* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
private final CacheInfoDAO cacheInfoDAO;
private final int cldays;
private final boolean alwaysSpecial;
private final CacheInfoDAO cacheInfoDAO;
private final int cldays;
private final boolean alwaysSpecial;
CachedDAO.startCleansing(env, credDAO, userRoleDAO);
CachedDAO.startRefresh(env, cacheInfoDAO);
}
CachedDAO.startCleansing(env, credDAO, userRoleDAO);
CachedDAO.startRefresh(env, cacheInfoDAO);
}
* Because this call is frequently called internally, AND because we already
* look for it in the initial Call, we cache within the Transaction
* Because this call is frequently called internally, AND because we already
* look for it in the initial Call, we cache within the Transaction
public Result<List<PermDAO.Data>> getPermsByUser(AuthzTrans trans, String user, boolean lookup) {
return PermLookup.get(trans, this, user).getPerms(lookup);
}
public Result<List<PermDAO.Data>> getPermsByUser(AuthzTrans trans, String user, boolean lookup) {
return PermLookup.get(trans, this, user).getPerms(lookup);
}
public Result<List<PermDAO.Data>> getPermsByUserFromRolesFilter(AuthzTrans trans, String user, String forUser) {
PermLookup plUser = PermLookup.get(trans, this, user);
Result<Set<String>> plPermNames = plUser.getPermNames();
if (plPermNames.notOK()) {
return Result.err(plPermNames);
}
public Result<List<PermDAO.Data>> getPermsByUserFromRolesFilter(AuthzTrans trans, String user, String forUser) {
PermLookup plUser = PermLookup.get(trans, this, user);
Result<Set<String>> plPermNames = plUser.getPermNames();
if (plPermNames.notOK()) {
return Result.err(plPermNames);
}
nss = new TreeSet<>();
PermLookup fUser = PermLookup.get(trans, this, forUser);
Result<Set<String>> forUpn = fUser.getPermNames();
if (forUpn.notOK()) {
return Result.err(forUpn);
}
nss = new TreeSet<>();
PermLookup fUser = PermLookup.get(trans, this, forUser);
Result<Set<String>> forUpn = fUser.getPermNames();
if (forUpn.notOK()) {
return Result.err(forUpn);
}
for (String pn : forUpn.value) {
Result<String[]> decoded = PermDAO.Data.decodeToArray(trans, this, pn);
if (decoded.isOKhasData()) {
for (String pn : forUpn.value) {
Result<String[]> decoded = PermDAO.Data.decodeToArray(trans, this, pn);
if (decoded.isOKhasData()) {
trans.error().log(pn,", derived from a Role, is invalid. Run Data Cleanup:",rpdd.errorString());
}
}
trans.error().log(pn,", derived from a Role, is invalid. Run Data Cleanup:",rpdd.errorString());
}
}
return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action);
}
}
return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action);
}
}
* For instance, if in the NS table, the parent "org.osaaf" exists, but not
* "org.osaaf.child" or "org.osaaf.a.b.c", then passing in either
* "org.osaaf.child" or "org.osaaf.a.b.c" will return "org.osaaf"
* For instance, if in the NS table, the parent "org.osaaf" exists, but not
* "org.osaaf.child" or "org.osaaf.a.b.c", then passing in either
* "org.osaaf.child" or "org.osaaf.a.b.c" will return "org.osaaf"
* @param trans
* @param child
* @return
*/
public Result<NsDAO.Data> deriveNs(AuthzTrans trans, String child) {
Result<List<NsDAO.Data>> r = nsDAO.read(trans, child);
* @param trans
* @param child
* @return
*/
public Result<NsDAO.Data> deriveNs(AuthzTrans trans, String child) {
Result<List<NsDAO.Data>> r = nsDAO.read(trans, child);
Result<List<NsDAO.Data>> rlnsd = nsDAO.read(trans, ns);
if (rlnsd.isOKhasData()) {
return Result.ok(rlnsd.value.get(0));
Result<List<NsDAO.Data>> rlnsd = nsDAO.read(trans, ns);
if (rlnsd.isOKhasData()) {
return Result.ok(rlnsd.value.get(0));
// Check if Access to Whole NS
// AAF-724 - Make consistent response for May User", and not take the
// last check... too confusing.
// Check if Access to Whole NS
// AAF-724 - Make consistent response for May User", and not take the
// last check... too confusing.
- Result<org.onap.aaf.auth.dao.cass.NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd,
+ Result<org.onap.aaf.auth.dao.cass.NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd,
if (isGranted(trans, user, pdd.ns, pdd.type, pdd.instance, pdd.action)) {
return Result.ok(ndd);
}
if (isGranted(trans, user, pdd.ns, pdd.type, pdd.instance, pdd.action)) {
return Result.ok(ndd);
}
String permInst = ":perm:" + pdd.type + ':' + pdd.instance + ':' + pdd.action;
// <ns>.access|:role:<role name>|<read|write>
String ns = ndd.name;
String permInst = ":perm:" + pdd.type + ':' + pdd.instance + ':' + pdd.action;
// <ns>.access|:role:<role name>|<read|write>
String ns = ndd.name;
!isGranted(trans, trans.user(), ROOT_NS,DELG,org.getDomain(), access.name())) {
return Result.err(Status.ERR_Denied,
"[%s] may not %s delegates for [%s]", trans.user(),
!isGranted(trans, trans.user(), ROOT_NS,DELG,org.getDomain(), access.name())) {
return Result.err(Status.ERR_Denied,
"[%s] may not %s delegates for [%s]", trans.user(),
Result<List<UserRoleDAO.Data>> rurd;
if ((rurd = userRoleDAO.readUserInRole(trans, user, ns+DOT_ADMIN)).isOKhasData()) {
return Result.ok(nsd);
} else if (rurd.status==Result.ERR_Backend) {
return Result.err(rurd);
}
Result<List<UserRoleDAO.Data>> rurd;
if ((rurd = userRoleDAO.readUserInRole(trans, user, ns+DOT_ADMIN)).isOKhasData()) {
return Result.ok(nsd);
} else if (rurd.status==Result.ERR_Backend) {
return Result.err(rurd);
}
// If Specially granted Global Permission
if (isGranted(trans, user, ROOT_NS,NS, ns_and_type, access)) {
return Result.ok(nsd);
// If Specially granted Global Permission
if (isGranted(trans, user, ROOT_NS,NS, ns_and_type, access)) {
return Result.ok(nsd);
if (ns.equals(pd.ns)) {
if (type.equals(pd.type)) {
if (PermEval.evalInstance(pd.instance, instance)) {
if (ns.equals(pd.ns)) {
if (type.equals(pd.type)) {
if (PermEval.evalInstance(pd.instance, instance)) {
- if (PermEval.evalAction(pd.action, action)) { // don't return action here, might miss other action
+ if (PermEval.evalAction(pd.action, action)) { // don't return action here, might miss other action
// 9/14/2019. Use TreeSet for sorting, and using only the LAST of a Tagged entry
Collection<CredDAO.Data> cddl;
if (result.value.size() > 1) {
// 9/14/2019. Use TreeSet for sorting, and using only the LAST of a Tagged entry
Collection<CredDAO.Data> cddl;
if (result.value.size() > 1) {
for (CredDAO.Data rcdd : result.value) {
if (rcdd.type==CredDAO.BASIC_AUTH || rcdd.type==CredDAO.BASIC_AUTH_SHA256) {
for (CredDAO.Data rcdd : result.value) {
if (rcdd.type==CredDAO.BASIC_AUTH || rcdd.type==CredDAO.BASIC_AUTH_SHA256) {
- if(rcdd.tag==null) {
- mcdd.put(Integer.toString(++pseudoTag),rcdd);
- } else {
- tag = rcdd.tag;
- cdd = mcdd.get(tag);
- if(cdd==null || cdd.expires.before(rcdd.expires)) {
- mcdd.put(tag,rcdd);
- }
- }
+ if(rcdd.tag==null) {
+ mcdd.put(Integer.toString(++pseudoTag),rcdd);
+ } else {
+ tag = rcdd.tag;
+ cdd = mcdd.get(tag);
+ if(cdd==null || cdd.expires.before(rcdd.expires)) {
+ mcdd.put(tag,rcdd);
+ }
+ }
Date expired = null;
StringBuilder debug = willSpecialLog(trans,user)?new StringBuilder():null;
for (CredDAO.Data cdd : cddl) {
Date expired = null;
StringBuilder debug = willSpecialLog(trans,user)?new StringBuilder():null;
for (CredDAO.Data cdd : cddl) {
if (Hash.compareTo(hash,dbcred)==0) {
checkLessThanDays(trans,cldays,now,cdd);
trans.setTag(cdd.tag);
if (Hash.compareTo(hash,dbcred)==0) {
checkLessThanDays(trans,cldays,now,cdd);
trans.setTag(cdd.tag);
if (expired!=null) {
// Note: this is only returned if there are no good Credentials
rv = Result.err(Status.ERR_Security,
if (expired!=null) {
// Note: this is only returned if there are no good Credentials
rv = Result.err(Status.ERR_Security,
if (cexp<close) {
int daysLeft = days-(int)((close-cexp)/86400000);
trans.audit().printf("user=%s,ip=%s,expires=%s,days=%d,tag=%s,msg=\"Password expires in less than %d day%s\"",
if (cexp<close) {
int daysLeft = days-(int)((close-cexp)/86400000);
trans.audit().printf("user=%s,ip=%s,expires=%s,days=%d,tag=%s,msg=\"Password expires in less than %d day%s\"",
- cdd.id,trans.ip(),Chrono.dateOnlyStamp(cdd.expires),daysLeft, cdd.tag,
+ cdd.id,trans.ip(),Chrono.dateOnlyStamp(cdd.expires),daysLeft, cdd.tag,
} else if (cred.type==CredDAO.FQI) {
cred.cred = null;
return Result.ok(cred);
}
return Result.err(Status.ERR_Security,"invalid/unreadable credential");
}
} else if (cred.type==CredDAO.FQI) {
cred.cred = null;
return Result.ok(cred);
}
return Result.err(Status.ERR_Security,"invalid/unreadable credential");
}
public Result<Boolean> userCredCheck(AuthzTrans trans, CredDAO.Data orig, final byte[] raw) {
Result<Boolean> rv;
TimeTaken tt = trans.start("CheckCred Cred", Env.SUB);
public Result<Boolean> userCredCheck(AuthzTrans trans, CredDAO.Data orig, final byte[] raw) {
Result<Boolean> rv;
TimeTaken tt = trans.start("CheckCred Cred", Env.SUB);
public static void logEncryptTrace(AuthzTrans trans, String data) {
long ti;
trans.put(transIDSlot, ti=nextTraceID());
public static void logEncryptTrace(AuthzTrans trans, String data) {
long ti;
trans.put(transIDSlot, ti=nextTraceID());
public boolean isOwner(AuthzTrans trans, String user, String ns) {
Result<List<UserRoleDAO.Data>> rur = userRoleDAO().read(trans, user,ns+DOT_OWNER);
if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){
public boolean isOwner(AuthzTrans trans, String user, String ns) {
Result<List<UserRoleDAO.Data>> rur = userRoleDAO().read(trans, user,ns+DOT_OWNER);
if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){
/**
* Return a Unique String, (same string, if it is already unique), with only
* lowercase letters, digits and the '.' character.
/**
* Return a Unique String, (same string, if it is already unique), with only
* lowercase letters, digits and the '.' character.
public static String fromUnique(String name) throws IOException {
byte[] from = name.getBytes();
StringBuilder sb = new StringBuilder();
public static String fromUnique(String name) throws IOException {
byte[] from = name.getBytes();
StringBuilder sb = new StringBuilder();