Update project structure to org.onap.aaf
diff --git a/authz-service/src/main/java/org/onap/aaf/authz/service/api/API_Mgmt.java b/authz-service/src/main/java/org/onap/aaf/authz/service/api/API_Mgmt.java
new file mode 100644 (file)
index 0000000..90ee6be
--- /dev/null
@@ -0,0 +1,275 @@
+/*******************************************************************************\r
+ * ============LICENSE_START====================================================\r
+ * * org.onap.aaf\r
+ * * ===========================================================================\r
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
+ * * ===========================================================================\r
+ * * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * * you may not use this file except in compliance with the License.\r
+ * * You may obtain a copy of the License at\r
+ * * \r
+ *  *      http://www.apache.org/licenses/LICENSE-2.0\r
+ * * \r
+ *  * Unless required by applicable law or agreed to in writing, software\r
+ * * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * * See the License for the specific language governing permissions and\r
+ * * limitations under the License.\r
+ * * ============LICENSE_END====================================================\r
+ * *\r
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
+ * *\r
+ ******************************************************************************/\r
+package org.onap.aaf.authz.service.api;\r
+\r
+import static org.onap.aaf.authz.layer.Result.OK;\r
+import static org.onap.aaf.cssa.rserv.HttpMethods.DELETE;\r
+import static org.onap.aaf.cssa.rserv.HttpMethods.POST;\r
+\r
+import javax.servlet.http.HttpServletRequest;\r
+import javax.servlet.http.HttpServletResponse;\r
+\r
+import org.onap.aaf.authz.common.Define;\r
+import org.onap.aaf.authz.env.AuthzTrans;\r
+import org.onap.aaf.authz.facade.AuthzFacade;\r
+import org.onap.aaf.authz.layer.Result;\r
+import org.onap.aaf.authz.service.AuthAPI;\r
+import org.onap.aaf.authz.service.Code;\r
+import org.onap.aaf.authz.service.mapper.Mapper.API;\r
+import org.onap.aaf.dao.aaf.cass.Status;\r
+import org.onap.aaf.dao.aaf.hl.Question;\r
+import org.onap.aaf.dao.session.SessionFilter;\r
+\r
+import com.att.aft.dme2.internal.jetty.http.HttpStatus;\r
+import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;\r
+import org.onap.aaf.inno.env.Trans;\r
+\r
+/**\r
+ * User Role APIs\r
+ *\r
+ */\r
+public class API_Mgmt {\r
+\r
+       private static final String SUCCESS = "SUCCESS";\r
+\r
+       /**\r
+        * Normal Init level APIs\r
+        * \r
+        * @param authzAPI\r
+        * @param facade\r
+        * @throws Exception\r
+        */\r
+       public static void init(final AuthAPI authzAPI, AuthzFacade facade) throws Exception {\r
+\r
+               /**\r
+                * Clear Cache Segment\r
+                */\r
+               authzAPI.route(DELETE,"/mgmt/cache/:area/:segments",API.VOID,new Code(facade,"Clear Cache by Segment", true) {\r
+                       @Override\r
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+                               Result<Void> r = context.cacheClear(trans, pathParam(req,"area"), pathParam(req,"segments"));\r
+                               switch(r.status) {\r
+                                       case OK:\r
+                                               trans.checkpoint(SUCCESS,Trans.ALWAYS);\r
+                                               resp.setStatus(HttpStatus.OK_200); \r
+                                               break;\r
+                                       default:\r
+                                               context.error(trans,resp,r);\r
+                               }\r
+                       }\r
+               });\r
+               \r
+               /**\r
+                * Clear Cache\r
+                */\r
+               authzAPI.route(DELETE,"/mgmt/cache/:area",API.VOID,new Code(facade,"Clear Cache", true) {\r
+                       @Override\r
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+                               Result<Void> r;\r
+                               String area;\r
+                               r = context.cacheClear(trans, area=pathParam(req,"area"));\r
+                               switch(r.status) {\r
+                                       case OK:\r
+                                               trans.audit().log("Cache " + area + " has been cleared by "+trans.user());\r
+                                               trans.checkpoint(SUCCESS,Trans.ALWAYS);\r
+                                               resp.setStatus(HttpStatus.OK_200); \r
+                                               break;\r
+                                       default:\r
+                                               context.error(trans,resp,r);\r
+                               }\r
+                       }\r
+               });\r
+\r
+               /**\r
+                * Clear DB Sessions\r
+                */\r
+               authzAPI.route(DELETE,"/mgmt/dbsession",API.VOID,new Code(facade,"Clear DBSessions", true) {\r
+                       @Override\r
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+                               try {\r
+                                       if(req.isUserInRole(Define.ROOT_NS+".db|pool|clear")) {\r
+                                               SessionFilter.clear();\r
+                                               context.dbReset(trans);\r
+\r
+                                               trans.audit().log("DB Sessions have been cleared by "+trans.user());\r
+\r
+                                               trans.checkpoint(SUCCESS,Trans.ALWAYS);\r
+                                               resp.setStatus(HttpStatus.OK_200);\r
+                                               return;\r
+                                       }\r
+                                       context.error(trans,resp,Result.err(Result.ERR_Denied,"%s is not allowed to clear dbsessions",trans.user()));\r
+                               } catch(Exception e) {\r
+                                       trans.error().log(e, "clearing dbsession");\r
+                                       context.error(trans,resp,Result.err(e));\r
+                               }\r
+                       }\r
+               });\r
+\r
+               /**\r
+                * Deny an IP \r
+                */\r
+               authzAPI.route(POST, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Deny IP",true) {\r
+                       @Override\r
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+                               String ip = pathParam(req,":ip");\r
+                               if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|ip")) {\r
+                                       if(DenialOfServiceTaf.denyIP(ip)) {\r
+                                               trans.audit().log(ip+" has been set to deny by "+trans.user());\r
+                                               trans.checkpoint(SUCCESS,Trans.ALWAYS);\r
+\r
+                                               resp.setStatus(HttpStatus.CREATED_201);\r
+                                       } else {\r
+                                               context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists, \r
+                                                               ip + " is already being denied"));\r
+                                       }\r
+                               } else {\r
+                                       trans.audit().log(trans.user(),"has attempted to deny",ip,"without authorization");\r
+                                       context.error(trans,resp,Result.err(Status.ERR_Denied, \r
+                                               trans.getUserPrincipal().getName() + " is not allowed to set IP Denial"));\r
+                               }\r
+                       }\r
+               });\r
+               \r
+               /**\r
+                * Stop Denying an IP\r
+                */\r
+               authzAPI.route(DELETE, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Stop Denying IP",true) {\r
+                       @Override\r
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+                               String ip = pathParam(req,":ip");\r
+                               if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|ip")) {\r
+                                       if(DenialOfServiceTaf.removeDenyIP(ip)) {\r
+                                               trans.audit().log(ip+" has been removed from denial by "+trans.user());\r
+                                               trans.checkpoint(SUCCESS,Trans.ALWAYS);\r
+                                               resp.setStatus(HttpStatus.OK_200);\r
+                                       } else {\r
+                                               context.error(trans,resp,Result.err(Status.ERR_NotFound, \r
+                                                               ip + " is not on the denial list"));\r
+                                       }\r
+                               } else {\r
+                                       trans.audit().log(trans.user(),"has attempted to remove",ip," from being denied without authorization");\r
+                                       context.error(trans,resp,Result.err(Status.ERR_Denied, \r
+                                               trans.getUserPrincipal().getName() + " is not allowed to remove IP Denial"));\r
+                               }\r
+                       }\r
+               });\r
+\r
+               /**\r
+                * Deny an ID \r
+                */\r
+               authzAPI.route(POST, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Deny ID",true) {\r
+                       @Override\r
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+                               String id = pathParam(req,":id");\r
+                               if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|id")) {\r
+                                       if(DenialOfServiceTaf.denyID(id)) {\r
+                                               trans.audit().log(id+" has been set to deny by "+trans.user());\r
+                                               trans.checkpoint(SUCCESS,Trans.ALWAYS);\r
+                                               resp.setStatus(HttpStatus.CREATED_201);\r
+                                       } else {\r
+                                               context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists, \r
+                                                               id + " is already being denied"));\r
+                                       }\r
+                               } else {\r
+                                       trans.audit().log(trans.user(),"has attempted to deny",id,"without authorization");\r
+                                       context.error(trans,resp,Result.err(Status.ERR_Denied, \r
+                                               trans.getUserPrincipal().getName() + " is not allowed to set ID Denial"));\r
+                               }\r
+                       }\r
+               });\r
+               \r
+               /**\r
+                * Stop Denying an ID\r
+                */\r
+               authzAPI.route(DELETE, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Stop Denying ID",true) {\r
+                       @Override\r
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+                               String id = pathParam(req,":id");\r
+                               if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|id")) {\r
+                                       if(DenialOfServiceTaf.removeDenyID(id)) {\r
+                                               trans.audit().log(id+" has been removed from denial by " + trans.user());\r
+                                               trans.checkpoint(SUCCESS,Trans.ALWAYS);\r
+                                               resp.setStatus(HttpStatus.OK_200);\r
+                                       } else {\r
+                                               context.error(trans,resp,Result.err(Status.ERR_NotFound, \r
+                                                               id + " is not on the denial list"));\r
+                                       }\r
+                               } else {\r
+                                       trans.audit().log(trans.user(),"has attempted to remove",id," from being denied without authorization");\r
+                                       context.error(trans,resp,Result.err(Status.ERR_Denied, \r
+                                               trans.getUserPrincipal().getName() + " is not allowed to remove ID Denial"));\r
+                               }\r
+                       }\r
+               });\r
+\r
+               /**\r
+                * Deny an ID \r
+                */\r
+               authzAPI.route(POST, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Special Log ID",true) {\r
+                       @Override\r
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+                               String id = pathParam(req,":id");\r
+                               if(req.isUserInRole(Define.ROOT_NS+".log|"+Define.ROOT_COMPANY+"|id")) {\r
+                                       if(Question.specialLogOn(trans,id)) {\r
+                                               trans.audit().log(id+" has been set to special Log by "+trans.user());\r
+                                               trans.checkpoint(SUCCESS,Trans.ALWAYS);\r
+                                               resp.setStatus(HttpStatus.CREATED_201);\r
+                                       } else {\r
+                                               context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists, \r
+                                                               id + " is already being special Logged"));\r
+                                       }\r
+                               } else {\r
+                                       trans.audit().log(trans.user(),"has attempted to special Log",id,"without authorization");\r
+                                       context.error(trans,resp,Result.err(Status.ERR_Denied, \r
+                                               trans.getUserPrincipal().getName() + " is not allowed to set ID special Logging"));\r
+                               }\r
+                       }\r
+               });\r
+               \r
+               /**\r
+                * Stop Denying an ID\r
+                */\r
+               authzAPI.route(DELETE, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Stop Special Log ID",true) {\r
+                       @Override\r
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+                               String id = pathParam(req,":id");\r
+                               if(req.isUserInRole(Define.ROOT_NS+".log|"+Define.ROOT_COMPANY+"|id")) {\r
+                                       if(Question.specialLogOff(trans,id)) {\r
+                                               trans.audit().log(id+" has been removed from special Logging by " + trans.user());\r
+                                               trans.checkpoint(SUCCESS,Trans.ALWAYS);\r
+                                               resp.setStatus(HttpStatus.OK_200);\r
+                                       } else {\r
+                                               context.error(trans,resp,Result.err(Status.ERR_NotFound, \r
+                                                               id + " is not on the special Logging list"));\r
+                                       }\r
+                               } else {\r
+                                       trans.audit().log(trans.user(),"has attempted to remove",id," from being special Logged without authorization");\r
+                                       context.error(trans,resp,Result.err(Status.ERR_Denied, \r
+                                               trans.getUserPrincipal().getName() + " is not allowed to remove ID special Logging"));\r
+                               }\r
+                       }\r
+               });\r
+\r
+\r
+       }\r
+}\r
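Review bot: The two cache-clear handlers (`/mgmt/cache/:area/:segments` and `/mgmt/cache/:area`) are the only routes in this file that act without a `req.isUserInRole(...)` gate, and the by-segment handler also writes no `trans.audit()` line on success, so a segment clear leaves no record of who performed it; unless `context.cacheClear` enforces the permission itself (not visible here), they should carry the same role check as the other handlers and an audit line such as `trans.audit().log("Cache " + area + " segments " + segments + " cleared by " + trans.user());` ahead of the checkpoint. Path-parameter names are spelled inconsistently: the cache routes call `pathParam(req,"area")` while the deny and log routes call `pathParam(req,":ip")` and `pathParam(req,":id")` with a leading colon; only one spelling can match how the router registers `:area`/`:ip`/`:id`, so the other set presumably returns null and should be confirmed against pathParam. The Javadoc on the special-log routes is copied from the deny routes (`Deny an ID` and `Stop Denying an ID` above `/mgmt/log/id/:id`), and the class Javadoc reads `User Role APIs`; these should say `Turn on special logging for an ID`, `Turn off special logging for an ID`, and `Management APIs: cache, DB session, IP/ID denial, special logging`. The unauthorized branches call `trans.getUserPrincipal().getName()` while the audit line beside them uses `trans.user()`; using `trans.user()` in both avoids a possible NullPointerException when no principal is attached.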