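/**
 * This file Copyright (c) 2016-2017 Magnolia International
 * Ltd. (http://www.magnolia-cms.com). All rights reserved.
 *
 *
 * This file is dual-licensed under both the Magnolia
 * Network Agreement and the GNU General Public License.
 * You may elect to use one or the other of these licenses.
 *
 * This file is distributed in the hope that it will be
 * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
 * implied warranty of MERCHANTABILITY or FITNESS FOR A
 * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
 * Redistribution, except as permitted by whichever of the GPL
 * or MNA you select, is prohibited.
 *
 * 1. For the GPL license (GPL), you can redistribute and/or
 * modify this file under the terms of the GNU General
 * Public License, Version 3, as published by the Free Software
 * Foundation. You should have received a copy of the GNU
 * General Public License, Version 3 along with this program;
 * if not, write to the Free Software Foundation, Inc., 51
 * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * 2. For the Magnolia Network Agreement (MNA), this file
 * and the accompanying materials are made available under the
 * terms of the MNA which accompanies this distribution, and
 * is available at http://www.magnolia-cms.com/mna.html
 *
 * Any modifications to this file must keep this entire header
 * intact.
 *
 */
package info.magnolia.security.app.util;

import info.magnolia.cms.security.Permission;
import info.magnolia.cms.util.SimpleUrlPattern;
import info.magnolia.cms.util.UrlPattern;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;

/**
 * Utility class used when validating a permission grant: it selects the granting user's own
 * permission that applies to the path being granted, and lists the user's own restrictions
 * that the grant could bypass.
 */
public class AccessControlPropertyUtil {

    /**
     * Returns the most specific permission in {@code permissions} that matches {@code path}.
     *
     * <p>Among the entries whose {@link Permission#match} accepts the path, the one with the longest
     * pattern wins, provided the pattern length does not exceed the length of the path. When two
     * entries have the same pattern length, the one with the numerically higher permission value wins.
     *
     * <p>This method only selects an entry; it does not compare it with the rights being granted.
     * That comparison is presumably done by the caller.
     *
     * @param permissions the permissions to search; may be {@code null}
     * @param path the path a permission is being granted on
     * @return the selected permission, or {@code null} if {@code permissions} is {@code null} or no
     *         entry was selected. A matching entry with pattern length 0 and permission value 0 is
     *         never selected on its own, so {@code null} has to be read as "no applicable permission".
     */
    public static Permission findBestMatchingPermissions(List<Permission> permissions, String path) {
        if (permissions == null) {
            return null;
        }
        Permission bestMatch = null;
        long permission = 0;
        int patternLength = 0;
        // Iterate over a copy, as before, rather than over the caller's list itself.
        for (Permission p : new ArrayList<>(permissions)) {
            if (p.match(path)) {
                // Pattern length typically deducts ending wildcard '*'
                // see info.magnolia.cms.util.SimpleUrlPattern#setPatternString
                // also stays in line with info.magnolia.cms.security.AccessManagerImpl#getPermissions
                int l = p.getPattern().getLength();
                if (patternLength == l && (permission < p.getPermissions())) {
                    // Same specificity: the higher value wins.
                    // NOTE(review): this is a numeric comparison; if the values are bit masks, a higher
                    // number is not necessarily a superset of rights - confirm against Permission.
                    permission = p.getPermissions();
                    bestMatch = p;
                } else if (patternLength < l && l <= path.length()) {
                    // A more specific pattern replaces the current choice even when it carries a lower
                    // value, so a restriction on a deeper path takes precedence over a broader grant.
                    patternLength = l;
                    permission = p.getPermissions();
                    bestMatch = p;
                }
            }
        }
        return bestMatch;
    }

    /**
     * Finds potentially violated permissions, i.e. the user's own permissions on sub-paths of the
     * granted path that carry a lower permission value (restrictions) than the one being granted.
     *
     * <p>An entry is reported when {@code grantPermValue} is numerically greater than its value and
     * its pattern string is matched by a {@link SimpleUrlPattern} built from {@code grantPath}.
     *
     * @param ownPerms the granting user's own permissions; must not be {@code null}
     * @param grantPath the path (pattern) the permission is being granted on
     * @param grantPermValue the permission value being granted
     * @return the entries of {@code ownPerms} that the grant would exceed; empty if there are none
     * @throws NullPointerException if {@code ownPerms} is {@code null}
     */
    public static Set<Permission> findViolatedPermissions(List<Permission> ownPerms, String grantPath, long grantPermValue) {
        Set<Permission> violatedPerms = new HashSet<>();
        UrlPattern grantUrlPattern = new SimpleUrlPattern(grantPath);

        // A missing permission list must not be read as "nothing violated": keep failing with a
        // NullPointerException, as the loop below always did, but say why.
        Objects.requireNonNull(ownPerms, "ownPerms must not be null");

        for (Permission ownPerm : ownPerms) {
            String ownPath = ownPerm.getPattern().getPatternString();
            long ownPermValue = ownPerm.getPermissions();

            // NOTE(review): ownPath is itself a pattern string, so matching it against the grant
            // pattern is an approximation (hence "potential" violations); the value check is a
            // numeric comparison - confirm that it is adequate for the permission values in use.
            if (grantPermValue > ownPermValue && grantUrlPattern.match(ownPath)) {
                violatedPerms.add(ownPerm);
            }
        }
        return violatedPerms;
    }
}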