
/hudson-core/src/main/java/hudson/security/ACL.java

http://github.com/hudson/hudson
  1/*
  2 * The MIT License
  3 * 
  4 * Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi
  5 * 
  6 * Permission is hereby granted, free of charge, to any person obtaining a copy
  7 * of this software and associated documentation files (the "Software"), to deal
  8 * in the Software without restriction, including without limitation the rights
  9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 10 * copies of the Software, and to permit persons to whom the Software is
 11 * furnished to do so, subject to the following conditions:
 12 * 
 13 * The above copyright notice and this permission notice shall be included in
 14 * all copies or substantial portions of the Software.
 15 * 
 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 22 * THE SOFTWARE.
 23 */
 24package hudson.security;
 25
 26import org.acegisecurity.Authentication;
 27import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 28import org.acegisecurity.acls.sid.PrincipalSid;
 29import org.acegisecurity.acls.sid.Sid;
 30import hudson.model.Hudson;
 31import hudson.model.Executor;
 32
 33/**
 34 * Gate-keeper that controls access to Hudson's model objects.
 35 *
 36 * @author Kohsuke Kawaguchi
 37 * @see <a href="http://wiki.hudson-ci.org/display/HUDSON/Making+your+plugin+behave+in+secured+Hudson">Making your plugin behave in secured Hudson</a>
 38 */
public abstract class ACL {
    /**
     * Enforces a permission against whoever is making the current call.
     *
     * <p>
     * Convenience wrapper: the caller's identity is taken from
     * {@link Hudson#getAuthentication()} and the decision is delegated to
     * {@link #hasPermission(Authentication, Permission)}. The method is
     * {@code final}, so an implementation cannot replace this enforcement
     * path; a denial always surfaces as an exception rather than a return value.
     *
     * @param p
     *      the permission the current principal must hold.
     * @throws org.acegisecurity.AccessDeniedException
     *      if the current principal is not granted the permission.
     */
    public final void checkPermission(Permission p) {
        Authentication current = Hudson.getAuthentication();
        if (hasPermission(current, p)) {
            return;
        }
        // The exception carries both the identity and the permission that was refused.
        throw new AccessDeniedException2(current, p);
    }

    /**
     * Asks whether the current security principal holds the permission,
     * without throwing.
     *
     * <p>
     * Callers that use this form are responsible for acting on a
     * {@code false} result themselves; nothing is enforced here.
     *
     * @param p
     *      the permission to test.
     * @return {@code true} if the current principal is granted the permission,
     *      {@code false} otherwise.
     */
    public final boolean hasPermission(Permission p) {
        Authentication current = Hudson.getAuthentication();
        return hasPermission(current, p);
    }

    /**
     * Decides whether the given principal holds the given permission.
     *
     * <p>
     * This is the single decision point of the class: both {@code final}
     * convenience methods above funnel into it.
     *
     * <p>
     * {@link #SYSTEM} may be passed as the authentication, in which case an
     * implementation should probably treat it as holding every permission.
     * NOTE(review): an implementation that special-cases {@link #SYSTEM}
     * presumably should compare by reference ({@code a == ACL.SYSTEM}) rather
     * than by principal name, so that a realm account that happens to be named
     * "SYSTEM" is not treated as Hudson itself; confirm against the
     * implementations.
     *
     * @param a
     *      the principal whose rights are being evaluated.
     * @param permission
     *      the permission to test.
     * @return {@code true} if the principal is granted the permission.
     */
    public abstract boolean hasPermission(Authentication a, Permission permission);

    //
    // Sid constants
    //

    /**
     * Special {@link Sid} standing for "everyone", anonymous users included.
     *
     * <p>
     * It does not have to appear in {@link Authentication#getAuthorities()};
     * an {@link ACL} is nonetheless responsible for evaluating it, as if it were
     * the last entry among the granted authorities. Anything granted to this
     * sid is therefore granted to unauthenticated callers as well.
     */
    public static final Sid EVERYONE = new Sid() {
        @Override
        public String toString() {
            return "EVERYONE";
        }
    };

    /**
     * {@link Sid} standing for anonymous, unauthenticated users.
     *
     * <p>
     * {@link HudsonFilter} sets this up, so the sid stays the same whichever
     * {@link SecurityRealm} is currently in use.
     */
    public static final Sid ANONYMOUS = new PrincipalSid("anonymous");

    /**
     * The sids declared above that do not correspond to a named account:
     * {@link #EVERYONE} followed by {@link #ANONYMOUS}.
     *
     * <p>
     * Only the reference is {@code final}; the array elements can still be
     * reassigned by any code that can see this field, so it must be treated
     * as read-only.
     */
    protected static final Sid[] AUTOMATIC_SIDS = new Sid[] {EVERYONE, ANONYMOUS};

    /**
     * {@link Authentication} that represents Hudson itself.
     *
     * <p>
     * It is used when Hudson performs work on its own account, such as
     * running builds, instead of acting on behalf of a user. The token is
     * built with the literal principal and credentials "SYSTEM".
     *
     * <p>
     * (One of the features being considered is to keep track of who triggered
     * a build &mdash; so in the future an {@link Executor} may run on behalf
     * of the user who triggered the build.)
     */
    public static final Authentication SYSTEM =
            new UsernamePasswordAuthenticationToken("SYSTEM", "SYSTEM");
}