001/**
002 * Copyright 2015 DuraSpace, Inc.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016package org.fcrepo.auth.roles.basic;
017
018import java.util.Set;
019
020import javax.jcr.Session;
021
022import org.fcrepo.auth.roles.common.AbstractRolesAuthorizationDelegate;
023import org.slf4j.Logger;
024import org.slf4j.LoggerFactory;
025
026/**
027 * @author Gregory Jansen
028 */
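/**
 * Role-based authorization delegate implementing a fixed three-role policy:
 * {@code admin} may perform any action, {@code writer} may perform any action
 * outside ACL content but may only read ACL content, and {@code reader} may only
 * read. Every other case, including an empty or unrecognised role set, is denied
 * (the delegate fails closed).
 *
 * @author Gregory Jansen
 */
public class BasicRolesAuthorizationDelegate extends AbstractRolesAuthorizationDelegate {

    private static final Logger LOGGER = LoggerFactory
            .getLogger(BasicRolesAuthorizationDelegate.class);

    /** Role names recognised by this delegate; anything else is denied. */
    private static final String ADMIN_ROLE = "admin";
    private static final String WRITER_ROLE = "writer";
    private static final String READER_ROLE = "reader";

    /** The only action a read-only principal (or a writer on ACL content) may perform. */
    private static final String READ_ACTION = "read";

    /**
     * Decides whether the caller's content roles permit the requested actions on
     * the given path. Roles are evaluated in order of privilege: admin, then
     * writer, then reader. The decision is all-or-nothing — a request is granted
     * only when the policy allows every requested action.
     *
     * @param userSession the caller's JCR session; not consulted by this policy
     * @param absPath absolute path of the node being accessed
     * @param actions the actions requested on that node
     * @param roles the content roles held by the caller (may be empty)
     * @return {@code true} only when the policy grants every requested action
     */
    @Override
    public boolean rolesHavePermission(final Session userSession,
            final String absPath,
            final String[] actions, final Set<String> roles) {
        // Fail closed: no roles supplied at all means no access at all.
        if (roles == null || roles.isEmpty()) {
            LOGGER.debug("A caller without content roles can do nothing in the repository.");
            return false;
        }
        if (roles.contains(ADMIN_ROLE)) {
            LOGGER.debug("Granting an admin role permission to perform any action.");
            return true;
        }
        if (roles.contains(WRITER_ROLE)) {
            // AUTHZ_DETECTION is inherited from the parent class; its presence in the
            // path is what marks ACL content here, which a writer may only read.
            if (absPath.contains(AUTHZ_DETECTION)) {
                if (isReadOnly(actions)) {
                    LOGGER.debug("Granting writer role permission to perform a read action on an ACL node.");
                    return true;
                }
                LOGGER.debug("Denying writer role permission to perform an action on an ACL node.");
                return false;
            }
            LOGGER.debug("Granting writer role permission to perform any action on a non-ACL node.");
            return true;
        }
        if (roles.contains(READER_ROLE)) {
            if (isReadOnly(actions)) {
                LOGGER.debug("Granting reader role permission to perform a read action.");
                return true;
            }
            LOGGER.debug("Denying reader role permission to perform a non-read action.");
            return false;
        }
        // Unrecognised roles are a configuration problem, never an implicit grant:
        // log loudly so misconfiguration is visible, then deny.
        LOGGER.error("There are roles in session that aren't recognized by this authorization delegate: {}",
                     roles);
        return false;
    }

    /**
     * Returns {@code true} only when exactly one action is requested and it is
     * {@code read}. A missing, empty or multi-action request is deliberately
     * treated as not read-only so that mixed requests are denied outright rather
     * than partially granted.
     *
     * @param actions the requested actions; {@code null} is treated as not read-only
     * @return whether the request consists solely of a single read action
     */
    private static boolean isReadOnly(final String[] actions) {
        return actions != null && actions.length == 1 && READ_ACTION.equals(actions[0]);
    }

}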