* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
public enum FUTURE_OP {
C("Create"),U("Update"),D("Delete"),G("Grant"),UG("UnGrant"),A("Approval");
public enum FUTURE_OP {
C("Create"),U("Update"),D("Delete"),G("Grant"),UG("UnGrant"),A("Approval");
public enum OP_STATUS {
E("Executed"),D("Denied"),P("Pending"),L("Lapsed");
public enum OP_STATUS {
E("Executed"),D("Denied"),P("Pending"),L("Lapsed");
- public final static Result<OP_STATUS> RE = Result.ok(OP_STATUS.E);
- public final static Result<OP_STATUS> RD = Result.ok(OP_STATUS.D);
- public final static Result<OP_STATUS> RP = Result.ok(OP_STATUS.P);
- public final static Result<OP_STATUS> RL = Result.ok(OP_STATUS.L);
+ public static final Result<OP_STATUS> RE = Result.ok(OP_STATUS.E);
+ public static final Result<OP_STATUS> RD = Result.ok(OP_STATUS.D);
+ public static final Result<OP_STATUS> RP = Result.ok(OP_STATUS.P);
+ public static final Result<OP_STATUS> RL = Result.ok(OP_STATUS.L);
* To create an NS, you need to: 1) validate permission to
* modify parent NS 2) Does NS exist already? 3) Create NS with
* a) "user" as owner. NOTE: Per 10-15 request for AAF 1.0 4)
* To create an NS, you need to: 1) validate permission to
* modify parent NS 2) Does NS exist already? 3) Create NS with
* a) "user" as owner. NOTE: Per 10-15 request for AAF 1.0 4)
- return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName());
+ return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName());
if (!fromApproval) {
rparent = q.mayUser(trans, user, rparent.value, Access.write);
if (rparent.notOK()) {
if (!fromApproval) {
rparent = q.mayUser(trans, user, rparent.value, Access.write);
if (rparent.notOK()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
"Target Namespace already exists");
}
return Result.err(Status.ERR_ConflictAlreadyExists,
"Target Namespace already exists");
}
// 2.1) Does role exist with that name
if(cname!=null && q.roleDAO().read(trans, parent, cname).isOKhasData()) {
// 2.1) Does role exist with that name
if(cname!=null && q.roleDAO().read(trans, parent, cname).isOKhasData()) {
"Role exists with that name");
}
// 2.2) Do perms exist with that name
if(cname!=null && q.permDAO().readByType(trans, parent, cname).isOKhasData()) {
"Role exists with that name");
}
// 2.2) Do perms exist with that name
if(cname!=null && q.permDAO().readByType(trans, parent, cname).isOKhasData()) {
// Need to use non-cached, because switching namespaces, not
// "create" per se
if ((rq = q.roleDAO().create(trans, rdd)).isOK()) {
// Need to use non-cached, because switching namespaces, not
// "create" per se
if ((rq = q.roleDAO().create(trans, rdd)).isOK()) {
for (PermDAO.Data pdd : lpdd) {
q.permDAO().addRole(trans, pdd, rdd);
}
for (PermDAO.Data pdd : lpdd) {
q.permDAO().addRole(trans, pdd, rdd);
}
Result<List<UserRoleDAO.Data>> rurd = q.userRoleDAO().readByRole(trans, rdd.fullName());
if (rurd.isOKhasData()) {
for (UserRoleDAO.Data urd : rurd.value) {
Result<List<UserRoleDAO.Data>> rurd = q.userRoleDAO().readByRole(trans, rdd.fullName());
if (rurd.isOKhasData()) {
for (UserRoleDAO.Data urd : rurd.value) {
for (PermDAO.Data pdd : rpdc.value) {
// Remove old Perm from Roles, save them off
List<RoleDAO.Data> lrdd = new ArrayList<>();
for (PermDAO.Data pdd : rpdc.value) {
// Remove old Perm from Roles, save them off
List<RoleDAO.Data> lrdd = new ArrayList<>();
for (String rl : pdd.roles(false)) {
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
if (rrdd.isOKhasData()) {
for (String rl : pdd.roles(false)) {
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
if (rrdd.isOKhasData()) {
* To delete an NS, you need to: 1) validate permission to
* modify this NS 2) Find all Roles with this NS, and 2a) if
* Force, delete them, else modify to Parent NS 3) Find all
* To delete an NS, you need to: 1) validate permission to
* modify this NS 2) Find all Roles with this NS, and 2a) if
* Force, delete them, else modify to Parent NS 3) Find all
rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
if (rq.notOK()) {
Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner");
rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
if (rq.notOK()) {
Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner");
return Result.err(Status.ERR_Security,
"%s is not a valid AAF Credential", user);
}
return Result.err(Status.ERR_Security,
"%s is not a valid AAF Credential", user);
}
}
rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
}
rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
// Even though not a "writer", Owners still determine who gets to be an Admin
Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner");
if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
// Even though not a "writer", Owners still determine who gets to be an Admin
Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner");
if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
}
// Remove old Perm from Roles, save them off
List<RoleDAO.Data> lrdd = new ArrayList<>();
}
// Remove old Perm from Roles, save them off
List<RoleDAO.Data> lrdd = new ArrayList<>();
for (String rl : pdd.roles(false)) {
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
if (rrdd.isOKhasData()) {
for (String rl : pdd.roles(false)) {
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
if (rrdd.isOKhasData()) {
* If Force is set, then Roles listed will be created, if allowed,
* pre-granted.
*/
* If Force is set, then Roles listed will be created, if allowed,
* pre-granted.
*/
* If force set, however, Role will be created before Grant, if User is
* allowed to create.
* If force set, however, Role will be created before Grant, if User is
* allowed to create.
*/
public Result<Void> addPermToRole(AuthzTrans trans, RoleDAO.Data role,PermDAO.Data pd, boolean fromApproval) {
String user = trans.user();
*/
public Result<Void> addPermToRole(AuthzTrans trans, RoleDAO.Data role,PermDAO.Data pd, boolean fromApproval) {
String user = trans.user();
// Must be Perm Admin, or Granted Special Permission
Result<NsDAO.Data> ucp = q.mayUser(trans, user, pd, Access.write);
if (ucp.notOK()) {
// Don't allow CLI potential Grantees to change their own AAF
// Perms,
// Must be Perm Admin, or Granted Special Permission
Result<NsDAO.Data> ucp = q.mayUser(trans, user, pd, Access.write);
if (ucp.notOK()) {
// Don't allow CLI potential Grantees to change their own AAF
// Perms,
|| !q.isGranted(trans, trans.user(),ROOT_NS,Question.PERM, rPermCo.value.name, "grant")) {
// Not otherwise granted
// TODO Needed?
|| !q.isGranted(trans, trans.user(),ROOT_NS,Question.PERM, rPermCo.value.name, "grant")) {
// Not otherwise granted
// TODO Needed?
* 1) Role must exist 2) User must be a known Credential (i.e. mechID ok if
* Credential) or known Organizational User
* 1) Role must exist 2) User must be a known Credential (i.e. mechID ok if
* Credential) or known Organizational User
// Check if record exists
if (q.userRoleDAO().read(trans, urData).isOKhasData()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
// Check if record exists
if (q.userRoleDAO().read(trans, urData).isOKhasData()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
return Result.err(Status.ERR_UserRoleNotFound,
"User Role does not exist");
}
return Result.err(Status.ERR_UserRoleNotFound,
"User Role does not exist");
}
if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
return Result.err(Status.ERR_RoleNotFound,
"Role [%s.%s] does not exist", urData.ns,urData.rname);
if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
return Result.err(Status.ERR_RoleNotFound,
"Role [%s.%s] does not exist", urData.ns,urData.rname);
List<UserRoleDAO.Data> list = rurdd.value;
List<String> rv = new ArrayList<>(list.size()); // presize
for (UserRoleDAO.Data urdd : rurdd.value) {
List<UserRoleDAO.Data> list = rurdd.value;
List<String> rv = new ArrayList<>(list.size()); // presize
for (UserRoleDAO.Data urdd : rurdd.value) {
Result<FutureDAO.Data> fr = q.futureDAO().create(trans, data, id);
if (fr.isOK()) {
sb.append("Created Future: ");
Result<FutureDAO.Data> fr = q.futureDAO().create(trans, data, id);
if (fr.isOK()) {
sb.append("Created Future: ");
public interface Lookup<T> {
T get(AuthzTrans trans, Object ... keys);
}
public interface Lookup<T> {
T get(AuthzTrans trans, Object ... keys);
}
public Lookup<UserRoleDAO.Data> urDBLookup = new Lookup<UserRoleDAO.Data>() {
@Override
public UserRoleDAO.Data get(AuthzTrans trans, Object ... keys) {
public Lookup<UserRoleDAO.Data> urDBLookup = new Lookup<UserRoleDAO.Data>() {
@Override
public UserRoleDAO.Data get(AuthzTrans trans, Object ... keys) {
boolean aDenial = false;
int cntSuper=0, appSuper=0,cntOwner=0, appOwner=0;
for (ApprovalDAO.Data add : la.get(trans)) {
boolean aDenial = false;
int cntSuper=0, appSuper=0,cntOwner=0, appOwner=0;
for (ApprovalDAO.Data add : la.get(trans)) {
// Decision: If not Denied, and at least owner, if exists, and at least one Super, if exists
boolean goDecision = (cntOwner>0?appOwner>0:true) && (cntSuper>0?appSuper>0:true);
// Decision: If not Denied, and at least owner, if exists, and at least one Super, if exists
boolean goDecision = (cntOwner>0?appOwner>0:true) && (cntSuper>0?appSuper>0:true);
if (fop == FUTURE_OP.C) {
ros = set(OP_STATUS.RE, q.credDAO().dao().create(trans, data));
}
if (fop == FUTURE_OP.C) {
ros = set(OP_STATUS.RE, q.credDAO().dao().create(trans, data));
}
} catch (Exception e) {
trans.error().log("Exception: ", e.getMessage(),
" \n occurred while performing", curr.memo,
} catch (Exception e) {
trans.error().log("Exception: ", e.getMessage(),
" \n occurred while performing", curr.memo,
Boolean[] first, String user, String memo, FUTURE_OP op, Identity u, UUID ticket, String type) throws OrganizationException {
ApprovalDAO.Data ad = new ApprovalDAO.Data();
// Note ad.id is set by ApprovalDAO Create
Boolean[] first, String user, String memo, FUTURE_OP op, Identity u, UUID ticket, String type) throws OrganizationException {
ApprovalDAO.Data ad = new ApprovalDAO.Data();
// Note ad.id is set by ApprovalDAO Create