Package org.projectnessie.services.authz

Interface BatchAccessChecker

  • All Known Implementing Classes:
    AbstractBatchAccessChecker
    public interface BatchAccessChecker
    Accept various allowance-checks and retrieve the result of all operations at once.

    The purpose of the BatchAccessChecker is to accept all required checks via the can...() methods and return the result of these "can do xyz" checks via check().

    The checks make sure that a particular role is allowed to perform an action (such as creation, deletion) on a NamedRef (Branch/Tag). Additionally, this interface also provides checks based on a given ContentKey.

    It is safe to call a check method with the same arguments multiple times.

    Implementations can expect that either check() or checkAndThrow() are called either once or never.

    See Also:
    Check, Check.CheckType, AbstractBatchAccessChecker

    • Method Summary

      All Methods Static Methods Instance Methods Abstract Methods Default Methods 
      Modifier and Type Method Description
      BatchAccessChecker can​(Check check)  
      BatchAccessChecker canAssignRefToHash​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to assign the given Branch/Tag to a commit id.
      BatchAccessChecker canCommitChangeAgainstReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to commit changes against the given Branch/Tag or Detached.
      BatchAccessChecker canCreateReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to create a Branch/Tag.
      BatchAccessChecker canDeleteEntity​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.ContentKey key, java.lang.String contentId)
      Checks whether the given role/principal is allowed to delete an entity value as defined by the ContentKey for the given Branch, called for a Operation.Delete operation in a commit.
      BatchAccessChecker canDeleteReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to delete a Branch/Tag.
      BatchAccessChecker canListCommitLog​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to list the commit log for the given Branch/Tag or Detached.
      BatchAccessChecker canReadContentKey​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.ContentKey key, java.lang.String contentId)
      Called for every content-key about to be returned from, for example, a "get commit log" operation.
      BatchAccessChecker canReadEntityValue​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.ContentKey key, java.lang.String contentId)
      Checks whether the given role/principal is allowed to read an entity value as defined by the ContentKey for the given Branch/Tag or Detached.
      BatchAccessChecker canReadEntries​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to read entries content for the given Branch/Tag or Detached.
      BatchAccessChecker canUpdateEntity​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.ContentKey key, java.lang.String contentId, org.projectnessie.model.Content.Type contentType)
      Checks whether the given role/principal is allowed to update an entity value as defined by the ContentKey for the given Branch, called for a Operation.Put operation in a commit.
      BatchAccessChecker canViewReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to view/list the given Branch/Tag or Detached.
      BatchAccessChecker canViewRefLog()
      Checks whether the given role/principal is allowed to view the reflog entries.
      java.util.Map<Check,​java.lang.String> check()
      Checks the recorded checks.
      default void checkAndThrow()
      Convenience methods that throws an AccessCheckException, if check() returns a non-empty map.
      static void throwForFailedChecks​(java.util.Map<Check,​java.lang.String> failedChecks)  

    • Method Detail

      • check

        java.util.Map<Check,​java.lang.String> check()
        Checks the recorded checks.
        Returns:
        set of failed checks or an empty collection, if all checks passed

      • canViewReference

        BatchAccessChecker canViewReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to view/list the given Branch/Tag or Detached.
        Parameters:
        ref - The NamedRef to check

      • canCreateReference

        BatchAccessChecker canCreateReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to create a Branch/Tag.
        Parameters:
        ref - The NamedRef to check

      • canAssignRefToHash

        BatchAccessChecker canAssignRefToHash​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to assign the given Branch/Tag to a commit id.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check not granted.

      • canDeleteReference

        BatchAccessChecker canDeleteReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to delete a Branch/Tag.
        Parameters:
        ref - The NamedRef to check

      • canReadEntries

        BatchAccessChecker canReadEntries​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to read entries content for the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check

      • canReadContentKey

        BatchAccessChecker canReadContentKey​(org.projectnessie.versioned.NamedRef ref,
                                     org.projectnessie.model.ContentKey key,
                                     @Nullable @Nullable
                                     java.lang.String contentId)
        Called for every content-key about to be returned from, for example, a "get commit log" operation.

        This is an additional check for each content-key. "Early" checks, that run before generating the result, like canReadEntries(NamedRef) or canListCommitLog(NamedRef), run as well.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - current reference
        key - content key to check
        contentId - content id to check, may be null, for example, for Operation.Delete from Operations in the commit log.

      • canListCommitLog

        BatchAccessChecker canListCommitLog​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to list the commit log for the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check

      • canCommitChangeAgainstReference

        BatchAccessChecker canCommitChangeAgainstReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to commit changes against the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check

      • canReadEntityValue

        BatchAccessChecker canReadEntityValue​(org.projectnessie.versioned.NamedRef ref,
                                      org.projectnessie.model.ContentKey key,
                                      java.lang.String contentId)
        Checks whether the given role/principal is allowed to read an entity value as defined by the ContentKey for the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        key - The ContentKey to check
        contentId - The ID of the Content object. See the ContentId docs for how to use this.

      • canUpdateEntity

        BatchAccessChecker canUpdateEntity​(org.projectnessie.versioned.NamedRef ref,
                                   org.projectnessie.model.ContentKey key,
                                   java.lang.String contentId,
                                   org.projectnessie.model.Content.Type contentType)
        Checks whether the given role/principal is allowed to update an entity value as defined by the ContentKey for the given Branch, called for a Operation.Put operation in a commit.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        key - The ContentKey to check
        contentId - The ID of the Content object. See the ContentId docs for how to use this.
        contentType - the Content.Type of the entity value.

      • canDeleteEntity

        BatchAccessChecker canDeleteEntity​(org.projectnessie.versioned.NamedRef ref,
                                   org.projectnessie.model.ContentKey key,
                                   java.lang.String contentId)
        Checks whether the given role/principal is allowed to delete an entity value as defined by the ContentKey for the given Branch, called for a Operation.Delete operation in a commit.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        key - The ContentKey to check
        contentId - The ID of the Content object. See the ContentId docs for how to use this.

      • canViewRefLog

        BatchAccessChecker canViewRefLog()
        Checks whether the given role/principal is allowed to view the reflog entries.