Package org.projectnessie.services.authz

Interface BatchAccessChecker

  • All Known Implementing Classes:
    AbstractBatchAccessChecker
    public interface BatchAccessChecker
    Accept various allowance-checks and retrieve the result of all operations at once.

    The purpose of the BatchAccessChecker is to accept all required checks via the can...() methods and return the result of these "can do xyz" checks via check().

    The checks make sure that a particular role is allowed to perform an action (such as creation, deletion) on a NamedRef (Branch/Tag). Additionally, this interface also provides checks based on a given ContentKey.

    It is safe to call a check method with the same arguments multiple times.

    Implementations can expect that either check() or checkAndThrow() are called either once or never.

    See Also:
    Check, Check.CheckType, AbstractBatchAccessChecker

    • Method Summary

      All Methods Static Methods Instance Methods Abstract Methods Default Methods 
      Modifier and Type Method Description
      BatchAccessChecker can​(Check check)  
      BatchAccessChecker canAssignRefToHash​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to assign the given Branch/Tag to a commit id.
      BatchAccessChecker canCommitChangeAgainstReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to commit changes against the given Branch/Tag or Detached.
      BatchAccessChecker canCreateEntity​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to create a new entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.
      BatchAccessChecker canCreateReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to create a Branch/Tag.
      BatchAccessChecker canDeleteEntity​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to delete an entity value as defined by the ContentKey for the given Branch, called for a Operation.Delete operation in a commit.
      BatchAccessChecker canDeleteReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to delete a Branch/Tag.
      BatchAccessChecker canListCommitLog​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to list the commit log for the given Branch/Tag or Detached.
      BatchAccessChecker canReadContentKey​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Called for every content-key about to be returned from, for example, a "get commit log" operation.
      BatchAccessChecker canReadEntityValue​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to read an entity value as defined by the ContentKey for the given Branch/Tag or Detached.
      BatchAccessChecker canReadEntries​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to read entries content for the given Branch/Tag or Detached.
      BatchAccessChecker canReadRepositoryConfig​(org.projectnessie.model.RepositoryConfig.Type repositoryConfigType)  
      BatchAccessChecker canUpdateEntity​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to update an existing entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.
      BatchAccessChecker canUpdateRepositoryConfig​(org.projectnessie.model.RepositoryConfig.Type repositoryConfigType)  
      BatchAccessChecker canViewReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to view/list the given Branch/Tag or Detached.
      java.util.Map<Check,​java.lang.String> check()
      Checks the recorded checks.
      default void checkAndThrow()
      Convenience methods that throws an AccessCheckException, if check() returns a non-empty map.
      static void throwForFailedChecks​(java.util.Map<Check,​java.lang.String> failedChecks)  

    • Method Detail

      • check

        java.util.Map<Check,​java.lang.String> check()
        Checks the recorded checks.
        Returns:
        map of failed checks or an empty collection, if all checks passed

      • canViewReference

        @CanIgnoreReturnValue
BatchAccessChecker canViewReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to view/list the given Branch/Tag or Detached.
        Parameters:
        ref - The NamedRef to check

      • canCreateReference

        @CanIgnoreReturnValue
BatchAccessChecker canCreateReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to create a Branch/Tag.
        Parameters:
        ref - The NamedRef to check

      • canAssignRefToHash

        @CanIgnoreReturnValue
BatchAccessChecker canAssignRefToHash​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to assign the given Branch/Tag to a commit id.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check not granted.

      • canDeleteReference

        @CanIgnoreReturnValue
BatchAccessChecker canDeleteReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to delete a Branch/Tag.
        Parameters:
        ref - The NamedRef to check

      • canReadEntries

        @CanIgnoreReturnValue
BatchAccessChecker canReadEntries​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to read entries content for the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check

      • canReadContentKey

        @CanIgnoreReturnValue
BatchAccessChecker canReadContentKey​(org.projectnessie.versioned.NamedRef ref,
                                     org.projectnessie.model.IdentifiedContentKey identifiedKey)
        Called for every content-key about to be returned from, for example, a "get commit log" operation.

        This is an additional check for each content-key. "Early" checks, that run before generating the result, like canReadEntries(NamedRef) or canListCommitLog(NamedRef), run as well.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - current reference
        identifiedKey - content key / ID / type to check

      • canListCommitLog

        @CanIgnoreReturnValue
BatchAccessChecker canListCommitLog​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to list the commit log for the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check

      • canCommitChangeAgainstReference

        @CanIgnoreReturnValue
BatchAccessChecker canCommitChangeAgainstReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to commit changes against the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check

      • canReadEntityValue

        @CanIgnoreReturnValue
BatchAccessChecker canReadEntityValue​(org.projectnessie.versioned.NamedRef ref,
                                      org.projectnessie.model.IdentifiedContentKey identifiedKey)
        Checks whether the given role/principal is allowed to read an entity value as defined by the ContentKey for the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        identifiedKey - content key / ID / type to check

      • canCreateEntity

        @CanIgnoreReturnValue
BatchAccessChecker canCreateEntity​(org.projectnessie.versioned.NamedRef ref,
                                   org.projectnessie.model.IdentifiedContentKey identifiedKey)
        Checks whether the given role/principal is allowed to create a new entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        identifiedKey - content key / ID / type to check

      • canUpdateEntity

        @CanIgnoreReturnValue
BatchAccessChecker canUpdateEntity​(org.projectnessie.versioned.NamedRef ref,
                                   org.projectnessie.model.IdentifiedContentKey identifiedKey)
        Checks whether the given role/principal is allowed to update an existing entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        identifiedKey - content key / ID / type to check

      • canDeleteEntity

        @CanIgnoreReturnValue
BatchAccessChecker canDeleteEntity​(org.projectnessie.versioned.NamedRef ref,
                                   org.projectnessie.model.IdentifiedContentKey identifiedKey)
        Checks whether the given role/principal is allowed to delete an entity value as defined by the ContentKey for the given Branch, called for a Operation.Delete operation in a commit.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        identifiedKey - content key / ID / type to check

      • canReadRepositoryConfig

        @CanIgnoreReturnValue
BatchAccessChecker canReadRepositoryConfig​(org.projectnessie.model.RepositoryConfig.Type repositoryConfigType)

      • canUpdateRepositoryConfig

        @CanIgnoreReturnValue
BatchAccessChecker canUpdateRepositoryConfig​(org.projectnessie.model.RepositoryConfig.Type repositoryConfigType)