Package io.jans.ca.plugin.adminui.service.adminui

Class AdminUISecurityService

  • @Singleton
public class AdminUISecurityService
extends Object
    Service responsible for managing Admin UI security related operations such as retrieving, uploading, synchronizing and updating the Cedarling policy store.

    This service interacts with:

    • Local policy store files
    • Remote policy store endpoints
    • Jans persistence layer
    • Admin UI role and permission configuration

    It also supports synchronization between Cedar policy definitions and Admin UI role-to-scope mappings.

    • Constructor Detail

      • AdminUISecurityService

        public AdminUISecurityService()

    • Method Detail

      • getPolicyStore

        public GenericResponse getPolicyStore()
                               throws ApplicationException
        Retrieves the current policy store from the configured local file system path.

        The policy store path is resolved using the following precedence:

        1. Configured value in AUIConfiguration.getAuiCedarlingDefaultPolicyStorePath()
        2. AppConstants.DEFAULT_POLICY_STORE_FILE_PATH

        If the file exists, the method returns the binary content of the policy store (typically a .cjar archive). If the file does not exist, a 404 response is returned.

        Returns:
        GenericResponse containing the policy store file as a byte array
        Throws:
        ApplicationException - if an unexpected error occurs while retrieving the file

      • uploadPolicyStore

        public GenericResponse uploadPolicyStore​(AdminUIPolicyStore adminUIPolicyStore)
                                  throws ApplicationException
        Uploads and overwrites the existing policy store file on the server.

        This method performs the following operations:

        • Validates the incoming request and file metadata
        • Ensures the uploaded file has a valid .cjar extension
        • Validates the input stream of the uploaded policy store
        • Resolves the configured policy store path
        • Validates the domain inside the existing policy store against the server host
        • Creates a backup of the existing policy store file (if present)
        • Uploads and replaces the policy store with the new file
        Parameters:
        adminUIPolicyStore - the AdminUIPolicyStore containing the policy store file and its associated metadata
        Returns:
        a GenericResponse indicating success or failure of the upload operation
        Throws:
        ApplicationException - if:
        • The request or document is null
        • The file name is missing or does not have a .cjar extension
        • The input stream is invalid or empty
        • The policy store domain does not match the configured server host
        • Any error occurs during validation, backup, or file upload

      • syncRoleScopeMapping

        public GenericResponse syncRoleScopeMapping()
                                     throws ApplicationException
        Synchronizes Admin UI role-to-scope mappings using the currently configured Cedar policy store.

        The synchronization process includes:

        1. Retrieving resource-to-scope mappings from persistence
        2. Parsing the Cedar policy store archive (.cjar)
        3. Deriving principal-to-scope mappings from policies
        4. Generating Admin UI roles from the principals
        5. Generating role-permission mappings
        6. Removing duplicate permissions
        7. Updating Admin UI roles and permissions

        This ensures that Admin UI access control remains consistent with Cedar authorization policies.

        Returns:
        GenericResponse indicating success or failure of the synchronization process
        Throws:
        ApplicationException - if synchronization fails due to validation or system errors