Remove Code from cadi, it is now in authz
diff --git a/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
deleted file mode 100644 (file)
index 520d7ab..0000000
+++ /dev/null
@@ -1,221 +0,0 @@
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- *  *      http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- *  * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi.aaf.v2_0;\r
-\r
-import java.net.ConnectException;\r
-import java.net.URISyntaxException;\r
-import java.security.Principal;\r
-import java.util.Map;\r
-\r
-import org.onap.aaf.cadi.AbsUserCache;\r
-import org.onap.aaf.cadi.Access;\r
-import org.onap.aaf.cadi.CadiException;\r
-import org.onap.aaf.cadi.Permission;\r
-import org.onap.aaf.cadi.User;\r
-import org.onap.aaf.cadi.Access.Level;\r
-import org.onap.aaf.cadi.CachedPrincipal.Resp;\r
-import org.onap.aaf.cadi.aaf.AAFPermission;\r
-import org.onap.aaf.cadi.client.Future;\r
-import org.onap.aaf.cadi.client.Rcli;\r
-import org.onap.aaf.cadi.client.Retryable;\r
-import org.onap.aaf.cadi.lur.LocalPermission;\r
-\r
-import com.att.aft.dme2.api.DME2Exception;\r
-import org.onap.aaf.inno.env.APIException;\r
-import org.onap.aaf.inno.env.util.Split;\r
-\r
-import aaf.v2_0.Perm;\r
-import aaf.v2_0.Perms;\r
-\r
-/**\r
- * Use AAF Service as Permission Service.\r
- * \r
- * This Lur goes after AAF Permissions, which are elements of Roles, not the Roles themselves.\r
- * \r
- * If you want a simple Role Lur, use AAFRoleLur\r
- * \r
- *\r
- */\r
-public class AAFLurPerm extends AbsAAFLur<AAFPermission> {\r
-       /**\r
-        *  Need to be able to transmutate a Principal into either ATTUID or MechID, which are the only ones accepted at this\r
-        *  point by AAF.  There is no "domain", aka, no "@att.com" in "ab1234@att.com".  \r
-        *  \r
-        *  The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid.\r
-        *  Thus, we validate that the ID portion follows the rules before we waste time accessing AAF remotely\r
-        * @throws APIException \r
-        * @throws URISyntaxException \r
-        * @throws DME2Exception \r
-        */\r
-       // Package on purpose\r
-       AAFLurPerm(AAFCon<?> con) throws CadiException, DME2Exception, URISyntaxException, APIException {\r
-               super(con);\r
-       }\r
-\r
-       // Package on purpose\r
-       AAFLurPerm(AAFCon<?> con, AbsUserCache<AAFPermission> auc) throws DME2Exception, URISyntaxException, APIException {\r
-               super(con,auc);\r
-       }\r
-\r
-       protected User<AAFPermission> loadUser(Principal p)  {\r
-               // Note: The rules for AAF is that it only stores permissions for ATTUID and MechIDs, which don't \r
-               // have domains.  We are going to make the Transitive Class (see this.transmutative) to convert\r
-               Principal principal = transmutate.mutate(p);\r
-               if(principal==null)return null; // if not a valid Transmutated credential, don't bother calling...\r
-               return loadUser(p, p.getName());\r
-       }\r
-       \r
-       protected User<AAFPermission> loadUser(String name) {\r
-               return loadUser((Principal)null, name);\r
-       }\r
-       \r
-       private User<AAFPermission> loadUser(final Principal prin, final String name) {\r
-               \r
-               //TODO Create a dynamic way to declare domains supported.\r
-               final long start = System.nanoTime();\r
-               final boolean[] success = new boolean[]{false};\r
-               \r
-//             new Exception("loadUser").printStackTrace();\r
-               try {\r
-                       return aaf.best(new Retryable<User<AAFPermission>>() {\r
-                               @Override\r
-                               public User<AAFPermission> code(Rcli<?> client) throws CadiException, ConnectException, APIException {\r
-                                       Future<Perms> fp = client.read("/authz/perms/user/"+name,aaf.permsDF);\r
-                                       \r
-                                       // In the meantime, lookup User, create if necessary\r
-                                       User<AAFPermission> user = getUser(name);\r
-                                       Principal p;\r
-                                       if(prin == null) {\r
-                                               p = new Principal() {// Create a holder for lookups\r
-                                                       private String n = name;\r
-                                                       public String getName() {\r
-                                                               return n;\r
-                                                       }\r
-                                               };\r
-                                       } else {\r
-                                               p = prin;\r
-                                       }\r
-                                       \r
-                                       if(user==null) {\r
-                                               addUser(user = new User<AAFPermission>(p,aaf.userExpires)); // no password\r
-                                       }\r
-                                       \r
-                                       // OK, done all we can, now get content\r
-                                       if(fp.get(aaf.timeout)) {\r
-                                               success[0]=true;\r
-                                               Map<String, Permission> newMap = user.newMap();\r
-                                               boolean willLog = aaf.access.willLog(Level.DEBUG);\r
-                                               for(Perm perm : fp.value.getPerm()) {\r
-                                                       user.add(newMap,new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction()));\r
-                                                       if(willLog) {\r
-                                                               aaf.access.log(Level.DEBUG, name,"has '",perm.getType(),'|',perm.getInstance(),'|',perm.getAction(),'\'');\r
-                                                       }\r
-                                               }\r
-                                               user.setMap(newMap);\r
-                                               user.renewPerm();\r
-                                       } else {\r
-                                               int code;\r
-                                               switch(code=fp.code()) {\r
-                                                       case 401:\r
-                                                               aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls");\r
-                                                               break;\r
-                                                       default:\r
-                                                               aaf.access.log(Access.Level.ERROR, code, fp.body());\r
-                                               }\r
-                                       }\r
-\r
-                                       return user;\r
-                               }\r
-                       });\r
-               } catch (Exception e) {\r
-                       aaf.access.log(e,"Calling","/authz/perms/user/"+name);\r
-                       success[0]=false;\r
-                       return null;\r
-               } finally {\r
-                       float time = (System.nanoTime()-start)/1000000f;\r
-                       aaf.access.log(Level.INFO, success[0]?"Loaded":"Load Failure",name,"from AAF in",time,"ms");\r
-               }\r
-       }\r
-\r
-       public Resp reload(User<AAFPermission> user) {\r
-               final String name = user.principal.getName();\r
-               long start = System.nanoTime();\r
-               boolean success = false;\r
-               try {\r
-                       Future<Perms> fp = aaf.client(AAFCon.AAF_LATEST_VERSION).read(\r
-                                       "/authz/perms/user/"+name,\r
-                                       aaf.permsDF\r
-                                       );\r
-                       \r
-                       // OK, done all we can, now get content\r
-                       if(fp.get(aaf.timeout)) {\r
-                               success = true;\r
-                               Map<String,Permission> newMap = user.newMap(); \r
-                               boolean willLog = aaf.access.willLog(Level.DEBUG);\r
-                               for(Perm perm : fp.value.getPerm()) {\r
-                                       user.add(newMap, new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction()));\r
-                                       if(willLog) {\r
-                                               aaf.access.log(Level.DEBUG, name,"has",perm.getType(),perm.getInstance(),perm.getAction());\r
-                                       }\r
-                               }\r
-                               user.renewPerm();\r
-                               return Resp.REVALIDATED;\r
-                       } else {\r
-                               int code;\r
-                               switch(code=fp.code()) {\r
-                                       case 401:\r
-                                               aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls");\r
-                                               break;\r
-                                       default:\r
-                                               aaf.access.log(Access.Level.ERROR, code, fp.body());\r
-                               }\r
-                               return Resp.UNVALIDATED;\r
-                       }\r
-               } catch (Exception e) {\r
-                       aaf.access.log(e,"Calling","/authz/perms/user/"+name);\r
-                       return Resp.INACCESSIBLE;\r
-               } finally {\r
-                       float time = (System.nanoTime()-start)/1000000f;\r
-                       aaf.access.log(Level.AUDIT, success?"Reloaded":"Reload Failure",name,"from AAF in",time,"ms");\r
-               }\r
-       }\r
-\r
-       @Override\r
-       protected boolean isCorrectPermType(Permission pond) {\r
-               return pond instanceof AAFPermission;\r
-       }\r
-\r
-       /* (non-Javadoc)\r
-        * @see com.att.cadi.Lur#createPerm(java.lang.String)\r
-        */\r
-       @Override\r
-       public Permission createPerm(String p) {\r
-               String[] params = Split.split('|', p);\r
-               if(params.length==3) {\r
-                       return new AAFPermission(params[0],params[1],params[2]);\r
-               } else {\r
-                       return new LocalPermission(p);\r
-               }\r
-       }\r
-       \r
-}\r