Enable Organizations to have a subset of users whose user roles do not expire
[aaf/authz.git] / auth / auth-batch / src / main / java / org / onap / aaf / auth / batch / reports / Analyze.java
index 78c6ae3..3a813ec 100644 (file)
@@ -57,6 +57,7 @@ import org.onap.aaf.auth.batch.helpers.X509;
 import org.onap.aaf.auth.dao.cass.CredDAO;
 import org.onap.aaf.auth.dao.cass.UserRoleDAO;
 import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.Organization.Expiration;
 import org.onap.aaf.auth.org.Organization.Identity;
 import org.onap.aaf.auth.org.OrganizationException;
 import org.onap.aaf.cadi.configure.Factory;
@@ -69,7 +70,7 @@ import org.onap.aaf.misc.env.util.Chrono;
 
 
 public class Analyze extends Batch {
-    private static final int unknown=0;
+       private static final int unknown=0;
     private static final int owner=1;
     private static final int supervisor=2;
     private static final int total=0;
@@ -82,6 +83,7 @@ public class Analyze extends Batch {
     private static final String EXPIRED_OWNERS = "ExpiredOwners";
     private static final String CSV = ".csv";
     private static final String INFO = "info";
+    private static final String NOT_COMPLIANT = "NotCompliant";
     private int minOwners;
     private Map<String, CSV.Writer> writerList;
     private ExpireRange expireRange;
@@ -89,6 +91,7 @@ public class Analyze extends Batch {
     private CSV.Writer deleteCW;
     private CSV.Writer needApproveCW;
     private CSV.Writer extendCW;
+    private CSV.Writer notCompliantCW;
     private Range futureRange;
     private final String sdate;
     private LastNotified ln;
@@ -146,6 +149,12 @@ public class Analyze extends Batch {
             extendCW.row(INFO,EXTEND,sdate,1);
             writerList.put(EXTEND,extendCW);
 
+            // Setup NotCompliant Writer for Apps
+            file = new File(logDir(),NOT_COMPLIANT + sdate + CSV);
+            CSV ncCSV = new CSV(env.access(),file);
+            notCompliantCW = ncCSV.writer();
+            writerList.put(NOT_COMPLIANT, notCompliantCW);
+            
             // Load full data of the following
             ln = new LastNotified(session);
 
@@ -210,11 +219,13 @@ public class Analyze extends Batch {
                         // for users and approvers still valid
                         String user = appr.getUser();
 
-                        if(org.isRevoked(noAvg, appr.getApprover())) {
-                            deleteCW.comment("Approver ID is revoked");
+                        Date revokedAppr = org.isRevoked(noAvg, appr.getApprover());
+                        Date revokedUser = org.isRevoked(noAvg, user);
+                        if(revokedAppr!=null) {
+                            deleteCW.comment("Approver ID is revoked on " + revokedAppr);
                             Approval.row(deleteCW, appr);
-                        } else if(user!=null && !user.isEmpty() && org.isRevoked(noAvg, user)) {
-                            deleteCW.comment("USER ID is revoked");
+                        } else if(user!=null && !user.isEmpty() && revokedUser!=null) {
+                            deleteCW.comment("USER ID is revoked on " + revokedUser);
                             Approval.row(deleteCW, appr);
                         } else {
                             ticket.approvals.add(appr); // add to found Ticket
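Review bot: `org.isRevoked(noAvg, user)` is now called before the `user!=null && !user.isEmpty()` guard, whereas the old code only reached it when that guard passed, so a null or empty user is now handed to the Organization lookup on every approval. Compute it under the guard instead: `Date revokedUser = (user!=null && !user.isEmpty()) ? org.isRevoked(noAvg, user) : null;`. Whether isRevoked tolerates a null id is not visible here. The enclosing loop body starts and ends outside this hunk.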
@@ -384,12 +395,34 @@ public class Analyze extends Batch {
                                     }
                                     return;
                                 }
+                                Date revoked = org.isRevoked(trans, ur.user());
+                                if(revoked!=null) {
+                                       GregorianCalendar gc = new GregorianCalendar();
+                                       gc.setTime(revoked);
+                                       GregorianCalendar gracePeriodEnds = org.expiration(gc, Expiration.RevokedGracePeriodEnds, ur.user());
+                                       if(now.after(gracePeriodEnds.getTime())) {
+                                        ur.row(deleteCW, UserRole.UR,"Revoked ID, no grace period left");
+                                       } else {
+                                               ur.row(notCompliantCW, UserRole.UR, "Revoked ID: WARNING! GracePeriod Ends " + Chrono.dateOnlyStamp(gracePeriodEnds));
+                                       }
+                                       return;
+                                }
                                 ur.row(deleteCW, UserRole.UR,"Not in Organization");
                                 return;
                             } else if(Role.byName.get(ur.role())==null) {
                                 ur.row(deleteCW, UserRole.UR,String.format("Role %s does not exist", ur.role()));
                                 return;
+                            // Make sure owners can still be owners.
+                            } else if(ur.role().endsWith(".owner")) {
+                               String err = identity.mayOwn(); 
+                               if(err!=null) {
+                                       ur.row(deleteCW, UserRole.UR,String.format("%s may not be an owner: %s",ur.user(),err));
+                                       return;
+                               }
                             }
+                            
+                            
+                            
                             // Just let expired UserRoles sit until deleted
                             if(futureRange.inRange(ur.expires())&&(!mur.containsKey(ur.user() + '|' + ur.role()))) {
                                     // Cannot just delete owners, unless there is at least one left. Process later
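Review bot: The new revoked-ID branch deliberately keeps a UserRole in place after the Organization has revoked the identity, until `RevokedGracePeriodEnds`, but nothing in the code says why revocation is not handled like the adjacent "Not in Organization" case; a comment such as `// Revoked IDs keep their roles until the Organization's grace period ends; only then are they deleted` above `if(revoked!=null)` would help the next reader. The block also mixes tab and space indentation, the `// Make sure owners can still be owners.` comment sits before the closing brace of the previous branch instead of inside the `.owner` branch it describes, and three whitespace-only lines follow the chain. Whether `org.expiration(...)` can return null for an identity that is no longer in the Organization is not visible here; if it can, `gracePeriodEnds.getTime()` would throw. The enclosing method starts and ends outside this hunk.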
@@ -405,7 +438,12 @@ public class Analyze extends Batch {
                                         if(r!=null) {
                                             Approval existing = findApproval(ur);
                                             if(existing==null) {
-                                                ur.row(needApproveCW,UserRole.APPROVE_UR);
+                                                if (org.isUserExpireExempt(ur.user(), ur.expires())) {
+                                                    ur.row(notCompliantCW, UserRole.UR);
+                                                } else {
+                                                    ur.row(needApproveCW, UserRole.APPROVE_UR,
+                                                            "Expired user role! Membership expired " + Chrono.dateOnlyStamp(ur.expires()));
+                                                }
                                             }
                                         }
                                     }
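Review bot: The expire-exempt branch writes `ur.row(notCompliantCW, UserRole.UR)` with no reason text, while every other row this change sends to the delete or NotCompliant writers carries one, so the NotCompliant report cannot distinguish an exempt-but-expired role from the revoked-ID rows. Add a reason in the same style, e.g. `ur.row(notCompliantCW, UserRole.UR, "Expired user role, user exempt from expiration: expired " + Chrono.dateOnlyStamp(ur.expires()));`. Note also that the exempt role is only reported here, neither extended nor sent for approval; whether that is the intended outcome is not visible in this hunk. The enclosing method continues outside this hunk.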