X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-service%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fservice%2FAuthzCassServiceImpl.java;h=3b0108218f47fad6899d76d374cda186b3167858;hb=3d1706fcbe7f95830ff6fd23cf679ee55c6d0595;hp=295db4acf5db7ecc3223f4c2bf327080b2011bca;hpb=1338680ef142f9a33ee32a00b07c7d2ae658cb3a;p=aaf%2Fauthz.git diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 295db4ac..3b010821 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -42,6 +42,7 @@ import java.util.Map; import java.util.Set; import java.util.TreeMap; import java.util.UUID; +import java.util.concurrent.TimeUnit; import javax.servlet.http.HttpServletRequest; @@ -117,7 +118,7 @@ public class AuthzCassServiceImpl { private static final String TWO_SPACE = " "; - private Mapper mapper; + private Mapper mapper; @Override public Mapper mapper() {return mapper;} 
@@ -815,120 +816,120 @@ public class AuthzCassServiceImpl 0) { - PermDAO.Data pdd = newPd.value; - if(trans.user().equals(newPd.value.ns)) { - CachedPermDAO permDAO = ques.permDAO(); - Result> rlpdd = permDAO.read(trans, pdd); - if(rlpdd.notOK()) { - return Result.err(rlpdd); - } - if(!rlpdd.isEmpty()) { - return Result.err(Result.ERR_ConflictAlreadyExists,"Permission already exists"); - } - - RoleDAO.Data rdd = new RoleDAO.Data(); - rdd.ns = pdd.ns; - rdd.name = "user"; - - pdd.roles(true).add(rdd.fullName()); - Result rpdd = permDAO.create(trans, pdd); - if(rpdd.notOK()) { - return Result.err(rpdd); - } - - CachedRoleDAO roleDAO = ques.roleDAO(); - Result> rlrdd = roleDAO.read(trans, rdd); - if(rlrdd.notOK()) { - return Result.err(rlrdd); - } else { - if(!rlrdd.isEmpty()) { - rdd = rlrdd.value.get(0); - } - } - - String eperm = pdd.encode(); - rdd.perms(true).add(eperm); - Result rv = roleDAO.update(trans, rdd); - if(rv.notOK()) { - return rv; - } - - CachedUserRoleDAO urDAO = ques.userRoleDAO(); - UserRoleDAO.Data urdd = new UserRoleDAO.Data(); - urdd.user = trans.user(); - urdd.ns = rdd.ns; - urdd.rname = rdd.name; - urdd.role = rdd.fullName(); - Result> rlurdd = urDAO.read(trans, urdd); - if(rlurdd.notOK()) { - return Result.err(rlrdd); - } else if(rlurdd.isEmpty()) { - GregorianCalendar gc = trans.org().expiration(null, Expiration.UserInRole); - if(gc==null) { - return Result.err(Result.ERR_Policy,"Organzation does not grant Expiration for UserRole"); - } else { - urdd.expires = gc.getTime(); - } - Result rurdd = urDAO.create(trans, urdd); - return Result.err(rurdd); - } - return rv; - } else { - return Result.err(Result.ERR_Security,"Only the User can create User Permissions"); - } + PermDAO.Data pdd = newPd.value; + if(trans.user().equals(newPd.value.ns)) { + CachedPermDAO permDAO = ques.permDAO(); + Result> rlpdd = permDAO.read(trans, pdd); + if(rlpdd.notOK()) { + return Result.err(rlpdd); + } + if(!rlpdd.isEmpty()) { + return 
Result.err(Result.ERR_ConflictAlreadyExists,"Permission already exists"); + } + + RoleDAO.Data rdd = new RoleDAO.Data(); + rdd.ns = pdd.ns; + rdd.name = "user"; + + pdd.roles(true).add(rdd.fullName()); + Result rpdd = permDAO.create(trans, pdd); + if(rpdd.notOK()) { + return Result.err(rpdd); + } + + CachedRoleDAO roleDAO = ques.roleDAO(); + Result> rlrdd = roleDAO.read(trans, rdd); + if(rlrdd.notOK()) { + return Result.err(rlrdd); + } else { + if(!rlrdd.isEmpty()) { + rdd = rlrdd.value.get(0); + } + } + + String eperm = pdd.encode(); + rdd.perms(true).add(eperm); + Result rv = roleDAO.update(trans, rdd); + if(rv.notOK()) { + return rv; + } + + CachedUserRoleDAO urDAO = ques.userRoleDAO(); + UserRoleDAO.Data urdd = new UserRoleDAO.Data(); + urdd.user = trans.user(); + urdd.ns = rdd.ns; + urdd.rname = rdd.name; + urdd.role = rdd.fullName(); + Result> rlurdd = urDAO.read(trans, urdd); + if(rlurdd.notOK()) { + return Result.err(rlrdd); + } else if(rlurdd.isEmpty()) { + GregorianCalendar gc = trans.org().expiration(null, Expiration.UserInRole); + if(gc==null) { + return Result.err(Result.ERR_Policy,"Organzation does not grant Expiration for UserRole"); + } else { + urdd.expires = gc.getTime(); + } + Result rurdd = urDAO.create(trans, urdd); + return Result.err(rurdd); + } + return rv; + } else { + return Result.err(Result.ERR_Security,"Only the User can create User Permissions"); + } } else { - // Does Perm Type exist as a Namespace? 
- if(newPd.value.type.isEmpty() || ques.nsDAO().read(trans, newPd.value.fullType()).isOKhasData()) { - return Result.err(Status.ERR_ConflictAlreadyExists, - "Permission Type exists as a Namespace"); - } - - Result fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false, - new Mapper.Memo() { - @Override - public String get() { - return "Create Permission [" + - newPd.value.fullType() + '|' + - newPd.value.instance + '|' + - newPd.value.action + ']'; - } - }, - new MayChange() { - private Result nsd; - @Override - public Result mayChange() { - if (nsd==null) { - nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write); - } - return nsd; - } - }); - - Result> nsr = ques.nsDAO().read(trans, newPd.value.ns); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - switch(fd.status) { - case OK: - Result rfc = func.createFuture(trans,fd.value, - newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action, - trans.user(), - nsr.value.get(0), - FUTURE_OP.C); - if (rfc.isOK()) { - return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", - newPd.value.ns, - newPd.value.type, - newPd.value.instance, - newPd.value.action); - } else { - return Result.err(rfc); - } - case Status.ACC_Now: - return func.createPerm(trans, newPd.value, true); - default: - return Result.err(fd); - } + // Does Perm Type exist as a Namespace? 
+ if(newPd.value.type.isEmpty() || ques.nsDAO().read(trans, newPd.value.fullType()).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Permission Type exists as a Namespace"); + } + + Result fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false, + new Mapper.Memo() { + @Override + public String get() { + return "Create Permission [" + + newPd.value.fullType() + '|' + + newPd.value.instance + '|' + + newPd.value.action + ']'; + } + }, + new MayChange() { + private Result nsd; + @Override + public Result mayChange() { + if (nsd==null) { + nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write); + } + return nsd; + } + }); + + Result> nsr = ques.nsDAO().read(trans, newPd.value.ns); + if (nsr.notOKorIsEmpty()) { + return Result.err(nsr); + } + switch(fd.status) { + case OK: + Result rfc = func.createFuture(trans,fd.value, + newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action, + trans.user(), + nsr.value.get(0), + FUTURE_OP.C); + if (rfc.isOK()) { + return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", + newPd.value.ns, + newPd.value.type, + newPd.value.instance, + newPd.value.action); + } else { + return Result.err(rfc); + } + case Status.ACC_Now: + return func.createPerm(trans, newPd.value, true); + default: + return Result.err(fd); + } } } 
@@ -1994,7 +1995,7 @@ public class AuthzCassServiceImpl rfc = func.createFuture(trans,fd.value, - rpd.value.fullPerm(), - trans.user(), - nsr.value.get(0), - FUTURE_OP.G); - if (rfc.isOK()) { - return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", - rpd.value.ns, - rpd.value.type, - rpd.value.instance, - rpd.value.action); - } else { - return Result.err(rfc); - } - case Status.ACC_Now: - Result rv = null; - if (createPerm!=null) {// has been validated for creating - rv = func.createPerm(trans, createPerm, false); - } - if (rv==null || rv.isOK()) { - rv = func.addPermToRole(trans, rrd.value, rpd.value, false); - } - return rv; - default: - return Result.err(fd); + case OK: + Result rfc = func.createFuture(trans,fd.value, + rpd.value.fullPerm(), + trans.user(), + nsr.value.get(0), + FUTURE_OP.G); + if (rfc.isOK()) { + return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", + rpd.value.ns, + rpd.value.type, + rpd.value.instance, + rpd.value.action); + } else { + return Result.err(rfc); + } + case Status.ACC_Now: + Result rv = null; + if (createPerm!=null) {// has been validated for creating + rv = func.createPerm(trans, createPerm, false); + } + if (rv==null || rv.isOK()) { + rv = func.addPermToRole(trans, rrd.value, rpd.value, false); + } + return rv; + default: + return Result.err(fd); } } @@ -2309,12 +2310,12 @@ public class AuthzCassServiceImpl nsd; + private static final String RESET = "reset"; + private static final String DELETE = "delete"; + private Result nsd; private AuthzTrans trans; private CredDAO.Data cred; - private String action; + private String action; public MayChangeCred(AuthzTrans trans, CredDAO.Data cred, String action) { this.trans = trans; this.cred = cred; @@ -2329,35 +2330,35 @@ public class AuthzCassServiceImpl TimeUnit.DAYS.toMillis(1)) { + return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); + } + } + } } } else { try { 
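Review bot: In the last hunk on this line (@@ -2329), the new conflict check compares against `TimeUnit.DAYS.toMillis(1)` yet reports "Credential with same Expiration Date exists", so the message describes an exact match while the condition appears to reject anything within a one-day window; the left operand and the enclosing loop did not survive this rendering, so only the threshold is visible to me. A comment on the condition stating the intent, e.g. `// expirations less than a day apart are treated as the same date`, or a named constant such as `private static final long SAME_EXPIRY_WINDOW_MS = TimeUnit.DAYS.toMillis(1);` next to the new RESET/DELETE constants, would make the rule explicit and keep the message and the check in agreement. If the difference is a plain subtraction of two times, it is also worth confirming it is wrapped in Math.abs so an existing credential that expires earlier than the new one is caught as well. The enclosing method starts and ends outside the hunk.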
@@ -2501,13 +2508,20 @@ public class AuthzCassServiceImpl > admins = func.getAdmins(trans, nsr.value.get(0).name, false); - // OK, it's a first ID, and not by NS Admin, so let's set TempPassword length - // Note, we only do this on First time, because of possibility of - // prematurely expiring a production id - if (admins.isOKhasData() && !admins.value.contains(trans.user())) { - rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime(); + // OK, it's a first ID, and not by NS Owner + if(!ques.isOwner(trans,trans.user(),cdd.ns)) { + // Admins are not allowed to set first Cred, but Org has already + // said entity MAY create, typically by Permission + // We can't know which reason they are allowed here, so we + // have to assume that any with Special Permission would not be + // an Admin. + if(ques.isAdmin(trans, trans.user(), cdd.ns)) { + return Result.err(Result.ERR_Denied, + "Only Owners may create first passwords in their Namespace. Admins may modify after one exists" ); + } else { + // Allow IDs that AREN'T part of NS with Org Onboarding Permission (see Org object) to create Temp Passwords. + rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime(); + } } } } catch (Exception e) { 
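Review bot: The non-owner, non-admin branch dereferences `org.expiration(null, Expiration.TempPassword).getTime()` without a null check, whereas the createPerm hunk earlier in this diff guards the same `expiration(...)` call with `if(gc==null)` and returns ERR_Policy; a null here would most likely surface as a NullPointerException swallowed by the `catch (Exception e)` that closes the hunk rather than as a policy error. Suggest `GregorianCalendar gc = org.expiration(null, Expiration.TempPassword);` / `if(gc==null) { return Result.err(Result.ERR_Policy, "Organization does not grant Expiration for TempPassword"); }` / `rcred.value.expires = gc.getTime();`. The inline comment explains why admins are refused but not why the isOwner test comes first; a one-line note such as `// Owners who are also Admins pass the isOwner check above and are never denied here` would document that ordering for the next reader. The enclosing method starts and ends outside the hunk.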
@@ -2838,7 +2852,7 @@ public class AuthzCassServiceImpl deleteUserCred(AuthzTrans trans, REQUEST from) { - final Result cred = mapper.cred(trans, from, false); - final Validator v = new ServiceValidator(); - if (v.nullOrBlank("cred", cred.value.id).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - - MayChange mc = new MayChangeCred(trans,cred.value,MayChangeCred.DELETE); - Result rmc = mc.mayChange(); - if (rmc.notOK()) { - return Result.err(rmc); - } - - boolean doForce = trans.requested(force); - Result> rlcd = ques.credDAO().readID(trans, cred.value.id); - if (rlcd.notOKorIsEmpty()) { - // Empty Creds should not have user_roles. - Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); - if (rlurd.isOKhasData()) { - for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO().delete(trans, data, false); - } - } - return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); - } - boolean isLastCred = rlcd.value.size()==1; - - int entry; - CredRequest cr = (CredRequest)from; - if(isLastCred) { - if(cr.getEntry()==null || "1".equals(cr.getEntry())) { - entry = 0; - } else { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } else { - entry = -1; - int fentry = entry; - if(cred.value.type==CredDAO.FQI) { - entry = -1; - for(CredDAO.Data cdd : rlcd.value) { - ++fentry; - if(cdd.type == CredDAO.FQI) { - entry = fentry; - break; - } - } - } else { - if (!doForce) { - if (rlcd.value.size() > 1) { - String inputOption = cr.getEntry(); - if (inputOption == null) { - List list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); - String message = selectCredFromList(list, MayChangeCred.DELETE); - Object[] variables = buildVariables(list); - return Result.err(Status.ERR_ChoiceNeeded, message, variables); - } else { - try { - if (inputOption.length()>5) { // should be a date - Date d = 
Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); - for (CredDAO.Data cd : rlcd.value) { - ++fentry; - if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { - entry = fentry; - break; - } - } - } else { - entry = Integer.parseInt(inputOption) - 1; - int count = 0; - for (CredDAO.Data cd : rlcd.value) { - if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { - ++entry; - } - if(++count>entry) { - break; - } - } - } - } catch (NullPointerException e) { - return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); - } catch (NumberFormatException e) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - isLastCred = (entry==-1)?true:false; - } else { - isLastCred = true; - } - if (entry < -1 || entry >= rlcd.value.size()) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - } - } - - Result fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false, - () -> "Delete Credential [" + - cred.value.id + - ']', - mc); - - Result> nsr = ques.nsDAO().read(trans, cred.value.ns); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - - switch(fd.status) { - case OK: - Result rfc = func.createFuture(trans, fd.value, cred.value.id, - trans.user(), nsr.value.get(0), FUTURE_OP.D); - - if (rfc.isOK()) { - return Result.err(Status.ACC_Future, "Credential Delete [%s] is saved for future processing",cred.value.id); - } else { - return Result.err(rfc); - } - case Status.ACC_Now: - Resultudr = null; - if (!trans.requested(force)) { - if (entry<0 || entry >= rlcd.value.size()) { - if(cred.value.type==CredDAO.FQI) { - return Result.err(Status.ERR_BadData,"FQI does not exist"); - } else { - return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); - } - } - udr = ques.credDAO().delete(trans, 
rlcd.value.get(entry),false); - } else { - for (CredDAO.Data curr : rlcd.value) { - udr = ques.credDAO().delete(trans, curr, false); - if (udr.notOK()) { - return Result.err(udr); - } - } - } - if (isLastCred) { - Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); - if (rlurd.isOK()) { - for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO().delete(trans, data, false); - } - } - } - if (udr==null) { - return Result.err(Result.ERR_NotFound,"No User Data found"); - } - if (udr.isOK()) { - return Result.ok(); - } - return Result.err(udr); - default: - return Result.err(fd); - } - - } - - /* - * Codify the way to get Either Choice Needed or actual Integer from Credit Request - */ - private Result selectEntryIfMultiple(final CredRequest cr, List lcd, String action) { - int entry = 0; - if (lcd.size() > 1) { - String inputOption = cr.getEntry(); - if (inputOption == null) { - String message = selectCredFromList(lcd, action); - Object[] variables = buildVariables(lcd); - return Result.err(Status.ERR_ChoiceNeeded, message, variables); - } else { - if(MayChangeCred.EXTEND.equals(action)) { - // might be Tag - if(inputOption.length()>4) { //Tag is at least 12 - int e = 0; - CredDAO.Data last = null; - int lastIdx = -1; - for(CredDAO.Data cdd : lcd) { - if(inputOption.equals(cdd.tag)) { - if(last==null) { - last = cdd; - lastIdx = e; - } else { - if(last.expires.before(cdd.expires)) { - last = cdd; - lastIdx = e; - } - } - } - ++e; - } - if(last!=null) { - return Result.ok(lastIdx); - } - return Result.err(Status.ERR_BadData, "User chose unknown Tag"); - } - } - entry = Integer.parseInt(inputOption) - 1; - } - if (entry < 0 || entry >= lcd.size()) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - return Result.ok(entry); - } - - private List filterList(List orig, Integer ... 
types) { - List rv = new ArrayList<>(); + method = DELETE, + path = "/authn/cred", + params = {}, + expectedCode = 200, + errorCodes = {300,403,404,406}, + text = { "Delete a Credential. If multiple credentials exist for this", + "ID, you will need to specify which entry you are deleting in the", + "CredRequest object." + } + ) + @Override + public Result deleteUserCred(AuthzTrans trans, REQUEST from) { + final Result cred = mapper.cred(trans, from, false); + final Validator v = new ServiceValidator(); + if (v.nullOrBlank("cred", cred.value.id).err()) { + return Result.err(Status.ERR_BadData,v.errs()); + } + + MayChange mc = new MayChangeCred(trans,cred.value,MayChangeCred.DELETE); + Result rmc = mc.mayChange(); + if (rmc.notOK()) { + return Result.err(rmc); + } + + boolean doForce = trans.requested(force); + Result> rlcd = ques.credDAO().readID(trans, cred.value.id); + if (rlcd.notOKorIsEmpty()) { + // Empty Creds should not have user_roles. + Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); + if (rlurd.isOKhasData()) { + for (UserRoleDAO.Data data : rlurd.value) { + ques.userRoleDAO().delete(trans, data, false); + } + } + return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); + } + boolean isLastCred = rlcd.value.size()==1; + + int entry; + CredRequest cr = (CredRequest)from; + if(isLastCred) { + if(cr.getEntry()==null || "1".equals(cr.getEntry())) { + entry = 0; + } else { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } else { + entry = -1; + int fentry = entry; + if(cred.value.type==CredDAO.FQI) { + entry = -1; + for(CredDAO.Data cdd : rlcd.value) { + ++fentry; + if(cdd.type == CredDAO.FQI) { + entry = fentry; + break; + } + } + } else { + if (!doForce) { + if (rlcd.value.size() > 1) { + String inputOption = cr.getEntry(); + if (inputOption == null) { + List list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); + String message = 
selectCredFromList(list, MayChangeCred.DELETE); + Object[] variables = buildVariables(list); + return Result.err(Status.ERR_ChoiceNeeded, message, variables); + } else { + try { + if (inputOption.length()>5) { // should be a date + Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); + for (CredDAO.Data cd : rlcd.value) { + ++fentry; + if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { + entry = fentry; + break; + } + } + } else { + entry = Integer.parseInt(inputOption) - 1; + int count = 0; + for (CredDAO.Data cd : rlcd.value) { + if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { + ++entry; + } + if(++count>entry) { + break; + } + } + } + } catch (NullPointerException e) { + return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); + } catch (NumberFormatException e) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } + isLastCred = (entry==-1); + } else { + isLastCred = true; + } + if (entry < -1 || entry >= rlcd.value.size()) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } + } + } + + Result fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false, + () -> "Delete Credential [" + + cred.value.id + + ']', + mc); + + Result> nsr = ques.nsDAO().read(trans, cred.value.ns); + if (nsr.notOKorIsEmpty()) { + return Result.err(nsr); + } + + switch(fd.status) { + case OK: + Result rfc = func.createFuture(trans, fd.value, cred.value.id, + trans.user(), nsr.value.get(0), FUTURE_OP.D); + + if (rfc.isOK()) { + return Result.err(Status.ACC_Future, "Credential Delete [%s] is saved for future processing",cred.value.id); + } else { + return Result.err(rfc); + } + case Status.ACC_Now: + Resultudr = null; + if (!trans.requested(force)) { + if (entry<0 || entry >= rlcd.value.size()) { + if(cred.value.type==CredDAO.FQI) { + return 
Result.err(Status.ERR_BadData,"FQI does not exist"); + } else { + return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); + } + } + udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false); + } else { + for (CredDAO.Data curr : rlcd.value) { + udr = ques.credDAO().delete(trans, curr, false); + if (udr.notOK()) { + return Result.err(udr); + } + } + } + if (isLastCred) { + Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); + if (rlurd.isOK()) { + for (UserRoleDAO.Data data : rlurd.value) { + ques.userRoleDAO().delete(trans, data, false); + } + } + } + if (udr==null) { + return Result.err(Result.ERR_NotFound,"No User Data found"); + } + if (udr.isOK()) { + return Result.ok(); + } + return Result.err(udr); + default: + return Result.err(fd); + } + + } + + /* + * Codify the way to get Either Choice Needed or actual Integer from Credit Request + */ + private Result selectEntryIfMultiple(final CredRequest cr, List lcd, String action) { + int entry = 0; + if (lcd.size() > 1) { + String inputOption = cr.getEntry(); + if (inputOption == null) { + String message = selectCredFromList(lcd, action); + Object[] variables = buildVariables(lcd); + return Result.err(Status.ERR_ChoiceNeeded, message, variables); + } else { + if(MayChangeCred.EXTEND.equals(action)) { + // might be Tag + if(inputOption.length()>4) { //Tag is at least 12 + int e = 0; + CredDAO.Data last = null; + int lastIdx = -1; + for(CredDAO.Data cdd : lcd) { + if(inputOption.equals(cdd.tag)) { + if(last==null) { + last = cdd; + lastIdx = e; + } else { + if(last.expires.before(cdd.expires)) { + last = cdd; + lastIdx = e; + } + } + } + ++e; + } + if(last!=null) { + return Result.ok(lastIdx); + } + return Result.err(Status.ERR_BadData, "User chose unknown Tag"); + } + } + entry = Integer.parseInt(inputOption) - 1; + } + if (entry < 0 || entry >= lcd.size()) { + return Result.err(Status.ERR_BadData, "User chose 
invalid credential selection"); + } + } + return Result.ok(entry); + } + + private List filterList(List orig, Integer ... types) { + List rv = new ArrayList<>(); for(CredDAO.Data cdd : orig) { - if(cdd!=null) { - for(int t : types) { - if(t==cdd.type) { - rv.add(cdd); - } - } - } + if(cdd!=null) { + for(int t : types) { + if(t==cdd.type) { + rv.add(cdd); + } + } + } } Collections.sort(rv, (o1,o2) -> { - if(o1.type==o2.type) { - return o1.expires.compareTo(o2.expires); - } else { - return o1.type.compareTo(o2.type); - } + if(o1.type==o2.type) { + return o1.expires.compareTo(o2.expires); + } else { + return o1.type.compareTo(o2.type); + } }); - return rv; - } + return rv; + } - private String[] buildVariables(List value) { + private String[] buildVariables(List value) { String [] vars = new String[value.size()]; CredDAO.Data cdd; for (int i = 0; i < value.size(); i++) { - cdd = value.get(i); - vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag; + cdd = value.get(i); + vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag; } return vars; } @@ -3102,8 +3116,8 @@ public class AuthzCassServiceImpl value, String action) { StringBuilder errMessage = new StringBuilder(); String userPrompt = MayChangeCred.DELETE.equals(action)? - "Select which cred to delete (set force=true to delete all):": - "Select which cred to " + action + ':'; + "Select which cred to delete (set force=true to delete all):": + "Select which cred to " + action + ':'; int numSpaces = value.get(0).id.length() - "Id".length(); errMessage.append(userPrompt + '\n'); 
@@ -3118,7 +3132,7 @@ public class AuthzCassServiceImpl nsd; @Override public Result mayChange() { - if(urr.value.role.startsWith(urr.value.user)) { - return Result.ok((NsDAO.Data)null); - } + if(urr.value.role.startsWith(urr.value.user)) { + return Result.ok((NsDAO.Data)null); + } if (nsd==null) { RoleDAO.Data r = RoleDAO.Data.decode(userRole); nsd = ques.mayUser(trans, trans.user(), r, Access.write); @@ -3250,15 +3264,15 @@ public class AuthzCassServiceImpl nsr = ques.deriveNs(trans, userRole.role); - if (nsr.notOK()) { - return Result.err(nsr); - } - ndd = nsr.value; + Result nsr = ques.deriveNs(trans, userRole.role); + if (nsr.notOK()) { + return Result.err(nsr); + } + ndd = nsr.value; } switch(fd.status) { @@ -3806,17 +3820,17 @@ public class AuthzCassServiceImpl > resp; if(type.startsWith(trans.user())) { - resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); + resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); } else { Result rnd = ques.deriveNs(trans,type); - if (rnd.notOK()) { - return Result.err(rnd); - } - rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read); - if (rnd.notOK()) { - return Result.err(rnd); - } - resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); + if (rnd.notOK()) { + return Result.err(rnd); + } + rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read); + if (rnd.notOK()) { + return Result.err(rnd); + } + resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); } if (resp.notOK()) { @@ -3850,8 +3864,8 @@ public class AuthzCassServiceImpl getHistoryBySubject(AuthzTrans trans, String subject, String target, int[] yyyymm, final int sort) { - NsDAO.Data ndd = new NsDAO.Data(); - ndd.name = FQI.reverseDomain(subject); + NsDAO.Data ndd = new NsDAO.Data(); + ndd.name = FQI.reverseDomain(subject); Result rnd = ques.mayUser(trans, trans.user(), ndd, Access.read); if (rnd.notOK()) { return Result.err(rnd);