Examples of org.rhq.core.domain.authz.Role

• org.rhq.core.domain.authz.Role
  A role has zero or more {@link org.rhq.core.domain.resource.group.ResourceGroup}s assigned to it. You can assign a role to zero or more {@link Subject}s. A role defines a set of {@link Permission}s that the assigned {@link Subject}s are authorized for in order to operate on the Resources in the assigned {@link org.rhq.core.domain.resource.group.ResourceGroup}s. @author Greg Hinkle

        try {
            EntityManager em = getEntityManager();

            // setup simple test structures
            Subject subject = SessionTestHelper.createNewSubject(em, "subject-ClusterManagerBeanTest");
            Role role = SessionTestHelper.createNewRoleForSubject(em, subject, "role-ClusterManagerBeanTest",
                Permission.MANAGE_INVENTORY);

            ResourceGroup clusterGroup = SessionTestHelper.createNewCompatibleGroupForRole(em, role,
                "clusterGroup-ClusterManagerBeanTest");

    @Override
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public void deleteRoles(Subject subject, int[] doomedRoleIds) {
        if (doomedRoleIds != null) {
            for (int roleId : doomedRoleIds) {
                Role doomedRole = entityManager.find(Role.class, roleId);

                //remove attached Subjects
                Set<Subject> subjectsToUnhook = new HashSet<Subject>(doomedRole.getSubjects()); // avoid concurrent mod exception
                for (Subject doomedSubjectRelationship : subjectsToUnhook) {
                    doomedRole.removeSubject(doomedSubjectRelationship);
                    entityManager.merge(doomedSubjectRelationship);
                }

                //remove attached ResourceGroups
                Set<ResourceGroup> groupsToUnhook = new HashSet<ResourceGroup>(doomedRole.getResourceGroups()); // avoid concurrent mod exception
                for (ResourceGroup doomedResourceGroupRelationship : groupsToUnhook) {
                    doomedRole.removeResourceGroup(doomedResourceGroupRelationship);
                    entityManager.merge(doomedResourceGroupRelationship);
                }

                //remove attached Bundle Groups
                Set<BundleGroup> bundleGroupsToUnhook = new HashSet<BundleGroup>(doomedRole.getBundleGroups()); // avoid concurrent mod exception
                for (BundleGroup doomedBundleGroupRelationship : bundleGroupsToUnhook) {
                    doomedRole.removeBundleGroup(doomedBundleGroupRelationship);
                    entityManager.merge(doomedBundleGroupRelationship);
                }

                //remove attached LDAP Subjects
                Set<Subject> ldapSubjectsToUnhook = new HashSet<Subject>(doomedRole.getLdapSubjects()); // avoid concurrent mod exception
                for (Subject doomedLdapSubjectRelationship : ldapSubjectsToUnhook) {
                    doomedRole.removeLdapSubject(doomedLdapSubjectRelationship);
                    entityManager.merge(doomedLdapSubjectRelationship);
                }

                doomedRole = entityManager.merge(doomedRole);

                if (doomedRole.getFsystem()) {
                    throw new PermissionException("You cannot delete an internal system role");
                }

                alertNotificationManager.cleanseAlertNotificationByRole(doomedRole.getId());
                // Fetch the lazy Sets on the Role to be returned.
                //[BZ 754693:] we must fetch the lazy sets of LDAP Groups here for correct cascade removal
                doomedRole.getResourceGroups().size();
                doomedRole.getSubjects().size();
                doomedRole.getLdapGroups().size();

                entityManager.remove(doomedRole);
            }
        }

            }

            subjectToModify.getRoles().size();

            for (Integer roleId : roleIds) {
                Role role = entityManager.find(Role.class, roleId);
                if (role == null) {
                    throw new IllegalArgumentException("Tried to add role[" + roleId + "] to subject[" + subjectId
                        + "], but role was not found");
                }
                role.addSubject(subjectToModify);
                if (isLdap) {
                    role.addLdapSubject(subjectToModify);
                }
            }
        }
    }

     */
    @Override
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public void addSubjectsToRole(Subject subject, int roleId, int[] subjectIds) {
        if (subjectIds != null) {
            Role role = getRoleById(roleId); // attach it
            if (role == null) {
                throw new IllegalArgumentException("Could not find role[" + roleId + "] to add subjects to");
            }

            for (Integer subjectId : subjectIds) {
                Subject newSubject = entityManager.find(Subject.class, subjectId);
                if (newSubject == null) {
                    throw new IllegalArgumentException("Tried to add subject[" + subjectId + "] to role[" + roleId
                        + "], but subject was not found");
                }

                if (newSubject.getFsystem() || (authorizationManager.isSystemSuperuser(newSubject))) {
                    throw new PermissionException("You cannot alter the roles for user [" + newSubject.getName()
                        + "] - roles are fixed for this user");
                }

                role.addSubject(newSubject);

            }
        }

        return;

                throw new PermissionException("You cannot remove roles from user [" + subjectToModify.getName()
                    + "] - roles are fixed for this user");
            }

            for (Integer roleId : roleIds) {
                Role role = entityManager.find(Role.class, roleId);
                if (role != null) {
                    role.removeSubject(subjectToModify);
                }
            }
        }

        return;

    /**
     * @see org.rhq.enterprise.server.authz.RoleManagerLocal#getRoleById(Integer)
     */
    @Override
    public Role getRoleById(Integer roleId) {
        Role role = entityManager.find(Role.class, roleId);
        return role;
    }

     * @see org.rhq.enterprise.server.authz.RoleManagerLocal#setPermissions(Subject, Integer, Set)
     */
    @Override
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public void setPermissions(Subject subject, Integer roleId, Set<Permission> permissions) {
        Role role = entityManager.find(Role.class, roleId);
        Set<Permission> rolePermissions = role.getPermissions();
        rolePermissions.clear();
        rolePermissions.addAll(permissions);
        entityManager.merge(role);
        entityManager.flush();
        return;

    /**
     * @see org.rhq.enterprise.server.authz.RoleManagerLocal#getPermissions(Integer)
     */
    @Override
    public Set<Permission> getPermissions(Integer roleId) {
        Role role = entityManager.find(Role.class, roleId);
        Set<Permission> rolePermissions = role.getPermissions();
        return rolePermissions;
    }

     * @see org.rhq.enterprise.server.authz.RoleManagerLocal#updateRole(Subject, Role)
     */
    @Override
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public Role updateRole(Subject whoami, Role role) {
        Role attachedRole = entityManager.find(Role.class, role.getId());
        if (attachedRole == null) {
            throw new IllegalStateException("Cannot update " + role + ", since no role exists with that id.");
        }

        // First update the simple fields and the permissions.
        attachedRole.setName(role.getName());
        attachedRole.setDescription(role.getDescription());
        attachedRole.setPermissions(role.getPermissions());
        processDependentPermissions(attachedRole);

        // Then update the subjects, resourceGroups, ldapGroups, and/or bundle groups, but only if those fields are
        // non-null on the passed-in Role.
        Set<Subject> newSubjects = role.getSubjects();
        if (newSubjects != null) {
            Set<Subject> currentSubjects = attachedRole.getSubjects();
            // wrap in new HashSet to avoid ConcurrentModificationExceptions.
            Set<Subject> subjectsToRemove = new HashSet<Subject>(currentSubjects);
            for (Subject subject : currentSubjects) {
                // Never remove a system user.
                if (subject.getFsystem()) {
                    subjectsToRemove.remove(subject);
                }
            }
            for (Subject subject : subjectsToRemove) {
                attachedRole.removeSubject(subject);
            }

            for (Subject subject : newSubjects) {
                Subject attachedSubject = entityManager.find(Subject.class, subject.getId());
                attachedRole.addSubject(attachedSubject);
            }
        }

        Set<ResourceGroup> newResourceGroups = role.getResourceGroups();
        if (newResourceGroups != null) {
            // wrap in new HashSet to avoid ConcurrentModificationExceptions.
            Set<ResourceGroup> currentResourceGroups = new HashSet<ResourceGroup>(attachedRole.getResourceGroups());
            for (ResourceGroup resourceGroup : currentResourceGroups) {
                attachedRole.removeResourceGroup(resourceGroup);
            }

            for (ResourceGroup resourceGroup : newResourceGroups) {
                ResourceGroup attachedResourceGroup = entityManager.find(ResourceGroup.class, resourceGroup.getId());
                attachedRole.addResourceGroup(attachedResourceGroup);
            }
        }

        Set<LdapGroup> newLdapGroups = role.getLdapGroups();
        if (newLdapGroups != null) {
            // wrap in new HashSet to avoid ConcurrentModificationExceptions.
            Set<LdapGroup> currentLdapGroups = new HashSet<LdapGroup>(attachedRole.getLdapGroups());
            for (LdapGroup ldapGroup : currentLdapGroups) {
                // Delete removed groups
                if (!newLdapGroups.contains(ldapGroup)) {
                    attachedRole.removeLdapGroup(ldapGroup);
                    entityManager.remove(ldapGroup);
                }
            }

            // Add new groups, but filter those that are still attached
            for (LdapGroup ldapGroup : newLdapGroups) {
                LdapGroup attachedLdapGroup = (ldapGroup.getId() != 0) ? entityManager.find(LdapGroup.class,
                    ldapGroup.getId()) : null;
                if (attachedLdapGroup == null && !currentLdapGroups.contains(ldapGroup)) {
                    ldapGroup.setRole(attachedRole);
                    entityManager.persist(ldapGroup);
                    attachedLdapGroup = ldapGroup;
                }
                if (attachedLdapGroup!=null) {
                    attachedRole.addLdapGroup(attachedLdapGroup);
                }
            }
        }

        Set<BundleGroup> newBundleGroups = role.getBundleGroups();
        if (newBundleGroups != null) {
            // wrap in new HashSet to avoid ConcurrentModificationExceptions.
            Set<BundleGroup> currentBundleGroups = attachedRole.getBundleGroups();
            Set<BundleGroup> bundleGroupsToRemove = new HashSet<BundleGroup>(currentBundleGroups);
            for (BundleGroup bg : newBundleGroups) {
                bundleGroupsToRemove.remove(bg);
            }
            for (BundleGroup bg : bundleGroupsToRemove) {
                attachedRole.removeBundleGroup(bg);
            }

            for (BundleGroup bg : newBundleGroups) {
                BundleGroup attachedBundleGroup = entityManager.find(BundleGroup.class, bg.getId());
                attachedRole.addBundleGroup(attachedBundleGroup);
            }
        }

        // Fetch the lazy Sets on the Role to be returned.
        attachedRole.getResourceGroups().size();
        attachedRole.getSubjects().size();
        attachedRole.getLdapGroups().size();
        attachedRole.getBundleGroups().size();

        return attachedRole;
    }

    @Override
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public void addBundleGroupsToRole(Subject subject, int roleId, int[] bundleGroupIds) {
        if ((bundleGroupIds != null) && (bundleGroupIds.length > 0)) {
            Role role = entityManager.find(Role.class, roleId);
            if (role == null) {
                throw new IllegalArgumentException("Could not find role[" + roleId + "] in order to add resourceGroups");
            }
            role.getBundleGroups().size(); // load them in

            for (Integer bundleGroupId : bundleGroupIds) {
                BundleGroup bundleGroup = entityManager.find(BundleGroup.class, bundleGroupId);
                if (bundleGroup == null) {
                    throw new IllegalArgumentException("Tried to add BundleGroup[" + bundleGroupId + "] to role["
                        + roleId + "], but bundleGroup was not found.");
                }
                role.addBundleGroup(bundleGroup);
            }
        }

        return;
    }