Interface AuthorizationService

All Known Implementing Classes:
AuthorizationServiceImpl, MockAuthorizationServiceImpl

public interface AuthorizationService
Defines the AuthorizationService, which controls authorization using the configured information about services and roles. The isGranted method tells the caller whether access is granted.
  • Method Details

    • getCurrent

      Set<String> getCurrent(String service, List<String> rawRoles)
      Returns all functions that the given roles permit at the given service. These permissions are bound to time and may change over time.
      Parameters:
      service - the requesting service
      rawRoles - the current roles of the user (either from eIAM or from Claim)
      Returns:
      set of permitted functions
    • getDefinition

      ServiceData getDefinition(String service)
      Returns the definition of the given service.
      Parameters:
      service - the requesting service
      Returns:
      the service's definition
    • getRoleMapping

      List<RoleData> getRoleMapping()
      Returns the role mapping.

      Roles consist of different perspectives. The mapping aligns them:

      • claim = role name used in JWT tokens
      • eiam = role name used in eIAM
      • intern = role name used in this library's function permissions
      Returns:
      the mapping for the supported roles
    • isUserPermitted

      boolean isUserPermitted(Collection<String> rawRoles)
      Returns true if the user, based on their roles, is permitted to use the application in general.
      Parameters:
      rawRoles - the current roles of the user (either from eIAM or from Claim)
      Returns:
      true if permitted, otherwise false
    • identifyFunction

      List<ServiceData.Function> identifyFunction(String service, String uri, String httpMethod)
      Returns a list of ServiceData.Function that match the given URI and HTTP method.

      A single entry is a trustworthy identification; more or fewer entries than that indicate that the identification is NOT trustworthy.

      Parameters:
      service - identifies the current service
      uri - the URI the function has to match
      httpMethod - the HTTP method the function has to match
      Returns:
      List of ServiceData.Function that match the given URI and HTTP method
    • isGranted

      boolean isGranted(Set<String> rawRoles, ServiceData.Function function)
      Returns true for the given function if the one-of setting contains the role needed for the function to be accessed. If one-of isn't configured, false is returned.
      Parameters:
      rawRoles - the current roles of the user (either from eIAM or from Claim)
      function - the function to check
      Returns:
      true for the given function if the one-of setting contains the role needed for the function to be accessed. If one-of isn't configured, false is returned.
    • mapRawRoles

      Set<String> mapRawRoles(Collection<String> rawRoles)
      Returns a set with the role names as expected by the ServiceData.Function.
      Parameters:
      rawRoles - the current roles of the user (either from eIAM or from Claim)
      Returns:
      set with role names
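
How a caller can combine identifyFunction and isGranted so that every uncertain case ends in a denial, as an added example that is not part of this library's code. The `Function` record, the `Authz` interface, the `decide` helper and all sample data are stand-ins constructed here; only the two method signatures are copied from the documentation above.

```java
import java.util.List;
import java.util.Set;

public class FailClosedCheck {
    // Stand-ins (assumptions) so the example compiles alone; the real
    // ServiceData.Function and AuthorizationService come from the library.
    record Function(String name, Set<String> oneOf) {}

    interface Authz {
        List<Function> identifyFunction(String service, String uri, String httpMethod);
        boolean isGranted(Set<String> rawRoles, Function function);
    }

    // Allow only when exactly one function is identified and isGranted accepts it.
    static boolean decide(Authz authz, String service, String uri,
                          String httpMethod, Set<String> rawRoles) {
        List<Function> matches = authz.identifyFunction(service, uri, httpMethod);
        if (matches == null || matches.size() != 1) {
            return false; // zero or several matches: identification not trustworthy
        }
        return authz.isGranted(rawRoles, matches.get(0));
    }

    public static void main(String[] args) {
        // Constructed sample configuration, not taken from the library.
        Function read = new Function("read-order", Set.of("reader"));
        Function admin = new Function("admin-order", Set.of("admin"));
        Function export = new Function("export", null); // one-of not configured

        Authz authz = new Authz() {
            public List<Function> identifyFunction(String s, String uri, String m) {
                if (uri.equals("/orders")) return List.of(read);
                if (uri.equals("/orders/1")) return List.of(read, admin); // overlap
                if (uri.equals("/export")) return List.of(export);
                return List.of();
            }
            public boolean isGranted(Set<String> roles, Function f) {
                // Stub of the documented rule only: no one-of setting means false.
                return f.oneOf() != null && f.oneOf().stream().anyMatch(roles::contains);
            }
        };

        Set<String> roles = Set.of("reader");
        for (String uri : List.of("/orders", "/orders/1", "/export", "/unknown")) {
            System.out.println(uri + " -> " + decide(authz, "shop", uri, "GET", roles));
        }
    }
}
```

Only the request that identifies a single function whose one-of contains the caller's role is allowed; the overlapping match, the function without one-of and the unknown URI are all denied.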