X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-batch%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fbatch%2Freports%2FAnalyze.java;h=ff2c72a5ece07420b5887f78e6330ccb52eecdb8;hb=a3b442a09aa3666662003d7c8a5ed69ee24a373e;hp=5cab52976ca08d76cc6eed2b8e1ce5ff6bb8069a;hpb=deb396a3d53a84b2eb5a46d40122b4902d72c601;p=aaf%2Fauthz.git
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java
index 5cab5297..ff2c72a5 100644
--- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java
@@ -57,6 +57,7 @@ import org.onap.aaf.auth.batch.helpers.X509;
 import org.onap.aaf.auth.dao.cass.CredDAO;
 import org.onap.aaf.auth.dao.cass.UserRoleDAO;
 import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.Organization.Expiration;
 import org.onap.aaf.auth.org.Organization.Identity;
 import org.onap.aaf.auth.org.OrganizationException;
 import org.onap.aaf.cadi.configure.Factory;
@@ -218,11 +219,13 @@ public class Analyze extends Batch {
 // for users and approvers still valid
 String user = appr.getUser();
- if(org.isRevoked(noAvg, appr.getApprover())) {
- deleteCW.comment("Approver ID is revoked");
+ Date revokedAppr = org.isRevoked(noAvg, appr.getApprover());
+ Date revokedUser = org.isRevoked(noAvg, user);
+ if(revokedAppr!=null) {
+ deleteCW.comment("Approver ID is revoked on " + revokedAppr);
 Approval.row(deleteCW, appr);
- } else if(user!=null && !user.isEmpty() && org.isRevoked(noAvg, user)) {
- deleteCW.comment("USER ID is revoked");
+ } else if(user!=null && !user.isEmpty() && revokedUser!=null) {
+ deleteCW.comment("USER ID is revoked on " + revokedUser);
 Approval.row(deleteCW, appr);
 } else {
 ticket.approvals.add(appr); // add to found Ticket
 
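Review bot: `Date revokedUser = org.isRevoked(noAvg, user);` now runs before the `user!=null && !user.isEmpty()` guard that the old code placed in front of the lookup, so a null or empty user is handed to the organization call, and the lookup is also performed needlessly whenever the approver is already revoked. Keeping the guard ahead of the lookup preserves the old contract: `Date revokedUser = (user==null || user.isEmpty()) ? null : org.isRevoked(noAvg, user);`. The two new comment strings also render the revocation date with `Date.toString()`, whereas the later hunk in this same file uses `Chrono.dateOnlyStamp(...)`; using one formatter in both places keeps the report output consistent. The enclosing method starts and ends outside this hunk.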
@@ -392,12 +395,34 @@ public class Analyze extends Batch {
 }
 return;
 }
+ Date revoked = org.isRevoked(trans, ur.user());
+ if(revoked!=null) {
+ GregorianCalendar gc = new GregorianCalendar();
+ gc.setTime(revoked);
+ GregorianCalendar gracePeriodEnds = org.expiration(gc, Expiration.RevokedGracePeriodEnds, ur.user());
+ if(now.after(gracePeriodEnds.getTime())) {
+ ur.row(deleteCW, UserRole.UR,"Revoked ID, no grace period left");
+ } else {
+ ur.row(notCompliantCW, UserRole.UR, "Revoked ID: WARNING! GracePeriod Ends " + Chrono.dateOnlyStamp(gracePeriodEnds));
+ }
+ return;
+ }
 ur.row(deleteCW, UserRole.UR,"Not in Organization");
 return;
 } else if(Role.byName.get(ur.role())==null) {
 ur.row(deleteCW, UserRole.UR,String.format("Role %s does not exist", ur.role()));
 return;
+ // Make sure owners can still be owners.
+ } else if(ur.role().endsWith(".owner")) {
+ String err = identity.mayOwn();
+ if(err!=null) {
+ ur.row(deleteCW, UserRole.UR,String.format("%s may not be an owner: %s",ur.user(),err));
+ return;
+ }
 }
+
+
+ // Just let expired UserRoles sit until deleted
 if(futureRange.inRange(ur.expires())&&(!mur.containsKey(ur.user() + '|' + ur.role()))) {
 // Cannot just delete owners, unless there is at least one left. Process later