X-Git-Url: http://git.argeo.org/?p=lgpl%2Fargeo-commons.git;a=blobdiff_plain;f=org.argeo.api.cms%2Fsrc%2Forg%2Fargeo%2Fapi%2Fcms%2Fauth%2FSystemRole.java;fp=org.argeo.api.cms%2Fsrc%2Forg%2Fargeo%2Fapi%2Fcms%2Fauth%2FSystemRole.java;h=9880851789f419c6c22b90ff9356faeccce927ec;hp=0000000000000000000000000000000000000000;hb=b95462873703848193e56fcbe997693630db6121;hpb=55d88fba80cec198a0f11ba7545e19878c51fc5e
diff --git a/org.argeo.api.cms/src/org/argeo/api/cms/auth/SystemRole.java b/org.argeo.api.cms/src/org/argeo/api/cms/auth/SystemRole.java
new file mode 100644
index 000000000..988085178
--- /dev/null
+++ b/org.argeo.api.cms/src/org/argeo/api/cms/auth/SystemRole.java
@@ -0,0 +1,47 @@
+package org.argeo.api.cms.auth;
+
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.xml.namespace.QName;
+
+import org.argeo.api.cms.CmsConstants;
+
+/** A programmatic role. */
+public interface SystemRole {
+ QName qName();
+
+ /** Whether this role is implied for this authenticated user. */
+ default boolean implied(Subject subject, String context) {
+ return implied(qName(), subject, context);
+ }
+
+ /** Whether this role is implied for this distinguished name. */
+ default boolean implied(String dn, String context) {
+ String roleContext = RoleNameUtils.getContext(dn);
+ QName roleName = RoleNameUtils.getLastRdnAsName(dn);
+ return roleContext.equalsIgnoreCase(context) && qName().equals(roleName);
+ }
+
+ /**
+ * Whether this role is implied for this authenticated subject. If context is
+ * null, it is not considered; this should be used to build user
+ * interfaces, but not to authorise.
+ */
+ static boolean implied(QName name, Subject subject, String context) {
+ Set roles = subject.getPrincipals(ImpliedByPrincipal.class);
+ for (ImpliedByPrincipal role : roles) {
+ if (role.isSystemRole()) {
+ if (role.getRoleName().equals(name)) {
+ // !! if context is not specified, it is considered irrelevant
+ if (context == null)
+ return true;
+ if (role.getContext().equalsIgnoreCase(context)
+ || role.getContext().equals(CmsConstants.NODE_BASEDN))
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+}
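Review bot: The `if (context == null) return true;` branch in the static `implied(QName, Subject, String)` makes the check fail open: any caller that passes an unset context gets a context-free match, and the instance overload `implied(Subject, String)` delegates to it without its Javadoc mentioning this. Since the Javadoc itself says the null case must not be used to authorise, consider moving that behaviour into a separately named method for UI code and rejecting null on the authorising path, e.g. `Objects.requireNonNull(context, "context");` (needs `java.util.Objects`). The variants also disagree: `implied(String dn, String context)` has no null wildcard and no `CmsConstants.NODE_BASEDN` match, and would throw on a null `roleContext` if `RoleNameUtils.getContext` can return one (not visible here). It is also worth a comment on why the `NODE_BASEDN` comparison uses case-sensitive `equals` while the context comparison uses `equalsIgnoreCase`.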