--- /dev/null
+/*******************************************************************************\r
+ * ============LICENSE_START====================================================\r
+ * * org.onap.aai\r
+ * * ===========================================================================\r
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
+ * * Copyright © 2017 Amdocs\r
+ * * ===========================================================================\r
+ * * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * * you may not use this file except in compliance with the License.\r
+ * * You may obtain a copy of the License at\r
+ * * \r
+ * * http://www.apache.org/licenses/LICENSE-2.0\r
+ * * \r
+ * * Unless required by applicable law or agreed to in writing, software\r
+ * * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * * See the License for the specific language governing permissions and\r
+ * * limitations under the License.\r
+ * * ============LICENSE_END====================================================\r
+ * *\r
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
+ * *\r
+ ******************************************************************************/\r
+package com.att.dao.aaf.cass;\r
+\r
+import java.io.ByteArrayOutputStream;\r
+import java.io.DataInputStream;\r
+import java.io.DataOutputStream;\r
+import java.io.IOException;\r
+import java.nio.ByteBuffer;\r
+import java.util.HashSet;\r
+import java.util.List;\r
+import java.util.Set;\r
+\r
+import com.att.authz.env.AuthzTrans;\r
+import com.att.authz.layer.Result;\r
+import com.att.dao.Bytification;\r
+import com.att.dao.Cached;\r
+import com.att.dao.CassAccess;\r
+import com.att.dao.CassDAOImpl;\r
+import com.att.dao.DAOException;\r
+import com.att.dao.Loader;\r
+import com.att.dao.Streamer;\r
+import com.att.dao.aaf.hl.Question;\r
+import com.att.inno.env.APIException;\r
+import com.att.inno.env.util.Split;\r
+import com.datastax.driver.core.Cluster;\r
+import com.datastax.driver.core.Row;\r
+import com.datastax.driver.core.exceptions.DriverException;\r
+\r
+public class PermDAO extends CassDAOImpl<AuthzTrans,PermDAO.Data> {\r
+\r
+ public static final String TABLE = "perm";\r
+\r
+ public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F\r
+ private static final String STAR = "*";\r
+ \r
+ private final HistoryDAO historyDAO;\r
+ private final CacheInfoDAO infoDAO;\r
+ \r
+ private PSInfo psNS, psChildren, psByType;\r
+\r
+ public PermDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {\r
+ super(trans, PermDAO.class.getSimpleName(),cluster,keyspace,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));\r
+ init(trans);\r
+ historyDAO = new HistoryDAO(trans, this);\r
+ infoDAO = new CacheInfoDAO(trans,this);\r
+ }\r
+\r
+ public PermDAO(AuthzTrans trans, HistoryDAO hDAO, CacheInfoDAO ciDAO) {\r
+ super(trans, PermDAO.class.getSimpleName(),hDAO,Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));\r
+ historyDAO = hDAO;\r
+ infoDAO=ciDAO;\r
+ init(trans);\r
+ }\r
+\r
+\r
+ private static final int KEYLIMIT = 4;\r
+ public static class Data extends CacheableData implements Bytification {\r
+ public String ns;\r
+ public String type;\r
+ public String instance;\r
+ public String action;\r
+ public Set<String> roles; \r
+ public String description;\r
+\r
+ public Data() {}\r
+ \r
+ public Data(NsSplit nss, String instance, String action) {\r
+ ns = nss.ns;\r
+ type = nss.name;\r
+ this.instance = instance;\r
+ this.action = action;\r
+ }\r
+\r
+ public String fullType() {\r
+ return ns + '.' + type;\r
+ }\r
+ \r
+ public String fullPerm() {\r
+ return ns + '.' + type + '|' + instance + '|' + action;\r
+ }\r
+\r
+ public String encode() {\r
+ return ns + '|' + type + '|' + instance + '|' + action;\r
+ }\r
+ \r
+ /**\r
+ * Decode Perm String, including breaking into appropriate Namespace\r
+ * \r
+ * @param trans\r
+ * @param q\r
+ * @param p\r
+ * @return\r
+ */\r
+ public static Result<Data> decode(AuthzTrans trans, Question q, String p) {\r
+ String[] ss = Split.splitTrim('|', p,4);\r
+ if(ss[2]==null) {\r
+ return Result.err(Status.ERR_BadData,"Perm Encodings must be separated by '|'");\r
+ }\r
+ Data data = new Data();\r
+ if(ss[3]==null) { // older 3 part encoding must be evaluated for NS\r
+ Result<NsSplit> nss = q.deriveNsSplit(trans, ss[0]);\r
+ if(nss.notOK()) {\r
+ return Result.err(nss);\r
+ }\r
+ data.ns=nss.value.ns;\r
+ data.type=nss.value.name;\r
+ data.instance=ss[1];\r
+ data.action=ss[2];\r
+ } else { // new 4 part encoding\r
+ data.ns=ss[0];\r
+ data.type=ss[1];\r
+ data.instance=ss[2];\r
+ data.action=ss[3];\r
+ }\r
+ return Result.ok(data);\r
+ }\r
+\r
+ /**\r
+ * Decode Perm String, including breaking into appropriate Namespace\r
+ * \r
+ * @param trans\r
+ * @param q\r
+ * @param p\r
+ * @return\r
+ */\r
+ public static Result<String[]> decodeToArray(AuthzTrans trans, Question q, String p) {\r
+ String[] ss = Split.splitTrim('|', p,4);\r
+ if(ss[2]==null) {\r
+ return Result.err(Status.ERR_BadData,"Perm Encodings must be separated by '|'");\r
+ }\r
+ \r
+ if(ss[3]==null) { // older 3 part encoding must be evaluated for NS\r
+ ss[3] = ss[2];\r
+ ss[2] = ss[1];\r
+ Result<NsSplit> nss = q.deriveNsSplit(trans, ss[0]);\r
+ if(nss.notOK()) {\r
+ return Result.err(nss);\r
+ }\r
+ ss[1] = nss.value.name;\r
+ ss[0] = nss.value.ns;\r
+ }\r
+ return Result.ok(ss);\r
+ }\r
+\r
+ public static Data create(NsDAO.Data ns, String name) {\r
+ NsSplit nss = new NsSplit(ns,name);\r
+ Data rv = new Data();\r
+ rv.ns = nss.ns;\r
+ String[] s = nss.name.split("\\|");\r
+ switch(s.length) {\r
+ case 3:\r
+ rv.type=s[0];\r
+ rv.instance=s[1];\r
+ rv.action=s[2];\r
+ break;\r
+ case 2:\r
+ rv.type=s[0];\r
+ rv.instance=s[1];\r
+ rv.action=STAR;\r
+ break;\r
+ default:\r
+ rv.type=s[0];\r
+ rv.instance = STAR;\r
+ rv.action = STAR;\r
+ }\r
+ return rv;\r
+ }\r
+ \r
+ public static Data create(AuthzTrans trans, Question q, String name) {\r
+ String[] s = name.split("\\|");\r
+ Result<NsSplit> rdns = q.deriveNsSplit(trans, s[0]);\r
+ Data rv = new PermDAO.Data();\r
+ if(rdns.isOKhasData()) {\r
+ switch(s.length) {\r
+ case 3:\r
+ rv.type=s[1];\r
+ rv.instance=s[2];\r
+ rv.action=s[3];\r
+ break;\r
+ case 2:\r
+ rv.type=s[1];\r
+ rv.instance=s[2];\r
+ rv.action=STAR;\r
+ break;\r
+ default:\r
+ rv.type=s[1];\r
+ rv.instance = STAR;\r
+ rv.action = STAR;\r
+ }\r
+ }\r
+ return rv;\r
+ }\r
+ \r
+ ////////////////////////////////////////\r
+ // Getters\r
+ public Set<String> roles(boolean mutable) {\r
+ if (roles == null) {\r
+ roles = new HashSet<String>();\r
+ } else if (mutable && !(roles instanceof HashSet)) {\r
+ roles = new HashSet<String>(roles);\r
+ }\r
+ return roles;\r
+ }\r
+\r
+ @Override\r
+ public int[] invalidate(Cached<?,?> cache) {\r
+ return new int[] {\r
+ seg(cache,ns),\r
+ seg(cache,ns,type),\r
+ seg(cache,ns,type,STAR),\r
+ seg(cache,ns,type,instance,action)\r
+ };\r
+ }\r
+\r
+ @Override\r
+ public ByteBuffer bytify() throws IOException {\r
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();\r
+ PermLoader.deflt.marshal(this, new DataOutputStream(baos));\r
+ return ByteBuffer.wrap(baos.toByteArray());\r
+ }\r
+ \r
+ @Override\r
+ public void reconstitute(ByteBuffer bb) throws IOException {\r
+ PermLoader.deflt.unmarshal(this, toDIS(bb));\r
+ }\r
+\r
+ @Override\r
+ public String toString() {\r
+ return encode();\r
+ }\r
+ }\r
+ \r
+ private static class PermLoader extends Loader<Data> implements Streamer<Data> {\r
+ public static final int MAGIC=283939453;\r
+ public static final int VERSION=1;\r
+ public static final int BUFF_SIZE=96;\r
+\r
+ public static final PermLoader deflt = new PermLoader(KEYLIMIT);\r
+ \r
+ public PermLoader(int keylimit) {\r
+ super(keylimit);\r
+ }\r
+ \r
+ @Override\r
+ public Data load(Data data, Row row) {\r
+ // Int more efficient Match "fields" string\r
+ data.ns = row.getString(0);\r
+ data.type = row.getString(1);\r
+ data.instance = row.getString(2);\r
+ data.action = row.getString(3);\r
+ data.roles = row.getSet(4,String.class);\r
+ data.description = row.getString(5);\r
+ return data;\r
+ }\r
+\r
+ @Override\r
+ protected void key(Data data, int _idx, Object[] obj) {\r
+ int idx = _idx;\r
+ obj[idx]=data.ns;\r
+ obj[++idx]=data.type;\r
+ obj[++idx]=data.instance;\r
+ obj[++idx]=data.action;\r
+ }\r
+\r
+ @Override\r
+ protected void body(Data data, int _idx, Object[] obj) {\r
+ int idx = _idx;\r
+ obj[idx]=data.roles;\r
+ obj[++idx]=data.description;\r
+ }\r
+\r
+ @Override\r
+ public void marshal(Data data, DataOutputStream os) throws IOException {\r
+ writeHeader(os,MAGIC,VERSION);\r
+ writeString(os, data.ns);\r
+ writeString(os, data.type);\r
+ writeString(os, data.instance);\r
+ writeString(os, data.action);\r
+ writeStringSet(os, data.roles);\r
+ writeString(os, data.description);\r
+ }\r
+\r
+ @Override\r
+ public void unmarshal(Data data, DataInputStream is) throws IOException {\r
+ /*int version = */readHeader(is,MAGIC,VERSION);\r
+ // If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields\r
+ byte[] buff = new byte[BUFF_SIZE];\r
+ data.ns = readString(is, buff);\r
+ data.type = readString(is,buff);\r
+ data.instance = readString(is,buff);\r
+ data.action = readString(is,buff);\r
+ data.roles = readStringSet(is,buff);\r
+ data.description = readString(is,buff);\r
+ }\r
+ }\r
+ \r
+ private void init(AuthzTrans trans) {\r
+ // the 3 is the number of key fields\r
+ String[] helpers = setCRUD(trans, TABLE, Data.class, PermLoader.deflt);\r
+ \r
+ // Other SELECT style statements... match with a local Method\r
+ psByType = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE + \r
+ " WHERE ns = ? AND type = ?", new PermLoader(2) {\r
+ @Override\r
+ protected void key(Data data, int idx, Object[] obj) {\r
+ obj[idx]=data.type;\r
+ }\r
+ },readConsistency);\r
+ \r
+ psNS = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +\r
+ " WHERE ns = ?", new PermLoader(1),readConsistency);\r
+ \r
+ psChildren = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE + \r
+ " WHERE ns=? AND type > ? AND type < ?", \r
+ new PermLoader(3) {\r
+ @Override\r
+ protected void key(Data data, int _idx, Object[] obj) {\r
+ int idx = _idx;\r
+ obj[idx] = data.ns;\r
+ obj[++idx]=data.type + DOT;\r
+ obj[++idx]=data.type + DOT_PLUS_ONE;\r
+ }\r
+ },readConsistency);\r
+\r
+ }\r
+\r
+\r
+ /**\r
+ * Add a single Permission to the Role's Permission Collection\r
+ * \r
+ * @param trans\r
+ * @param roleFullName\r
+ * @param perm\r
+ * @param type\r
+ * @param action\r
+ * @return\r
+ */\r
+ public Result<Void> addRole(AuthzTrans trans, PermDAO.Data perm, String roleFullName) {\r
+ // Note: Prepared Statements for Collection updates aren't supported\r
+ //ResultSet rv =\r
+ try {\r
+ getSession(trans).execute(UPDATE_SP + TABLE + " SET roles = roles + {'" + roleFullName + "'} " +\r
+ "WHERE " +\r
+ "ns = '" + perm.ns + "' AND " +\r
+ "type = '" + perm.type + "' AND " +\r
+ "instance = '" + perm.instance + "' AND " +\r
+ "action = '" + perm.action + "';"\r
+ );\r
+ } catch (DriverException | APIException | IOException e) {\r
+ reportPerhapsReset(trans,e);\r
+ return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);\r
+ }\r
+\r
+ wasModified(trans, CRUD.update, perm, "Added role " + roleFullName + " to perm " +\r
+ perm.ns + '.' + perm.type + '|' + perm.instance + '|' + perm.action);\r
+ return Result.ok();\r
+ }\r
+\r
+ /**\r
+ * Remove a single Permission from the Role's Permission Collection\r
+ * @param trans\r
+ * @param roleFullName\r
+ * @param perm\r
+ * @param type\r
+ * @param action\r
+ * @return\r
+ */\r
+ public Result<Void> delRole(AuthzTrans trans, PermDAO.Data perm, String roleFullName) {\r
+ // Note: Prepared Statements for Collection updates aren't supported\r
+ //ResultSet rv =\r
+ try {\r
+ getSession(trans).execute(UPDATE_SP + TABLE + " SET roles = roles - {'" + roleFullName + "'} " +\r
+ "WHERE " +\r
+ "ns = '" + perm.ns + "' AND " +\r
+ "type = '" + perm.type + "' AND " +\r
+ "instance = '" + perm.instance + "' AND " +\r
+ "action = '" + perm.action + "';"\r
+ );\r
+ } catch (DriverException | APIException | IOException e) {\r
+ reportPerhapsReset(trans,e);\r
+ return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);\r
+ }\r
+\r
+ //TODO how can we tell when it doesn't?\r
+ wasModified(trans, CRUD.update, perm, "Removed role " + roleFullName + " from perm " +\r
+ perm.ns + '.' + perm.type + '|' + perm.instance + '|' + perm.action);\r
+ return Result.ok();\r
+ }\r
+\r
+\r
+ \r
+ /**\r
+ * Additional method: \r
+ * Select all Permissions by Name\r
+ * \r
+ * @param name\r
+ * @return\r
+ * @throws DAOException\r
+ */\r
+ public Result<List<Data>> readByType(AuthzTrans trans, String ns, String type) {\r
+ return psByType.read(trans, R_TEXT, new Object[]{ns, type});\r
+ }\r
+ \r
+ public Result<List<Data>> readChildren(AuthzTrans trans, String ns, String type) {\r
+ return psChildren.read(trans, R_TEXT, new Object[]{ns, type+DOT, type + DOT_PLUS_ONE});\r
+ }\r
+\r
+ public Result<List<Data>> readNS(AuthzTrans trans, String ns) {\r
+ return psNS.read(trans, R_TEXT, new Object[]{ns});\r
+ }\r
+\r
+ /**\r
+ * Add description to this permission\r
+ * \r
+ * @param trans\r
+ * @param ns\r
+ * @param type\r
+ * @param instance\r
+ * @param action\r
+ * @param description\r
+ * @return\r
+ */\r
+ public Result<Void> addDescription(AuthzTrans trans, String ns, String type,\r
+ String instance, String action, String description) {\r
+ try {\r
+ getSession(trans).execute(UPDATE_SP + TABLE + " SET description = '" \r
+ + description + "' WHERE ns = '" + ns + "' AND type = '" + type + "'"\r
+ + "AND instance = '" + instance + "' AND action = '" + action + "';");\r
+ } catch (DriverException | APIException | IOException e) {\r
+ reportPerhapsReset(trans,e);\r
+ return Result.err(Result.ERR_Backend, CassAccess.ERR_ACCESS_MSG);\r
+ }\r
+\r
+ Data data = new Data();\r
+ data.ns=ns;\r
+ data.type=type;\r
+ data.instance=instance;\r
+ data.action=action;\r
+ wasModified(trans, CRUD.update, data, "Added description " + description + " to permission " \r
+ + data.encode(), null );\r
+ return Result.ok();\r
+ }\r
+ \r
+ /**\r
+ * Log Modification statements to History\r
+ */\r
+ @Override\r
+ protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {\r
+ boolean memo = override.length>0 && override[0]!=null;\r
+ boolean subject = override.length>1 && override[1]!=null;\r
+\r
+ // Need to update history\r
+ HistoryDAO.Data hd = HistoryDAO.newInitedData();\r
+ hd.user = trans.user();\r
+ hd.action = modified.name();\r
+ hd.target = TABLE;\r
+ hd.subject = subject ? override[1] : data.fullType();\r
+ if (memo) {\r
+ hd.memo = String.format("%s", override[0]);\r
+ } else {\r
+ hd.memo = String.format("%sd %s|%s|%s", modified.name(),data.fullType(),data.instance,data.action);\r
+ }\r
+ \r
+ if(modified==CRUD.delete) {\r
+ try {\r
+ hd.reconstruct = data.bytify();\r
+ } catch (IOException e) {\r
+ trans.error().log(e,"Could not serialize PermDAO.Data");\r
+ }\r
+ }\r
+ \r
+ if(historyDAO.create(trans, hd).status!=Status.OK) {\r
+ trans.error().log("Cannot log to History");\r
+ }\r
+ if(infoDAO.touch(trans, TABLE,data.invalidate(cache)).notOK()) {\r
+ trans.error().log("Cannot touch CacheInfo");\r
+ }\r
+ }\r
+}\r
+\r
Code Review / aaf / authz.git / blobdiff