Interface SecurityEvaluator

  • All Known Implementing Classes:
    CachedSecurityEvaluator, ExampleEvaluator, ReadOnlyEval, ShiroExampleEvaluator

    public interface SecurityEvaluator
    SecurityEvaluator.

    The security evaluator is the link between the graph security system and an external security system. This interface specifies the methods that are required by the graph security system. It is assumed that the implementation will handle tracking the current user and will query some underlying data source to determine what actions the user can and can not take.

    All questions of white listing or black listing will be handled in the concrete implementation.

    Implementations of this class should probably cache any evaluate calculations as the evaluate methods are called frequently. However, the underlying classes do cache results within a single method check.

    Secured operations
    The security system recognizes and secures each of the CRUD (Create, Read, Update and Delete) operations as represented by the Action enumeration.
    Levels of security
    The security interfaces operates at two (2) levels: graph (or Model) and triple.

    At the the graph level the security evaluator may restrict CRUD access to the graph or model as a whole. When evaluating the restriction, if the user it not permitted to perform the operation on the graph or model access is denied. If the user is permitted any triple restrictions are evaluated.

    At the triple level the security evaluator may restrict CRUD access to specific triples. In order to skip potentially expensive triple security checks the system will generally ask if the user is permitted the CRUD action on any triple. This is represented by the SecTriple (ANY, ANY, ANY).

    • If the system does not support triple level security the system should always return true.
    • If the system does support triple level security and is unable to verify that the user can execute the CRUD action against any arbitrary triple the system should return false.
    • See Node.ANY, SecurityEvaluator.FUTURE, and SecurityEvaluator.VARIABLE for discussion of specifics of their respective usages.
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Interface Description
      static class  SecurityEvaluator.Action
      Identifies a sepcific CRUD actions.
      static class  SecurityEvaluator.Util
      A collection of utility functions for the SecurityEvaluator implementations.
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static Node FUTURE
      This is a blank (anonymous) node that will be created in the future.
      static Node VARIABLE
      Indicates a variable in the triple.
    • Field Detail

      • VARIABLE

        static final Node VARIABLE
        Indicates a variable in the triple.

        This differs from ANY in that the system is asking if there are any prohibitions not if the user may perform. Thus queries with the VARIABLE type node should return true where ANY returns false. In general this type is used in the query to determine if triple level filtering of results must be performed.

        (VARIABLE, X, Y )
        Asks if there are any prohibitions against the user seeing all subjects that have property X and object Y.
        (X, VARIABLE, Y )
        Asks if there are any prohibitions against the user seeing all predicates that have subject X and object Y.
        (X, Y, VARIABLE)
        Asks if there are any prohibitions against the user seeing all objects that have subject X and predicate Y.
        The VARIABLE may occur multiple times and may occur with the ANY node.

      • FUTURE

        static final Node FUTURE
        This is a blank (anonymous) node that will be created in the future.

        FUTURE is used to check that a blank node may be created in as specific position in a triple.

        (FUTURE, X, Y )
        Asks if there the user may create a blank node that has property X and object Y.
        (X, Y, FUTURE)
        Asks if there the user may create a blank node that has subject X and property Y.
        The FUTURE may occur multiple times and may occur with the ANY node.

    • Method Detail

      • evaluate

        boolean evaluate​(java.lang.Object principal,
                         SecurityEvaluator.Action action,
                         Node graphIRI)
                  throws AuthenticationRequiredException
        Determine if the action is allowed on the graph.
        Parameters:
        principal - The principal that is attempting the action.
        action - The action to perform
        graphIRI - The IRI of the graph to check
        Returns:
        true if the action is allowed, false otherwise.
        Throws:
        AuthenticationRequiredException - if user is not authenticated and is required to be.
      • evaluate

        boolean evaluate​(java.lang.Object principal,
                         SecurityEvaluator.Action action,
                         Node graphIRI,
                         Triple triple)
                  throws AuthenticationRequiredException
        Determine if the action is allowed on the triple within the graph.

        The evaluation should be performed in the following order:

        1. If the triple contains a VARIABLE then this method must return true if there are any restrictions where the remaining nodes are either constants or ANY nodes. This will force the system to use subsequent checks to verify access by substituting the value of the VARIABLEs. If the system can not quickly verify the solution it is always acceptable to return true.
        2. Except as specified in the above check, if the triple contains an ANY then this method must return false if there are any restrictions where the remaining nodes are held constant and the ANY node is allowed to vary. This checks is used to avoid subsequent explicit triple checks. If the system can not quickly verify the solution it is always acceptable to return false.
        3. All other triples are explicit triples and the system must determine if the user is permitted to perform the action on the triple. If the triple contains a FUTURE node that node should be considered as an anonymous or blank node that is not yet created. It should only be used with Create actions and is asking if the user may create a blank node in that position in the triple.

        Parameters:
        principal - The principal that is attempting the action.
        action - The action to perform
        graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
        triple - The triple to check
        Returns:
        true if the action is allowed, false otherwise.
        Throws:
        java.lang.IllegalArgumentException - if any argument is null.
        AuthenticationRequiredException - if user is not authenticated and is required to be.
      • evaluate

        default boolean evaluate​(java.lang.Object principal,
                                 java.util.Set<SecurityEvaluator.Action> actions,
                                 Node graphIRI)
                          throws AuthenticationRequiredException
        Determine if all actions are allowed on the graph.
        Parameters:
        principal - The principal that is attempting the action.
        actions - The set of actions to perform
        graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
        Returns:
        true if all the actions are allowed, false otherwise.
        Throws:
        java.lang.IllegalArgumentException - if any argument is null.
        AuthenticationRequiredException - if user is not authenticated and is required to be.
      • evaluate

        default boolean evaluate​(java.lang.Object principal,
                                 java.util.Set<SecurityEvaluator.Action> actions,
                                 Node graphIRI,
                                 Triple triple)
                          throws AuthenticationRequiredException
        Determine if all the actions are allowed on the triple within the graph.

        See evaluate( Action, Node, Triple ) for discussion of evaluation strategy.

        Parameters:
        actions - The actions to perform.
        graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
        triple - The triple to check
        Returns:
        true if all the actions are allowed, false otherwise.
        Throws:
        java.lang.IllegalArgumentException - if any argument is null.
        AuthenticationRequiredException - if user is not authenticated and is required to be.
      • evaluateAny

        default boolean evaluateAny​(java.lang.Object principal,
                                    java.util.Set<SecurityEvaluator.Action> actions,
                                    Node graphIRI)
                             throws AuthenticationRequiredException
        Determine if any of the actions are allowed on the graph.
        Parameters:
        principal - The principal that is attempting the action.
        actions - The actions to perform
        graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
        Returns:
        true true if any the actions are allowed, false otherwise.
        Throws:
        java.lang.IllegalArgumentException - if any argument is null.
        AuthenticationRequiredException - if user is not authenticated and is required to be.
      • evaluateAny

        default boolean evaluateAny​(java.lang.Object principal,
                                    java.util.Set<SecurityEvaluator.Action> actions,
                                    Node graphIRI,
                                    Triple triple)
                             throws AuthenticationRequiredException
        Determine if any of the actions are allowed on the triple within the graph.

        See evaluate( Action, Node, Triple ) for discussion of evaluation strategy.

        Parameters:
        principal - The principal that is attempting the action.
        actions - The actions to check.
        graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
        triple - The triple to check
        Returns:
        true if any the actions are allowed, false otherwise.
        Throws:
        java.lang.IllegalArgumentException - if any argument is null.
        AuthenticationRequiredException - if user is not authenticated and is required to be.
      • evaluateUpdate

        default boolean evaluateUpdate​(java.lang.Object principal,
                                       Node graphIRI,
                                       Triple from,
                                       Triple to)
                                throws AuthenticationRequiredException
        Determine if the user is allowed to update the "from" triple to the "to" triple.

        Update is a special case since it modifies one triple to be another. So the user must have permissions to change the "from" triple into the "to" triple.

        Parameters:
        principal - The principal that is attempting the action.
        graphIRI - The IRI of the graph to the action is being taken upon. May be ANY.
        from - The triple to be changed
        to - The value to change it to.
        Returns:
        true if the user may make the change, false otherwise.
        Throws:
        java.lang.IllegalArgumentException - if any argument is null.
        AuthenticationRequiredException - if user is not authenticated and is required to be.
      • getPrincipal

        java.lang.Object getPrincipal()
        returns the current principal or null if there is no current principal. All security evaluation methods use this method to determine who the call is being executed as. This allows subsystems (like the listener system) to capture the current user and evaluate later calls in terms of that user.
        Returns:
        The current principal
      • isPrincipalAuthenticated

        boolean isPrincipalAuthenticated​(java.lang.Object principal)
        Returns true if the principal is recognized as an authenticated principal by the underlying authentication mechanism. This is to handle the case where an authentication mechanism returns a non-null object to indicate a non-authenticated principal. (e.g. Shiro). The principal is guaranteed to have been the return value from an earlier getPrincipal() call.
        Parameters:
        principal - The principal to check.
        Returns:
        true if authenticated, false if not.
      • isHardReadError

        default boolean isHardReadError()
        Returns true if reads blocked by permissions should throw exceptions. If set false then:
        • For iterators return empty iterators.
        • For existential checks return false.
        • For counts return 0.
        Returns:
        true if reads blocked by permissions should throw an exception.