X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-cass%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fdao%2Fhl%2FFunction.java;h=c59312c02be29e37980987f4ca445e09e85154eb;hb=1338680ef142f9a33ee32a00b07c7d2ae658cb3a;hp=f3aae2ec8b7b3c55b47041605153faebe2223b44;hpb=4b5a7d721d994a49057e9bfb403c7bff1b376660;p=aaf%2Fauthz.git diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java index f3aae2ec..c59312c0 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java @@ -81,9 +81,9 @@ public class Function { * @return */ public static FUTURE_OP toFO(String value) { - if(value!=null) { - for(FUTURE_OP fo : values()) { - if(fo.name().equals(value)){ + if (value!=null) { + for (FUTURE_OP fo : values()) { + if (fo.name().equals(value)){ return fo; } } @@ -136,11 +136,8 @@ public class Function { sb = new StringBuilder(); ao = new ArrayList<>(); } - sb.append(result.details); + sb.append(String.format(result.details,result.variables)); sb.append('\n'); - for (String s : result.variables) { - ao.add(s); - } } } @@ -181,11 +178,6 @@ public class Function { */ public Result createNS(AuthzTrans trans, Namespace namespace, boolean fromApproval) { Result rq; -// if (namespace.name.endsWith(Question.DOT_ADMIN) -// || namespace.name.endsWith(Question.DOT_OWNER)) { -// return Result.err(Status.ERR_BadData, -// "'admin' and 'owner' are reserved names in AAF"); -// } try { for (String u : namespace.owner) { @@ -194,16 +186,16 @@ public class Function { String reason; if (orgUser == null) { return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName()); - } else if((reason=orgUser.mayOwn())!=null) { + } else if ((reason=orgUser.mayOwn())!=null) { if (org.isTestEnv()) { String reason2; - if((reason2=org.validate(trans, Policy.AS_RESPONSIBLE,new CassExecutor(trans, this), u))!=null) { // can masquerade as responsible + if ((reason2=org.validate(trans, Policy.AS_RESPONSIBLE,new CassExecutor(trans, this), u))!=null) { // can masquerade as responsible trans.debug().log(reason2); return Result.err(Status.ERR_Policy,CANNOT_BE_THE_OWNER_OF_A_NAMESPACE,orgUser.fullName(),orgUser.id(),namespace.name,reason); } // a null means ok } else { - if(orgUser.isFound()) { + if (orgUser.isFound()) { return Result.err(Status.ERR_Policy,CANNOT_BE_THE_OWNER_OF_A_NAMESPACE,orgUser.fullName(),orgUser.id(),namespace.name, reason); } else { return Result.err(Status.ERR_Policy,u + " is an invalid Identity"); @@ -235,6 +227,7 @@ public class Function { if (rparent.notOK()) { return Result.err(rparent); } + parent = rparent.value.parent; if (!fromApproval) { rparent = q.mayUser(trans, user, rparent.value, Access.write); if (rparent.notOK()) { @@ -242,12 +235,25 @@ public class Function { } } parent = namespace.parent = rparent.value.name; // Correct Namespace from real data + String cname = parent.length()<1 || namespace.name.equals(parent)?null:namespace.name.substring(parent.length()+1); // 2) Does requested NS exist - if (q.nsDAO.read(trans, namespace.name).isOKhasData()) { + if (q.nsDAO().read(trans, namespace.name).isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "Target Namespace already exists"); } + + // 2.1) Does role exist with that name + if(cname!=null && q.roleDAO().read(trans, parent, cname).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Role exists with that name"); + } + + // 2.2) Do perms exist with that name + if(cname!=null && q.permDAO().readByType(trans, parent, cname).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Perms exist with that name"); + } // Someone must be responsible. if (namespace.owner == null || namespace.owner.isEmpty()) { @@ -267,9 +273,6 @@ public class Function { // or helpful for Operations folks.. // Admins can be empty, because they can be changed by lower level // NSs - // if(ns.admin(false).isEmpty()) { - // ns.admin(true).add(user); - // } if (namespace.admin != null) { for (String u : namespace.admin) { if ((r = checkValidID(trans, now, u)).notOK()) { @@ -294,7 +297,7 @@ public class Function { } // VALIDATIONS done... Add NS - if ((rq = q.nsDAO.create(trans, namespace.data())).notOK()) { + if ((rq = q.nsDAO().create(trans, namespace.data())).notOK()) { return Result.err(rq); } @@ -307,12 +310,12 @@ public class Function { urdd.role(namespace.name, Question.ADMIN); for (String admin : namespace.admin) { urdd.user = admin; - eb.log(q.userRoleDAO.create(trans, urdd)); + eb.log(q.userRoleDAO().create(trans, urdd)); } urdd.role(namespace.name,Question.OWNER); for (String owner : namespace.owner) { urdd.user = owner; - eb.log(q.userRoleDAO.create(trans, urdd)); + eb.log(q.userRoleDAO().create(trans, urdd)); } addNSAdminRolesPerms(trans, eb, namespace.name); @@ -329,17 +332,17 @@ public class Function { int targetNameDot = targetName.length() + 1; // 4) Change any roles with children matching this NS, and - Result> rrdc = q.roleDAO.readChildren(trans, targetNs, targetName); + Result> rrdc = q.roleDAO().readChildren(trans, targetNs, targetName); if (rrdc.isOKhasData()) { for (RoleDAO.Data rdd : rrdc.value) { // Remove old Role from Perms, save them off List lpdd = new ArrayList<>(); - for(String p : rdd.perms(false)) { + for (String p : rdd.perms(false)) { Result rpdd = PermDAO.Data.decode(trans,q,p); - if(rpdd.isOKhasData()) { + if (rpdd.isOKhasData()) { PermDAO.Data pdd = rpdd.value; lpdd.add(pdd); - q.permDAO.delRole(trans, pdd, rdd); + q.permDAO().delRole(trans, pdd, rdd); } else{ trans.error().log(rpdd.errorString()); } @@ -356,24 +359,24 @@ public class Function { // Need to use non-cached, because switching namespaces, not // "create" per se - if ((rq = q.roleDAO.create(trans, rdd)).isOK()) { + if ((rq = q.roleDAO().create(trans, rdd)).isOK()) { // Put Role back into Perm, with correct info - for(PermDAO.Data pdd : lpdd) { - q.permDAO.addRole(trans, pdd, rdd); + for (PermDAO.Data pdd : lpdd) { + q.permDAO().addRole(trans, pdd, rdd); } // Change data for User Roles - Result> rurd = q.userRoleDAO.readByRole(trans, rdd.fullName()); - if(rurd.isOKhasData()) { - for(UserRoleDAO.Data urd : rurd.value) { + Result> rurd = q.userRoleDAO().readByRole(trans, rdd.fullName()); + if (rurd.isOKhasData()) { + for (UserRoleDAO.Data urd : rurd.value) { urd.ns = rdd.ns; urd.rname = rdd.name; - q.userRoleDAO.update(trans, urd); + q.userRoleDAO().update(trans, urd); } } // Now delete old one rdd.ns = delP1; rdd.name = delP2; - if ((rq = q.roleDAO.delete(trans, rdd, false)).notOK()) { + if ((rq = q.roleDAO().delete(trans, rdd, false)).notOK()) { eb.log(rq); } } else { @@ -383,18 +386,18 @@ public class Function { } // 4) Change any Permissions with children matching this NS, and - Result> rpdc = q.permDAO.readChildren(trans,targetNs, targetName); + Result> rpdc = q.permDAO().readChildren(trans,targetNs, targetName); if (rpdc.isOKhasData()) { for (PermDAO.Data pdd : rpdc.value) { // Remove old Perm from Roles, save them off List lrdd = new ArrayList<>(); - for(String rl : pdd.roles(false)) { + for (String rl : pdd.roles(false)) { Result rrdd = RoleDAO.Data.decode(trans,q,rl); - if(rrdd.isOKhasData()) { + if (rrdd.isOKhasData()) { RoleDAO.Data rdd = rrdd.value; lrdd.add(rdd); - q.roleDAO.delPerm(trans, rdd, pdd); + q.roleDAO().delPerm(trans, rdd, pdd); } else{ trans.error().log(rrdd.errorString()); } @@ -406,20 +409,18 @@ public class Function { pdd.ns = namespace.name; pdd.type = (delP2.length() > targetNameDot) ? delP2 .substring(targetNameDot) : ""; - if ((rq = q.permDAO.create(trans, pdd)).isOK()) { + if ((rq = q.permDAO().create(trans, pdd)).isOK()) { // Put Role back into Perm, with correct info - for(RoleDAO.Data rdd : lrdd) { - q.roleDAO.addPerm(trans, rdd, pdd); + for (RoleDAO.Data rdd : lrdd) { + q.roleDAO().addPerm(trans, rdd, pdd); } pdd.ns = delP1; pdd.type = delP2; - if ((rq = q.permDAO.delete(trans, pdd, false)).notOK()) { + if ((rq = q.permDAO().delete(trans, pdd, false)).notOK()) { eb.log(rq); - // } else { // Need to invalidate directly, because we're // switching places in NS, not normal cache behavior - // q.permDAO.invalidate(trans,pdd); } } else { eb.log(rq); @@ -427,7 +428,7 @@ public class Function { } } if (eb.hasErr()) { - return Result.err(Status.ERR_ActionNotCompleted,eb.sb.toString(), eb.vars()); + return Result.err(Status.ERR_ActionNotCompleted,eb.sb.toString(), (Object[])eb.vars()); } } return Result.ok(); @@ -449,11 +450,11 @@ public class Function { rd.perms = new HashSet<>(); rd.perms.add(pd.encode()); - eb.log(q.roleDAO.create(trans, rd)); + eb.log(q.roleDAO().create(trans, rd)); pd.roles = new HashSet<>(); pd.roles.add(rd.encode()); - eb.log(q.permDAO.create(trans, pd)); + eb.log(q.permDAO().create(trans, pd)); } private void addNSOwnerRolesPerms(AuthzTrans trans, ErrBuilder eb, String ns) { @@ -471,11 +472,11 @@ public class Function { rd.perms = new HashSet<>(); rd.perms.add(pd.encode()); - eb.log(q.roleDAO.create(trans, rd)); + eb.log(q.roleDAO().create(trans, rd)); pd.roles = new HashSet<>(); pd.roles.add(rd.encode()); - eb.log(q.permDAO.create(trans, pd)); + eb.log(q.permDAO().create(trans, pd)); } /** @@ -504,7 +505,7 @@ public class Function { boolean move = trans.requested(REQD_TYPE.move); // 1) Validate Result> nsl; - if ((nsl = q.nsDAO.read(trans, ns)).notOKorIsEmpty()) { + if ((nsl = q.nsDAO().read(trans, ns)).notOKorIsEmpty()) { return Result.err(Status.ERR_NsNotFound, "%s does not exist", ns); } NsDAO.Data nsd = nsl.value.get(0); @@ -542,18 +543,18 @@ public class Function { ErrBuilder er = new ErrBuilder(); // 2a) Deny if any IDs on Namespace - Result> creds = q.credDAO.readNS(trans, ns); + Result> creds = q.credDAO().readNS(trans, ns); if (creds.isOKhasData()) { if (force || move) { for (CredDAO.Data cd : creds.value) { - er.log(q.credDAO.delete(trans, cd, false)); + er.log(q.credDAO().delete(trans, cd, false)); // Since we're deleting all the creds, we should delete all // the user Roles for that Cred - Result> rlurd = q.userRoleDAO + Result> rlurd = q.userRoleDAO() .readByUser(trans, cd.id); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { - q.userRoleDAO.delete(trans, data, false); + q.userRoleDAO().delete(trans, data, false); } } @@ -569,7 +570,7 @@ public class Function { // 2b) Find (or delete if forced flag is set) dependencies // First, find if NS Perms are the only ones - Result> rpdc = q.permDAO.readNS(trans, ns); + Result> rpdc = q.permDAO().readNS(trans, ns); if (rpdc.isOKhasData()) { // Since there are now NS perms, we have to count NON-NS perms. // FYI, if we delete them now, and the NS is not deleted, it is in @@ -594,7 +595,7 @@ public class Function { } } - Result> rrdc = q.roleDAO.readNS(trans, ns); + Result> rrdc = q.roleDAO().readNS(trans, ns); if (rrdc.isOKhasData()) { // Since there are now NS roles, we have to count NON-NS roles. // FYI, if we delete th)em now, and the NS is not deleted, it is in @@ -627,7 +628,12 @@ public class Function { return Result.err(Status.ERR_DependencyExists, sb.toString()); } - if (move && (parent == null || parent.type == NsType.COMPANY.type)) { + if (move && parent == null) { + return Result + .err(Status.ERR_DependencyExists, + "Cannot move users, roles or permissions - parent is missing.\nDelete dependencies and try again"); + } + else if (move && parent.type == NsType.COMPANY.type) { return Result .err(Status.ERR_DependencyExists, "Cannot move users, roles or permissions to [%s].\nDelete dependencies and try again", @@ -665,7 +671,7 @@ public class Function { } } - return q.nsDAO.delete(trans, nsd, false); + return q.nsDAO().delete(trans, nsd, false); } public Result> getOwners(AuthzTrans trans, String ns, @@ -698,7 +704,7 @@ public class Function { } else { if (org.isTestEnv()) { String reason2; - if((reason2 = org.validate(trans, Policy.AS_RESPONSIBLE, new CassExecutor(trans, this), id))==null) { + if ((reason2 = org.validate(trans, Policy.AS_RESPONSIBLE, new CassExecutor(trans, this), id))==null) { return Result.ok(); } else { trans.debug().log(reason2); @@ -725,8 +731,8 @@ public class Function { rq = q.mayUser(trans, trans.user(), rq.value, Access.write); if (rq.notOK()) { - Result> ruinr = q.userRoleDAO.readUserInRole(trans, trans.user(),ns+".owner"); - if(!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) { + Result> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner"); + if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) { return Result.err(rq); } } @@ -739,7 +745,7 @@ public class Function { try { if (org.getIdentity(trans, user) == null) { return Result.err(Status.ERR_Denied, - "%s reports that %s is a faulty ID", org.getName(), + "%s reports that %s is an invalid ID", org.getName(), user); } return Result.ok(); @@ -748,10 +754,10 @@ public class Function { "%s is not a valid %s Credential", user, org.getName()); } //TODO find out how to make sure good ALTERNATE OAUTH DOMAIN USER -// } else if(user.endsWith(ALTERNATE OAUTH DOMAIN)) { +// } else if (user.endsWith(ALTERNATE OAUTH DOMAIN)) { // return Result.ok(); } else { - Result> cdr = q.credDAO.readID(trans, user); + Result> cdr = q.credDAO().readID(trans, user); if (cdr.notOKorIsEmpty()) { return Result.err(Status.ERR_Security, "%s is not a valid AAF Credential", user); @@ -793,8 +799,8 @@ public class Function { rq = q.mayUser(trans, trans.user(), rq.value, Access.write); if (rq.notOK()) { // Even though not a "writer", Owners still determine who gets to be an Admin - Result> ruinr = q.userRoleDAO.readUserInRole(trans, trans.user(),ns+".owner"); - if(!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) { + Result> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner"); + if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) { return Result.err(rq); } } @@ -827,12 +833,12 @@ public class Function { // Remove old Perm from Roles, save them off List lrdd = new ArrayList<>(); - for(String rl : pdd.roles(false)) { + for (String rl : pdd.roles(false)) { Result rrdd = RoleDAO.Data.decode(trans,q,rl); - if(rrdd.isOKhasData()) { + if (rrdd.isOKhasData()) { RoleDAO.Data rdd = rrdd.value; lrdd.add(rdd); - q.roleDAO.delPerm(trans, rdd, pdd); + q.roleDAO().delPerm(trans, rdd, pdd); } else{ trans.error().log(rrdd.errorString()); } @@ -844,21 +850,21 @@ public class Function { pdd.ns = nss.ns; pdd.type = nss.name; // Use direct Create/Delete, because switching namespaces - if ((pd = q.permDAO.create(trans, pdd)).isOK()) { + if ((pd = q.permDAO().create(trans, pdd)).isOK()) { // Put Role back into Perm, with correct info - for(RoleDAO.Data rdd : lrdd) { - q.roleDAO.addPerm(trans, rdd, pdd); + for (RoleDAO.Data rdd : lrdd) { + q.roleDAO().addPerm(trans, rdd, pdd); } pdd.ns = delP1; pdd.type = delP2; - if ((rv = q.permDAO.delete(trans, pdd, false)).notOK()) { + if ((rv = q.permDAO().delete(trans, pdd, false)).notOK()) { sb.append(rv.details); sb.append('\n'); // } else { // Need to invalidate directly, because we're switching // places in NS, not normal cache behavior - // q.permDAO.invalidate(trans,pdd); + // q.permDAO().invalidate(trans,pdd); } } else { sb.append(pd.details); @@ -892,12 +898,12 @@ public class Function { } // Remove old Role from Perms, save them off List lpdd = new ArrayList<>(); - for(String p : rdd.perms(false)) { + for (String p : rdd.perms(false)) { Result rpdd = PermDAO.Data.decode(trans,q,p); - if(rpdd.isOKhasData()) { + if (rpdd.isOKhasData()) { PermDAO.Data pdd = rpdd.value; lpdd.add(pdd); - q.permDAO.delRole(trans, pdd, rdd); + q.permDAO().delRole(trans, pdd, rdd); } else{ trans.error().log(rpdd.errorString()); } @@ -910,21 +916,21 @@ public class Function { rdd.ns = nss.ns; rdd.name = nss.name; // Use direct Create/Delete, because switching namespaces - if ((rd = q.roleDAO.create(trans, rdd)).isOK()) { + if ((rd = q.roleDAO().create(trans, rdd)).isOK()) { // Put Role back into Perm, with correct info - for(PermDAO.Data pdd : lpdd) { - q.permDAO.addRole(trans, pdd, rdd); + for (PermDAO.Data pdd : lpdd) { + q.permDAO().addRole(trans, pdd, rdd); } rdd.ns = delP1; rdd.name = delP2; - if ((rv = q.roleDAO.delete(trans, rdd, true)).notOK()) { + if ((rv = q.roleDAO().delete(trans, rdd, true)).notOK()) { sb.append(rv.details); sb.append('\n'); // } else { // Need to invalidate directly, because we're switching // places in NS, not normal cache behavior - // q.roleDAO.invalidate(trans,rdd); + // q.roleDAO().invalidate(trans,rdd); } } else { sb.append(rd.details); @@ -954,12 +960,12 @@ public class Function { return Result.err(rnsd); } } else { - rnsd = q.deriveNs(trans, perm.ns); + q.deriveNs(trans, perm.ns); } // Does Child exist? if (!trans.requested(REQD_TYPE.force)) { - if (q.permDAO.read(trans, perm).isOKhasData()) { + if (q.permDAO().read(trans, perm).isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "Permission [%s.%s|%s|%s] already exists.", perm.ns, perm.type, perm.instance, perm.action); @@ -973,7 +979,7 @@ public class Function { // For each Role for (String role : roles = perm.roles(true)) { Result rdd = RoleDAO.Data.decode(trans,q,role); - if(rdd.isOKhasData()) { + if (rdd.isOKhasData()) { RoleDAO.Data rd = rdd.value; if (!fromApproval) { // May User write to the Role in question. @@ -989,22 +995,22 @@ public class Function { } Result> rlrd; - if ((rlrd = q.roleDAO.read(trans, rd)).notOKorIsEmpty()) { + if ((rlrd = q.roleDAO().read(trans, rd)).notOKorIsEmpty()) { rd.perms(true).add(pstring); - if (q.roleDAO.create(trans, rd).notOK()) { + if (q.roleDAO().create(trans, rd).notOK()) { roles.remove(role); // Role doesn't exist, and can't be // created } } else { rd = rlrd.value.get(0); if (!rd.perms.contains(pstring)) { - q.roleDAO.addPerm(trans, rd, perm); + q.roleDAO().addPerm(trans, rd, perm); } } } } - Result pdr = q.permDAO.create(trans, perm); + Result pdr = q.permDAO().create(trans, perm); if (pdr.isOK()) { return Result.ok(); } else { @@ -1024,7 +1030,7 @@ public class Function { } } // Does Perm exist? - Result> pdr = q.permDAO.read(trans, perm); + Result> pdr = q.permDAO().read(trans, perm); if (pdr.notOKorIsEmpty()) { return Result.err(Status.ERR_PermissionNotFound,"Permission [%s.%s|%s|%s] does not exist.", perm.ns,perm.type, perm.instance, perm.action); @@ -1038,9 +1044,9 @@ public class Function { for (String role : fullperm.roles) { Result rv = null; Result rrdd = RoleDAO.Data.decode(trans, q, role); - if(rrdd.isOKhasData()) { + if (rrdd.isOKhasData()) { trans.debug().log("Removing", role, "from", fullperm, "on Perm Delete"); - if ((rv = q.roleDAO.delPerm(trans, rrdd.value, fullperm)).notOK()) { + if ((rv = q.roleDAO().delPerm(trans, rrdd.value, fullperm)).notOK()) { if (rv.notOK()) { trans.error().log("Error removing Role during delFromPermRole: ", trans.getUserPrincipal(), @@ -1054,12 +1060,12 @@ public class Function { } else if (!fullperm.roles.isEmpty()) { return Result .err(Status.ERR_DependencyExists, - "Permission [%s.%s|%s|%s] cannot be deleted as it is attached to 1 or more roles.", - fullperm.ns, fullperm.type, fullperm.instance, fullperm.action); + "Permission [%s] cannot be deleted as it is attached to 1 or more roles.", + fullperm.fullPerm()); } } - return q.permDAO.delete(trans, fullperm, false); + return q.permDAO().delete(trans, fullperm, false); } public Result deleteRole(final AuthzTrans trans, final RoleDAO.Data role, boolean force, boolean fromApproval) { @@ -1075,11 +1081,11 @@ public class Function { } // Are there any Users Attached to Role? - Result> urdr = q.userRoleDAO.readByRole(trans,role.fullName()); + Result> urdr = q.userRoleDAO().readByRole(trans,role.fullName()); if (force) { if (urdr.isOKhasData()) { for (UserRoleDAO.Data urd : urdr.value) { - q.userRoleDAO.delete(trans, urd, false); + q.userRoleDAO().delete(trans, urd, false); } } } else if (urdr.isOKhasData()) { @@ -1089,7 +1095,7 @@ public class Function { } // Does Role exist? - Result> rdr = q.roleDAO.read(trans, role); + Result> rdr = q.roleDAO().read(trans, role); if (rdr.notOKorIsEmpty()) { return Result.err(Status.ERR_RoleNotFound, "Role [%s.%s] does not exist", role.ns, role.name); @@ -1103,7 +1109,7 @@ public class Function { if (rpd.isOK()) { trans.debug().log("Removing", perm, "from", fullrole,"on Role Delete"); - Result r = q.permDAO.delRole(trans, rpd.value, fullrole); + Result r = q.permDAO().delRole(trans, rpd.value, fullrole); if (r.notOK()) { trans.error().log("ERR_FDR1 unable to remove",fullrole,"from",perm,':',r.status,'-',r.details); } @@ -1112,7 +1118,7 @@ public class Function { } } } - return q.roleDAO.delete(trans, fullrole, false); + return q.roleDAO().delete(trans, fullrole, false); } /** @@ -1131,19 +1137,19 @@ public class Function { if (!fromApproval) { Result rRoleCo = q.deriveFirstNsForType(trans, role.ns, NsType.COMPANY); - if(rRoleCo.notOK()) { + if (rRoleCo.notOK()) { return Result.err(rRoleCo); } Result rPermCo = q.deriveFirstNsForType(trans, pd.ns, NsType.COMPANY); - if(rPermCo.notOK()) { + if (rPermCo.notOK()) { return Result.err(rPermCo); } // Not from same company - if(!rRoleCo.value.name.equals(rPermCo.value.name)) { + if (!rRoleCo.value.name.equals(rPermCo.value.name)) { Result r; // Only grant if User ALSO has Write ability in Other Company - if((r = q.mayUser(trans, user, role, Access.write)).notOK()) { + if ((r = q.mayUser(trans, user, role, Access.write)).notOK()) { return Result.err(r); } } @@ -1162,7 +1168,7 @@ public class Function { } // Final Check... Don't allow Grantees to add to Roles they are // part of - Result> rlurd = q.userRoleDAO + Result> rlurd = q.userRoleDAO() .readByUser(trans, trans.user()); if (rlurd.isOK()) { for (UserRoleDAO.Data ur : rlurd.value) { @@ -1174,13 +1180,13 @@ public class Function { } } - Result> rlpd = q.permDAO.read(trans, pd); + Result> rlpd = q.permDAO().read(trans, pd); if (rlpd.notOKorIsEmpty()) { return Result.err(Status.ERR_PermissionNotFound, "Permission must exist to add to Role"); } - Result> rlrd = q.roleDAO.read(trans, role); // Already + Result> rlrd = q.roleDAO().read(trans, role); // Already // Checked // for // can @@ -1200,7 +1206,7 @@ public class Function { } role.perms(true).add(pd.encode()); - Result rdd = q.roleDAO.create(trans, role); + Result rdd = q.roleDAO().create(trans, role); if (rdd.isOK()) { rv = Result.ok(); } else { @@ -1220,10 +1226,10 @@ public class Function { role.perms(true).add(pd.encode()); // this is added for Caching // access purposes... doesn't // affect addPerm - rv = q.roleDAO.addPerm(trans, role, pd); + rv = q.roleDAO().addPerm(trans, role, pd); } if (rv.status == Status.OK) { - return q.permDAO.addRole(trans, pd, role); + return q.permDAO().addRole(trans, pd, role); // exploring how to add information message to successful http // request } @@ -1254,13 +1260,13 @@ public class Function { } } - Result> rlr = q.roleDAO.read(trans, role); + Result> rlr = q.roleDAO().read(trans, role); if (rlr.notOKorIsEmpty()) { // If Bad Data, clean out - Result> rlp = q.permDAO.read(trans, pd); + Result> rlp = q.permDAO().read(trans, pd); if (rlp.isOKhasData()) { for (PermDAO.Data pv : rlp.value) { - q.permDAO.delRole(trans, pv, role); + q.permDAO().delRole(trans, pv, role); } } return Result.err(rlr); @@ -1279,7 +1285,7 @@ public class Function { break; } } - if(!notFound) { + if (!notFound) { break; } } @@ -1292,12 +1298,12 @@ public class Function { } // Read Perm for full data - Result> rlp = q.permDAO.read(trans, pd); + Result> rlp = q.permDAO().read(trans, pd); Result rv = null; if (rlp.isOKhasData()) { for (PermDAO.Data pv : rlp.value) { - if ((rv = q.permDAO.delRole(trans, pv, role)).isOK()) { - if ((rv = q.roleDAO.delPerm(trans, role, pv)).notOK()) { + if ((rv = q.permDAO().delRole(trans, pv, role)).isOK()) { + if ((rv = q.roleDAO().delPerm(trans, role, pv)).notOK()) { trans.error().log( "Error removing Perm during delFromPermRole:", trans.getUserPrincipal(), rv.errorString()); @@ -1309,7 +1315,7 @@ public class Function { } } } else { - rv = q.roleDAO.delPerm(trans, role, pd); + rv = q.roleDAO().delPerm(trans, role, pd); if (rv.notOK()) { trans.error().log("Error removing Role during delFromPermRole", rv.errorString()); @@ -1343,23 +1349,23 @@ public class Function { */ public Result addUserRole(AuthzTrans trans,UserRoleDAO.Data urData) { Result rv; - if(Question.ADMIN.equals(urData.rname)) { + if (Question.ADMIN.equals(urData.rname)) { rv = mayAddAdmin(trans, urData.ns, urData.user); - } else if(Question.OWNER.equals(urData.rname)) { + } else if (Question.OWNER.equals(urData.rname)) { rv = mayAddOwner(trans, urData.ns, urData.user); } else { rv = checkValidID(trans, new Date(), urData.user); } - if(rv.notOK()) { + if (rv.notOK()) { return rv; } // Check if record exists - if (q.userRoleDAO.read(trans, urData).isOKhasData()) { + if (q.userRoleDAO().read(trans, urData).isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "User Role exists"); } - if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) { + if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) { return Result.err(Status.ERR_RoleNotFound, "Role [%s.%s] does not exist", urData.ns, urData.rname); } @@ -1367,18 +1373,16 @@ public class Function { urData.expires = trans.org().expiration(null, Expiration.UserInRole, urData.user).getTime(); - Result udr = q.userRoleDAO.create(trans, urData); - switch (udr.status) { - case OK: + Result udr = q.userRoleDAO().create(trans, urData); + if (udr.status == OK) { return Result.ok(); - default: - return Result.err(udr); } + return Result.err(udr); } public Result addUserRole(AuthzTrans trans, String user, String ns, String rname) { try { - if(trans.org().getIdentity(trans, user)==null) { + if (trans.org().getIdentity(trans, user)==null) { return Result.err(Result.ERR_BadData,user+" is an Invalid Identity for " + trans.org().getName()); } } catch (OrganizationException e) { @@ -1403,12 +1407,12 @@ public class Function { */ public Result extendUserRole(AuthzTrans trans, UserRoleDAO.Data urData, boolean checkForExist) { // Check if record still exists - if (checkForExist && q.userRoleDAO.read(trans, urData).notOKorIsEmpty()) { + if (checkForExist && q.userRoleDAO().read(trans, urData).notOKorIsEmpty()) { return Result.err(Status.ERR_UserRoleNotFound, "User Role does not exist"); } - if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) { + if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) { return Result.err(Status.ERR_RoleNotFound, "Role [%s.%s] does not exist", urData.ns,urData.rname); } @@ -1422,7 +1426,7 @@ public class Function { // time // starting // today - return q.userRoleDAO.update(trans, urData); + return q.userRoleDAO().update(trans, urData); } // //////////////////////////////////////////////////// @@ -1433,7 +1437,7 @@ public class Function { // Roles // //////////////////////////////////////////////////// public Result> getUsersByRole(AuthzTrans trans, String role, boolean includeExpired) { - Result> rurdd = q.userRoleDAO.readByRole(trans,role); + Result> rurdd = q.userRoleDAO().readByRole(trans,role); if (rurdd.notOK()) { return Result.err(rurdd); } @@ -1452,7 +1456,7 @@ public class Function { UserRoleDAO.Data urdd = new UserRoleDAO.Data(); urdd.user = user; urdd.role(ns,rname); - Result> r = q.userRoleDAO.read(trans, urdd); + Result> r = q.userRoleDAO().read(trans, urdd); if (r.status == 404 || r.isEmpty()) { return Result.err(Status.ERR_UserRoleNotFound, "UserRole [%s] [%s.%s]", user, ns, rname); @@ -1461,7 +1465,7 @@ public class Function { return Result.err(r); } - return q.userRoleDAO.delete(trans, urdd, false); + return q.userRoleDAO().delete(trans, urdd, false); } public Result createFuture(AuthzTrans trans, FutureDAO.Data data, String id, String user, @@ -1473,12 +1477,12 @@ public class Function { List approvers = op.equals(FUTURE_OP.A)?NO_ADDL_APPROVE:org.getApprovers(trans, user); List owners = new ArrayList<>(); if (nsd != null) { - Result> rrbr = q.userRoleDAO + Result> rrbr = q.userRoleDAO() .readByRole(trans, nsd.name + Question.DOT_OWNER); if (rrbr.isOKhasData()) { - for(UserRoleDAO.Data urd : rrbr.value) { + for (UserRoleDAO.Data urd : rrbr.value) { Identity owner = org.getIdentity(trans, urd.user); - if(owner==null) { + if (owner==null) { return Result.err(Result.ERR_NotFound,urd.user + " is not a Valid Owner of " + nsd.name); } else { owners.add(owner); @@ -1487,31 +1491,31 @@ public class Function { } } - if(owners.isEmpty()) { + if (owners.isEmpty()) { return Result.err(Result.ERR_NotFound,"No Owners found for " + nsd.name); } // Create Future Object - Result fr = q.futureDAO.create(trans, data, id); + Result fr = q.futureDAO().create(trans, data, id); if (fr.isOK()) { sb.append("Created Future: "); sb.append(data.id); // User Future ID as ticket for Approvals final UUID ticket = fr.value.id; sb.append(", Approvals: "); - Boolean first[] = new Boolean[]{true}; - if(op!=FUTURE_OP.A) { + Boolean[] first = new Boolean[]{true}; + if (op!=FUTURE_OP.A) { for (Identity u : approvers) { Result r = addIdentity(trans,sb,first,user,data.memo,op,u,ticket,org.getApproverType()); - if(r.notOK()) { + if (r.notOK()) { return Result.err(r); } } } for (Identity u : owners) { Result r = addIdentity(trans,sb,first,user,data.memo,op,u,ticket,"owner"); - if(r.notOK()) { + if (r.notOK()) { return Result.err(r); } } @@ -1533,8 +1537,8 @@ public class Function { public Lookup urDBLookup = new Lookup() { @Override public UserRoleDAO.Data get(AuthzTrans trans, Object ... keys) { - Result> r = q.userRoleDAO.read(trans, keys); - if(r.isOKhasData()) { + Result> r = q.userRoleDAO().read(trans, keys); + if (r.isOKhasData()) { return r.value.get(0); } else { return null; @@ -1556,19 +1560,19 @@ public class Function { public Result performFutureOp(final AuthzTrans trans, FUTURE_OP fop, FutureDAO.Data curr, Lookup> la, Lookup lur) { // Pre-Evaluate if ReApproval is already done. UserRoleDAO.Data urdd = null; - if(fop.equals(FUTURE_OP.A) && curr.target.equals(FOP_USER_ROLE) && curr.construct!=null) { + if (fop.equals(FUTURE_OP.A) && curr.target.equals(FOP_USER_ROLE) && curr.construct!=null) { try { // Get Expected UserRole from Future urdd = new UserRoleDAO.Data(); urdd.reconstitute(curr.construct); // Get Current UserRole from lookup UserRoleDAO.Data lurdd = lur.get(trans, urdd.user,urdd.role); - if(lurdd==null) { - q.futureDAO.delete(trans, curr, false); + if (lurdd==null) { + q.futureDAO().delete(trans, curr, false); return OP_STATUS.RL; } else { - if(curr.expires.compareTo(lurdd.expires)<0) { - q.futureDAO.delete(trans, curr, false); + if (curr.expires.compareTo(lurdd.expires)<0) { + q.futureDAO().delete(trans, curr, false); return OP_STATUS.RL; } } @@ -1579,43 +1583,41 @@ public class Function { boolean aDenial = false; int cntSuper=0, appSuper=0,cntOwner=0, appOwner=0; - for(ApprovalDAO.Data add : la.get(trans)) { + for (ApprovalDAO.Data add : la.get(trans)) { switch(add.status) { case "approved": - if("owner".equals(add.type)) { + if ("owner".equals(add.type)) { ++cntOwner; ++appOwner; - } else if("supervisor".equals(add.type)) { + } else if ("supervisor".equals(add.type)) { ++cntSuper; ++appSuper; } break; case "pending": - if("owner".equals(add.type)) { + if ("owner".equals(add.type)) { ++cntOwner; - } else if("supervisor".equals(add.type)) { + } else if ("supervisor".equals(add.type)) { ++cntSuper; } break; case "denied": aDenial=true; break; + default: + break; } } Result ros=null; - if(aDenial) { - // Note: Denial will be Audit-logged. -// for (ApprovalDAO.Data ad : allApprovalsForTicket.value) { -// q.approvalDAO.delete(trans, ad, false); -// } + if (aDenial) { ros = OP_STATUS.RD; - if(q.futureDAO.delete(trans, curr, false).notOK()) { + if (q.futureDAO().delete(trans, curr, false).notOK()) { trans.info().printf("Future %s could not be deleted", curr.id.toString()); } else { if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) { // A Denial means we must remove UserRole - if(fop.equals(FUTURE_OP.U) || fop.equals(FUTURE_OP.A)) { + if (fop.equals(FUTURE_OP.U) || fop.equals(FUTURE_OP.A)) { UserRoleDAO.Data data = new UserRoleDAO.Data(); try { data.reconstitute(curr.construct); @@ -1631,7 +1633,7 @@ public class Function { // Decision: If not Denied, and at least owner, if exists, and at least one Super, if exists boolean goDecision = (cntOwner>0?appOwner>0:true) && (cntSuper>0?appSuper>0:true); - if(goDecision) { + if (goDecision) { // should check if any other pendings before performing // actions try { @@ -1640,7 +1642,7 @@ public class Function { data.reconstitute(curr.construct); switch(fop) { case C: - ros = set(OP_STATUS.RE,q.roleDAO.dao().create(trans, data)); + ros = set(OP_STATUS.RE,q.roleDAO().dao().create(trans, data)); break; case D: ros = set(OP_STATUS.RE,deleteRole(trans, data, true, true)); @@ -1684,7 +1686,7 @@ public class Function { default: } } else if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) { - if(urdd==null) { + if (urdd==null) { urdd = new UserRoleDAO.Data(); urdd.reconstitute(curr.construct); } @@ -1702,32 +1704,26 @@ public class Function { } else if (FOP_NS.equalsIgnoreCase(curr.target)) { Namespace namespace = new Namespace(); namespace.reconstitute(curr.construct); - switch(fop) { - case C: - ros = set(OP_STATUS.RE,createNS(trans, namespace, true)); - break; - default: + if (fop == FUTURE_OP.C) { + ros = set(OP_STATUS.RE, createNS(trans, namespace, true)); } } else if (FOP_DELEGATE.equalsIgnoreCase(curr.target)) { DelegateDAO.Data data = new DelegateDAO.Data(); data.reconstitute(curr.construct); switch(fop) { case C: - ros = set(OP_STATUS.RE,q.delegateDAO.create(trans, data)); + ros = set(OP_STATUS.RE,q.delegateDAO().create(trans, data)); break; case U: - ros = set(OP_STATUS.RE,q.delegateDAO.update(trans, data)); + ros = set(OP_STATUS.RE,q.delegateDAO().update(trans, data)); break; default: } } else if (FOP_CRED.equalsIgnoreCase(curr.target)) { CredDAO.Data data = new CredDAO.Data(); data.reconstitute(curr.construct); - switch(fop) { - case C: - ros = set(OP_STATUS.RE,q.credDAO.dao().create(trans, data)); - break; - default: + if (fop == FUTURE_OP.C) { + ros = set(OP_STATUS.RE, q.credDAO().dao().create(trans, data)); } } } catch (Exception e) { @@ -1735,9 +1731,9 @@ public class Function { " \n occurred while performing", curr.memo, " from Ticket ", curr.id.toString()); } - q.futureDAO.delete(trans, curr, false); + q.futureDAO().delete(trans, curr, false); } // end for goDecision - if(ros==null) { + if (ros==null) { //return Result.err(Status.ACC_Future, "Full Approvals not obtained: No action taken"); ros = OP_STATUS.RP; } @@ -1747,7 +1743,7 @@ public class Function { // Convenience method for setting OPSTatus Results private Result set(Result rs, Result orig) { - if(orig.isOK()) { + if (orig.isOK()) { return rs; } else { return Result.err(orig); @@ -1766,9 +1762,9 @@ public class Function { ad.type = type; ad.operation = op.name(); // Note ad.updated is created in System - Result r = q.approvalDAO.create(trans,ad); - if(r.isOK()) { - if(first[0]) { + Result r = q.approvalDAO().create(trans,ad); + if (r.isOK()) { + if (first[0]) { first[0] = false; } else { sb.append(", ");