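/*
 * Copyright (c) 2006-2011 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html
 *
 * Contributors:
 *     Anahide Tchertchian
 *     Florent Guillaume
 */

package org.nuxeo.ecm.core.security;

import java.io.Serializable;
import java.security.Principal;
import java.util.Collection;
import java.util.List;

import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.api.security.Access;
import org.nuxeo.ecm.core.model.Document;
import org.nuxeo.ecm.core.query.sql.model.SQLQuery;

/**
 * Service checking permissions for pluggable policies.
 * <p>
 * The service has two enforcement paths: a per-document check ({@link #checkPermission}) and a query path, where
 * policies are either folded into the query ({@link #getPoliciesQueryTransformers}) or have to be applied to the
 * results afterwards (see {@link #arePoliciesExpressibleInQuery}).
 *
 * @author Anahide Tchertchian
 * @author Florent Guillaume
 */
public interface SecurityPolicyService extends Serializable {

    /**
     * Checks given permission for doc and principal.
     * <p>
     * The security service checks this service for a security access. This access is defined iterating over pluggable
     * policies in a defined order. If access is not specified, security service applies its default policy.
     * <p>
     * An unspecified result is therefore not a denial: the final decision is then made by the following policies or by
     * the default core security.
     *
     * @param doc the document to check
     * @param mergedAcp merged acp resolved for this document
     * @param principal principal to check
     * @param permission permission to check
     * @param resolvedPermissions permissions or groups of permissions containing permission
     * @param principalsToCheck principals (groups) to check for principal
     * @return access: true, false, or nothing (presumably the GRANT, DENY and UNKNOWN values of {@link Access}; confirm
     *         against that enum). When nothing is returned, following policies or default core security are applied.
     */
    Access checkPermission(Document doc, ACP mergedAcp, Principal principal, String permission,
            String[] resolvedPermissions, String[] principalsToCheck);

    /**
     * Registers a security policy descriptor with this service.
     * <p>
     * NOTE(review): how registration affects the policy order used by {@link #checkPermission}, and whether it is safe
     * while checks are running, is not visible from this interface; confirm against the implementation.
     *
     * @param descriptor the policy descriptor to register
     */
    void registerDescriptor(SecurityPolicyDescriptor descriptor);

    /**
     * Unregisters a security policy descriptor from this service.
     * <p>
     * NOTE(review): presumably the matching policy stops being consulted afterwards, which can widen access if that
     * policy was restrictive; confirm against the implementation.
     *
     * @param descriptor the policy descriptor to unregister
     */
    void unregisterDescriptor(SecurityPolicyDescriptor descriptor);

    /**
     * Checks if any policy restricts the given permission.
     * <p>
     * If not, then no post-filtering on policies will be needed for query results.
     *
     * @param permission the permission to test
     * @return {@code true} if a policy restricts the permission
     */
    boolean arePoliciesRestrictingPermission(String permission);

    /**
     * Checks if the policies can be expressed in a query for a given repository.
     * <p>
     * If not, then any query made will have to be post-filtered. A caller that skips the post-filter in that case
     * returns results that are not constrained by the policies.
     *
     * @param repositoryName the target repository name.
     * @return {@code true} if all policies can be expressed in a query
     */
    boolean arePoliciesExpressibleInQuery(String repositoryName);

    /**
     * Get the transformers to apply the policies to a query for given repository.
     *
     * @param repositoryName the target repository name.
     * @return the transformers.
     */
    Collection<SQLQuery.Transformer> getPoliciesQueryTransformers(String repositoryName);

    /**
     * Gets the list of registered security policies.
     *
     * @return the policies
     * @since 5.7.2
     */
    List<SecurityPolicy> getPolicies();

}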