1 /*******************************************************************************
2 * Copyright (c) 2016 AT&T Intellectual Property. All rights reserved.
3 *******************************************************************************/
4 package com.att.authz.reports;
6 import java.io.IOException;
9 import com.att.authz.Batch;
10 import com.att.authz.env.AuthzTrans;
11 import com.att.authz.helpers.NS;
12 import com.att.authz.helpers.NsAttrib;
13 import com.att.authz.helpers.Perm;
14 import com.att.authz.helpers.Role;
15 import com.att.dao.aaf.cass.NsType;
16 import com.att.inno.env.APIException;
17 import com.att.inno.env.Env;
18 import com.att.inno.env.TimeTaken;
20 public class CheckNS extends Batch{
/**
 * Connects to the Cassandra cluster and preloads the namespace, role, permission
 * and namespace-attribute caches that {@code run} later checks and repairs.
 *
 * @param trans the transaction used for timing and logging
 * @throws APIException propagated from the load/connect helpers
 * @throws IOException propagated from the load/connect helpers
 */
22 public CheckNS(AuthzTrans trans) throws APIException, IOException {
// The connect is timed as a REMOTE call; the matching tt.done() and any
// try/finally around it are in lines not shown in this excerpt — confirm tt is
// closed on the failure path as well.
24 TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE);
// cluster and session are not declared in this excerpt; presumably fields of Batch.
26 session = cluster.connect();
// Cache schema versions (v2_0_11) are passed explicitly; Role and Perm take none.
30 NS.load(trans, session,NS.v2_0_11);
31 Role.load(trans, session);
32 Perm.load(trans, session);
33 NsAttrib.load(trans, session, NsAttrib.v2_0_11);
/**
 * Audits and repairs the loaded namespace data in two passes: first the
 * {@code authz.ns} rows themselves (null description, type/scope), then for
 * each namespace the expected admin/owner roles, the {@code access|*|*} and
 * {@code access|*|read} permissions and their cross-links, the parent field,
 * and the {@code member} role for namespaces carrying the {@code swm=v1}
 * attribute. Every repair is an UPDATE/INSERT executed on {@code session}.
 *
 * Several lines of the original method (null checks, closing braces,
 * {@code tt.done()} calls, the trailing {@code name='...';} of most WHERE
 * clauses) are not present in this excerpt; notes below mark where behaviour
 * depends on them.
 *
 * @param trans the transaction used for timing and logging
 */
37 protected void run(AuthzTrans trans) {
// STARS, msg, query, session and env are not declared here; presumably Batch fields.
41 trans.info().log(STARS, msg = "Checking for NS type mis-match", STARS);
42 TimeTaken tt = trans.start(msg, Env.SUB);
// Pass 1: per-namespace row sanity.
44 for(NS ns : NS.data.values()) {
45 if(ns.description==null) {
// Two near-identical warnings; the condition separating them (line 47) is omitted.
46 trans.warn().log("Namepace description is null. Changing to empty string.");
48 trans.warn().log("Namepace description is null. Changing to empty string");
// NOTE(review): every CQL statement in this method is built by string
// concatenation of ns.name / nk.name. A namespace name containing a single
// quote would break the statement or alter it; bound parameters
// (PreparedStatement) would remove that dependency on the input being clean.
50 query = "UPDATE authz.ns SET description='' WHERE name='" + ns.name +"';";
51 session.execute(query);
// scope = number of '.' separators in the name (count() presumably from Batch).
54 int scope = count(ns.name,'.');
// nt is not assigned in the visible lines; presumably an NsType (imported above)
// derived from scope in the omitted lines 55-69 — confirm.
70 if(ns.type!=nt.type || ns.scope !=scope) {
// Message says "has no type" although the condition is any type OR scope
// mismatch; it may sit under a narrower condition in the omitted line 71.
72 trans.warn().log("Namepace",ns.name,"has no type. Should change to ",nt.name());
74 query = "UPDATE authz.ns SET type=" + nt.type + ", scope=" + scope + " WHERE name='" + ns.name +"';";
75 trans.warn().log("Namepace",ns.name,"changing to",nt.name()+":",query);
76 session.execute(query);
// Pass 2: roles, perms and their links for every namespace.
85 trans.info().log(STARS, msg = "Checking for NS admin/owner mis-match", STARS);
86 tt = trans.start(msg, Env.SUB);
89 for(NS nk : NS.data.values()) {
// Current keys use '|' between namespace and role/perm; the "*Prev" keys are
// the older '.'-separated form that is migrated away below.
91 String roleAdmin = nk.name+"|admin";
92 String roleAdminPrev = nk.name+".admin";
93 String roleOwner = nk.name+"|owner";
94 String roleOwnerPrev = nk.name+".owner";
95 String permAll = nk.name+"|access|*|*";
96 String permAllPrev = nk.name+".access|*|*";
97 String permRead = nk.name+"|access|*|read";
98 String permReadPrev = nk.name+".access|*|read";
101 Role rk = Role.keys.get(roleAdmin); // accomodate new role key
102 // Role Admin should exist
// The null check guarding this branch (lines 103-104) is omitted here.
105 trans.warn().log(nk.name + " is missing role: " + roleAdmin);
// Creates the admin role already holding the namespace-wide write permission.
107 query = "INSERT INTO authz.role(ns, name, description, perms) VALUES ('"
109 + "','admin','Automatic Administration',"
110 + "{'" + nk.name + "|access|*|*'});";
111 session.execute(query);
// Note: queries are logged through env here but warnings through trans above.
112 env.info().log(query);
// Carry the old-style admin role key over as a perm of the new role.
115 if(Role.keys.get(roleAdminPrev)!=null) {
116 query = "UPDATE authz.role set perms = perms + "
117 + "{'" + roleAdminPrev + "'} "
118 + "WHERE ns='"+ nk.name + "' AND "
121 session.execute(query);
122 env.info().log(query);
// NOTE(review): rk.perms is dereferenced below; if rk was null when the role was
// inserted above, it must be re-fetched in the omitted lines or this NPEs — confirm.
126 // Role Admin should be linked to Perm All
127 if(!rk.perms.contains(permAll)) {
129 trans.warn().log(roleAdmin,"is not linked to",permAll);
131 query = "UPDATE authz.role set perms = perms + "
132 + "{'" + nk.name + "|access|*|*'} "
133 + "WHERE ns='"+ nk.name + "' AND "
136 session.execute(query);
137 env.info().log(query);
// Drop the old '.'-form perm key once present.
139 if(rk.perms.contains(permAllPrev)) {
140 query = "UPDATE authz.role set perms = perms - "
141 + "{'" + nk.name + ".access|*|*'} "
142 + "WHERE ns='"+ nk.name + "' AND "
145 session.execute(query);
146 env.info().log(query);
150 // Role Admin should not be linked to Perm Read
151 if(rk.perms.contains(permRead)) {
153 trans.warn().log(roleAdmin,"should not be linked to",permRead);
155 query = "UPDATE authz.role set perms = perms - "
156 + "{'" + nk.name + "|access|*|read'} "
157 + "WHERE ns='"+ nk.name + "' AND "
160 session.execute(query);
161 env.info().log(query);
// Now the permission side of the admin/permAll pair.
166 Perm pk = Perm.keys.get(permAll);
// The null check for pk (line 167) is omitted here.
168 trans.warn().log(nk.name + " is missing perm: " + permAll);
170 query = "INSERT INTO authz.perm(ns, type,instance,action,description, roles) VALUES ('"
172 + "','access','*','*','Namespace Write',"
173 + "{'" + nk.name + "|admin'});";
174 session.execute(query);
175 env.info().log(query);
// NOTE(review): as with rk, pk.roles below assumes pk was re-fetched after an insert.
179 // PermALL should be linked to Role Admin
180 if(!pk.roles.contains(roleAdmin)) {
181 trans.warn().log(permAll,"is not linked to",roleAdmin);
183 query = "UPDATE authz.perm set roles = roles + "
184 + "{'" + nk.name + "|admin'} WHERE "
185 + "ns='"+ pk.ns + "' AND "
186 + "type='access' AND instance='*' and action='*'"
188 session.execute(query);
189 env.info().log(query);
191 if(pk.roles.contains(roleAdminPrev)) {
192 query = "UPDATE authz.perm set roles = roles - "
193 + "{'" + nk.name + ".admin'} WHERE "
194 + "ns='"+ pk.ns + "' AND "
195 + "type='access' AND instance='*' and action='*'"
197 session.execute(query);
198 env.info().log(query);
204 // PermALL should be not linked to Role Owner
205 if(pk.roles.contains(roleOwner)) {
206 trans.warn().log(permAll,"should not be linked to",roleOwner);
208 query = "UPDATE authz.perm set roles = roles - "
209 + "{'" + nk.name + "|owner'} WHERE "
210 + "ns='"+ pk.ns + "' AND "
211 + "type='access' AND instance='*' and action='*'"
213 session.execute(query);
214 env.info().log(query);
// Same checks for the owner role / read permission pair.
223 rk = Role.keys.get(roleOwner);
225 trans.warn().log(nk.name + " is missing role: " + roleOwner);
227 query = "INSERT INTO authz.role(ns, name, description, perms) VALUES('"
229 + "','owner','Automatic Owners',"
230 + "{'" + nk.name + "|access|*|read'});";
231 session.execute(query);
232 env.info().log(query);
236 // Role Owner should be linked to permRead
237 if(!rk.perms.contains(permRead)) {
238 trans.warn().log(roleOwner,"is not linked to",permRead);
240 query = "UPDATE authz.role set perms = perms + "
241 + "{'" + nk.name + "|access|*|read'} "
242 + "WHERE ns='"+ nk.name + "' AND "
245 session.execute(query);
246 env.info().log(query);
248 if(rk.perms.contains(permReadPrev)) {
249 query = "UPDATE authz.role set perms = perms - "
250 + "{'" + nk.name + ".access|*|read'} "
251 + "WHERE ns='"+ nk.name + "' AND "
254 session.execute(query);
255 env.info().log(query);
260 // Role Owner should not be linked to PermAll
261 if(rk.perms.contains(permAll)) {
// NOTE(review): this warning names roleAdmin, but the check and the UPDATE
// concern the owner role (rk was re-fetched with roleOwner above); the
// message should say roleOwner.
262 trans.warn().log(roleAdmin,"should not be linked to",permAll);
264 query = "UPDATE authz.role set perms = perms - "
265 + "{'" + nk.name + "|access|*|*'} "
266 + "WHERE ns='"+ nk.name + "' AND "
269 session.execute(query);
270 env.info().log(query);
// pk now refers to the read permission; the member-role block further down
// reuses this pk.ns.
276 pk = Perm.keys.get(permRead);
278 trans.warn().log(nk.name + " is missing perm: " + permRead);
280 query = "INSERT INTO authz.perm(ns, type,instance,action,description, roles) VALUES ('"
282 + "','access','*','read','Namespace Read',"
283 + "{'" + nk.name + "|owner'});";
284 session.execute(query);
285 env.info().log(query);
288 // PermRead should be linked to roleOwner
289 if(!pk.roles.contains(roleOwner)) {
290 trans.warn().log(permRead, "is not linked to", roleOwner);
292 query = "UPDATE authz.perm set roles = roles + "
293 + "{'" + nk.name + "|owner'} WHERE "
294 + "ns='"+ pk.ns + "' AND "
295 + "type='access' AND instance='*' and action='read'"
297 session.execute(query);
298 env.info().log(query);
300 if(pk.roles.contains(roleOwnerPrev)) {
301 query = "UPDATE authz.perm set roles = roles - "
302 + "{'" + nk.name + ".owner'} WHERE "
303 + "ns='"+ pk.ns + "' AND "
304 + "type='access' AND instance='*' and action='read'"
306 session.execute(query);
307 env.info().log(query);
312 // PermRead should be not linked to RoleAdmin
313 if(pk.roles.contains(roleAdmin)) {
315 trans.warn().log(permRead,"should not be linked to",roleAdmin);
317 query = "UPDATE authz.perm set roles = roles - "
318 + "{'" + nk.name + "|admin'} WHERE "
319 + "ns='"+ pk.ns + "' AND "
320 + "type='access' AND instance='*' and action='read'"
322 session.execute(query);
323 env.info().log(query);
// Parent check: the parent is the name up to the last '.'. The handling of a
// name with no '.' (dot < 0) and the declaration of parent are in omitted
// lines 330-333 — confirm the substring is guarded.
329 int dot = nk.name.lastIndexOf('.');
334 parent = nk.name.substring(0, dot);
337 if(!parent.equals(nk.parent)) {
339 trans.warn().log(nk.name + " is missing namespace data");
341 query = "UPDATE authz.ns SET parent='"+parent+"'" +
342 " WHERE name='" + nk.name + "';";
343 session.execute(query);
344 env.info().log(query);
// Member role: only for namespaces with the swm=v1 attribute. hasSwmV1 is
// presumably set to true inside the if below (omitted line 353).
349 List<NsAttrib> swm = NsAttrib.byNS.get(nk.name);
350 boolean hasSwmV1 = false;
351 if(swm!=null) {for(NsAttrib na : swm) {
352 if("swm".equals(na.key) && "v1".equals(na.value)) {
357 String roleMem = nk.name+"|member";
358 Role rm = Role.keys.get(roleMem); // Accommodate new role key
359 if(rm==null && hasSwmV1) {
360 query = "INSERT INTO authz.role(ns, name, description, perms) VALUES ('"
362 + "','member','Member',"
363 + "{'" + nk.name + "|access|*|read'});";
364 session.execute(query);
365 query = "UPDATE authz.role set perms = perms + "
366 + "{'" + nk.name + "|access|*|read'} "
367 + "WHERE ns='"+ nk.name + "' AND "
370 session.execute(query);
371 env.info().log(query);
// NOTE(review): rm is dereferenced here; when rm==null and !hasSwmV1 the
// guard must be in an omitted line (372-373), and after the insert above rm
// is not visibly re-fetched — confirm.
374 if(!rm.perms.contains(permRead)) {
376 env.info().log(nk.name+"|member needs " + nk.name + "|access|*|read");
// Links the member role to the read perm (pk is the permRead entry here).
378 query = "UPDATE authz.perm set roles = roles + "
379 + "{'" + nk.name + "|member'} WHERE "
380 + "ns='"+ pk.ns + "' AND "
381 + "type='access' AND instance='*' and action='read'"
383 session.execute(query);
384 env.info().log(query);
// For swm v1 namespaces the member role additionally gets swm.star|*|*.
385 query = "UPDATE authz.role set perms = perms + "
386 + "{'" + nk.name + "|access|*|read'"
387 + (hasSwmV1?",'"+nk.name+"|swm.star|*|*'":"")
389 + "WHERE ns='"+ nk.name + "' AND "
392 session.execute(query);
393 env.info().log(query);
// This swm.star link is issued regardless of hasSwmV1 in the visible lines;
// it may be under a condition in the omitted line 394 — confirm.
395 query = "UPDATE authz.perm set roles = roles + "
396 + "{'" + nk.name + "|member'} WHERE "
397 + "ns='"+ pk.ns + "' AND "
398 + "type='swm.star' AND instance='*' and action='*'"
400 session.execute(query);
401 env.info().log(query);
411 // owner = Role.keys.get(ns.)
/**
 * Batch teardown hook: records the end of processing. Any session/cluster
 * cleanup would be in line 422, which is not part of this excerpt.
 *
 * @param trans the transaction for this batch run (unused in the visible lines)
 */
421 protected void _close(AuthzTrans trans) {
// aspr is not declared in this excerpt; presumably a logger inherited from Batch.
423 aspr.info("End " + this.getClass().getSimpleName() + " processing" );