* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
public enum FUTURE_OP {
C("Create"),U("Update"),D("Delete"),G("Grant"),UG("UnGrant"),A("Approval");
-
+
private String desc;
-
+
private FUTURE_OP(String desc) {
this.desc = desc;
}
-
+
public String desc() {
return desc;
}
-
+
/**
* Same as valueOf(), but passes back null instead of throwing Exception
* @param value
public enum OP_STATUS {
E("Executed"),D("Denied"),P("Pending"),L("Lapsed");
-
+
private String desc;
- public final static Result<OP_STATUS> RE = Result.ok(OP_STATUS.E);
- public final static Result<OP_STATUS> RD = Result.ok(OP_STATUS.D);
- public final static Result<OP_STATUS> RP = Result.ok(OP_STATUS.P);
- public final static Result<OP_STATUS> RL = Result.ok(OP_STATUS.L);
+ public static final Result<OP_STATUS> RE = Result.ok(OP_STATUS.E);
+ public static final Result<OP_STATUS> RD = Result.ok(OP_STATUS.D);
+ public static final Result<OP_STATUS> RP = Result.ok(OP_STATUS.P);
+ public static final Result<OP_STATUS> RL = Result.ok(OP_STATUS.L);
private OP_STATUS(String desc) {
this.desc = desc;
}
-
+
public String desc() {
return desc;
}
-
+
}
public static final String FOP_CRED = "cred";
/**
* createNS
- *
+ *
* Create Namespace
- *
+ *
* @param trans
* @param org
* @param ns
* @param user
* @return
* @throws DAOException
- *
+ *
* To create an NS, you need to: 1) validate permission to
* modify parent NS 2) Does NS exist already? 3) Create NS with
* a) "user" as owner. NOTE: Per 10-15 request for AAF 1.0 4)
Identity orgUser = org.getIdentity(trans, u);
String reason;
if (orgUser == null) {
- return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName());
+ return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName());
} else if ((reason=orgUser.mayOwn())!=null) {
if (org.isTestEnv()) {
String reason2;
}
}
parent = namespace.parent = rparent.value.name; // Correct Namespace from real data
+ String cname = parent.length()<1 || namespace.name.equals(parent)?null:namespace.name.substring(parent.length()+1);
// 2) Does requested NS exist
- if (q.nsDAO.read(trans, namespace.name).isOKhasData()) {
+ if (q.nsDAO().read(trans, namespace.name).isOKhasData()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
"Target Namespace already exists");
}
+ // 2.1) Does role exist with that name
+ if(cname!=null && q.roleDAO().read(trans, parent, cname).isOKhasData()) {
+ return Result.err(Status.ERR_ConflictAlreadyExists,
+ "Role exists with that name");
+ }
+
+ // 2.2) Do perms exist with that name
+ if(cname!=null && q.permDAO().readByType(trans, parent, cname).isOKhasData()) {
+ return Result.err(Status.ERR_ConflictAlreadyExists,
+ "Perms exist with that name");
+ }
+
// Someone must be responsible.
if (namespace.owner == null || namespace.owner.isEmpty()) {
return Result
}
// VALIDATIONS done... Add NS
- if ((rq = q.nsDAO.create(trans, namespace.data())).notOK()) {
+ rq = q.nsDAO().create(trans, namespace.data());
+ if (rq.notOK()) {
return Result.err(rq);
}
urdd.role(namespace.name, Question.ADMIN);
for (String admin : namespace.admin) {
urdd.user = admin;
- eb.log(q.userRoleDAO.create(trans, urdd));
+ eb.log(q.userRoleDAO().create(trans, urdd));
}
urdd.role(namespace.name,Question.OWNER);
for (String owner : namespace.owner) {
urdd.user = owner;
- eb.log(q.userRoleDAO.create(trans, urdd));
+ eb.log(q.userRoleDAO().create(trans, urdd));
}
addNSAdminRolesPerms(trans, eb, namespace.name);
int targetNameDot = targetName.length() + 1;
// 4) Change any roles with children matching this NS, and
- Result<List<RoleDAO.Data>> rrdc = q.roleDAO.readChildren(trans, targetNs, targetName);
+ Result<List<RoleDAO.Data>> rrdc = q.roleDAO().readChildren(trans, targetNs, targetName);
if (rrdc.isOKhasData()) {
for (RoleDAO.Data rdd : rrdc.value) {
// Remove old Role from Perms, save them off
if (rpdd.isOKhasData()) {
PermDAO.Data pdd = rpdd.value;
lpdd.add(pdd);
- q.permDAO.delRole(trans, pdd, rdd);
+ q.permDAO().delRole(trans, pdd, rdd);
} else{
trans.error().log(rpdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = rdd.ns;
String delP2 = rdd.name;
rdd.ns = namespace.name;
rdd.name = (delP2.length() > targetNameDot) ? delP2
.substring(targetNameDot) : "";
-
+
// Need to use non-cached, because switching namespaces, not
// "create" per se
- if ((rq = q.roleDAO.create(trans, rdd)).isOK()) {
+ if ((rq = q.roleDAO().create(trans, rdd)).isOK()) {
// Put Role back into Perm, with correct info
for (PermDAO.Data pdd : lpdd) {
- q.permDAO.addRole(trans, pdd, rdd);
+ q.permDAO().addRole(trans, pdd, rdd);
}
- // Change data for User Roles
- Result<List<UserRoleDAO.Data>> rurd = q.userRoleDAO.readByRole(trans, rdd.fullName());
+ // Change data for User Roles
+ Result<List<UserRoleDAO.Data>> rurd = q.userRoleDAO().readByRole(trans, rdd.fullName());
if (rurd.isOKhasData()) {
for (UserRoleDAO.Data urd : rurd.value) {
urd.ns = rdd.ns;
urd.rname = rdd.name;
- q.userRoleDAO.update(trans, urd);
+ q.userRoleDAO().update(trans, urd);
}
}
// Now delete old one
rdd.ns = delP1;
rdd.name = delP2;
- if ((rq = q.roleDAO.delete(trans, rdd, false)).notOK()) {
+ if ((rq = q.roleDAO().delete(trans, rdd, false)).notOK()) {
eb.log(rq);
}
} else {
}
// 4) Change any Permissions with children matching this NS, and
- Result<List<PermDAO.Data>> rpdc = q.permDAO.readChildren(trans,targetNs, targetName);
+ Result<List<PermDAO.Data>> rpdc = q.permDAO().readChildren(trans,targetNs, targetName);
if (rpdc.isOKhasData()) {
for (PermDAO.Data pdd : rpdc.value) {
// Remove old Perm from Roles, save them off
List<RoleDAO.Data> lrdd = new ArrayList<>();
-
+
for (String rl : pdd.roles(false)) {
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
if (rrdd.isOKhasData()) {
RoleDAO.Data rdd = rrdd.value;
lrdd.add(rdd);
- q.roleDAO.delPerm(trans, rdd, pdd);
+ q.roleDAO().delPerm(trans, rdd, pdd);
} else{
trans.error().log(rrdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = pdd.ns;
String delP2 = pdd.type;
pdd.ns = namespace.name;
pdd.type = (delP2.length() > targetNameDot) ? delP2
.substring(targetNameDot) : "";
- if ((rq = q.permDAO.create(trans, pdd)).isOK()) {
+ if ((rq = q.permDAO().create(trans, pdd)).isOK()) {
// Put Role back into Perm, with correct info
for (RoleDAO.Data rdd : lrdd) {
- q.roleDAO.addPerm(trans, rdd, pdd);
+ q.roleDAO().addPerm(trans, rdd, pdd);
}
pdd.ns = delP1;
pdd.type = delP2;
- if ((rq = q.permDAO.delete(trans, pdd, false)).notOK()) {
+ if ((rq = q.permDAO().delete(trans, pdd, false)).notOK()) {
eb.log(rq);
// Need to invalidate directly, because we're
// switching places in NS, not normal cache behavior
}
}
if (eb.hasErr()) {
- return Result.err(Status.ERR_ActionNotCompleted,eb.sb.toString(), eb.vars());
+ return Result.err(Status.ERR_ActionNotCompleted,eb.sb.toString(), (Object[])eb.vars());
}
}
return Result.ok();
rd.perms = new HashSet<>();
rd.perms.add(pd.encode());
- eb.log(q.roleDAO.create(trans, rd));
+ eb.log(q.roleDAO().create(trans, rd));
pd.roles = new HashSet<>();
pd.roles.add(rd.encode());
- eb.log(q.permDAO.create(trans, pd));
+ eb.log(q.permDAO().create(trans, pd));
}
private void addNSOwnerRolesPerms(AuthzTrans trans, ErrBuilder eb, String ns) {
rd.perms = new HashSet<>();
rd.perms.add(pd.encode());
- eb.log(q.roleDAO.create(trans, rd));
+ eb.log(q.roleDAO().create(trans, rd));
pd.roles = new HashSet<>();
pd.roles.add(rd.encode());
- eb.log(q.permDAO.create(trans, pd));
+ eb.log(q.permDAO().create(trans, pd));
}
/**
* deleteNS
- *
+ *
* Delete Namespace
- *
+ *
* @param trans
* @param org
* @param ns
* @param user
* @return
* @throws DAOException
- *
- *
+ *
+ *
* To delete an NS, you need to: 1) validate permission to
* modify this NS 2) Find all Roles with this NS, and 2a) if
* Force, delete them, else modify to Parent NS 3) Find all
boolean move = trans.requested(REQD_TYPE.move);
// 1) Validate
Result<List<NsDAO.Data>> nsl;
- if ((nsl = q.nsDAO.read(trans, ns)).notOKorIsEmpty()) {
+ if ((nsl = q.nsDAO().read(trans, ns)).notOKorIsEmpty()) {
return Result.err(Status.ERR_NsNotFound, "%s does not exist", ns);
}
NsDAO.Data nsd = nsl.value.get(0);
ErrBuilder er = new ErrBuilder();
// 2a) Deny if any IDs on Namespace
- Result<List<CredDAO.Data>> creds = q.credDAO.readNS(trans, ns);
+ Result<List<CredDAO.Data>> creds = q.credDAO().readNS(trans, ns);
if (creds.isOKhasData()) {
if (force || move) {
for (CredDAO.Data cd : creds.value) {
- er.log(q.credDAO.delete(trans, cd, false));
+ er.log(q.credDAO().delete(trans, cd, false));
// Since we're deleting all the creds, we should delete all
// the user Roles for that Cred
- Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO
+ Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO()
.readByUser(trans, cd.id);
if (rlurd.isOK()) {
for (UserRoleDAO.Data data : rlurd.value) {
- q.userRoleDAO.delete(trans, data, false);
+ q.userRoleDAO().delete(trans, data, false);
}
}
// 2b) Find (or delete if forced flag is set) dependencies
// First, find if NS Perms are the only ones
- Result<List<PermDAO.Data>> rpdc = q.permDAO.readNS(trans, ns);
+ Result<List<PermDAO.Data>> rpdc = q.permDAO().readNS(trans, ns);
if (rpdc.isOKhasData()) {
// Since there are now NS perms, we have to count NON-NS perms.
// FYI, if we delete them now, and the NS is not deleted, it is in
}
}
- Result<List<RoleDAO.Data>> rrdc = q.roleDAO.readNS(trans, ns);
+ Result<List<RoleDAO.Data>> rrdc = q.roleDAO().readNS(trans, ns);
if (rrdc.isOKhasData()) {
// Since there are now NS roles, we have to count NON-NS roles.
// FYI, if we delete th)em now, and the NS is not deleted, it is in
}
}
- return q.nsDAO.delete(trans, nsd, false);
+ return q.nsDAO().delete(trans, nsd, false);
}
public Result<List<String>> getOwners(AuthzTrans trans, String ns,
if (rq.notOK()) {
return Result.err(rq);
}
-
+
rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
if (rq.notOK()) {
- Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO.readUserInRole(trans, trans.user(),ns+".owner");
+ Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner");
if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
return Result.err(rq);
}
try {
if (org.getIdentity(trans, user) == null) {
return Result.err(Status.ERR_Denied,
- "%s reports that %s is a faulty ID", org.getName(),
+ "%s reports that %s is an invalid ID", org.getName(),
user);
}
return Result.ok();
// } else if (user.endsWith(ALTERNATE OAUTH DOMAIN)) {
// return Result.ok();
} else {
- Result<List<CredDAO.Data>> cdr = q.credDAO.readID(trans, user);
+ Result<List<CredDAO.Data>> cdr = q.credDAO().readID(trans, user);
if (cdr.notOKorIsEmpty()) {
return Result.err(Status.ERR_Security,
"%s is not a valid AAF Credential", user);
}
-
+
for (CredDAO.Data cd : cdr.value) {
if (cd.expires.after(now)) {
return Result.ok();
}
rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
- if (rq.notOK()) {
+ if (rq.notOK()) {
// Even though not a "writer", Owners still determine who gets to be an Admin
- Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO.readUserInRole(trans, trans.user(),ns+".owner");
+ Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner");
if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
return Result.err(rq);
}
/**
* Helper function that moves permissions from a namespace being deleted to
* its parent namespace
- *
+ *
* @param trans
* @param parent
* @param sb
}
// Remove old Perm from Roles, save them off
List<RoleDAO.Data> lrdd = new ArrayList<>();
-
+
for (String rl : pdd.roles(false)) {
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
if (rrdd.isOKhasData()) {
RoleDAO.Data rdd = rrdd.value;
lrdd.add(rdd);
- q.roleDAO.delPerm(trans, rdd, pdd);
+ q.roleDAO().delPerm(trans, rdd, pdd);
} else{
trans.error().log(rrdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = pdd.ns;
NsSplit nss = new NsSplit(parent, pdd.fullType());
pdd.ns = nss.ns;
pdd.type = nss.name;
// Use direct Create/Delete, because switching namespaces
- if ((pd = q.permDAO.create(trans, pdd)).isOK()) {
+ if ((pd = q.permDAO().create(trans, pdd)).isOK()) {
// Put Role back into Perm, with correct info
for (RoleDAO.Data rdd : lrdd) {
- q.roleDAO.addPerm(trans, rdd, pdd);
+ q.roleDAO().addPerm(trans, rdd, pdd);
}
pdd.ns = delP1;
pdd.type = delP2;
- if ((rv = q.permDAO.delete(trans, pdd, false)).notOK()) {
+ if ((rv = q.permDAO().delete(trans, pdd, false)).notOK()) {
sb.append(rv.details);
sb.append('\n');
// } else {
// Need to invalidate directly, because we're switching
// places in NS, not normal cache behavior
- // q.permDAO.invalidate(trans,pdd);
+ // q.permDAO().invalidate(trans,pdd);
}
} else {
sb.append(pd.details);
/**
* Helper function that moves roles from a namespace being deleted to its
* parent namespace
- *
+ *
* @param trans
* @param parent
* @param sb
if (rpdd.isOKhasData()) {
PermDAO.Data pdd = rpdd.value;
lpdd.add(pdd);
- q.permDAO.delRole(trans, pdd, rdd);
+ q.permDAO().delRole(trans, pdd, rdd);
} else{
trans.error().log(rpdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = rdd.ns;
rdd.ns = nss.ns;
rdd.name = nss.name;
// Use direct Create/Delete, because switching namespaces
- if ((rd = q.roleDAO.create(trans, rdd)).isOK()) {
+ if ((rd = q.roleDAO().create(trans, rdd)).isOK()) {
// Put Role back into Perm, with correct info
for (PermDAO.Data pdd : lpdd) {
- q.permDAO.addRole(trans, pdd, rdd);
+ q.permDAO().addRole(trans, pdd, rdd);
}
rdd.ns = delP1;
rdd.name = delP2;
- if ((rv = q.roleDAO.delete(trans, rdd, true)).notOK()) {
+ if ((rv = q.roleDAO().delete(trans, rdd, true)).notOK()) {
sb.append(rv.details);
sb.append('\n');
// } else {
// Need to invalidate directly, because we're switching
// places in NS, not normal cache behavior
- // q.roleDAO.invalidate(trans,rdd);
+ // q.roleDAO().invalidate(trans,rdd);
}
} else {
sb.append(rd.details);
/**
* Create Permission (and any missing Permission between this and Parent) if
* we have permission
- *
+ *
* Pass in the desired Management Permission for this Permission
- *
+ *
* If Force is set, then Roles listed will be created, if allowed,
* pre-granted.
*/
// Does Child exist?
if (!trans.requested(REQD_TYPE.force)) {
- if (q.permDAO.read(trans, perm).isOKhasData()) {
+ if (q.permDAO().read(trans, perm).isOKhasData()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
"Permission [%s.%s|%s|%s] already exists.", perm.ns,
perm.type, perm.instance, perm.action);
}
Result<List<RoleDAO.Data>> rlrd;
- if ((rlrd = q.roleDAO.read(trans, rd)).notOKorIsEmpty()) {
+ if ((rlrd = q.roleDAO().read(trans, rd)).notOKorIsEmpty()) {
rd.perms(true).add(pstring);
- if (q.roleDAO.create(trans, rd).notOK()) {
+ if (q.roleDAO().create(trans, rd).notOK()) {
roles.remove(role); // Role doesn't exist, and can't be
// created
}
} else {
rd = rlrd.value.get(0);
if (!rd.perms.contains(pstring)) {
- q.roleDAO.addPerm(trans, rd, perm);
+ q.roleDAO().addPerm(trans, rd, perm);
}
}
}
}
- Result<PermDAO.Data> pdr = q.permDAO.create(trans, perm);
+ Result<PermDAO.Data> pdr = q.permDAO().create(trans, perm);
if (pdr.isOK()) {
return Result.ok();
- } else {
+ } else {
return Result.err(pdr);
}
}
}
}
// Does Perm exist?
- Result<List<PermDAO.Data>> pdr = q.permDAO.read(trans, perm);
+ Result<List<PermDAO.Data>> pdr = q.permDAO().read(trans, perm);
if (pdr.notOKorIsEmpty()) {
return Result.err(Status.ERR_PermissionNotFound,"Permission [%s.%s|%s|%s] does not exist.",
perm.ns,perm.type, perm.instance, perm.action);
// Attached to any Roles?
if (fullperm.roles != null) {
- if (force) {
+ if (force || fullperm.roles.contains(user+":user")) {
for (String role : fullperm.roles) {
Result<Void> rv = null;
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, q, role);
if (rrdd.isOKhasData()) {
trans.debug().log("Removing", role, "from", fullperm, "on Perm Delete");
- if ((rv = q.roleDAO.delPerm(trans, rrdd.value, fullperm)).notOK()) {
+ if ((rv = q.roleDAO().delPerm(trans, rrdd.value, fullperm)).notOK()) {
if (rv.notOK()) {
trans.error().log("Error removing Role during delFromPermRole: ",
trans.getUserPrincipal(),
} else if (!fullperm.roles.isEmpty()) {
return Result
.err(Status.ERR_DependencyExists,
- "Permission [%s.%s|%s|%s] cannot be deleted as it is attached to 1 or more roles.",
- fullperm.ns, fullperm.type, fullperm.instance, fullperm.action);
+ "Permission [%s] cannot be deleted as it is attached to 1 or more roles.",
+ fullperm.fullPerm());
}
}
- return q.permDAO.delete(trans, fullperm, false);
+ return q.permDAO().delete(trans, fullperm, false);
}
public Result<Void> deleteRole(final AuthzTrans trans, final RoleDAO.Data role, boolean force, boolean fromApproval) {
}
// Are there any Users Attached to Role?
- Result<List<UserRoleDAO.Data>> urdr = q.userRoleDAO.readByRole(trans,role.fullName());
+ Result<List<UserRoleDAO.Data>> urdr = q.userRoleDAO().readByRole(trans,role.fullName());
if (force) {
if (urdr.isOKhasData()) {
for (UserRoleDAO.Data urd : urdr.value) {
- q.userRoleDAO.delete(trans, urd, false);
+ q.userRoleDAO().delete(trans, urd, false);
}
}
} else if (urdr.isOKhasData()) {
}
// Does Role exist?
- Result<List<RoleDAO.Data>> rdr = q.roleDAO.read(trans, role);
+ Result<List<RoleDAO.Data>> rdr = q.roleDAO().read(trans, role);
if (rdr.notOKorIsEmpty()) {
return Result.err(Status.ERR_RoleNotFound,
"Role [%s.%s] does not exist", role.ns, role.name);
if (rpd.isOK()) {
trans.debug().log("Removing", perm, "from", fullrole,"on Role Delete");
- Result<?> r = q.permDAO.delRole(trans, rpd.value, fullrole);
+ Result<?> r = q.permDAO().delRole(trans, rpd.value, fullrole);
if (r.notOK()) {
trans.error().log("ERR_FDR1 unable to remove",fullrole,"from",perm,':',r.status,'-',r.details);
}
}
}
}
- return q.roleDAO.delete(trans, fullrole, false);
+ return q.roleDAO().delete(trans, fullrole, false);
}
/**
* Only owner of Permission may add to Role
- *
+ *
* If force set, however, Role will be created before Grant, if User is
* allowed to create.
- *
+ *
* @param trans
* @param role
* @param pd
*/
public Result<Void> addPermToRole(AuthzTrans trans, RoleDAO.Data role,PermDAO.Data pd, boolean fromApproval) {
String user = trans.user();
-
+
if (!fromApproval) {
Result<NsDAO.Data> rRoleCo = q.deriveFirstNsForType(trans, role.ns, NsType.COMPANY);
if (rRoleCo.notOK()) {
return Result.err(r);
}
}
-
+
// Must be Perm Admin, or Granted Special Permission
Result<NsDAO.Data> ucp = q.mayUser(trans, user, pd, Access.write);
if (ucp.notOK()) {
// Don't allow CLI potential Grantees to change their own AAF
// Perms,
- if ((ROOT_NS.equals(pd.ns) && Question.NS.equals(pd.type))
+ if ((ROOT_NS.equals(pd.ns) && Question.NS.equals(pd.type))
|| !q.isGranted(trans, trans.user(),ROOT_NS,Question.PERM, rPermCo.value.name, "grant")) {
// Not otherwise granted
// TODO Needed?
}
// Final Check... Don't allow Grantees to add to Roles they are
// part of
- Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO
+ Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO()
.readByUser(trans, trans.user());
if (rlurd.isOK()) {
for (UserRoleDAO.Data ur : rlurd.value) {
}
}
- Result<List<PermDAO.Data>> rlpd = q.permDAO.read(trans, pd);
+ Result<List<PermDAO.Data>> rlpd = q.permDAO().read(trans, pd);
if (rlpd.notOKorIsEmpty()) {
return Result.err(Status.ERR_PermissionNotFound,
"Permission must exist to add to Role");
}
- Result<List<RoleDAO.Data>> rlrd = q.roleDAO.read(trans, role); // Already
+ Result<List<RoleDAO.Data>> rlrd = q.roleDAO().read(trans, role); // Already
// Checked
// for
// can
}
role.perms(true).add(pd.encode());
- Result<RoleDAO.Data> rdd = q.roleDAO.create(trans, role);
+ Result<RoleDAO.Data> rdd = q.roleDAO().create(trans, role);
if (rdd.isOK()) {
rv = Result.ok();
} else {
role.perms(true).add(pd.encode()); // this is added for Caching
// access purposes... doesn't
// affect addPerm
- rv = q.roleDAO.addPerm(trans, role, pd);
+ rv = q.roleDAO().addPerm(trans, role, pd);
}
if (rv.status == Status.OK) {
- return q.permDAO.addRole(trans, pd, role);
+ return q.permDAO().addRole(trans, pd, role);
// exploring how to add information message to successful http
// request
}
/**
* Either Owner of Role or Permission may delete from Role
- *
+ *
* @param trans
* @param role
* @param pd
}
}
- Result<List<RoleDAO.Data>> rlr = q.roleDAO.read(trans, role);
+ Result<List<RoleDAO.Data>> rlr = q.roleDAO().read(trans, role);
if (rlr.notOKorIsEmpty()) {
// If Bad Data, clean out
- Result<List<PermDAO.Data>> rlp = q.permDAO.read(trans, pd);
+ Result<List<PermDAO.Data>> rlp = q.permDAO().read(trans, pd);
if (rlp.isOKhasData()) {
for (PermDAO.Data pv : rlp.value) {
- q.permDAO.delRole(trans, pv, role);
+ q.permDAO().delRole(trans, pv, role);
}
}
return Result.err(rlr);
}
// Read Perm for full data
- Result<List<PermDAO.Data>> rlp = q.permDAO.read(trans, pd);
+ Result<List<PermDAO.Data>> rlp = q.permDAO().read(trans, pd);
Result<Void> rv = null;
if (rlp.isOKhasData()) {
for (PermDAO.Data pv : rlp.value) {
- if ((rv = q.permDAO.delRole(trans, pv, role)).isOK()) {
- if ((rv = q.roleDAO.delPerm(trans, role, pv)).notOK()) {
+ if ((rv = q.permDAO().delRole(trans, pv, role)).isOK()) {
+ if ((rv = q.roleDAO().delPerm(trans, role, pv)).notOK()) {
trans.error().log(
"Error removing Perm during delFromPermRole:",
trans.getUserPrincipal(), rv.errorString());
}
}
} else {
- rv = q.roleDAO.delPerm(trans, role, pd);
+ rv = q.roleDAO().delPerm(trans, role, pd);
if (rv.notOK()) {
trans.error().log("Error removing Role during delFromPermRole",
rv.errorString());
/**
* Add a User to Role
- *
+ *
* 1) Role must exist 2) User must be a known Credential (i.e. mechID ok if
* Credential) or known Organizational User
- *
+ *
* @param trans
* @param org
* @param urData
rv = checkValidID(trans, new Date(), urData.user);
}
if (rv.notOK()) {
- return rv;
+ return rv;
}
-
+
// Check if record exists
- if (q.userRoleDAO.read(trans, urData).isOKhasData()) {
+ if (q.userRoleDAO().read(trans, urData).isOKhasData()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
"User Role exists");
}
- if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
+ if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
return Result.err(Status.ERR_RoleNotFound,
"Role [%s.%s] does not exist", urData.ns, urData.rname);
}
urData.expires = trans.org().expiration(null, Expiration.UserInRole, urData.user).getTime();
-
-
- Result<UserRoleDAO.Data> udr = q.userRoleDAO.create(trans, urData);
+
+
+ Result<UserRoleDAO.Data> udr = q.userRoleDAO().create(trans, urData);
if (udr.status == OK) {
return Result.ok();
}
/**
* Extend User Role.
- *
+ *
* extend the Expiration data, according to Organization rules.
- *
+ *
* @param trans
* @param org
* @param urData
*/
public Result<Void> extendUserRole(AuthzTrans trans, UserRoleDAO.Data urData, boolean checkForExist) {
// Check if record still exists
- if (checkForExist && q.userRoleDAO.read(trans, urData).notOKorIsEmpty()) {
+ if (checkForExist && q.userRoleDAO().read(trans, urData).notOKorIsEmpty()) {
return Result.err(Status.ERR_UserRoleNotFound,
"User Role does not exist");
}
-
- if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
+
+ if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
return Result.err(Status.ERR_RoleNotFound,
"Role [%s.%s] does not exist", urData.ns,urData.rname);
}
// time
// starting
// today
- return q.userRoleDAO.update(trans, urData);
+ return q.userRoleDAO().update(trans, urData);
}
// ////////////////////////////////////////////////////
// Roles
// ////////////////////////////////////////////////////
public Result<List<String>> getUsersByRole(AuthzTrans trans, String role, boolean includeExpired) {
- Result<List<UserRoleDAO.Data>> rurdd = q.userRoleDAO.readByRole(trans,role);
+ Result<List<UserRoleDAO.Data>> rurdd = q.userRoleDAO().readByRole(trans,role);
if (rurdd.notOK()) {
return Result.err(rurdd);
}
UserRoleDAO.Data urdd = new UserRoleDAO.Data();
urdd.user = user;
urdd.role(ns,rname);
- Result<List<UserRoleDAO.Data>> r = q.userRoleDAO.read(trans, urdd);
+ Result<List<UserRoleDAO.Data>> r = q.userRoleDAO().read(trans, urdd);
if (r.status == 404 || r.isEmpty()) {
return Result.err(Status.ERR_UserRoleNotFound,
"UserRole [%s] [%s.%s]", user, ns, rname);
return Result.err(r);
}
- return q.userRoleDAO.delete(trans, urdd, false);
+ return q.userRoleDAO().delete(trans, urdd, false);
}
public Result<String> createFuture(AuthzTrans trans, FutureDAO.Data data, String id, String user,
List<Identity> approvers = op.equals(FUTURE_OP.A)?NO_ADDL_APPROVE:org.getApprovers(trans, user);
List<Identity> owners = new ArrayList<>();
if (nsd != null) {
- Result<List<UserRoleDAO.Data>> rrbr = q.userRoleDAO
+ Result<List<UserRoleDAO.Data>> rrbr = q.userRoleDAO()
.readByRole(trans, nsd.name + Question.DOT_OWNER);
if (rrbr.isOKhasData()) {
for (UserRoleDAO.Data urd : rrbr.value) {
}
}
}
-
+
if (owners.isEmpty()) {
return Result.err(Result.ERR_NotFound,"No Owners found for " + nsd.name);
}
-
+
// Create Future Object
-
- Result<FutureDAO.Data> fr = q.futureDAO.create(trans, data, id);
+
+ Result<FutureDAO.Data> fr = q.futureDAO().create(trans, data, id);
if (fr.isOK()) {
sb.append("Created Future: ");
sb.append(data.id);
} catch (Exception e) {
return Result.err(e);
}
-
+
return Result.ok(sb.toString());
}
public interface Lookup<T> {
T get(AuthzTrans trans, Object ... keys);
}
-
+
public Lookup<UserRoleDAO.Data> urDBLookup = new Lookup<UserRoleDAO.Data>() {
@Override
public UserRoleDAO.Data get(AuthzTrans trans, Object ... keys) {
- Result<List<UserRoleDAO.Data>> r = q.userRoleDAO.read(trans, keys);
+ Result<List<UserRoleDAO.Data>> r = q.userRoleDAO().read(trans, keys);
if (r.isOKhasData()) {
return r.value.get(0);
} else {
};
/**
- * Note: if "allApprovals for Ticket is null, it will be looked up.
+ * Note: if "allApprovals for Ticket is null, it will be looked up.
* if "fdd" is null, it will be looked up, but
- *
+ *
* They can be passed for performance reasons.
- *
+ *
* @param trans
* @param cd
* @param allApprovalsForTicket
// Get Current UserRole from lookup
UserRoleDAO.Data lurdd = lur.get(trans, urdd.user,urdd.role);
if (lurdd==null) {
- q.futureDAO.delete(trans, curr, false);
+ q.futureDAO().delete(trans, curr, false);
return OP_STATUS.RL;
} else {
if (curr.expires.compareTo(lurdd.expires)<0) {
- q.futureDAO.delete(trans, curr, false);
+ q.futureDAO().delete(trans, curr, false);
return OP_STATUS.RL;
}
}
return Result.err(Result.ERR_BadData,"Cannot reconstitute %1",curr.memo);
}
}
-
+
boolean aDenial = false;
int cntSuper=0, appSuper=0,cntOwner=0, appOwner=0;
for (ApprovalDAO.Data add : la.get(trans)) {
break;
}
}
-
+
Result<OP_STATUS> ros=null;
if (aDenial) {
ros = OP_STATUS.RD;
- if (q.futureDAO.delete(trans, curr, false).notOK()) {
+ if (q.futureDAO().delete(trans, curr, false).notOK()) {
trans.info().printf("Future %s could not be deleted", curr.id.toString());
} else {
if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) {
}
}
}
-
+
// Decision: If not Denied, and at least owner, if exists, and at least one Super, if exists
boolean goDecision = (cntOwner>0?appOwner>0:true) && (cntSuper>0?appSuper>0:true);
data.reconstitute(curr.construct);
switch(fop) {
case C:
- ros = set(OP_STATUS.RE,q.roleDAO.dao().create(trans, data));
+ ros = set(OP_STATUS.RE,q.roleDAO().dao().create(trans, data));
break;
case D:
ros = set(OP_STATUS.RE,deleteRole(trans, data, true, true));
data.reconstitute(curr.construct);
switch(fop) {
case C:
- ros = set(OP_STATUS.RE,q.delegateDAO.create(trans, data));
+ ros = set(OP_STATUS.RE,q.delegateDAO().create(trans, data));
break;
case U:
- ros = set(OP_STATUS.RE,q.delegateDAO.update(trans, data));
+ ros = set(OP_STATUS.RE,q.delegateDAO().update(trans, data));
break;
default:
}
CredDAO.Data data = new CredDAO.Data();
data.reconstitute(curr.construct);
if (fop == FUTURE_OP.C) {
- ros = set(OP_STATUS.RE, q.credDAO.dao().create(trans, data));
+ ros = set(OP_STATUS.RE, q.credDAO().dao().create(trans, data));
}
- }
+ }
} catch (Exception e) {
trans.error().log("Exception: ", e.getMessage(),
" \n occurred while performing", curr.memo,
" from Ticket ", curr.id.toString());
}
- q.futureDAO.delete(trans, curr, false);
+ q.futureDAO().delete(trans, curr, false);
} // end for goDecision
if (ros==null) {
//return Result.err(Status.ACC_Future, "Full Approvals not obtained: No action taken");
ros = OP_STATUS.RP;
}
-
+
return ros;
}
}
}
- private Result<ApprovalDAO.Data> addIdentity(AuthzTrans trans, StringBuilder sb,
+ private Result<ApprovalDAO.Data> addIdentity(AuthzTrans trans, StringBuilder sb,
Boolean[] first, String user, String memo, FUTURE_OP op, Identity u, UUID ticket, String type) throws OrganizationException {
ApprovalDAO.Data ad = new ApprovalDAO.Data();
// Note ad.id is set by ApprovalDAO Create
ad.type = type;
ad.operation = op.name();
// Note ad.updated is created in System
- Result<ApprovalDAO.Data> r = q.approvalDAO.create(trans,ad);
+ Result<ApprovalDAO.Data> r = q.approvalDAO().create(trans,ad);
if (r.isOK()) {
if (first[0]) {
first[0] = false;