[GRP-1198] incorporate John Gasper's hook to assign admin read privilege based on attribute Created: 16/Sep/15  Updated: 16/Sep/15

Status: Open
Project: Grouper
Component/s: API
Affects Version/s: 2.2.1
Fix Version/s: 2.2.2, 2.3.0

Type: New Feature Priority: Minor
Reporter: Chris Hyzer (upenn.edu) Assignee: Chris Hyzer (upenn.edu)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Have an attribute on a folder that will assign READ to a read-only admin group. This attribute can't be removed unless the group is deleted. Cache the attribute assignments for an hour, and clear the cache whenever an attribute assignment or removal happens in this JVM.



 Comments   
Comment by mchyzer [ 16/Sep/15 ]

package edu.internet2.middleware.subject.provider;

import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.MembershipFinder;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.membership.MembershipResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

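/**
 * JNDI source adapter that swaps the "search" search type for the
 * "privilegedSearch" search type when the caller is a member of the
 * privileged group.
 *
 * <p>The privileged group is read from {@code subjectCustomizer.privilegedGroup}
 * (default {@code etc:sysadmingroup}). Every other search type is delegated to
 * the parent adapter unchanged. If the caller is privileged but no
 * {@code privilegedSearch} is defined in sources.xml, an error is logged and the
 * ordinary "search" is used instead, i.e. the adapter degrades to the less
 * privileged query rather than failing the request.
 */
public class PrivilegedAwareGrouperJndiSourceAdapter extends edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter {

  private static final Logger log = LoggerFactory.getLogger(PrivilegedAwareGrouperJndiSourceAdapter.class);

  /** privileged (special employees) group name; read from config once at class load */
  public static final String PRIVILEGED_GROUP_NAME = GrouperConfig.retrieveConfig().propertyValueString("subjectCustomizer.privilegedGroup", "etc:sysadmingroup");

  /**
   * Returns the search for {@code searchType}, substituting the
   * {@code privilegedSearch} search for {@code search} when the current
   * session's subject is a member of {@link #PRIVILEGED_GROUP_NAME}.
   *
   * @param searchType search type name requested by the parent adapter; a null
   *        value is passed through to the parent unchanged instead of throwing
   * @return the parent's search for {@code searchType}, or the privileged search
   *         when the caller is privileged and it is defined
   */
  @Override
  protected Search getSearch(String searchType) {
    // Constant-first comparison: a null searchType is simply "not search".
    if (!"search".equalsIgnoreCase(searchType)) {
      return super.getSearch(searchType);
    }

    // NOTE(review): staticGrouperSession() is expected to throw when no session
    // is open, so there is no null guard here - confirm for the Grouper version in use.
    GrouperSession grouperSession = GrouperSession.staticGrouperSession();

    // Security is deliberately not checked on this membership lookup: a
    // non-privileged caller could not otherwise read the privileged group's
    // membership. The result is only used for this in-JVM decision and is never
    // returned to the caller.
    MembershipResult membershipResult = new MembershipFinder()
        .assignCheckSecurity(false)
        .addGroup(PRIVILEGED_GROUP_NAME)
        .addSubject(grouperSession.getSubject())
        .findMembershipResult();

    boolean callerIsPrivileged = membershipResult.hasGroupMembership(PRIVILEGED_GROUP_NAME, grouperSession.getSubject());

    // Guarded so the member lookup for the log line is only paid when debug is on.
    if (log.isDebugEnabled()) {
      log.debug("Is 'search' caller ({}) privileged? {}", grouperSession.getMember().getName(), callerIsPrivileged);
    }

    if (callerIsPrivileged) {
      Search privilegedSearch = super.getSearch("privilegedSearch");
      if (privilegedSearch != null) {
        return privilegedSearch;
      }
      // Misconfiguration: degrade to the ordinary search rather than fail the request.
      log.error("'privilegedSearch' is not defined in sources.xml for the {} type", this.getClass().getName());
    }
    return super.getSearch("search");
  }
}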

package edu.nd.middleware.grouper;

import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.MembershipFinder;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.membership.MembershipResult;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.grouper.subj.SubjectCustomizerBase;
import edu.internet2.middleware.subject.Subject;
import edu.internet2.middleware.subject.provider.SubjectImpl;

import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.commons.lang.StringUtils;

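/**
 * Subject customizer that hides a protected subject's private information from
 * callers who are not privileged.
 *
 * <p>For a non-privileged caller, every subject that is a member of the
 * protected group is replaced by a stand-in carrying only its id, type and
 * source, the uid as its name, an empty description, and a single attribute
 * (by default {@code cn}) set to the restricted marker (by default
 * {@code "(restricted)"}). A caller who is a member of the privileged group
 * (by default {@code etc:sysadmingroup}) sees the subjects untouched.
 *
 * <p>Configuration keys:
 * <ul>
 * <li>{@code subjectCustomizer.protectedGroup} - required</li>
 * <li>{@code subjectCustomizer.privilegedGroup} - default {@code etc:sysadmingroup}</li>
 * <li>{@code subjectCustomizer.uidField} - default {@code uid}</li>
 * <li>{@code subjectCustomizer.restrictedAttributeName} - default {@code cn}</li>
 * <li>{@code subjectCustomizer.restrictedAttributeValue} - default {@code (restricted)}</li>
 * </ul>
 *
 * @author jgasper
 * @author mchyzer
 */
public class SubjectCustomizer extends SubjectCustomizerBase {

  /** protected (students) group name; required configuration */
  public static final String PROTECTED_GROUP_NAME = GrouperConfig.retrieveConfig().propertyValueStringRequired("subjectCustomizer.protectedGroup");

  /** privileged (special employees) group name */
  public static final String PRIVILEGED_GROUP_NAME = GrouperConfig.retrieveConfig().propertyValueString("subjectCustomizer.privilegedGroup", "etc:sysadmingroup");

  /** subject attribute whose value becomes the restricted stand-in's name */
  public static final String UID_ATTRIBUTE = GrouperConfig.retrieveConfig().propertyValueString("subjectCustomizer.uidField", "uid");

  /** attribute name on the restricted stand-in that carries the restricted marker */
  public static final String RESTRICTED_ATTRIBUTE_NAME = GrouperConfig.retrieveConfig().propertyValueString("subjectCustomizer.restrictedAttributeName", "cn");

  /**
   * Value placed in {@link #RESTRICTED_ATTRIBUTE_NAME} on a restricted stand-in.
   * This used to read the {@code subjectCustomizer.uidField} key (a copy/paste of
   * {@link #UID_ATTRIBUTE}), so a site that configured the uid field also,
   * unintentionally, replaced the restricted marker with that field name.
   */
  public static final String RESTRICTED_ATTRIBUTE_VALUE = GrouperConfig.retrieveConfig().propertyValueString("subjectCustomizer.restrictedAttributeValue", "(restricted)");

  /**
   * Filters the found subjects for the session's caller: a privileged caller
   * gets the set back unchanged; everyone else gets each protected subject
   * replaced by its restricted stand-in.
   *
   * @param grouperSession session whose subject is the caller being authorized
   * @param subjects subjects returned by the source; null or empty is returned as-is
   * @param findSubjectsInStemName stem the search was scoped to (not used here)
   * @return the original set, or a new insertion-ordered set with protected
   *         subjects replaced
   * @see SubjectCustomizerBase#filterSubjects(GrouperSession, Set, String)
   */
  @Override
  public Set<Subject> filterSubjects(GrouperSession grouperSession, Set<Subject> subjects, String findSubjectsInStemName) {

    if (GrouperUtil.length(subjects) == 0) {
      return subjects;
    }

    // One membership query for both groups, covering the caller and every result.
    // Security is deliberately not checked on this lookup: a non-privileged caller
    // could not otherwise read these groups' memberships. The result only drives
    // this in-JVM decision and is never handed back to the caller.
    final MembershipResult membershipResult = new MembershipFinder()
        .assignCheckSecurity(false)
        .addGroup(PROTECTED_GROUP_NAME)
        .addGroup(PRIVILEGED_GROUP_NAME)
        .addSubjects(subjects)
        .addSubject(grouperSession.getSubject())
        .findMembershipResult();

    // Privileged callers see everything.
    if (membershipResult.hasGroupMembership(PRIVILEGED_GROUP_NAME, grouperSession.getSubject())) {
      return subjects;
    }

    final Set<Subject> filtered = new LinkedHashSet<Subject>();
    for (Subject subject : subjects) {
      if (membershipResult.hasGroupMembership(PROTECTED_GROUP_NAME, subject)) {
        filtered.add(restrict(subject));
      } else {
        filtered.add(subject);
      }
    }
    return filtered;
  }

  /**
   * Builds the restricted stand-in for a protected subject: same id, type and
   * source; the uid attribute as the name; an empty description; and only the
   * restricted marker attribute. No other attribute of the original is copied.
   *
   * @param subject protected subject to replace
   * @return a new subject exposing only the fields listed above
   */
  private static Subject restrict(Subject subject) {
    // NOTE(review): if the subject has no uid attribute the stand-in's name is
    // null, as before; a fallback to the id may be wanted - confirm with callers.
    final String netId = subject.getAttributeValue(UID_ATTRIBUTE, false);
    final Subject restricted = new SubjectImpl(subject.getId(), netId, "", subject.getTypeName(), subject.getSourceId());
    restricted.getAttributes(false).put(RESTRICTED_ATTRIBUTE_NAME, GrouperUtil.toSet(RESTRICTED_ATTRIBUTE_VALUE));
    return restricted;
  }
}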
