X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-cass%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fdao%2Fhl%2FFunction.java;h=0d5c487d51c66035cebdb88e4b2dfdb475119d14;hb=c353159903bf9c7f3f4426e66cad9af2c657fb1d;hp=f3aae2ec8b7b3c55b47041605153faebe2223b44;hpb=4b5a7d721d994a49057e9bfb403c7bff1b376660;p=aaf%2Fauthz.git diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java index f3aae2ec..0d5c487d 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -64,26 +64,26 @@ public class Function { public enum FUTURE_OP { C("Create"),U("Update"),D("Delete"),G("Grant"),UG("UnGrant"),A("Approval"); - + private String desc; - + private FUTURE_OP(String desc) { this.desc = desc; } - + public String desc() { return desc; } - + /** * Same as valueOf(), but passes back null instead of throwing Exception * @param value * @return */ public static FUTURE_OP toFO(String value) { - if(value!=null) { - for(FUTURE_OP fo : values()) { - if(fo.name().equals(value)){ + if (value!=null) { + for (FUTURE_OP fo : values()) { + if (fo.name().equals(value)){ return fo; } } @@ -94,21 +94,21 @@ public class Function { public enum OP_STATUS { E("Executed"),D("Denied"),P("Pending"),L("Lapsed"); - + private String desc; - public final static Result RE = Result.ok(OP_STATUS.E); - public final static Result RD = Result.ok(OP_STATUS.D); - public final static Result RP = Result.ok(OP_STATUS.P); - public final static Result RL = Result.ok(OP_STATUS.L); + public static final Result RE = Result.ok(OP_STATUS.E); + public static final Result RD = Result.ok(OP_STATUS.D); + public static final Result RP = Result.ok(OP_STATUS.P); + public static final Result RL = Result.ok(OP_STATUS.L); private OP_STATUS(String desc) { this.desc = desc; } - + public String desc() { return desc; } - + } public static final String FOP_CRED = "cred"; @@ -136,11 +136,8 @@ public class Function { sb = new StringBuilder(); ao = new ArrayList<>(); } - sb.append(result.details); + sb.append(String.format(result.details,result.variables)); sb.append('\n'); - for (String s : result.variables) { - ao.add(s); - } } } @@ -162,16 +159,16 @@ public class Function { /** * createNS - * + * * Create Namespace - * + * * @param trans * @param org * @param ns * @param user * @return * @throws DAOException - * + * * To create an NS, you need to: 1) validate permission to * modify parent NS 2) Does NS exist already? 3) Create NS with * a) "user" as owner. NOTE: Per 10-15 request for AAF 1.0 4) @@ -181,11 +178,6 @@ public class Function { */ public Result createNS(AuthzTrans trans, Namespace namespace, boolean fromApproval) { Result rq; -// if (namespace.name.endsWith(Question.DOT_ADMIN) -// || namespace.name.endsWith(Question.DOT_OWNER)) { -// return Result.err(Status.ERR_BadData, -// "'admin' and 'owner' are reserved names in AAF"); -// } try { for (String u : namespace.owner) { @@ -193,17 +185,17 @@ public class Function { Identity orgUser = org.getIdentity(trans, u); String reason; if (orgUser == null) { - return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName()); - } else if((reason=orgUser.mayOwn())!=null) { + return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName()); + } else if ((reason=orgUser.mayOwn())!=null) { if (org.isTestEnv()) { String reason2; - if((reason2=org.validate(trans, Policy.AS_RESPONSIBLE,new CassExecutor(trans, this), u))!=null) { // can masquerade as responsible + if ((reason2=org.validate(trans, Policy.AS_RESPONSIBLE,new CassExecutor(trans, this), u))!=null) { // can masquerade as responsible trans.debug().log(reason2); return Result.err(Status.ERR_Policy,CANNOT_BE_THE_OWNER_OF_A_NAMESPACE,orgUser.fullName(),orgUser.id(),namespace.name,reason); } // a null means ok } else { - if(orgUser.isFound()) { + if (orgUser.isFound()) { return Result.err(Status.ERR_Policy,CANNOT_BE_THE_OWNER_OF_A_NAMESPACE,orgUser.fullName(),orgUser.id(),namespace.name, reason); } else { return Result.err(Status.ERR_Policy,u + " is an invalid Identity"); @@ -235,6 +227,7 @@ public class Function { if (rparent.notOK()) { return Result.err(rparent); } + parent = rparent.value.parent; if (!fromApproval) { rparent = q.mayUser(trans, user, rparent.value, Access.write); if (rparent.notOK()) { @@ -242,13 +235,26 @@ public class Function { } } parent = namespace.parent = rparent.value.name; // Correct Namespace from real data + String cname = parent.length()<1 || namespace.name.equals(parent)?null:namespace.name.substring(parent.length()+1); // 2) Does requested NS exist - if (q.nsDAO.read(trans, namespace.name).isOKhasData()) { + if (q.nsDAO().read(trans, namespace.name).isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "Target Namespace already exists"); } + // 2.1) Does role exist with that name + if(cname!=null && q.roleDAO().read(trans, parent, cname).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Role exists with that name"); + } + + // 2.2) Do perms exist with that name + if(cname!=null && q.permDAO().readByType(trans, parent, cname).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Perms exist with that name"); + } + // Someone must be responsible. if (namespace.owner == null || namespace.owner.isEmpty()) { return Result @@ -267,9 +273,6 @@ public class Function { // or helpful for Operations folks.. // Admins can be empty, because they can be changed by lower level // NSs - // if(ns.admin(false).isEmpty()) { - // ns.admin(true).add(user); - // } if (namespace.admin != null) { for (String u : namespace.admin) { if ((r = checkValidID(trans, now, u)).notOK()) { @@ -294,7 +297,8 @@ public class Function { } // VALIDATIONS done... Add NS - if ((rq = q.nsDAO.create(trans, namespace.data())).notOK()) { + rq = q.nsDAO().create(trans, namespace.data()); + if (rq.notOK()) { return Result.err(rq); } @@ -307,12 +311,12 @@ public class Function { urdd.role(namespace.name, Question.ADMIN); for (String admin : namespace.admin) { urdd.user = admin; - eb.log(q.userRoleDAO.create(trans, urdd)); + eb.log(q.userRoleDAO().create(trans, urdd)); } urdd.role(namespace.name,Question.OWNER); for (String owner : namespace.owner) { urdd.user = owner; - eb.log(q.userRoleDAO.create(trans, urdd)); + eb.log(q.userRoleDAO().create(trans, urdd)); } addNSAdminRolesPerms(trans, eb, namespace.name); @@ -329,22 +333,22 @@ public class Function { int targetNameDot = targetName.length() + 1; // 4) Change any roles with children matching this NS, and - Result> rrdc = q.roleDAO.readChildren(trans, targetNs, targetName); + Result> rrdc = q.roleDAO().readChildren(trans, targetNs, targetName); if (rrdc.isOKhasData()) { for (RoleDAO.Data rdd : rrdc.value) { // Remove old Role from Perms, save them off List lpdd = new ArrayList<>(); - for(String p : rdd.perms(false)) { + for (String p : rdd.perms(false)) { Result rpdd = PermDAO.Data.decode(trans,q,p); - if(rpdd.isOKhasData()) { + if (rpdd.isOKhasData()) { PermDAO.Data pdd = rpdd.value; lpdd.add(pdd); - q.permDAO.delRole(trans, pdd, rdd); + q.permDAO().delRole(trans, pdd, rdd); } else{ trans.error().log(rpdd.errorString()); } } - + // Save off Old keys String delP1 = rdd.ns; String delP2 = rdd.name; @@ -353,27 +357,27 @@ public class Function { rdd.ns = namespace.name; rdd.name = (delP2.length() > targetNameDot) ? delP2 .substring(targetNameDot) : ""; - + // Need to use non-cached, because switching namespaces, not // "create" per se - if ((rq = q.roleDAO.create(trans, rdd)).isOK()) { + if ((rq = q.roleDAO().create(trans, rdd)).isOK()) { // Put Role back into Perm, with correct info - for(PermDAO.Data pdd : lpdd) { - q.permDAO.addRole(trans, pdd, rdd); + for (PermDAO.Data pdd : lpdd) { + q.permDAO().addRole(trans, pdd, rdd); } - // Change data for User Roles - Result> rurd = q.userRoleDAO.readByRole(trans, rdd.fullName()); - if(rurd.isOKhasData()) { - for(UserRoleDAO.Data urd : rurd.value) { + // Change data for User Roles + Result> rurd = q.userRoleDAO().readByRole(trans, rdd.fullName()); + if (rurd.isOKhasData()) { + for (UserRoleDAO.Data urd : rurd.value) { urd.ns = rdd.ns; urd.rname = rdd.name; - q.userRoleDAO.update(trans, urd); + q.userRoleDAO().update(trans, urd); } } // Now delete old one rdd.ns = delP1; rdd.name = delP2; - if ((rq = q.roleDAO.delete(trans, rdd, false)).notOK()) { + if ((rq = q.roleDAO().delete(trans, rdd, false)).notOK()) { eb.log(rq); } } else { @@ -383,43 +387,41 @@ public class Function { } // 4) Change any Permissions with children matching this NS, and - Result> rpdc = q.permDAO.readChildren(trans,targetNs, targetName); + Result> rpdc = q.permDAO().readChildren(trans,targetNs, targetName); if (rpdc.isOKhasData()) { for (PermDAO.Data pdd : rpdc.value) { // Remove old Perm from Roles, save them off List lrdd = new ArrayList<>(); - - for(String rl : pdd.roles(false)) { + + for (String rl : pdd.roles(false)) { Result rrdd = RoleDAO.Data.decode(trans,q,rl); - if(rrdd.isOKhasData()) { + if (rrdd.isOKhasData()) { RoleDAO.Data rdd = rrdd.value; lrdd.add(rdd); - q.roleDAO.delPerm(trans, rdd, pdd); + q.roleDAO().delPerm(trans, rdd, pdd); } else{ trans.error().log(rrdd.errorString()); } } - + // Save off Old keys String delP1 = pdd.ns; String delP2 = pdd.type; pdd.ns = namespace.name; pdd.type = (delP2.length() > targetNameDot) ? delP2 .substring(targetNameDot) : ""; - if ((rq = q.permDAO.create(trans, pdd)).isOK()) { + if ((rq = q.permDAO().create(trans, pdd)).isOK()) { // Put Role back into Perm, with correct info - for(RoleDAO.Data rdd : lrdd) { - q.roleDAO.addPerm(trans, rdd, pdd); + for (RoleDAO.Data rdd : lrdd) { + q.roleDAO().addPerm(trans, rdd, pdd); } pdd.ns = delP1; pdd.type = delP2; - if ((rq = q.permDAO.delete(trans, pdd, false)).notOK()) { + if ((rq = q.permDAO().delete(trans, pdd, false)).notOK()) { eb.log(rq); - // } else { // Need to invalidate directly, because we're // switching places in NS, not normal cache behavior - // q.permDAO.invalidate(trans,pdd); } } else { eb.log(rq); @@ -427,7 +429,7 @@ public class Function { } } if (eb.hasErr()) { - return Result.err(Status.ERR_ActionNotCompleted,eb.sb.toString(), eb.vars()); + return Result.err(Status.ERR_ActionNotCompleted,eb.sb.toString(), (Object[])eb.vars()); } } return Result.ok(); @@ -449,11 +451,11 @@ public class Function { rd.perms = new HashSet<>(); rd.perms.add(pd.encode()); - eb.log(q.roleDAO.create(trans, rd)); + eb.log(q.roleDAO().create(trans, rd)); pd.roles = new HashSet<>(); pd.roles.add(rd.encode()); - eb.log(q.permDAO.create(trans, pd)); + eb.log(q.permDAO().create(trans, pd)); } private void addNSOwnerRolesPerms(AuthzTrans trans, ErrBuilder eb, String ns) { @@ -471,18 +473,18 @@ public class Function { rd.perms = new HashSet<>(); rd.perms.add(pd.encode()); - eb.log(q.roleDAO.create(trans, rd)); + eb.log(q.roleDAO().create(trans, rd)); pd.roles = new HashSet<>(); pd.roles.add(rd.encode()); - eb.log(q.permDAO.create(trans, pd)); + eb.log(q.permDAO().create(trans, pd)); } /** * deleteNS - * + * * Delete Namespace - * + * * @param trans * @param org * @param ns @@ -490,8 +492,8 @@ public class Function { * @param user * @return * @throws DAOException - * - * + * + * * To delete an NS, you need to: 1) validate permission to * modify this NS 2) Find all Roles with this NS, and 2a) if * Force, delete them, else modify to Parent NS 3) Find all @@ -504,7 +506,7 @@ public class Function { boolean move = trans.requested(REQD_TYPE.move); // 1) Validate Result> nsl; - if ((nsl = q.nsDAO.read(trans, ns)).notOKorIsEmpty()) { + if ((nsl = q.nsDAO().read(trans, ns)).notOKorIsEmpty()) { return Result.err(Status.ERR_NsNotFound, "%s does not exist", ns); } NsDAO.Data nsd = nsl.value.get(0); @@ -542,18 +544,18 @@ public class Function { ErrBuilder er = new ErrBuilder(); // 2a) Deny if any IDs on Namespace - Result> creds = q.credDAO.readNS(trans, ns); + Result> creds = q.credDAO().readNS(trans, ns); if (creds.isOKhasData()) { if (force || move) { for (CredDAO.Data cd : creds.value) { - er.log(q.credDAO.delete(trans, cd, false)); + er.log(q.credDAO().delete(trans, cd, false)); // Since we're deleting all the creds, we should delete all // the user Roles for that Cred - Result> rlurd = q.userRoleDAO + Result> rlurd = q.userRoleDAO() .readByUser(trans, cd.id); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { - q.userRoleDAO.delete(trans, data, false); + q.userRoleDAO().delete(trans, data, false); } } @@ -569,7 +571,7 @@ public class Function { // 2b) Find (or delete if forced flag is set) dependencies // First, find if NS Perms are the only ones - Result> rpdc = q.permDAO.readNS(trans, ns); + Result> rpdc = q.permDAO().readNS(trans, ns); if (rpdc.isOKhasData()) { // Since there are now NS perms, we have to count NON-NS perms. // FYI, if we delete them now, and the NS is not deleted, it is in @@ -594,7 +596,7 @@ public class Function { } } - Result> rrdc = q.roleDAO.readNS(trans, ns); + Result> rrdc = q.roleDAO().readNS(trans, ns); if (rrdc.isOKhasData()) { // Since there are now NS roles, we have to count NON-NS roles. // FYI, if we delete th)em now, and the NS is not deleted, it is in @@ -665,7 +667,7 @@ public class Function { } } - return q.nsDAO.delete(trans, nsd, false); + return q.nsDAO().delete(trans, nsd, false); } public Result> getOwners(AuthzTrans trans, String ns, @@ -698,7 +700,7 @@ public class Function { } else { if (org.isTestEnv()) { String reason2; - if((reason2 = org.validate(trans, Policy.AS_RESPONSIBLE, new CassExecutor(trans, this), id))==null) { + if ((reason2 = org.validate(trans, Policy.AS_RESPONSIBLE, new CassExecutor(trans, this), id))==null) { return Result.ok(); } else { trans.debug().log(reason2); @@ -722,11 +724,11 @@ public class Function { if (rq.notOK()) { return Result.err(rq); } - + rq = q.mayUser(trans, trans.user(), rq.value, Access.write); if (rq.notOK()) { - Result> ruinr = q.userRoleDAO.readUserInRole(trans, trans.user(),ns+".owner"); - if(!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) { + Result> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner"); + if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) { return Result.err(rq); } } @@ -739,7 +741,7 @@ public class Function { try { if (org.getIdentity(trans, user) == null) { return Result.err(Status.ERR_Denied, - "%s reports that %s is a faulty ID", org.getName(), + "%s reports that %s is an invalid ID", org.getName(), user); } return Result.ok(); @@ -748,15 +750,15 @@ public class Function { "%s is not a valid %s Credential", user, org.getName()); } //TODO find out how to make sure good ALTERNATE OAUTH DOMAIN USER -// } else if(user.endsWith(ALTERNATE OAUTH DOMAIN)) { +// } else if (user.endsWith(ALTERNATE OAUTH DOMAIN)) { // return Result.ok(); } else { - Result> cdr = q.credDAO.readID(trans, user); + Result> cdr = q.credDAO().readID(trans, user); if (cdr.notOKorIsEmpty()) { return Result.err(Status.ERR_Security, "%s is not a valid AAF Credential", user); } - + for (CredDAO.Data cd : cdr.value) { if (cd.expires.after(now)) { return Result.ok(); @@ -791,10 +793,10 @@ public class Function { } rq = q.mayUser(trans, trans.user(), rq.value, Access.write); - if (rq.notOK()) { + if (rq.notOK()) { // Even though not a "writer", Owners still determine who gets to be an Admin - Result> ruinr = q.userRoleDAO.readUserInRole(trans, trans.user(),ns+".owner"); - if(!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) { + Result> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner"); + if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) { return Result.err(rq); } } @@ -805,7 +807,7 @@ public class Function { /** * Helper function that moves permissions from a namespace being deleted to * its parent namespace - * + * * @param trans * @param parent * @param sb @@ -826,39 +828,39 @@ public class Function { } // Remove old Perm from Roles, save them off List lrdd = new ArrayList<>(); - - for(String rl : pdd.roles(false)) { + + for (String rl : pdd.roles(false)) { Result rrdd = RoleDAO.Data.decode(trans,q,rl); - if(rrdd.isOKhasData()) { + if (rrdd.isOKhasData()) { RoleDAO.Data rdd = rrdd.value; lrdd.add(rdd); - q.roleDAO.delPerm(trans, rdd, pdd); + q.roleDAO().delPerm(trans, rdd, pdd); } else{ trans.error().log(rrdd.errorString()); } } - + // Save off Old keys String delP1 = pdd.ns; NsSplit nss = new NsSplit(parent, pdd.fullType()); pdd.ns = nss.ns; pdd.type = nss.name; // Use direct Create/Delete, because switching namespaces - if ((pd = q.permDAO.create(trans, pdd)).isOK()) { + if ((pd = q.permDAO().create(trans, pdd)).isOK()) { // Put Role back into Perm, with correct info - for(RoleDAO.Data rdd : lrdd) { - q.roleDAO.addPerm(trans, rdd, pdd); + for (RoleDAO.Data rdd : lrdd) { + q.roleDAO().addPerm(trans, rdd, pdd); } pdd.ns = delP1; pdd.type = delP2; - if ((rv = q.permDAO.delete(trans, pdd, false)).notOK()) { + if ((rv = q.permDAO().delete(trans, pdd, false)).notOK()) { sb.append(rv.details); sb.append('\n'); // } else { // Need to invalidate directly, because we're switching // places in NS, not normal cache behavior - // q.permDAO.invalidate(trans,pdd); + // q.permDAO().invalidate(trans,pdd); } } else { sb.append(pd.details); @@ -871,7 +873,7 @@ public class Function { /** * Helper function that moves roles from a namespace being deleted to its * parent namespace - * + * * @param trans * @param parent * @param sb @@ -892,17 +894,17 @@ public class Function { } // Remove old Role from Perms, save them off List lpdd = new ArrayList<>(); - for(String p : rdd.perms(false)) { + for (String p : rdd.perms(false)) { Result rpdd = PermDAO.Data.decode(trans,q,p); - if(rpdd.isOKhasData()) { + if (rpdd.isOKhasData()) { PermDAO.Data pdd = rpdd.value; lpdd.add(pdd); - q.permDAO.delRole(trans, pdd, rdd); + q.permDAO().delRole(trans, pdd, rdd); } else{ trans.error().log(rpdd.errorString()); } } - + // Save off Old keys String delP1 = rdd.ns; @@ -910,21 +912,21 @@ public class Function { rdd.ns = nss.ns; rdd.name = nss.name; // Use direct Create/Delete, because switching namespaces - if ((rd = q.roleDAO.create(trans, rdd)).isOK()) { + if ((rd = q.roleDAO().create(trans, rdd)).isOK()) { // Put Role back into Perm, with correct info - for(PermDAO.Data pdd : lpdd) { - q.permDAO.addRole(trans, pdd, rdd); + for (PermDAO.Data pdd : lpdd) { + q.permDAO().addRole(trans, pdd, rdd); } rdd.ns = delP1; rdd.name = delP2; - if ((rv = q.roleDAO.delete(trans, rdd, true)).notOK()) { + if ((rv = q.roleDAO().delete(trans, rdd, true)).notOK()) { sb.append(rv.details); sb.append('\n'); // } else { // Need to invalidate directly, because we're switching // places in NS, not normal cache behavior - // q.roleDAO.invalidate(trans,rdd); + // q.roleDAO().invalidate(trans,rdd); } } else { sb.append(rd.details); @@ -937,9 +939,9 @@ public class Function { /** * Create Permission (and any missing Permission between this and Parent) if * we have permission - * + * * Pass in the desired Management Permission for this Permission - * + * * If Force is set, then Roles listed will be created, if allowed, * pre-granted. */ @@ -954,12 +956,12 @@ public class Function { return Result.err(rnsd); } } else { - rnsd = q.deriveNs(trans, perm.ns); + q.deriveNs(trans, perm.ns); } // Does Child exist? if (!trans.requested(REQD_TYPE.force)) { - if (q.permDAO.read(trans, perm).isOKhasData()) { + if (q.permDAO().read(trans, perm).isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "Permission [%s.%s|%s|%s] already exists.", perm.ns, perm.type, perm.instance, perm.action); @@ -973,7 +975,7 @@ public class Function { // For each Role for (String role : roles = perm.roles(true)) { Result rdd = RoleDAO.Data.decode(trans,q,role); - if(rdd.isOKhasData()) { + if (rdd.isOKhasData()) { RoleDAO.Data rd = rdd.value; if (!fromApproval) { // May User write to the Role in question. @@ -989,25 +991,25 @@ public class Function { } Result> rlrd; - if ((rlrd = q.roleDAO.read(trans, rd)).notOKorIsEmpty()) { + if ((rlrd = q.roleDAO().read(trans, rd)).notOKorIsEmpty()) { rd.perms(true).add(pstring); - if (q.roleDAO.create(trans, rd).notOK()) { + if (q.roleDAO().create(trans, rd).notOK()) { roles.remove(role); // Role doesn't exist, and can't be // created } } else { rd = rlrd.value.get(0); if (!rd.perms.contains(pstring)) { - q.roleDAO.addPerm(trans, rd, perm); + q.roleDAO().addPerm(trans, rd, perm); } } } } - Result pdr = q.permDAO.create(trans, perm); + Result pdr = q.permDAO().create(trans, perm); if (pdr.isOK()) { return Result.ok(); - } else { + } else { return Result.err(pdr); } } @@ -1024,7 +1026,7 @@ public class Function { } } // Does Perm exist? - Result> pdr = q.permDAO.read(trans, perm); + Result> pdr = q.permDAO().read(trans, perm); if (pdr.notOKorIsEmpty()) { return Result.err(Status.ERR_PermissionNotFound,"Permission [%s.%s|%s|%s] does not exist.", perm.ns,perm.type, perm.instance, perm.action); @@ -1034,13 +1036,13 @@ public class Function { // Attached to any Roles? if (fullperm.roles != null) { - if (force) { + if (force || fullperm.roles.contains(user+":user")) { for (String role : fullperm.roles) { Result rv = null; Result rrdd = RoleDAO.Data.decode(trans, q, role); - if(rrdd.isOKhasData()) { + if (rrdd.isOKhasData()) { trans.debug().log("Removing", role, "from", fullperm, "on Perm Delete"); - if ((rv = q.roleDAO.delPerm(trans, rrdd.value, fullperm)).notOK()) { + if ((rv = q.roleDAO().delPerm(trans, rrdd.value, fullperm)).notOK()) { if (rv.notOK()) { trans.error().log("Error removing Role during delFromPermRole: ", trans.getUserPrincipal(), @@ -1054,12 +1056,12 @@ public class Function { } else if (!fullperm.roles.isEmpty()) { return Result .err(Status.ERR_DependencyExists, - "Permission [%s.%s|%s|%s] cannot be deleted as it is attached to 1 or more roles.", - fullperm.ns, fullperm.type, fullperm.instance, fullperm.action); + "Permission [%s] cannot be deleted as it is attached to 1 or more roles.", + fullperm.fullPerm()); } } - return q.permDAO.delete(trans, fullperm, false); + return q.permDAO().delete(trans, fullperm, false); } public Result deleteRole(final AuthzTrans trans, final RoleDAO.Data role, boolean force, boolean fromApproval) { @@ -1075,11 +1077,11 @@ public class Function { } // Are there any Users Attached to Role? - Result> urdr = q.userRoleDAO.readByRole(trans,role.fullName()); + Result> urdr = q.userRoleDAO().readByRole(trans,role.fullName()); if (force) { if (urdr.isOKhasData()) { for (UserRoleDAO.Data urd : urdr.value) { - q.userRoleDAO.delete(trans, urd, false); + q.userRoleDAO().delete(trans, urd, false); } } } else if (urdr.isOKhasData()) { @@ -1089,7 +1091,7 @@ public class Function { } // Does Role exist? - Result> rdr = q.roleDAO.read(trans, role); + Result> rdr = q.roleDAO().read(trans, role); if (rdr.notOKorIsEmpty()) { return Result.err(Status.ERR_RoleNotFound, "Role [%s.%s] does not exist", role.ns, role.name); @@ -1103,7 +1105,7 @@ public class Function { if (rpd.isOK()) { trans.debug().log("Removing", perm, "from", fullrole,"on Role Delete"); - Result r = q.permDAO.delRole(trans, rpd.value, fullrole); + Result r = q.permDAO().delRole(trans, rpd.value, fullrole); if (r.notOK()) { trans.error().log("ERR_FDR1 unable to remove",fullrole,"from",perm,':',r.status,'-',r.details); } @@ -1112,15 +1114,15 @@ public class Function { } } } - return q.roleDAO.delete(trans, fullrole, false); + return q.roleDAO().delete(trans, fullrole, false); } /** * Only owner of Permission may add to Role - * + * * If force set, however, Role will be created before Grant, if User is * allowed to create. - * + * * @param trans * @param role * @param pd @@ -1128,33 +1130,33 @@ public class Function { */ public Result addPermToRole(AuthzTrans trans, RoleDAO.Data role,PermDAO.Data pd, boolean fromApproval) { String user = trans.user(); - + if (!fromApproval) { Result rRoleCo = q.deriveFirstNsForType(trans, role.ns, NsType.COMPANY); - if(rRoleCo.notOK()) { + if (rRoleCo.notOK()) { return Result.err(rRoleCo); } Result rPermCo = q.deriveFirstNsForType(trans, pd.ns, NsType.COMPANY); - if(rPermCo.notOK()) { + if (rPermCo.notOK()) { return Result.err(rPermCo); } // Not from same company - if(!rRoleCo.value.name.equals(rPermCo.value.name)) { + if (!rRoleCo.value.name.equals(rPermCo.value.name)) { Result r; // Only grant if User ALSO has Write ability in Other Company - if((r = q.mayUser(trans, user, role, Access.write)).notOK()) { + if ((r = q.mayUser(trans, user, role, Access.write)).notOK()) { return Result.err(r); } } - + // Must be Perm Admin, or Granted Special Permission Result ucp = q.mayUser(trans, user, pd, Access.write); if (ucp.notOK()) { // Don't allow CLI potential Grantees to change their own AAF // Perms, - if ((ROOT_NS.equals(pd.ns) && Question.NS.equals(pd.type)) + if ((ROOT_NS.equals(pd.ns) && Question.NS.equals(pd.type)) || !q.isGranted(trans, trans.user(),ROOT_NS,Question.PERM, rPermCo.value.name, "grant")) { // Not otherwise granted // TODO Needed? @@ -1162,7 +1164,7 @@ public class Function { } // Final Check... Don't allow Grantees to add to Roles they are // part of - Result> rlurd = q.userRoleDAO + Result> rlurd = q.userRoleDAO() .readByUser(trans, trans.user()); if (rlurd.isOK()) { for (UserRoleDAO.Data ur : rlurd.value) { @@ -1174,13 +1176,13 @@ public class Function { } } - Result> rlpd = q.permDAO.read(trans, pd); + Result> rlpd = q.permDAO().read(trans, pd); if (rlpd.notOKorIsEmpty()) { return Result.err(Status.ERR_PermissionNotFound, "Permission must exist to add to Role"); } - Result> rlrd = q.roleDAO.read(trans, role); // Already + Result> rlrd = q.roleDAO().read(trans, role); // Already // Checked // for // can @@ -1200,7 +1202,7 @@ public class Function { } role.perms(true).add(pd.encode()); - Result rdd = q.roleDAO.create(trans, role); + Result rdd = q.roleDAO().create(trans, role); if (rdd.isOK()) { rv = Result.ok(); } else { @@ -1220,10 +1222,10 @@ public class Function { role.perms(true).add(pd.encode()); // this is added for Caching // access purposes... doesn't // affect addPerm - rv = q.roleDAO.addPerm(trans, role, pd); + rv = q.roleDAO().addPerm(trans, role, pd); } if (rv.status == Status.OK) { - return q.permDAO.addRole(trans, pd, role); + return q.permDAO().addRole(trans, pd, role); // exploring how to add information message to successful http // request } @@ -1232,7 +1234,7 @@ public class Function { /** * Either Owner of Role or Permission may delete from Role - * + * * @param trans * @param role * @param pd @@ -1254,13 +1256,13 @@ public class Function { } } - Result> rlr = q.roleDAO.read(trans, role); + Result> rlr = q.roleDAO().read(trans, role); if (rlr.notOKorIsEmpty()) { // If Bad Data, clean out - Result> rlp = q.permDAO.read(trans, pd); + Result> rlp = q.permDAO().read(trans, pd); if (rlp.isOKhasData()) { for (PermDAO.Data pv : rlp.value) { - q.permDAO.delRole(trans, pv, role); + q.permDAO().delRole(trans, pv, role); } } return Result.err(rlr); @@ -1279,7 +1281,7 @@ public class Function { break; } } - if(!notFound) { + if (!notFound) { break; } } @@ -1292,12 +1294,12 @@ public class Function { } // Read Perm for full data - Result> rlp = q.permDAO.read(trans, pd); + Result> rlp = q.permDAO().read(trans, pd); Result rv = null; if (rlp.isOKhasData()) { for (PermDAO.Data pv : rlp.value) { - if ((rv = q.permDAO.delRole(trans, pv, role)).isOK()) { - if ((rv = q.roleDAO.delPerm(trans, role, pv)).notOK()) { + if ((rv = q.permDAO().delRole(trans, pv, role)).isOK()) { + if ((rv = q.roleDAO().delPerm(trans, role, pv)).notOK()) { trans.error().log( "Error removing Perm during delFromPermRole:", trans.getUserPrincipal(), rv.errorString()); @@ -1309,7 +1311,7 @@ public class Function { } } } else { - rv = q.roleDAO.delPerm(trans, role, pd); + rv = q.roleDAO().delPerm(trans, role, pd); if (rv.notOK()) { trans.error().log("Error removing Role during delFromPermRole", rv.errorString()); @@ -1331,10 +1333,10 @@ public class Function { /** * Add a User to Role - * + * * 1) Role must exist 2) User must be a known Credential (i.e. mechID ok if * Credential) or known Organizational User - * + * * @param trans * @param org * @param urData @@ -1343,42 +1345,40 @@ public class Function { */ public Result addUserRole(AuthzTrans trans,UserRoleDAO.Data urData) { Result rv; - if(Question.ADMIN.equals(urData.rname)) { + if (Question.ADMIN.equals(urData.rname)) { rv = mayAddAdmin(trans, urData.ns, urData.user); - } else if(Question.OWNER.equals(urData.rname)) { + } else if (Question.OWNER.equals(urData.rname)) { rv = mayAddOwner(trans, urData.ns, urData.user); } else { rv = checkValidID(trans, new Date(), urData.user); } - if(rv.notOK()) { - return rv; + if (rv.notOK()) { + return rv; } - + // Check if record exists - if (q.userRoleDAO.read(trans, urData).isOKhasData()) { + if (q.userRoleDAO().read(trans, urData).isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "User Role exists"); } - if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) { + if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) { return Result.err(Status.ERR_RoleNotFound, "Role [%s.%s] does not exist", urData.ns, urData.rname); } urData.expires = trans.org().expiration(null, Expiration.UserInRole, urData.user).getTime(); - - - Result udr = q.userRoleDAO.create(trans, urData); - switch (udr.status) { - case OK: + + + Result udr = q.userRoleDAO().create(trans, urData); + if (udr.status == OK) { return Result.ok(); - default: - return Result.err(udr); } + return Result.err(udr); } public Result addUserRole(AuthzTrans trans, String user, String ns, String rname) { try { - if(trans.org().getIdentity(trans, user)==null) { + if (trans.org().getIdentity(trans, user)==null) { return Result.err(Result.ERR_BadData,user+" is an Invalid Identity for " + trans.org().getName()); } } catch (OrganizationException e) { @@ -1393,9 +1393,9 @@ public class Function { /** * Extend User Role. - * + * * extend the Expiration data, according to Organization rules. - * + * * @param trans * @param org * @param urData @@ -1403,12 +1403,12 @@ public class Function { */ public Result extendUserRole(AuthzTrans trans, UserRoleDAO.Data urData, boolean checkForExist) { // Check if record still exists - if (checkForExist && q.userRoleDAO.read(trans, urData).notOKorIsEmpty()) { + if (checkForExist && q.userRoleDAO().read(trans, urData).notOKorIsEmpty()) { return Result.err(Status.ERR_UserRoleNotFound, "User Role does not exist"); } - - if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) { + + if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) { return Result.err(Status.ERR_RoleNotFound, "Role [%s.%s] does not exist", urData.ns,urData.rname); } @@ -1422,7 +1422,7 @@ public class Function { // time // starting // today - return q.userRoleDAO.update(trans, urData); + return q.userRoleDAO().update(trans, urData); } // //////////////////////////////////////////////////// @@ -1433,7 +1433,7 @@ public class Function { // Roles // //////////////////////////////////////////////////// public Result> getUsersByRole(AuthzTrans trans, String role, boolean includeExpired) { - Result> rurdd = q.userRoleDAO.readByRole(trans,role); + Result> rurdd = q.userRoleDAO().readByRole(trans,role); if (rurdd.notOK()) { return Result.err(rurdd); } @@ -1452,7 +1452,7 @@ public class Function { UserRoleDAO.Data urdd = new UserRoleDAO.Data(); urdd.user = user; urdd.role(ns,rname); - Result> r = q.userRoleDAO.read(trans, urdd); + Result> r = q.userRoleDAO().read(trans, urdd); if (r.status == 404 || r.isEmpty()) { return Result.err(Status.ERR_UserRoleNotFound, "UserRole [%s] [%s.%s]", user, ns, rname); @@ -1461,7 +1461,7 @@ public class Function { return Result.err(r); } - return q.userRoleDAO.delete(trans, urdd, false); + return q.userRoleDAO().delete(trans, urdd, false); } public Result createFuture(AuthzTrans trans, FutureDAO.Data data, String id, String user, @@ -1473,12 +1473,12 @@ public class Function { List approvers = op.equals(FUTURE_OP.A)?NO_ADDL_APPROVE:org.getApprovers(trans, user); List owners = new ArrayList<>(); if (nsd != null) { - Result> rrbr = q.userRoleDAO + Result> rrbr = q.userRoleDAO() .readByRole(trans, nsd.name + Question.DOT_OWNER); if (rrbr.isOKhasData()) { - for(UserRoleDAO.Data urd : rrbr.value) { + for (UserRoleDAO.Data urd : rrbr.value) { Identity owner = org.getIdentity(trans, urd.user); - if(owner==null) { + if (owner==null) { return Result.err(Result.ERR_NotFound,urd.user + " is not a Valid Owner of " + nsd.name); } else { owners.add(owner); @@ -1486,32 +1486,32 @@ public class Function { } } } - - if(owners.isEmpty()) { + + if (owners.isEmpty()) { return Result.err(Result.ERR_NotFound,"No Owners found for " + nsd.name); } - + // Create Future Object - - Result fr = q.futureDAO.create(trans, data, id); + + Result fr = q.futureDAO().create(trans, data, id); if (fr.isOK()) { sb.append("Created Future: "); sb.append(data.id); // User Future ID as ticket for Approvals final UUID ticket = fr.value.id; sb.append(", Approvals: "); - Boolean first[] = new Boolean[]{true}; - if(op!=FUTURE_OP.A) { + Boolean[] first = new Boolean[]{true}; + if (op!=FUTURE_OP.A) { for (Identity u : approvers) { Result r = addIdentity(trans,sb,first,user,data.memo,op,u,ticket,org.getApproverType()); - if(r.notOK()) { + if (r.notOK()) { return Result.err(r); } } } for (Identity u : owners) { Result r = addIdentity(trans,sb,first,user,data.memo,op,u,ticket,"owner"); - if(r.notOK()) { + if (r.notOK()) { return Result.err(r); } } @@ -1519,7 +1519,7 @@ public class Function { } catch (Exception e) { return Result.err(e); } - + return Result.ok(sb.toString()); } @@ -1529,12 +1529,12 @@ public class Function { public interface Lookup { T get(AuthzTrans trans, Object ... keys); } - + public Lookup urDBLookup = new Lookup() { @Override public UserRoleDAO.Data get(AuthzTrans trans, Object ... keys) { - Result> r = q.userRoleDAO.read(trans, keys); - if(r.isOKhasData()) { + Result> r = q.userRoleDAO().read(trans, keys); + if (r.isOKhasData()) { return r.value.get(0); } else { return null; @@ -1543,11 +1543,11 @@ public class Function { }; /** - * Note: if "allApprovals for Ticket is null, it will be looked up. + * Note: if "allApprovals for Ticket is null, it will be looked up. * if "fdd" is null, it will be looked up, but - * + * * They can be passed for performance reasons. - * + * * @param trans * @param cd * @param allApprovalsForTicket @@ -1556,19 +1556,19 @@ public class Function { public Result performFutureOp(final AuthzTrans trans, FUTURE_OP fop, FutureDAO.Data curr, Lookup> la, Lookup lur) { // Pre-Evaluate if ReApproval is already done. UserRoleDAO.Data urdd = null; - if(fop.equals(FUTURE_OP.A) && curr.target.equals(FOP_USER_ROLE) && curr.construct!=null) { + if (fop.equals(FUTURE_OP.A) && curr.target.equals(FOP_USER_ROLE) && curr.construct!=null) { try { // Get Expected UserRole from Future urdd = new UserRoleDAO.Data(); urdd.reconstitute(curr.construct); // Get Current UserRole from lookup UserRoleDAO.Data lurdd = lur.get(trans, urdd.user,urdd.role); - if(lurdd==null) { - q.futureDAO.delete(trans, curr, false); + if (lurdd==null) { + q.futureDAO().delete(trans, curr, false); return OP_STATUS.RL; } else { - if(curr.expires.compareTo(lurdd.expires)<0) { - q.futureDAO.delete(trans, curr, false); + if (curr.expires.compareTo(lurdd.expires)<0) { + q.futureDAO().delete(trans, curr, false); return OP_STATUS.RL; } } @@ -1576,46 +1576,44 @@ public class Function { return Result.err(Result.ERR_BadData,"Cannot reconstitute %1",curr.memo); } } - + boolean aDenial = false; int cntSuper=0, appSuper=0,cntOwner=0, appOwner=0; - for(ApprovalDAO.Data add : la.get(trans)) { + for (ApprovalDAO.Data add : la.get(trans)) { switch(add.status) { case "approved": - if("owner".equals(add.type)) { + if ("owner".equals(add.type)) { ++cntOwner; ++appOwner; - } else if("supervisor".equals(add.type)) { + } else if ("supervisor".equals(add.type)) { ++cntSuper; ++appSuper; } break; case "pending": - if("owner".equals(add.type)) { + if ("owner".equals(add.type)) { ++cntOwner; - } else if("supervisor".equals(add.type)) { + } else if ("supervisor".equals(add.type)) { ++cntSuper; } break; case "denied": aDenial=true; break; + default: + break; } } - + Result ros=null; - if(aDenial) { - // Note: Denial will be Audit-logged. -// for (ApprovalDAO.Data ad : allApprovalsForTicket.value) { -// q.approvalDAO.delete(trans, ad, false); -// } + if (aDenial) { ros = OP_STATUS.RD; - if(q.futureDAO.delete(trans, curr, false).notOK()) { + if (q.futureDAO().delete(trans, curr, false).notOK()) { trans.info().printf("Future %s could not be deleted", curr.id.toString()); } else { if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) { // A Denial means we must remove UserRole - if(fop.equals(FUTURE_OP.U) || fop.equals(FUTURE_OP.A)) { + if (fop.equals(FUTURE_OP.U) || fop.equals(FUTURE_OP.A)) { UserRoleDAO.Data data = new UserRoleDAO.Data(); try { data.reconstitute(curr.construct); @@ -1627,11 +1625,11 @@ public class Function { } } } - + // Decision: If not Denied, and at least owner, if exists, and at least one Super, if exists boolean goDecision = (cntOwner>0?appOwner>0:true) && (cntSuper>0?appSuper>0:true); - if(goDecision) { + if (goDecision) { // should check if any other pendings before performing // actions try { @@ -1640,7 +1638,7 @@ public class Function { data.reconstitute(curr.construct); switch(fop) { case C: - ros = set(OP_STATUS.RE,q.roleDAO.dao().create(trans, data)); + ros = set(OP_STATUS.RE,q.roleDAO().dao().create(trans, data)); break; case D: ros = set(OP_STATUS.RE,deleteRole(trans, data, true, true)); @@ -1684,7 +1682,7 @@ public class Function { default: } } else if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) { - if(urdd==null) { + if (urdd==null) { urdd = new UserRoleDAO.Data(); urdd.reconstitute(curr.construct); } @@ -1702,59 +1700,53 @@ public class Function { } else if (FOP_NS.equalsIgnoreCase(curr.target)) { Namespace namespace = new Namespace(); namespace.reconstitute(curr.construct); - switch(fop) { - case C: - ros = set(OP_STATUS.RE,createNS(trans, namespace, true)); - break; - default: + if (fop == FUTURE_OP.C) { + ros = set(OP_STATUS.RE, createNS(trans, namespace, true)); } } else if (FOP_DELEGATE.equalsIgnoreCase(curr.target)) { DelegateDAO.Data data = new DelegateDAO.Data(); data.reconstitute(curr.construct); switch(fop) { case C: - ros = set(OP_STATUS.RE,q.delegateDAO.create(trans, data)); + ros = set(OP_STATUS.RE,q.delegateDAO().create(trans, data)); break; case U: - ros = set(OP_STATUS.RE,q.delegateDAO.update(trans, data)); + ros = set(OP_STATUS.RE,q.delegateDAO().update(trans, data)); break; default: } } else if (FOP_CRED.equalsIgnoreCase(curr.target)) { CredDAO.Data data = new CredDAO.Data(); data.reconstitute(curr.construct); - switch(fop) { - case C: - ros = set(OP_STATUS.RE,q.credDAO.dao().create(trans, data)); - break; - default: + if (fop == FUTURE_OP.C) { + ros = set(OP_STATUS.RE, q.credDAO().dao().create(trans, data)); } - } + } } catch (Exception e) { trans.error().log("Exception: ", e.getMessage(), " \n occurred while performing", curr.memo, " from Ticket ", curr.id.toString()); } - q.futureDAO.delete(trans, curr, false); + q.futureDAO().delete(trans, curr, false); } // end for goDecision - if(ros==null) { + if (ros==null) { //return Result.err(Status.ACC_Future, "Full Approvals not obtained: No action taken"); ros = OP_STATUS.RP; } - + return ros; } // Convenience method for setting OPSTatus Results private Result set(Result rs, Result orig) { - if(orig.isOK()) { + if (orig.isOK()) { return rs; } else { return Result.err(orig); } } - private Result addIdentity(AuthzTrans trans, StringBuilder sb, + private Result addIdentity(AuthzTrans trans, StringBuilder sb, Boolean[] first, String user, String memo, FUTURE_OP op, Identity u, UUID ticket, String type) throws OrganizationException { ApprovalDAO.Data ad = new ApprovalDAO.Data(); // Note ad.id is set by ApprovalDAO Create @@ -1766,9 +1758,9 @@ public class Function { ad.type = type; ad.operation = op.name(); // Note ad.updated is created in System - Result r = q.approvalDAO.create(trans,ad); - if(r.isOK()) { - if(first[0]) { + Result r = q.approvalDAO().create(trans,ad); + if (r.isOK()) { + if (first[0]) { first[0] = false; } else { sb.append(", ");