/*
 * Copyright (c) 2006-2011 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html
 *
 * Contributors:
 *     Anahide Tchertchian
 *     Florent Guillaume
 */
013
014package org.nuxeo.ecm.core.security;
015
016import java.io.Serializable;
017import java.security.Principal;
018import java.util.Collection;
019import java.util.List;
020
021import org.nuxeo.ecm.core.api.security.ACP;
022import org.nuxeo.ecm.core.api.security.Access;
023import org.nuxeo.ecm.core.model.Document;
024import org.nuxeo.ecm.core.query.sql.model.SQLQuery;
025
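/**
 * Service checking permissions for pluggable policies.
 * <p>
 * The security service consults this service for an access decision before applying its own default policy; see
 * {@link #checkPermission(Document, ACP, Principal, String, String[], String[])}.
 *
 * @author Anahide Tchertchian
 * @author Florent Guillaume
 */
public interface SecurityPolicyService extends Serializable {

    /**
     * Checks the given permission for a document and a principal.
     * <p>
     * The security service checks this service for a security access. This access is determined by iterating over
     * the pluggable policies in a defined order. If access is not specified, the security service applies its
     * default policy.
     * <p>
     * An unspecified result is not a grant: the caller has to continue with the following policies or the default
     * core security, and must not treat "nothing" as permission.
     *
     * @param doc the document to check
     * @param mergedAcp merged ACP resolved for this document
     * @param principal principal to check
     * @param permission permission to check
     * @param resolvedPermissions permissions or groups of permissions containing {@code permission}
     * @param principalsToCheck principals (groups) to check for {@code principal}
     * @return the access decision: grant (true), deny (false), or unspecified (nothing). When nothing is returned,
     *         following policies or default core security are applied.
     */
    Access checkPermission(Document doc, ACP mergedAcp, Principal principal, String permission,
            String[] resolvedPermissions, String[] principalsToCheck);

    /**
     * Registers a security policy descriptor with this service.
     * <p>
     * NOTE(review): this interface does not state who may call this method or how a registration affects the order
     * in which policies are evaluated. Registered policies presumably take part in access decisions, so confirm
     * that only trusted component configuration reaches this method.
     *
     * @param descriptor the policy descriptor to register
     */
    void registerDescriptor(SecurityPolicyDescriptor descriptor);

    /**
     * Unregisters a security policy descriptor from this service.
     * <p>
     * NOTE(review): removing a descriptor presumably removes a policy from access decisions, which can widen
     * access if that policy was restrictive; confirm the same caller restrictions as for
     * {@link #registerDescriptor(SecurityPolicyDescriptor)}.
     *
     * @param descriptor the policy descriptor to unregister
     */
    void unregisterDescriptor(SecurityPolicyDescriptor descriptor);

    /**
     * Checks if any policy restricts the given permission.
     * <p>
     * If not, then no post-filtering on policies will be needed for query results.
     *
     * @param permission the permission to check
     * @return {@code true} if a policy restricts the permission
     */
    boolean arePoliciesRestrictingPermission(String permission);

    /**
     * Checks if the policies can be expressed in a query for a given repository.
     * <p>
     * If not, then any query made will have to be post-filtered. In that case the raw query results have not had
     * the policies applied yet, so they should not be handed to the requesting principal before post-filtering.
     *
     * @param repositoryName the target repository name.
     * @return {@code true} if all policies can be expressed in a query
     */
    boolean arePoliciesExpressibleInQuery(String repositoryName);

    /**
     * Gets the transformers to apply the policies to a query for the given repository.
     * <p>
     * NOTE(review): presumably only sufficient on its own when {@link #arePoliciesExpressibleInQuery(String)}
     * returns {@code true} for the same repository; confirm against the implementation.
     *
     * @param repositoryName the target repository name.
     * @return the transformers.
     */
    Collection<SQLQuery.Transformer> getPoliciesQueryTransformers(String repositoryName);

    /**
     * Gets the list of registered security policies.
     *
     * @return the policies
     * @since 5.7.2
     */
    List<SecurityPolicy> getPolicies();

}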