001/* 002 * (C) Copyright 2006-2011 Nuxeo SA (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * Anahide Tchertchian 018 * Florent Guillaume 019 */ 020 021package org.nuxeo.ecm.core.security; 022 023import java.io.Serializable; 024import java.security.Principal; 025import java.util.Collection; 026import java.util.List; 027 028import org.nuxeo.ecm.core.api.security.ACP; 029import org.nuxeo.ecm.core.api.security.Access; 030import org.nuxeo.ecm.core.model.Document; 031import org.nuxeo.ecm.core.query.sql.model.SQLQuery; 032 033/** 034 * Service checking permissions for pluggable policies. 035 * 036 * @author Anahide Tchertchian 037 * @author Florent Guillaume 038 */ 039public interface SecurityPolicyService extends Serializable { 040 041 /** 042 * Checks given permission for doc and principal. 043 * <p> 044 * The security service checks this service for a security access. This access is defined iterating over pluggable 045 * policies in a defined order. If access is not specified, security service applies its default policy. 046 * 047 * @param doc the document to check 048 * @param mergedAcp merged acp resolved for this document 049 * @param principal principal to check 050 * @param permission permission to check 051 * @param resolvedPermissions permissions or groups of permissions containing permission 052 * @param principalsToCheck principals (groups) to check for principal 053 * @return access: true, false, or nothing. When nothing is returned, following policies or default core security 054 * are applied. 055 */ 056 Access checkPermission(Document doc, ACP mergedAcp, Principal principal, String permission, 057 String[] resolvedPermissions, String[] principalsToCheck); 058 059 void registerDescriptor(SecurityPolicyDescriptor descriptor); 060 061 void unregisterDescriptor(SecurityPolicyDescriptor descriptor); 062 063 /** 064 * Checks if any policy restricts the given permission. 065 * <p> 066 * If not, then no post-filtering on policies will be needed for query results. 067 * 068 * @return {@code true} if a policy restricts the permission 069 */ 070 boolean arePoliciesRestrictingPermission(String permission); 071 072 /** 073 * Checks if the policies can be expressed in a query for a given repository. 074 * <p> 075 * If not, then any query made will have to be post-filtered. 076 * 077 * @param repositoryName the target repository name. 078 * @return {@code true} if all policies can be expressed in a query 079 */ 080 boolean arePoliciesExpressibleInQuery(String repositoryName); 081 082 /** 083 * Get the transformers to apply the policies to a query for given repository. 084 * 085 * @param repositoryName the target repository name. 086 * @return the transformers. 087 */ 088 Collection<SQLQuery.Transformer> getPoliciesQueryTransformers(String repositoryName); 089 090 /** 091 * Gets the list of registered security policies. 092 * 093 * @return the policies 094 * @since 5.7.2 095 */ 096 List<SecurityPolicy> getPolicies(); 097 098}