--- /dev/null
+/*******************************************************************************
+ * Copyright (c) 2016 AT&T Intellectual Property. All rights reserved.
+ *******************************************************************************/
+package com.att.authz.reports;
+
+import java.io.IOException;
+import java.util.Set;
+
+import com.att.authz.Batch;
+import com.att.authz.env.AuthzTrans;
+import com.att.authz.helpers.NS;
+import com.att.authz.helpers.Perm;
+import com.att.authz.helpers.Role;
+import com.att.inno.env.APIException;
+import com.att.inno.env.Env;
+import com.att.inno.env.TimeTaken;
+import com.att.inno.env.util.Split;
+
+public class CheckRolePerm extends Batch{
+
+ public CheckRolePerm(AuthzTrans trans) throws APIException, IOException {
+ super(trans.env());
+ TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE);
+ try {
+ session = cluster.connect();
+ } finally {
+ tt.done();
+ }
+ NS.load(trans,session,NS.v2_0_11);
+ Role.load(trans, session);
+ Perm.load(trans, session);
+ }
+
+ @Override
+ protected void run(AuthzTrans trans) {
+ // Run for Roles
+ trans.info().log("Checking for Role/Perm mis-match");
+
+ String query;
+ /// Evaluate from Role side
+ for(Role roleKey : Role.data.keySet()) {
+ for(String perm : Role.data.get(roleKey)) {
+ Perm pk = Perm.keys.get(perm);
+ if(pk==null) {
+ NS ns=null;
+ String msg = perm + " in role " + roleKey.fullName() + " does not exist";
+ String newPerm;
+ String[] s = Split.split('|', perm);
+ if(s.length==3) {
+ int i;
+ String find = s[0];
+ for(i=find.lastIndexOf('.');ns==null && i>=0;i=find.lastIndexOf('.', i-1)) {
+ ns = NS.data.get(find.substring(0,i));
+ }
+ if(ns==null) {
+ newPerm = perm;
+ } else {
+ newPerm = ns.name + '|' + s[0].substring(i+1) + '|' + s[1] + '|' + s[2];
+ }
+ } else {
+ newPerm = perm;
+ }
+ if(dryRun) {
+ if(ns==null) {
+ trans.warn().log(msg, "- would remove role from perm;");
+ } else {
+ trans.warn().log(msg, "- would update role in perm;");
+ }
+ } else {
+ if(ns!=null) {
+ query = "UPDATE authz.role SET perms = perms + {'" +
+ newPerm + "'}"
+ + (roleKey.description==null?", description='clean'":"")
+ + " WHERE "
+ + "ns='" + roleKey.ns
+ + "' AND name='" + roleKey.name + "';";
+ trans.warn().log("Fixing role in perm",query);
+ session.execute(query);
+ }
+
+ query = "UPDATE authz.role SET perms = perms - {'"
+ + perm.replace("'", "''") + "'}"
+ + (roleKey.description==null?", description='clean'":"")
+ + " WHERE "
+ + "ns='" + roleKey.ns
+ + "' AND name='" + roleKey.name + "';";
+ session.execute(query);
+ trans.warn().log(msg, "- removing role from perm");
+// env.info().log( "query: " + query );
+ }
+ } else {
+ Set<String> p_roles = Perm.data.get(pk);
+ if(p_roles!=null && !p_roles.contains(roleKey.encode())) {
+ String msg = perm + " does not have role: " + roleKey;
+ if(dryRun) {
+ trans.warn().log(msg,"- should add this role to this perm;");
+ } else {
+ query = "update authz.perm set roles = roles + {'"
+ + roleKey.encode() + "'}"
+ + (pk.description==null?", description=''":"")
+ + " WHERE "
+ + "ns='" + pk.ns
+ + "' AND type='" + pk.type
+ + "' AND instance='" + pk.instance
+ + "' AND action='" + pk.action
+ + "';";
+ session.execute(query);
+ trans.warn().log(msg,"- adding perm to role");
+ }
+
+ }
+ }
+ }
+ }
+
+ for(Perm permKey : Perm.data.keySet()) {
+ for(String role : Perm.data.get(permKey)) {
+ Role rk = Role.keys.get(role);
+ if(rk==null) {
+ String s = role + " in perm " + permKey.encode() + " does not exist";
+ if(dryRun) {
+ trans.warn().log(s,"- would remove perm from role;");
+ } else {
+ query = "update authz.perm set roles = roles - {'"
+ + role.replace("'","''") + "'}"
+ + (permKey.description==null?", description='clean'":"")
+ + " WHERE "
+ + "ns='" + permKey.ns
+ + "' AND type='" + permKey.type
+ + "' AND instance='" + permKey.instance
+ + "' AND action='" + permKey.action + "';";
+ session.execute(query);
+ trans.warn().log(s,"- removing role from perm");
+ }
+ } else {
+ Set<String> r_perms = Role.data.get(rk);
+ if(r_perms!=null && !r_perms.contains(permKey.encode())) {
+ String s ="Role '" + role + "' does not have perm: '" + permKey + '\'';
+ if(dryRun) {
+ trans.warn().log(s,"- should add this perm to this role;");
+ } else {
+ query = "update authz.role set perms = perms + {'"
+ + permKey.encode() + "'}"
+ + (rk.description==null?", description=''":"")
+ + " WHERE "
+ + "ns='" + rk.ns
+ + "' AND name='" + rk.name + "';";
+ session.execute(query);
+ trans.warn().log(s,"- adding role to perm");
+ }
+ }
+ }
+ }
+ }
+
+ }
+
+
+ @Override
+ protected void _close(AuthzTrans trans) {
+ session.close();
+ aspr.info("End " + this.getClass().getSimpleName() + " processing" );
+ }
+}
Code Review / aaf / authz.git / blobdiff