[aaf/cadi.git] / cass / src / main / java / com / att / cadi / aaf / cass / AAFAuthorizer.java

/*******************************************************************************\r
 * ============LICENSE_START====================================================\r
 * * org.onap.aai\r
 * * ===========================================================================\r
 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
 * * Copyright © 2017 Amdocs\r
 * * ===========================================================================\r
 * * Licensed under the Apache License, Version 2.0 (the "License");\r
 * * you may not use this file except in compliance with the License.\r
 * * You may obtain a copy of the License at\r
 * * \r
 *  *      http://www.apache.org/licenses/LICENSE-2.0\r
 * * \r
 *  * Unless required by applicable law or agreed to in writing, software\r
 * * distributed under the License is distributed on an "AS IS" BASIS,\r
 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 * * See the License for the specific language governing permissions and\r
 * * limitations under the License.\r
 * * ============LICENSE_END====================================================\r
 * *\r
 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
 * *\r
 ******************************************************************************/\r
package com.att.cadi.aaf.cass;\r
\r
import java.util.ArrayList;\r
import java.util.HashSet;\r
import java.util.Set;\r
\r
import org.apache.cassandra.auth.AuthenticatedUser;\r
import org.apache.cassandra.auth.IAuthorizer;\r
import org.apache.cassandra.auth.IResource;\r
import org.apache.cassandra.auth.Permission;\r
import org.apache.cassandra.auth.PermissionDetails;\r
import org.apache.cassandra.exceptions.RequestExecutionException;\r
import org.apache.cassandra.exceptions.RequestValidationException;\r
\r
import com.att.cadi.Access.Level;\r
import com.att.cadi.aaf.v2_0.AbsAAFLur;\r
import com.att.cadi.lur.LocalPermission;\r
\r
public class AAFAuthorizer extends AAFBase implements IAuthorizer {\r
        // Returns every permission on the resource granted to the user.\r
    public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {\r
        String uname, rname;\r
        access.log(Level.DEBUG,"Authorizing",uname=user.getName(),"for",rname=resource.getName());\r
\r
        Set<Permission> permissions;\r
\r
        if(user instanceof AAFAuthenticatedUser) {\r
                AAFAuthenticatedUser aafUser = (AAFAuthenticatedUser) user;\r
                        aafUser.setAnonymous(false);\r
                        \r
                        if(aafUser.isLocal()) {\r
                                permissions = checkPermissions(aafUser, new LocalPermission(\r
                                        rname.replaceFirst("data", cluster_name)\r
                                ));\r
                        } else {\r
                                permissions = checkPermissions(\r
                                                aafUser,\r
                                                perm_type,\r
                                                ':'+rname.replaceFirst("data", cluster_name).replace('/', ':'));\r
                        }\r
        } else {\r
                permissions = Permission.NONE;\r
        }\r
        \r
        access.log(Level.INFO,"Permissions on",rname,"for",uname,':', permissions);\r
\r
        return permissions;\r
    }\r
    \r
    /**\r
     * Check only for Localized IDs (see cadi.properties)\r
     * @param aau\r
     * @param perm\r
     * @return\r
     */\r
    private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, LocalPermission perm) {\r
        if(localLur.fish(aau.getFullName(), perm)) {\r
//              aau.setSuper(true);\r
                return Permission.ALL;\r
        } else {\r
                return Permission.NONE;\r
        }\r
    }\r
    \r
    /**\r
     * Check remoted AAF Permissions\r
     * @param aau\r
     * @param type\r
     * @param instance\r
     * @return\r
     */\r
    private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, String type, String instance) {\r
                // Can perform ALL actions\r
        String fullName = aau.getFullName();\r
        PermHolder ph = new PermHolder(aau);\r
        aafLur.fishOneOf(fullName, ph,type,instance,actions);\r
        return ph.permissions;\r
    }   \r
\r
    private class PermHolder {\r
        private AAFAuthenticatedUser aau;\r
                public PermHolder(AAFAuthenticatedUser aau) {\r
                this.aau = aau;\r
        }\r
        public Set<Permission> permissions = Permission.NONE;\r
                public void mutable() {\r
                        if(permissions==Permission.NONE) {\r
                                permissions = new HashSet<Permission>();\r
                        }\r
                }\r
    };\r
 \r
   /**\r
    * This specialty List avoid extra Object Creation, and allows the Lur to do a Vistor on all appropriate Perms\r
    */\r
   private static final ArrayList<AbsAAFLur.Action<PermHolder>> actions = new ArrayList<AbsAAFLur.Action<PermHolder>>();\r
   static {\r
           actions.add(new AbsAAFLur.Action<PermHolder>() {\r
                public String getName() {\r
                        return "*";\r
                }\r
                \r
                public boolean exec(PermHolder a) {\r
                a.aau.setSuper(true);\r
                a.permissions = Permission.ALL;\r
                        return true;\r
                }\r
           });\r
           \r
           actions.add(new AbsAAFLur.Action<PermHolder>() {\r
                public String getName() {\r
                        return "SELECT";\r
                }\r
                \r
                public boolean exec(PermHolder ph) {\r
                        ph.mutable();\r
                ph.permissions.add(Permission.SELECT);\r
                        return false;\r
                }\r
           });\r
           actions.add(new AbsAAFLur.Action<PermHolder>() {\r
                public String getName() {\r
                        return "MODIFY";\r
                }\r
                \r
                public boolean exec(PermHolder ph) {\r
                        ph.mutable();\r
                ph.permissions.add(Permission.MODIFY);\r
                        return false;\r
                }\r
           });\r
           actions.add(new AbsAAFLur.Action<PermHolder>() {\r
                public String getName() {\r
                        return "CREATE";\r
                }\r
                \r
                public boolean exec(PermHolder ph) {\r
                        ph.mutable();\r
                ph.permissions.add(Permission.CREATE);\r
                        return false;\r
                }\r
           });\r
\r
           actions.add(new AbsAAFLur.Action<PermHolder>() {\r
                public String getName() {\r
                        return "ALTER";\r
                }\r
                \r
                public boolean exec(PermHolder ph) {\r
                        ph.mutable();\r
                ph.permissions.add(Permission.ALTER);\r
                        return false;\r
                }\r
           });\r
           actions.add(new AbsAAFLur.Action<PermHolder>() {\r
                public String getName() {\r
                        return "DROP";\r
                }\r
                \r
                public boolean exec(PermHolder ph) {\r
                        ph.mutable();\r
                ph.permissions.add(Permission.DROP);\r
                        return false;\r
                }\r
           });\r
           actions.add(new AbsAAFLur.Action<PermHolder>() {\r
                public String getName() {\r
                        return "AUTHORIZE";\r
                }\r
                \r
                public boolean exec(PermHolder ph) {\r
                        ph.mutable();\r
                ph.permissions.add(Permission.AUTHORIZE);\r
                        return false;\r
                }\r
           });\r
\r
\r
   }; \r
   \r
   \r
    public void grant(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String to) throws RequestExecutionException {\r
        access.log(Level.INFO, "Use AAF CLI to grant permission(s) to user/role");\r
    }\r
\r
    public void revoke(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String from) throws RequestExecutionException {\r
        access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role");\r
    }\r
\r
    public Set<PermissionDetails> list(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of) throws RequestValidationException, RequestExecutionException {\r
        access.log(Level.INFO,"Use AAF CLI to find the list of permissions");\r
        return null;\r
    }\r
\r
    // Called prior to deleting the user with DROP USER query. Internal hook, so no permission checks are needed here.\r
    public void revokeAll(String droppedUser) {\r
        access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role");\r
    }\r
\r
    // Called after a resource is removed (DROP KEYSPACE, DROP TABLE, etc.).\r
    public void revokeAll(IResource droppedResource) {\r
        access.log(Level.INFO,"Use AAF CLI to delete the unused permission", droppedResource.getName());\r
    }\r
\r
}\r