Class BambooAclUpdateHelper
- java.lang.Object
-
- com.atlassian.bamboo.security.acegi.acls.BambooAclUpdateHelper
-
public class BambooAclUpdateHelper extends Object
A helper class used in Acl update and creation operationsIt converts between
Acl
andAccessControlEntry
objects and a "permissionKey" which is aString
representation of aAcl
andAccessControlEntry
combination.The "permissionKeys" are in the format: bambooPermission_TYPE_PRINCIPAL_PERMISSION
The permission configuration UI understands this format.
-
-
Field Summary
Fields Modifier and Type Field Description static String
BAMBOO_PERMISSION_FORM_GROUP_PREFIX
static String
BAMBOO_PERMISSION_PREFIX
static com.google.common.base.Joiner
PERMISSION_KEY_JOINER
-
Constructor Summary
Constructors Constructor Description BambooAclUpdateHelper()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description void
addPermissionsToAclForCurrentUser(@NotNull org.acegisecurity.acls.MutableAcl acl, @NotNull List<BambooPermission> permissions)
Adds the givenpermissions
for the currently logged in user to theacl
entry.void
addReadPermissionForAnonymousAndLoggedinUsers(@NotNull org.acegisecurity.acls.MutableAcl acl)
Grant READ permission for Anonymous and Logged-in users.@NotNull List<String>
addViewPermissionsForEditPermissions(@NotNull List<String> permissionKeys)
For each of the WRITE permission keys in the list make sure there's corresponding READ permission.void
buildPermissionAndUserGroupListsFromAcl(@NotNull List<String> grantedPermissions, @NotNull List<String> grantedUsers, @NotNull List<String> grantedGroups, @NotNull List<String> nonProcessedGrantedPermissions, @NotNull org.acegisecurity.acls.Acl acl, boolean showAdminPermissions, @NotNull BambooPermissionManager bambooPermissionManager)
Helper conversion method for the permission configuration pages.void
buildUserGroupListsFromPermissions(List<String> grantedPermissions, List<String> grantedUsers, List<String> grantedGroups)
Given a list of granted permissions (permissionKeyString
s), it will populate the grantedUsers list with unique usernames of those users which have permissions.@NotNull org.acegisecurity.acls.MutableAcl
clonePermissions(@Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, org.acegisecurity.acls.Acl parentAcl)
@NotNull org.acegisecurity.acls.MutableAcl
clonePermissions(@Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, org.acegisecurity.acls.Acl parentAcl, Set<org.acegisecurity.acls.Permission> permissionsToSkip)
@NotNull org.acegisecurity.acls.MutableAcl
copyProjectPermissionsToEnvironment(@Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, org.acegisecurity.acls.Acl parentAcl, boolean accessForAllUsers)
static String
createGroupPermissionKey(String sid, String permissionName)
Create permission key for a group permission@NotNull org.acegisecurity.acls.MutableAcl
createNewDefaultAcl(@Nullable com.atlassian.user.User user, Class<? extends Plan> planType, boolean accessForAllUsers)
Creates a default Acl for a specific plan types which has: - All permissions for the creator (user argument) of the plan - READ permission for all logged in users - READ permission for all anonymous users@NotNull org.acegisecurity.acls.MutableAcl
createNewObjectAcl(@Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, boolean accessForAllUsers)
Creates a default Acl for a object which has: - EDIT permission for the creator (user argument) of the deployment project - READ permission for all logged in users - READ permission for all anonymous usersstatic String
createPermissionKey(@NotNull String sidType, @NotNull String authority, @NotNull String permissionName)
Create permission key for a permissionstatic String
createPermissionKey(@NotNull org.acegisecurity.acls.sid.Sid sid, @NotNull String permissionName)
Create permission key for a permissionstatic String
createRolePermissionKey(String sid, String permissionName)
Create permission key for a role permissionstatic String
createUserPermissionKey(String sid, String permissionName)
Create permission key for a user permissionstatic @NotNull String
extractPrincipalFromSid(@NotNull org.acegisecurity.acls.sid.Sid sid)
Extract a principal as a String from aSid
.static String
extractSidTypeFromSid(@NotNull org.acegisecurity.acls.sid.Sid sid)
Extract a principal type as String from aSid
.Iterable<org.acegisecurity.acls.Permission>
getGroupPermissions(@NotNull String groupName, @NotNull org.acegisecurity.acls.Acl acl, @NotNull BambooPermissionManager bambooPermissionManager, boolean showAdminPermission)
Retrieve granted global permission of the given group Name.org.acegisecurity.acls.Permission
getPermission(String permissionKey)
static Optional<String>
getPermissionKeyFromAce(@NotNull org.acegisecurity.acls.AccessControlEntry ace)
Given anAccessControlEntry
return aString
representation.Map<String,List<org.acegisecurity.acls.Permission>>
getRolePermissions(@NotNull org.acegisecurity.acls.Acl acl, @NotNull BambooPermissionManager bambooPermissionManager, boolean showAdminPermission)
Retrieve global permissions of the two known roles, logged in user and anonymous user.@NotNull org.acegisecurity.acls.sid.Sid
getSidFromIdAndType(@NotNull String id, @NotNull String type)
Attempt to extractSid
from a given sid id and type.@NotNull org.acegisecurity.acls.sid.Sid
getSidFromPermissionKey(@NotNull String permissionKey)
Get theSid
based on a permission key.Iterable<org.acegisecurity.acls.Permission>
getUserPermissions(@NotNull String userName, @NotNull org.acegisecurity.acls.Acl acl, @NotNull BambooPermissionManager bambooPermissionManager, boolean showAdminPermissions)
Retrieve granted global permission of the given user.void
modifyAclAces(org.acegisecurity.acls.MutableAcl acl, List<String> newPermissionKeys)
Updates anMutableAcl
with newAccessControlEntry
s with permissions represented by a list ofString
permissionKeys.static String
retrievePermissionFromACE(@NotNull org.acegisecurity.acls.AccessControlEntry ace)
Deprecated.since 5.11, usegetPermissionKeyFromAce(AccessControlEntry)
void
updateGroupPermissions(@NotNull com.atlassian.user.Group group, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooPermissionManager bambooPermissionManager, @NotNull HibernateMutableAclService aclService)
Update global permissions of the given group.void
updateGroupPermissions(@Nullable String groupName, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooPermissionManager bambooPermissionManager, @NotNull HibernateMutableAclService aclService, @NotNull BambooUserManager userManager, @NotNull com.atlassian.sal.api.message.I18nResolver i18nResolver)
void
updateGroupPermissions(@Nullable String groupName, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooPermissionManager bambooPermissionManager, @NotNull HibernateMutableAclService aclService, @NotNull BambooUserManager userManager, @NotNull com.atlassian.struts.TextProvider textProvider)
void
updateRolePermissions(@Nullable String roleName, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooPermissionManager permissionManager, @NotNull HibernateMutableAclService aclService, @NotNull AdministrationConfigurationAccessor administrationConfigurationAccessor, @NotNull AdministrationConfigurationPersister administrationConfigurationPersister)
Update permission of a given role.void
updateUserPermissions(@Nullable String userName, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooUserManager bambooUserManager, @NotNull BambooPermissionManager bambooPermissionManager, @NotNull HibernateMutableAclService aclService, @NotNull com.atlassian.sal.api.message.I18nResolver i18nResolver)
Update global permissions of the given user.protected ErrorCollection
validateRolePermissionUpdateRequest(@NotNull String roleName, @NotNull List<org.acegisecurity.acls.Permission> permissions)
protected @NotNull ErrorCollection
validateUpdateRequest(@Nullable com.atlassian.user.Group group, @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull BambooPermissionManager bambooPermissionManager)
-
-
-
Field Detail
-
BAMBOO_PERMISSION_PREFIX
public static final String BAMBOO_PERMISSION_PREFIX
- See Also:
- Constant Field Values
-
BAMBOO_PERMISSION_FORM_GROUP_PREFIX
public static final String BAMBOO_PERMISSION_FORM_GROUP_PREFIX
- See Also:
- Constant Field Values
-
PERMISSION_KEY_JOINER
public static com.google.common.base.Joiner PERMISSION_KEY_JOINER
-
-
Method Detail
-
createUserPermissionKey
public static String createUserPermissionKey(String sid, String permissionName)
Create permission key for a user permission
-
createGroupPermissionKey
public static String createGroupPermissionKey(String sid, String permissionName)
Create permission key for a group permission
-
createRolePermissionKey
public static String createRolePermissionKey(String sid, String permissionName)
Create permission key for a role permission
-
createPermissionKey
public static String createPermissionKey(@NotNull @NotNull org.acegisecurity.acls.sid.Sid sid, @NotNull @NotNull String permissionName)
Create permission key for a permission
-
createPermissionKey
public static String createPermissionKey(@NotNull @NotNull String sidType, @NotNull @NotNull String authority, @NotNull @NotNull String permissionName)
Create permission key for a permission
-
getPermissionKeyFromAce
public static Optional<String> getPermissionKeyFromAce(@NotNull @NotNull org.acegisecurity.acls.AccessControlEntry ace)
Given anAccessControlEntry
return aString
representation.
-
buildUserGroupListsFromPermissions
public void buildUserGroupListsFromPermissions(List<String> grantedPermissions, List<String> grantedUsers, List<String> grantedGroups)
Given a list of granted permissions (permissionKeyString
s), it will populate the grantedUsers list with unique usernames of those users which have permissions. Likewise, it will populate the grantedGroups list with unique group names of those groups which have permissions.
-
addViewPermissionsForEditPermissions
@NotNull public @NotNull List<String> addViewPermissionsForEditPermissions(@NotNull @NotNull List<String> permissionKeys)
For each of the WRITE permission keys in the list make sure there's corresponding READ permission.
-
getUserPermissions
public Iterable<org.acegisecurity.acls.Permission> getUserPermissions(@NotNull @NotNull String userName, @NotNull @NotNull org.acegisecurity.acls.Acl acl, @NotNull @NotNull BambooPermissionManager bambooPermissionManager, boolean showAdminPermissions)
Retrieve granted global permission of the given user. It callsbuildPermissionAndUserGroupListsFromAcl
and filter out permissions for the user name- Parameters:
userName
- name of the user to be filteredacl
-showAdminPermissions
-- Returns:
- A list of
Permission
of the given user
-
getGroupPermissions
public Iterable<org.acegisecurity.acls.Permission> getGroupPermissions(@NotNull @NotNull String groupName, @NotNull @NotNull org.acegisecurity.acls.Acl acl, @NotNull @NotNull BambooPermissionManager bambooPermissionManager, boolean showAdminPermission)
Retrieve granted global permission of the given group Name. It callsbuildPermissionAndUserGroupListsFromAcl
and filter out permissions for the group name- Parameters:
groupName
- group name to be filteredacl
-showAdminPermission
-- Returns:
- A list of
Permission
of the given group name
-
getRolePermissions
public Map<String,List<org.acegisecurity.acls.Permission>> getRolePermissions(@NotNull @NotNull org.acegisecurity.acls.Acl acl, @NotNull @NotNull BambooPermissionManager bambooPermissionManager, boolean showAdminPermission)
Retrieve global permissions of the two known roles, logged in user and anonymous user.- Parameters:
acl
-bambooPermissionManager
-showAdminPermission
-- Returns:
- Map of roles and their global permissions
-
updateRolePermissions
public void updateRolePermissions(@Nullable @Nullable String roleName, @NotNull @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull @NotNull BambooPermissionManager permissionManager, @NotNull @NotNull HibernateMutableAclService aclService, @NotNull @NotNull AdministrationConfigurationAccessor administrationConfigurationAccessor, @NotNull @NotNull AdministrationConfigurationPersister administrationConfigurationPersister) throws WebValidationException
Update permission of a given role. Require current user to have System Admin or Restricted Admin permission. OtherwiseUnauthorisedException
will be thrown.If updating ROLE_ANONYMOUS it will also update the anonymous access flag in the administration configuration depending on the READ permission.
- Parameters:
roleName
- Role name. Must be one of the know roles, ROLE_USER or ROLE_ANONYMOUS. ROLE_USER can only have ACCESS or CREATE permissions. ROLE_ANONYMOUS can only have ACCESS permission.permissions
-permissionManager
-aclService
-administrationConfigurationAccessor
-administrationConfigurationPersister
-- Throws:
WebValidationException
- If the role name is invalid or the role is given extra permission than it should have.
-
validateRolePermissionUpdateRequest
protected ErrorCollection validateRolePermissionUpdateRequest(@NotNull @NotNull String roleName, @NotNull @NotNull List<org.acegisecurity.acls.Permission> permissions)
-
updateUserPermissions
public void updateUserPermissions(@Nullable @Nullable String userName, @NotNull @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull @NotNull BambooUserManager bambooUserManager, @NotNull @NotNull BambooPermissionManager bambooPermissionManager, @NotNull @NotNull HibernateMutableAclService aclService, @NotNull @NotNull com.atlassian.sal.api.message.I18nResolver i18nResolver) throws WebValidationException
Update global permissions of the given user. Require current user to have System Admin or Restricted Admin permission. OtherwiseUnauthorisedException
will be thrown.- Parameters:
userName
- name of user for which permissions should be updatedpermissions
- updated permissions- Throws:
WebValidationException
-
updateGroupPermissions
public void updateGroupPermissions(@Nullable @Nullable String groupName, @NotNull @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull @NotNull BambooPermissionManager bambooPermissionManager, @NotNull @NotNull HibernateMutableAclService aclService, @NotNull @NotNull BambooUserManager userManager, @NotNull @NotNull com.atlassian.sal.api.message.I18nResolver i18nResolver) throws WebValidationException
- Throws:
WebValidationException
-
updateGroupPermissions
public void updateGroupPermissions(@Nullable @Nullable String groupName, @NotNull @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull @NotNull BambooPermissionManager bambooPermissionManager, @NotNull @NotNull HibernateMutableAclService aclService, @NotNull @NotNull BambooUserManager userManager, @NotNull @NotNull com.atlassian.struts.TextProvider textProvider) throws WebValidationException
- Throws:
WebValidationException
-
updateGroupPermissions
public void updateGroupPermissions(@NotNull @NotNull com.atlassian.user.Group group, @NotNull @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull @NotNull BambooPermissionManager bambooPermissionManager, @NotNull @NotNull HibernateMutableAclService aclService) throws WebValidationException
Update global permissions of the given group. Require current user to have System Admin or Restricted Admin permission. OtherwiseUnauthorisedException
will be thrown.- Parameters:
group
-permissions
-- Throws:
WebValidationException
-
retrievePermissionFromACE
@Deprecated public static String retrievePermissionFromACE(@NotNull @NotNull org.acegisecurity.acls.AccessControlEntry ace)
Deprecated.since 5.11, usegetPermissionKeyFromAce(AccessControlEntry)
-
validateUpdateRequest
@NotNull protected @NotNull ErrorCollection validateUpdateRequest(@Nullable @Nullable com.atlassian.user.Group group, @NotNull @NotNull List<org.acegisecurity.acls.Permission> permissions, @NotNull @NotNull BambooPermissionManager bambooPermissionManager)
-
buildPermissionAndUserGroupListsFromAcl
public void buildPermissionAndUserGroupListsFromAcl(@NotNull @NotNull List<String> grantedPermissions, @NotNull @NotNull List<String> grantedUsers, @NotNull @NotNull List<String> grantedGroups, @NotNull @NotNull List<String> nonProcessedGrantedPermissions, @NotNull @NotNull org.acegisecurity.acls.Acl acl, boolean showAdminPermissions, @NotNull @NotNull BambooPermissionManager bambooPermissionManager)
Helper conversion method for the permission configuration pages.Takes in an
Acl
and populates three lists from this Acl: - grantedPermissions - a list ofString
in format: bambooPermission_TYPE_PRINCIPAL_PERMISSION - grantedUsers - a list ofString
usernames - who have at least oneAccessControlEntry
against theAcl
- grantedGroups - a list ofString
groupnames - who have at least oneAccessControlEntry
against theAcl
- nonProcessedGrantedPermissions - a list of permissions, that are not processed - so could not be changed here. It is introduced to avoid cleaning up permissions, that are not visible for user performing this action- Parameters:
grantedPermissions
-grantedUsers
-grantedGroups
-nonProcessedGrantedPermissions
-acl
-showAdminPermissions
-bambooPermissionManager
-
-
modifyAclAces
public void modifyAclAces(org.acegisecurity.acls.MutableAcl acl, List<String> newPermissionKeys)
Updates anMutableAcl
with newAccessControlEntry
s with permissions represented by a list ofString
permissionKeys.- Parameters:
acl
-newPermissionKeys
-
-
addPermissionsToAclForCurrentUser
public void addPermissionsToAclForCurrentUser(@NotNull @NotNull org.acegisecurity.acls.MutableAcl acl, @NotNull @NotNull List<BambooPermission> permissions)
Adds the givenpermissions
for the currently logged in user to theacl
entry. This method will not persist the modifications on theMutableAcl
.- Parameters:
acl
- acl to updatepermissions
- permissions to grant
-
createNewDefaultAcl
@NotNull public @NotNull org.acegisecurity.acls.MutableAcl createNewDefaultAcl(@Nullable @Nullable com.atlassian.user.User user, Class<? extends Plan> planType, boolean accessForAllUsers)
Creates a default Acl for a specific plan types which has: - All permissions for the creator (user argument) of the plan - READ permission for all logged in users - READ permission for all anonymous users- Parameters:
user
- to create acl for.planType
- to create acl for.accessForAllUsers
- to create acl for anonymous and logged-in user- Returns:
MutableAcl
representing a default permission set
-
createNewObjectAcl
@NotNull public @NotNull org.acegisecurity.acls.MutableAcl createNewObjectAcl(@Nullable @Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, boolean accessForAllUsers)
Creates a default Acl for a object which has: - EDIT permission for the creator (user argument) of the deployment project - READ permission for all logged in users - READ permission for all anonymous users- Parameters:
user
- to create acl for.permissionObject
- to create acl for.- Returns:
MutableAcl
representing a default permission set
-
copyProjectPermissionsToEnvironment
@NotNull public @NotNull org.acegisecurity.acls.MutableAcl copyProjectPermissionsToEnvironment(@Nullable @Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, org.acegisecurity.acls.Acl parentAcl, boolean accessForAllUsers)
-
clonePermissions
@NotNull public @NotNull org.acegisecurity.acls.MutableAcl clonePermissions(@Nullable @Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, org.acegisecurity.acls.Acl parentAcl)
-
clonePermissions
@NotNull public @NotNull org.acegisecurity.acls.MutableAcl clonePermissions(@Nullable @Nullable com.atlassian.user.User user, Class<? extends BambooIdProvider> permissionObject, long id, org.acegisecurity.acls.Acl parentAcl, Set<org.acegisecurity.acls.Permission> permissionsToSkip)
-
extractPrincipalFromSid
@NotNull public static @NotNull String extractPrincipalFromSid(@NotNull @NotNull org.acegisecurity.acls.sid.Sid sid)
Extract a principal as a String from aSid
. ThrowsIllegalStateException
if the sid type is unknown.- Parameters:
sid
- ACEGI sid- Returns:
- principal extracted from sid, e.g.
GroupPrincipalSid.getPrincipal()
orPrincipalSid.getPrincipal()
. - Throws:
IllegalStateException
- when sid type is not recognized
-
extractSidTypeFromSid
public static String extractSidTypeFromSid(@NotNull @NotNull org.acegisecurity.acls.sid.Sid sid)
Extract a principal type as String from aSid
. ThrowsIllegalStateException
if the sid type is unknown.- Parameters:
sid
- ACEGI sid- Returns:
- sid type, e.g.
BAMBOO_PERMISSION_FORM_GROUP
orBAMBOO_PERMISSION_FORM_USER
.
-
getSidFromPermissionKey
@NotNull public @NotNull org.acegisecurity.acls.sid.Sid getSidFromPermissionKey(@NotNull @NotNull String permissionKey)
Get theSid
based on a permission key.- Parameters:
permissionKey
- full permission key, containing sid type, principal name and permission name- Returns:
- correct instance of
Sid
based on the passed key - Throws:
IllegalArgumentException
- if the key can't be used to properly construct aSid
-
addReadPermissionForAnonymousAndLoggedinUsers
public void addReadPermissionForAnonymousAndLoggedinUsers(@NotNull @NotNull org.acegisecurity.acls.MutableAcl acl)
Grant READ permission for Anonymous and Logged-in users.
-
getSidFromIdAndType
@NotNull public @NotNull org.acegisecurity.acls.sid.Sid getSidFromIdAndType(@NotNull @NotNull String id, @NotNull @NotNull String type)
Attempt to extractSid
from a given sid id and type.- Parameters:
id
- unique id of the sidtype
- type of the sid, one of the values defined inHibernateSidUserType
- Throws:
IllegalArgumentException
- if the sid type is not recognised
-
getPermission
public org.acegisecurity.acls.Permission getPermission(String permissionKey)
-
-