X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-service%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fservice%2FAuthzCassServiceImpl.java;h=41c433f4b0b893c40ac5a32fd763623875432b46;hb=a77e3d6e9180c1722a9d18f7717034bb0650a130;hp=c9730f5b6bfdbdee3dc683b47888beed7c7b45fa;hpb=4c709df6500a95057a92ec3ea5c739738764388d;p=aaf%2Fauthz.git diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index c9730f5b..41c433f4 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -47,6 +47,9 @@ import javax.servlet.http.HttpServletRequest; import org.onap.aaf.auth.common.Define; import org.onap.aaf.auth.dao.DAOException; +import org.onap.aaf.auth.dao.cached.CachedPermDAO; +import org.onap.aaf.auth.dao.cached.CachedRoleDAO; +import org.onap.aaf.auth.dao.cached.CachedUserRoleDAO; import org.onap.aaf.auth.dao.cass.ApprovalDAO; import org.onap.aaf.auth.dao.cass.CertDAO; import org.onap.aaf.auth.dao.cass.CredDAO; @@ -168,6 +171,7 @@ public class AuthzCassServiceImpl > rlnsd = ques.nsDAO.read(trans, ns); + Result> rlnsd = ques.nsDAO().read(trans, ns); if (rlnsd.notOKorIsEmpty()) { return Result.err(rlnsd); } @@ -318,7 +322,8 @@ public class AuthzCassServiceImpl > rsd = ques.nsDAO.dao().readNsByAttrib(trans, key); + Result> rsd = ques.nsDAO().dao().readNsByAttrib(trans, key); if (rsd.notOK()) { return Result.err(rsd); } @@ -382,7 +387,7 @@ public class AuthzCassServiceImpl > rlnsd = ques.nsDAO.read(trans, ns); + Result> rlnsd = ques.nsDAO().read(trans, ns); if (rlnsd.notOKorIsEmpty()) { return Result.err(rlnsd); } @@ -401,8 +406,8 @@ public class AuthzCassServiceImpl > rlnsd = ques.nsDAO.read(trans, ns); + Result> rlnsd = ques.nsDAO().read(trans, ns); if (rlnsd.notOKorIsEmpty()) { return Result.err(rlnsd); } @@ -451,7 +456,8 @@ public class AuthzCassServiceImpl getNSbyName(AuthzTrans trans, String ns) { + public Result getNSbyName(AuthzTrans trans, String ns, boolean includeExpired) { final Validator v = new ServiceValidator(); if (v.nullOrBlank("NS", ns).err()) { return Result.err(Status.ERR_BadData,v.errs()); } - Result> rlnd = ques.nsDAO.read(trans, ns); + Result> rlnd = ques.nsDAO().read(trans, ns); if (rlnd.isOK()) { if (rlnd.isEmpty()) { return Result.err(Status.ERR_NotFound, "No data found for %s",ns); @@ -488,11 +493,11 @@ public class AuthzCassServiceImpl > rd = func.getOwners(trans, namespace.name, false); + Result> rd = func.getOwners(trans, namespace.name, includeExpired); if (rd.isOK()) { namespace.owner = rd.value; } - rd = func.getAdmins(trans, namespace.name, false); + rd = func.getAdmins(trans, namespace.name, includeExpired); if (rd.isOK()) { namespace.admin = rd.value; } @@ -563,7 +568,7 @@ public class AuthzCassServiceImpl > loadNamepace(AuthzTrans trans, String user, String endsWith, boolean full) { - Result> urd = ques.userRoleDAO.readByUser(trans, user); + Result> urd = ques.userRoleDAO().readByUser(trans, user); if (urd.notOKorIsEmpty()) { return Result.err(urd); } @@ -679,7 +684,7 @@ public class AuthzCassServiceImpl lm = new HashSet<>(); - Result> rlnd = ques.nsDAO.dao().getChildren(trans, parent); + Result> rlnd = ques.nsDAO().dao().getChildren(trans, parent); if (rlnd.isOK()) { if (rlnd.isEmpty()) { return Result.err(Status.ERR_NotFound, "No data found for %s",parent); @@ -727,7 +732,7 @@ public class AuthzCassServiceImpl > rlnd = ques.nsDAO.read(trans, namespace.name); + Result> rlnd = ques.nsDAO().read(trans, namespace.name); if (rlnd.notOKorIsEmpty()) { return Result.err(Status.ERR_NotFound, "Namespace [%s] does not exist",namespace.name); @@ -737,7 +742,7 @@ public class AuthzCassServiceImpl rdr = ques.nsDAO.dao().addDescription(trans, namespace.name, namespace.description); + Result rdr = ques.nsDAO().dao().addDescription(trans, namespace.name, namespace.description); if (rdr.isOK()) { return Result.ok(); } else { @@ -797,56 +802,129 @@ public class AuthzCassServiceImpl createPerm(final AuthzTrans trans,REQUEST rreq) { final Result newPd = mapper.perm(trans, rreq); + final ServiceValidator v = new ServiceValidator(); if (v.perm(newPd).err()) { return Result.err(Status.ERR_BadData,v.errs()); } - - Result fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false, - new Mapper.Memo() { - @Override - public String get() { - return "Create Permission [" + - newPd.value.fullType() + '|' + - newPd.value.instance + '|' + - newPd.value.action + ']'; - } - }, - new MayChange() { - private Result nsd; - @Override - public Result mayChange() { - if (nsd==null) { - nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write); - } - return nsd; - } - }); - Result> nsr = ques.nsDAO.read(trans, newPd.value.ns); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); + + // User Permission mechanism + if(newPd.value.ns.indexOf('@')>0) { + PermDAO.Data pdd = newPd.value; + if(trans.user().equals(newPd.value.ns)) { + CachedPermDAO permDAO = ques.permDAO(); + Result> rlpdd = permDAO.read(trans, pdd); + if(rlpdd.notOK()) { + return Result.err(rlpdd); + } + if(!rlpdd.isEmpty()) { + return Result.err(Result.ERR_ConflictAlreadyExists,"Permission already exists"); + } + + RoleDAO.Data rdd = new RoleDAO.Data(); + rdd.ns = pdd.ns; + rdd.name = "user"; + + pdd.roles(true).add(rdd.encode()); + Result rpdd = permDAO.create(trans, pdd); + if(rpdd.notOK()) { + return Result.err(rpdd); + } + + CachedRoleDAO roleDAO = ques.roleDAO(); + Result> rlrdd = roleDAO.read(trans, rdd); + if(rlrdd.notOK()) { + return Result.err(rlrdd); + } else { + if(!rlrdd.isEmpty()) { + rdd = rlrdd.value.get(0); + } + } + + String eperm = pdd.encode(); + rdd.perms(true).add(eperm); + Result rv = roleDAO.update(trans, rdd); + if(rv.notOK()) { + return rv; + } + + CachedUserRoleDAO urDAO = ques.userRoleDAO(); + UserRoleDAO.Data urdd = new UserRoleDAO.Data(); + urdd.user = trans.user(); + urdd.ns = rdd.ns; + urdd.rname = rdd.name; + urdd.role = rdd.fullName(); + Result> rlurdd = urDAO.read(trans, urdd); + if(rlurdd.notOK()) { + return Result.err(rlrdd); + } else if(rlurdd.isEmpty()) { + GregorianCalendar gc = trans.org().expiration(null, Expiration.UserInRole); + if(gc==null) { + return Result.err(Result.ERR_Policy,"Organzation does not grant Expiration for UserRole"); + } else { + urdd.expires = gc.getTime(); + } + Result rurdd = urDAO.create(trans, urdd); + return Result.err(rurdd); + } + return rv; + } else { + return Result.err(Result.ERR_Security,"Only the User can create User Permissions"); + } + } else { + // Does Perm Type exist as a Namespace? + if(newPd.value.type.isEmpty() || ques.nsDAO().read(trans, newPd.value.fullType()).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Permission Type exists as a Namespace"); + } + + Result fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false, + new Mapper.Memo() { + @Override + public String get() { + return "Create Permission [" + + newPd.value.fullType() + '|' + + newPd.value.instance + '|' + + newPd.value.action + ']'; + } + }, + new MayChange() { + private Result nsd; + @Override + public Result mayChange() { + if (nsd==null) { + nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write); + } + return nsd; + } + }); + + Result> nsr = ques.nsDAO().read(trans, newPd.value.ns); + if (nsr.notOKorIsEmpty()) { + return Result.err(nsr); + } + switch(fd.status) { + case OK: + Result rfc = func.createFuture(trans,fd.value, + newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action, + trans.user(), + nsr.value.get(0), + FUTURE_OP.C); + if (rfc.isOK()) { + return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", + newPd.value.ns, + newPd.value.type, + newPd.value.instance, + newPd.value.action); + } else { + return Result.err(rfc); + } + case Status.ACC_Now: + return func.createPerm(trans, newPd.value, true); + default: + return Result.err(fd); + } } - switch(fd.status) { - case OK: - Result rfc = func.createFuture(trans,fd.value, - newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action, - trans.user(), - nsr.value.get(0), - FUTURE_OP.C); - if (rfc.isOK()) { - return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", - newPd.value.ns, - newPd.value.type, - newPd.value.instance, - newPd.value.action); - } else { - return Result.err(rfc); - } - case Status.ACC_Now: - return func.createPerm(trans, newPd.value, true); - default: - return Result.err(fd); - } } @ApiDoc( @@ -1138,7 +1216,7 @@ public class AuthzCassServiceImpl > rlpd = ques.permDAO.readNS(trans, ns); + Result> rlpd = ques.permDAO().readNS(trans, ns); if (rlpd.notOK()) { return Result.err(rlpd); } @@ -1176,7 +1254,7 @@ public class AuthzCassServiceImpl nss = ques.deriveNsSplit(trans, origType); - Result> origRlpd = ques.permDAO.read(trans, nss.value.ns, nss.value.name, origInstance, origAction); + Result> origRlpd = ques.permDAO().read(trans, nss.value.ns, nss.value.name, origInstance, origAction); if (origRlpd.notOKorIsEmpty()) { return Result.err(Status.ERR_PermissionNotFound, @@ -1235,7 +1313,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, pd.value.ns); + Result> nsr = ques.nsDAO().read(trans, pd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } - Result rdr = ques.permDAO.addDescription(trans, perm.ns, perm.type, perm.instance, + Result rdr = ques.permDAO().addDescription(trans, perm.ns, perm.type, perm.instance, perm.action, perm.description); if (rdr.isOK()) { return Result.ok(); @@ -1287,7 +1365,7 @@ public class AuthzCassServiceImpl > rcurr = ques.permDAO.read(trans, + Result> rcurr = ques.permDAO().read(trans, updt.value.ns, updt.value.type, updt.value.instance, @@ -1321,7 +1399,7 @@ public class AuthzCassServiceImpl key = RoleDAO.Data.decode(trans, ques, role); if (key.isOKhasData()) { - Result> rrd = ques.roleDAO.read(trans, key.value); + Result> rrd = ques.roleDAO().read(trans, key.value); if (rrd.isOKhasData()) { for (RoleDAO.Data r : rrd.value) { rv = func.addPermToRole(trans, r, curr, false); @@ -1341,7 +1419,7 @@ public class AuthzCassServiceImpl key = RoleDAO.Data.decode(trans, ques, role); if (key.isOKhasData()) { - Result> rdd = ques.roleDAO.read(trans, key.value); + Result> rdd = ques.roleDAO().read(trans, key.value); if (rdd.isOKhasData()) { for (RoleDAO.Data r : rdd.value) { rv = func.delPermFromRole(trans, r, curr, true); @@ -1380,11 +1458,11 @@ public class AuthzCassServiceImpl fd = mapper.future(trans,PermDAO.TABLE,from,perm,false, new Mapper.Memo() { @Override @@ -1405,7 +1483,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, perm.ns); + Result> nsr = ques.nsDAO().read(trans, perm.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1483,12 +1561,17 @@ public class AuthzCassServiceImpl createRole(final AuthzTrans trans, REQUEST from) { final Result rd = mapper.role(trans, from); + // Does Perm Type exist as a Namespace? + if(rd.value.name.isEmpty() || ques.nsDAO().read(trans, rd.value.fullName()).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Role exists as a Namespace"); + } final ServiceValidator v = new ServiceValidator(); if (v.role(rd).err()) { return Result.err(Status.ERR_BadData,v.errs()); } final RoleDAO.Data role = rd.value; - if (ques.roleDAO.read(trans, role.ns, role.name).isOKhasData()) { + if (ques.roleDAO().read(trans, role.ns, role.name).isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "Role [" + role.fullName() + "] already exists"); } @@ -1512,7 +1595,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rd.value.ns); + Result> nsr = ques.nsDAO().read(trans, rd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1529,7 +1612,7 @@ public class AuthzCassServiceImpl rdr = ques.roleDAO.create(trans, role); + Result rdr = ques.roleDAO().create(trans, role); if (rdr.isOK()) { return Result.ok(); } else { @@ -1608,10 +1691,10 @@ public class AuthzCassServiceImpl > rlrd; - Result> rlurd = ques.userRoleDAO.readByUser(trans, user); + Result> rlurd = ques.userRoleDAO().readByUser(trans, user); if (rlurd.isOKhasData()) { for (UserRoleDAO.Data urd : rlurd.value ) { - rlrd = ques.roleDAO.read(trans, urd.ns,urd.rname); + rlrd = ques.roleDAO().read(trans, urd.ns,urd.rname); // Note: Mapper will restrict what can be viewed // if user is the same as that which is looked up, no filtering is required if (rlrd.isOKhasData()) { @@ -1658,7 +1741,7 @@ public class AuthzCassServiceImpl > rlrd = ques.roleDAO.readNS(trans, ns); + Result> rlrd = ques.roleDAO().readNS(trans, ns); if (rlrd.isOK()) { if (!rlrd.isEmpty()) { // Note: Mapper doesn't need to restrict what can be viewed, because we did it already. @@ -1700,7 +1783,7 @@ public class AuthzCassServiceImpl > rlrd = ques.roleDAO.readName(trans, name); + Result> rlrd = ques.roleDAO().readName(trans, name); if (rlrd.isOK()) { if (!rlrd.isEmpty()) { // Note: Mapper will restrict what can be viewed @@ -1757,13 +1840,13 @@ public class AuthzCassServiceImpl > pdlr = ques.permDAO.read(trans, pdd); + Result> pdlr = ques.permDAO().read(trans, pdd); if (pdlr.isOK())for (PermDAO.Data pd : pdlr.value) { Result> rlrd; for (String r : pd.roles) { Result rs = RoleDAO.Data.decodeToArray(trans, ques, r); if (rs.isOK()) { - rlrd = ques.roleDAO.read(trans, rs.value[0],rs.value[1]); + rlrd = ques.roleDAO().read(trans, rs.value[0],rs.value[1]); // Note: Mapper will restrict what can be viewed if (rlrd.isOKhasData()) { mapper.roles(trans,rlrd.value,roles,true); @@ -1799,7 +1882,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rd.value.ns); + Result> nsr = ques.nsDAO().read(trans, rd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } - Result rdr = ques.roleDAO.addDescription(trans, role.ns, role.name, role.description); + Result rdr = ques.roleDAO().addDescription(trans, role.ns, role.name, role.description); if (rdr.isOK()) { return Result.ok(); } else { @@ -1861,13 +1944,13 @@ public class AuthzCassServiceImpl > rlrd = ques.roleDAO.read(trans, rrd.value.ns, rrd.value.name); + Result> rlrd = ques.roleDAO().read(trans, rrd.value.ns, rrd.value.name); if (rlrd.notOKorIsEmpty()) { return Result.err(Status.ERR_RoleNotFound, "Role [%s] does not exist", rrd.value.fullName()); } // Check Status of Data in DB (does it exist) - Result> rlpd = ques.permDAO.read(trans, rpd.value.ns, + Result> rlpd = ques.permDAO().read(trans, rpd.value.ns, rpd.value.type, rpd.value.instance, rpd.value.action); PermDAO.Data createPerm = null; // if not null, create first if (rlpd.notOKorIsEmpty()) { // Permission doesn't exist @@ -1908,7 +1991,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rpd.value.ns); + Result> nsr = ques.nsDAO().read(trans, rpd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1980,7 +2063,7 @@ public class AuthzCassServiceImpl delPermFromRole(final AuthzTrans trans, PermDAO.Data pdd, RoleDAO.Data rdd, REQUEST rreq) { - Result> rlpd = ques.permDAO.read(trans, pdd.ns, pdd.type, + Result> rlpd = ques.permDAO().read(trans, pdd.ns, pdd.type, pdd.instance, pdd.action); if (rlpd.notOKorIsEmpty()) { @@ -2007,7 +2090,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, pdd.ns); + Result> nsr = ques.nsDAO().read(trans, pdd.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2070,12 +2153,12 @@ public class AuthzCassServiceImpl > rrd = ques.roleDAO.read(trans, rrns.value.parent, rrns.value.name); + final Result> rrd = ques.roleDAO().read(trans, rrns.value.parent, rrns.value.name); if (rrd.notOKorIsEmpty()) { return Result.err(rrd); } - final Result> rpd = ques.permDAO.read(trans, rpns.value.parent, rpns.value.name, instance, action); + final Result> rpd = ques.permDAO().read(trans, rpns.value.parent, rpns.value.name, instance, action); if (rpd.notOKorIsEmpty()) { return Result.err(rpd); } @@ -2131,7 +2214,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rd.value.ns); + Result> nsr = ques.nsDAO().read(trans, rd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2277,7 +2360,6 @@ public class AuthzCassServiceImpl rcred = mapper.cred(trans, from, true); if (rcred.isOKhasData()) { - byte[] rawCred = rcred.value.cred.array(); rcred = ques.userCredSetup(trans, rcred.value); final ServiceValidator v = new ServiceValidator(); @@ -2299,7 +2381,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rcred.value.ns); + Result> nsr = ques.nsDAO().read(trans, rcred.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(Status.ERR_NsNotFound,"Cannot provision %s on non-existent Namespace %s",mechID.id(),rcred.value.ns); } @@ -2309,7 +2391,7 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readID(trans, rcred.value.id); + Result> rlcd = ques.credDAO().readID(trans, rcred.value.id); if (rlcd.isOKhasData()) { if (!org.canHaveMultipleCreds(rcred.value.id)) { return Result.err(Status.ERR_ConflictAlreadyExists, "Credential exists"); @@ -2320,7 +2402,9 @@ public class AuthzCassServiceImpl udr = ques.credDAO.create(trans, rcred.value); + Resultudr = ques.credDAO().create(trans, rcred.value); if (udr.isOK()) { return Result.ok(); } @@ -2442,7 +2526,7 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readNS(trans, ns); + Result> rlcd = ques.credDAO().readNS(trans, ns); if (rlcd.isOK()) { if (!rlcd.isEmpty()) { @@ -2489,7 +2573,7 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readID(trans, id); + Result> rlcd = ques.credDAO().readID(trans, id); if (rlcd.isOK()) { if (!rlcd.isEmpty()) { @@ -2519,7 +2603,7 @@ public class AuthzCassServiceImpl > rlcd = ques.certDAO.readID(trans, id); + Result> rlcd = ques.certDAO().readID(trans, id); if (rlcd.isOK()) { if (!rlcd.isEmpty()) { @@ -2560,7 +2644,7 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readID(trans, rcred.value.id); + Result> rlcd = ques.credDAO().readID(trans, rcred.value.id); if (rlcd.notOKorIsEmpty()) { return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); } @@ -2592,7 +2676,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rcred.value.ns); + Result> nsr = ques.nsDAO().read(trans, rcred.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2634,9 +2718,9 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readID(trans, cred.value.id); + Result> rlcd = ques.credDAO().readID(trans, cred.value.id); if (rlcd.notOKorIsEmpty()) { return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); } @@ -2731,10 +2815,11 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readID(trans, cred.value.id); + Result> rlcd = ques.credDAO().readID(trans, cred.value.id); if (rlcd.notOKorIsEmpty()) { // Empty Creds should have no user_roles. - Result> rlurd = ques.userRoleDAO.readByUser(trans, cred.value.id); + Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO.delete(trans, data, false); + ques.userRoleDAO().delete(trans, data, false); } } return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); @@ -2858,7 +2943,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, cred.value.ns); + Result> nsr = ques.nsDAO().read(trans, cred.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2879,20 +2964,20 @@ public class AuthzCassServiceImpl = rlcd.value.size()) { return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); } - udr = ques.credDAO.delete(trans, rlcd.value.get(entry),false); + udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false); } else { for (CredDAO.Data curr : rlcd.value) { - udr = ques.credDAO.delete(trans, curr, false); + udr = ques.credDAO().delete(trans, curr, false); if (udr.notOK()) { return Result.err(udr); } } } if (isLastCred) { - Result> rlurd = ques.userRoleDAO.readByUser(trans, cred.value.id); + Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO.delete(trans, data, false); + ques.userRoleDAO().delete(trans, data, false); } } } @@ -3093,7 +3178,7 @@ public class AuthzCassServiceImpl userSet = new HashSet<>(); - Result> rlurd = ques.userRoleDAO.readByRole(trans, role); + Result> rlurd = ques.userRoleDAO().readByRole(trans, role); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { userSet.add(data); @@ -3126,7 +3211,7 @@ public class AuthzCassServiceImpl > rlurd = ques.userRoleDAO.readByUser(trans, user); + Result> rlurd = ques.userRoleDAO().readByUser(trans, user); if (rlurd.notOK()) { return Result.err(rlurd); } @@ -3187,172 +3272,9 @@ public class AuthzCassServiceImpl resetRolesForUser(AuthzTrans trans, REQUEST rreq) { - Result rurdd = mapper.userRole(trans, rreq); - final ServiceValidator v = new ServiceValidator(); - if (rurdd.notOKorIsEmpty()) { - return Result.err(rurdd); - } - if (v.user(trans.org(), rurdd.value.user).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - - Set currRoles = new HashSet<>(); - Result> rlurd = ques.userRoleDAO.readByUser(trans, rurdd.value.user); - if (rlurd.isOK()) { - for (UserRoleDAO.Data data : rlurd.value) { - currRoles.add(data.role); - } - } - - Result rv = null; - String[] roles; - if (rurdd.value.role==null) { - roles = new String[0]; - } else { - roles = rurdd.value.role.split(","); - } - - for (String role : roles) { - if (v.role(role).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - Result rrdd = RoleDAO.Data.decode(trans, ques, role); - if (rrdd.notOK()) { - return Result.err(rrdd); - } - - rurdd.value.role(rrdd.value); - - Result nsd = ques.mayUser(trans, trans.user(), rrdd.value,Access.write); - if (nsd.notOK()) { - return Result.err(nsd); - } - Result nsr = ques.deriveNs(trans, role); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - - if (currRoles.contains(role)) { - currRoles.remove(role); - } else { - rv = func.addUserRole(trans, rurdd.value); - if (rv.notOK()) { - return rv; - } - } - } - - for (String role : currRoles) { - rurdd.value.role(trans,ques,role); - rv = ques.userRoleDAO.delete(trans, rurdd.value, false); - if (rv.notOK()) { - trans.info().log(rurdd.value.user,"/",rurdd.value.role, "expected to be deleted, but does not exist"); - // return rv; // if it doesn't exist, don't error out - } - - } - - return Result.ok(); - - } - - @ApiDoc( - method = PUT, - path = "/authz/userRole/role", - params = {}, - expectedCode = 200, - errorCodes = {403,404,406}, - text = { "Set a Role's users to the users specified in the UserRoleRequest object.", - "WARNING: Users supplied will be the ONLY users attached to this role", - "If no users are supplied, role's users are reset." - } - ) - @Override - public Result resetUsersForRole(AuthzTrans trans, REQUEST rreq) { - Result rurdd = mapper.userRole(trans, rreq); - if (rurdd.notOKorIsEmpty()) { - return Result.err(rurdd); - } - final ServiceValidator v = new ServiceValidator(); - if (v.user_role(rurdd.value).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - - RoleDAO.Data rd = RoleDAO.Data.decode(rurdd.value); - - Result nsd = ques.mayUser(trans, trans.user(), rd, Access.write); - if (nsd.notOK()) { - return Result.err(nsd); - } - - Result nsr = ques.deriveNs(trans, rurdd.value.role); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - - Set currUsers = new HashSet<>(); - Result> rlurd = ques.userRoleDAO.readByRole(trans, rurdd.value.role); - if (rlurd.isOK()) { - for (UserRoleDAO.Data data : rlurd.value) { - currUsers.add(data.user); - } - } - - // found when connected remotely to DEVL, can't replicate locally - // inconsistent errors with cmd: role user setTo [nothing] - // deleteUserRole --> read --> get --> cacheIdx(?) - // sometimes returns idx for last added user instead of user passed in - // cache bug? - - - Result rv = null; - String[] users = {}; - if (rurdd.value.user != null) { - users = rurdd.value.user.split(","); - } - - for (String user : users) { - if (v.user(trans.org(), user).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - rurdd.value.user = user; - - if (currUsers.contains(user)) { - currUsers.remove(user); - } else { - rv = func.addUserRole(trans, rurdd.value); - if (rv.notOK()) { - return rv; - } - } - } - - for (String user : currUsers) { - rurdd.value.user = user; - rv = ques.userRoleDAO.delete(trans, rurdd.value, false); - if (rv.notOK()) { - trans.info().log(rurdd.value, "expected to be deleted, but not exists"); - return rv; - } - } - - return Result.ok(); - } + - @ApiDoc( + @ApiDoc( method = GET, path = "/authz/userRole/extend/:user/:role", params = { "user|string|true", @@ -3385,7 +3307,7 @@ public class AuthzCassServiceImpl > rr = ques.userRoleDAO.read(trans, user,role); + Result> rr = ques.userRoleDAO().read(trans, user,role); if (rr.notOK()) { return Result.err(rr); } @@ -3460,7 +3382,7 @@ public class AuthzCassServiceImpl > rulr; - if ((rulr=ques.userRoleDAO.read(trans, usr, role)).notOKorIsEmpty()) { + if ((rulr=ques.userRoleDAO().read(trans, usr, role)).notOKorIsEmpty()) { return Result.err(Status.ERR_UserRoleNotFound, "User [ "+usr+" ] is not " + "Assigned to the Role [ " + role + " ]"); } @@ -3484,7 +3406,7 @@ public class AuthzCassServiceImpl userSet = new HashSet<>(); - Result> rlurd = ques.userRoleDAO.readUserInRole(trans, user, role); + Result> rlurd = ques.userRoleDAO().readUserInRole(trans, user, role); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { userSet.add(data); @@ -3572,7 +3494,7 @@ public class AuthzCassServiceImpl userSet = new HashSet<>(); - Result> rlurd = ques.userRoleDAO.readByRole(trans, role); + Result> rlurd = ques.userRoleDAO().readByRole(trans, role); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { if (contactOnly) { //scrub data @@ -3625,7 +3547,7 @@ public class AuthzCassServiceImpl > nsd = ques.nsDAO.read(trans, nss.value.ns); + Result> nsd = ques.nsDAO().read(trans, nss.value.ns); if (nsd.notOK()) { return Result.err(nsd); } @@ -3639,7 +3561,7 @@ public class AuthzCassServiceImpl userSet = new HashSet<>(); if (!nss.isEmpty()) { - Result> rlp = ques.permDAO.readByType(trans, nss.value.ns, nss.value.name); + Result> rlp = ques.permDAO().readByType(trans, nss.value.ns, nss.value.name); if (rlp.isOKhasData()) { for (PermDAO.Data pd : rlp.value) { if ((allInstance || pd.instance.equals(instance)) && @@ -3648,7 +3570,7 @@ public class AuthzCassServiceImpl > rlurd = ques.userRoleDAO.readByRole(trans, role.replace('|', '.')); + Result> rlurd = ques.userRoleDAO().readByRole(trans, role.replace('|', '.')); if (rlurd.isOKhasData()) { for (UserRoleDAO.Data urd : rlurd.value) { userSet.add(urd); @@ -3702,7 +3624,7 @@ public class AuthzCassServiceImpl > resp = ques.historyDAO.readByUser(trans, user, yyyymm); + Result> resp = ques.historyDAO().readByUser(trans, user, yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3725,7 +3647,7 @@ public class AuthzCassServiceImpl > resp = ques.historyDAO.readBySubject(trans, role, "role", yyyymm); + Result> resp = ques.historyDAO().readBySubject(trans, role, "role", yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3750,7 +3672,7 @@ public class AuthzCassServiceImpl > resp = ques.historyDAO.readBySubject(trans, type, "perm", yyyymm); + Result> resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3774,7 +3696,7 @@ public class AuthzCassServiceImpl > resp = ques.historyDAO.readBySubject(trans, ns, "ns", yyyymm); + Result> resp = ques.historyDAO().readBySubject(trans, ns, "ns", yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3804,7 +3726,7 @@ public class AuthzCassServiceImpl > ddr = ques.delegateDAO.read(trans, dd); + Result> ddr = ques.delegateDAO().read(trans, dd); if (access==Access.create && ddr.isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "[%s] already delegates to [%s]", dd.user, ddr.value.get(0).delegate); } else if (access!=Access.create && ddr.notOKorIsEmpty()) { @@ -3844,14 +3766,14 @@ public class AuthzCassServiceImpl rdr = ques.delegateDAO.create(trans, dd); + Result rdr = ques.delegateDAO().create(trans, dd); if (rdr.isOK()) { return Result.ok(); } else { return Result.err(rdr); } } else { - return ques.delegateDAO.update(trans, dd); + return ques.delegateDAO().update(trans, dd); } default: return Result.err(fd); @@ -3867,7 +3789,7 @@ public class AuthzCassServiceImpl > ddl; - if ((ddl=ques.delegateDAO.read(trans, rd.value)).notOKorIsEmpty()) { + if ((ddl=ques.delegateDAO().read(trans, rd.value)).notOKorIsEmpty()) { return Result.err(Status.ERR_DelegateNotFound,"Cannot delete non-existent Delegate"); } final DelegateDAO.Data dd = ddl.value.get(0); @@ -3876,7 +3798,7 @@ public class AuthzCassServiceImpl > ddl; - if ((ddl=ques.delegateDAO.read(trans, dd)).notOKorIsEmpty()) { + if ((ddl=ques.delegateDAO().read(trans, dd)).notOKorIsEmpty()) { return Result.err(Status.ERR_DelegateNotFound,"Cannot delete non-existent Delegate"); } dd = ddl.value.get(0); @@ -3897,7 +3819,7 @@ public class AuthzCassServiceImpl > dbDelgs = ques.delegateDAO.read(trans, user); + Result> dbDelgs = ques.delegateDAO().read(trans, user); try { if (dbDelgs.isOKhasData()) { return mapper.delegate(dbDelgs.value); @@ -3945,7 +3867,7 @@ public class AuthzCassServiceImpl > dbDelgs = ques.delegateDAO.readByDelegate(trans, delegate); + Result> dbDelgs = ques.delegateDAO().readByDelegate(trans, delegate); try { if (dbDelgs.isOKhasData()) { return mapper.delegate(dbDelgs.value); @@ -3978,16 +3900,16 @@ public class AuthzCassServiceImpl > apprByTicket=null; for (ApprovalDAO.Data updt : rlad.value) { if (updt.ticket!=null) { - curr = ques.approvalDAO.readByTicket(trans, updt.ticket); + curr = ques.approvalDAO().readByTicket(trans, updt.ticket); if (curr.isOKhasData()) { final List add = curr.value; // Store a Pre-Lookup apprByTicket = (trans1, noop) -> add; } } else if (updt.id!=null) { - curr = ques.approvalDAO.read(trans, updt); + curr = ques.approvalDAO().read(trans, updt); } else if (updt.approver!=null) { - curr = ques.approvalDAO.readByApprover(trans, updt.approver); + curr = ques.approvalDAO().readByApprover(trans, updt.approver); } else { return Result.err(Status.ERR_BadData,"Approvals need ID, Ticket or Approval data to update"); } @@ -4017,13 +3939,13 @@ public class AuthzCassServiceImpl rfdd = ques.futureDAO.readPrimKey(trans, cd.ticket); + Result rfdd = ques.futureDAO().readPrimKey(trans, cd.ticket); if (rfdd.isOK()) { fdd = rfdd.value; // null is ok } else { @@ -4066,7 +3988,7 @@ public class AuthzCassServiceImpl > rapd = ques.approvalDAO.readByUser(trans, user); + Result> rapd = ques.approvalDAO().readByUser(trans, user); if (rapd.isOK()) { return mapper.approvals(rapd.value); } else { @@ -4130,7 +4052,7 @@ public class AuthzCassServiceImpl > rapd = ques.approvalDAO.readByTicket(trans, uuid); + Result> rapd = ques.approvalDAO().readByTicket(trans, uuid); if (rapd.isOK()) { return mapper.approvals(rapd.value); } else { @@ -4147,19 +4069,19 @@ public class AuthzCassServiceImpl listRapds = new ArrayList<>(); - Result> myRapd = ques.approvalDAO.readByApprover(trans, approver); + Result> myRapd = ques.approvalDAO().readByApprover(trans, approver); if (myRapd.notOK()) { return Result.err(myRapd); } listRapds.addAll(myRapd.value); - Result> delegatedFor = ques.delegateDAO.readByDelegate(trans, approver); + Result> delegatedFor = ques.delegateDAO().readByDelegate(trans, approver); if (delegatedFor.isOK()) { for (DelegateDAO.Data dd : delegatedFor.value) { if (dd.expires.after(new Date())) { String delegator = dd.user; - Result> rapd = ques.approvalDAO.readByApprover(trans, delegator); + Result> rapd = ques.approvalDAO().readByApprover(trans, delegator); if (rapd.isOK()) { for (ApprovalDAO.Data d : rapd.value) { if (!d.user.equals(trans.user())) { @@ -4209,7 +4131,7 @@ public class AuthzCassServiceImpl