Class AuthenticatedRegistrarAccessor
Registrars the current user has access to.
A user has OWNER role on a Registrar if there exists a mapping to the registrar in its UserRoles map, regardless of the role.
An "admin" has, in addition, OWNER role on #registryAdminRegistrarId and to all
non-REAL registrars (see RegistrarBase.getType()).
An "admin" also has ADMIN role on ALL registrars.
A user is an "admin" if it has global admin permission, or if their email is in the "Support" G Suite group.
NOTE: to check whether the user is in the "Support" G Suite group, we need a connection to G Suite. This, in turn, requires us to have valid JsonCredentials, which not all environments have set up. This connection will be created lazily (only if needed).
Specifically, we don't instantiate the connection if: (a) gSuiteSupportGroupEmailAddress isn't defined, or (b) the user is logged out, or (c) the user is an admin.
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic classException thrown when the current user doesn't have access to the requested Registrar.static enumThe role under which access is granted. -
Constructor Summary
ConstructorsConstructorDescriptionAuthenticatedRegistrarAccessor(AuthResult authResult, String registryAdminRegistrarId, Optional<String> gSuiteSupportGroupEmailAddress, dagger.Lazy<GroupsConnection> lazyGroupsConnection) -
Method Summary
Modifier and TypeMethodDescriptioncreateForTesting(com.google.common.collect.ImmutableSetMultimap<String, AuthenticatedRegistrarAccessor.Role> roleMap) Creates a "logged-in user" accessor with a given role map, used for tests.com.google.common.collect.ImmutableSetMultimap<String, AuthenticatedRegistrarAccessor.Role> A map that gives all roles a user has for a given registrar ID.getRegistrar(String registrarId) Loads a Registrar IFF the user is authorized.com.google.common.collect.ImmutableSet<AuthenticatedRegistrarAccessor.Role> getRolesForRegistrar(String registrarId) Returns all the roles the current user has on the given registrar."Guesses" which client ID the user wants from all those they have access to.booleanhasRoleOnRegistrar(AuthenticatedRegistrarAccessor.Role role, String registrarId) Checks if we have a given role for a given registrar.booleanisAdmin()Returns whether this user is allowed to create new Registrars and TLDs.toString()voidverifyAccess(String registrarId)
-
Constructor Details
-
AuthenticatedRegistrarAccessor
@Inject public AuthenticatedRegistrarAccessor(AuthResult authResult, @Config("registryAdminClientId") String registryAdminRegistrarId, @Config("gSuiteSupportGroupEmailAddress") Optional<String> gSuiteSupportGroupEmailAddress, dagger.Lazy<GroupsConnection> lazyGroupsConnection)
-
-
Method Details
-
createForTesting
public static AuthenticatedRegistrarAccessor createForTesting(com.google.common.collect.ImmutableSetMultimap<String, AuthenticatedRegistrarAccessor.Role> roleMap) Creates a "logged-in user" accessor with a given role map, used for tests.The user will be allowed to create Registrars (and hence do OT&E setup) iff they have the role of ADMIN for at least one registrar ID.
The user's "name" in logs and exception messages is "TestUserId".
-
isAdmin
public boolean isAdmin()Returns whether this user is allowed to create new Registrars and TLDs. -
getAllRegistrarIdsWithRoles
public com.google.common.collect.ImmutableSetMultimap<String,AuthenticatedRegistrarAccessor.Role> getAllRegistrarIdsWithRoles()A map that gives all roles a user has for a given registrar ID.Throws a
AuthenticatedRegistrarAccessor.RegistrarAccessDeniedExceptionif the user is not logged in.The result is ordered starting from "most specific to this user".
If you want to load the
Registrarobject from these (or any other)registrarId, in order to perform actions on behalf of a user, you must usegetRegistrar(java.lang.String)which makes sure the user has permissions.Note that this is an OPTIONAL step in the authentication - only used if we don't have any other clue as to the requested
registrarId. It is perfectly OK to get aregistrarIdfrom any other source, as long as the registrar is then loaded usinggetRegistrar(java.lang.String). -
getRolesForRegistrar
public com.google.common.collect.ImmutableSet<AuthenticatedRegistrarAccessor.Role> getRolesForRegistrar(String registrarId) Returns all the roles the current user has on the given registrar.This is syntactic sugar for
getAllRegistrarIdsWithRoles().get(registrarId). -
hasRoleOnRegistrar
Checks if we have a given role for a given registrar.This is syntactic sugar for
getAllRegistrarIdsWithRoles().containsEntry(registrarId, role). -
guessRegistrarId
public String guessRegistrarId() throws AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException"Guesses" which client ID the user wants from all those they have access to.If no such registrar IDs exist, throws a RegistrarAccessDeniedException.
This should be the registrar ID "most likely wanted by the user".
If you want to load the
Registrarobject from this (or any other)registrarId, in order to perform actions on behalf of a user, you must usegetRegistrar(java.lang.String)which makes sure the user has permissions.Note that this is an OPTIONAL step in the authentication - only used if we don't have any other clue as to the requested
registrarId. It is perfectly OK to get aregistrarIdfrom any other source, as long as the registrar is then loaded usinggetRegistrar(java.lang.String). -
getRegistrar
public Registrar getRegistrar(String registrarId) throws AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException Loads a Registrar IFF the user is authorized.Throws a
AuthenticatedRegistrarAccessor.RegistrarAccessDeniedExceptionif the user is not logged in, or not authorized to access the requested registrar.- Parameters:
registrarId- ID of the registrar we request- Throws:
AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException
-
verifyAccess
public void verifyAccess(String registrarId) throws AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException -
userIdForLogging
-
toString
-