1   /*
2    * MIT License
3    *
4    * Copyright (c) 2010-2022 The Waffle Project Contributors: https://github.com/Waffle/waffle/graphs/contributors
5    *
6    * Permission is hereby granted, free of charge, to any person obtaining a copy
7    * of this software and associated documentation files (the "Software"), to deal
8    * in the Software without restriction, including without limitation the rights
9    * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10   * copies of the Software, and to permit persons to whom the Software is
11   * furnished to do so, subject to the following conditions:
12   *
13   * The above copyright notice and this permission notice shall be included in all
14   * copies or substantial portions of the Software.
15   *
16   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22   * SOFTWARE.
23   */
24  package waffle.shiro;
25  
26  import java.util.Collection;
27  import java.util.HashMap;
28  import java.util.HashSet;
29  import java.util.Map;
30  import java.util.Set;
31  
32  import org.apache.shiro.authz.AuthorizationInfo;
33  import org.apache.shiro.authz.SimpleAuthorizationInfo;
34  
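/**
 * A {@link org.apache.shiro.realm.Realm} that authenticates with Active Directory using WAFFLE and assigns roles to
 * users based on a mapping from their group names. To define permissions based on these roles, set a
 * {@link org.apache.shiro.authz.permission.RolePermissionResolver}.
 * <p>
 * Group-to-role translation is an exact, case-sensitive string lookup (a plain {@link HashMap} keyed by the strings
 * returned from {@link WaffleFqnPrincipal#getGroupFqns()}). A group with no entry in the map contributes no role: the
 * realm fails closed rather than guessing, so a key that does not match the principal's group spelling exactly
 * silently grants nothing. NOTE(review): the map is an unsynchronized {@link HashMap} whose contents are replaced
 * non-atomically by {@link #setGroupRolesMap}; it is presumably meant to be configured before the realm serves
 * requests, not swapped at runtime.
 */
public class GroupMappingWaffleRealm extends AbstractWaffleRealm {

    /** Group name (exactly as reported on the principal) to role name. Unmapped groups yield no role. */
    private final Map<String, String> groupRolesMap = new HashMap<>();

    /**
     * Sets the translation from group names to role names, replacing any previous mapping. If not set, or set to
     * {@code null}, the map is empty, resulting in no users getting roles.
     *
     * @param value
     *            the group roles map to set; {@code null} clears the mapping
     */
    public void setGroupRolesMap(final Map<String, String> value) {
        // Clear first so a replaced configuration never leaves stale group-to-role entries behind.
        this.groupRolesMap.clear();
        if (value != null) {
            this.groupRolesMap.putAll(value);
        }
    }

    /**
     * Translates group names to role names. This implementation looks each group name up in the configured
     * groupRolesMap (exact, case-sensitive match) and ignores groups that have no mapping.
     *
     * @param groupNames
     *            the group names that apply to the current user; {@code null} is treated as no groups
     *
     * @return the distinct role names implied by the given group names, never {@code null}
     *
     * @see #setGroupRolesMap
     */
    protected Collection<String> getRoleNamesForGroups(final Collection<String> groupNames) {
        final Set<String> roleNames = new HashSet<>();
        if (groupNames == null) {
            return roleNames;
        }
        for (final String groupName : groupNames) {
            final String roleName = this.groupRolesMap.get(groupName);
            // Only explicitly mapped groups grant a role; an unmapped group is dropped.
            if (roleName != null) {
                roleNames.add(roleName);
            }
        }
        return roleNames;
    }

    /**
     * Builds an {@link AuthorizationInfo} object based on the user's groups. The groups are translated to role names
     * using the configured groupRolesMap. Only roles are attached here; permissions are left to the
     * {@link org.apache.shiro.authz.permission.RolePermissionResolver} mentioned in the class documentation.
     *
     * @param principal
     *            the principal of the Subject that is being authorized
     *
     * @return the AuthorizationInfo for the given Subject principal
     *
     * @see #setGroupRolesMap
     * @see #getRoleNamesForGroups
     */
    @Override
    protected AuthorizationInfo buildAuthorizationInfo(final WaffleFqnPrincipal principal) {
        final SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        authorizationInfo.addRoles(this.getRoleNamesForGroups(principal.getGroupFqns()));
        return authorizationInfo;
    }

}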
100 }