-
- @ApiDoc(
- method = PUT,
- path = "/authz/userRole/user",
- params = {},
- expectedCode = 200,
- errorCodes = {403,404,406},
- text = { "Set a User's roles to the roles specified in the UserRoleRequest object.",
- "WARNING: Roles supplied will be the ONLY roles attached to this user",
- "If no roles are supplied, user's roles are reset."
- }
- )
- @Override
- public Result<Void> resetRolesForUser(AuthzTrans trans, REQUEST rreq) {
- Result<UserRoleDAO.Data> rurdd = mapper.userRole(trans, rreq);
- final ServiceValidator v = new ServiceValidator();
- if(rurdd.notOKorIsEmpty()) {
- return Result.err(rurdd);
- }
- if (v.user(trans.org(), rurdd.value.user).err()) {
- return Result.err(Status.ERR_BadData,v.errs());
- }
-
- Set<String> currRoles = new HashSet<String>();
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, rurdd.value.user);
- if(rlurd.isOK()) {
- for(UserRoleDAO.Data data : rlurd.value) {
- currRoles.add(data.role);
- }
- }
-
- Result<Void> rv = null;
- String[] roles;
- if(rurdd.value.role==null) {
- roles = new String[0];
- } else {
- roles = rurdd.value.role.split(",");
- }
-
- for (String role : roles) {
- if (v.role(role).err()) {
- return Result.err(Status.ERR_BadData,v.errs());
- }
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);
- if(rrdd.notOK()) {
- return Result.err(rrdd);
- }
-
- rurdd.value.role(rrdd.value);
-
- Result<NsDAO.Data> nsd = ques.mayUser(trans, trans.user(), rrdd.value,Access.write);
- if (nsd.notOK()) {
- return Result.err(nsd);
- }
- Result<NsDAO.Data> nsr = ques.deriveNs(trans, role);
- if(nsr.notOKorIsEmpty()) {
- return Result.err(nsr);
- }
-
- if(currRoles.contains(role)) {
- currRoles.remove(role);
- } else {
- rv = func.addUserRole(trans, rurdd.value);
- if (rv.notOK()) {
- return rv;
- }
- }
- }
-
- for (String role : currRoles) {
- rurdd.value.role(trans,ques,role);
- rv = ques.userRoleDAO.delete(trans, rurdd.value, false);
- if(rv.notOK()) {
- trans.info().log(rurdd.value.user,"/",rurdd.value.role, "expected to be deleted, but does not exist");
- // return rv; // if it doesn't exist, don't error out
- }
-
- }
-
- return Result.ok();
-
- }
-
- @ApiDoc(
- method = PUT,
- path = "/authz/userRole/role",
- params = {},
- expectedCode = 200,
- errorCodes = {403,404,406},
- text = { "Set a Role's users to the users specified in the UserRoleRequest object.",
- "WARNING: Users supplied will be the ONLY users attached to this role",
- "If no users are supplied, role's users are reset."
- }
- )
- @Override
- public Result<Void> resetUsersForRole(AuthzTrans trans, REQUEST rreq) {
- Result<UserRoleDAO.Data> rurdd = mapper.userRole(trans, rreq);
- if(rurdd.notOKorIsEmpty()) {
- return Result.err(rurdd);
- }
- final ServiceValidator v = new ServiceValidator();
- if (v.user_role(rurdd.value).err()) {
- return Result.err(Status.ERR_BadData,v.errs());
- }
-
- RoleDAO.Data rd = RoleDAO.Data.decode(rurdd.value);
-
- Result<NsDAO.Data> nsd = ques.mayUser(trans, trans.user(), rd, Access.write);
- if (nsd.notOK()) {
- return Result.err(nsd);
- }
-
- Result<NsDAO.Data> nsr = ques.deriveNs(trans, rurdd.value.role);
- if(nsr.notOKorIsEmpty()) {
- return Result.err(nsr);
- }
-
- Set<String> currUsers = new HashSet<String>();
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, rurdd.value.role);
- if(rlurd.isOK()) {
- for(UserRoleDAO.Data data : rlurd.value) {
- currUsers.add(data.user);
- }
- }
-
- // found when connected remotely to DEVL, can't replicate locally
- // inconsistent errors with cmd: role user setTo [nothing]
- // deleteUserRole --> read --> get --> cacheIdx(?)
- // sometimes returns idx for last added user instead of user passed in
- // cache bug?
-
-
- Result<Void> rv = null;
- String[] users = {};
- if (rurdd.value.user != null) {
- users = rurdd.value.user.split(",");
- }
-
- for (String user : users) {
- if (v.user(trans.org(), user).err()) {
- return Result.err(Status.ERR_BadData,v.errs());
- }
- rurdd.value.user = user;
-
- if(currUsers.contains(user)) {
- currUsers.remove(user);
- } else {
- rv = func.addUserRole(trans, rurdd.value);
- if (rv.notOK()) {
- return rv;
- }
- }
- }
-
- for (String user : currUsers) {
- rurdd.value.user = user;
- rv = ques.userRoleDAO.delete(trans, rurdd.value, false);
- if(rv.notOK()) {
- trans.info().log(rurdd.value, "expected to be deleted, but not exists");
- return rv;
- }
- }
-
- return Result.ok();
- }
-
- @ApiDoc(
- method = GET,
- path = "/authz/userRole/extend/:user/:role",
- params = { "user|string|true",
- "role|string|true"
- },
- expectedCode = 200,
- errorCodes = {403,404,406},
- text = { "Extend the Expiration of this User Role by the amount set by Organization",
- "Requestor must be allowed to modify the role"
- }
- )
- @Override
- public Result<Void> extendUserRole(AuthzTrans trans, String user, String role) {
- Organization org = trans.org();
- final ServiceValidator v = new ServiceValidator();
- if(v.user(org, user)
- .role(role)
- .err()) {
- return Result.err(Status.ERR_BadData,v.errs());
- }
-
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,ques,role);
- if(rrdd.notOK()) {
- return Result.err(rrdd);
- }
-
- Result<NsDAO.Data> rcr = ques.mayUser(trans, trans.user(), rrdd.value, Access.write);
- boolean mayNotChange;
- if((mayNotChange = rcr.notOK()) && !trans.requested(future)) {
- return Result.err(rcr);
- }
-
- Result<List<UserRoleDAO.Data>> rr = ques.userRoleDAO.read(trans, user,role);
- if(rr.notOK()) {
- return Result.err(rr);
- }
- for(UserRoleDAO.Data userRole : rr.value) {
- if(mayNotChange) { // Function exited earlier if !trans.futureRequested
- FutureDAO.Data fto = new FutureDAO.Data();
- fto.target=UserRoleDAO.TABLE;
- fto.memo = "Extend User ["+userRole.user+"] in Role ["+userRole.role+"]";
- GregorianCalendar now = new GregorianCalendar();
- fto.start = now.getTime();
- fto.expires = org.expiration(now, Expiration.Future).getTime();
- try {
- fto.construct = userRole.bytify();
- } catch (IOException e) {
- trans.error().log(e, "Error while bytifying UserRole for Future");
- return Result.err(e);
- }
+ switch(fd.status) {
+ case OK:
+ Result<String> rfc = func.createFuture(trans, fd.value, userRole.user+'|'+userRole.ns + '.' + userRole.rname,
+ userRole.user, ndd, FUTURE_OP.C);
+ if (rfc.isOK()) {
+ return Result.err(Status.ACC_Future, "UserRole [%s - %s.%s] is saved for future processing",
+ userRole.user,
+ userRole.ns,
+ userRole.rname);
+ } else {
+ return Result.err(rfc);
+ }
+ case Status.ACC_Now:
+ return func.addUserRole(trans, userRole);
+ default:
+ return Result.err(fd);
+ }
+ } finally {
+ tt.done();
+ }
+ }
+
+ /**
+ * getUserRolesByRole
+ */
+ @ApiDoc(
+ method = GET,
+ path = "/authz/userRoles/role/:role",
+ params = {"role|string|true"},
+ expectedCode = 200,
+ errorCodes = {404,406},
+ text = { "List all Users that are attached to Role specified in :role",
+ }
+ )
+ @Override
+ public Result<USERROLES> getUserRolesByRole(AuthzTrans trans, String role) {
+ final Validator v = new ServiceValidator();
+ if (v.nullOrBlank("Role",role).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+
+ Result<RoleDAO.Data> rrdd;
+ rrdd = RoleDAO.Data.decode(trans,ques,role);
+ if (rrdd.notOK()) {
+ return Result.err(rrdd);
+ }
+ // May Requester see result?
+ Result<NsDAO.Data> ns = ques.mayUser(trans,trans.user(), rrdd.value,Access.read);
+ if (ns.notOK()) {
+ return Result.err(ns);
+ }
+
+ // boolean filter = true;
+ // if (ns.value.isAdmin(trans.user()) || ns.value.isResponsible(trans.user()))
+ // filter = false;
+
+ // Get list of roles per user, then add to Roles as we go
+ HashSet<UserRoleDAO.Data> userSet = new HashSet<>();
+ Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByRole(trans, role);
+ if (rlurd.isOK()) {
+ for (UserRoleDAO.Data data : rlurd.value) {
+ userSet.add(data);
+ }
+ }
+
+ @SuppressWarnings("unchecked")
+ USERROLES users = (USERROLES) mapper.newInstance(API.USER_ROLES);
+ // Checked for permission
+ mapper.userRoles(trans, userSet, users);
+ return Result.ok(users);
+ }
+ /**
+ * getUserRolesByRole
+ */
+ @ApiDoc(
+ method = GET,
+ path = "/authz/userRoles/user/:user",
+ params = {"role|string|true"},
+ expectedCode = 200,
+ errorCodes = {404,406},
+ text = { "List all UserRoles for :user",
+ }
+ )
+ @Override
+ public Result<USERROLES> getUserRolesByUser(AuthzTrans trans, String user) {
+ final Validator v = new ServiceValidator();
+ if (v.nullOrBlank("User",user).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+
+ // Get list of roles per user, then add to Roles as we go
+ Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, user);
+ if (rlurd.notOK()) {
+ return Result.err(rlurd);
+ }
+
+ /* Check for
+ * 1) is User
+ * 2) is User's Supervisor
+ * 3) Has special global access =read permission
+ *
+ * If none of the 3, then filter results to NSs in which Calling User has Ns.access * read
+ */
+ boolean mustFilter;
+ String callingUser = trans.getUserPrincipal().getName();
+ NsDAO.Data ndd = new NsDAO.Data();
+
+ if (user.equals(callingUser)) {
+ mustFilter = false;
+ } else {
+ Organization org = trans.org();
+ try {
+ Identity orgID = org.getIdentity(trans, user);
+ Identity manager = orgID==null?null:orgID.responsibleTo();
+ if (orgID!=null && (manager!=null && callingUser.equals(manager.fullID()))) {
+ mustFilter = false;
+ } else if (ques.isGranted(trans, callingUser, ROOT_NS, Question.ACCESS, "*", Access.read.name())) {
+ mustFilter=false;
+ } else {
+ mustFilter = true;
+ }
+ } catch (OrganizationException e) {
+ trans.env().log(e);
+ mustFilter = true;
+ }
+ }
+
+ List<UserRoleDAO.Data> content;
+ if (mustFilter) {
+ content = new ArrayList<>(rlurd.value.size()); // avoid multi-memory redos
+
+ for (UserRoleDAO.Data data : rlurd.value) {
+ ndd.name=data.ns;
+ Result<Data> mur = ques.mayUser(trans, callingUser, ndd, Access.read);
+ if (mur.isOK()){
+ content.add(data);
+ }
+ }
+
+ } else {
+ content = rlurd.value;
+ }