Update project structure to org.onap.aaf
diff --git a/authz-batch/src/main/java/com/att/authz/reports/CheckNS.java b/authz-batch/src/main/java/com/att/authz/reports/CheckNS.java
new file mode 100644 (file)
index 0000000..b4572b4
--- /dev/null
@@ -0,0 +1,425 @@
+/*******************************************************************************
+ * Copyright (c) 2016 AT&T Intellectual Property. All rights reserved.
+ *******************************************************************************/
+package com.att.authz.reports;
+
+import java.io.IOException;
+import java.util.List;
+
+import com.att.authz.Batch;
+import com.att.authz.env.AuthzTrans;
+import com.att.authz.helpers.NS;
+import com.att.authz.helpers.NsAttrib;
+import com.att.authz.helpers.Perm;
+import com.att.authz.helpers.Role;
+import com.att.dao.aaf.cass.NsType;
+import org.onap.aaf.inno.env.APIException;
+import org.onap.aaf.inno.env.Env;
+import org.onap.aaf.inno.env.TimeTaken;
+
+public class CheckNS extends Batch{
+
+       public CheckNS(AuthzTrans trans) throws APIException, IOException {
+               super(trans.env());
+               TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE);
+               try {
+                       session = cluster.connect();
+               } finally {
+                       tt.done();
+               }
+        NS.load(trans, session,NS.v2_0_11);
+               Role.load(trans, session);
+               Perm.load(trans, session);
+               NsAttrib.load(trans, session, NsAttrib.v2_0_11);
+       }
+
+       @Override
+       protected void run(AuthzTrans trans) {
+               
+               String msg;
+               String query;
+        trans.info().log(STARS, msg = "Checking for NS type mis-match", STARS);
+               TimeTaken tt = trans.start(msg, Env.SUB);
+               try {
+                       for(NS ns : NS.data.values()) {
+                               if(ns.description==null) {
+                                       trans.warn().log("Namepace description is null. Changing to empty string.");
+                                       if(dryRun) {
+                                               trans.warn().log("Namepace description is null. Changing to empty string");
+                                       } else {
+                               query = "UPDATE authz.ns SET description='' WHERE name='" + ns.name +"';";
+                               session.execute(query);
+                                       }
+                               }
+                               int scope = count(ns.name,'.');
+                               NsType nt;
+                               switch(scope) {
+                                       case 0:
+                                               nt = NsType.DOT;
+                                               break;
+                                       case 1:
+                                               nt = NsType.ROOT;
+                                               break;
+                                       case 2:
+                                               nt = NsType.COMPANY;
+                                               break;
+                                       default:
+                                               nt = NsType.APP;
+                                               break;
+                               }
+                               if(ns.type!=nt.type || ns.scope !=scope) {
+                                       if(dryRun) {
+                                               trans.warn().log("Namepace",ns.name,"has no type.  Should change to ",nt.name());
+                                       } else {
+                               query = "UPDATE authz.ns SET type=" + nt.type + ", scope=" + scope + " WHERE name='" + ns.name +"';";
+                                               trans.warn().log("Namepace",ns.name,"changing to",nt.name()+":",query);
+                               session.execute(query);
+                                       }
+                               }
+                       }
+               } finally {
+                       tt.done();
+               }
+               
+
+        trans.info().log(STARS, msg = "Checking for NS admin/owner mis-match", STARS);
+               tt = trans.start(msg, Env.SUB);
+               try {
+               /// Evaluate 
+               for(NS nk : NS.data.values()) {
+                       //String name; 
+                       String roleAdmin = nk.name+"|admin";
+                       String roleAdminPrev = nk.name+".admin";
+                       String roleOwner = nk.name+"|owner";
+                       String roleOwnerPrev = nk.name+".owner";
+                       String permAll = nk.name+"|access|*|*";
+                       String permAllPrev = nk.name+".access|*|*";
+                       String permRead = nk.name+"|access|*|read";
+                       String permReadPrev = nk.name+".access|*|read";
+                       // Admins
+                       
+                       Role rk = Role.keys.get(roleAdmin); // accomodate new role key
+                       // Role Admin should exist 
+                       if(rk==null) {
+                               if(dryRun) {
+                                       trans.warn().log(nk.name + " is missing role: " + roleAdmin);
+                               } else {
+                               query = "INSERT INTO authz.role(ns, name, description, perms) VALUES ('"
+                                               + nk.name 
+                                               + "','admin','Automatic Administration',"
+                                               + "{'" + nk.name + "|access|*|*'});";
+                               session.execute(query);
+                               env.info().log(query);
+                               
+                               
+                               if(Role.keys.get(roleAdminPrev)!=null) {
+                                               query = "UPDATE authz.role set perms = perms + "
+                                                               + "{'" + roleAdminPrev + "'} "
+                                                               + "WHERE ns='"+ nk.name + "' AND "
+                                                               + "name='admin'"
+                                                               + ";";
+                                       session.execute(query);
+                                       env.info().log(query);
+                               }
+                               }
+                       } else {
+                       // Role Admin should be linked to Perm All 
+                               if(!rk.perms.contains(permAll)) {
+                                       if(dryRun) {
+                                               trans.warn().log(roleAdmin,"is not linked to",permAll);
+                                       } else {
+                                               query = "UPDATE authz.role set perms = perms + "
+                                                               + "{'" + nk.name + "|access|*|*'} "
+                                                               + "WHERE ns='"+ nk.name + "' AND "
+                                                               + "name='admin'"
+                                                               + ";";
+                                               session.execute(query);
+                                               env.info().log(query);
+                                               
+                                               if(rk.perms.contains(permAllPrev)) {
+                                                       query = "UPDATE authz.role set perms = perms - "
+                                                                       + "{'" + nk.name + ".access|*|*'} "
+                                                                       + "WHERE ns='"+ nk.name + "' AND "
+                                                                       + "name='admin'"
+                                                                       + ";";
+                                                       session.execute(query);
+                                                       env.info().log(query);
+                                               }
+                                       }
+                               }
+                       // Role Admin should not be linked to Perm Read 
+                               if(rk.perms.contains(permRead)) {
+                                       if(dryRun) {
+                                               trans.warn().log(roleAdmin,"should not be linked to",permRead);
+                                       } else {
+                                               query = "UPDATE authz.role set perms = perms - "
+                                                               + "{'" + nk.name + "|access|*|read'} "
+                                                               + "WHERE ns='"+ nk.name + "' AND "
+                                                               + "name='admin'"
+                                                               + ";";
+                                               session.execute(query);
+                                               env.info().log(query);
+                                       }
+                               }
+                       }
+                       
+                       Perm pk = Perm.keys.get(permAll);
+                       if(pk==null) {
+                               trans.warn().log(nk.name + " is missing perm: " + permAll);
+                               if(!dryRun) {
+                               query = "INSERT INTO authz.perm(ns, type,instance,action,description, roles) VALUES ('"
+                                               + nk.name 
+                                               + "','access','*','*','Namespace Write',"
+                                               + "{'" + nk.name + "|admin'});";
+                               session.execute(query);
+                               env.info().log(query);
+       
+                               }
+                       } else {
+                               // PermALL should be linked to Role Admin
+                               if(!pk.roles.contains(roleAdmin)) {
+                                       trans.warn().log(permAll,"is not linked to",roleAdmin);
+                                       if(!dryRun) {
+                                               query = "UPDATE authz.perm set roles = roles + "
+                                                               + "{'" + nk.name + "|admin'} WHERE "
+                                                               + "ns='"+ pk.ns + "' AND "
+                                                               + "type='access' AND instance='*' and action='*'"
+                                                               + ";";
+                                               session.execute(query);
+                                               env.info().log(query);
+                                               
+                                               if(pk.roles.contains(roleAdminPrev)) {
+                                                       query = "UPDATE authz.perm set roles = roles - "
+                                                                       + "{'" + nk.name + ".admin'} WHERE "
+                                                                       + "ns='"+ pk.ns + "' AND "
+                                                                       + "type='access' AND instance='*' and action='*'"
+                                                                       + ";";
+                                                       session.execute(query);
+                                                       env.info().log(query);
+
+                                               }
+                                       }
+                               }
+                               
+                               // PermALL should be not linked to Role Owner
+                               if(pk.roles.contains(roleOwner)) {
+                                       trans.warn().log(permAll,"should not be linked to",roleOwner);
+                                       if(!dryRun) {
+                                               query = "UPDATE authz.perm set roles = roles - "
+                                                               + "{'" + nk.name + "|owner'} WHERE "
+                                                               + "ns='"+ pk.ns + "' AND "
+                                                               + "type='access' AND instance='*' and action='*'"
+                                                               + ";";
+                                               session.execute(query);
+                                               env.info().log(query);
+                                       }
+                               }
+       
+                       }
+       
+                       
+                       
+                       // Owner
+                       rk = Role.keys.get(roleOwner);
+                       if(rk==null) {
+                               trans.warn().log(nk.name + " is missing role: " + roleOwner);
+                               if(!dryRun) {
+                               query = "INSERT INTO authz.role(ns, name, description, perms) VALUES('"
+                                               + nk.name 
+                                               + "','owner','Automatic Owners',"
+                                               + "{'" + nk.name + "|access|*|read'});";
+                               session.execute(query);
+                               env.info().log(query);
+       
+                               }
+                       } else { 
+                               // Role Owner should be linked to permRead
+                               if(!rk.perms.contains(permRead)) {
+                                       trans.warn().log(roleOwner,"is not linked to",permRead);
+                                       if(!dryRun) {
+                                               query = "UPDATE authz.role set perms = perms + "
+                                                               + "{'" + nk.name + "|access|*|read'} "
+                                                               + "WHERE ns='"+ nk.name + "' AND "
+                                                               + "name='owner'"
+                                                               + ";";
+                                               session.execute(query);
+                                               env.info().log(query);
+                                               
+                                               if(rk.perms.contains(permReadPrev)) {
+                                                       query = "UPDATE authz.role set perms = perms - "
+                                                                       + "{'" + nk.name + ".access|*|read'} "
+                                                                       + "WHERE ns='"+ nk.name + "' AND "
+                                                                       + "name='owner'"
+                                                                       + ";";
+                                                       session.execute(query);
+                                                       env.info().log(query);
+
+                                               }
+                                       }
+                               }
+                       // Role Owner should not be linked to PermAll 
+                               if(rk.perms.contains(permAll)) {
+                                       trans.warn().log(roleAdmin,"should not be linked to",permAll);
+                                       if(!dryRun) {
+                                               query = "UPDATE authz.role set perms = perms - "
+                                                               + "{'" + nk.name + "|access|*|*'} "
+                                                               + "WHERE ns='"+ nk.name + "' AND "
+                                                               + "name='admin'"
+                                                               + ";";
+                                               session.execute(query);
+                                               env.info().log(query);
+                                       }
+                               }
+       
+                       }
+       
+                       pk = Perm.keys.get(permRead);
+                       if(pk==null) {
+                               trans.warn().log(nk.name + " is missing perm: " + permRead);
+                               if(!dryRun) {
+                               query = "INSERT INTO authz.perm(ns, type,instance,action,description, roles) VALUES ('"
+                                               + nk.name 
+                                               + "','access','*','read','Namespace Read',"
+                                               + "{'" + nk.name + "|owner'});";
+                               session.execute(query);
+                               env.info().log(query);
+                               }
+                       } else {
+                               // PermRead should be linked to roleOwner
+                               if(!pk.roles.contains(roleOwner)) {
+                                       trans.warn().log(permRead, "is not linked to", roleOwner);
+                                       if(!dryRun) {
+                                               query = "UPDATE authz.perm set roles = roles + "
+                                                               + "{'" + nk.name + "|owner'} WHERE "
+                                                               + "ns='"+ pk.ns + "' AND "
+                                                               + "type='access' AND instance='*' and action='read'"
+                                                               + ";";
+                                               session.execute(query);
+                                               env.info().log(query);
+                                               
+                                               if(pk.roles.contains(roleOwnerPrev)) {
+                                                       query = "UPDATE authz.perm set roles = roles - "
+                                                                       + "{'" + nk.name + ".owner'} WHERE "
+                                                                       + "ns='"+ pk.ns + "' AND "
+                                                                       + "type='access' AND instance='*' and action='read'"
+                                                                       + ";";
+                                                       session.execute(query);
+                                                       env.info().log(query);
+
+                                               }
+                                       }
+                               }
+                               // PermRead should be not linked to RoleAdmin
+                               if(pk.roles.contains(roleAdmin)) {
+                                       if(dryRun) {
+                                               trans.warn().log(permRead,"should not be linked to",roleAdmin);
+                                       } else {
+                                               query = "UPDATE authz.perm set roles = roles - "
+                                                               + "{'" + nk.name + "|admin'} WHERE "
+                                                               + "ns='"+ pk.ns + "' AND "
+                                                               + "type='access' AND instance='*' and action='read'"
+                                                               + ";";
+                                               session.execute(query);
+                                               env.info().log(query);
+                                       }
+                               }
+                       }
+       
+       
+                       int dot = nk.name.lastIndexOf('.');
+                       String parent;
+                       if(dot<0) {
+                               parent = ".";
+                       } else {
+                               parent = nk.name.substring(0, dot);
+                       }
+                       
+                       if(!parent.equals(nk.parent)) {
+                               if(dryRun) {
+                                       trans.warn().log(nk.name + " is missing namespace data");
+                               } else {
+                                       query = "UPDATE authz.ns SET parent='"+parent+"'" +
+                                                       " WHERE name='" + nk.name + "';";
+                                       session.execute(query);
+                                       env.info().log(query);
+                               }
+                       }
+               
+               // During Migration:
+               List<NsAttrib> swm = NsAttrib.byNS.get(nk.name);
+               boolean hasSwmV1 = false;
+               if(swm!=null) {for(NsAttrib na : swm) {
+                       if("swm".equals(na.key) && "v1".equals(na.value)) {
+                               hasSwmV1=true;
+                               break;
+                       }
+               }}
+               String roleMem = nk.name+"|member";
+               Role rm = Role.keys.get(roleMem); // Accommodate new role key
+               if(rm==null && hasSwmV1) {
+                       query = "INSERT INTO authz.role(ns, name, description, perms) VALUES ('"
+                                       + nk.name 
+                                       + "','member','Member',"
+                                       + "{'" + nk.name + "|access|*|read'});";
+                       session.execute(query);
+                            query = "UPDATE authz.role set perms = perms + "
+                                               + "{'" + nk.name + "|access|*|read'} "
+                                               + "WHERE ns='"+ nk.name + "' AND "
+                                               + "name='member'"
+                                               + ";";
+                       session.execute(query);
+                       env.info().log(query);
+               }
+               if(rm!=null)  {
+                       if(!rm.perms.contains(permRead)) {
+                               if(isDryRun()) {
+                                    env.info().log(nk.name+"|member needs " + nk.name + "|access|*|read");
+                               } else {
+                                       query = "UPDATE authz.perm set roles = roles + "
+                                                       + "{'" + nk.name + "|member'} WHERE "
+                                                       + "ns='"+ pk.ns + "' AND "
+                                                       + "type='access' AND instance='*' and action='read'"
+                                                       + ";";
+                                       session.execute(query);
+                                       env.info().log(query);
+                                       query = "UPDATE authz.role set perms = perms + "
+                                                       + "{'" + nk.name + "|access|*|read'"
+                                                       + (hasSwmV1?",'"+nk.name+"|swm.star|*|*'":"")
+                                                               + "} "
+                                                       + "WHERE ns='"+ nk.name + "' AND "
+                                                       + "name='member'"
+                                                       + ";";
+                                       session.execute(query);
+                                       env.info().log(query);
+                                       if(hasSwmV1) {
+                                               query = "UPDATE authz.perm set roles = roles + "
+                                                               + "{'" + nk.name + "|member'} WHERE "
+                                                               + "ns='"+ pk.ns + "' AND "
+                                                               + "type='swm.star' AND instance='*' and action='*'"
+                                                               + ";";
+                                               session.execute(query);
+                                               env.info().log(query);
+                                       }
+                               }
+                       }
+               }
+               
+
+               
+               // Best Guess Owner
+               
+//             owner = Role.keys.get(ns.)
+               }
+               } finally {
+                       tt.done();
+               }
+       
+       }
+
+
+       @Override
+       protected void _close(AuthzTrans trans) {
+        session.close();
+        aspr.info("End " + this.getClass().getSimpleName() + " processing" );
+       }
+}
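Review bot: The block under `// Role Owner should not be linked to PermAll` still targets the admin role: the warning names `roleAdmin` and the update's WHERE clause reads `name='admin'`, even though `rk` was reassigned to the owner role a few lines earlier, so the stray perm is never removed from owner and is instead stripped from admin; change those two lines to `trans.warn().log(roleOwner,"should not be linked to",permAll);` and `+ "name='owner'"`. In the member-migration section near the end of run(), `pk` is still the result of `Perm.keys.get(permRead)` and is null whenever the read perm had to be inserted, so `pk.ns` in the two `UPDATE authz.perm` statements there throws a NullPointerException on the next run; `nk.name` (the namespace the perm was just inserted under) avoids the dereference. The `INSERT INTO authz.role ... 'member'` in that same section runs with no dryRun guard, unlike every other write in the method, and the check just below it uses `isDryRun()` where the rest of run() reads `dryRun` — worth aligning so a dry run is actually side-effect free. All of these statements are built by concatenating namespace names into CQL; the names come from the authz.ns table rather than from an operator, which limits the exposure, but a prepared statement with bound values would remove the quoting problem (a name containing `'` breaks the statement) and is the usual idiom for this driver.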