ARoad0.gWork
Class AgoRightsFactoryImpl

java.lang.Object
  extended by ARoad0.gWork.AgoRightsFactoryImpl
All Implemented Interfaces:
CoreAlgorithm

public final class AgoRightsFactoryImpl
extends java.lang.Object
implements CoreAlgorithm

This class is responsible for all the core algorithms about Account/Group and Bridge rights. These rights are based mainly on the UserID and GroupID rights of operating systems. This class is stateless, and RightsMediatorImpl, at its creation, sets up an instance for its ViewInBase. The only direct call to ACS is ACS.getManageSecGroupsForActor(). The upper-level methods begin with detect...(), the middle-level methods begin with select...(), and the lower-level methods begin with add...(). Reads the ACS structure for the property:

'AGO right inheritance 2: at each access, if the real account is not the parent account, it uses first its primary group inherited rights, if it is the parent group'.


Field Summary
private  AlgorithmInterpreter interpreter_
           
private  DisplayableLinkUtilities linkUtil_
           
 
Fields inherited from interface ARoad0.gWorkInterface.CoreAlgorithm
INITIAL_CAPACITY
 
Constructor Summary
protected AgoRightsFactoryImpl(AlgorithmInterpreter _interpreter)
          The only constructor; it is protected.
 
Method Summary
 DisplayableLinkImpl addOwnerContainRightsToDisplayableLink(DisplayableLinkImpl _dLink)
          Updates a DisplayableLinkImpl with group and user rights, including for 'root'.
 DisplayableLinkImpl addOwnerContainRightsToLastLinkInDisplayableLink(DisplayableLinkImpl _dLink)
          Updates a DisplayableLinkImpl with group and user rights, including for 'root'.
protected  java.util.Map detectAGRights(EPRViewInBase _viewInBase, java.util.Map _m_l_DisplayableLinks)
          Gets all the Account and Group links to Resource and Actors, but only when all the objects are in the view.
protected  java.util.Map detectGroupRights(EPRViewInBase _viewInBase, java.util.Map _m_l_DisplayableLinks, BaseObject _center)
          Defines all types of effective applicable direct group rights.
 java.util.Map detectHiddenChainedGroupsRights(GraphicView _gview, EPRViewInBase _viewInBase, java.util.Map _upd_m_l_DisplayableLinks)
          Defines the effective applicable rights of an EligibleParty for a Resource in _viewInBase, when there are several UserID or GroupID external to the view, which may define specific access control links based on relations (EligibleParty to UserID/GroupID), (Actor to BridgeTarget to UserID/GroupID), (GroupIDMember to GroupID), (UserID/GroupID to Resource) and (EligibleParty to Actor in another access context).
 java.util.Map detectOneHiddenNodeWithCommonAGORights(GraphicView _gview, EPRViewInBase _viewInBase, java.util.Map _m_l_DisplayableLinks)
          Defines the effective applicable rights of an EligibleParty to a Resource (not to a GroupIDMember or a VirtualFolder) in _viewInBase, when there is exactly one intermediate node, and only AGO rights.
 java.util.Map detectOwnerContainRights(EPRViewInBase _viewInBase, java.util.Map _m_l_DisplayableLinks, boolean _forUser, BaseObject _center)
          Defines the effective applicable rights of a UserID or a GroupID for a Resource which is its member, when the two objects are in the view.
protected  java.util.Map detectRootRights(EPRViewInBase _viewInBase, java.util.Map _m_l_DisplayableLinks, BaseObject _center)
          Defines the effective applicable rights of the administrative account with an order at 0, and for every actor running under such an account, for any resource which is in the view.
 java.util.Map detectSecondaryGroupRights(EPRViewInBase _viewInBase, java.util.Map _m_l_DisplayableLinks, BaseObject _center)
          Defines the effective applicable RUN_UNDER right through a secondary GroupID for an Actor as a rights user.
protected  java.util.Map detectUserRights(EPRViewInBase _viewInBase, java.util.Map _m_l_DisplayableLinks, BaseObject _center)
          Defines the effective applicable rights of a UserID for a Resource which it owns (between an actor and its current UserID) when they are in the view, defines the effective rights between an actor and a resource when they and their common UserID are in the view, and defines the effective rights between an actor and its current UserID.
 void finalizeForProcess()
          Finalizes the instance.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

interpreter_

private AlgorithmInterpreter interpreter_

linkUtil_

private DisplayableLinkUtilities linkUtil_

Constructor Detail

AgoRightsFactoryImpl

protected AgoRightsFactoryImpl(AlgorithmInterpreter _interpreter)
The only constructor; it is protected.

Parameters:
_interpreter - algorithm interpreter

Method Detail

detectUserRights

protected final java.util.Map detectUserRights(EPRViewInBase _viewInBase,
                                               java.util.Map _m_l_DisplayableLinks,
                                               BaseObject _center)
Defines the effective applicable rights of a UserID for a Resource which it owns (between an actor and its current UserID) when they are in the view, defines the effective rights between an actor and a resource when they and their common UserID are in the view, and defines the effective rights between an actor and its current UserID. Called by RightsFactory_Facade.detectSketchRights(). Synchronized to _viewInBase by RightsFactory_Facade.

Parameters:
_viewInBase - EPRViewInBase
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_center - is the central object of a sketch view. Null if it is not a sketch view.
Returns:
Map of DisplayableLinks, with Owner links associated to every pair (EP, Resource).

detectGroupRights

protected final java.util.Map detectGroupRights(EPRViewInBase _viewInBase,
                                                java.util.Map _m_l_DisplayableLinks,
                                                BaseObject _center)
Defines all types of effective applicable direct group rights. Defines the effective applicable rights of a GroupID for a Resource which is its member. Defines the effective rights between an actor and a resource when their common GroupID is in the view. Defines the effective rights for an actor through its secondary groups. Also defines the direct member relations between each GroupIDMember and the GroupIDs in the view. Applies the rule 'AGO right: A rights overlay G rights'. Called by RightsFactory_Facade.detectSketchRights(). Synchronized to _viewInBase by RightsFactory_Facade.

Parameters:
_viewInBase - EPRViewInBase
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_center - is the central object of a sketch view. Null if it is not a sketch view.
Returns:
Map of DisplayableLinks, with Contain links associated to every pair (EP,Resource).
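
The rule 'AGO right: A rights overlay G rights' named above, sketched as an added example that is not part of the ARoad0 code base. It assumes the rule corresponds to POSIX permission-class selection (the first matching class decides) and goes beyond detectGroupRights() by also covering the 'root' and 'other' cases; all type names and sample data are hypothetical.

```java
import java.util.List;
import java.util.Set;

public class AgoOverlayDemo {
    // Which identity class decided the outcome (hypothetical names, not ARoad0 types).
    enum Via { ROOT, OWNER, GROUP, SECONDARY_GROUP, OTHER }

    // An actor running under a current UserID/GroupID, plus its secondary groups.
    record Actor(String name, int uid, int gid, Set<Integer> secondaryGids) {}

    // A resource with an owning UserID, an owning GroupID and POSIX mode bits.
    record Resource(String name, int ownerUid, int groupGid, int mode) {}

    record Decision(Via via, String rights) {}

    // Renders the low 3 bits of a permission value as text, e.g. 6 -> "rw-".
    static String triplet(int bits) {
        return ((bits & 4) != 0 ? "r" : "-")
             + ((bits & 2) != 0 ? "w" : "-")
             + ((bits & 1) != 0 ? "x" : "-");
    }

    // The first matching class decides; later classes are never consulted.
    static Decision effectiveRights(Actor a, Resource r) {
        if (a.uid() == 0) {
            // Simplification: the administrative account (uid 0 assumed) bypasses mode bits.
            return new Decision(Via.ROOT, "rwx");
        }
        if (a.uid() == r.ownerUid()) {
            // A overlays G: owner bits apply even when empty, group bits are ignored.
            return new Decision(Via.OWNER, triplet(r.mode() >> 6));
        }
        if (a.gid() == r.groupGid()) {
            return new Decision(Via.GROUP, triplet(r.mode() >> 3));
        }
        if (a.secondaryGids().contains(r.groupGid())) {
            return new Decision(Via.SECONDARY_GROUP, triplet(r.mode() >> 3));
        }
        return new Decision(Via.OTHER, triplet(r.mode()));
    }

    public static void main(String[] args) {
        // Constructed sample accounts and resources.
        List<Actor> actors = List.of(
            new Actor("root", 0, 0, Set.of()),
            new Actor("alice", 1000, 1000, Set.of(27, 2000)),
            new Actor("bob", 1001, 2000, Set.of()),
            new Actor("carol", 1002, 1002, Set.of()));
        List<Resource> resources = List.of(
            new Resource("report.txt", 1000, 2000, 0060),  // owner ---, group rw-
            new Resource("shared.log", 1001, 27, 0640));   // owner rw-, group r--
        for (Resource r : resources) {
            for (Actor a : actors) {
                Decision d = effectiveRights(a, r);
                System.out.printf("%-5s -> %-10s : %s via %s%n",
                        a.name(), r.name(), d.rights(), d.via());
            }
        }
    }
}
```

In the sample data, alice owns report.txt with empty owner bits, so she gets no rights even though her secondary group 2000 holds rw- on it; an access review that only unions owner and group bits would overstate her access.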

detectOneHiddenNodeWithCommonAGORights

public final java.util.Map detectOneHiddenNodeWithCommonAGORights(GraphicView _gview,
                                                                  EPRViewInBase _viewInBase,
                                                                  java.util.Map _m_l_DisplayableLinks)
                                                           throws java.lang.InterruptedException
Defines the effective applicable rights of an EligibleParty to a Resource (not to a GroupIDMember or a VirtualFolder) in _viewInBase, when there is exactly one intermediate node, and only AGO rights. When the intermediate node is in the view, it is processed by detectUserRights() and detectGroupRights().

An Actor is an EligibleParty, but its processing is different. An actor has no AGO rights of its own if it does not run under a current UserID. Then, the current UserID, the current GroupID and the Actor secondary groups are processed. The path (actor started from xid/current account-group/actor started from other xid) is detected in CompoundRightsFactoryImpl. When there is a chain of hidden userID/groupID/bridges/ACLs which defines the rights, it is processed by detectHiddenChainedGroupsRights().

_m_l_DisplayableLinks is updated only with n DisplayableLinks, where n is the number of GroupID paths through which a _viewInBase EligibleParty has an indirect access right on a _viewInBase Resource. All the links are stored in _m_l_DisplayableLinks. Applies the rule 'AGO right: A rights overlay G rights'. A link is built for the UserID that owns the target, even without rights.

Called by RightsFactory_Facade.detectEPRRights() and detectNoThanRights(). Caution: when called by detectNoThanRights(), _viewInBase is not the view of _gview, since this method uses transient EPRViewInBases, each with a pair of nodes from the initial NoThanViewInBase.

Calls addOwnerContainRightsToDisplayableLink(), NodeRights.selectHiddenDirectOwnerContainGlobalForActorAsEP(), selectHiddenDirectOwnerContainForActorAsResource(), selectHiddenDirectOwnerContainForTarget().

Parameters:
_gview - is the graphic view to update
_viewInBase - EPRViewInBase to analyze
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
Returns:
Map of DisplayableLinks, with hidden UserID/GroupID/Actor links associated to every pair (EP,Resource).
Throws:
java.lang.InterruptedException

detectHiddenChainedGroupsRights

public final java.util.Map detectHiddenChainedGroupsRights(GraphicView _gview,
                                                           EPRViewInBase _viewInBase,
                                                           java.util.Map _upd_m_l_DisplayableLinks)
                                                    throws java.lang.InterruptedException
Defines the effective applicable rights of an EligibleParty for a Resource in _viewInBase, when there are several UserID or GroupID external to the view, which may define specific access control links based on relations (EligibleParty to UserID/GroupID), (Actor to BridgeTarget to UserID/GroupID), (GroupIDMember to GroupID), (UserID/GroupID to Resource) and (EligibleParty to Actor in another access context).

_upd_m_l_DisplayableLinks is updated only with n DisplayableLinks, where n is the number of GroupID paths through which a _viewInBase EligibleParty has an indirect access right on a _viewInBase Resource. All the contain, own and bridge relations are stored in _upd_m_l_DisplayableLinks. Called by RightsFactory_Facade.detectRights() and detectNoThanRights(). Caution: when called by detectNoThanRights(), _viewInBase is not the view of _gview, since this method uses transient EPRViewInBases, each with a pair of nodes from the initial NoThanViewInBase.

Calls NodeRightsImpl.selectHiddenButNoDirectGroupLinks() and selectHiddenDirectOwnerContainForTarget(), LinkRightsImpl.withAccessThroughNodesTreeFromEP() and detectAccountPriorityInLastLinkAGORights(), RightsFactoryUtilities.addOwnerContainRightsToDisplayableLink().

Parameters:
_gview - is the graphic view to update
_viewInBase - EPRViewInBase to analyze
_upd_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
Returns:
_upd_m_l_DisplayableLinks, with hidden UserID/GroupID links associated to every pair (EP, Resource).
Throws:
java.lang.InterruptedException

addOwnerContainRightsToDisplayableLink

public final DisplayableLinkImpl addOwnerContainRightsToDisplayableLink(DisplayableLinkImpl _dLink)
Updates a DisplayableLinkImpl with group and user rights, including for 'root'. The rights are updated following the type of the last node (GroupID, UserID) connected to the resource which is the second end. If this end is a GroupID or a UserID, the link types and the rights are also set. An empty owner relation is set to forbid the other DisplayableLinks based on the group.

When the first node is an actor and the next node is its current user or group, a RUN_UNDER relation is set. When the GLOBAL relation is obtained through the secondary group of the first node, it is put in a comment AccessControlLink.C_SECONDARY_GROUP in the link from the actor to its secondary group. This is also done when the actor is before the last node.

For all the intermediate nodes, the single operation is for the MEMBER relation from a GroupIDMember to a GroupID. In a chain of nodes, IS_INDIRECT_MEMBER replaces IS_MEMBER in the last link. This meets the needs of detectHiddenChainedGroupsRights(). Also updates root rights. Processes _dLink with a bridge, but does not add the BRIDGE type or any comment in the link.

Called by detectOneHiddenNodeWithCommonAGORights(), detectHiddenChainedGroupsRights(), ThreeNodesRightsFactoryImpl.endsPathsFromGroupIDMemberWithAclPrivilegeAlias(). Calls addOwnerContainRightsToLastLinkInDisplayableLink().

Parameters:
_dLink - is a simple or not-simple link: - with a Resource as second end, and a GroupID or UserID as previous node, - or with a GroupID or UserID as second end, and a member or an actor as previous node, - and/or an Actor as first end with its current user/group as next node.
Returns:
the updated _dLink, or null if _dLink is null, or if addOwnerContainRightsToLastLinkInDisplayableLink() returns null.

addOwnerContainRightsToLastLinkInDisplayableLink

public final DisplayableLinkImpl addOwnerContainRightsToLastLinkInDisplayableLink(DisplayableLinkImpl _dLink)
Updates a DisplayableLinkImpl with group and user rights, including for 'root'. The rights are updated following the type of the last node (GroupID, UserID) connected to the resource which is the second end. If this end is a GroupID or a UserID, the link types and the rights are also set. An empty owner or group relation is set to forbid the other DisplayableLinks, if the owner (or group) rights are null.

When the last node is the current user or group of the previous node, a RUN_UNDER relation is set. When it is the secondary group, a GLOBAL relation is set with a comment AccessControlLink.C_SECONDARY_GROUP.

Also updates root rights. Processes _dLink with a bridge, but does not add the BRIDGE type or any comment in the link.

If the method returns null, the argument is not updated. Called by addOwnerContainRightsToDisplayableLink(), NodeRightsImpl.selectHiddenButNoDirectGroupLinks(), CompoundRightsFactoryImpl.detectHiddenCompoundEpRights(), ThreeNodesRightsFactoryImpl.endsPathsFromGroupIDMemberWithAclPrivilegeMemberOwnContain().

Caution: does not call NodeRights.withAccessThroughNodesTreeFromEP(), which is why the caller of this method has to call it beforehand, to be sure that there is a DisplayableLinkImpl to set. Calls LinkRights.getL_accessRightsThroughNodesTree() if the last link is from a GroupIDMember to a Resource, and throws an InternalError if these AGO inherited rights are null or empty.

Parameters:
_dLink - is a simple or not-simple link: - with a Resource as second end, and a GroupID or UserID as previous node, - or with a GroupID or UserID as second end, and a member or an actor as previous node.
Returns:
the updated _dLink, or null if _dLink is null, or if none of the rights or link type settings are applicable.

detectOwnerContainRights

public final java.util.Map detectOwnerContainRights(EPRViewInBase _viewInBase,
                                                    java.util.Map _m_l_DisplayableLinks,
                                                    boolean _forUser,
                                                    BaseObject _center)
Defines the effective applicable rights of a UserID or a GroupID for a Resource which is its member, when the two objects are in the view. Defines the effective rights between an actor and a resource when their common UserID or GroupID is in the view with them. Also defines the relation when a view actor is owned by a UserID or a GroupID which is also in the view, even if the relevant rights of the actor are null, because this relation may allow access from the actor as rights user. Comments the links to view actors having currentUID/GID.

For a sketch view (non-null _center), the resources owned by a UserID or a GroupID are not detected, to keep the view size short. Does NOT define the root rights for the resources when the UserID 'root', with the order equal to 0, is in the view. Does NOT define the IS_MEMBER relations. Does NOT define the group rights when user rights are applicable. Does NOT define the 'other' rights for Linux/Unix operating systems, since the user or group may be activated but hidden, outside the view. Does NOT define the secondary group rights, if the secondary groups are in the view. Processes only the view objects.

Called by detectUserRights() and detectGroupRights(), only for RightsFactory_Facade.detectSketchRights(). Calls LinkRights.withAccessThroughNodesTreeFromEP() and getL_accessRightsThroughNodesTree(). Synchronized to _viewInBase in the calling GraphicView.

Parameters:
_viewInBase - EPRViewInBase
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_forUser - true if the user rights are to be detected, and false if the group rights are to be detected
_center - is the central object of a sketch view. Null if it is not a sketch view.
Returns:
Map of DisplayableLinks, with Owner/Contain type links associated to every pair (EP, Resource).

detectRootRights

protected final java.util.Map detectRootRights(EPRViewInBase _viewInBase,
                                               java.util.Map _m_l_DisplayableLinks,
                                               BaseObject _center)
Defines the effective applicable rights of the administrative account with an order at 0, and for every actor running under such an account, for any resource which is in the view. Called by RightsFactory_Facade.detectEPRRights() and detectSketchRights(). Synchronized to _viewInBase by RightsFactory_Facade.

Parameters:
_viewInBase - EPRViewInBase
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_center - is the central object of a sketch view. Null if it is not a sketch view.
Returns:
Map of DisplayableLinks, with 'root' links associated to every pair (EP,Resource).

detectSecondaryGroupRights

public final java.util.Map detectSecondaryGroupRights(EPRViewInBase _viewInBase,
                                                      java.util.Map _m_l_DisplayableLinks,
                                                      BaseObject _center)
Defines the effective applicable RUN_UNDER right through a secondary GroupID for an Actor as a rights user. There is no right for a secondary GroupID upon an Actor. Defines the rights when the two objects are in the view, and defines the rights between this actor and any view resource belonging to a secondary GroupID. Does not define the root rights when the UserID 'root', with the order equal to 0, is in the view. Called by detectGroupRights(). Synchronized to _viewInBase. Calls ACS.getManageSecGroupsForActor().

Parameters:
_viewInBase - EPRViewInBase
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_center - is the central object of a sketch view. Null if it is not a sketch view.
Returns:
Map of DisplayableLinks, with Contain links associated to every pair.

detectAGRights

protected final java.util.Map detectAGRights(EPRViewInBase _viewInBase,
                                             java.util.Map _m_l_DisplayableLinks)
                                      throws java.lang.InterruptedException
Gets all the Account and Group links to Resource and Actors, but only when all the objects are in the view. Detects the following links:

- 2 links AG/own or contain/resource,

- 3 links actor/run under/current A, current G or secondary group,

- link groupidmember/member/groupID.

Does not apply the rule 'AGO right: A rights overlay G rights', since the group/resource direct link has to be displayed if the group is in the view. But this group/resource direct link is weak, and it is put in the link comment. Studying this method is a good starting point for understanding the AGO rights processing.

Called by RightsFactory_Facade.detectEPRRights() and detectNoThanRights(). Calls selectDirectOwnerContainGlobalForActorAsEP(), NodeRightsImpl.selectDirectOwnerContainGlobalForActorAsEP(), withAccessThroughNodesTreeFromEP() and getL_accessRightsThroughNodesTree().

Parameters:
_viewInBase - EPRViewInBase
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
Returns:
Map of DisplayableLinks
Throws:
java.lang.InterruptedException

finalizeForProcess

public void finalizeForProcess()
Finalizes the instance. Called by RightsMediatorImpl.finalizeForProcess().