<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- NewPage --> <html lang="en"> <head> <!-- Generated by javadoc (1.8.0_265) on Tue Aug 25 19:30:51 UTC 2020 --> <title>D1AuthHelper (MetaCat API)</title> <meta name="date" content="2020-08-25"> <link rel="stylesheet" type="text/css" href="../../../../../stylesheet.css" title="Style"> <script type="text/javascript" src="../../../../../script.js"></script> </head> <body> <script type="text/javascript"><!-- try { if (location.href.indexOf('is-external=true') == -1) { parent.document.title="D1AuthHelper (MetaCat API)"; } } catch(err) { } //--> var methods = {"i0":10,"i1":10,"i2":10,"i3":10,"i4":10,"i5":10,"i6":10,"i7":9,"i8":10,"i9":10,"i10":10,"i11":10,"i12":10,"i13":10,"i14":10,"i15":10,"i16":10}; var tabs = {65535:["t0","All Methods"],1:["t1","Static Methods"],2:["t2","Instance Methods"],8:["t4","Concrete Methods"]}; var altColor = "altColor"; var rowColor = "rowColor"; var tableTab = "tableTab"; var activeTableTab = "activeTableTab"; </script> <noscript> <div>JavaScript is disabled on your browser.</div> </noscript> <!-- ========= START OF TOP NAVBAR ======= --> <div class="topNav"><a name="navbar.top"> <!-- --> </a> <div class="skipNav"><a href="#skip.navbar.top" title="Skip navigation links">Skip navigation links</a></div> <a name="navbar.top.firstrow"> <!-- --> </a> <ul class="navList" title="Navigation"> <li><a href="../../../../../overview-summary.html">Overview</a></li> <li><a href="package-summary.html">Package</a></li> <li class="navBarCell1Rev">Class</li> <li><a href="class-use/D1AuthHelper.html">Use</a></li> <li><a href="package-tree.html">Tree</a></li> <li><a href="../../../../../deprecated-list.html">Deprecated</a></li> <li><a href="../../../../../index-all.html">Index</a></li> <li><a href="../../../../../help-doc.html">Help</a></li> </ul> </div> <div class="subNav"> <ul class="navList"> <li><a 
href="../../../../../edu/ucsb/nceas/metacat/dataone/CNodeService.html" title="class in edu.ucsb.nceas.metacat.dataone"><span class="typeNameLink">Prev Class</span></a></li> <li><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1NodeService.html" title="class in edu.ucsb.nceas.metacat.dataone"><span class="typeNameLink">Next Class</span></a></li> </ul> <ul class="navList"> <li><a href="../../../../../index.html?edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html" target="_top">Frames</a></li> <li><a href="D1AuthHelper.html" target="_top">No Frames</a></li> </ul> <ul class="navList" id="allclasses_navbar_top"> <li><a href="../../../../../allclasses-noframe.html">All Classes</a></li> </ul> <div> <script type="text/javascript"><!-- allClassesLink = document.getElementById("allclasses_navbar_top"); if(window==top) { allClassesLink.style.display = "block"; } else { allClassesLink.style.display = "none"; } //--> </script> </div> <div> <ul class="subNavList"> <li>Summary: </li> <li>Nested | </li> <li>Field | </li> <li><a href="#constructor.summary">Constr</a> | </li> <li><a href="#method.summary">Method</a></li> </ul> <ul class="subNavList"> <li>Detail: </li> <li>Field | </li> <li><a href="#constructor.detail">Constr</a> | </li> <li><a href="#method.detail">Method</a></li> </ul> </div> <a name="skip.navbar.top"> <!-- --> </a></div> <!-- ========= END OF TOP NAVBAR ========= --> <!-- ======== START OF CLASS DATA ======== --> <div class="header"> <div class="subTitle">edu.ucsb.nceas.metacat.dataone</div> <h2 title="Class D1AuthHelper" class="title">Class D1AuthHelper</h2> </div> <div class="contentContainer"> <ul class="inheritance"> <li>java.lang.Object</li> <li> <ul class="inheritance"> <li>edu.ucsb.nceas.metacat.dataone.D1AuthHelper</li> </ul> </li> </ul> <div class="description"> <ul class="blockList"> <li class="blockList"> <hr> <br> <pre>public class <span class="typeNameLabel">D1AuthHelper</span> extends java.lang.Object</pre> <div class="block">This is a delegate 
class for D1NodeService and its subclasses. It centralizes the authorization implementations so that they are more consistent across the various API methods, and more testable. There are 6 basic authorization checks that can be done, and these are implemented as protected methods in this class. These checks are: 1. session vs. systemMetadata subjects; 2. session vs. local admin credentials; 3. session vs. systemMetadata authoritativeMemberNode (requires NodeList); 4. session vs. CN nodelist subjects (checking for CN admin authorization); 5. session vs. systemMetadata replica nodeReferences (via nodelist subjects); 6. session vs. expanded rightsHolder equivalent subjects and groups (uses API calls to the CN). In practice, there are currently only a handful of combinations of authorization checks being used. These are represented by the public methods in this class. If more combinations are ever required, they should be added as a new public method, following the general way the other methods are implemented. The combinations in use are: 1. CN admin only; 2. Local or AuthoritativeMN only; 3. Local MN or CN admin only; 4. "isAuthorized" - all checks except allowing replica nodes; 5. "getSystemMetadata" - all checks; 6. 
"update" authorization - success depends on the local node being the authMN</div> <dl> <dt><span class="simpleTagLabel">Author:</span></dt> <dd>rnahf</dd> </dl> </li> </ul> </div> <div class="summary"> <ul class="blockList"> <li class="blockList"> <!-- ======== CONSTRUCTOR SUMMARY ======== --> <ul class="blockList"> <li class="blockList"><a name="constructor.summary"> <!-- --> </a> <h3>Constructor Summary</h3> <table class="memberSummary" border="0" cellpadding="3" cellspacing="0" summary="Constructor Summary table, listing constructors, and an explanation"> <caption><span>Constructors</span><span class="tabEnd"> </span></caption> <tr> <th class="colOne" scope="col">Constructor and Description</th> </tr> <tr class="altColor"> <td class="colOne"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#D1AuthHelper-javax.servlet.http.HttpServletRequest-org.dataone.service.types.v1.Identifier-java.lang.String-java.lang.String-">D1AuthHelper</a></span>(javax.servlet.http.HttpServletRequest request, org.dataone.service.types.v1.Identifier requestIdentifier, java.lang.String notAuthorizedCode, java.lang.String serviceFailureCode)</code> <div class="block">Each instance should correspond to a single request.</div> </td> </tr> </table> </li> </ul> <!-- ========== METHOD SUMMARY =========== --> <ul class="blockList"> <li class="blockList"><a name="method.summary"> <!-- --> </a> <h3>Method Summary</h3> <table class="memberSummary" border="0" cellpadding="3" cellspacing="0" summary="Method Summary table, listing methods, and an explanation"> <caption><span id="t0" class="activeTableTab"><span>All Methods</span><span class="tabEnd"> </span></span><span id="t1" class="tableTab"><span><a href="javascript:show(1);">Static Methods</a></span><span class="tabEnd"> </span></span><span id="t2" class="tableTab"><span><a href="javascript:show(2);">Instance Methods</a></span><span class="tabEnd"> </span></span><span id="t4" 
class="tableTab"><span><a href="javascript:show(8);">Concrete Methods</a></span><span class="tabEnd"> </span></span></caption> <tr> <th class="colFirst" scope="col">Modifier and Type</th> <th class="colLast" scope="col">Method and Description</th> </tr> <tr id="i0" class="altColor"> <td class="colFirst"><code>protected boolean</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#checkExpandedPermissions-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v1.Permission-">checkExpandedPermissions</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission)</code> <div class="block">Compare all the session subjects against the expanded subjects (from listSubjects) of the object rightsholder.</div> </td> </tr> <tr id="i1" class="rowColor"> <td class="colFirst"><code>void</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#doAdminAuthorization-org.dataone.service.types.v1.Session-">doAdminAuthorization</a></span>(org.dataone.service.types.v1.Session session)</code> <div class="block">Does MN/CN admin authorization</div> </td> </tr> <tr id="i2" class="altColor"> <td class="colFirst"><code>void</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#doAuthoritativeMNAuthorization-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-">doAuthoritativeMNAuthorization</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta)</code> <div class="block">Does local and AuthMN admin authorization</div> </td> </tr> <tr id="i3" class="rowColor"> <td class="colFirst"><code>void</code></td> <td 
class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#doCNOnlyAuthorization-org.dataone.service.types.v1.Session-">doCNOnlyAuthorization</a></span>(org.dataone.service.types.v1.Session session)</code> <div class="block">Does only localNode(CN)/CN authorization</div> </td> </tr> <tr id="i4" class="altColor"> <td class="colFirst"><code>void</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#doGetSysmetaAuthorization-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v1.Permission-">doGetSysmetaAuthorization</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission)</code> <div class="block">Used by getSystemMetadata, describe, and getPackage (the latter two by delegation to getSystemMetadata). Very similar to doIsAuthorized, but also allows replica nodes administrative access.</div> </td> </tr> <tr id="i5" class="rowColor"> <td class="colFirst"><code>void</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#doIsAuthorized-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v1.Permission-">doIsAuthorized</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission)</code> <div class="block">Performs all authorization steps used by isAuthorized.</div> </td> </tr> <tr id="i6" class="altColor"> <td class="colFirst"><code>void</code></td> <td class="colLast"><code><span class="memberNameLink"><a 
href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#doUpdateAuth-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v1.Permission-org.dataone.service.types.v1.NodeReference-">doUpdateAuth</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission, org.dataone.service.types.v1.NodeReference localNodeId)</code> <div class="block">The locus of updates is limited to the authoritativeMN.</div> </td> </tr> <tr id="i7" class="rowColor"> <td class="colFirst"><code>static boolean</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#expandRightsHolder-org.dataone.service.types.v1.Subject-org.dataone.service.types.v1.Subject-">expandRightsHolder</a></span>(org.dataone.service.types.v1.Subject rightHolder, org.dataone.service.types.v1.Subject sessionSubject)</code> <div class="block">Check if the given session subject is a member of the rights holder group (if the rights holder is a group subject).</div> </td> </tr> <tr id="i8" class="altColor"> <td class="colFirst"><code>protected org.dataone.service.types.v2.NodeList</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#getCNNodeList--">getCNNodeList</a></span>()</code> <div class="block">A centralized point for accessing the CN NodeList, to make it easier to cache the nodelist in the future should that prove helpful for performance.</div> </td> </tr> <tr id="i9" class="rowColor"> <td class="colFirst"><code>protected boolean</code></td> <td class="colLast"><code><span class="memberNameLink"><a 
href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#isAuthoritativeMNodeAdmin-org.dataone.service.types.v1.Session-org.dataone.service.types.v1.NodeReference-org.dataone.service.types.v2.NodeList-">isAuthoritativeMNodeAdmin</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.NodeReference authoritativeMNode, org.dataone.service.types.v2.NodeList nodelist)</code> <div class="block">Compare the session.subject to the authoritativeMN Node.nodeSubjects list of Subjects.</div> </td> </tr> <tr id="i10" class="altColor"> <td class="colFirst"><code>protected boolean</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#isAuthorizedBySysMetaSubjects-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v1.Permission-">isAuthorizedBySysMetaSubjects</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission)</code> <div class="block">Returns the authorization status of the Session vs. the given SystemMetadata.</div> </td> </tr> <tr id="i11" class="rowColor"> <td class="colFirst"><code>protected boolean</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#isCNAdmin-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.NodeList-">isCNAdmin</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.NodeList nodelist)</code> <div class="block">Compares session.subject against the subjects of the CNs in the NodeList.</div> </td> </tr> <tr id="i12" class="altColor"> <td class="colFirst"><code>boolean</code></td> <td class="colLast"><code><span class="memberNameLink"><a 
href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#isLocalCNAdmin-org.dataone.service.types.v1.Session-">isLocalCNAdmin</a></span>(org.dataone.service.types.v1.Session session)</code> <div class="block">Test whether the user identified by the provided token has administrative authorization on this node because the subject is the node itself (the implementation uses the property Settings to build a Node instance).</div> </td> </tr> <tr id="i13" class="rowColor"> <td class="colFirst"><code>boolean</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#isLocalMNAdmin-org.dataone.service.types.v1.Session-">isLocalMNAdmin</a></span>(org.dataone.service.types.v1.Session session)</code> <div class="block">Test whether the user identified by the provided token has administrative authorization on this node because the subject is the node itself (the implementation uses the property Settings to build a Node instance).</div> </td> </tr> <tr id="i14" class="altColor"> <td class="colFirst"><code>protected boolean</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#isLocalNodeAdmin-org.dataone.service.types.v1.Session-org.dataone.service.types.v1.NodeType-">isLocalNodeAdmin</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.NodeType nodeType)</code> <div class="block">Checks Metacat properties representing the local Node document for matching Node.subjects.</div> </td> </tr> <tr id="i15" class="rowColor"> <td class="colFirst"><code>protected boolean</code></td> <td class="colLast"><code><span class="memberNameLink"><a 
href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#isReplicaMNodeAdmin-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v2.NodeList-">isReplicaMNodeAdmin</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v2.NodeList nodelist)</code> <div class="block">Determines whether the session represents a replica MN of the given systemMetadata.</div> </td> </tr> <tr id="i16" class="altColor"> <td class="colFirst"><code>protected void</code></td> <td class="colLast"><code><span class="memberNameLink"><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html#prepareAndThrowNotAuthorized-org.dataone.service.types.v1.Session-org.dataone.service.types.v1.Identifier-org.dataone.service.types.v1.Permission-java.lang.String-">prepareAndThrowNotAuthorized</a></span>(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.Identifier pid, org.dataone.service.types.v1.Permission permission, java.lang.String detailCode)</code> </td> </tr> </table> <ul class="blockList"> <li class="blockList"><a name="methods.inherited.from.class.java.lang.Object"> <!-- --> </a> <h3>Methods inherited from class java.lang.Object</h3> <code>clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait</code></li> </ul> </li> </ul> </li> </ul> </div> <div class="details"> <ul class="blockList"> <li class="blockList"> <!-- ========= CONSTRUCTOR DETAIL ======== --> <ul class="blockList"> <li class="blockList"><a name="constructor.detail"> <!-- --> </a> <h3>Constructor Detail</h3> <a name="D1AuthHelper-javax.servlet.http.HttpServletRequest-org.dataone.service.types.v1.Identifier-java.lang.String-java.lang.String-"> <!-- --> </a> <ul class="blockListLast"> <li class="blockList"> <h4>D1AuthHelper</h4> <pre>public D1AuthHelper(javax.servlet.http.HttpServletRequest request, 
org.dataone.service.types.v1.Identifier requestIdentifier, java.lang.String notAuthorizedCode, java.lang.String serviceFailureCode)</pre> <div class="block">Each instance should correspond to a single request.</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>request</code> - </dd> <dd><code>requestIdentifier</code> - </dd> <dd><code>notAuthorizedCode</code> - </dd> <dd><code>serviceFailureCode</code> - </dd> </dl> </li> </ul> </li> </ul> <!-- ============ METHOD DETAIL ========== --> <ul class="blockList"> <li class="blockList"><a name="method.detail"> <!-- --> </a> <h3>Method Detail</h3> <a name="doIsAuthorized-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v1.Permission-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>doIsAuthorized</h4> <pre>public void doIsAuthorized(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotAuthorized</pre> <div class="block">Performs all authorization steps used by isAuthorized. 
Checks for accessPolicy & rightsHolder authorization, and authorizes local, authoritativeMN, and CN admins.</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - </dd> <dd><code>sysmeta</code> - </dd> <dd><code>permission</code> - </dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> <dd><code>org.dataone.service.exceptions.NotAuthorized</code></dd> </dl> </li> </ul> <a name="doAuthoritativeMNAuthorization-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>doAuthoritativeMNAuthorization</h4> <pre>public void doAuthoritativeMNAuthorization(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotAuthorized</pre> <div class="block">Does local and AuthMN admin authorization</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - </dd> <dd><code>sysmeta</code> - </dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> <dd><code>org.dataone.service.exceptions.NotAuthorized</code></dd> </dl> </li> </ul> <a name="doUpdateAuth-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v1.Permission-org.dataone.service.types.v1.NodeReference-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>doUpdateAuth</h4> <pre>public void doUpdateAuth(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission, org.dataone.service.types.v1.NodeReference localNodeId) throws org.dataone.service.exceptions.NotAuthorized, org.dataone.service.exceptions.ServiceFailure</pre> <div class="block">The locus of updates 
is limited to the authoritativeMN. Therefore, the authorization rules are somewhat specialized: <ol><li>If the update is happening on the authoritative MN, either <ul><li>the session has the appropriate permission vs. the systemMetadata, or</li> <li>the session represents the MN Admin Subject</li></ul></li> <li>If the session represents the D1 CN, it is allowed.</li></ol></div> <dl> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.NotAuthorized</code></dd> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> </dl> </li> </ul> <a name="doCNOnlyAuthorization-org.dataone.service.types.v1.Session-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>doCNOnlyAuthorization</h4> <pre>public void doCNOnlyAuthorization(org.dataone.service.types.v1.Session session) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotAuthorized</pre> <div class="block">Does only localNode(CN)/CN authorization</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - </dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> <dd><code>org.dataone.service.exceptions.NotAuthorized</code></dd> </dl> </li> </ul> <a name="doAdminAuthorization-org.dataone.service.types.v1.Session-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>doAdminAuthorization</h4> <pre>public void doAdminAuthorization(org.dataone.service.types.v1.Session session) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotAuthorized</pre> <div class="block">Does MN/CN admin authorization</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - </dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> <dd><code>org.dataone.service.exceptions.NotAuthorized</code></dd> </dl> </li> 
</ul> <a name="doGetSysmetaAuthorization-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v1.Permission-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>doGetSysmetaAuthorization</h4> <pre>public void doGetSysmetaAuthorization(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotAuthorized</pre> <div class="block">Used by getSystemMetadata, describe, and getPackage (the latter two by delegation to getSystemMetadata). Very similar to doIsAuthorized, but also allows replica nodes administrative access.</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - </dd> <dd><code>sysmeta</code> - </dd> <dd><code>permission</code> - </dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> <dd><code>org.dataone.service.exceptions.NotAuthorized</code></dd> </dl> </li> </ul> <a name="prepareAndThrowNotAuthorized-org.dataone.service.types.v1.Session-org.dataone.service.types.v1.Identifier-org.dataone.service.types.v1.Permission-java.lang.String-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>prepareAndThrowNotAuthorized</h4> <pre>protected void prepareAndThrowNotAuthorized(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.Identifier pid, org.dataone.service.types.v1.Permission permission, java.lang.String detailCode) throws org.dataone.service.exceptions.NotAuthorized</pre> <dl> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.NotAuthorized</code></dd> </dl> </li> </ul> <a name="checkExpandedPermissions-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v1.Permission-"> <!-- --> </a> 
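<div class="block">The combinations documented above (doIsAuthorized, doGetSysmetaAuthorization and doUpdateAuth), as an added Python model that is not Metacat's own code: it assumes simplified Session, SystemMetadata and Node types plus constructed sample subjects and node identifiers, and replaces the CN listSubjects call with a precomputed list of equivalent subjects on the Session.</div>

```python
# Added example (not Metacat's own code): a Python model of the authorization
# combinations documented for D1AuthHelper, showing how the primitive checks
# compose. Class names, fields and the constructed sample data are assumptions.
from dataclasses import dataclass

class NotAuthorized(Exception):
    """Stands in for org.dataone.service.exceptions.NotAuthorized."""

# Assumed permission hierarchy: changePermission implies write implies read.
RANK = {"read": 0, "write": 1, "changePermission": 2}

@dataclass(frozen=True)
class Session:
    subject: str
    # Equivalent identities/groups; stands in for the CN listSubjects expansion.
    expanded: frozenset = frozenset()

@dataclass
class SystemMetadata:
    rights_holder: str
    access_policy: dict            # subject -> set of granted permissions
    authoritative_mn: str          # NodeReference of the authoritative MN
    replica_mns: frozenset = frozenset()

@dataclass(frozen=True)
class Node:
    node_id: str
    node_type: str                 # "mn" or "cn"
    subjects: frozenset            # Node.subjects allowed to act as the node

def subject_has_permission(subject, sysmeta, permission):
    """Check 1: rightsHolder or accessPolicy gives `subject` the permission."""
    if subject == sysmeta.rights_holder:
        return True
    granted = sysmeta.access_policy.get(subject, set())
    return any(RANK[g] >= RANK[permission] for g in granted)

def check_expanded_permissions(session, sysmeta, permission):   # check 6
    return any(subject_has_permission(s, sysmeta, permission) for s in session.expanded)

def is_local_node_admin(session, local_node):                   # check 2
    return session.subject in local_node.subjects

def is_authoritative_mnode_admin(session, authoritative_mn, nodelist):
    """Check 3: session.subject vs. the authoritative MN's subjects."""
    if session is None or authoritative_mn is None or nodelist is None:
        return False               # any null parameter -> false
    return any(n.node_id == authoritative_mn and session.subject in n.subjects for n in nodelist)

def is_cn_admin(session, nodelist):                             # check 4
    return any(n.node_type == "cn" and session.subject in n.subjects for n in nodelist)

def is_replica_mnode_admin(session, sysmeta, nodelist):         # check 5
    return any(n.node_id in sysmeta.replica_mns and session.subject in n.subjects
               for n in nodelist)

def do_is_authorized(session, sysmeta, permission, local_node, nodelist):
    """All checks except replica nodes; raises NotAuthorized on failure."""
    if (subject_has_permission(session.subject, sysmeta, permission)
            or check_expanded_permissions(session, sysmeta, permission)
            or is_local_node_admin(session, local_node)
            or is_authoritative_mnode_admin(session, sysmeta.authoritative_mn, nodelist)
            or is_cn_admin(session, nodelist)):
        return True
    raise NotAuthorized(f"{session.subject} lacks {permission}")

def do_get_sysmeta_authorization(session, sysmeta, permission, local_node, nodelist):
    """As do_is_authorized, but replica MNs also get administrative access."""
    if is_replica_mnode_admin(session, sysmeta, nodelist):
        return True
    return do_is_authorized(session, sysmeta, permission, local_node, nodelist)

def do_update_auth(session, sysmeta, permission, local_node, nodelist):
    """Updates only on the authoritative MN (permission holder or MN admin); a CN anywhere."""
    if local_node.node_id == sysmeta.authoritative_mn and (
            subject_has_permission(session.subject, sysmeta, permission)
            or check_expanded_permissions(session, sysmeta, permission)
            or is_local_node_admin(session, local_node)):
        return True
    if is_cn_admin(session, nodelist):
        return True
    raise NotAuthorized(f"update by {session.subject} refused on {local_node.node_id}")

# Constructed sample deployment (not real DataONE identifiers).
CN = Node("urn:node:CN", "cn", frozenset({"CN=cn.example.org"}))
MN_A = Node("urn:node:MNA", "mn", frozenset({"CN=mna.example.org"}))
MN_B = Node("urn:node:MNB", "mn", frozenset({"CN=mnb.example.org"}))
NODELIST = [CN, MN_A, MN_B]
SYSMETA = SystemMetadata(rights_holder="CN=alice,DC=example",
                         access_policy={"CN=bob,DC=example": {"read"},
                                        "CN=curators,DC=example": {"write"}},
                         authoritative_mn="urn:node:MNA",
                         replica_mns=frozenset({"urn:node:MNB"}))

def outcome(check, session, permission, local_node):
    """Run one do_* combination on the sample object: 'allowed' or 'denied'."""
    try:
        check(session, SYSMETA, permission, local_node, NODELIST)
        return "allowed"
    except NotAuthorized:
        return "denied"
```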
<ul class="blockList"> <li class="blockList"> <h4>checkExpandedPermissions</h4> <pre>protected boolean checkExpandedPermissions(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission) throws org.dataone.service.exceptions.ServiceFailure</pre> <div class="block">Compare all the session subjects against the expanded subjects (from listSubjects) of the object rightsholder.</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - </dd> <dd><code>sysmeta</code> - </dd> <dd><code>permission</code> - </dd> <dt><span class="returnLabel">Returns:</span></dt> <dd>true if any session subject matches one of the expanded rightsHolder subjects; false otherwise</dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> </dl> </li> </ul> <a name="getCNNodeList--"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>getCNNodeList</h4> <pre>protected org.dataone.service.types.v2.NodeList getCNNodeList() throws org.dataone.service.exceptions.ServiceFailure</pre> <div class="block">A centralized point for accessing the CN NodeList, to make it easier to cache the nodelist in the future should that prove helpful for performance.</div> <dl> <dt><span class="returnLabel">Returns:</span></dt> <dd>the CN NodeList</dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> <dd><code>org.dataone.service.exceptions.NotImplemented</code></dd> </dl> </li> </ul> <a name="expandRightsHolder-org.dataone.service.types.v1.Subject-org.dataone.service.types.v1.Subject-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>expandRightsHolder</h4> <pre>public static boolean expandRightsHolder(org.dataone.service.types.v1.Subject rightHolder, org.dataone.service.types.v1.Subject sessionSubject) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotImplemented, 
org.dataone.service.exceptions.InvalidRequest, org.dataone.service.exceptions.NotAuthorized, org.dataone.service.exceptions.InvalidToken</pre> <div class="block">Check if the given session subject is a member of the rights holder group (if the rights holder is a group subject). If the rights holder is not a group, the result is false.</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>rightHolder</code> - the subject of the rights holder.</dd> <dd><code>sessionSubject</code> - the subject to be compared against the rights holder</dd> <dt><span class="returnLabel">Returns:</span></dt> <dd>true if the user session is a member of the rights holder group; false otherwise.</dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.NotImplemented</code></dd> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> <dd><code>org.dataone.service.exceptions.NotAuthorized</code></dd> <dd><code>org.dataone.service.exceptions.InvalidToken</code></dd> <dd><code>org.dataone.service.exceptions.InvalidRequest</code></dd> </dl> </li> </ul> <a name="isLocalMNAdmin-org.dataone.service.types.v1.Session-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>isLocalMNAdmin</h4> <pre>public boolean isLocalMNAdmin(org.dataone.service.types.v1.Session session) throws org.dataone.service.exceptions.ServiceFailure</pre> <div class="block">Test whether the user identified by the provided token has administrative authorization on this node because the subject is the node itself (the implementation uses the property Settings to build a Node instance).</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - the Session object containing the credentials for the Subject</dd> <dt><span class="returnLabel">Returns:</span></dt> <dd>true if the user is this node</dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> 
<dd><code>org.dataone.service.exceptions.NotImplemented</code></dd> </dl> </li> </ul> <a name="isLocalCNAdmin-org.dataone.service.types.v1.Session-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>isLocalCNAdmin</h4> <pre>public boolean isLocalCNAdmin(org.dataone.service.types.v1.Session session) throws org.dataone.service.exceptions.ServiceFailure</pre> <div class="block">Test whether the user identified by the provided token has administrative authorization on this node because the subject is the node itself (the implementation uses the property Settings to build a Node instance).</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - the Session object containing the credentials for the Subject</dd> <dt><span class="returnLabel">Returns:</span></dt> <dd>true if the user is this node</dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> <dd><code>org.dataone.service.exceptions.NotImplemented</code></dd> </dl> </li> </ul> <a name="isLocalNodeAdmin-org.dataone.service.types.v1.Session-org.dataone.service.types.v1.NodeType-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>isLocalNodeAdmin</h4> <pre>protected boolean isLocalNodeAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.NodeType nodeType) throws org.dataone.service.exceptions.ServiceFailure</pre> <div class="block">Checks Metacat properties representing the local Node document for matching Node.subjects. 
The NodeType parameter can be set to limit this authorization check if needed.</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - </dd> <dd><code>nodeType</code> - </dd> <dt><span class="returnLabel">Returns:</span></dt> <dd>true if the session subject matches one of the local Node subjects; false otherwise</dd> <dt><span class="throwsLabel">Throws:</span></dt> <dd><code>org.dataone.service.exceptions.ServiceFailure</code></dd> </dl> </li> </ul> <a name="isAuthorizedBySysMetaSubjects-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v1.Permission-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>isAuthorizedBySysMetaSubjects</h4> <pre>protected boolean isAuthorizedBySysMetaSubjects(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission)</pre> <div class="block">Returns the authorization status of the Session vs. the given SystemMetadata based on the rightsHolder and AccessPolicy fields.</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - </dd> <dd><code>sysmeta</code> - </dd> <dd><code>permission</code> - </dd> <dt><span class="returnLabel">Returns:</span></dt> <dd>true|false</dd> </dl> </li> </ul> <a name="isReplicaMNodeAdmin-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.SystemMetadata-org.dataone.service.types.v2.NodeList-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>isReplicaMNodeAdmin</h4> <pre>protected boolean isReplicaMNodeAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v2.NodeList nodelist)</pre> <div class="block">Determines whether the session represents a replica MN of the given systemMetadata.</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - the session; only the session.subject field is used</dd> <dd><code>sysmeta</code> - </dd> 
<dd><code>nodelist</code> - </dd> <dt><span class="returnLabel">Returns:</span></dt> <dd>true|false</dd> </dl> </li> </ul> <a name="isAuthoritativeMNodeAdmin-org.dataone.service.types.v1.Session-org.dataone.service.types.v1.NodeReference-org.dataone.service.types.v2.NodeList-"> <!-- --> </a> <ul class="blockList"> <li class="blockList"> <h4>isAuthoritativeMNodeAdmin</h4> <pre>protected boolean isAuthoritativeMNodeAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.NodeReference authoritativeMNode, org.dataone.service.types.v2.NodeList nodelist)</pre> <div class="block">Compare the session.subject to the authoritativeMN Node.nodeSubjects list of Subjects. According the the DataONE documentation, the authoritative member node has all the rights of the *rightsHolder*. Any null parameter will result in return of false</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - </dd> <dd><code>authoritativeMNode</code> - </dd> <dd><code>nodelist</code> - </dd> <dt><span class="returnLabel">Returns:</span></dt> </dl> </li> </ul> <a name="isCNAdmin-org.dataone.service.types.v1.Session-org.dataone.service.types.v2.NodeList-"> <!-- --> </a> <ul class="blockListLast"> <li class="blockList"> <h4>isCNAdmin</h4> <pre>protected boolean isCNAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.NodeList nodelist)</pre> <div class="block">compares session.subject against CN.NodeList</div> <dl> <dt><span class="paramLabel">Parameters:</span></dt> <dd><code>session</code> - </dd> <dd><code>nodelist</code> - </dd> </dl> </li> </ul> </li> </ul> </li> </ul> </div> </div> <!-- ========= END OF CLASS DATA ========= --> <!-- ======= START OF BOTTOM NAVBAR ====== --> <div class="bottomNav"><a name="navbar.bottom"> <!-- --> </a> <div class="skipNav"><a href="#skip.navbar.bottom" title="Skip navigation links">Skip navigation links</a></div> <a name="navbar.bottom.firstrow"> <!-- --> </a> <ul class="navList" 
title="Navigation"> <li><a href="../../../../../overview-summary.html">Overview</a></li> <li><a href="package-summary.html">Package</a></li> <li class="navBarCell1Rev">Class</li> <li><a href="class-use/D1AuthHelper.html">Use</a></li> <li><a href="package-tree.html">Tree</a></li> <li><a href="../../../../../deprecated-list.html">Deprecated</a></li> <li><a href="../../../../../index-all.html">Index</a></li> <li><a href="../../../../../help-doc.html">Help</a></li> </ul> </div> <div class="subNav"> <ul class="navList"> <li><a href="../../../../../edu/ucsb/nceas/metacat/dataone/CNodeService.html" title="class in edu.ucsb.nceas.metacat.dataone"><span class="typeNameLink">Prev Class</span></a></li> <li><a href="../../../../../edu/ucsb/nceas/metacat/dataone/D1NodeService.html" title="class in edu.ucsb.nceas.metacat.dataone"><span class="typeNameLink">Next Class</span></a></li> </ul> <ul class="navList"> <li><a href="../../../../../index.html?edu/ucsb/nceas/metacat/dataone/D1AuthHelper.html" target="_top">Frames</a></li> <li><a href="D1AuthHelper.html" target="_top">No Frames</a></li> </ul> <ul class="navList" id="allclasses_navbar_bottom"> <li><a href="../../../../../allclasses-noframe.html">All Classes</a></li> </ul> <div> <script type="text/javascript"><!-- allClassesLink = document.getElementById("allclasses_navbar_bottom"); if(window==top) { allClassesLink.style.display = "block"; } else { allClassesLink.style.display = "none"; } //--> </script> </div> <div> <ul class="subNavList"> <li>Summary: </li> <li>Nested | </li> <li>Field | </li> <li><a href="#constructor.summary">Constr</a> | </li> <li><a href="#method.summary">Method</a></li> </ul> <ul class="subNavList"> <li>Detail: </li> <li>Field | </li> <li><a href="#constructor.detail">Constr</a> | </li> <li><a href="#method.detail">Method</a></li> </ul> </div> <a name="skip.navbar.bottom"> <!-- --> </a></div> <!-- ======== END OF BOTTOM NAVBAR ======= --> <p class="legalCopy"><small><i>Copyright © 2020 Regents of the 
University of California. All Rights Reserved.</i></small></p> </body> </html>