/hudson-core/src/main/java/hudson/security/ACL.java

http://github.com/hudson/hudson · Java · 115 lines · 27 code · 9 blank · 79 comment · 1 complexity · 781c223a69a0312eae53b5b137351d7e MD5 · raw file

  1. /*
  2. * The MIT License
  3. *
  4. * Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi
  5. *
  6. * Permission is hereby granted, free of charge, to any person obtaining a copy
  7. * of this software and associated documentation files (the "Software"), to deal
  8. * in the Software without restriction, including without limitation the rights
  9. * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  10. * copies of the Software, and to permit persons to whom the Software is
  11. * furnished to do so, subject to the following conditions:
  12. *
  13. * The above copyright notice and this permission notice shall be included in
  14. * all copies or substantial portions of the Software.
  15. *
  16. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  17. * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  18. * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  19. * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  20. * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  21. * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  22. * THE SOFTWARE.
  23. */
  24. package hudson.security;
  25. import org.acegisecurity.Authentication;
  26. import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
  27. import org.acegisecurity.acls.sid.PrincipalSid;
  28. import org.acegisecurity.acls.sid.Sid;
  29. import hudson.model.Hudson;
  30. import hudson.model.Executor;
  31. /**
  32. * Gate-keeper that controls access to Hudson's model objects.
  33. *
  34. * @author Kohsuke Kawaguchi
  35. * @see http://wiki.hudson-ci.org/display/HUDSON/Making+your+plugin+behave+in+secured+Hudson
  36. */
  37. public abstract class ACL {
  38. /**
  39. * Checks if the current security principal has this permission.
  40. *
  41. * <p>
  42. * This is just a convenience function.
  43. *
  44. * @throws org.acegisecurity.AccessDeniedException
  45. * if the user doesn't have the permission.
  46. */
  47. public final void checkPermission(Permission p) {
  48. Authentication a = Hudson.getAuthentication();
  49. if(!hasPermission(a,p))
  50. throw new AccessDeniedException2(a,p);
  51. }
  52. /**
  53. * Checks if the current security principal has this permission.
  54. *
  55. * @return false
  56. * if the user doesn't have the permission.
  57. */
  58. public final boolean hasPermission(Permission p) {
  59. return hasPermission(Hudson.getAuthentication(),p);
  60. }
  61. /**
  62. * Checks if the given principle has the given permission.
  63. *
  64. * <p>
  65. * Note that {@link #SYSTEM} can be passed in as the authentication parameter,
  66. * in which case you should probably just assume it has every permission.
  67. */
  68. public abstract boolean hasPermission(Authentication a, Permission permission);
  69. //
  70. // Sid constants
  71. //
  72. /**
  73. * Special {@link Sid} that represents "everyone", even including anonymous users.
  74. *
  75. * <p>
  76. * This doesn't need to be included in {@link Authentication#getAuthorities()},
  77. * but {@link ACL} is responsible for checking it nontheless, as if it was the
  78. * last entry in the granted authority.
  79. */
  80. public static final Sid EVERYONE = new Sid() {
  81. @Override
  82. public String toString() {
  83. return "EVERYONE";
  84. }
  85. };
  86. /**
  87. * {@link Sid} that represents the anonymous unauthenticated users.
  88. * <p>
  89. * {@link HudsonFilter} sets this up, so this sid remains the same
  90. * regardless of the current {@link SecurityRealm} in use.
  91. */
  92. public static final Sid ANONYMOUS = new PrincipalSid("anonymous");
  93. protected static final Sid[] AUTOMATIC_SIDS = new Sid[]{EVERYONE,ANONYMOUS};
  94. /**
  95. * {@link Sid} that represents the Hudson itself.
  96. * <p>
  97. * This is used when Hudson is performing computation for itself, instead
  98. * of acting on behalf of an user, such as doing builds.
  99. *
  100. * <p>
  101. * (Note that one of the features being considered is to keep track of who triggered
  102. * a build &mdash; so in a future, perhaps {@link Executor} will run on behalf of
  103. * the user who triggered a build.)
  104. */
  105. public static final Authentication SYSTEM = new UsernamePasswordAuthenticationToken("SYSTEM","SYSTEM");
  106. }