org.apache.james.mailbox.acl

Class UnionMailboxACLResolver

java.lang.Object

org.apache.james.mailbox.acl.UnionMailboxACLResolver

All Implemented Interfaces:

MailboxACLResolver

public class UnionMailboxACLResolver
extends Object
implements MailboxACLResolver

An implementation which works with the union of the rights granted to the applicable identifiers. Inspired by RFC 4314 Section 2. In UnionMailboxACLResolver#resolveRights(String, org.apache.james.mailbox.MailboxACLResolver.GroupMembershipResolver, MailboxACL, String, boolean) all applicable negative and non-negative rights are union-ed separately and the result is computed afterwards with nonNegativeUnion.except(negativeUnion). Allows for setting distinct global ACL for users' mailboxes on one hand and group (a.k.a shared) mailboxes on the other hand. E.g. the zero parameter constructor uses full rights for user mailboxes and full-except-administration rights for group mailboxes.

Field Summary

Fields

Modifier and Type	Field and Description
static MailboxACL	DEFAULT_GLOBAL_GROUP_ACL
static MailboxACL	DEFAULT_GLOBAL_USER_ACL Nothing else than full rights for the owner.

Constructor Summary

Constructors

Constructor and Description
UnionMailboxACLResolver() Creates a new instance of UnionMailboxACLResolver with DEFAULT_GLOBAL_USER_ACL as userGlobalACL and DEFAULT_GLOBAL_USER_ACL as groupGlobalACL.
UnionMailboxACLResolver(MailboxACL userGlobalACL, MailboxACL groupGlobalACL) Creates a new instance of UnionMailboxACLResolver with the given globalACL.

Method Summary

Methods

Modifier and Type	Method and Description
protected static boolean	applies(MailboxACL.MailboxACLEntryKey aclKey, MailboxACL.MailboxACLEntryKey queryKey, GroupMembershipResolver groupMembershipResolver, String resourceOwner, boolean resourceOwnerIsGroup) Tells whether the given aclKey MailboxACL.MailboxACLEntryKey is applicable for the given queryKey.
MailboxACL	applyGlobalACL(MailboxACL resourceACL, boolean resourceOwnerIsGroup) Applies global ACL to the given resourceACL.
boolean	hasRight(String requestUser, GroupMembershipResolver groupMembershipResolver, MailboxACL.MailboxACLRight right, MailboxACL resourceACL, String resourceOwner, boolean resourceOwnerIsGroup) Tells whether the given user has the given right granted on the basis of the given resourceACL.
boolean	isReadWrite(MailboxACL.MailboxACLRights mailboxACLRights, javax.mail.Flags sharedFlags) Maps the given mailboxACLRights to READ-WRITE and READ-ONLY response codes.
MailboxACL.MailboxACLRights[]	listRights(MailboxACL.MailboxACLEntryKey queryKey, GroupMembershipResolver groupMembershipResolver, String resourceOwner, boolean resourceOwnerIsGroup) The key point of this implementation is that it resolves everything what can be resolved.
MailboxACL.MailboxACLRights	resolveRights(String requestUser, GroupMembershipResolver groupMembershipResolver, MailboxACL resourceACL, String resourceOwner, boolean resourceOwnerIsGroup) Computes the rights which apply to the given user and resource.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_GLOBAL_GROUP_ACL

public static final MailboxACL DEFAULT_GLOBAL_GROUP_ACL

DEFAULT_GLOBAL_USER_ACL

public static final MailboxACL DEFAULT_GLOBAL_USER_ACL

Nothing else than full rights for the owner.

Constructor Detail

UnionMailboxACLResolver

public UnionMailboxACLResolver()

Creates a new instance of UnionMailboxACLResolver with DEFAULT_GLOBAL_USER_ACL as userGlobalACL and DEFAULT_GLOBAL_USER_ACL as groupGlobalACL.

UnionMailboxACLResolver

public UnionMailboxACLResolver(MailboxACL userGlobalACL,
                       MailboxACL groupGlobalACL)

Creates a new instance of UnionMailboxACLResolver with the given globalACL.

Parameters:

groupGlobalACL -

globalACL - see userGlobalACL, cannot be null.

Throws:

NullPointerException - when globalACL is null.

Method Detail

applies

protected static boolean applies(MailboxACL.MailboxACLEntryKey aclKey,
              MailboxACL.MailboxACLEntryKey queryKey,
              GroupMembershipResolver groupMembershipResolver,
              String resourceOwner,
              boolean resourceOwnerIsGroup)

Tells whether the given aclKey MailboxACL.MailboxACLEntryKey is applicable for the given queryKey. There are two use cases for which this method was designed and tested: (1) Calls from #hasRight(String, GroupMembershipResolver, MailboxACLRight, MailboxACL, String, boolean) and resolveRights(String, GroupMembershipResolver, MailboxACL, String, boolean) in which the queryKey is a MailboxACL.NameType.user. (2) Calls from #listRights(MailboxACLEntryKey, GroupMembershipResolver, String, boolean) where queryKey can be anything including MailboxACL.NameType.user, MailboxACL.NameType.group and all MailboxACL.NameType.special identifiers. Clearly the set of cases which this method has to handle in (1) is a proper subset of the cases handled in (2). See the javadoc on #listRights(MailboxACLEntryKey, GroupMembershipResolver, String, boolean) for more details.

Parameters:

aclKey -

queryKey -

groupMembershipResolver -

resourceOwner -

resourceOwnerIsGroup -

Returns:

applyGlobalACL

public MailboxACL applyGlobalACL(MailboxACL resourceACL,
                        boolean resourceOwnerIsGroup)
                          throws UnsupportedRightException

Description copied from interface: MailboxACLResolver

Applies global ACL to the given resourceACL. From RFC 4314: An implementation [...] MAY force rights to always or never be granted to particular identifiers.

Specified by:

applyGlobalACL in interface MailboxACLResolver

Returns:

Throws:

UnsupportedRightException

See Also:

org.apache.james.mailbox.MailboxACLResolver#applyGlobalACL(org.apache .james.mailbox.MailboxACL, boolean)

hasRight

public boolean hasRight(String requestUser,
               GroupMembershipResolver groupMembershipResolver,
               MailboxACL.MailboxACLRight right,
               MailboxACL resourceACL,
               String resourceOwner,
               boolean resourceOwnerIsGroup)
                 throws UnsupportedRightException

Description copied from interface: MailboxACLResolver

Tells whether the given user has the given right granted on the basis of the given resourceACL. Global ACL (if there is any) should be applied within this method.

Specified by:

hasRight in interface MailboxACLResolver

Parameters:

requestUser - the user for whom the given right is tested, possibly null when there is no authenticated user in the given context.

groupMembershipResolver - this resolver is used when checking whether any group rights contained in resourceACL are applicable for the requestUser.

right - the right which will be proven to apply for the given requestUser.

resourceACL - the ACL defining the access right for the resource in question.

resourceOwner - this user name is used as a replacement for the "owner" place holder in the resourceACL.

resourceOwnerIsGroup - true if the resourceOwner is a group of users, false otherwise.

Returns:

true if the given user has the given right for the given resource; false otherwise.

Throws:

UnsupportedRightException

See Also:

org.apache.james.mailbox.store.mail.MailboxACLResolver#hasRight(java. lang.String, org.apache.james.mailbox.store.mail.MailboxACLResolver. GroupMembershipResolver, org.apache.james.mailbox.MailboxACL.MailboxACLRight, org.apache.james.mailbox.MailboxACL, java.lang.String)

isReadWrite

public boolean isReadWrite(MailboxACL.MailboxACLRights mailboxACLRights,
                  javax.mail.Flags sharedFlags)
                    throws UnsupportedRightException

Description copied from interface: MailboxACLResolver

Maps the given mailboxACLRights to READ-WRITE and READ-ONLY response codes. From RFC 4314 section 5.2: The server SHOULD include a READ-WRITE response code in the tagged OK response if at least one of the "i", "e", or "shared flag rights"(***) is granted to the current user. The server MUST include a READ-ONLY response code in the tagged OK response to a SELECT command if none of the following rights is granted to the current user: "i", "e", and "shared flag rights"(***).

Specified by:

isReadWrite in interface MailboxACLResolver

Parameters:

mailboxACLRights - the rights applicable to the user and resource in question. This method supposes that any global ACLs were already applied to the mailboxACLRights parameter before this method is called.

sharedFlags - From RFC 4314 section 5.2: If the ACL server implements some flags as shared for a mailbox (i.e., the ACL for the mailbox MAY be set up so that changes to those flags are visible to another user), let’s call the set of rights associated with these flags (as described in Section 4) for that mailbox collectively as "shared flag rights". Note that the "shared flag rights" set MAY be different for different mailboxes. If the server doesn’t support "shared multiuser write access" to a mailbox or doesn’t implement shared flags on the mailbox, "shared flag rights" for the mailbox is defined to be the empty set.

Returns:

Throws:

UnsupportedRightException

See Also:

MailboxACLResolver.isReadWrite(org.apache.james.mailbox.model.MailboxACL.MailboxACLRights, javax.mail.Flags)

listRights

public MailboxACL.MailboxACLRights[] listRights(MailboxACL.MailboxACLEntryKey queryKey,
                                       GroupMembershipResolver groupMembershipResolver,
                                       String resourceOwner,
                                       boolean resourceOwnerIsGroup)
                                         throws UnsupportedRightException

The key point of this implementation is that it resolves everything what can be resolved. Let us explain what it means in particular for the implicit (global) rights included in the result: (1) if queryKey is a user key, the rights included come from the following ACL entries:

• the entry literally matching the given user name
• the entries of the groups of which the given user is a member
• if the given user is the owner of the given mailbox also the "owner" entry is included
• the "authenticated" entry
• the "anybody" entry

(2) if queryKey is a group key, the rights included come from the following ACL entries:

• the entry literally matching the given group name
• if the given group is the owner of the given mailbox also the "owner" entry is included
• the "authenticated" entry (*)
• the "anybody" entry

(3) if queryKey is a special key, the rights included come from the following ACL entries:

• the entry literally matching the given special name
• the "authenticated" entry if the queryKey is the "owner" query key (*)
• the "anybody" entry

(*) This is the most questionable case: should "authenticated" ACL entries hold for group name queries? We say yes. Firstly, listing implicit rights for, say "group1", should inform which rights do not need to be set explicitly for the members of "group1". And secondly the group rights are actually queried and applied only for authenticated users. To put it in other words, the hasRight(user, right, ...) call can be performed only either with user == null (only "anybody" rights will apply) or with a user name which is there only after the user was authenticated.

Specified by:

listRights in interface MailboxACLResolver

Parameters:

queryKey - the identifier from the LISTRIGHTS command

resourceOwner - the owner of the mailbox named in the LISTRIGHTS command. User name or group name.

resourceOwnerIsGroup - true if the resourceOwner is a group of users, false otherwise.

Returns:

an array of MailboxACL.MailboxACLRights. The first element is the set of implicit (global) rights which does not need to be set explicitly for the given identifier. Further elements are groups of rights which can be set for the given identifier and resource.

Throws:

UnsupportedRightException

See Also:

org.apache.james.mailbox.acl.MailboxACLResolver#listRightsDefault(boolean)

resolveRights

public MailboxACL.MailboxACLRights resolveRights(String requestUser,
                                        GroupMembershipResolver groupMembershipResolver,
                                        MailboxACL resourceACL,
                                        String resourceOwner,
                                        boolean resourceOwnerIsGroup)
                                          throws UnsupportedRightException

Description copied from interface: MailboxACLResolver

Computes the rights which apply to the given user and resource. Global ACL (if there is any) should be applied within this method.

Specified by:

resolveRights in interface MailboxACLResolver

Parameters:

requestUser - the user for whom the rights are computed, possibly null when there is no authenticated user in the given context.

groupMembershipResolver - this resolver is used when checking whether any group rights contained in resourceACL are applicable for the requestUser.

resourceACL - the ACL defining the access right for the resource in question.

resourceOwner - this user name is used as a replacement for the "owner" place holder in the resourceACL.

resourceOwnerIsGroup - true if the resourceOwner is a group of users, false otherwise.

Returns:

the rights applicable for the given user and resource.

Throws:

UnsupportedRightException

See Also:

org.apache.james.mailbox.store.mail.MailboxACLResolver#rightsOf(java. lang.String, org.apache.james.mailbox.store.mail.MailboxACLResolver. GroupMembershipResolver, org.apache.james.mailbox.MailboxACL, java.lang.String)