1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package com.att.authz.service.api;
\r
25 import static com.att.authz.layer.Result.OK;
\r
26 import static com.att.cssa.rserv.HttpMethods.DELETE;
\r
27 import static com.att.cssa.rserv.HttpMethods.POST;
\r
29 import javax.servlet.http.HttpServletRequest;
\r
30 import javax.servlet.http.HttpServletResponse;
\r
32 import com.att.aft.dme2.internal.jetty.http.HttpStatus;
\r
33 import com.att.authz.common.Define;
\r
34 import com.att.authz.env.AuthzTrans;
\r
35 import com.att.authz.facade.AuthzFacade;
\r
36 import com.att.authz.layer.Result;
\r
37 import com.att.authz.service.AuthAPI;
\r
38 import com.att.authz.service.Code;
\r
39 import com.att.authz.service.mapper.Mapper.API;
\r
40 import com.att.cadi.taf.dos.DenialOfServiceTaf;
\r
41 import com.att.dao.aaf.cass.Status;
\r
42 import com.att.dao.aaf.hl.Question;
\r
43 import com.att.dao.session.SessionFilter;
\r
44 import com.att.inno.env.Trans;
\r
50 public class API_Mgmt {
\r
// Label recorded via trans.checkpoint(SUCCESS, Trans.ALWAYS) in the route handlers
// below once a management operation has completed successfully.
private static final String SUCCESS = "SUCCESS";
\r
55 * Normal Init level APIs
\r
61 public static void init(final AuthAPI authzAPI, AuthzFacade facade) throws Exception {
\r
64 * Clear Cache Segment
\r
66 authzAPI.route(DELETE,"/mgmt/cache/:area/:segments",API.VOID,new Code(facade,"Clear Cache by Segment", true) {
\r
68 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
69 Result<Void> r = context.cacheClear(trans, pathParam(req,"area"), pathParam(req,"segments"));
\r
72 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
73 resp.setStatus(HttpStatus.OK_200);
\r
76 context.error(trans,resp,r);
\r
84 authzAPI.route(DELETE,"/mgmt/cache/:area",API.VOID,new Code(facade,"Clear Cache", true) {
\r
86 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
89 r = context.cacheClear(trans, area=pathParam(req,"area"));
\r
92 trans.audit().log("Cache " + area + " has been cleared by "+trans.user());
\r
93 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
94 resp.setStatus(HttpStatus.OK_200);
\r
97 context.error(trans,resp,r);
\r
103 * Clear DB Sessions
\r
105 authzAPI.route(DELETE,"/mgmt/dbsession",API.VOID,new Code(facade,"Clear DBSessions", true) {
\r
107 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
109 if(req.isUserInRole(Define.ROOT_NS+".db|pool|clear")) {
\r
110 SessionFilter.clear();
\r
111 context.dbReset(trans);
\r
113 trans.audit().log("DB Sessions have been cleared by "+trans.user());
\r
115 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
116 resp.setStatus(HttpStatus.OK_200);
\r
119 context.error(trans,resp,Result.err(Result.ERR_Denied,"%s is not allowed to clear dbsessions",trans.user()));
\r
120 } catch(Exception e) {
\r
121 trans.error().log(e, "clearing dbsession");
\r
122 context.error(trans,resp,Result.err(e));
\r
130 authzAPI.route(POST, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Deny IP",true) {
\r
132 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
133 String ip = pathParam(req,":ip");
\r
134 if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|ip")) {
\r
135 if(DenialOfServiceTaf.denyIP(ip)) {
\r
136 trans.audit().log(ip+" has been set to deny by "+trans.user());
\r
137 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
139 resp.setStatus(HttpStatus.CREATED_201);
\r
141 context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
\r
142 ip + " is already being denied"));
\r
145 trans.audit().log(trans.user(),"has attempted to deny",ip,"without authorization");
\r
146 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
147 trans.getUserPrincipal().getName() + " is not allowed to set IP Denial"));
\r
153 * Stop Denying an IP
\r
155 authzAPI.route(DELETE, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Stop Denying IP",true) {
\r
157 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
158 String ip = pathParam(req,":ip");
\r
159 if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|ip")) {
\r
160 if(DenialOfServiceTaf.removeDenyIP(ip)) {
\r
161 trans.audit().log(ip+" has been removed from denial by "+trans.user());
\r
162 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
163 resp.setStatus(HttpStatus.OK_200);
\r
165 context.error(trans,resp,Result.err(Status.ERR_NotFound,
\r
166 ip + " is not on the denial list"));
\r
169 trans.audit().log(trans.user(),"has attempted to remove",ip," from being denied without authorization");
\r
170 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
171 trans.getUserPrincipal().getName() + " is not allowed to remove IP Denial"));
\r
179 authzAPI.route(POST, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Deny ID",true) {
\r
181 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
182 String id = pathParam(req,":id");
\r
183 if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|id")) {
\r
184 if(DenialOfServiceTaf.denyID(id)) {
\r
185 trans.audit().log(id+" has been set to deny by "+trans.user());
\r
186 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
187 resp.setStatus(HttpStatus.CREATED_201);
\r
189 context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
\r
190 id + " is already being denied"));
\r
193 trans.audit().log(trans.user(),"has attempted to deny",id,"without authorization");
\r
194 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
195 trans.getUserPrincipal().getName() + " is not allowed to set ID Denial"));
\r
201 * Stop Denying an ID
\r
203 authzAPI.route(DELETE, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Stop Denying ID",true) {
\r
205 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
206 String id = pathParam(req,":id");
\r
207 if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|id")) {
\r
208 if(DenialOfServiceTaf.removeDenyID(id)) {
\r
209 trans.audit().log(id+" has been removed from denial by " + trans.user());
\r
210 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
211 resp.setStatus(HttpStatus.OK_200);
\r
213 context.error(trans,resp,Result.err(Status.ERR_NotFound,
\r
214 id + " is not on the denial list"));
\r
217 trans.audit().log(trans.user(),"has attempted to remove",id," from being denied without authorization");
\r
218 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
219 trans.getUserPrincipal().getName() + " is not allowed to remove ID Denial"));
\r
227 authzAPI.route(POST, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Special Log ID",true) {
\r
229 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
230 String id = pathParam(req,":id");
\r
231 if(req.isUserInRole(Define.ROOT_NS+".log|"+Define.ROOT_COMPANY+"|id")) {
\r
232 if(Question.specialLogOn(trans,id)) {
\r
233 trans.audit().log(id+" has been set to special Log by "+trans.user());
\r
234 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
235 resp.setStatus(HttpStatus.CREATED_201);
\r
237 context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
\r
238 id + " is already being special Logged"));
\r
241 trans.audit().log(trans.user(),"has attempted to special Log",id,"without authorization");
\r
242 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
243 trans.getUserPrincipal().getName() + " is not allowed to set ID special Logging"));
\r
249 * Stop Special Logging an ID
\r
251 authzAPI.route(DELETE, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Stop Special Log ID",true) {
\r
253 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
254 String id = pathParam(req,":id");
\r
255 if(req.isUserInRole(Define.ROOT_NS+".log|"+Define.ROOT_COMPANY+"|id")) {
\r
256 if(Question.specialLogOff(trans,id)) {
\r
257 trans.audit().log(id+" has been removed from special Logging by " + trans.user());
\r
258 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
259 resp.setStatus(HttpStatus.OK_200);
\r
261 context.error(trans,resp,Result.err(Status.ERR_NotFound,
\r
262 id + " is not on the special Logging list"));
\r
265 trans.audit().log(trans.user(),"has attempted to remove",id," from being special Logged without authorization");
\r
266 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
267 trans.getUserPrincipal().getName() + " is not allowed to remove ID special Logging"));
\r