1 /*******************************************************************************\r
2  * ============LICENSE_START====================================================\r
3  * * org.onap.aaf\r
4  * * ===========================================================================\r
5  * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
6  * * ===========================================================================\r
7  * * Licensed under the Apache License, Version 2.0 (the "License");\r
8  * * you may not use this file except in compliance with the License.\r
9  * * You may obtain a copy of the License at\r
10  * * \r
11  *  *      http://www.apache.org/licenses/LICENSE-2.0\r
12  * * \r
13  *  * Unless required by applicable law or agreed to in writing, software\r
14  * * distributed under the License is distributed on an "AS IS" BASIS,\r
15  * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
16  * * See the License for the specific language governing permissions and\r
17  * * limitations under the License.\r
18  * * ============LICENSE_END====================================================\r
19  * *\r
20  * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
21  * *\r
22  ******************************************************************************/\r
23 package com.att.cadi.aaf.cass;\r
24 \r
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.IAuthorizer;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.PermissionDetails;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;

import com.att.cadi.Access.Level;
import com.att.cadi.aaf.v2_0.AbsAAFLur;
import com.att.cadi.lur.LocalPermission;
40 \r
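public class AAFAuthorizer extends AAFBase implements IAuthorizer {

    /** Literal segment of a Cassandra resource name that is rewritten to the configured cluster name. */
    private static final String DATA_SEGMENT = "data";

    /**
     * AAF actions the remote LUR is asked about, each mapped to the Cassandra permission it confers.
     * Shared by all instances to avoid per-request object creation; populated once during class
     * initialization and never modified afterwards. Declared as {@code ArrayList} because that is the
     * type the original code handed to {@code fishOneOf} — TODO confirm a {@code List} is accepted there.
     */
    private static final ArrayList<AbsAAFLur.Action<PermHolder>> ACTIONS =
            new ArrayList<AbsAAFLur.Action<PermHolder>>();

    static {
        // "*" is the wildcard grant: it marks the user as super, yields ALL and returns true,
        // whereas every specific action returns false. NOTE(review): presumably the LUR stops
        // visiting once an action returns true — confirm against AbsAAFLur.fishOneOf.
        ACTIONS.add(new AbsAAFLur.Action<PermHolder>() {
            @Override
            public String getName() {
                return "*";
            }

            @Override
            public boolean exec(PermHolder ph) {
                ph.aau.setSuper(true);
                ph.permissions = Permission.ALL;
                return true;
            }
        });
        ACTIONS.add(grantAction("SELECT", Permission.SELECT));
        ACTIONS.add(grantAction("MODIFY", Permission.MODIFY));
        ACTIONS.add(grantAction("CREATE", Permission.CREATE));
        ACTIONS.add(grantAction("ALTER", Permission.ALTER));
        ACTIONS.add(grantAction("DROP", Permission.DROP));
        ACTIONS.add(grantAction("AUTHORIZE", Permission.AUTHORIZE));
    }

    /**
     * Builds the visitor for one specific AAF action: when the LUR reports that the user holds the
     * action named {@code name}, the matching Cassandra permission is added to the holder.
     *
     * @param name    AAF action name as stored in AAF (e.g. {@code "SELECT"})
     * @param granted Cassandra permission conferred by that action
     * @return a visitor that records {@code granted} and returns {@code false}
     */
    private static AbsAAFLur.Action<PermHolder> grantAction(final String name, final Permission granted) {
        return new AbsAAFLur.Action<PermHolder>() {
            @Override
            public String getName() {
                return name;
            }

            @Override
            public boolean exec(PermHolder ph) {
                ph.mutable();
                ph.permissions.add(granted);
                return false;
            }
        };
    }

    /**
     * Returns every permission on {@code resource} that has been granted to {@code user}.
     *
     * <p>Only {@link AAFAuthenticatedUser}s can hold permissions; any other user type gets
     * {@link Permission#NONE}. Local (cadi.properties) IDs are checked against the local LUR, all
     * other IDs against the remote AAF LUR using an instance string derived from the resource name.
     *
     * @param user     the authenticated Cassandra user
     * @param resource the Cassandra resource being accessed
     * @return the granted permissions; never {@code null}
     */
    @Override
    public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
        final String uname = user.getName();
        final String rname = resource.getName();
        access.log(Level.DEBUG, "Authorizing", uname, "for", rname);

        final Set<Permission> permissions;
        if (user instanceof AAFAuthenticatedUser) {
            AAFAuthenticatedUser aafUser = (AAFAuthenticatedUser) user;
            // Reaching authorize() means the user was authenticated, so clear the anonymous flag.
            aafUser.setAnonymous(false);

            final String mapped = mapResource(rname);
            if (aafUser.isLocal()) {
                permissions = checkPermissions(aafUser, new LocalPermission(mapped));
            } else {
                // Remote instance string: leading ':' plus the mapped resource with '/' turned into ':'.
                permissions = checkPermissions(aafUser, perm_type, ':' + mapped.replace('/', ':'));
            }
        } else {
            permissions = Permission.NONE;
        }

        access.log(Level.INFO, "Permissions on", rname, "for", uname, ':', permissions);
        return permissions;
    }

    /**
     * Replaces the first occurrence of {@code "data"} in a Cassandra resource name with the
     * configured cluster name (e.g. {@code data/ks/tbl} becomes {@code <cluster>/ks/tbl}).
     *
     * <p>The substitution is literal: unlike {@link String#replaceFirst}, a cluster name containing
     * {@code $} or {@code \} is inserted verbatim instead of being interpreted as a regex replacement.
     *
     * @param rname the resource name reported by Cassandra
     * @return the mapped name, or {@code rname} unchanged when it contains no {@code "data"} segment
     */
    private String mapResource(String rname) {
        final int at = rname.indexOf(DATA_SEGMENT);
        if (at < 0) {
            return rname;
        }
        return rname.substring(0, at) + cluster_name + rname.substring(at + DATA_SEGMENT.length());
    }

    /**
     * Checks a localized ID (see cadi.properties) against the local LUR.
     *
     * <p>Unlike the remote "*" action, a local grant does not mark the user as super.
     *
     * @param aau  the local user
     * @param perm the permission to look up
     * @return {@link Permission#ALL} when the local LUR grants {@code perm}, else {@link Permission#NONE}
     */
    private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, LocalPermission perm) {
        return localLur.fish(aau.getFullName(), perm) ? Permission.ALL : Permission.NONE;
    }

    /**
     * Checks remote AAF permissions for the user on {@code type}/{@code instance}.
     *
     * @param aau      the user to look up
     * @param type     AAF permission type (see {@code perm_type})
     * @param instance AAF permission instance derived from the Cassandra resource name
     * @return the Cassandra permissions accumulated by the visitors in {@link #ACTIONS}
     */
    private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, String type, String instance) {
        PermHolder holder = new PermHolder(aau);
        // The LUR invokes each matching visitor in ACTIONS; the visitors fold permissions into holder.
        aafLur.fishOneOf(aau.getFullName(), holder, type, instance, ACTIONS);
        return holder.permissions;
    }

    /** Accumulates the Cassandra permissions found for one user during a remote AAF lookup. */
    private static final class PermHolder {
        private final AAFAuthenticatedUser aau;
        // Starts as the shared constant NONE; swapped for a private HashSet on the first specific grant.
        Set<Permission> permissions = Permission.NONE;

        PermHolder(AAFAuthenticatedUser aau) {
            this.aau = aau;
        }

        /**
         * Ensures {@link #permissions} is a private mutable set before a visitor adds to it. The
         * shared {@code NONE}/{@code ALL} constants are never mutated in place; {@code ALL} is copied
         * so that a specific grant visited after the wildcard cannot fail on an unmodifiable set.
         */
        void mutable() {
            if (permissions == Permission.NONE || permissions == Permission.ALL) {
                permissions = new HashSet<Permission>(permissions);
            }
        }
    }

    /**
     * Grants are administered through the AAF CLI. This hook only logs; it changes no permission,
     * and the CQL GRANT statement that triggered it completes without an error being reported.
     */
    @Override
    public void grant(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String to)
            throws RequestExecutionException {
        access.log(Level.INFO, "Use AAF CLI to grant permission(s) to user/role");
    }

    /**
     * Revocations are administered through the AAF CLI. This hook only logs; it changes no permission,
     * and the CQL REVOKE statement that triggered it completes without an error being reported.
     */
    @Override
    public void revoke(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String from)
            throws RequestExecutionException {
        access.log(Level.INFO, "Use AAF CLI to revoke permission(s) for user/role");
    }

    /**
     * Permission listing is administered through the AAF CLI.
     *
     * @return an empty set (previously {@code null}, which Cassandra's LIST PERMISSIONS path cannot handle)
     */
    @Override
    public Set<PermissionDetails> list(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of)
            throws RequestValidationException, RequestExecutionException {
        access.log(Level.INFO, "Use AAF CLI to find the list of permissions");
        return Collections.<PermissionDetails>emptySet();
    }

    /** Called before a DROP USER query removes the user. Internal hook; no permission checks are needed here. */
    @Override
    public void revokeAll(String droppedUser) {
        access.log(Level.INFO, "Use AAF CLI to revoke permission(s) for user/role");
    }

    /** Called after a resource is removed (DROP KEYSPACE, DROP TABLE, etc.). Logs only. */
    @Override
    public void revokeAll(IResource droppedResource) {
        access.log(Level.INFO, "Use AAF CLI to delete the unused permission", droppedResource.getName());
    }

}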