[AAF-21] Updated Copyright Headers for AAF
1 /*******************************************************************************\r
2  * ============LICENSE_START====================================================\r
3  * * org.onap.aaf\r
4  * * ===========================================================================\r
5  * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
6  * * ===========================================================================\r
7  * * Licensed under the Apache License, Version 2.0 (the "License");\r
8  * * you may not use this file except in compliance with the License.\r
9  * * You may obtain a copy of the License at\r
10  * * \r
11  *  *      http://www.apache.org/licenses/LICENSE-2.0\r
12  * * \r
13  *  * Unless required by applicable law or agreed to in writing, software\r
14  * * distributed under the License is distributed on an "AS IS" BASIS,\r
15  * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
16  * * See the License for the specific language governing permissions and\r
17  * * limitations under the License.\r
18  * * ============LICENSE_END====================================================\r
19  * *\r
20  * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
21  * *\r
22  ******************************************************************************/\r
23 package com.att.authz.service.api;\r
24 \r
25 import static com.att.authz.layer.Result.OK;\r
26 import static com.att.cssa.rserv.HttpMethods.DELETE;\r
27 import static com.att.cssa.rserv.HttpMethods.POST;\r
28 \r
29 import javax.servlet.http.HttpServletRequest;\r
30 import javax.servlet.http.HttpServletResponse;\r
31 \r
32 import com.att.aft.dme2.internal.jetty.http.HttpStatus;\r
33 import com.att.authz.common.Define;\r
34 import com.att.authz.env.AuthzTrans;\r
35 import com.att.authz.facade.AuthzFacade;\r
36 import com.att.authz.layer.Result;\r
37 import com.att.authz.service.AuthAPI;\r
38 import com.att.authz.service.Code;\r
39 import com.att.authz.service.mapper.Mapper.API;\r
40 import com.att.cadi.taf.dos.DenialOfServiceTaf;\r
41 import com.att.dao.aaf.cass.Status;\r
42 import com.att.dao.aaf.hl.Question;\r
43 import com.att.dao.session.SessionFilter;\r
44 import com.att.inno.env.Trans;\r
45 \r
46 /**\r
47  * User Role APIs\r
48  *\r
49  */\r
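/**
 * Management APIs.
 *
 * <p>Registers the {@code /mgmt} routes: cache clearing, DB session reset, and the
 * on/off toggles for IP denial, ID denial and special logging of an ID. Every handler
 * answers 2xx and records a {@code SUCCESS} checkpoint on success, and hands any
 * failure {@link Result} to {@code context.error(...)} otherwise.
 */
public class API_Mgmt {

	private static final String SUCCESS = "SUCCESS";

	/**
	 * Normal Init level APIs: registers all management routes on the given API.
	 *
	 * <p>The deny/log routes gate on {@code req.isUserInRole(...)} and write an audit
	 * entry both for the granted action and for a rejected attempt. The DB session route
	 * does the same; the cache routes rely on whatever the route/{@link Code} layer enforces
	 * and only audit the successful clear.
	 *
	 * @param authzAPI the API to register routes on
	 * @param facade   the facade handed to each {@link Code} as its {@code context}
	 * @throws Exception propagated from {@code authzAPI.route(...)}
	 */
	public static void init(final AuthAPI authzAPI, AuthzFacade facade) throws Exception {

		/**
		 * Clear Cache Segment
		 */
		authzAPI.route(DELETE,"/mgmt/cache/:area/:segments",API.VOID,new Code(facade,"Clear Cache by Segment", true) {
			@Override
			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
				String area = pathParam(req,"area");
				String segments = pathParam(req,"segments");
				Result<Void> r = context.cacheClear(trans, area, segments);
				switch(r.status) {
					case OK:
						// Audit the administrative action, as the whole-area clear below already does.
						trans.audit().log("Cache " + area + " segments " + segments + " have been cleared by "+trans.user());
						trans.checkpoint(SUCCESS,Trans.ALWAYS);
						resp.setStatus(HttpStatus.OK_200);
						break;
					default:
						context.error(trans,resp,r);
				}
			}
		});

		/**
		 * Clear Cache
		 */
		authzAPI.route(DELETE,"/mgmt/cache/:area",API.VOID,new Code(facade,"Clear Cache", true) {
			@Override
			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
				String area = pathParam(req,"area");
				Result<Void> r = context.cacheClear(trans, area);
				switch(r.status) {
					case OK:
						trans.audit().log("Cache " + area + " has been cleared by "+trans.user());
						trans.checkpoint(SUCCESS,Trans.ALWAYS);
						resp.setStatus(HttpStatus.OK_200);
						break;
					default:
						context.error(trans,resp,r);
				}
			}
		});

		/**
		 * Clear DB Sessions
		 */
		authzAPI.route(DELETE,"/mgmt/dbsession",API.VOID,new Code(facade,"Clear DBSessions", true) {
			@Override
			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
				try {
					if(req.isUserInRole(Define.ROOT_NS+".db|pool|clear")) {
						SessionFilter.clear();
						context.dbReset(trans);

						trans.audit().log("DB Sessions have been cleared by "+trans.user());

						trans.checkpoint(SUCCESS,Trans.ALWAYS);
						resp.setStatus(HttpStatus.OK_200);
						return;
					}
					context.error(trans,resp,Result.err(Result.ERR_Denied,"%s is not allowed to clear dbsessions",trans.user()));
				} catch(Exception e) {
					// Reset failures are reported to the caller rather than left to the framework.
					trans.error().log(e, "clearing dbsession");
					context.error(trans,resp,Result.err(e));
				}
			}
		});

		/**
		 * Deny an IP
		 */
		authzAPI.route(POST, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Deny IP",true) {
			@Override
			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
				// NOTE(review): the cache routes look up path params as "area"; the deny/log routes
				// use ":ip"/":id". Whether pathParam() accepts both spellings is decided in Code/RServ,
				// not here — confirm before normalizing either form.
				String ip = pathParam(req,":ip");
				if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|ip")) {
					// denyIP() reports false when the address is already on the list.
					if(DenialOfServiceTaf.denyIP(ip)) {
						// The raw path segment is echoed into the audit line; any escaping of
						// control characters is the audit logger's responsibility — TODO confirm.
						trans.audit().log(ip+" has been set to deny by "+trans.user());
						trans.checkpoint(SUCCESS,Trans.ALWAYS);

						resp.setStatus(HttpStatus.CREATED_201);
					} else {
						context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists, 
								ip + " is already being denied"));
					}
				} else {
					trans.audit().log(trans.user(),"has attempted to deny",ip,"without authorization");
					context.error(trans,resp,Result.err(Status.ERR_Denied, 
							trans.getUserPrincipal().getName() + " is not allowed to set IP Denial"));
				}
			}
		});

		/**
		 * Stop Denying an IP
		 */
		authzAPI.route(DELETE, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Stop Denying IP",true) {
			@Override
			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
				String ip = pathParam(req,":ip");
				if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|ip")) {
					// removeDenyIP() reports false when the address was not on the list.
					if(DenialOfServiceTaf.removeDenyIP(ip)) {
						trans.audit().log(ip+" has been removed from denial by "+trans.user());
						trans.checkpoint(SUCCESS,Trans.ALWAYS);
						resp.setStatus(HttpStatus.OK_200);
					} else {
						context.error(trans,resp,Result.err(Status.ERR_NotFound, 
								ip + " is not on the denial list"));
					}
				} else {
					trans.audit().log(trans.user(),"has attempted to remove",ip," from being denied without authorization");
					context.error(trans,resp,Result.err(Status.ERR_Denied, 
							trans.getUserPrincipal().getName() + " is not allowed to remove IP Denial"));
				}
			}
		});

		/**
		 * Deny an ID
		 */
		authzAPI.route(POST, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Deny ID",true) {
			@Override
			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
				String id = pathParam(req,":id");
				if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|id")) {
					// denyID() reports false when the ID is already on the list.
					if(DenialOfServiceTaf.denyID(id)) {
						trans.audit().log(id+" has been set to deny by "+trans.user());
						trans.checkpoint(SUCCESS,Trans.ALWAYS);
						resp.setStatus(HttpStatus.CREATED_201);
					} else {
						context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists, 
								id + " is already being denied"));
					}
				} else {
					trans.audit().log(trans.user(),"has attempted to deny",id,"without authorization");
					context.error(trans,resp,Result.err(Status.ERR_Denied, 
							trans.getUserPrincipal().getName() + " is not allowed to set ID Denial"));
				}
			}
		});

		/**
		 * Stop Denying an ID
		 */
		authzAPI.route(DELETE, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Stop Denying ID",true) {
			@Override
			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
				String id = pathParam(req,":id");
				if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|id")) {
					// removeDenyID() reports false when the ID was not on the list.
					if(DenialOfServiceTaf.removeDenyID(id)) {
						trans.audit().log(id+" has been removed from denial by " + trans.user());
						trans.checkpoint(SUCCESS,Trans.ALWAYS);
						resp.setStatus(HttpStatus.OK_200);
					} else {
						context.error(trans,resp,Result.err(Status.ERR_NotFound, 
								id + " is not on the denial list"));
					}
				} else {
					trans.audit().log(trans.user(),"has attempted to remove",id," from being denied without authorization");
					context.error(trans,resp,Result.err(Status.ERR_Denied, 
							trans.getUserPrincipal().getName() + " is not allowed to remove ID Denial"));
				}
			}
		});

		/**
		 * Turn on special Logging for an ID
		 */
		authzAPI.route(POST, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Special Log ID",true) {
			@Override
			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
				String id = pathParam(req,":id");
				// Guarded by the ".log|…|id" role, not the ".deny|…|id" role used above.
				if(req.isUserInRole(Define.ROOT_NS+".log|"+Define.ROOT_COMPANY+"|id")) {
					// specialLogOn() reports false when the ID is already being special Logged.
					if(Question.specialLogOn(trans,id)) {
						trans.audit().log(id+" has been set to special Log by "+trans.user());
						trans.checkpoint(SUCCESS,Trans.ALWAYS);
						resp.setStatus(HttpStatus.CREATED_201);
					} else {
						context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists, 
								id + " is already being special Logged"));
					}
				} else {
					trans.audit().log(trans.user(),"has attempted to special Log",id,"without authorization");
					context.error(trans,resp,Result.err(Status.ERR_Denied, 
							trans.getUserPrincipal().getName() + " is not allowed to set ID special Logging"));
				}
			}
		});

		/**
		 * Turn off special Logging for an ID
		 */
		authzAPI.route(DELETE, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Stop Special Log ID",true) {
			@Override
			public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
				String id = pathParam(req,":id");
				if(req.isUserInRole(Define.ROOT_NS+".log|"+Define.ROOT_COMPANY+"|id")) {
					// specialLogOff() reports false when the ID was not being special Logged.
					if(Question.specialLogOff(trans,id)) {
						trans.audit().log(id+" has been removed from special Logging by " + trans.user());
						trans.checkpoint(SUCCESS,Trans.ALWAYS);
						resp.setStatus(HttpStatus.OK_200);
					} else {
						context.error(trans,resp,Result.err(Status.ERR_NotFound, 
								id + " is not on the special Logging list"));
					}
				} else {
					trans.audit().log(trans.user(),"has attempted to remove",id," from being special Logged without authorization");
					context.error(trans,resp,Result.err(Status.ERR_Denied, 
							trans.getUserPrincipal().getName() + " is not allowed to remove ID special Logging"));
				}
			}
		});

	}
}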