Class BambooAclUpdateHelper

java.lang.Object
com.atlassian.bamboo.security.acegi.acls.BambooAclUpdateHelper

public class BambooAclUpdateHelper extends Object
A helper class used in Acl update and creation operations.

It converts between Acl and AccessControlEntry objects and a "permissionKey", which is a String representation of an Acl and AccessControlEntry combination.

The "permissionKeys" are in the format: bambooPermission_TYPE_PRINCIPAL_PERMISSION

The permission configuration UI understands this format.

  • Field Details

    • BAMBOO_PERMISSION_PREFIX

      public static final String BAMBOO_PERMISSION_PREFIX
    • BAMBOO_PERMISSION_FORM_GROUP_PREFIX

      public static final String BAMBOO_PERMISSION_FORM_GROUP_PREFIX
    • PERMISSION_KEY_JOINER

      public static com.google.common.base.Joiner PERMISSION_KEY_JOINER
  • Constructor Details

    • BambooAclUpdateHelper

      public BambooAclUpdateHelper()
  • Method Details

    • createUserPermissionKey

      public static String createUserPermissionKey(String sid, String permissionName)
      Create permission key for a user permission
    • createGroupPermissionKey

      public static String createGroupPermissionKey(String sid, String permissionName)
      Create permission key for a group permission
    • createRolePermissionKey

      public static String createRolePermissionKey(String sid, String permissionName)
      Create permission key for a role permission
    • createPermissionKey

      public static String createPermissionKey(@NotNull org.acegisecurity.acls.sid.Sid sid, @NotNull String permissionName)
      Create permission key for a permission
    • createPermissionKey

      public static String createPermissionKey(@NotNull String sidType, @NotNull String authority, @NotNull String permissionName)
      Create permission key for a permission
    • getPermissionKeyFromAce

      public static Optional<String> getPermissionKeyFromAce(@NotNull org.acegisecurity.acls.AccessControlEntry ace)
      Given an AccessControlEntry return a String representation.
    • buildUserGroupListsFromPermissions

      public void buildUserGroupListsFromPermissions(List<String> grantedPermissions, List<String> grantedUsers, List<String> grantedGroups)
      Given a list of granted permissions (permissionKey Strings), it will populate the grantedUsers list with unique usernames of those users which have permissions. Likewise, it will populate the grantedGroups list with unique group names of those groups which have permissions.
    • addViewPermissionsForEditPermissions

      @NotNull public List<String> addViewPermissionsForEditPermissions(@NotNull List<String> permissionKeys)
      For each of the WRITE permission keys in the list, make sure there is a corresponding READ permission.
    • getUserPermissions

      public Iterable<org.acegisecurity.acls.Permission> getUserPermissions(@NotNull String userName, @NotNull org.acegisecurity.acls.Acl acl, @NotNull BambooPermissionManager bambooPermissionManager, boolean showAdminPermissions)
      Retrieves the granted global permissions of the given user. It calls buildPermissionAndUserGroupListsFromAcl and filters out the permissions for the user name.
      Parameters:
      userName - name of the user to be filtered
      acl -
      showAdminPermissions -
      Returns:
      A list of Permission of the given user
    • getGroupPermissions

      public Iterable<org.acegisecurity.acls.Permission> getGroupPermissions(@NotNull String groupName, @NotNull org.acegisecurity.acls.Acl acl, @NotNull BambooPermissionManager bambooPermissionManager, boolean showAdminPermission)
      Retrieves the granted global permissions of the given group name. It calls buildPermissionAndUserGroupListsFromAcl and filters out the permissions for the group name.
      Parameters:
      groupName - group name to be filtered
      acl -
      showAdminPermission -
      Returns:
      A list of Permission of the given group name
    • getRolePermissions

      public Map<String,List<org.acegisecurity.acls.Permission>> getRolePermissions(@NotNull org.acegisecurity.acls.Acl acl, @NotNull BambooPermissionManager bambooPermissionManager, boolean showAdminPermission)
      Retrieve global permissions of the two known roles, logged in user and anonymous user.
      Parameters:
      acl -
      bambooPermissionManager -
      showAdminPermission -
      Returns:
      Map of roles and their global permissions
    • updateRolePermissions

      public void updateRolePermissions(@Nullable String roleName, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooPermissionManager permissionManager, @NotNull HibernateMutableAclService aclService, @NotNull AdministrationConfigurationAccessor administrationConfigurationAccessor, @NotNull AdministrationConfigurationPersister administrationConfigurationPersister) throws WebValidationException
      Updates the permissions of a given role. Requires the current user to have System Admin or Restricted Admin permission; otherwise UnauthorisedException will be thrown.

      If updating ROLE_ANONYMOUS, it will also update the anonymous access flag in the administration configuration depending on the READ permission.

      Parameters:
      roleName - Role name. Must be one of the known roles, ROLE_USER or ROLE_ANONYMOUS. ROLE_USER can only have ACCESS or CREATE permissions. ROLE_ANONYMOUS can only have ACCESS permission.
      permissions -
      permissionManager -
      aclService -
      administrationConfigurationAccessor -
      administrationConfigurationPersister -
      Throws:
      WebValidationException - If the role name is invalid or the role is given more permissions than it should have.
    • validateRolePermissionUpdateRequest

      protected ErrorCollection validateRolePermissionUpdateRequest(@NotNull String roleName, @NotNull List<org.acegisecurity.acls.Permission> permissions)
    • updateUserPermissions

      public void updateUserPermissions(@Nullable String userName, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooUserManager bambooUserManager, @NotNull BambooPermissionManager bambooPermissionManager, @NotNull HibernateMutableAclService aclService, @NotNull com.atlassian.sal.api.message.I18nResolver i18nResolver) throws WebValidationException
      Updates the global permissions of the given user. Requires the current user to have System Admin or Restricted Admin permission; otherwise UnauthorisedException will be thrown.
      Parameters:
      userName - name of user for which permissions should be updated
      permissions - updated permissions
      Throws:
      WebValidationException
    • updateGroupPermissions

      public void updateGroupPermissions(@Nullable String groupName, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooPermissionManager bambooPermissionManager, @NotNull HibernateMutableAclService aclService, @NotNull BambooUserManager userManager, @NotNull com.atlassian.sal.api.message.I18nResolver i18nResolver) throws WebValidationException
      Throws:
      WebValidationException
    • updateGroupPermissions

      public void updateGroupPermissions(@Nullable String groupName, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooPermissionManager bambooPermissionManager, @NotNull HibernateMutableAclService aclService, @NotNull BambooUserManager userManager, @NotNull com.atlassian.struts.TextProvider textProvider) throws WebValidationException
      Throws:
      WebValidationException
    • updateGroupPermissions

      public void updateGroupPermissions(@NotNull com.atlassian.user.Group group, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooPermissionManager bambooPermissionManager, @NotNull HibernateMutableAclService aclService) throws WebValidationException
      Updates the global permissions of the given group. Requires the current user to have System Admin or Restricted Admin permission; otherwise UnauthorisedException will be thrown.
      Parameters:
      group -
      permissions -
      Throws:
      WebValidationException
    • retrievePermissionFromACE

      @Deprecated public static String retrievePermissionFromACE(@NotNull org.acegisecurity.acls.AccessControlEntry ace)
      Deprecated.
    • validateUpdateRequest

      @NotNull protected ErrorCollection validateUpdateRequest(@Nullable com.atlassian.user.Group group, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooPermissionManager bambooPermissionManager)
    • buildPermissionAndUserGroupListsFromAcl

      public void buildPermissionAndUserGroupListsFromAcl(@NotNull List<String> grantedPermissions, @NotNull List<String> grantedUsers, @NotNull List<String> grantedGroups, @NotNull List<String> nonProcessedGrantedPermissions, @NotNull org.acegisecurity.acls.Acl acl, boolean showAdminPermissions, @NotNull BambooPermissionManager bambooPermissionManager)
      Helper conversion method for the permission configuration pages.

      Takes in an Acl and populates three lists from this Acl:
      - grantedPermissions - a list of String in the format bambooPermission_TYPE_PRINCIPAL_PERMISSION
      - grantedUsers - a list of String usernames that have at least one AccessControlEntry against the Acl
      - grantedGroups - a list of String group names that have at least one AccessControlEntry against the Acl
      - nonProcessedGrantedPermissions - a list of permissions that are not processed and so could not be changed here. It is introduced to avoid cleaning up permissions that are not visible to the user performing this action.

      Parameters:
      grantedPermissions -
      grantedUsers -
      grantedGroups -
      nonProcessedGrantedPermissions -
      acl -
      showAdminPermissions -
      bambooPermissionManager -
    • modifyAclAces

      public void modifyAclAces(org.acegisecurity.acls.MutableAcl acl, List<String> newPermissionKeys)
      Updates a MutableAcl with new AccessControlEntry objects for the permissions represented by a list of String permissionKeys.
      Parameters:
      acl -
      newPermissionKeys -
    • addPermissionsToAclForCurrentUser

      public void addPermissionsToAclForCurrentUser(@NotNull org.acegisecurity.acls.MutableAcl acl, @NotNull List<BambooPermission> permissions)
      Adds the given permissions for the currently logged in user to the acl entry. This method will not persist the modifications on the MutableAcl.
      Parameters:
      acl - acl to update
      permissions - permissions to grant
    • createNewDefaultAcl

      @NotNull public org.acegisecurity.acls.MutableAcl createNewDefaultAcl(@Nullable com.atlassian.user.User user, Class<? extends Plan> planType, boolean accessForAllUsers)
      Creates a default Acl for a specific plan type, which has:
      - All permissions for the creator (user argument) of the plan
      - READ permission for all logged in users
      - READ permission for all anonymous users
      Parameters:
      user - to create acl for.
      planType - to create acl for.
      accessForAllUsers - to create acl for anonymous and logged-in user
      Returns:
      MutableAcl representing a default permission set
    • createNewObjectAcl

      @NotNull public org.acegisecurity.acls.MutableAcl createNewObjectAcl(@Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, boolean accessForAllUsers)
      Creates a default Acl for an object, which has:
      - EDIT permission for the creator (user argument) of the deployment project
      - READ permission for all logged in users
      - READ permission for all anonymous users
      Parameters:
      user - to create acl for.
      permissionObject - to create acl for.
      Returns:
      MutableAcl representing a default permission set
    • copyProjectPermissionsToEnvironment

      @NotNull public org.acegisecurity.acls.MutableAcl copyProjectPermissionsToEnvironment(@Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, org.acegisecurity.acls.Acl parentAcl, boolean accessForAllUsers)
    • clonePermissions

      @NotNull public org.acegisecurity.acls.MutableAcl clonePermissions(@Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, org.acegisecurity.acls.Acl parentAcl)
    • clonePermissions

      @NotNull public org.acegisecurity.acls.MutableAcl clonePermissions(@Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, org.acegisecurity.acls.Acl parentAcl, Set<org.acegisecurity.acls.Permission> permissionsToSkip)
    • extractPrincipalFromSid

      @NotNull public static String extractPrincipalFromSid(@NotNull org.acegisecurity.acls.sid.Sid sid)
      Extract a principal as a String from a Sid. Throws IllegalStateException if the sid type is unknown.
      Parameters:
      sid - ACEGI sid
      Returns:
      principal extracted from sid, e.g. GroupPrincipalSid.getPrincipal() or PrincipalSid.getPrincipal().
      Throws:
      IllegalStateException - when sid type is not recognized
    • extractSidTypeFromSid

      public static String extractSidTypeFromSid(@NotNull org.acegisecurity.acls.sid.Sid sid)
      Extract a principal type as String from a Sid. Throws IllegalStateException if the sid type is unknown.
      Parameters:
      sid - ACEGI sid
      Returns:
      sid type, e.g. BAMBOO_PERMISSION_FORM_GROUP or BAMBOO_PERMISSION_FORM_USER.
    • getSidFromPermissionKey

      @NotNull public org.acegisecurity.acls.sid.Sid getSidFromPermissionKey(@NotNull String permissionKey)
      Get the Sid based on a permission key.
      Parameters:
      permissionKey - full permission key, containing sid type, principal name and permission name
      Returns:
      correct instance of Sid based on the passed key
      Throws:
      IllegalArgumentException - if the key can't be used to properly construct a Sid
    • addReadPermissionForAnonymousAndLoggedinUsers

      public void addReadPermissionForAnonymousAndLoggedinUsers(@NotNull org.acegisecurity.acls.MutableAcl acl)
      Grant READ permission for Anonymous and Logged-in users.
    • getSidFromIdAndType

      @NotNull public org.acegisecurity.acls.sid.Sid getSidFromIdAndType(@NotNull String id, @NotNull String type)
      Attempt to extract Sid from a given sid id and type.
      Parameters:
      id - unique id of the sid
      type - type of the sid, one of the values defined in HibernateSidUserType
      Throws:
      IllegalArgumentException - if the sid type is not recognised
    • getPermission

      public org.acegisecurity.acls.Permission getPermission(String permissionKey)
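
The bambooPermission_TYPE_PRINCIPAL_PERMISSION key format from the class description and the WRITE-to-READ completion documented for addViewPermissionsForEditPermissions, sketched as an added example. This is not Bamboo's code: the prefix value, the type tokens (user, group, role), the permission names and the rule for splitting on underscores are all assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public final class PermissionKeyDemo {
    // Assumed literals: the page gives the key layout, not the constant values.
    static final String PREFIX = "bambooPermission";
    static final Set<String> TYPES = Set.of("user", "group", "role");
    static final Set<String> PERMISSIONS = Set.of("READ", "WRITE");

    record Key(String type, String principal, String permission) {
        String encode() { return String.join("_", PREFIX, type, principal, permission); }
    }

    // Strict parse of PREFIX_TYPE_PRINCIPAL_PERMISSION. TYPE is the first token and
    // PERMISSION the last, so a principal such as "build_bot" keeps its underscore.
    static Key parse(String raw) {
        String head = PREFIX + "_";
        if (raw == null || !raw.startsWith(head)) throw new IllegalArgumentException("bad prefix: " + raw);
        String rest = raw.substring(head.length());
        int first = rest.indexOf('_'), last = rest.lastIndexOf('_');
        if (first < 1 || last <= first + 1 || last == rest.length() - 1)
            throw new IllegalArgumentException("malformed key: " + raw);
        Key key = new Key(rest.substring(0, first), rest.substring(first + 1, last), rest.substring(last + 1));
        // Allow-list both ends so unexpected input cannot name an arbitrary type or permission.
        if (!TYPES.contains(key.type()) || !PERMISSIONS.contains(key.permission()))
            throw new IllegalArgumentException("unknown type or permission: " + raw);
        return key;
    }

    // For every WRITE key, ensure the READ key for the same type and principal exists.
    static List<String> addReadForWrite(List<String> keys) {
        Set<String> out = new LinkedHashSet<>(keys); // keeps order, drops duplicates
        for (String raw : keys) {
            Key key = parse(raw);
            if (key.permission().equals("WRITE"))
                out.add(new Key(key.type(), key.principal(), "READ").encode());
        }
        return new ArrayList<>(out);
    }

    public static void main(String[] args) {
        // Constructed sample keys, not taken from a real Bamboo instance.
        List<String> keys = List.of("bambooPermission_user_build_bot_WRITE",
                                    "bambooPermission_group_devs_READ");
        System.out.println(addReadForWrite(keys));
    }
}
```

The example uses a record and therefore needs Java 16 or later.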