles(CmsObject cms, String ouFqn, boolean includeSubOus) throws CmsException {
279
280        CmsOrganizationalUnit ou = OpenCms.getOrgUnitManager().readOrganizationalUnit(cms, ouFqn);
281        List<CmsGroup> groups = m_securityManager.getGroups(cms.getRequestContext(), ou, includeSubOus, true);
282        List<CmsRole> roles = new ArrayList<CmsRole>(groups.size());
283        Iterator<CmsGroup> itGroups = groups.iterator();
284        while (itGroups.hasNext()) {
285            CmsGroup group = itGroups.next();
286            roles.add(CmsRole.valueOf(group));
287        }
288        return roles;
289    }
290
291    /**
292     * Returns all roles the given user has over the given resource.<p>
293     *
294     * @param cms the current cms context
295     * @param user the user
296     * @param resource the resource
297     *
298     * @return a list of {@link CmsRole} objects
299     *
300     * @throws CmsException if something goes wrong
301     */
302    public List<CmsRole> getRolesForResource(CmsObject cms, CmsUser user, CmsResource resource) throws CmsException {
303
304        return m_securityManager.getRolesForResource(cms.getRequestContext(), user, resource);
305    }
306
307    /**
308     * Returns all roles the given user has over the given resource.<p>
309     *
310     * @param cms the current cms context
311     * @param userFqn the user name to check
312     * @param resourceName the resource name
313     *
314     * @return a list of {@link CmsRole} objects
315     *
316     * @throws CmsException if something goes wrong
317     */
318    public List<CmsRole> getRolesForResource(CmsObject cms, String userFqn, String resourceName) throws CmsException {
319
320        CmsUser user = cms.readUser(userFqn);
321        CmsResource resource = cms.readResource(resourceName, CmsResourceFilter.ALL);
322        return m_securityManager.getRolesForResource(cms.getRequestContext(), user, resource);
323    }
324
325    /**
326     * Returns all roles the given user belongs to, in the given organizational unit.<p>
327     *
328     * @param cms the opencms context
329     * @param username the name of the user to get all roles for
330     * @param ouFqn the fully qualified name of the organizational unit to restrict the search to
331     * @param includeChildOus include roles of child organizational units
332     * @param directRolesOnly if set only the direct assigned roles will be returned, if not also indirect roles
333     * @param recursive if this is set, also roles of higher organizational unit are considered
334     *
335     * @return a list of <code>{@link org.opencms.security.CmsRole}</code> objects
336     *
337     * @throws CmsException if operation was not successful
338     */
339    public List<CmsRole> getRolesOfUser(
340        CmsObject cms,
341        String username,
342        String ouFqn,
343        boolean includeChildOus,
344        boolean directRolesOnly,
345        boolean recursive)
346    throws CmsException {
347
348        List<CmsGroup> groups;
349        ouFqn = CmsOrganizationalUnit.removeLeadingSeparator(ouFqn);
350        if (!recursive) {
351            groups = m_securityManager.getGroupsOfUser(
352                cms.getRequestContext(),
353                username,
354                ouFqn,
355                includeChildOus,
356                true,
357                directRolesOnly,
358                cms.getRequestContext().getRemoteAddress());
359        } else {
360            groups = new ArrayList<CmsGroup>();
361            Iterator<CmsGroup> itAllGroups = m_securityManager.getGroupsOfUser(
362                cms.getRequestContext(),
363                username,
364                "",
365                true,
366                true,
367                directRolesOnly,
368                cms.getRequestContext().getRemoteAddress()).iterator();
369            while (itAllGroups.hasNext()) {
370                CmsGroup role = itAllGroups.next();
371                if (!includeChildOus && role.getOuFqn().equals(ouFqn)) {
372                    groups.add(role);
373                }
374                if (includeChildOus && role.getOuFqn().startsWith(ouFqn)) {
375                    groups.add(role);
376                }
377            }
378        }
379        List<CmsRole> roles = new ArrayList<CmsRole>(groups.size());
380        Iterator<CmsGroup> itGroups = groups.iterator();
381        while (itGroups.hasNext()) {
382            CmsGroup group = itGroups.next();
383            roles.add(CmsRole.valueOf(group));
384        }
385        return roles;
386    }
387
388    /**
389     * Returns all direct users of a given role, in the given organizational unit.<p>
390     *
391     * Users that are "indirectly" in the role are not returned in the result.<p>
392     *
393     * @param cms the opencms context
394     * @param role the role to get all users for
395     * @param includeOtherOuUsers include users of other organizational units
396     * @param directUsersOnly if set only the direct assigned users will be returned,
397     *                          if not also indirect users, ie. members of child groups
398     *
399     * @return all <code>{@link org.opencms.file.CmsUser}</code> objects in the group
400     *
401     * @throws CmsException if operation was not successful
402     */
403    public List<CmsUser> getUsersOfRole(
404        CmsObject cms,
405        CmsRole role,
406        boolean includeOtherOuUsers,
407        boolean directUsersOnly)
408    throws CmsException {
409
410        return m_securityManager.getUsersOfGroup(
411            cms.getRequestContext(),
412            role.getGroupName(),
413            includeOtherOuUsers,
414            directUsersOnly,
415            true);
416    }
417
418    /**
419     * Checks if the given context user has the given role in the given organizational unit.<p>
420     *
421     * @param cms the opencms context
422     * @param role the role to check
423     *
424     * @return <code>true</code> if the given context user has the given role in the given organizational unit
425     */
426    public boolean hasRole(CmsObject cms, CmsRole role) {
427
428        return m_securityManager.hasRole(cms.getRequestContext(), cms.getRequestContext().getCurrentUser(), role);
429    }
430
431    /**
432     * Checks if the given user has the given role in the given organizational unit.<p>
433     *
434     * @param cms the opencms context
435     * @param userName the name of the user to check the role for
436     * @param role the role to check
437     *
438     * @return <code>true</code> if the given user has the given role in the given organizational unit
439     */
440    public boolean hasRole(CmsObject cms, String userName, CmsRole role) {
441
442        CmsUser user;
443        try {
444            user = cms.readUser(userName);
445        } catch (CmsException e) {
446            // ignore
447            return false;
448        }
449        return m_securityManager.hasRole(cms.getRequestContext(), user, role);
450    }
451
452    /**
453     * Checks if the given context user has the given role for the given resource.<p>
454     *
455     * @param cms the opencms context
456     * @param role the role to check
457     * @param resource the resource to check
458     *
459     * @return <code>true</code> if the given context user has the given role for the given resource
460     */
461    public boolean hasRoleForResource(CmsObject cms, CmsRole role, CmsResource resource) {
462
463        return m_securityManager.hasRoleForResource(
464            cms.getRequestContext(),
465            cms.getRequestContext().getCurrentUser(),
466            role,
467            resource);
468    }
469
470    /**
471     * Checks if the given context user has the given role for the given resource.<p>
472     *
473     * @param cms the opencms context
474     * @param role the role to check
475     * @param resourceName the name of the resource to check
476     *
477     * @return <code>true</code> if the given context user has the given role for the given resource
478     */
479    public boolean hasRoleForResource(CmsObject cms, CmsRole role, String resourceName) {
480
481        CmsResource resource;
482        try {
483            resource = cms.readResource(resourceName, CmsResourceFilter.ALL);
484        } catch (CmsException e) {
485            // ignore
486            return false;
487        }
488        return m_securityManager.hasRoleForResource(
489            cms.getRequestContext(),
490            cms.getRequestContext().getCurrentUser(),
491            role,
492            resource);
493    }
494
495    /**
496     * Checks if the given context user has the given role for the given resource.<p>
497     *
498     * @param cms the opencms context
499     * @param userName the name of the user to check the role for
500     * @param role the role to check
501     * @param resourceName the name of the resource to check
502     *
503     * @return <code>true</code> if the given context user has the given role for the given resource
504     */
505    public boolean hasRoleForResource(CmsObject cms, String userName, CmsRole role, String resourceName) {
506
507        CmsResource resource;
508        try {
509            resource = cms.readResource(resourceName, CmsResourceFilter.ALL);
510        } catch (CmsException e) {
511            // ignore
512            return false;
513        }
514        CmsUser user;
515        try {
516            user = cms.readUser(userName);
517        } catch (CmsException e) {
518            // ignore
519            return false;
520        }
521        return m_securityManager.hasRoleForResource(cms.getRequestContext(), user, role, resource);
522    }
523
524    /**
525     * Removes a user from a role, in the given organizational unit.<p>
526     *
527     * @param cms the opencms context
528     * @param role the role to remove the user from
529     * @param username the name of the user that is to be removed from the group
530     *
531     * @throws CmsException if operation was not successful
532     */
533    public void removeUserFromRole(CmsObject cms, CmsRole role, String username) throws CmsException {
534
535        m_securityManager.removeUserFromGroup(cms.getRequestContext(), username, role.getGroupName(), true);
536    }
537
538}