Class BambooAclUpdateHelper


  • public class BambooAclUpdateHelper
    extends Object
    A helper class used in Acl update and creation operations

    It converts between Acl and AccessControlEntry objects and a "permissionKey", which is a String representation of an Acl and AccessControlEntry combination.

    The "permissionKeys" are in the format: bambooPermission_TYPE_PRINCIPAL_PERMISSION

    The permission configuration UI understands this format.

    • Field Detail

      • PERMISSION_KEY_JOINER

        public static com.google.common.base.Joiner PERMISSION_KEY_JOINER
    • Constructor Detail

      • BambooAclUpdateHelper

        public BambooAclUpdateHelper()
    • Method Detail

      • createUserPermissionKey

        public static String createUserPermissionKey(String sid,
                                                     String permissionName)
        Create permission key for a user permission
      • createGroupPermissionKey

        public static String createGroupPermissionKey(String sid,
                                                      String permissionName)
        Create permission key for a group permission
      • createRolePermissionKey

        public static String createRolePermissionKey(String sid,
                                                     String permissionName)
        Create permission key for a role permission
      • createPermissionKey

        public static String createPermissionKey(@NotNull org.acegisecurity.acls.sid.Sid sid,
                                                 @NotNull String permissionName)
        Create permission key for a permission
      • createPermissionKey

        public static String createPermissionKey(@NotNull String sidType,
                                                 @NotNull String authority,
                                                 @NotNull String permissionName)
        Create permission key for a permission
      • getPermissionKeyFromAce

        public static Optional<String> getPermissionKeyFromAce(@NotNull org.acegisecurity.acls.AccessControlEntry ace)
        Given an AccessControlEntry return a String representation.
      • buildUserGroupListsFromPermissions

        public void buildUserGroupListsFromPermissions(List<String> grantedPermissions,
                                                       List<String> grantedUsers,
                                                       List<String> grantedGroups)
        Given a list of granted permissions (permissionKey Strings), it will populate the grantedUsers list with unique usernames of those users which have permissions. Likewise, it will populate the grantedGroups list with unique group names of those groups which have permissions.
      • addViewPermissionsForEditPermissions

        @NotNull
        public List<String> addViewPermissionsForEditPermissions(@NotNull List<String> permissionKeys)
        For each of the WRITE permission keys in the list, make sure there is a corresponding READ permission.
      • getUserPermissions

        public Iterable<org.acegisecurity.acls.Permission> getUserPermissions(@NotNull String userName,
                                                                              @NotNull org.acegisecurity.acls.Acl acl,
                                                                              @NotNull BambooPermissionManager bambooPermissionManager,
                                                                              boolean showAdminPermissions)
        Retrieves the granted global permissions of the given user. It calls buildPermissionAndUserGroupListsFromAcl and filters out the permissions for the user name.
        Parameters:
        userName - name of the user to be filtered
        acl -
        showAdminPermissions -
        Returns:
        A list of Permission of the given user
      • getGroupPermissions

        public Iterable<org.acegisecurity.acls.Permission> getGroupPermissions(@NotNull String groupName,
                                                                               @NotNull org.acegisecurity.acls.Acl acl,
                                                                               @NotNull BambooPermissionManager bambooPermissionManager,
                                                                               boolean showAdminPermission)
        Retrieves the granted global permissions of the given group name. It calls buildPermissionAndUserGroupListsFromAcl and filters out the permissions for the group name.
        Parameters:
        groupName - group name to be filtered
        acl -
        showAdminPermission -
        Returns:
        A list of Permission of the given group name
      • getRolePermissions

        public Map<String, List<org.acegisecurity.acls.Permission>> getRolePermissions(@NotNull org.acegisecurity.acls.Acl acl,
                                                                                       @NotNull BambooPermissionManager bambooPermissionManager,
                                                                                       boolean showAdminPermission)
        Retrieves the global permissions of the two known roles: logged-in user and anonymous user.
        Parameters:
        acl -
        bambooPermissionManager -
        showAdminPermission -
        Returns:
        Map of roles and their global permissions
      • updateRolePermissions

        public void updateRolePermissions(@Nullable String roleName,
                                          @NotNull List<org.acegisecurity.acls.Permission> permissions,
                                          @NotNull BambooPermissionManager permissionManager,
                                          @NotNull HibernateMutableAclService aclService,
                                          @NotNull AdministrationConfigurationAccessor administrationConfigurationAccessor,
                                          @NotNull AdministrationConfigurationPersister administrationConfigurationPersister)
                                   throws WebValidationException
        Updates the permissions of a given role. Requires the current user to have System Admin or Restricted Admin permission; otherwise UnauthorisedException will be thrown.

        If updating ROLE_ANONYMOUS it will also update the anonymous access flag in the administration configuration depending on the READ permission.

        Parameters:
        roleName - Role name. Must be one of the known roles, ROLE_USER or ROLE_ANONYMOUS. ROLE_USER can only have ACCESS or CREATE permissions. ROLE_ANONYMOUS can only have ACCESS permission.
        permissions -
        permissionManager -
        aclService -
        administrationConfigurationAccessor -
        administrationConfigurationPersister -
        Throws:
        WebValidationException - If the role name is invalid or the role is given more permissions than it should have.
      • validateRolePermissionUpdateRequest

        protected ErrorCollection validateRolePermissionUpdateRequest(@NotNull String roleName,
                                                                      @NotNull List<org.acegisecurity.acls.Permission> permissions)
      • updateUserPermissions

        public void updateUserPermissions(@Nullable String userName,
                                          @NotNull List<org.acegisecurity.acls.Permission> permissions,
                                          @NotNull BambooUserManager bambooUserManager,
                                          @NotNull BambooPermissionManager bambooPermissionManager,
                                          @NotNull HibernateMutableAclService aclService,
                                          @NotNull com.atlassian.sal.api.message.I18nResolver i18nResolver)
                                   throws WebValidationException
        Updates the global permissions of the given user. Requires the current user to have System Admin or Restricted Admin permission; otherwise UnauthorisedException will be thrown.
        Parameters:
        userName - name of user for which permissions should be updated
        permissions - updated permissions
        Throws:
        WebValidationException
      • validateUpdateRequest

        @NotNull
        protected ErrorCollection validateUpdateRequest(@Nullable com.atlassian.user.Group group,
                                                        @NotNull List<org.acegisecurity.acls.Permission> permissions,
                                                        @NotNull BambooPermissionManager bambooPermissionManager)
      • buildPermissionAndUserGroupListsFromAcl

        public void buildPermissionAndUserGroupListsFromAcl(@NotNull List<String> grantedPermissions,
                                                            @NotNull List<String> grantedUsers,
                                                            @NotNull List<String> grantedGroups,
                                                            @NotNull List<String> nonProcessedGrantedPermissions,
                                                            @NotNull org.acegisecurity.acls.Acl acl,
                                                            boolean showAdminPermissions,
                                                            @NotNull BambooPermissionManager bambooPermissionManager)
        Helper conversion method for the permission configuration pages.

        Takes in an Acl and populates three lists from this Acl:
        - grantedPermissions - a list of Strings in the format bambooPermission_TYPE_PRINCIPAL_PERMISSION
        - grantedUsers - a list of String usernames that have at least one AccessControlEntry against the Acl
        - grantedGroups - a list of String group names that have at least one AccessControlEntry against the Acl
        - nonProcessedGrantedPermissions - a list of permissions that are not processed and so cannot be changed here. It was introduced to avoid cleaning up permissions that are not visible to the user performing this action

        Parameters:
        grantedPermissions -
        grantedUsers -
        grantedGroups -
        nonProcessedGrantedPermissions -
        acl -
        showAdminPermissions -
        bambooPermissionManager -
      • modifyAclAces

        public void modifyAclAces(org.acegisecurity.acls.MutableAcl acl,
                                  List<String> newPermissionKeys)
        Updates a MutableAcl with new AccessControlEntry objects whose permissions are represented by a list of String permissionKeys.
        Parameters:
        acl -
        newPermissionKeys -
      • addPermissionsToAclForCurrentUser

        public void addPermissionsToAclForCurrentUser(@NotNull org.acegisecurity.acls.MutableAcl acl,
                                                      @NotNull List<BambooPermission> permissions)
        Adds the given permissions for the currently logged-in user to the acl entry. This method will not persist the modifications on the MutableAcl.
        Parameters:
        acl - acl to update
        permissions - permissions to grant
      • createNewDefaultAcl

        @NotNull
        public org.acegisecurity.acls.MutableAcl createNewDefaultAcl(@Nullable com.atlassian.user.User user,
                                                                     Class<? extends Plan> planType,
                                                                     boolean accessForAllUsers)
        Creates a default Acl for a specific plan type which has:
        - All permissions for the creator (user argument) of the plan
        - READ permission for all logged-in users
        - READ permission for all anonymous users
        Parameters:
        user - to create acl for.
        planType - to create acl for.
        accessForAllUsers - to create acl for anonymous and logged-in user
        Returns:
        MutableAcl representing a default permission set
      • createNewObjectAcl

        @NotNull
        public org.acegisecurity.acls.MutableAcl createNewObjectAcl(@Nullable com.atlassian.user.User user,
                                                                    Class<? extends BambooIdProvider> permissionObject,
                                                                    long id,
                                                                    boolean accessForAllUsers)
        Creates a default Acl for an object which has:
        - EDIT permission for the creator (user argument) of the deployment project
        - READ permission for all logged-in users
        - READ permission for all anonymous users
        Parameters:
        user - to create acl for.
        permissionObject - to create acl for.
        Returns:
        MutableAcl representing a default permission set
      • copyProjectPermissionsToEnvironment

        @NotNull
        public org.acegisecurity.acls.MutableAcl copyProjectPermissionsToEnvironment(@Nullable com.atlassian.user.User user,
                                                                                     Class<? extends BambooIdProvider> permissionObject,
                                                                                     long id,
                                                                                     org.acegisecurity.acls.Acl parentAcl,
                                                                                     boolean accessForAllUsers)
      • clonePermissions

        @NotNull
        public org.acegisecurity.acls.MutableAcl clonePermissions(@Nullable com.atlassian.user.User user,
                                                                  Class<? extends BambooIdProvider> permissionObject,
                                                                  long id,
                                                                  org.acegisecurity.acls.Acl parentAcl)
      • clonePermissions

        @NotNull
        public org.acegisecurity.acls.MutableAcl clonePermissions(@Nullable com.atlassian.user.User user,
                                                                  Class<? extends BambooIdProvider> permissionObject,
                                                                  long id,
                                                                  org.acegisecurity.acls.Acl parentAcl,
                                                                  Set<org.acegisecurity.acls.Permission> permissionsToSkip)
      • extractPrincipalFromSid

        @NotNull
        public static String extractPrincipalFromSid(@NotNull org.acegisecurity.acls.sid.Sid sid)
        Extract a principal as a String from a Sid. Throws IllegalStateException if the sid type is unknown.
        Parameters:
        sid - ACEGI sid
        Returns:
        principal extracted from sid, e.g. GroupPrincipalSid.getPrincipal() or PrincipalSid.getPrincipal().
        Throws:
        IllegalStateException - when sid type is not recognized
      • getSidFromPermissionKey

        @NotNull
        public org.acegisecurity.acls.sid.Sid getSidFromPermissionKey(@NotNull String permissionKey)
        Get the Sid based on a permission key.
        Parameters:
        permissionKey - full permission key, containing sid type, principal name and permission name
        Returns:
        correct instance of Sid based on the passed key
        Throws:
        IllegalArgumentException - if the key can't be used to properly construct a Sid
      • addReadPermissionForAnonymousAndLoggedinUsers

        public void addReadPermissionForAnonymousAndLoggedinUsers(@NotNull org.acegisecurity.acls.MutableAcl acl)
        Grants READ permission to anonymous and logged-in users.
      • getSidFromIdAndType

        @NotNull
        public org.acegisecurity.acls.sid.Sid getSidFromIdAndType(@NotNull String id,
                                                                  @NotNull String type)
        Attempts to construct a Sid from a given sid id and type.
        Parameters:
        id - unique id of the sid
        type - type of the sid, one of the values defined in HibernateSidUserType
        Throws:
        IllegalArgumentException - if the sid type is not recognised
      • getPermission

        public org.acegisecurity.acls.Permission getPermission(String permissionKey)
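
The permission key format bambooPermission_TYPE_PRINCIPAL_PERMISSION uses "_" as its separator, while the role names listed on this page (ROLE_USER, ROLE_ANONYMOUS) contain "_" themselves, so a key cannot be split at fixed positions. The sketch below is an added example, not Bamboo's own code: it parses keys by taking the first token after the prefix as TYPE and the last token as PERMISSION, then applies the WRITE-implies-READ rule described for addViewPermissionsForEditPermissions. The TYPE tokens (user, group, role), the assumption that permission names contain no "_", and all class and method names are hypothetical; the sample keys are constructed.

```java
import java.util.*;

// Added illustration (Java 16+); not part of the Bamboo API.
public class PermissionKeyDemo {
    static final String PREFIX = "bambooPermission";
    // Assumed TYPE tokens; the page does not enumerate them.
    static final Set<String> TYPES = Set.of("user", "group", "role");

    record Key(String type, String principal, String permission) {
        String render() { return String.join("_", PREFIX, type, principal, permission); }
    }

    // TYPE is the token after the prefix, PERMISSION is the last token, and
    // everything in between is the principal, so "ROLE_USER" or a group named
    // "build_admins" survives a round trip. Unknown types are rejected
    // instead of being defaulted to some principal kind.
    static Key parse(String key) {
        String[] p = key.split("_", -1);
        if (p.length < 4 || !PREFIX.equals(p[0]) || !TYPES.contains(p[1])) {
            throw new IllegalArgumentException("malformed permission key: " + key);
        }
        String permission = p[p.length - 1];
        String principal = String.join("_", Arrays.copyOfRange(p, 2, p.length - 1));
        if (principal.isEmpty() || permission.isEmpty()) {
            throw new IllegalArgumentException("empty principal or permission: " + key);
        }
        return new Key(p[1], principal, permission);
    }

    // For every WRITE key, make sure the same principal also holds READ.
    // Insertion order is kept and duplicates are collapsed.
    static List<String> addReadForWrite(List<String> keys) {
        Set<String> out = new LinkedHashSet<>(keys);
        for (String k : keys) {
            Key parsed = parse(k);
            if ("WRITE".equals(parsed.permission())) {
                out.add(new Key(parsed.type(), parsed.principal(), "READ").render());
            }
        }
        return new ArrayList<>(out);
    }

    public static void main(String[] args) {
        List<String> submitted = List.of(           // constructed sample keys
            "bambooPermission_user_alice_WRITE",
            "bambooPermission_role_ROLE_USER_READ",
            "bambooPermission_group_build_admins_WRITE");
        for (String k : addReadForWrite(submitted)) {
            System.out.println(k + " -> " + parse(k));
        }
        try {
            parse("bambooPermission_host_alice_READ"); // unknown TYPE
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```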