+++ /dev/null
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- * * http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- * * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.authz.service;\r
-\r
-import static org.onap.aaf.authz.layer.Result.OK;\r
-import static org.onap.aaf.cssa.rserv.HttpMethods.DELETE;\r
-import static org.onap.aaf.cssa.rserv.HttpMethods.GET;\r
-import static org.onap.aaf.cssa.rserv.HttpMethods.POST;\r
-import static org.onap.aaf.cssa.rserv.HttpMethods.PUT;\r
-\r
-import java.io.IOException;\r
-import java.util.ArrayList;\r
-import java.util.Collection;\r
-import java.util.Collections;\r
-import java.util.Comparator;\r
-import java.util.Date;\r
-import java.util.GregorianCalendar;\r
-import java.util.HashMap;\r
-import java.util.HashSet;\r
-import java.util.List;\r
-import java.util.Map;\r
-import java.util.Set;\r
-import java.util.TreeMap;\r
-import java.util.UUID;\r
-\r
-import javax.servlet.http.HttpServletRequest;\r
-\r
-import org.onap.aaf.authz.common.Define;\r
-import org.onap.aaf.authz.env.AuthzTrans;\r
-import org.onap.aaf.authz.layer.Result;\r
-import org.onap.aaf.authz.org.Executor;\r
-import org.onap.aaf.authz.org.Organization;\r
-import org.onap.aaf.authz.org.Organization.Expiration;\r
-import org.onap.aaf.authz.org.Organization.Identity;\r
-import org.onap.aaf.authz.org.Organization.Policy;\r
-import org.onap.aaf.authz.service.mapper.Mapper;\r
-import org.onap.aaf.authz.service.mapper.Mapper.API;\r
-import org.onap.aaf.authz.service.validation.Validator;\r
-import org.onap.aaf.cssa.rserv.doc.ApiDoc;\r
-import org.onap.aaf.dao.DAOException;\r
-import org.onap.aaf.dao.aaf.cass.ApprovalDAO;\r
-import org.onap.aaf.dao.aaf.cass.CertDAO;\r
-import org.onap.aaf.dao.aaf.cass.CredDAO;\r
-import org.onap.aaf.dao.aaf.cass.DelegateDAO;\r
-import org.onap.aaf.dao.aaf.cass.FutureDAO;\r
-import org.onap.aaf.dao.aaf.cass.HistoryDAO;\r
-import org.onap.aaf.dao.aaf.cass.Namespace;\r
-import org.onap.aaf.dao.aaf.cass.NsDAO;\r
-import org.onap.aaf.dao.aaf.cass.NsSplit;\r
-import org.onap.aaf.dao.aaf.cass.NsType;\r
-import org.onap.aaf.dao.aaf.cass.PermDAO;\r
-import org.onap.aaf.dao.aaf.cass.RoleDAO;\r
-import org.onap.aaf.dao.aaf.cass.Status;\r
-import org.onap.aaf.dao.aaf.cass.UserRoleDAO;\r
-import org.onap.aaf.dao.aaf.cass.NsDAO.Data;\r
-import org.onap.aaf.dao.aaf.hl.CassExecutor;\r
-import org.onap.aaf.dao.aaf.hl.Function;\r
-import org.onap.aaf.dao.aaf.hl.Question;\r
-import org.onap.aaf.dao.aaf.hl.Question.Access;\r
-\r
-import org.onap.aaf.cadi.principal.BasicPrincipal;\r
-import org.onap.aaf.inno.env.Env;\r
-import org.onap.aaf.inno.env.TimeTaken;\r
-import org.onap.aaf.inno.env.util.Chrono;\r
-import org.onap.aaf.inno.env.util.Split;\r
-\r
-import aaf.v2_0.CredRequest;\r
-\r
-/**\r
- * AuthzCassServiceImpl implements AuthzCassService for \r
- * \r
- *\r
- * @param <NSS>\r
- * @param <PERMS>\r
- * @param <PERMKEY>\r
- * @param <ROLES>\r
- * @param <USERS>\r
- * @param <DELGS>\r
- * @param <REQUEST>\r
- * @param <HISTORY>\r
- * @param <ERR>\r
- * @param <APPROVALS>\r
- */\r
-public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS>\r
- implements AuthzService <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> {\r
- \r
- private Mapper <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper;\r
- @Override\r
- public Mapper <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper() {return mapper;}\r
- \r
- private static final String ASTERIX = "*";\r
- private static final String CACHE = "cache";\r
-\r
- private final Question ques;\r
- private final Function func;\r
- \r
- public AuthzCassServiceImpl(AuthzTrans trans, Mapper<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper,Question question) {\r
- this.ques = question;\r
- func = new Function(trans, question);\r
- this.mapper = mapper;\r
- \r
- }\r
-\r
-/***********************************\r
- * NAMESPACE \r
- ***********************************/\r
- /**\r
- * createNS\r
- * @throws DAOException \r
- * @see org.onap.aaf.authz.service.AuthzService#createNS(org.onap.aaf.authz.env.AuthzTrans, java.lang.String, java.lang.String)\r
- */\r
- @ApiDoc( \r
- method = POST, \r
- path = "/authz/ns",\r
- params = {},\r
- expectedCode = 201,\r
- errorCodes = { 403,404,406,409 }, \r
- text = { "Namespace consists of: ",\r
- "<ul><li>name - What you want to call this Namespace</li>",\r
- "<li>responsible(s) - Person(s) who receive Notifications and approves Requests ",\r
- "regarding this Namespace. Companies have Policies as to who may take on ",\r
- "this Responsibility. Separate multiple identities with commas</li>",\r
- "<li>admin(s) - Person(s) who are allowed to make changes on the namespace, ",\r
- "including creating Roles, Permissions and Credentials. Separate multiple ",\r
- "identities with commas</li></ul>",\r
- "Note: Namespaces are dot-delimited (i.e. com.myCompany.myApp) and must be ",\r
- "created with parent credentials (i.e. To create com.myCompany.myApp, you must ",\r
- "be an admin of com.myCompany or com"\r
- }\r
- )\r
- @Override\r
- public Result<Void> createNS(final AuthzTrans trans, REQUEST from, NsType type) {\r
- final Result<Namespace> rnamespace = mapper.ns(trans, from);\r
- final Validator v = new Validator();\r
- if(v.ns(rnamespace).err()) { \r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- final Namespace namespace = rnamespace.value;\r
- final Result<NsDAO.Data> parentNs = ques.deriveNs(trans,namespace.name);\r
- if(parentNs.notOK()) {\r
- return Result.err(parentNs);\r
- }\r
- \r
- if(namespace.name.lastIndexOf('.')<0) { // Root Namespace... Function will check if allowed\r
- return func.createNS(trans, namespace, false);\r
- }\r
- \r
- Result<FutureDAO.Data> fd = mapper.future(trans, NsDAO.TABLE,from,namespace,true, \r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return "Create Namespace [" + namespace.name + ']';\r
- }\r
- },\r
- new MayChange() {\r
- private Result<NsDAO.Data> rnd;\r
- @Override\r
- public Result<?> mayChange() {\r
- if(rnd==null) {\r
- rnd = ques.mayUser(trans, trans.user(), parentNs.value,Access.write);\r
- }\r
- return rnd;\r
- }\r
- });\r
- switch(fd.status) {\r
- case OK:\r
- Result<List<Identity>> rfc = func.createFuture(trans, fd.value, namespace.name, trans.user(),parentNs.value, "C");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "NS [%s] is saved for future processing",namespace.name);\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- return func.createNS(trans, namespace, false);\r
- default:\r
- return Result.err(fd);\r
- }\r
- }\r
- \r
- @ApiDoc(\r
- method = POST, \r
- path = "/authz/ns/:ns/admin/:id",\r
- params = { "ns|string|true",\r
- "id|string|true" \r
- },\r
- expectedCode = 201,\r
- errorCodes = { 403,404,406,409 }, \r
- text = { "Add an Identity :id to the list of Admins for the Namespace :ns", \r
- "Note: :id must be fully qualified (i.e. ab1234@csp.att.com)" }\r
- )\r
- @Override\r
- public Result<Void> addAdminNS(AuthzTrans trans, String ns, String id) {\r
- return func.addUserRole(trans, id, ns,Question.ADMIN);\r
- }\r
-\r
- @ApiDoc(\r
- method = DELETE, \r
- path = "/authz/ns/:ns/admin/:id",\r
- params = { "ns|string|true",\r
- "id|string|true" \r
- },\r
- expectedCode = 200,\r
- errorCodes = { 403,404 }, \r
- text = { "Remove an Identity :id from the list of Admins for the Namespace :ns",\r
- "Note: :id must be fully qualified (i.e. ab1234@csp.att.com)" }\r
- )\r
- @Override\r
- public Result<Void> delAdminNS(AuthzTrans trans, String ns, String id) {\r
- return func.delAdmin(trans,ns,id);\r
- }\r
-\r
- @ApiDoc(\r
- method = POST, \r
- path = "/authz/ns/:ns/responsible/:id",\r
- params = { "ns|string|true",\r
- "id|string|true" \r
- },\r
- expectedCode = 201,\r
- errorCodes = { 403,404,406,409 }, \r
- text = { "Add an Identity :id to the list of Responsibles for the Namespace :ns",\r
- "Note: :id must be fully qualified (i.e. ab1234@csp.att.com)" }\r
- )\r
- @Override\r
- public Result<Void> addResponsibleNS(AuthzTrans trans, String ns, String id) {\r
- return func.addUserRole(trans,id,ns,Question.OWNER);\r
- }\r
-\r
- @ApiDoc(\r
- method = DELETE, \r
- path = "/authz/ns/:ns/responsible/:id",\r
- params = { "ns|string|true",\r
- "id|string|true" \r
- },\r
- expectedCode = 200,\r
- errorCodes = { 403,404 }, \r
- text = { "Remove an Identity :id to the list of Responsibles for the Namespace :ns",\r
- "Note: :id must be fully qualified (i.e. ab1234@csp.att.com)",\r
- "Note: A namespace must have at least 1 responsible party"\r
- }\r
- )\r
- @Override\r
- public Result<Void> delResponsibleNS(AuthzTrans trans, String ns, String id) {\r
- return func.delOwner(trans,ns,id);\r
- }\r
-\r
- /* (non-Javadoc)\r
- * @see org.onap.aaf.authz.service.AuthzService#applyModel(org.onap.aaf.authz.env.AuthzTrans, java.lang.Object)\r
- */\r
- @ApiDoc(\r
- method = POST, \r
- path = "/authz/ns/:ns/attrib/:key/:value",\r
- params = { "ns|string|true",\r
- "key|string|true",\r
- "value|string|true"},\r
- expectedCode = 201,\r
- errorCodes = { 403,404,406,409 }, \r
- text = { \r
- "Create an attribute in the Namespace",\r
- "You must be given direct permission for key by AAF"\r
- }\r
- )\r
- @Override\r
- public Result<Void> createNsAttrib(AuthzTrans trans, String ns, String key, String value) {\r
- TimeTaken tt = trans.start("Create NsAttrib " + ns + ':' + key + ':' + value, Env.SUB);\r
- try {\r
- // Check inputs\r
- final Validator v = new Validator();\r
- if(v.ns(ns).err() ||\r
- v.key(key).err() ||\r
- v.value(value).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- // Check if exists already\r
- Result<List<Data>> rlnsd = ques.nsDAO.read(trans, ns);\r
- if(rlnsd.notOKorIsEmpty()) {\r
- return Result.err(rlnsd);\r
- }\r
- NsDAO.Data nsd = rlnsd.value.get(0);\r
-\r
- // Check for Existence\r
- if(nsd.attrib.get(key)!=null) {\r
- return Result.err(Status.ERR_ConflictAlreadyExists, "NS Property %s:%s exists", ns, key);\r
- }\r
- \r
- // Check if User may put\r
- if(!ques.isGranted(trans, trans.user(), Define.ROOT_NS, Question.ATTRIB, \r
- ":"+trans.org().getDomain()+".*:"+key, Access.write.name())) {\r
- return Result.err(Status.ERR_Denied, "%s may not create NS Attrib [%s:%s]", trans.user(),ns, key);\r
- }\r
-\r
- // Add Attrib\r
- nsd.attrib.put(key, value);\r
- ques.nsDAO.dao().attribAdd(trans,ns,key,value);\r
- return Result.ok();\r
- } finally {\r
- tt.done();\r
- }\r
- }\r
- \r
- @ApiDoc(\r
- method = GET, \r
- path = "/authz/ns/attrib/:key",\r
- params = { "key|string|true" },\r
- expectedCode = 200,\r
- errorCodes = { 403,404 }, \r
- text = { \r
- "Read Attributes for Namespace"\r
- }\r
- )\r
- @Override\r
- public Result<KEYS> readNsByAttrib(AuthzTrans trans, String key) {\r
- // Check inputs\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("Key",key).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- // May Read\r
- if(!ques.isGranted(trans, trans.user(), Define.ROOT_NS, Question.ATTRIB, \r
- ":"+trans.org().getDomain()+".*:"+key, Question.READ)) {\r
- return Result.err(Status.ERR_Denied,"%s may not read NS by Attrib '%s'",trans.user(),key);\r
- }\r
-\r
- Result<Set<String>> rsd = ques.nsDAO.dao().readNsByAttrib(trans, key);\r
- if(rsd.notOK()) {\r
- return Result.err(rsd);\r
- }\r
- return mapper().keys(rsd.value);\r
- }\r
-\r
-\r
- @ApiDoc(\r
- method = PUT, \r
- path = "/authz/ns/:ns/attrib/:key/:value",\r
- params = { "ns|string|true",\r
- "key|string|true"},\r
- expectedCode = 200,\r
- errorCodes = { 403,404 }, \r
- text = { \r
- "Update Value on an existing attribute in the Namespace",\r
- "You must be given direct permission for key by AAF"\r
- }\r
- )\r
- @Override\r
- public Result<?> updateNsAttrib(AuthzTrans trans, String ns, String key, String value) {\r
- TimeTaken tt = trans.start("Update NsAttrib " + ns + ':' + key + ':' + value, Env.SUB);\r
- try {\r
- // Check inputs\r
- final Validator v = new Validator();\r
- if(v.ns(ns).err() ||\r
- v.key(key).err() ||\r
- v.value(value).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- // Check if exists already (NS must exist)\r
- Result<List<Data>> rlnsd = ques.nsDAO.read(trans, ns);\r
- if(rlnsd.notOKorIsEmpty()) {\r
- return Result.err(rlnsd);\r
- }\r
- NsDAO.Data nsd = rlnsd.value.get(0);\r
-\r
- // Check for Existence\r
- if(nsd.attrib.get(key)==null) {\r
- return Result.err(Status.ERR_NotFound, "NS Property %s:%s exists", ns, key);\r
- }\r
- \r
- // Check if User may put\r
- if(!ques.isGranted(trans, trans.user(), Define.ROOT_NS, Question.ATTRIB, \r
- ":"+trans.org().getDomain()+".*:"+key, Access.write.name())) {\r
- return Result.err(Status.ERR_Denied, "%s may not create NS Attrib [%s:%s]", trans.user(),ns, key);\r
- }\r
-\r
- // Add Attrib\r
- nsd.attrib.put(key, value);\r
-\r
- return ques.nsDAO.update(trans,nsd);\r
- \r
- } finally {\r
- tt.done();\r
- }\r
- }\r
-\r
- @ApiDoc(\r
- method = DELETE, \r
- path = "/authz/ns/:ns/attrib/:key",\r
- params = { "ns|string|true",\r
- "key|string|true"},\r
- expectedCode = 200,\r
- errorCodes = { 403,404 }, \r
- text = { \r
- "Delete an attribute in the Namespace",\r
- "You must be given direct permission for key by AAF"\r
- }\r
- )\r
- @Override\r
- public Result<Void> deleteNsAttrib(AuthzTrans trans, String ns, String key) {\r
- TimeTaken tt = trans.start("Delete NsAttrib " + ns + ':' + key, Env.SUB);\r
- try {\r
- // Check inputs\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("NS",ns).err() ||\r
- v.nullOrBlank("Key",key).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- // Check if exists already\r
- Result<List<Data>> rlnsd = ques.nsDAO.read(trans, ns);\r
- if(rlnsd.notOKorIsEmpty()) {\r
- return Result.err(rlnsd);\r
- }\r
- NsDAO.Data nsd = rlnsd.value.get(0);\r
-\r
- // Check for Existence\r
- if(nsd.attrib.get(key)==null) {\r
- return Result.err(Status.ERR_NotFound, "NS Property [%s:%s] does not exist", ns, key);\r
- }\r
- \r
- // Check if User may del\r
- if(!ques.isGranted(trans, trans.user(), Define.ROOT_NS, "attrib", ":com.att.*:"+key, Access.write.name())) {\r
- return Result.err(Status.ERR_Denied, "%s may not delete NS Attrib [%s:%s]", trans.user(),ns, key);\r
- }\r
-\r
- // Add Attrib\r
- nsd.attrib.remove(key);\r
- ques.nsDAO.dao().attribRemove(trans,ns,key);\r
- return Result.ok();\r
- } finally {\r
- tt.done();\r
- }\r
- }\r
-\r
- @ApiDoc(\r
- method = GET, \r
- path = "/authz/nss/:id",\r
- params = { "id|string|true" },\r
- expectedCode = 200,\r
- errorCodes = { 404,406 }, \r
- text = { \r
- "Lists the Admin(s), Responsible Party(s), Role(s), Permission(s)",\r
- "Credential(s) and Expiration of Credential(s) in Namespace :id",\r
- }\r
- )\r
- @Override\r
- public Result<NSS> getNSbyName(AuthzTrans trans, String ns) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("NS", ns).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- Result<List<NsDAO.Data>> rlnd = ques.nsDAO.read(trans, ns);\r
- if(rlnd.isOK()) {\r
- if(rlnd.isEmpty()) {\r
- return Result.err(Status.ERR_NotFound, "No data found for %s",ns);\r
- }\r
- Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), rlnd.value.get(0), Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
- \r
- \r
- Namespace namespace = new Namespace(rnd.value);\r
- Result<List<String>> rd = func.getOwners(trans, namespace.name, false);\r
- if(rd.isOK()) {\r
- namespace.owner = rd.value;\r
- }\r
- rd = func.getAdmins(trans, namespace.name, false);\r
- if(rd.isOK()) {\r
- namespace.admin = rd.value;\r
- }\r
- \r
- NSS nss = mapper.newInstance(API.NSS);\r
- return mapper.nss(trans, namespace, nss);\r
- } else {\r
- return Result.err(rlnd);\r
- }\r
- }\r
-\r
- @ApiDoc(\r
- method = GET, \r
- path = "/authz/nss/admin/:id",\r
- params = { "id|string|true" },\r
- expectedCode = 200,\r
- errorCodes = { 403,404 }, \r
- text = { "Lists all Namespaces where Identity :id is an Admin", \r
- "Note: :id must be fully qualified (i.e. ab1234@csp.att.com)" \r
- }\r
- )\r
- @Override\r
- public Result<NSS> getNSbyAdmin(AuthzTrans trans, String user, boolean full) {\r
- final Validator v = new Validator();\r
- if (v.nullOrBlank("User", user).err()) {\r
- return Result.err(Status.ERR_BadData, v.errs());\r
- }\r
- \r
- Result<Collection<Namespace>> rn = loadNamepace(trans, user, ".admin", full);\r
- if(rn.notOK()) {\r
- return Result.err(rn);\r
- }\r
- if (rn.isEmpty()) {\r
- return Result.err(Status.ERR_NotFound, "[%s] is not an admin for any namespaces",user); \r
- }\r
- NSS nss = mapper.newInstance(API.NSS);\r
- // Note: "loadNamespace" already validates view of Namespace\r
- return mapper.nss(trans, rn.value, nss);\r
-\r
- }\r
-\r
- @ApiDoc(\r
- method = GET, \r
- path = "/authz/nss/either/:id",\r
- params = { "id|string|true" },\r
- expectedCode = 200,\r
- errorCodes = { 403,404 }, \r
- text = { "Lists all Namespaces where Identity :id is either an Admin or an Owner", \r
- "Note: :id must be fully qualified (i.e. ab1234@csp.att.com)" \r
- }\r
- )\r
- @Override\r
- public Result<NSS> getNSbyEither(AuthzTrans trans, String user, boolean full) {\r
- final Validator v = new Validator();\r
- if (v.nullOrBlank("User", user).err()) {\r
- return Result.err(Status.ERR_BadData, v.errs());\r
- }\r
- \r
- Result<Collection<Namespace>> rn = loadNamepace(trans, user, null, full);\r
- if(rn.notOK()) {\r
- return Result.err(rn);\r
- }\r
- if (rn.isEmpty()) {\r
- return Result.err(Status.ERR_NotFound, "[%s] is not an admin or owner for any namespaces",user); \r
- }\r
- NSS nss = mapper.newInstance(API.NSS);\r
- // Note: "loadNamespace" already validates view of Namespace\r
- return mapper.nss(trans, rn.value, nss);\r
- }\r
-\r
- private Result<Collection<Namespace>> loadNamepace(AuthzTrans trans, String user, String endsWith, boolean full) {\r
- Result<List<UserRoleDAO.Data>> urd = ques.userRoleDAO.readByUser(trans, user);\r
- if(urd.notOKorIsEmpty()) {\r
- return Result.err(urd);\r
- }\r
- Map<String, Namespace> lm = new HashMap<String,Namespace>();\r
- Map<String, Namespace> other = full || endsWith==null?null:new TreeMap<String,Namespace>();\r
- for(UserRoleDAO.Data urdd : urd.value) {\r
- if(full) {\r
- if(endsWith==null || urdd.role.endsWith(endsWith)) {\r
- RoleDAO.Data rd = RoleDAO.Data.decode(urdd);\r
- Result<NsDAO.Data> nsd = ques.mayUser(trans, user, rd, Access.read);\r
- if(nsd.isOK()) {\r
- Namespace namespace = lm.get(nsd.value.name);\r
- if(namespace==null) {\r
- namespace = new Namespace(nsd.value);\r
- lm.put(namespace.name,namespace);\r
- }\r
- Result<List<String>> rls = func.getAdmins(trans, namespace.name, false);\r
- if(rls.isOK()) {\r
- namespace.admin=rls.value;\r
- }\r
- \r
- rls = func.getOwners(trans, namespace.name, false);\r
- if(rls.isOK()) {\r
- namespace.owner=rls.value;\r
- }\r
- }\r
- }\r
- } else { // Shortened version. Only Namespace Info available from Role.\r
- if(Question.ADMIN.equals(urdd.rname) || Question.OWNER.equals(urdd.rname)) {\r
- RoleDAO.Data rd = RoleDAO.Data.decode(urdd);\r
- Result<NsDAO.Data> nsd = ques.mayUser(trans, user, rd, Access.read);\r
- if(nsd.isOK()) {\r
- Namespace namespace = lm.get(nsd.value.name);\r
- if(namespace==null) {\r
- if(other!=null) {\r
- namespace = other.remove(nsd.value.name);\r
- }\r
- if(namespace==null) {\r
- namespace = new Namespace(nsd.value);\r
- namespace.admin=new ArrayList<String>();\r
- namespace.owner=new ArrayList<String>();\r
- }\r
- if(endsWith==null || urdd.role.endsWith(endsWith)) {\r
- lm.put(namespace.name,namespace);\r
- } else { \r
- other.put(namespace.name,namespace);\r
- }\r
- }\r
- if(Question.OWNER.equals(urdd.rname)) {\r
- namespace.owner.add(urdd.user);\r
- } else {\r
- namespace.admin.add(urdd.user);\r
- }\r
- }\r
- }\r
- }\r
- }\r
- return Result.ok(lm.values());\r
- }\r
-\r
- @ApiDoc(\r
- method = GET, \r
- path = "/authz/nss/responsible/:id",\r
- params = { "id|string|true" },\r
- expectedCode = 200,\r
- errorCodes = { 403,404 }, \r
- text = { "Lists all Namespaces where Identity :id is a Responsible Party", \r
- "Note: :id must be fully qualified (i.e. ab1234@csp.att.com)"\r
- }\r
- )\r
- @Override\r
- public Result<NSS> getNSbyResponsible(AuthzTrans trans, String user, boolean full) {\r
- final Validator v = new Validator();\r
- if (v.nullOrBlank("User", user).err()) {\r
- return Result.err(Status.ERR_BadData, v.errs());\r
- }\r
- Result<Collection<Namespace>> rn = loadNamepace(trans, user, ".owner",full);\r
- if(rn.notOK()) {\r
- return Result.err(rn);\r
- }\r
- if (rn.isEmpty()) {\r
- return Result.err(Status.ERR_NotFound, "[%s] is not an owner for any namespaces",user); \r
- }\r
- NSS nss = mapper.newInstance(API.NSS);\r
- // Note: "loadNamespace" prevalidates\r
- return mapper.nss(trans, rn.value, nss);\r
- }\r
- \r
- @ApiDoc(\r
- method = GET, \r
- path = "/authz/nss/children/:id",\r
- params = { "id|string|true" },\r
- expectedCode = 200,\r
- errorCodes = { 403,404 }, \r
- text = { "Lists all Child Namespaces of Namespace :id", \r
- "Note: This is not a cached read"\r
- }\r
- )\r
- @Override\r
- public Result<NSS> getNSsChildren(AuthzTrans trans, String parent) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("NS", parent).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- Result<NsDAO.Data> rnd = ques.deriveNs(trans, parent);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd);\r
- }\r
- rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
-\r
- Set<Namespace> lm = new HashSet<Namespace>();\r
- Result<List<NsDAO.Data>> rlnd = ques.nsDAO.dao().getChildren(trans, parent);\r
- if(rlnd.isOK()) {\r
- if(rlnd.isEmpty()) {\r
- return Result.err(Status.ERR_NotFound, "No data found for %s",parent);\r
- }\r
- for(NsDAO.Data ndd : rlnd.value) {\r
- Namespace namespace = new Namespace(ndd);\r
- Result<List<String>> rls = func.getAdmins(trans, namespace.name, false);\r
- if(rls.isOK()) {\r
- namespace.admin=rls.value;\r
- }\r
- \r
- rls = func.getOwners(trans, namespace.name, false);\r
- if(rls.isOK()) {\r
- namespace.owner=rls.value;\r
- }\r
-\r
- lm.add(namespace);\r
- }\r
- NSS nss = mapper.newInstance(API.NSS);\r
- return mapper.nss(trans,lm, nss);\r
- } else {\r
- return Result.err(rlnd);\r
- }\r
- }\r
-\r
-\r
- @ApiDoc(\r
- method = PUT, \r
- path = "/authz/ns",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = { 403,404,406 }, \r
- text = { "Replace the Current Description of a Namespace with a new one"\r
- }\r
- )\r
- @Override\r
- public Result<Void> updateNsDescription(AuthzTrans trans, REQUEST from) {\r
- final Result<Namespace> nsd = mapper.ns(trans, from);\r
- final Validator v = new Validator();\r
- if(v.ns(nsd).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- if(v.nullOrBlank("description", nsd.value.description).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Namespace namespace = nsd.value;\r
- Result<List<NsDAO.Data>> rlnd = ques.nsDAO.read(trans, namespace.name);\r
- \r
- if(rlnd.notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_NotFound, "Namespace [%s] does not exist",namespace.name);\r
- }\r
- \r
- if (ques.mayUser(trans, trans.user(), rlnd.value.get(0), Access.write).notOK()) {\r
- return Result.err(Status.ERR_Denied, "You do not have approval to change %s",namespace.name);\r
- }\r
-\r
- Result<Void> rdr = ques.nsDAO.dao().addDescription(trans, namespace.name, namespace.description);\r
- if(rdr.isOK()) {\r
- return Result.ok();\r
- } else {\r
- return Result.err(rdr);\r
- }\r
- }\r
- \r
- /**\r
- * deleteNS\r
- * @throws DAOException \r
- * @see org.onap.aaf.authz.service.AuthzService#deleteNS(org.onap.aaf.authz.env.AuthzTrans, java.lang.String, java.lang.String)\r
- */\r
- @ApiDoc(\r
- method = DELETE, \r
- path = "/authz/ns/:ns",\r
- params = { "ns|string|true" },\r
- expectedCode = 200,\r
- errorCodes = { 403,404,424 }, \r
- text = { "Delete the Namespace :ns. Namespaces cannot normally be deleted when there ",\r
- "are still credentials associated with them, but they can be deleted by setting ",\r
- "the \"force\" property. To do this: Add 'force=true' as a query parameter",\r
- "<p>WARNING: Using force will delete all credentials attached to this namespace. Use with care.</p>"\r
- + "if the \"force\" property is set to 'force=move', then Permissions and Roles are not deleted,"\r
- + "but are retained, and assigned to the Parent Namespace. 'force=move' is not permitted "\r
- + "at or below Application Scope"\r
- }\r
- )\r
- @Override\r
- public Result<Void> deleteNS(AuthzTrans trans, String ns) {\r
- return func.deleteNS(trans, ns);\r
- }\r
-\r
-\r
-/***********************************\r
- * PERM \r
- ***********************************/\r
-\r
- /*\r
- * (non-Javadoc)\r
- * @see org.onap.aaf.authz.service.AuthzService#createOrUpdatePerm(org.onap.aaf.authz.env.AuthzTrans, java.lang.Object, boolean, java.lang.String, java.lang.String, java.lang.String, java.util.List, java.util.List)\r
- */\r
- @ApiDoc( \r
- method = POST, \r
- path = "/authz/perm",\r
- params = {},\r
- expectedCode = 201,\r
- errorCodes = {403,404,406,409}, \r
- text = { "Permission consists of:",\r
- "<ul><li>type - a Namespace qualified identifier specifying what kind of resource "\r
- + "is being protected</li>",\r
- "<li>instance - a key, possibly multi-dimensional, that identifies a specific "\r
- + " instance of the type</li>",\r
- "<li>action - what kind of action is allowed</li></ul>",\r
- "Note: instance and action can be an *"\r
- }\r
- )\r
- @Override\r
- public Result<Void> createPerm(final AuthzTrans trans,REQUEST rreq) { \r
- final Result<PermDAO.Data> newPd = mapper.perm(trans, rreq);\r
- final Validator v = new Validator(trans);\r
- if(v.perm(newPd).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- Result<FutureDAO.Data> fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false,\r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return "Create Permission [" + \r
- newPd.value.fullType() + '|' + \r
- newPd.value.instance + '|' + \r
- newPd.value.action + ']';\r
- }\r
- },\r
- new MayChange() {\r
- private Result<NsDAO.Data> nsd;\r
- @Override\r
- public Result<?> mayChange() {\r
- if(nsd==null) {\r
- nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write);\r
- }\r
- return nsd;\r
- }\r
- });\r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, newPd.value.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
- switch(fd.status) {\r
- case OK:\r
- Result<List<Identity>> rfc = func.createFuture(trans,fd.value, \r
- newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action,\r
- trans.user(),\r
- nsr.value.get(0),\r
- "C");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing",\r
- newPd.value.ns,\r
- newPd.value.type,\r
- newPd.value.instance,\r
- newPd.value.action);\r
- } else {\r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- return func.createPerm(trans, newPd.value, true);\r
- default:\r
- return Result.err(fd);\r
- } \r
- }\r
-\r
- @ApiDoc( \r
- method = GET, \r
- path = "/authz/perms/:type",\r
- params = {"type|string|true"},\r
- expectedCode = 200,\r
- errorCodes = { 404,406 }, \r
- text = { "List All Permissions that match the :type element of the key" }\r
- )\r
- @Override\r
- public Result<PERMS> getPermsByType(AuthzTrans trans, final String permType) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("PermType", permType).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<List<PermDAO.Data>> rlpd = ques.getPermsByType(trans, permType);\r
- if(rlpd.notOK()) {\r
- return Result.err(rlpd);\r
- }\r
-\r
-// We don't have instance & action for mayUserView... do we want to loop through all returned here as well as in mapper?\r
-// Result<NsDAO.Data> r;\r
-// if((r = ques.mayUserViewPerm(trans, trans.user(), permType)).notOK())return Result.err(r);\r
- \r
- PERMS perms = mapper.newInstance(API.PERMS);\r
- if(!rlpd.isEmpty()) {\r
- // Note: Mapper will restrict what can be viewed\r
- return mapper.perms(trans, rlpd.value, perms, true);\r
- }\r
- return Result.ok(perms);\r
- }\r
- \r
- @ApiDoc( \r
- method = GET, \r
- path = "/authz/perms/:type/:instance/:action",\r
- params = {"type|string|true",\r
- "instance|string|true",\r
- "action|string|true"},\r
- expectedCode = 200,\r
- errorCodes = { 404,406 }, \r
- text = { "List Permissions that match key; :type, :instance and :action" }\r
- )\r
- @Override\r
- public Result<PERMS> getPermsByName(AuthzTrans trans, String type, String instance, String action) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("PermType", type).err()\r
- || v.nullOrBlank("PermInstance", instance).err()\r
- || v.nullOrBlank("PermAction", action).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- Result<List<PermDAO.Data>> rlpd = ques.getPermsByName(trans, type, instance, action);\r
- if(rlpd.notOK()) {\r
- return Result.err(rlpd);\r
- }\r
-\r
- PERMS perms = mapper.newInstance(API.PERMS);\r
- if(!rlpd.isEmpty()) {\r
- // Note: Mapper will restrict what can be viewed\r
- return mapper.perms(trans, rlpd.value, perms, true);\r
- }\r
- return Result.ok(perms);\r
- }\r
-\r
- @ApiDoc( \r
- method = GET, \r
- path = "/authz/perms/user/:user",\r
- params = {"user|string|true"},\r
- expectedCode = 200,\r
- errorCodes = { 404,406 }, \r
- text = { "List All Permissions that match user :user",\r
- "<p>'user' must be expressed as full identity (ex: id@full.domain.com)</p>"}\r
- )\r
- @Override\r
- public Result<PERMS> getPermsByUser(AuthzTrans trans, String user) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("User", user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user, trans.forceRequested());\r
- if(rlpd.notOK()) {\r
- return Result.err(rlpd);\r
- }\r
- \r
- PERMS perms = mapper.newInstance(API.PERMS);\r
- \r
- if(rlpd.isEmpty()) {\r
- return Result.ok(perms);\r
- }\r
- // Note: Mapper will restrict what can be viewed\r
- // if user is the same as that which is looked up, no filtering is required\r
- return mapper.perms(trans, rlpd.value, \r
- perms, \r
- !user.equals(trans.user()));\r
- }\r
- \r
- @ApiDoc( \r
- method = POST, \r
- path = "/authz/perms/user/:user",\r
- params = {"user|string|true"},\r
- expectedCode = 200,\r
- errorCodes = { 404,406 }, \r
- text = { "List All Permissions that match user :user",\r
- "<p>'user' must be expressed as full identity (ex: id@full.domain.com)</p>",\r
- "",\r
- "Present Queries as one or more Permissions (see ContentType Links below for format).",\r
- "",\r
- "If the Caller is Granted this specific Permission, and the Permission is valid",\r
- " for the User, it will be included in response Permissions, along with",\r
- " all the normal permissions on the 'GET' version of this call. If it is not",\r
- " valid, or Caller does not have permission to see, it will be removed from the list",\r
- "",\r
- " *Note: This design allows you to make one call for all expected permissions",\r
- " The permission to be included MUST be:",\r
- " <user namespace>.access|:<ns|role|perm>[:key]|<create|read|write>",\r
- " examples:",\r
- " com.att.myns.access|:ns|write",\r
- " com.att.myns.access|:role:myrole|create",\r
- " com.att.myns.access|:perm:mytype:myinstance:myaction|read",\r
- ""\r
- }\r
- )\r
- @Override\r
- public Result<PERMS> getPermsByUser(AuthzTrans trans, PERMS _perms, String user) {\r
- PERMS perms = _perms;\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("User", user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- //////////////\r
- Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user,trans.forceRequested());\r
- if(rlpd.notOK()) {\r
- return Result.err(rlpd);\r
- }\r
- \r
- /*//TODO \r
- 1) See if allowed to query\r
- 2) See if User is allowed\r
- */\r
- Result<List<PermDAO.Data>> in = mapper.perms(trans, perms);\r
- if(in.isOKhasData()) {\r
- List<PermDAO.Data> out = rlpd.value;\r
- boolean ok;\r
- for(PermDAO.Data pdd : in.value) {\r
- ok = false;\r
- if("access".equals(pdd.type)) {\r
- Access access = Access.valueOf(pdd.action);\r
- String[] mdkey = Split.splitTrim(':',pdd.instance);\r
- if(mdkey.length>1) {\r
- String type = mdkey[1];\r
- if("role".equals(type)) {\r
- if(mdkey.length>2) {\r
- RoleDAO.Data rdd = new RoleDAO.Data();\r
- rdd.ns=pdd.ns;\r
- rdd.name=mdkey[2];\r
- ok = ques.mayUser(trans, trans.user(), rdd, Access.read).isOK() && ques.mayUser(trans, user, rdd , access).isOK();\r
- }\r
- } else if("perm".equals(type)) {\r
- if(mdkey.length>4) { // also need instance/action\r
- PermDAO.Data p = new PermDAO.Data();\r
- p.ns=pdd.ns;\r
- p.type=mdkey[2];\r
- p.instance=mdkey[3];\r
- p.action=mdkey[4];\r
- ok = ques.mayUser(trans, trans.user(), p, Access.read).isOK() && ques.mayUser(trans, user, p , access).isOK();\r
- }\r
- } else if("ns".equals(type)) {\r
- NsDAO.Data ndd = new NsDAO.Data();\r
- ndd.name=pdd.ns;\r
- ok = ques.mayUser(trans, trans.user(), ndd, Access.read).isOK() && ques.mayUser(trans, user, ndd , access).isOK();\r
- }\r
- }\r
- }\r
- if(ok) {\r
- out.add(pdd);\r
- }\r
- }\r
- } \r
- \r
- perms = mapper.newInstance(API.PERMS);\r
- if(rlpd.isEmpty()) {\r
- return Result.ok(perms);\r
- }\r
- // Note: Mapper will restrict what can be viewed\r
- // if user is the same as that which is looked up, no filtering is required\r
- return mapper.perms(trans, rlpd.value, \r
- perms, \r
- !user.equals(trans.user()));\r
- }\r
- \r
- @ApiDoc( \r
- method = GET, \r
- path = "/authz/perms/role/:role",\r
- params = {"role|string|true"},\r
- expectedCode = 200,\r
- errorCodes = { 404,406 }, \r
- text = { "List All Permissions that are granted to :role" }\r
- )\r
- @Override\r
- public Result<PERMS> getPermsByRole(AuthzTrans trans,String role) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("Role", role).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques,role);\r
- if(rrdd.notOK()) {\r
- return Result.err(rrdd);\r
- }\r
-\r
- Result<NsDAO.Data> r = ques.mayUser(trans, trans.user(), rrdd.value, Access.read);\r
- if(r.notOK()) {\r
- return Result.err(r);\r
- }\r
-\r
- PERMS perms = mapper.newInstance(API.PERMS);\r
-\r
- Result<List<PermDAO.Data>> rlpd = ques.getPermsByRole(trans, role, trans.forceRequested());\r
- if(rlpd.isOKhasData()) {\r
- // Note: Mapper will restrict what can be viewed\r
- return mapper.perms(trans, rlpd.value, perms, true);\r
- }\r
- return Result.ok(perms);\r
- }\r
-\r
- @ApiDoc( \r
- method = GET, \r
- path = "/authz/perms/ns/:ns",\r
- params = {"ns|string|true"},\r
- expectedCode = 200,\r
- errorCodes = { 404,406 }, \r
- text = { "List All Permissions that are in Namespace :ns" }\r
- )\r
- @Override\r
- public Result<PERMS> getPermsByNS(AuthzTrans trans,String ns) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("NS", ns).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<NsDAO.Data> rnd = ques.deriveNs(trans, ns);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd);\r
- }\r
-\r
- rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
- \r
- Result<List<PermDAO.Data>> rlpd = ques.permDAO.readNS(trans, ns);\r
- if(rlpd.notOK()) {\r
- return Result.err(rlpd);\r
- }\r
-\r
- PERMS perms = mapper.newInstance(API.PERMS);\r
- if(!rlpd.isEmpty()) {\r
- // Note: Mapper will restrict what can be viewed\r
- return mapper.perms(trans, rlpd.value,perms, true);\r
- }\r
- return Result.ok(perms);\r
- }\r
- \r
- @ApiDoc( \r
- method = PUT, \r
- path = "/authz/perm/:type/:instance/:action",\r
- params = {"type|string|true",\r
- "instance|string|true",\r
- "action|string|true"},\r
- expectedCode = 200,\r
- errorCodes = { 404,406, 409 }, \r
- text = { "Rename the Permission referenced by :type :instance :action, and "\r
- + "rename (copy/delete) to the Permission described in PermRequest" }\r
- )\r
- @Override\r
- public Result<Void> renamePerm(final AuthzTrans trans,REQUEST rreq, String origType, String origInstance, String origAction) {\r
- final Result<PermDAO.Data> newPd = mapper.perm(trans, rreq);\r
- final Validator v = new Validator(trans);\r
- if(v.perm(newPd).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- if (ques.mayUser(trans, trans.user(), newPd.value,Access.write).notOK()) {\r
- return Result.err(Status.ERR_Denied, "You do not have approval to change Permission [%s.%s|%s|%s]",\r
- newPd.value.ns,newPd.value.type,newPd.value.instance,newPd.value.action);\r
- }\r
- \r
- Result<NsSplit> nss = ques.deriveNsSplit(trans, origType);\r
- Result<List<PermDAO.Data>> origRlpd = ques.permDAO.read(trans, nss.value.ns, nss.value.name, origInstance, origAction); \r
- \r
- if(origRlpd.notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_PermissionNotFound, \r
- "Permission [%s|%s|%s] does not exist",\r
- origType,origInstance,origAction);\r
- }\r
- \r
- PermDAO.Data origPd = origRlpd.value.get(0);\r
-\r
- if (!origPd.ns.equals(newPd.value.ns)) {\r
- return Result.err(Status.ERR_Denied, "Cannot change namespace with rename command. " +\r
- "<new type> must start with [" + origPd.ns + "]");\r
- }\r
- \r
- if ( origPd.type.equals(newPd.value.type) && \r
- origPd.action.equals(newPd.value.action) && \r
- origPd.instance.equals(newPd.value.instance) ) {\r
- return Result.err(Status.ERR_ConflictAlreadyExists, "New Permission must be different than original permission");\r
- }\r
- \r
- Set<String> origRoles = origPd.roles(false);\r
- if (!origRoles.isEmpty()) {\r
- Set<String> roles = newPd.value.roles(true);\r
- for (String role : origPd.roles) {\r
- roles.add(role); \r
- }\r
- } \r
- \r
- newPd.value.description = origPd.description;\r
- \r
- Result<Void> rv = null;\r
- \r
- rv = func.createPerm(trans, newPd.value, false);\r
- if (rv.isOK()) {\r
- rv = func.deletePerm(trans, origPd, true, false);\r
- }\r
- return rv;\r
- }\r
- \r
- @ApiDoc( \r
- method = PUT, \r
- path = "/authz/perm",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = { 404,406 }, \r
- text = { "Add Description Data to Perm" }\r
- )\r
- @Override\r
- public Result<Void> updatePermDescription(AuthzTrans trans, REQUEST from) {\r
- final Result<PermDAO.Data> pd = mapper.perm(trans, from);\r
- final Validator v = new Validator(trans);\r
- if(v.perm(pd).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- if(v.nullOrBlank("description", pd.value.description).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- final PermDAO.Data perm = pd.value;\r
- if(ques.permDAO.read(trans, perm.ns, perm.type, perm.instance,perm.action).notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_NotFound, "Permission [%s.%s|%s|%s] does not exist",\r
- perm.ns,perm.type,perm.instance,perm.action);\r
- }\r
-\r
- if (ques.mayUser(trans, trans.user(), perm, Access.write).notOK()) {\r
- return Result.err(Status.ERR_Denied, "You do not have approval to change Permission [%s.%s|%s|%s]",\r
- perm.ns,perm.type,perm.instance,perm.action);\r
- }\r
-\r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, pd.value.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
-\r
- Result<Void> rdr = ques.permDAO.addDescription(trans, perm.ns, perm.type, perm.instance,\r
- perm.action, perm.description);\r
- if(rdr.isOK()) {\r
- return Result.ok();\r
- } else {\r
- return Result.err(rdr);\r
- }\r
-\r
- }\r
- \r
- @ApiDoc(\r
- method = PUT,\r
- path = "/authz/role/perm",\r
- params = {},\r
- expectedCode = 201,\r
- errorCodes = {403,404,406,409},\r
- text = { "Set a permission's roles to roles given" }\r
- )\r
-\r
- @Override\r
- public Result<Void> resetPermRoles(final AuthzTrans trans, REQUEST rreq) {\r
- final Result<PermDAO.Data> updt = mapper.permFromRPRequest(trans, rreq);\r
- if(updt.notOKorIsEmpty()) {\r
- return Result.err(updt);\r
- }\r
-\r
- final Validator v = new Validator(trans);\r
- if(v.perm(updt).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<NsDAO.Data> nsd = ques.mayUser(trans, trans.user(), updt.value, Access.write);\r
- if (nsd.notOK()) {\r
- return Result.err(nsd);\r
- }\r
-\r
- // Read full set to get CURRENT values\r
- Result<List<PermDAO.Data>> rcurr = ques.permDAO.read(trans, \r
- updt.value.ns, \r
- updt.value.type, \r
- updt.value.instance, \r
- updt.value.action);\r
- \r
- if(rcurr.notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_PermissionNotFound, \r
- "Permission [%s.%s|%s|%s] does not exist",\r
- updt.value.ns,updt.value.type,updt.value.instance,updt.value.action);\r
- }\r
- \r
- // Create a set of Update Roles, which are in Internal Format\r
- Set<String> updtRoles = new HashSet<String>();\r
- Result<NsSplit> nss;\r
- for(String role : updt.value.roles(false)) {\r
- nss = ques.deriveNsSplit(trans, role);\r
- if(nss.isOK()) {\r
- updtRoles.add(nss.value.ns + '|' + nss.value.name);\r
- } else {\r
- trans.error().log(nss.errorString());\r
- }\r
- }\r
-\r
- Result<Void> rv = null;\r
- \r
- for(PermDAO.Data curr : rcurr.value) {\r
- Set<String> currRoles = curr.roles(false);\r
- // must add roles to this perm, and add this perm to each role \r
- // in the update, but not in the current \r
- for (String role : updtRoles) {\r
- if (!currRoles.contains(role)) {\r
- Result<RoleDAO.Data> key = RoleDAO.Data.decode(trans, ques, role);\r
- if(key.isOKhasData()) {\r
- Result<List<RoleDAO.Data>> rrd = ques.roleDAO.read(trans, key.value);\r
- if(rrd.isOKhasData()) {\r
- for(RoleDAO.Data r : rrd.value) {\r
- rv = func.addPermToRole(trans, r, curr, false);\r
- if (rv.notOK() && rv.status!=Result.ERR_ConflictAlreadyExists) {\r
- return Result.err(rv);\r
- }\r
- }\r
- } else {\r
- return Result.err(rrd);\r
- }\r
- }\r
- }\r
- }\r
- // similarly, must delete roles from this perm, and delete this perm from each role\r
- // in the update, but not in the current\r
- for (String role : currRoles) {\r
- if (!updtRoles.contains(role)) {\r
- Result<RoleDAO.Data> key = RoleDAO.Data.decode(trans, ques, role);\r
- if(key.isOKhasData()) {\r
- Result<List<RoleDAO.Data>> rdd = ques.roleDAO.read(trans, key.value);\r
- if(rdd.isOKhasData()) {\r
- for(RoleDAO.Data r : rdd.value) {\r
- rv = func.delPermFromRole(trans, r, curr, true);\r
- if (rv.notOK() && rv.status!=Status.ERR_PermissionNotFound) {\r
- return Result.err(rv);\r
- }\r
- }\r
- }\r
- }\r
- }\r
- } \r
- } \r
- return rv==null?Result.ok():rv; \r
- }\r
- \r
- @ApiDoc( \r
- method = DELETE,\r
- path = "/authz/perm",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = { 404,406 }, \r
- text = { "Delete the Permission referenced by PermKey.",\r
- "You cannot normally delete a permission which is still granted to roles,",\r
- "however the \"force\" property allows you to do just that. To do this: Add",\r
- "'force=true' as a query parameter.",\r
- "<p>WARNING: Using force will ungrant this permission from all roles. Use with care.</p>" }\r
- )\r
- @Override\r
- public Result<Void> deletePerm(final AuthzTrans trans, REQUEST from) {\r
- Result<PermDAO.Data> pd = mapper.perm(trans, from);\r
- if(pd.notOK()) {\r
- return Result.err(pd);\r
- }\r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank(pd.value).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- final PermDAO.Data perm = pd.value;\r
- if (ques.permDAO.read(trans, perm).notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_PermissionNotFound, "Permission [%s.%s|%s|%s] does not exist",\r
- perm.ns,perm.type,perm.instance,perm.action );\r
- }\r
-\r
- Result<FutureDAO.Data> fd = mapper.future(trans,PermDAO.TABLE,from,perm,false,\r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return "Delete Permission [" + perm.fullPerm() + ']';\r
- }\r
- },\r
- new MayChange() {\r
- private Result<NsDAO.Data> nsd;\r
- @Override\r
- public Result<?> mayChange() {\r
- if(nsd==null) {\r
- nsd = ques.mayUser(trans, trans.user(), perm, Access.write);\r
- }\r
- return nsd;\r
- }\r
- });\r
- \r
- switch(fd.status) {\r
- case OK:\r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, perm.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
- \r
- Result<List<Identity>> rfc = func.createFuture(trans, fd.value, \r
- perm.encode(), trans.user(),nsr.value.get(0),"D");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "Perm Deletion [%s] is saved for future processing",perm.encode());\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- return func.deletePerm(trans,perm,trans.forceRequested(), false);\r
- default:\r
- return Result.err(fd);\r
- } \r
- } \r
- \r
- @ApiDoc( \r
- method = DELETE,\r
- path = "/authz/perm/:name/:type/:action",\r
- params = {"type|string|true",\r
- "instance|string|true",\r
- "action|string|true"},\r
- expectedCode = 200,\r
- errorCodes = { 404,406 }, \r
- text = { "Delete the Permission referenced by :type :instance :action",\r
- "You cannot normally delete a permission which is still granted to roles,",\r
- "however the \"force\" property allows you to do just that. To do this: Add",\r
- "'force=true' as a query parameter",\r
- "<p>WARNING: Using force will ungrant this permission from all roles. Use with care.</p>"}\r
- )\r
- @Override\r
- public Result<Void> deletePerm(AuthzTrans trans, String type, String instance, String action) {\r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank("Type",type)\r
- .nullOrBlank("Instance",instance)\r
- .nullOrBlank("Action",action)\r
- .err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- Result<PermDAO.Data> pd = ques.permFrom(trans, type, instance, action);\r
- if(pd.isOK()) {\r
- return func.deletePerm(trans, pd.value, trans.forceRequested(), false);\r
- } else {\r
- return Result.err(pd);\r
- }\r
- }\r
-\r
-/***********************************\r
- * ROLE \r
- ***********************************/\r
- @ApiDoc(\r
- method = POST,\r
- path = "/authz/role",\r
- params = {},\r
- expectedCode = 201,\r
- errorCodes = {403,404,406,409},\r
- text = {\r
-\r
- "Roles are part of Namespaces",\r
- "Examples:",\r
- "<ul><li> org.osaaf - A Possible root Namespace for maintaining AAF</li>",\r
- "Roles do not include implied permissions for an App. Instead, they contain explicit Granted Permissions by any Namespace in AAF (See Permissions)",\r
- "Restrictions on Role Names:",\r
- "<ul><li>Must start with valid Namespace name, terminated by . (dot/period)</li>",\r
- "<li>Allowed Characters are a-zA-Z0-9._-</li>",\r
- "<li>role names are Case Sensitive</li></ul>",\r
- "The right questions to ask for defining and populating a Role in AAF, therefore, are:",\r
- "<ul><li>'What Job Function does this represent?'</li>",\r
- "<li>'Does this person perform this Job Function?'</li></ul>" }\r
- )\r
-\r
- @Override\r
- public Result<Void> createRole(final AuthzTrans trans, REQUEST from) {\r
- final Result<RoleDAO.Data> rd = mapper.role(trans, from);\r
- final Validator v = new Validator(trans);\r
- if(v.role(rd).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- final RoleDAO.Data role = rd.value;\r
- if(ques.roleDAO.read(trans, role.ns, role.name).isOKhasData()) {\r
- return Result.err(Status.ERR_ConflictAlreadyExists, "Role [" + role.fullName() + "] already exists");\r
- }\r
-\r
- Result<FutureDAO.Data> fd = mapper.future(trans,RoleDAO.TABLE,from,role,false,\r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return "Create Role [" + \r
- rd.value.fullName() + \r
- ']';\r
- }\r
- },\r
- new MayChange() {\r
- private Result<NsDAO.Data> nsd;\r
- @Override\r
- public Result<?> mayChange() {\r
- if(nsd==null) {\r
- nsd = ques.mayUser(trans, trans.user(), role, Access.write);\r
- }\r
- return nsd;\r
- }\r
- });\r
- \r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rd.value.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
-\r
- switch(fd.status) {\r
- case OK:\r
- Result<List<Identity>> rfc = func.createFuture(trans, fd.value, \r
- role.encode(), trans.user(),nsr.value.get(0),"C");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "Role [%s.%s] is saved for future processing",\r
- rd.value.ns,\r
- rd.value.name);\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- Result<RoleDAO.Data> rdr = ques.roleDAO.create(trans, role);\r
- if(rdr.isOK()) {\r
- return Result.ok();\r
- } else {\r
- return Result.err(rdr);\r
- }\r
- default:\r
- return Result.err(fd);\r
- }\r
- }\r
-\r
- /* (non-Javadoc)\r
- * @see org.onap.aaf.authz.service.AuthzService#getRolesByName(org.onap.aaf.authz.env.AuthzTrans, java.lang.String)\r
- */\r
- @ApiDoc(\r
- method = GET,\r
- path = "/authz/roles/:role",\r
- params = {"role|string|true"}, \r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "List Roles that match :role",\r
- "Note: You must have permission to see any given role"\r
- }\r
- )\r
- @Override\r
- public Result<ROLES> getRolesByName(AuthzTrans trans, String role) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("Role", role).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- // Determine if User can ask this question\r
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);\r
- if(rrdd.isOKhasData()) {\r
- Result<NsDAO.Data> r;\r
- if((r = ques.mayUser(trans, trans.user(), rrdd.value, Access.read)).notOK()) {\r
- return Result.err(r);\r
- }\r
- } else {\r
- return Result.err(rrdd);\r
- }\r
- \r
- // Look up data\r
- Result<List<RoleDAO.Data>> rlrd = ques.getRolesByName(trans, role);\r
- if(rlrd.isOK()) {\r
- // Note: Mapper will restrict what can be viewed\r
- ROLES roles = mapper.newInstance(API.ROLES);\r
- return mapper.roles(trans, rlrd.value, roles, true);\r
- } else {\r
- return Result.err(rlrd);\r
- }\r
- }\r
-\r
- /* (non-Javadoc)\r
- * @see org.onap.aaf.authz.service.AuthzService#getRolesByUser(org.onap.aaf.authz.env.AuthzTrans, java.lang.String)\r
- */\r
- @ApiDoc(\r
- method = GET,\r
- path = "/authz/roles/user/:name",\r
- params = {"name|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "List all Roles that match user :name",\r
- "'user' must be expressed as full identity (ex: id@full.domain.com)",\r
- "Note: You must have permission to see any given role"\r
- }\r
- )\r
-\r
- @Override\r
- public Result<ROLES> getRolesByUser(AuthzTrans trans, String user) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("User", user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- ROLES roles = mapper.newInstance(API.ROLES);\r
- // Get list of roles per user, then add to Roles as we go\r
- Result<List<RoleDAO.Data>> rlrd;\r
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, user);\r
- if(rlurd.isOKhasData()) {\r
- for(UserRoleDAO.Data urd : rlurd.value ) {\r
- rlrd = ques.roleDAO.read(trans, urd.ns,urd.rname);\r
- // Note: Mapper will restrict what can be viewed\r
- // if user is the same as that which is looked up, no filtering is required\r
- if(rlrd.isOKhasData()) {\r
- mapper.roles(trans, rlrd.value,roles, !user.equals(trans.user()));\r
- }\r
- }\r
- }\r
- return Result.ok(roles);\r
- }\r
-\r
- /*\r
- * (non-Javadoc)\r
- * @see org.onap.aaf.authz.service.AuthzService#getRolesByNS(org.onap.aaf.authz.env.AuthzTrans, java.lang.String)\r
- */\r
- @ApiDoc(\r
- method = GET,\r
- path = "/authz/roles/ns/:ns",\r
- params = {"ns|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "List all Roles for the Namespace :ns", \r
- "Note: You must have permission to see any given role"\r
- }\r
- )\r
-\r
- @Override\r
- public Result<ROLES> getRolesByNS(AuthzTrans trans, String ns) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("NS", ns).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- // check if user is allowed to view NS\r
- Result<NsDAO.Data> rnsd = ques.deriveNs(trans, ns); \r
- if(rnsd.notOK()) {\r
- return Result.err(rnsd); \r
- }\r
- rnsd = ques.mayUser(trans, trans.user(), rnsd.value, Access.read);\r
- if(rnsd.notOK()) {\r
- return Result.err(rnsd); \r
- }\r
-\r
- TimeTaken tt = trans.start("MAP Roles by NS to Roles", Env.SUB);\r
- try {\r
- ROLES roles = mapper.newInstance(API.ROLES);\r
- // Get list of roles per user, then add to Roles as we go\r
- Result<List<RoleDAO.Data>> rlrd = ques.roleDAO.readNS(trans, ns);\r
- if(rlrd.isOK()) {\r
- if(!rlrd.isEmpty()) {\r
- // Note: Mapper doesn't need to restrict what can be viewed, because we did it already.\r
- mapper.roles(trans,rlrd.value,roles,false);\r
- }\r
- return Result.ok(roles);\r
- } else {\r
- return Result.err(rlrd);\r
- }\r
- } finally {\r
- tt.done();\r
- }\r
- }\r
-\r
- /*\r
- * (non-Javadoc)\r
- * @see org.onap.aaf.authz.service.AuthzService#getRolesByNS(org.onap.aaf.authz.env.AuthzTrans, java.lang.String)\r
- */\r
- @ApiDoc(\r
- method = GET,\r
- path = "/authz/roles/name/:name",\r
- params = {"name|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "List all Roles for only the Name of Role (without Namespace)", \r
- "Note: You must have permission to see any given role"\r
- }\r
- )\r
- @Override\r
- public Result<ROLES> getRolesByNameOnly(AuthzTrans trans, String name) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("Name", name).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- // User Mapper to make sure user is allowed to view NS\r
-\r
- TimeTaken tt = trans.start("MAP Roles by Name to Roles", Env.SUB);\r
- try {\r
- ROLES roles = mapper.newInstance(API.ROLES);\r
- // Get list of roles per user, then add to Roles as we go\r
- Result<List<RoleDAO.Data>> rlrd = ques.roleDAO.readName(trans, name);\r
- if(rlrd.isOK()) {\r
- if(!rlrd.isEmpty()) {\r
- // Note: Mapper will restrict what can be viewed\r
- mapper.roles(trans,rlrd.value,roles,true);\r
- }\r
- return Result.ok(roles);\r
- } else {\r
- return Result.err(rlrd);\r
- }\r
- } finally {\r
- tt.done();\r
- }\r
- }\r
-\r
- @ApiDoc(\r
- method = GET,\r
- path = "/authz/roles/perm/:type/:instance/:action",\r
- params = {"type|string|true",\r
- "instance|string|true",\r
- "action|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "Find all Roles containing the given Permission." +\r
- "Permission consists of:",\r
- "<ul><li>type - a Namespace qualified identifier specifying what kind of resource "\r
- + "is being protected</li>",\r
- "<li>instance - a key, possibly multi-dimensional, that identifies a specific "\r
- + " instance of the type</li>",\r
- "<li>action - what kind of action is allowed</li></ul>",\r
- "Notes: instance and action can be an *",\r
- " You must have permission to see any given role"\r
- }\r
- )\r
-\r
- @Override\r
- public Result<ROLES> getRolesByPerm(AuthzTrans trans, String type, String instance, String action) {\r
- final Validator v = new Validator(trans);\r
- if(v.permType(type,null)\r
- .permInstance(instance)\r
- .permAction(action)\r
- .err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- TimeTaken tt = trans.start("Map Perm Roles Roles", Env.SUB);\r
- try {\r
- ROLES roles = mapper.newInstance(API.ROLES);\r
- // Get list of roles per user, then add to Roles as we go\r
- Result<NsSplit> nsSplit = ques.deriveNsSplit(trans, type);\r
- if(nsSplit.isOK()) {\r
- PermDAO.Data pdd = new PermDAO.Data(nsSplit.value, instance, action);\r
- Result<?> res;\r
- if((res=ques.mayUser(trans, trans.user(), pdd, Question.Access.read)).notOK()) {\r
- return Result.err(res);\r
- }\r
- \r
- Result<List<PermDAO.Data>> pdlr = ques.permDAO.read(trans, pdd);\r
- if(pdlr.isOK())for(PermDAO.Data pd : pdlr.value) {\r
- Result<List<RoleDAO.Data>> rlrd;\r
- for(String r : pd.roles) {\r
- Result<String[]> rs = RoleDAO.Data.decodeToArray(trans, ques, r);\r
- if(rs.isOK()) {\r
- rlrd = ques.roleDAO.read(trans, rs.value[0],rs.value[1]);\r
- // Note: Mapper will restrict what can be viewed\r
- if(rlrd.isOKhasData()) {\r
- mapper.roles(trans,rlrd.value,roles,true);\r
- }\r
- }\r
- }\r
- }\r
- }\r
- return Result.ok(roles);\r
- } finally {\r
- tt.done();\r
- }\r
- }\r
-\r
- @ApiDoc(\r
- method = PUT,\r
- path = "/authz/role",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "Add Description Data to a Role" }\r
- )\r
-\r
- @Override\r
- public Result<Void> updateRoleDescription(AuthzTrans trans, REQUEST from) {\r
- final Result<RoleDAO.Data> rd = mapper.role(trans, from);\r
- final Validator v = new Validator(trans);\r
- if(v.role(rd).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- } {\r
- if(v.nullOrBlank("description", rd.value.description).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- }\r
- final RoleDAO.Data role = rd.value;\r
- if(ques.roleDAO.read(trans, role.ns, role.name).notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_NotFound, "Role [" + role.fullName() + "] does not exist");\r
- }\r
-\r
- if (ques.mayUser(trans, trans.user(), role, Access.write).notOK()) {\r
- return Result.err(Status.ERR_Denied, "You do not have approval to change " + role.fullName());\r
- }\r
-\r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rd.value.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
-\r
- Result<Void> rdr = ques.roleDAO.addDescription(trans, role.ns, role.name, role.description);\r
- if(rdr.isOK()) {\r
- return Result.ok();\r
- } else {\r
- return Result.err(rdr);\r
- }\r
-\r
- }\r
- \r
- @ApiDoc(\r
- method = POST,\r
- path = "/authz/role/perm",\r
- params = {},\r
- expectedCode = 201,\r
- errorCodes = {403,404,406,409},\r
- text = { "Grant a Permission to a Role",\r
- "Permission consists of:", \r
- "<ul><li>type - a Namespace qualified identifier specifying what kind of resource "\r
- + "is being protected</li>",\r
- "<li>instance - a key, possibly multi-dimensional, that identifies a specific "\r
- + " instance of the type</li>",\r
- "<li>action - what kind of action is allowed</li></ul>",\r
- "Note: instance and action can be an *",\r
- "Note: Using the \"force\" property will create the Permission, if it doesn't exist AND the requesting " +\r
- " ID is allowed to create. It will then grant",\r
- " the permission to the role in one step. To do this: add 'force=true' as a query parameter."\r
- }\r
- )\r
-\r
- @Override\r
- public Result<Void> addPermToRole(final AuthzTrans trans, REQUEST rreq) {\r
- // Translate Request into Perm and Role Objects\r
- final Result<PermDAO.Data> rpd = mapper.permFromRPRequest(trans, rreq);\r
- if(rpd.notOKorIsEmpty()) {\r
- return Result.err(rpd);\r
- }\r
- final Result<RoleDAO.Data> rrd = mapper.roleFromRPRequest(trans, rreq);\r
- if(rrd.notOKorIsEmpty()) {\r
- return Result.err(rrd);\r
- }\r
- \r
- // Validate Role and Perm values\r
- final Validator v = new Validator(trans);\r
- if(v.perm(rpd.value)\r
- .role(rrd.value)\r
- .err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<List<RoleDAO.Data>> rlrd = ques.roleDAO.read(trans, rrd.value.ns, rrd.value.name);\r
- if(rlrd.notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_RoleNotFound, "Role [%s] does not exist", rrd.value.fullName());\r
- }\r
- \r
- // Check Status of Data in DB (does it exist)\r
- Result<List<PermDAO.Data>> rlpd = ques.permDAO.read(trans, rpd.value.ns, \r
- rpd.value.type, rpd.value.instance, rpd.value.action);\r
- PermDAO.Data createPerm = null; // if not null, create first\r
- if(rlpd.notOKorIsEmpty()) { // Permission doesn't exist\r
- if(trans.forceRequested()) {\r
- // Remove roles from perm data object so we just create the perm here\r
- createPerm = rpd.value;\r
- createPerm.roles.clear();\r
- } else {\r
- return Result.err(Status.ERR_PermissionNotFound,"Permission [%s.%s|%s|%s] does not exist", \r
- rpd.value.ns,rpd.value.type,rpd.value.instance,rpd.value.action);\r
- }\r
- } else {\r
- if (rlpd.value.get(0).roles(false).contains(rrd.value.encode())) {\r
- return Result.err(Status.ERR_ConflictAlreadyExists,\r
- "Permission [%s.%s|%s|%s] already granted to Role [%s.%s]",\r
- rpd.value.ns,rpd.value.type,rpd.value.instance,rpd.value.action,\r
- rrd.value.ns,rrd.value.name\r
- );\r
- }\r
- }\r
-\r
- \r
- Result<FutureDAO.Data> fd = mapper.future(trans, PermDAO.TABLE, rreq, rpd.value,true, // Allow grants to create Approvals\r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return "Grant Permission [" + rpd.value.fullPerm() + ']' +\r
- " to Role [" + rrd.value.fullName() + "]";\r
- }\r
- },\r
- new MayChange() {\r
- private Result<NsDAO.Data> nsd;\r
- @Override\r
- public Result<?> mayChange() {\r
- if(nsd==null) {\r
- nsd = ques.mayUser(trans, trans.user(), rpd.value, Access.write);\r
- }\r
- return nsd;\r
- }\r
- });\r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rpd.value.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
- switch(fd.status) {\r
- case OK:\r
- Result<List<Identity>> rfc = func.createFuture(trans,fd.value, \r
- rpd.value.fullPerm(),\r
- trans.user(),\r
- nsr.value.get(0),\r
- "G");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing",\r
- rpd.value.ns,\r
- rpd.value.type,\r
- rpd.value.instance,\r
- rpd.value.action);\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- Result<Void> rv = null;\r
- if(createPerm!=null) {// has been validated for creating\r
- rv = func.createPerm(trans, createPerm, false);\r
- }\r
- if(rv==null || rv.isOK()) {\r
- rv = func.addPermToRole(trans, rrd.value, rpd.value, false);\r
- }\r
- return rv;\r
- default:\r
- return Result.err(fd);\r
- }\r
- \r
- }\r
-\r
- /**\r
- * Create a RoleDAO.Data\r
- * @param trans\r
- * @param roleFullName\r
- * @return\r
- */\r
- @ApiDoc(\r
- method = DELETE,\r
- path = "/authz/role/:role/perm",\r
- params = {"role|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "Ungrant a permission from Role :role" }\r
- )\r
-\r
- @Override\r
- public Result<Void> delPermFromRole(final AuthzTrans trans, REQUEST rreq) {\r
- final Result<PermDAO.Data> updt = mapper.permFromRPRequest(trans, rreq);\r
- if(updt.notOKorIsEmpty()) {\r
- return Result.err(updt);\r
- }\r
- final Result<RoleDAO.Data> rrd = mapper.roleFromRPRequest(trans, rreq);\r
- if(rrd.notOKorIsEmpty()) {\r
- return Result.err(rrd);\r
- }\r
- \r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank(updt.value)\r
- .nullOrBlank(rrd.value)\r
- .err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- Result<List<PermDAO.Data>> rlpd = ques.permDAO.read(trans, updt.value.ns, updt.value.type, \r
- updt.value.instance, updt.value.action);\r
- \r
- if(rlpd.notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_PermissionNotFound, \r
- "Permission [%s.%s|%s|%s] does not exist",\r
- updt.value.ns,updt.value.type,updt.value.instance,updt.value.action);\r
- }\r
- \r
- Result<FutureDAO.Data> fd = mapper.future(trans, PermDAO.TABLE, rreq, updt.value,true, // allow ungrants requests\r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return "Ungrant Permission [" + updt.value.fullPerm() + ']' +\r
- " from Role [" + rrd.value.fullName() + "]";\r
- }\r
- },\r
- new MayChange() {\r
- private Result<NsDAO.Data> nsd;\r
- @Override\r
- public Result<?> mayChange() {\r
- if(nsd==null) {\r
- nsd = ques.mayUser(trans, trans.user(), updt.value, Access.write);\r
- }\r
- return nsd;\r
- }\r
- });\r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, updt.value.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
- switch(fd.status) {\r
- case OK:\r
- Result<List<Identity>> rfc = func.createFuture(trans,fd.value, \r
- updt.value.fullPerm(),\r
- trans.user(),\r
- nsr.value.get(0),\r
- "UG"\r
- );\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing",\r
- updt.value.ns,\r
- updt.value.type,\r
- updt.value.instance,\r
- updt.value.action);\r
- } else {\r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- return func.delPermFromRole(trans, rrd.value, updt.value, false);\r
- default:\r
- return Result.err(fd);\r
- }\r
- }\r
- \r
- @ApiDoc(\r
- method = DELETE,\r
- path = "/authz/role/:role",\r
- params = {"role|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "Delete the Role named :role"}\r
- )\r
-\r
- @Override\r
- public Result<Void> deleteRole(AuthzTrans trans, String role) {\r
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,ques,role);\r
- if(rrdd.isOKhasData()) {\r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank(rrdd.value).err()) { \r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- return func.deleteRole(trans, rrdd.value, false, false);\r
- } else {\r
- return Result.err(rrdd);\r
- }\r
- }\r
-\r
- @ApiDoc(\r
- method = DELETE,\r
- path = "/authz/role",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = { 404,406 },\r
- text = { "Delete the Role referenced by RoleKey",\r
- "You cannot normally delete a role which still has permissions granted or users assigned to it,",\r
- "however the \"force\" property allows you to do just that. To do this: Add 'force=true'",\r
- "as a query parameter.",\r
- "<p>WARNING: Using force will remove all users and permission from this role. Use with care.</p>"}\r
- )\r
-\r
- @Override\r
- public Result<Void> deleteRole(final AuthzTrans trans, REQUEST from) {\r
- final Result<RoleDAO.Data> rd = mapper.role(trans, from);\r
- final Validator v = new Validator(trans);\r
- if(rd==null) {\r
- return Result.err(Status.ERR_BadData,"Request does not contain Role");\r
- }\r
- if(v.nullOrBlank(rd.value).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- final RoleDAO.Data role = rd.value;\r
- if(ques.roleDAO.read(trans, role).notOKorIsEmpty() && !trans.forceRequested()) {\r
- return Result.err(Status.ERR_RoleNotFound, "Role [" + role.fullName() + "] does not exist");\r
- }\r
-\r
- Result<FutureDAO.Data> fd = mapper.future(trans,RoleDAO.TABLE,from,role,false,\r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return "Delete Role [" + role.fullName() + ']' \r
- + " and all attached user roles";\r
- }\r
- },\r
- new MayChange() {\r
- private Result<NsDAO.Data> nsd;\r
- @Override\r
- public Result<?> mayChange() {\r
- if(nsd==null) {\r
- nsd = ques.mayUser(trans, trans.user(), role, Access.write);\r
- }\r
- return nsd;\r
- }\r
- });\r
- \r
- switch(fd.status) {\r
- case OK:\r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rd.value.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
- \r
- Result<List<Identity>> rfc = func.createFuture(trans, fd.value, \r
- role.encode(), trans.user(),nsr.value.get(0),"D");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "Role Deletion [%s.%s] is saved for future processing",\r
- rd.value.ns,\r
- rd.value.name);\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- return func.deleteRole(trans,role,trans.forceRequested(), true /*preapproved*/);\r
- default:\r
- return Result.err(fd);\r
- }\r
-\r
- }\r
-\r
-/***********************************\r
- * CRED \r
- ***********************************/\r
- private class MayCreateCred implements MayChange {\r
- private Result<NsDAO.Data> nsd;\r
- private AuthzTrans trans;\r
- private CredDAO.Data cred;\r
- private Executor exec;\r
- \r
- public MayCreateCred(AuthzTrans trans, CredDAO.Data cred, Executor exec) {\r
- this.trans = trans;\r
- this.cred = cred;\r
- this.exec = exec;\r
- }\r
-\r
- @Override\r
- public Result<?> mayChange() {\r
- if(nsd==null) {\r
- nsd = ques.validNSOfDomain(trans, cred.id);\r
- }\r
- // is Ns of CredID valid?\r
- if(nsd.isOK()) {\r
- try {\r
- // Check Org Policy\r
- if(trans.org().validate(trans,Policy.CREATE_MECHID, exec, cred.id)==null) {\r
- return Result.ok(); \r
- } else {\r
- Result<?> rmc = ques.mayUser(trans, trans.user(), nsd.value, Access.write);\r
- if(rmc.isOKhasData()) {\r
- return rmc;\r
- }\r
- }\r
- } catch (Exception e) {\r
- trans.warn().log(e);\r
- }\r
- } else {\r
- trans.warn().log(nsd.errorString());\r
- }\r
- return Result.err(Status.ERR_Denied,"%s is not allowed to create %s in %s",trans.user(),cred.id,cred.ns);\r
- }\r
- }\r
-\r
- private class MayChangeCred implements MayChange {\r
- \r
- private Result<NsDAO.Data> nsd;\r
- private AuthzTrans trans;\r
- private CredDAO.Data cred;\r
- public MayChangeCred(AuthzTrans trans, CredDAO.Data cred) {\r
- this.trans = trans;\r
- this.cred = cred;\r
- }\r
-\r
- @Override\r
- public Result<?> mayChange() {\r
- // User can change himself (but not create)\r
- if(trans.user().equals(cred.id)) {\r
- return Result.ok();\r
- }\r
- if(nsd==null) {\r
- nsd = ques.validNSOfDomain(trans, cred.id);\r
- }\r
- // Get the Namespace\r
- if(nsd.isOK()) {\r
- if(ques.mayUser(trans, trans.user(), nsd.value,Access.write).isOK()) {\r
- return Result.ok();\r
- }\r
- String user[] = Split.split('.',trans.user());\r
- if(user.length>2) {\r
- String company = user[user.length-1] + '.' + user[user.length-2];\r
- if(ques.isGranted(trans, trans.user(), Define.ROOT_NS,"password",company,"reset")) {\r
- return Result.ok();\r
- }\r
- }\r
- }\r
- return Result.err(Status.ERR_Denied,"%s is not allowed to change %s in %s",trans.user(),cred.id,cred.ns);\r
- }\r
-\r
- }\r
-\r
- private final long DAY_IN_MILLIS = 24*3600*1000;\r
- \r
- @ApiDoc( \r
- method = POST, \r
- path = "/authn/cred",\r
- params = {},\r
- expectedCode = 201,\r
- errorCodes = {403,404,406,409}, \r
- text = { "A credential consists of:",\r
- "<ul><li>id - the ID to create within AAF. The domain is in reverse",\r
- "order of Namespace (i.e. Users of Namespace com.att.myapp would be",\r
- "AB1234@myapp.att.com</li>",\r
- "<li>password - Company Policy Compliant Password</li></ul>",\r
- "Note: AAF does support multiple credentials with the same ID.",\r
- "Check with your organization if you have this implemented."\r
- }\r
- )\r
- @Override\r
- public Result<Void> createUserCred(final AuthzTrans trans, REQUEST from) {\r
- final String cmdDescription = ("Create User Credential");\r
- TimeTaken tt = trans.start(cmdDescription, Env.SUB);\r
- \r
- try {\r
- Result<CredDAO.Data> rcred = mapper.cred(trans, from, true);\r
- if(rcred.isOKhasData()) {\r
- rcred = ques.userCredSetup(trans, rcred.value);\r
- \r
- final Validator v = new Validator();\r
- \r
- if(v.cred(trans.org(),rcred,true).err()) { // Note: Creates have stricter Validations \r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
-\r
- // 2016-4 JG, New Behavior - If MechID is not registered with Org, deny creation\r
- Identity mechID = null;\r
- Organization org = trans.org();\r
- try {\r
- mechID = org.getIdentity(trans, rcred.value.id);\r
- } catch (Exception e1) {\r
- trans.error().log(e1,rcred.value.id,"cannot be validated at this time");\r
- }\r
- if(mechID==null || !mechID.isFound()) { \r
- return Result.err(Status.ERR_Policy,"MechIDs must be registered with %s before provisioning in AAF",org.getName());\r
- }\r
-\r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rcred.value.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_NsNotFound,"Cannot provision %s on non-existent Namespace %s",mechID.id(),rcred.value.ns);\r
- }\r
-\r
- boolean firstID = false;\r
- MayChange mc;\r
- \r
- CassExecutor exec = new CassExecutor(trans, func);\r
- Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, rcred.value.id);\r
- if (rlcd.isOKhasData()) {\r
- if (!org.canHaveMultipleCreds(rcred.value.id)) {\r
- return Result.err(Status.ERR_ConflictAlreadyExists, "Credential exists");\r
- }\r
- for (CredDAO.Data curr : rlcd.value) {\r
- if (Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) && curr.type==rcred.value.type) {\r
- return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists, use 'reset'");\r
- }\r
- } \r
- } else {\r
- try {\r
- // 2016-04-12 JG If Caller is the Sponsor and is also an Owner of NS, allow without special Perm\r
- String theMechID = rcred.value.id;\r
- Boolean otherMechIDs = false;\r
- // find out if this is the only mechID. other MechIDs mean special handling (not automated)\r
- for(CredDAO.Data cd : ques.credDAO.readNS(trans,nsr.value.get(0).name).value) {\r
- if(!cd.id.equals(theMechID)) {\r
- otherMechIDs = true;\r
- break;\r
- }\r
- }\r
- String reason;\r
- // We can say "ID does not exist" here\r
- if((reason=org.validate(trans, Policy.CREATE_MECHID, exec, theMechID,trans.user(),otherMechIDs.toString()))!=null) {\r
- return Result.err(Status.ERR_Denied, reason); \r
- }\r
- firstID=true;\r
- } catch (Exception e) {\r
- return Result.err(e);\r
- }\r
- }\r
- \r
- mc = new MayCreateCred(trans, rcred.value, exec);\r
- \r
- final CredDAO.Data cdd = rcred.value;\r
- Result<FutureDAO.Data> fd = mapper.future(trans,CredDAO.TABLE,from, rcred.value,false, // may want to enable in future.\r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return cmdDescription + " [" + \r
- cdd.id + '|' \r
- + cdd.type + '|' \r
- + cdd.expires + ']';\r
- }\r
- },\r
- mc);\r
- \r
- switch(fd.status) {\r
- case OK:\r
- Result<List<Identity>> rfc = func.createFuture(trans, fd.value, \r
- rcred.value.id + '|' + rcred.value.type.toString() + '|' + rcred.value.expires,\r
- trans.user(), nsr.value.get(0), "C");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "Credential Request [%s|%s|%s] is saved for future processing",\r
- rcred.value.id,\r
- Integer.toString(rcred.value.type),\r
- rcred.value.expires.toString());\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- try {\r
- if(firstID) {\r
- // && !nsr.value.get(0).isAdmin(trans.getUserPrincipal().getName())) {\r
- Result<List<String>> admins = func.getAdmins(trans, nsr.value.get(0).name, false);\r
- // OK, it's a first ID, and not by NS Admin, so let's set TempPassword length\r
- // Note, we only do this on First time, because of possibility of \r
- // prematurely expiring a production id\r
- if(admins.isOKhasData() && !admins.value.contains(trans.user())) {\r
- rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime();\r
- }\r
- }\r
- } catch (Exception e) {\r
- trans.error().log(e, "While setting expiration to TempPassword");\r
- }\r
- Result<?>udr = ques.credDAO.create(trans, rcred.value);\r
- if(udr.isOK()) {\r
- return Result.ok();\r
- }\r
- return Result.err(udr);\r
- default:\r
- return Result.err(fd);\r
- }\r
-\r
- } else {\r
- return Result.err(rcred);\r
- }\r
- } finally {\r
- tt.done();\r
- }\r
- }\r
-\r
- @ApiDoc( \r
- method = GET, \r
- path = "/authn/creds/ns/:ns",\r
- params = {"ns|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {403,404,406}, \r
- text = { "Return all IDs in Namespace :ns"\r
- }\r
- )\r
- @Override\r
- public Result<USERS> getCredsByNS(AuthzTrans trans, String ns) {\r
- final Validator v = new Validator();\r
- if(v.ns(ns).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- // check if user is allowed to view NS\r
- Result<NsDAO.Data> rnd = ques.deriveNs(trans,ns);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
- rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
- \r
- TimeTaken tt = trans.start("MAP Creds by NS to Creds", Env.SUB);\r
- try { \r
- USERS users = mapper.newInstance(API.USERS);\r
- Result<List<CredDAO.Data>> rlcd = ques.credDAO.readNS(trans, ns);\r
- \r
- if(rlcd.isOK()) {\r
- if(!rlcd.isEmpty()) {\r
- return mapper.cred(rlcd.value, users);\r
- }\r
- return Result.ok(users); \r
- } else {\r
- return Result.err(rlcd);\r
- }\r
- } finally {\r
- tt.done();\r
- }\r
- \r
- }\r
-\r
- @ApiDoc( \r
- method = GET, \r
- path = "/authn/creds/id/:ns",\r
- params = {"id|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {403,404,406}, \r
- text = { "Return all IDs in for ID"\r
- ,"(because IDs are multiple, due to multiple Expiration Dates)"\r
- }\r
- )\r
- @Override\r
- public Result<USERS> getCredsByID(AuthzTrans trans, String id) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("ID",id).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- String ns = Question.domain2ns(id);\r
- // check if user is allowed to view NS\r
- Result<NsDAO.Data> rnd = ques.deriveNs(trans,ns);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
- rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
- \r
- TimeTaken tt = trans.start("MAP Creds by ID to Creds", Env.SUB);\r
- try { \r
- USERS users = mapper.newInstance(API.USERS);\r
- Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, id);\r
- \r
- if(rlcd.isOK()) {\r
- if(!rlcd.isEmpty()) {\r
- return mapper.cred(rlcd.value, users);\r
- }\r
- return Result.ok(users); \r
- } else {\r
- return Result.err(rlcd);\r
- }\r
- } finally {\r
- tt.done();\r
- }\r
- \r
- }\r
-\r
- @ApiDoc( \r
- method = GET, \r
- path = "/authn/certs/id/:id",\r
- params = {"id|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {403,404,406}, \r
- text = { "Return Cert Info for ID"\r
- }\r
- )\r
- @Override\r
- public Result<CERTS> getCertInfoByID(AuthzTrans trans, HttpServletRequest req, String id) {\r
- TimeTaken tt = trans.start("Get Cert Info by ID", Env.SUB);\r
- try { \r
- CERTS certs = mapper.newInstance(API.CERTS);\r
- Result<List<CertDAO.Data>> rlcd = ques.certDAO.readID(trans, id);\r
- \r
- if(rlcd.isOK()) {\r
- if(!rlcd.isEmpty()) {\r
- return mapper.cert(rlcd.value, certs);\r
- }\r
- return Result.ok(certs); \r
- } else { \r
- return Result.err(rlcd);\r
- }\r
- } finally {\r
- tt.done();\r
- }\r
-\r
- }\r
-\r
- @ApiDoc( \r
- method = PUT, \r
- path = "/authn/cred",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = {300,403,404,406}, \r
- text = { "Reset a Credential Password. If multiple credentials exist for this",\r
- "ID, you will need to specify which entry you are resetting in the",\r
- "CredRequest object"\r
- }\r
- )\r
- @Override\r
- public Result<Void> changeUserCred(final AuthzTrans trans, REQUEST from) {\r
- final String cmdDescription = "Update User Credential";\r
- TimeTaken tt = trans.start(cmdDescription, Env.SUB);\r
- try {\r
- Result<CredDAO.Data> rcred = mapper.cred(trans, from, true);\r
- if(rcred.isOKhasData()) {\r
- rcred = ques.userCredSetup(trans, rcred.value);\r
- \r
- final Validator v = new Validator();\r
- \r
- if(v.cred(trans.org(),rcred,false).err()) {// Note: Creates have stricter Validations \r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, rcred.value.id);\r
- if(rlcd.notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_UserNotFound, "Credential does not exist");\r
- } \r
- \r
- MayChange mc = new MayChangeCred(trans, rcred.value);\r
- Result<?> rmc = mc.mayChange(); \r
- if (rmc.notOK()) {\r
- return Result.err(rmc);\r
- }\r
- \r
- Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, rlcd.value);\r
- if(ri.notOK()) {\r
- return Result.err(ri);\r
- }\r
- int entry = ri.value;\r
- \r
- \r
- final CredDAO.Data cred = rcred.value;\r
- \r
- Result<FutureDAO.Data> fd = mapper.future(trans,CredDAO.TABLE,from, rcred.value,false,\r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return cmdDescription + " [" + \r
- cred.id + '|' \r
- + cred.type + '|' \r
- + cred.expires + ']';\r
- }\r
- },\r
- mc);\r
- \r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rcred.value.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
- \r
- switch(fd.status) {\r
- case OK:\r
- Result<List<Identity>> rfc = func.createFuture(trans, fd.value, \r
- rcred.value.id + '|' + rcred.value.type.toString() + '|' + rcred.value.expires,\r
- trans.user(), nsr.value.get(0), "U");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "Credential Request [%s|%s|%s]",\r
- rcred.value.id,\r
- Integer.toString(rcred.value.type),\r
- rcred.value.expires.toString());\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- Result<?>udr = null;\r
- // If we are Resetting Password on behalf of someone else (am not the Admin)\r
- // use TempPassword Expiration time.\r
- Expiration exp;\r
- if(ques.isAdmin(trans, trans.user(), nsr.value.get(0).name)) {\r
- exp = Expiration.Password;\r
- } else {\r
- exp = Expiration.TempPassword;\r
- }\r
- \r
- Organization org = trans.org();\r
- // If user resets password in same day, we will have a primary key conflict, so subtract 1 day\r
- if (rlcd.value.get(entry).expires.equals(rcred.value.expires) \r
- && rlcd.value.get(entry).type==rcred.value.type) {\r
- GregorianCalendar gc = org.expiration(null, exp,rcred.value.id);\r
- gc = Chrono.firstMomentOfDay(gc);\r
- gc.set(GregorianCalendar.HOUR_OF_DAY, org.startOfDay()); \r
- rcred.value.expires = new Date(gc.getTimeInMillis() - DAY_IN_MILLIS);\r
- } else {\r
- rcred.value.expires = org.expiration(null,exp).getTime();\r
- }\r
- \r
- udr = ques.credDAO.create(trans, rcred.value);\r
- if(udr.isOK()) {\r
- udr = ques.credDAO.delete(trans, rlcd.value.get(entry),false);\r
- }\r
- if (udr.isOK()) {\r
- return Result.ok();\r
- }\r
- \r
- return Result.err(udr);\r
- default:\r
- return Result.err(fd);\r
- }\r
- } else {\r
- return Result.err(rcred);\r
- }\r
- } finally {\r
- tt.done();\r
- }\r
- }\r
-\r
- /*\r
- * Codify the way to get Either Choice Needed or actual Integer from Credit Request\r
- */\r
- private Result<Integer> selectEntryIfMultiple(final CredRequest cr, List<CredDAO.Data> lcd) {\r
- int entry = 0;\r
- if (lcd.size() > 1) {\r
- String inputOption = cr.getEntry();\r
- if (inputOption == null) {\r
- String message = selectCredFromList(lcd, false);\r
- String[] variables = buildVariables(lcd);\r
- return Result.err(Status.ERR_ChoiceNeeded, message, variables);\r
- } else {\r
- entry = Integer.parseInt(inputOption) - 1;\r
- }\r
- if (entry < 0 || entry >= lcd.size()) {\r
- return Result.err(Status.ERR_BadData, "User chose invalid credential selection");\r
- }\r
- }\r
- return Result.ok(entry);\r
- }\r
- \r
- @ApiDoc( \r
- method = PUT, \r
- path = "/authn/cred/:days",\r
- params = {"days|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {300,403,404,406}, \r
- text = { "Extend a Credential Expiration Date. The intention of this API is",\r
- "to avoid an outage in PROD due to a Credential expiring before it",\r
- "can be configured correctly. Measures are being put in place ",\r
- "so that this is not abused."\r
- }\r
- )\r
- @Override\r
- public Result<Void> extendUserCred(final AuthzTrans trans, REQUEST from, String days) {\r
- TimeTaken tt = trans.start("Extend User Credential", Env.SUB);\r
- try {\r
- Result<CredDAO.Data> cred = mapper.cred(trans, from, false);\r
- Organization org = trans.org();\r
- final Validator v = new Validator();\r
- if(v.notOK(cred).err() || \r
- v.nullOrBlank(cred.value.id, "Invalid ID").err() ||\r
- v.user(org,cred.value.id).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- try {\r
- String reason;\r
- if ((reason=org.validate(trans, Policy.MAY_EXTEND_CRED_EXPIRES, new CassExecutor(trans,func)))!=null) {\r
- return Result.err(Status.ERR_Policy,reason);\r
- }\r
- } catch (Exception e) {\r
- String msg;\r
- trans.error().log(e, msg="Could not contact Organization for User Validation");\r
- return Result.err(Status.ERR_Denied, msg);\r
- }\r
- \r
- // Get the list of Cred Entries\r
- Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, cred.value.id);\r
- if(rlcd.notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_UserNotFound, "Credential does not exist");\r
- }\r
-\r
- //Need to do the "Pick Entry" mechanism\r
- Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, rlcd.value);\r
- if(ri.notOK()) {\r
- return Result.err(ri);\r
- }\r
-\r
- CredDAO.Data found = rlcd.value.get(ri.value);\r
- CredDAO.Data cd = cred.value;\r
- // Copy over the cred\r
- cd.cred = found.cred;\r
- cd.type = found.type;\r
- cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime();\r
- \r
- cred = ques.credDAO.create(trans, cd);\r
- if(cred.isOK()) {\r
- return Result.ok();\r
- }\r
- return Result.err(cred);\r
- } finally {\r
- tt.done();\r
- }\r
- } \r
-\r
- private String[] buildVariables(List<CredDAO.Data> value) {\r
- // ensure credentials are sorted so we can fully automate Cred regression test\r
- Collections.sort(value, new Comparator<CredDAO.Data>() {\r
- @Override\r
- public int compare(CredDAO.Data cred1, CredDAO.Data cred2) {\r
- return cred1.expires.compareTo(cred2.expires);\r
- } \r
- });\r
- String [] vars = new String[value.size()+1];\r
- vars[0]="Choice";\r
- for (int i = 0; i < value.size(); i++) {\r
- vars[i+1] = value.get(i).id + " " + value.get(i).type \r
- + " |" + value.get(i).expires;\r
- }\r
- return vars;\r
- }\r
- \r
- private String selectCredFromList(List<CredDAO.Data> value, boolean isDelete) {\r
- StringBuilder errMessage = new StringBuilder();\r
- String userPrompt = isDelete?"Select which cred to delete (set force=true to delete all):":"Select which cred to update:";\r
- int numSpaces = value.get(0).id.length() - "Id".length();\r
- \r
- errMessage.append(userPrompt + '\n');\r
- errMessage.append(" Id");\r
- for (int i = 0; i < numSpaces; i++) {\r
- errMessage.append(' ');\r
- }\r
- errMessage.append(" Type Expires" + '\n');\r
- for(int i=0;i<value.size();++i) {\r
- errMessage.append(" %s\n");\r
- }\r
- errMessage.append("Run same command again with chosen entry as last parameter");\r
- \r
- return errMessage.toString();\r
- \r
- }\r
-\r
- @ApiDoc( \r
- method = DELETE, \r
- path = "/authn/cred",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = {300,403,404,406}, \r
- text = { "Delete a Credential. If multiple credentials exist for this",\r
- "ID, you will need to specify which entry you are deleting in the",\r
- "CredRequest object."\r
- }\r
- )\r
- @Override\r
- public Result<Void> deleteUserCred(AuthzTrans trans, REQUEST from) {\r
- final Result<CredDAO.Data> cred = mapper.cred(trans, from, false);\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("cred", cred.value.id).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, cred.value.id);\r
- if(rlcd.notOKorIsEmpty()) {\r
- // Empty Creds should have no user_roles.\r
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, cred.value.id);\r
- if(rlurd.isOK()) {\r
- for(UserRoleDAO.Data data : rlurd.value) {\r
- ques.userRoleDAO.delete(trans, data, false);\r
- }\r
- }\r
- return Result.err(Status.ERR_UserNotFound, "Credential does not exist");\r
- }\r
- boolean isLastCred = rlcd.value.size()==1;\r
- \r
- MayChange mc = new MayChangeCred(trans,cred.value);\r
- Result<?> rmc = mc.mayChange(); \r
- if (rmc.notOK()) {\r
- return Result.err(rmc);\r
- }\r
- \r
- int entry = 0;\r
- if(!trans.forceRequested()) {\r
- if (rlcd.value.size() > 1) {\r
- CredRequest cr = (CredRequest)from;\r
- String inputOption = cr.getEntry();\r
- if (inputOption == null) {\r
- String message = selectCredFromList(rlcd.value, true);\r
- String[] variables = buildVariables(rlcd.value);\r
- return Result.err(Status.ERR_ChoiceNeeded, message, variables);\r
- } else {\r
- try {\r
- entry = Integer.parseInt(inputOption) - 1;\r
- } catch(NumberFormatException e) {\r
- return Result.err(Status.ERR_BadData, "User chose invalid credential selection");\r
- }\r
- }\r
- isLastCred = (entry==-1)?true:false;\r
- } else {\r
- isLastCred = true;\r
- }\r
- if (entry < -1 || entry >= rlcd.value.size()) {\r
- return Result.err(Status.ERR_BadData, "User chose invalid credential selection");\r
- }\r
- }\r
- \r
- Result<FutureDAO.Data> fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false, \r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return "Delete Credential [" + \r
- cred.value.id + \r
- ']';\r
- }\r
- },\r
- mc);\r
- \r
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, cred.value.ns);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
- \r
- switch(fd.status) {\r
- case OK:\r
- Result<List<Identity>> rfc = func.createFuture(trans, fd.value, cred.value.id,\r
- trans.user(), nsr.value.get(0),"D");\r
- \r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "Credential Delete [%s] is saved for future processing",cred.value.id);\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- Result<?>udr = null;\r
- if (!trans.forceRequested()) {\r
- if(entry<0 || entry >= rlcd.value.size()) {\r
- return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id);\r
- }\r
- udr = ques.credDAO.delete(trans, rlcd.value.get(entry),false);\r
- } else {\r
- for (CredDAO.Data curr : rlcd.value) {\r
- udr = ques.credDAO.delete(trans, curr, false);\r
- if (udr.notOK()) {\r
- return Result.err(udr);\r
- }\r
- }\r
- }\r
- if(isLastCred) {\r
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, cred.value.id);\r
- if(rlurd.isOK()) {\r
- for(UserRoleDAO.Data data : rlurd.value) {\r
- ques.userRoleDAO.delete(trans, data, false);\r
- }\r
- }\r
- }\r
- if (udr.isOK()) {\r
- return Result.ok();\r
- }\r
- return Result.err(udr);\r
- default:\r
- return Result.err(fd);\r
- }\r
- \r
- }\r
-\r
-\r
- @Override\r
- public Result<Date> doesCredentialMatch(AuthzTrans trans, REQUEST credReq) {\r
- TimeTaken tt = trans.start("Does Credential Match", Env.SUB);\r
- try {\r
- // Note: Mapper assigns RAW type\r
- Result<CredDAO.Data> data = mapper.cred(trans, credReq,false);\r
- if(data.notOKorIsEmpty()) {\r
- return Result.err(data);\r
- }\r
- CredDAO.Data cred = data.value; // of the Mapped Cred\r
- return ques.doesUserCredMatch(trans, cred.id, cred.cred.array());\r
-\r
- } catch (DAOException e) {\r
- trans.error().log(e,"Error looking up cred");\r
- return Result.err(Status.ERR_Denied,"Credential does not match");\r
- } finally {\r
- tt.done();\r
- }\r
- }\r
-\r
- @ApiDoc( \r
- method = GET, \r
- path = "/authn/basicAuth",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = { 403 }, \r
- text = { "Validate a Password using BasicAuth Base64 encoded Header. This HTTP/S call is intended as a fast"\r
- + " User/Password lookup for Security Frameworks, and responds 200 if it passes BasicAuth "\r
- + "security, and 403 if it does not." }\r
- )\r
- private void basicAuth() {\r
- // This is a place holder for Documentation. The real BasicAuth API does not call Service.\r
- }\r
- \r
- @ApiDoc( \r
- method = POST, \r
- path = "/authn/validate",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = { 403 }, \r
- text = { "Validate a Credential given a Credential Structure. This is a more comprehensive validation, can "\r
- + "do more than BasicAuth as Credential types exp" }\r
- )\r
- @Override\r
- public Result<Date> validateBasicAuth(AuthzTrans trans, String basicAuth) {\r
- //TODO how to make sure people don't use this in browsers? Do we care?\r
- TimeTaken tt = trans.start("Validate Basic Auth", Env.SUB);\r
- try {\r
- BasicPrincipal bp = new BasicPrincipal(basicAuth,trans.org().getRealm());\r
- Result<Date> rq = ques.doesUserCredMatch(trans, bp.getName(), bp.getCred());\r
- // Note: Only want to log problem, don't want to send back to end user\r
- if(rq.isOK()) {\r
- return rq;\r
- } else {\r
- trans.audit().log(rq.errorString());\r
- }\r
- } catch (Exception e) {\r
- trans.warn().log(e);\r
- } finally {\r
- tt.done();\r
- }\r
- return Result.err(Status.ERR_Denied,"Bad Basic Auth");\r
- }\r
-\r
-/***********************************\r
- * USER-ROLE \r
- ***********************************/\r
- @ApiDoc( \r
- method = POST, \r
- path = "/authz/userRole",\r
- params = {},\r
- expectedCode = 201,\r
- errorCodes = {403,404,406,409}, \r
- text = { "Create a UserRole relationship (add User to Role)",\r
- "A UserRole is an object Representation of membership of a Role for limited time.",\r
- "If a shorter amount of time for Role ownership is required, use the 'End' field.",\r
- "** Note: Owners of Namespaces will be required to revalidate users in these roles ",\r
- "before Expirations expire. Namespace owners will be notified by email."\r
- }\r
- )\r
- @Override\r
- public Result<Void> createUserRole(final AuthzTrans trans, REQUEST from) {\r
- TimeTaken tt = trans.start("Create UserRole", Env.SUB);\r
- try {\r
- Result<UserRoleDAO.Data> urr = mapper.userRole(trans, from);\r
- if(urr.notOKorIsEmpty()) {\r
- return Result.err(urr);\r
- }\r
- final UserRoleDAO.Data userRole = urr.value;\r
- \r
- final Validator v = new Validator();\r
- if(v.user_role(userRole).err() ||\r
- v.user(trans.org(), userRole.user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
-\r
- \r
- // Check if user can change first\r
- Result<FutureDAO.Data> fd = mapper.future(trans,UserRoleDAO.TABLE,from,urr.value,true, // may request Approvals\r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- return "Add User [" + userRole.user + "] to Role [" + \r
- userRole.role + \r
- ']';\r
- }\r
- },\r
- new MayChange() {\r
- private Result<NsDAO.Data> nsd;\r
- @Override\r
- public Result<?> mayChange() {\r
- if(nsd==null) {\r
- RoleDAO.Data r = RoleDAO.Data.decode(userRole);\r
- nsd = ques.mayUser(trans, trans.user(), r, Access.write);\r
- }\r
- return nsd;\r
- }\r
- });\r
- Result<NsDAO.Data> nsr = ques.deriveNs(trans, userRole.role);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr);\r
- }\r
-\r
- switch(fd.status) {\r
- case OK:\r
- Result<List<Identity>> rfc = func.createFuture(trans, fd.value, userRole.user+'|'+userRole.ns + '.' + userRole.rname, \r
- userRole.user, nsr.value, "C");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "UserRole [%s - %s.%s] is saved for future processing",\r
- userRole.user,\r
- userRole.ns,\r
- userRole.rname);\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- return func.addUserRole(trans, userRole);\r
- default:\r
- return Result.err(fd);\r
- }\r
- } finally {\r
- tt.done();\r
- }\r
- }\r
- \r
- /**\r
- * getUserRolesByRole\r
- */\r
- @ApiDoc(\r
- method = GET,\r
- path = "/authz/userRoles/role/:role",\r
- params = {"role|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "List all Users that are attached to Role specified in :role",\r
- }\r
- )\r
- @Override\r
- public Result<USERROLES> getUserRolesByRole(AuthzTrans trans, String role) {\r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank("Role",role).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- Result<RoleDAO.Data> rrdd;\r
- rrdd = RoleDAO.Data.decode(trans,ques,role);\r
- if(rrdd.notOK()) {\r
- return Result.err(rrdd);\r
- }\r
- // May Requester see result?\r
- Result<NsDAO.Data> ns = ques.mayUser(trans,trans.user(), rrdd.value,Access.read);\r
- if (ns.notOK()) {\r
- return Result.err(ns);\r
- }\r
- \r
- // boolean filter = true; \r
- // if (ns.value.isAdmin(trans.user()) || ns.value.isResponsible(trans.user()))\r
- // filter = false;\r
- \r
- // Get list of roles per user, then add to Roles as we go\r
- HashSet<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();\r
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role);\r
- if(rlurd.isOK()) {\r
- for(UserRoleDAO.Data data : rlurd.value) {\r
- userSet.add(data);\r
- }\r
- }\r
- \r
- @SuppressWarnings("unchecked")\r
- USERROLES users = (USERROLES) mapper.newInstance(API.USER_ROLES);\r
- // Checked for permission\r
- mapper.userRoles(trans, userSet, users);\r
- return Result.ok(users);\r
- }\r
- /**\r
- * getUserRolesByRole\r
- */\r
- @ApiDoc(\r
- method = GET,\r
- path = "/authz/userRoles/user/:user",\r
- params = {"role|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "List all UserRoles for :user",\r
- }\r
- )\r
- @Override\r
- public Result<USERROLES> getUserRolesByUser(AuthzTrans trans, String user) {\r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank("User",user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- // Get list of roles per user, then add to Roles as we go\r
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, user);\r
- if(rlurd.notOK()) { \r
- return Result.err(rlurd);\r
- }\r
- @SuppressWarnings("unchecked")\r
- USERROLES users = (USERROLES) mapper.newInstance(API.USER_ROLES);\r
- // Checked for permission\r
- mapper.userRoles(trans, rlurd.value, users);\r
- return Result.ok(users);\r
- }\r
-\r
- \r
- @ApiDoc( \r
- method = PUT, \r
- path = "/authz/userRole/user",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = {403,404,406}, \r
- text = { "Set a User's roles to the roles specified in the UserRoleRequest object.",\r
- "WARNING: Roles supplied will be the ONLY roles attached to this user",\r
- "If no roles are supplied, user's roles are reset."\r
- }\r
- )\r
- @Override\r
- public Result<Void> resetRolesForUser(AuthzTrans trans, REQUEST rreq) {\r
- Result<UserRoleDAO.Data> rurdd = mapper.userRole(trans, rreq);\r
- final Validator v = new Validator();\r
- if(rurdd.notOKorIsEmpty()) {\r
- return Result.err(rurdd);\r
- }\r
- if (v.user(trans.org(), rurdd.value.user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Set<String> currRoles = new HashSet<String>();\r
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, rurdd.value.user);\r
- if(rlurd.isOK()) {\r
- for(UserRoleDAO.Data data : rlurd.value) {\r
- currRoles.add(data.role);\r
- }\r
- }\r
- \r
- Result<Void> rv = null;\r
- String[] roles;\r
- if(rurdd.value.role==null) {\r
- roles = new String[0];\r
- } else {\r
- roles = rurdd.value.role.split(",");\r
- }\r
- \r
- for (String role : roles) { \r
- if (v.role(role).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);\r
- if(rrdd.notOK()) {\r
- return Result.err(rrdd);\r
- }\r
- \r
- rurdd.value.role(rrdd.value);\r
- \r
- Result<NsDAO.Data> nsd = ques.mayUser(trans, trans.user(), rrdd.value,Access.write);\r
- if (nsd.notOK()) {\r
- return Result.err(nsd);\r
- }\r
- Result<NsDAO.Data> nsr = ques.deriveNs(trans, role);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr); \r
- }\r
- \r
- if(currRoles.contains(role)) {\r
- currRoles.remove(role);\r
- } else {\r
- rv = func.addUserRole(trans, rurdd.value);\r
- if (rv.notOK()) {\r
- return rv;\r
- }\r
- }\r
- }\r
- \r
- for (String role : currRoles) {\r
- rurdd.value.role(trans,ques,role);\r
- rv = ques.userRoleDAO.delete(trans, rurdd.value, true);\r
- if(rv.notOK()) {\r
- trans.info().log(rurdd.value.user,"/",rurdd.value.role, "expected to be deleted, but does not exist");\r
- // return rv; // if it doesn't exist, don't error out\r
- }\r
-\r
- }\r
- \r
- return Result.ok(); \r
- \r
- }\r
- \r
- @ApiDoc( \r
- method = PUT, \r
- path = "/authz/userRole/role",\r
- params = {},\r
- expectedCode = 200,\r
- errorCodes = {403,404,406}, \r
- text = { "Set a Role's users to the users specified in the UserRoleRequest object.",\r
- "WARNING: Users supplied will be the ONLY users attached to this role",\r
- "If no users are supplied, role's users are reset."\r
- }\r
- )\r
- @Override\r
- public Result<Void> resetUsersForRole(AuthzTrans trans, REQUEST rreq) {\r
- Result<UserRoleDAO.Data> rurdd = mapper.userRole(trans, rreq);\r
- if(rurdd.notOKorIsEmpty()) {\r
- return Result.err(rurdd);\r
- }\r
- final Validator v = new Validator();\r
- if (v.user_role(rurdd.value).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- RoleDAO.Data rd = RoleDAO.Data.decode(rurdd.value);\r
-\r
- Result<NsDAO.Data> nsd = ques.mayUser(trans, trans.user(), rd, Access.write);\r
- if (nsd.notOK()) {\r
- return Result.err(nsd);\r
- }\r
-\r
- Result<NsDAO.Data> nsr = ques.deriveNs(trans, rurdd.value.role);\r
- if(nsr.notOKorIsEmpty()) {\r
- return Result.err(nsr); \r
- }\r
-\r
- Set<String> currUsers = new HashSet<String>();\r
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, rurdd.value.role);\r
- if(rlurd.isOK()) { \r
- for(UserRoleDAO.Data data : rlurd.value) {\r
- currUsers.add(data.user);\r
- }\r
- }\r
- \r
- // found when connected remotely to DEVL, can't replicate locally\r
- // inconsistent errors with cmd: role user setTo [nothing]\r
- // deleteUserRole --> read --> get --> cacheIdx(?)\r
- // sometimes returns idx for last added user instead of user passed in\r
- // cache bug? \r
- \r
- \r
- Result<Void> rv = null;\r
- String[] users = {};\r
- if (rurdd.value.user != null) {\r
- users = rurdd.value.user.split(",");\r
- }\r
- \r
- for (String user : users) { \r
- if (v.user(trans.org(), user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- rurdd.value.user = user;\r
-\r
- if(currUsers.contains(user)) {\r
- currUsers.remove(user);\r
- } else {\r
- rv = func.addUserRole(trans, rurdd.value);\r
- if (rv.notOK()) { \r
- return rv;\r
- }\r
- }\r
- }\r
- \r
- for (String user : currUsers) {\r
- rurdd.value.user = user; \r
- rv = ques.userRoleDAO.delete(trans, rurdd.value, true);\r
- if(rv.notOK()) {\r
- trans.info().log(rurdd.value, "expected to be deleted, but not exists");\r
- return rv;\r
- }\r
- } \r
- \r
- return Result.ok(); \r
- }\r
- \r
- @ApiDoc(\r
- method = GET,\r
- path = "/authz/userRole/extend/:user/:role",\r
- params = { "user|string|true",\r
- "role|string|true"\r
- },\r
- expectedCode = 200,\r
- errorCodes = {403,404,406},\r
- text = { "Extend the Expiration of this User Role by the amount set by Organization",\r
- "Requestor must be allowed to modify the role"\r
- }\r
- )\r
- @Override\r
- public Result<Void> extendUserRole(AuthzTrans trans, String user, String role) {\r
- Organization org = trans.org();\r
- final Validator v = new Validator();\r
- if(v.user(org, user)\r
- .role(role)\r
- .err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,ques,role);\r
- if(rrdd.notOK()) {\r
- return Result.err(rrdd);\r
- }\r
- \r
- Result<NsDAO.Data> rcr = ques.mayUser(trans, trans.user(), rrdd.value, Access.write);\r
- boolean mayNotChange;\r
- if((mayNotChange = rcr.notOK()) && !trans.futureRequested()) {\r
- return Result.err(rcr);\r
- }\r
- \r
- Result<List<UserRoleDAO.Data>> rr = ques.userRoleDAO.read(trans, user,role);\r
- if(rr.notOK()) {\r
- return Result.err(rr);\r
- }\r
- for(UserRoleDAO.Data userRole : rr.value) {\r
- if(mayNotChange) { // Function exited earlier if !trans.futureRequested\r
- FutureDAO.Data fto = new FutureDAO.Data();\r
- fto.target=UserRoleDAO.TABLE;\r
- fto.memo = "Extend User ["+userRole.user+"] in Role ["+userRole.role+"]";\r
- GregorianCalendar now = new GregorianCalendar();\r
- fto.start = now.getTime();\r
- fto.expires = org.expiration(now, Expiration.Future).getTime();\r
- try {\r
- fto.construct = userRole.bytify();\r
- } catch (IOException e) {\r
- trans.error().log(e, "Error while bytifying UserRole for Future");\r
- return Result.err(e);\r
- }\r
-\r
- Result<List<Identity>> rfc = func.createFuture(trans, fto, \r
- userRole.user+'|'+userRole.role, userRole.user, rcr.value, "U");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "UserRole [%s - %s] is saved for future processing",\r
- userRole.user,\r
- userRole.role);\r
- } else {\r
- return Result.err(rfc);\r
- }\r
- } else {\r
- return func.extendUserRole(trans, userRole, false);\r
- }\r
- }\r
- return Result.err(Result.ERR_NotFound,"This user and role doesn't exist");\r
- }\r
-\r
- @ApiDoc( \r
- method = DELETE, \r
- path = "/authz/userRole/:user/:role",\r
- params = { "user|string|true",\r
- "role|string|true"\r
- },\r
- expectedCode = 200,\r
- errorCodes = {403,404,406}, \r
- text = { "Remove Role :role from User :user."\r
- }\r
- )\r
- @Override\r
- public Result<Void> deleteUserRole(AuthzTrans trans, String usr, String role) {\r
- Validator val = new Validator();\r
- if(val.nullOrBlank("User", usr)\r
- .nullOrBlank("Role", role).err()) {\r
- return Result.err(Status.ERR_BadData, val.errs());\r
- }\r
-\r
- boolean mayNotChange;\r
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,ques,role);\r
- if(rrdd.notOK()) {\r
- return Result.err(rrdd);\r
- }\r
- \r
- RoleDAO.Data rdd = rrdd.value;\r
- // Make sure we don't delete the last owner\r
- if(Question.OWNER.equals(rdd.name) && ques.countOwner(trans, usr, rdd.ns)<=1) {\r
- return Result.err(Status.ERR_Denied,"You may not delete the last Owner of " + rdd.ns );\r
- }\r
- \r
- Result<NsDAO.Data> rns = ques.mayUser(trans, trans.user(), rdd, Access.write);\r
- if(mayNotChange=rns.notOK()) {\r
- if(!trans.futureRequested()) {\r
- return Result.err(rns);\r
- }\r
- }\r
-\r
- Result<List<UserRoleDAO.Data>> rulr;\r
- if((rulr=ques.userRoleDAO.read(trans, usr, role)).notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_UserRoleNotFound, "User [ "+usr+" ] is not "\r
- + "Assigned to the Role [ " + role + " ]");\r
- }\r
-\r
- UserRoleDAO.Data userRole = rulr.value.get(0);\r
- if(mayNotChange) { // Function exited earlier if !trans.futureRequested\r
- FutureDAO.Data fto = new FutureDAO.Data();\r
- fto.target=UserRoleDAO.TABLE;\r
- fto.memo = "Remove User ["+userRole.user+"] from Role ["+userRole.role+"]";\r
- GregorianCalendar now = new GregorianCalendar();\r
- fto.start = now.getTime();\r
- fto.expires = trans.org().expiration(now, Expiration.Future).getTime();\r
-\r
- Result<List<Identity>> rfc = func.createFuture(trans, fto, \r
- userRole.user+'|'+userRole.role, userRole.user, rns.value, "D");\r
- if(rfc.isOK()) {\r
- return Result.err(Status.ACC_Future, "UserRole [%s - %s] is saved for future processing", \r
- userRole.user,\r
- userRole.role);\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- } else {\r
- return ques.userRoleDAO.delete(trans, rulr.value.get(0), false);\r
- }\r
- }\r
-\r
- @ApiDoc( \r
- method = GET, \r
- path = "/authz/userRole/:user/:role",\r
- params = {"user|string|true",\r
- "role|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {403,404,406}, \r
- text = { "Returns the User (with Expiration date from listed User/Role) if it exists"\r
- }\r
- )\r
- @Override\r
- public Result<USERS> getUserInRole(AuthzTrans trans, String user, String role) {\r
- final Validator v = new Validator();\r
- if(v.role(role).nullOrBlank("User", user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
-// Result<NsDAO.Data> ns = ques.deriveNs(trans, role);\r
-// if (ns.notOK()) return Result.err(ns);\r
-// \r
-// Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), ns.value, Access.write);\r
- // May calling user see by virtue of the Role\r
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);\r
- if(rrdd.notOK()) {\r
- return Result.err(rrdd);\r
- }\r
- Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), rrdd.value,Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
- \r
- HashSet<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();\r
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readUserInRole(trans, user, role);\r
- if(rlurd.isOK()) {\r
- for(UserRoleDAO.Data data : rlurd.value) {\r
- userSet.add(data);\r
- }\r
- }\r
- \r
- @SuppressWarnings("unchecked")\r
- USERS users = (USERS) mapper.newInstance(API.USERS);\r
- mapper.users(trans, userSet, users);\r
- return Result.ok(users);\r
- }\r
-\r
- @ApiDoc( \r
- method = GET, \r
- path = "/authz/users/role/:role",\r
- params = {"user|string|true",\r
- "role|string|true"},\r
- expectedCode = 200,\r
- errorCodes = {403,404,406}, \r
- text = { "Returns the User (with Expiration date from listed User/Role) if it exists"\r
- }\r
- )\r
- @Override\r
- public Result<USERS> getUsersByRole(AuthzTrans trans, String role) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("Role",role).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
-// Result<NsDAO.Data> ns = ques.deriveNs(trans, role);\r
-// if (ns.notOK()) return Result.err(ns);\r
-// \r
-// Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), ns.value, Access.write);\r
- // May calling user see by virtue of the Role\r
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);\r
- if(rrdd.notOK()) {\r
- return Result.err(rrdd);\r
- }\r
- Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), rrdd.value,Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
- \r
- HashSet<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();\r
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role);\r
- if(rlurd.isOK()) { \r
- for(UserRoleDAO.Data data : rlurd.value) {\r
- userSet.add(data);\r
- }\r
- }\r
- \r
- @SuppressWarnings("unchecked")\r
- USERS users = (USERS) mapper.newInstance(API.USERS);\r
- mapper.users(trans, userSet, users);\r
- return Result.ok(users);\r
- }\r
-\r
- /**\r
- * getUsersByPermission\r
- */\r
- @ApiDoc(\r
- method = GET,\r
- path = "/authz/users/perm/:type/:instance/:action",\r
- params = { "type|string|true",\r
- "instance|string|true",\r
- "action|string|true"\r
- },\r
- expectedCode = 200,\r
- errorCodes = {404,406},\r
- text = { "List all Users that have Permission specified by :type :instance :action",\r
- }\r
- )\r
- @Override\r
- public Result<USERS> getUsersByPermission(AuthzTrans trans, String type, String instance, String action) {\r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank("Type",type)\r
- .nullOrBlank("Instance",instance)\r
- .nullOrBlank("Action",action) \r
- .err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<NsSplit> nss = ques.deriveNsSplit(trans, type);\r
- if(nss.notOK()) {\r
- return Result.err(nss);\r
- }\r
- \r
- Result<List<NsDAO.Data>> nsd = ques.nsDAO.read(trans, nss.value.ns);\r
- if (nsd.notOK()) {\r
- return Result.err(nsd);\r
- }\r
- \r
- boolean allInstance = ASTERIX.equals(instance);\r
- boolean allAction = ASTERIX.equals(action);\r
- // Get list of roles per Permission, \r
- // Then loop through Roles to get Users\r
- // Note: Use Sets to avoid processing or responding with Duplicates\r
- Set<String> roleUsed = new HashSet<String>();\r
- Set<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();\r
- \r
- if(!nss.isEmpty()) {\r
- Result<List<PermDAO.Data>> rlp = ques.permDAO.readByType(trans, nss.value.ns, nss.value.name);\r
- if(rlp.isOKhasData()) {\r
- for(PermDAO.Data pd : rlp.value) {\r
- if((allInstance || pd.instance.equals(instance)) && \r
- (allAction || pd.action.equals(action))) {\r
- if(ques.mayUser(trans, trans.user(),pd,Access.read).isOK()) {\r
- for(String role : pd.roles) {\r
- if(!roleUsed.contains(role)) { // avoid evaluating Role many times\r
- roleUsed.add(role);\r
- Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role.replace('|', '.'));\r
- if(rlurd.isOKhasData()) {\r
- for(UserRoleDAO.Data urd : rlurd.value) {\r
- userSet.add(urd);\r
- }\r
- }\r
- }\r
- }\r
- }\r
- }\r
- }\r
- }\r
- }\r
- @SuppressWarnings("unchecked")\r
- USERS users = (USERS) mapper.newInstance(API.USERS);\r
- mapper.users(trans, userSet, users);\r
- return Result.ok(users);\r
- }\r
-\r
- /***********************************\r
- * HISTORY \r
- ***********************************/ \r
- @Override\r
- public Result<HISTORY> getHistoryByUser(final AuthzTrans trans, String user, final int[] yyyymm, final int sort) { \r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank("User",user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<NsDAO.Data> rnd;\r
- // Users may look at their own data\r
- if(trans.user().equals(user)) {\r
- // Users may look at their own data\r
- } else {\r
- int at = user.indexOf('@');\r
- if(at>=0 && trans.org().getRealm().equals(user.substring(at+1))) {\r
- NsDAO.Data nsd = new NsDAO.Data();\r
- nsd.name = Question.domain2ns(user);\r
- rnd = ques.mayUser(trans, trans.user(), nsd, Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd);\r
- }\r
- } else {\r
- rnd = ques.validNSOfDomain(trans, user);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd);\r
- }\r
-\r
- rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd);\r
- }\r
- }\r
- }\r
- Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readByUser(trans, user, yyyymm);\r
- if(resp.notOK()) {\r
- return Result.err(resp);\r
- }\r
- return mapper.history(trans, resp.value,sort);\r
- }\r
-\r
- @Override\r
- public Result<HISTORY> getHistoryByRole(AuthzTrans trans, String role, int[] yyyymm, final int sort) {\r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank("Role",role).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role);\r
- if(rrdd.notOK()) {\r
- return Result.err(rrdd);\r
- }\r
- \r
- Result<NsDAO.Data> rnd = ques.mayUser(trans, trans.user(), rrdd.value, Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd);\r
- }\r
- Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readBySubject(trans, role, "role", yyyymm); \r
- if(resp.notOK()) {\r
- return Result.err(resp);\r
- }\r
- return mapper.history(trans, resp.value,sort);\r
- }\r
-\r
- @Override\r
- public Result<HISTORY> getHistoryByPerm(AuthzTrans trans, String type, int[] yyyymm, final int sort) {\r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank("Type",type)\r
- .err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- // May user see Namespace of Permission (since it's only one piece... we can't check for "is permission part of")\r
- Result<NsDAO.Data> rnd = ques.deriveNs(trans,type);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd);\r
- }\r
- \r
- rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
- Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readBySubject(trans, type, "perm", yyyymm);\r
- if(resp.notOK()) {\r
- return Result.err(resp);\r
- }\r
- return mapper.history(trans, resp.value,sort);\r
- }\r
-\r
- @Override\r
- public Result<HISTORY> getHistoryByNS(AuthzTrans trans, String ns, int[] yyyymm, final int sort) {\r
- final Validator v = new Validator(trans);\r
- if(v.nullOrBlank("NS",ns)\r
- .err()) { \r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<NsDAO.Data> rnd = ques.deriveNs(trans,ns);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd);\r
- }\r
- rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);\r
- if(rnd.notOK()) {\r
- return Result.err(rnd); \r
- }\r
-\r
- Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readBySubject(trans, ns, "ns", yyyymm);\r
- if(resp.notOK()) {\r
- return Result.err(resp);\r
- }\r
- return mapper.history(trans, resp.value,sort);\r
- }\r
-\r
-/***********************************\r
- * DELEGATE \r
- ***********************************/\r
- @Override\r
- public Result<Void> createDelegate(final AuthzTrans trans, REQUEST base) {\r
- return createOrUpdateDelegate(trans, base, Question.Access.create);\r
- }\r
-\r
- @Override\r
- public Result<Void> updateDelegate(AuthzTrans trans, REQUEST base) {\r
- return createOrUpdateDelegate(trans, base, Question.Access.write);\r
- }\r
-\r
-\r
- private Result<Void> createOrUpdateDelegate(final AuthzTrans trans, REQUEST base, final Access access) {\r
- final Result<DelegateDAO.Data> rd = mapper.delegate(trans, base);\r
- final Validator v = new Validator();\r
- if(v.delegate(trans.org(),rd).err()) { \r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- final DelegateDAO.Data dd = rd.value;\r
- \r
- Result<List<DelegateDAO.Data>> ddr = ques.delegateDAO.read(trans, dd);\r
- if(access==Access.create && ddr.isOKhasData()) {\r
- return Result.err(Status.ERR_ConflictAlreadyExists, "[%s] already delegates to [%s]", dd.user, ddr.value.get(0).delegate);\r
- } else if(access!=Access.create && ddr.notOKorIsEmpty()) { \r
- return Result.err(Status.ERR_NotFound, "[%s] does not have a Delegate Record to [%s].",dd.user,access.name());\r
- }\r
- Result<Void> rv = ques.mayUser(trans, dd, access);\r
- if(rv.notOK()) {\r
- return rv;\r
- }\r
- \r
- Result<FutureDAO.Data> fd = mapper.future(trans,DelegateDAO.TABLE,base, dd, false, \r
- new Mapper.Memo() {\r
- @Override\r
- public String get() {\r
- StringBuilder sb = new StringBuilder();\r
- sb.append(access.name());\r
- sb.setCharAt(0, Character.toUpperCase(sb.charAt(0)));\r
- sb.append("Delegate ");\r
- sb.append(access==Access.create?"[":"to [");\r
- sb.append(rd.value.delegate);\r
- sb.append("] for [");\r
- sb.append(rd.value.user);\r
- sb.append(']');\r
- return sb.toString();\r
- }\r
- },\r
- new MayChange() {\r
- @Override\r
- public Result<?> mayChange() {\r
- return Result.ok(); // Validate in code above\r
- }\r
- });\r
- \r
- switch(fd.status) {\r
- case OK:\r
- Result<List<Identity>> rfc = func.createFuture(trans, fd.value, \r
- dd.user, trans.user(),null, access==Access.create?"C":"U");\r
- if(rfc.isOK()) { \r
- return Result.err(Status.ACC_Future, "Delegate for [%s]",\r
- dd.user);\r
- } else { \r
- return Result.err(rfc);\r
- }\r
- case Status.ACC_Now:\r
- if(access==Access.create) {\r
- Result<DelegateDAO.Data> rdr = ques.delegateDAO.create(trans, dd);\r
- if(rdr.isOK()) {\r
- return Result.ok();\r
- } else {\r
- return Result.err(rdr);\r
- }\r
- } else {\r
- return ques.delegateDAO.update(trans, dd);\r
- }\r
- default:\r
- return Result.err(fd);\r
- }\r
- }\r
-\r
- @Override\r
- public Result<Void> deleteDelegate(AuthzTrans trans, REQUEST base) {\r
- final Result<DelegateDAO.Data> rd = mapper.delegate(trans, base);\r
- final Validator v = new Validator();\r
- if(v.notOK(rd).nullOrBlank("User", rd.value.user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- Result<List<DelegateDAO.Data>> ddl;\r
- if((ddl=ques.delegateDAO.read(trans, rd.value)).notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_DelegateNotFound,"Cannot delete non-existent Delegate");\r
- }\r
- final DelegateDAO.Data dd = ddl.value.get(0);\r
- Result<Void> rv = ques.mayUser(trans, dd, Access.write);\r
- if(rv.notOK()) {\r
- return rv;\r
- }\r
- \r
- return ques.delegateDAO.delete(trans, dd, false);\r
- }\r
-\r
- @Override\r
- public Result<Void> deleteDelegate(AuthzTrans trans, String userName) {\r
- DelegateDAO.Data dd = new DelegateDAO.Data();\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("User", userName).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- dd.user = userName;\r
- Result<List<DelegateDAO.Data>> ddl;\r
- if((ddl=ques.delegateDAO.read(trans, dd)).notOKorIsEmpty()) {\r
- return Result.err(Status.ERR_DelegateNotFound,"Cannot delete non-existent Delegate");\r
- }\r
- dd = ddl.value.get(0);\r
- Result<Void> rv = ques.mayUser(trans, dd, Access.write);\r
- if(rv.notOK()) {\r
- return rv;\r
- }\r
- \r
- return ques.delegateDAO.delete(trans, dd, false);\r
- }\r
- \r
- @Override\r
- public Result<DELGS> getDelegatesByUser(AuthzTrans trans, String user) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("User", user).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- DelegateDAO.Data ddd = new DelegateDAO.Data();\r
- ddd.user = user;\r
- ddd.delegate = null;\r
- Result<Void> rv = ques.mayUser(trans, ddd, Access.read);\r
- if(rv.notOK()) {\r
- return Result.err(rv);\r
- }\r
- \r
- TimeTaken tt = trans.start("Get delegates for a user", Env.SUB);\r
-\r
- Result<List<DelegateDAO.Data>> dbDelgs = ques.delegateDAO.read(trans, user);\r
- try {\r
- if (dbDelgs.isOKhasData()) {\r
- return mapper.delegate(dbDelgs.value);\r
- } else {\r
- return Result.err(Status.ERR_DelegateNotFound,"No Delegate found for [%s]",user);\r
- }\r
- } finally {\r
- tt.done();\r
- } \r
- }\r
-\r
- @Override\r
- public Result<DELGS> getDelegatesByDelegate(AuthzTrans trans, String delegate) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("Delegate", delegate).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- DelegateDAO.Data ddd = new DelegateDAO.Data();\r
- ddd.user = delegate;\r
- Result<Void> rv = ques.mayUser(trans, ddd, Access.read);\r
- if(rv.notOK()) {\r
- return Result.err(rv);\r
- }\r
-\r
- TimeTaken tt = trans.start("Get users for a delegate", Env.SUB);\r
-\r
- Result<List<DelegateDAO.Data>> dbDelgs = ques.delegateDAO.readByDelegate(trans, delegate);\r
- try {\r
- if (dbDelgs.isOKhasData()) {\r
- return mapper.delegate(dbDelgs.value);\r
- } else {\r
- return Result.err(Status.ERR_DelegateNotFound,"Delegate [%s] is not delegating for anyone.",delegate);\r
- }\r
- } finally {\r
- tt.done();\r
- } \r
- }\r
-\r
-/***********************************\r
- * APPROVAL \r
- ***********************************/\r
- @Override\r
- public Result<Void> updateApproval(AuthzTrans trans, APPROVALS approvals) {\r
- Result<List<ApprovalDAO.Data>> rlad = mapper.approvals(approvals);\r
- if(rlad.notOK()) {\r
- return Result.err(rlad);\r
- }\r
- int numApprs = rlad.value.size();\r
- if(numApprs<1) {\r
- return Result.err(Status.ERR_NoApprovals,"No Approvals sent for Updating");\r
- }\r
- int numProcessed = 0;\r
- String user = trans.user();\r
- \r
- Result<List<ApprovalDAO.Data>> curr;\r
- for(ApprovalDAO.Data updt : rlad.value) {\r
- if(updt.ticket!=null) {\r
- curr = ques.approvalDAO.readByTicket(trans, updt.ticket);\r
- } else if(updt.id!=null) {\r
- curr = ques.approvalDAO.read(trans, updt);\r
- } else if(updt.approver!=null) {\r
- curr = ques.approvalDAO.readByApprover(trans, updt.approver);\r
- } else {\r
- return Result.err(Status.ERR_BadData,"Approvals need ID, Ticket or Approval data to update");\r
- }\r
- if(curr.isOKhasData()) {\r
- for(ApprovalDAO.Data cd : curr.value){\r
- // Check for right record. Need ID, or (Ticket&Trans.User==Appr)\r
- // If Default ID\r
- boolean delegatedAction = ques.isDelegated(trans, user, cd.approver);\r
- String delegator = cd.approver;\r
- if(updt.id!=null || \r
- (updt.ticket!=null && user.equals(cd.approver)) ||\r
- (updt.ticket!=null && delegatedAction)) {\r
- if(updt.ticket.equals(cd.ticket)) {\r
- cd.id = changed(updt.id,cd.id);\r
- cd.ticket = changed(updt.ticket,cd.ticket);\r
- cd.user = changed(updt.user,cd.user);\r
- cd.approver = changed(updt.approver,cd.approver);\r
- cd.type = changed(updt.type,cd.type);\r
- cd.status = changed(updt.status,cd.status);\r
- cd.memo = changed(updt.memo,cd.memo);\r
- cd.operation = changed(updt.operation,cd.operation);\r
- cd.updated = changed(updt.updated,cd.updated);\r
- ques.approvalDAO.update(trans, cd);\r
- Result<Void> rv = func.performFutureOp(trans, cd);\r
- if (rv.isOK()) {\r
- if (delegatedAction) {\r
- trans.audit().log("actor=",user,",action=",updt.status,",operation=\"",cd.memo,\r
- '"',",requestor=",cd.user,",delegator=",delegator);\r
- }\r
- if (!delegatedAction && cd.status.equalsIgnoreCase("denied")) {\r
- trans.audit().log("actor=",trans.user(),",action=denied,operation=\"",cd.memo,'"',",requestor=",cd.user);\r
- }\r
- rv = ques.approvalDAO.delete(trans, cd, false);\r
- }\r
- ++numProcessed;\r
-\r
- }\r
- }\r
- }\r
- }\r
- }\r
-\r
- if(numApprs==numProcessed) {\r
- return Result.ok();\r
- }\r
- return Result.err(Status.ERR_ActionNotCompleted,numProcessed + " out of " + numApprs + " completed");\r
-\r
- }\r
- \r
- private<T> T changed(T src, T dflt) {\r
- if(src!=null) {\r
- return src;\r
- }\r
- return dflt;\r
- }\r
-\r
- @Override\r
- public Result<APPROVALS> getApprovalsByUser(AuthzTrans trans, String user) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("User", user).err()) { \r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
-\r
- Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO.readByUser(trans, user);\r
- if(rapd.isOK()) {\r
- return mapper.approvals(rapd.value);\r
- } else {\r
- return Result.err(rapd);\r
- }\r
-}\r
-\r
- @Override\r
- public Result<APPROVALS> getApprovalsByTicket(AuthzTrans trans, String ticket) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("Ticket", ticket).err()) { \r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- UUID uuid;\r
- try {\r
- uuid = UUID.fromString(ticket);\r
- } catch (IllegalArgumentException e) {\r
- return Result.err(Status.ERR_BadData,e.getMessage());\r
- }\r
- \r
- Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO.readByTicket(trans, uuid);\r
- if(rapd.isOK()) {\r
- return mapper.approvals(rapd.value);\r
- } else {\r
- return Result.err(rapd);\r
- }\r
- }\r
- \r
- @Override\r
- public Result<APPROVALS> getApprovalsByApprover(AuthzTrans trans, String approver) {\r
- final Validator v = new Validator();\r
- if(v.nullOrBlank("Approver", approver).err()) {\r
- return Result.err(Status.ERR_BadData,v.errs());\r
- }\r
- \r
- List<ApprovalDAO.Data> listRapds = new ArrayList<ApprovalDAO.Data>();\r
- \r
- Result<List<ApprovalDAO.Data>> myRapd = ques.approvalDAO.readByApprover(trans, approver);\r
- if(myRapd.notOK()) {\r
- return Result.err(myRapd);\r
- }\r
- \r
- listRapds.addAll(myRapd.value);\r
- \r
- Result<List<DelegateDAO.Data>> delegatedFor = ques.delegateDAO.readByDelegate(trans, approver);\r
- if (delegatedFor.isOK()) {\r
- for (DelegateDAO.Data dd : delegatedFor.value) {\r
- if (dd.expires.after(new Date())) {\r
- String delegator = dd.user;\r
- Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO.readByApprover(trans, delegator);\r
- if (rapd.isOK()) {\r
- for (ApprovalDAO.Data d : rapd.value) { \r
- if (!d.user.equals(trans.user())) {\r
- listRapds.add(d);\r
- }\r
- }\r
- }\r
- }\r
- }\r
- }\r
- \r
- return mapper.approvals(listRapds);\r
- }\r
- \r
- /* (non-Javadoc)\r
- * @see org.onap.aaf.authz.service.AuthzService#clearCache(org.onap.aaf.authz.env.AuthzTrans, java.lang.String)\r
- */\r
- @Override\r
- public Result<Void> cacheClear(AuthzTrans trans, String cname) {\r
- if(ques.isGranted(trans,trans.user(),Define.ROOT_NS,CACHE,cname,"clear")) {\r
- return ques.clearCache(trans,cname);\r
- }\r
- return Result.err(Status.ERR_Denied, "%s does not have AAF Permission '%s.cache|%s|clear",\r
- trans.user(),Define.ROOT_NS,cname);\r
- }\r
-\r
- /* (non-Javadoc)\r
- * @see org.onap.aaf.authz.service.AuthzService#cacheClear(org.onap.aaf.authz.env.AuthzTrans, java.lang.String, java.lang.Integer)\r
- */\r
- @Override\r
- public Result<Void> cacheClear(AuthzTrans trans, String cname, int[] segment) {\r
- if(ques.isGranted(trans,trans.user(),Define.ROOT_NS,CACHE,cname,"clear")) {\r
- Result<Void> v=null;\r
- for(int i: segment) {\r
- v=ques.cacheClear(trans,cname,i);\r
- }\r
- if(v!=null) {\r
- return v;\r
- }\r
- }\r
- return Result.err(Status.ERR_Denied, "%s does not have AAF Permission '%s.cache|%s|clear",\r
- trans.user(),Define.ROOT_NS,cname);\r
- }\r
-\r
- /* (non-Javadoc)\r
- * @see org.onap.aaf.authz.service.AuthzService#dbReset(org.onap.aaf.authz.env.AuthzTrans)\r
- */\r
- @Override\r
- public void dbReset(AuthzTrans trans) {\r
- ques.historyDAO.reportPerhapsReset(trans, null);\r
- }\r
-\r
-}\r
-\r
Code Review / aaf / authz.git / blobdiff