[security-dev] PicketLink 3 - Group/Role - Membership
Shane Bryzak
sbryzak at redhat.com
Sun Dec 2 20:05:42 EST 2012
I've started by adjusting the IdentityQuery interface to accept
varargs for the setParameter() method. I also think that we can do
without the Operator parameter (and corresponding enum), as we can
simply define specialist parameter types for particular query
restrictions, such as CREATED_BEFORE, CREATED_AFTER, EXPIRES_AFTER, etc.,
as user requirements become better defined.
public interface IdentityQuery<T extends IdentityType> {
    // public enum Operator { equals, notEquals, greaterThan, lessThan };

    IdentityQuery<T> setOffset(int offset);
    IdentityQuery<T> setLimit(int limit);
    IdentityQuery<T> setParameter(QueryParameter param, Object... value);
    // IdentityQuery<T> setParameter(QueryParameter param, Operator operator, Object... value);

    List<T> getResultList();
}
I've also started redefining many of the QueryParameter values as follows:
    /**
     * Used to specify either a realm or tier-specific role. The query should only
     * return IdentityType instances that have been granted the specified role.
     */
    QueryParameter HAS_ROLE = new QueryParameter() {};

    /**
     * Used to specify either a realm-specific User or Group, or a tier-specific Group.
     * The query should only return Role instances that the specified User or Group
     * is a member of.
     */
    QueryParameter ROLE_OF = new QueryParameter() {};

    /**
     * Used to specify either a realm-specific or tier-specific group role, of which
     * both the Group and Role must be provided as parameter values. The query should
     * only return IdentityType instances that have been granted the specified group role.
     */
    QueryParameter HAS_GROUP_ROLE = new QueryParameter() {};

    /**
     * Used to specify either a realm-specific User or Group, or a tier-specific Group.
     * The query should only return GroupRole instances that the specified User or Group
     * is a member of.
     */
    QueryParameter GROUP_ROLE_OF = new QueryParameter() {};

    /**
     * Used to specify either a realm-specific or tier-specific Group. The query should
     * only return IdentityType instances that are a member of the specified group.
     */
    QueryParameter MEMBER_OF = new QueryParameter() {};

    /**
     * Used to specify either a realm-specific User or Group, or a tier-specific Group.
     * The query should only return Group instances that the specified User or Group
     * is a member of.
     */
    QueryParameter HAS_MEMBER = new QueryParameter() {};
These new parameter definitions allow for all types of membership/role
queries, and their inverses. One issue we currently have, though, is with
the GROUP_ROLE_OF parameter type. Currently, IdentityQuery only works
with IdentityType or its subclasses, of which GroupRole (to which I've
renamed Membership) is not one; however, this is what we'd really need
to return if we wanted to query which group roles a User is a member
of. I'm not quite sure how we should handle this, so any suggestions
would be welcome.
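The following is an added, self-contained illustration of how the proposed varargs setParameter() API could be evaluated over an in-memory relationship store; it is not PicketLink code and not part of the original post. The User, Group, Role and GroupRole records, the IdentityStore class, the parameter semantics (HAS_GROUP_ROLE takes a Group and a Role as its two values, every other parameter treats each vararg as a condition that must hold) and the constructed sample data are all assumptions made for the example, and it assumes Java 17 for records and pattern-matching instanceof.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

// Demo entry point (first class in the file so the single-file launcher can run it).
public class MembershipQueryDemo {
    public static void main(String[] args) {
        // Constructed sample data: one realm role grant, one group with two members, one group role.
        IdentityStore store = new IdentityStore();
        User alice = new User("alice"), bob = new User("bob");
        Group devs = new Group("developers");
        Role admin = new Role("admin"), lead = new Role("lead");
        store.add(alice, bob, devs, admin, lead);
        store.grantRole(alice, admin);
        store.addMember(devs, alice);
        store.addMember(devs, bob);
        store.grantGroupRole(bob, devs, lead);

        // Users holding the realm role "admin"
        System.out.println(new InMemoryQuery<>(store, User.class).setParameter(InMemoryQuery.HAS_ROLE, admin).getResultList());
        // Users that are members of "developers"
        System.out.println(new InMemoryQuery<>(store, User.class).setParameter(InMemoryQuery.MEMBER_OF, devs).getResultList());
        // Inverse query: groups that have bob as a member
        System.out.println(new InMemoryQuery<>(store, Group.class).setParameter(InMemoryQuery.HAS_MEMBER, bob).getResultList());
        // Users granted the group role (developers, lead); both values passed through the varargs
        System.out.println(new InMemoryQuery<>(store, User.class).setParameter(InMemoryQuery.HAS_GROUP_ROLE, devs, lead).getResultList());
    }
}

// Minimal stand-ins for the identity model (assumed). GroupRole is deliberately not an
// IdentityType, which is why it cannot be the T of IdentityQuery<T extends IdentityType>.
interface IdentityType { String name(); }
record User(String name) implements IdentityType {}
record Group(String name) implements IdentityType {}
record Role(String name) implements IdentityType {}
record GroupRole(IdentityType member, Group group, Role role) {}

interface QueryParameter {}

// Same shape as the interface proposed in the post, with the varargs setParameter().
interface IdentityQuery<T extends IdentityType> {
    IdentityQuery<T> setOffset(int offset);
    IdentityQuery<T> setLimit(int limit);
    IdentityQuery<T> setParameter(QueryParameter param, Object... value);
    List<T> getResultList();
}

// Relationship store (assumed structure): realm role grants, group memberships, group roles.
final class IdentityStore {
    final List<IdentityType> identities = new ArrayList<>();
    final Map<IdentityType, List<Role>> roleGrants = new HashMap<>();
    final Map<IdentityType, List<Group>> memberships = new HashMap<>();
    final List<GroupRole> groupRoles = new ArrayList<>();

    void add(IdentityType... ids) { identities.addAll(Arrays.asList(ids)); }
    void grantRole(IdentityType who, Role role) { roleGrants.computeIfAbsent(who, k -> new ArrayList<>()).add(role); }
    void addMember(Group group, IdentityType member) { memberships.computeIfAbsent(member, k -> new ArrayList<>()).add(group); }
    void grantGroupRole(IdentityType who, Group group, Role role) { groupRoles.add(new GroupRole(who, group, role)); }
}

final class InMemoryQuery<T extends IdentityType> implements IdentityQuery<T> {
    static final QueryParameter HAS_ROLE = new QueryParameter() {};
    static final QueryParameter MEMBER_OF = new QueryParameter() {};
    static final QueryParameter HAS_MEMBER = new QueryParameter() {};
    static final QueryParameter HAS_GROUP_ROLE = new QueryParameter() {};

    private final IdentityStore store;
    private final Class<T> type;
    private final Map<QueryParameter, Object[]> params = new HashMap<>();
    private int offset = 0;
    private int limit = Integer.MAX_VALUE;

    InMemoryQuery(IdentityStore store, Class<T> type) { this.store = store; this.type = type; }

    @Override public IdentityQuery<T> setOffset(int offset) { this.offset = offset; return this; }
    @Override public IdentityQuery<T> setLimit(int limit) { this.limit = limit; return this; }
    @Override public IdentityQuery<T> setParameter(QueryParameter param, Object... value) { params.put(param, value); return this; }

    // The result type T is itself a filter: only identities of that class are candidates.
    @Override public List<T> getResultList() {
        return store.identities.stream()
            .filter(type::isInstance).map(type::cast)
            .filter(this::matchesAll)
            .skip(offset).limit(limit)
            .collect(Collectors.toList());
    }

    // All parameters set on the query must hold for a candidate to be returned.
    private boolean matchesAll(T candidate) {
        for (Map.Entry<QueryParameter, Object[]> e : params.entrySet()) {
            if (!matches(candidate, e.getKey(), e.getValue())) return false;
        }
        return true;
    }

    private boolean matches(T c, QueryParameter p, Object[] values) {
        if (p == HAS_GROUP_ROLE) {  // needs both the Group and the Role, as the post's javadoc requires
            if (values.length != 2) throw new IllegalArgumentException("HAS_GROUP_ROLE needs a Group and a Role");
            return store.groupRoles.contains(new GroupRole(c, (Group) values[0], (Role) values[1]));
        }
        for (Object v : values) {  // every other parameter: each vararg is a condition that must hold
            boolean ok;
            if (p == HAS_ROLE) ok = store.roleGrants.getOrDefault(c, List.of()).contains(v);
            else if (p == MEMBER_OF) ok = store.memberships.getOrDefault(c, List.of()).contains(v);
            else if (p == HAS_MEMBER) ok = c instanceof Group g && store.memberships.getOrDefault(v, List.of()).contains(g);
            else throw new IllegalArgumentException("unsupported parameter");
            if (!ok) return false;
        }
        return true;
    }
}
```

Run with `java MembershipQueryDemo.java`. Note that the example can express HAS_GROUP_ROLE but not its inverse, GROUP_ROLE_OF: the result list is typed as `List<T>` with `T extends IdentityType`, and GroupRole is not an IdentityType, which is the limitation the post describes.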