X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Faaf%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2Faaf%2Fv2_0%2FAAFLurPerm.java;h=8b91c74a84baa0f5e776a138e11daf105d604020;hb=deb396a3d53a84b2eb5a46d40122b4902d72c601;hp=682540eae950a326d4150b47c2f5fc4389f5a398;hpb=8206227ce04d26834a0023b4497d6b2ad67e906b;p=aaf%2Fauthz.git
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
index 682540ea..8b91c74a 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
@@ -7,9 +7,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -38,11 +38,11 @@ import org.onap.aaf.cadi.Permission;
 import org.onap.aaf.cadi.User;
 import org.onap.aaf.cadi.aaf.AAFPermission;
 import org.onap.aaf.cadi.client.Future;
-import org.onap.aaf.cadi.client.Holder;
 import org.onap.aaf.cadi.client.Rcli;
 import org.onap.aaf.cadi.client.Retryable;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.lur.LocalPermission;
+import org.onap.aaf.cadi.util.Holder;
 import org.onap.aaf.cadi.util.Timing;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.util.Split;
@@ -52,206 +52,211 @@ import aaf.v2_0.Perms; /** * Use AAF Service as Permission Service. - * + * * This Lur goes after AAF Permissions, which are elements of Roles, not the Roles themselves. - * + * * If you want a simple Role Lur, use AAFRoleLur - * + * * @author Jonathan * */ public class AAFLurPerm extends AbsAAFLur { - private static final String ORG_OSAAF_CADI_OAUTH_O_AUTH2_LUR = "org.osaaf.cadi.oauth.OAuth2Lur"; + private static final String ORG_OSAAF_CADI_OAUTH_O_AUTH2_LUR = "org.osaaf.cadi.oauth.OAuth2Lur"; + + /** + * Need to be able to transmutate a Principal into either Person or AppID, which are the only ones accepted at this + * point by AAF. There is no "domain", aka, no "@att.com" in "ab1234@att.com". + * + * The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid. + * Thus, we validate that the ID portion follows the rules before we waste time accessing AAF remotely + * @throws APIException + * @throws URISyntaxException + * @throws DME2Exception + */ + // Package on purpose + AAFLurPerm(AAFCon con) throws CadiException, APIException { + super(con); + attachOAuth2(con); + } + + // Package on purpose + AAFLurPerm(AAFCon con, AbsUserCache auc) throws APIException { + super(con,auc); + attachOAuth2(con); + } + + private void attachOAuth2(AAFCon con) throws APIException { + String oauth2_url; + Class tmcls = Config.loadClass(access,"org.osaaf.cadi.oauth.TokenMgr"); + if (tmcls!=null) { + if ((oauth2_url = con.access.getProperty(Config.CADI_OAUTH2_URL,null))!=null) { + try { + Constructor tmconst = tmcls.getConstructor(AAFCon.class,String.class); + Object tokMangr = tmconst.newInstance(con,oauth2_url); + @SuppressWarnings("unchecked") + Class oa2cls = (Class)Config.loadClass(access,ORG_OSAAF_CADI_OAUTH_O_AUTH2_LUR); + Constructor oa2const = oa2cls.getConstructor(tmcls); + Lur oa2 = oa2const.newInstance(tokMangr); + setPreemptiveLur(oa2); + } catch (NoSuchMethodException | SecurityException | 
InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { + throw new APIException(e); + } + } else { + access.log(Level.INIT, "Both cadi-oauth jar and Property",Config.CADI_OAUTH2_URL,"is required to initialize OAuth2"); + } + } + } + + protected User loadUser(final Principal principal) { + final String name = principal.getName(); + final long start = System.nanoTime(); + final Holder remote = new Holder(0f); + + final boolean[] success = new boolean[]{false}; + + try { + return aaf.best(new Retryable>() { + @Override + public User code(Rcli client) throws CadiException, ConnectException, APIException { + final long remoteStart = System.nanoTime(); + StringBuilder sb = new StringBuilder("/authz/perms/user/"); + sb.append(name); + if(details) { + sb.append("?force"); + } + Future fp = client.read(sb.toString(),aaf.permsDF); + + // In the meantime, lookup User, create if necessary + User user = getUser(principal); + Principal p; + if (user!=null && user.principal == null) { + p = new Principal() {// Create a holder for lookups + private String n = name; + public String getName() { + return n; + } + }; + } else { + p = principal; + } - /** - * Need to be able to transmutate a Principal into either Person or AppID, which are the only ones accepted at this - * point by AAF. There is no "domain", aka, no "@att.com" in "ab1234@att.com". - * - * The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid. 
- * Thus, we validate that the ID portion follows the rules before we waste time accessing AAF remotely - * @throws APIException - * @throws URISyntaxException - * @throws DME2Exception - */ - // Package on purpose - AAFLurPerm(AAFCon con) throws CadiException, APIException { - super(con); - attachOAuth2(con); - } + if (user==null) { + addUser(user = new User(p,aaf.userExpires)); // no password + } - // Package on purpose - AAFLurPerm(AAFCon con, AbsUserCache auc) throws APIException { - super(con,auc); - attachOAuth2(con); - } - - private void attachOAuth2(AAFCon con) throws APIException { - String oauth2_url; - Class tmcls = Config.loadClass(access,"org.osaaf.cadi.oauth.TokenMgr"); - if(tmcls!=null) { - if((oauth2_url = con.access.getProperty(Config.CADI_OAUTH2_URL,null))!=null) { - try { - Constructor tmconst = tmcls.getConstructor(AAFCon.class,String.class); - Object tokMangr = tmconst.newInstance(con,oauth2_url); - @SuppressWarnings("unchecked") - Class oa2cls = (Class)Config.loadClass(access,ORG_OSAAF_CADI_OAUTH_O_AUTH2_LUR); - Constructor oa2const = oa2cls.getConstructor(tmcls); - Lur oa2 = oa2const.newInstance(tokMangr); - setPreemptiveLur(oa2); - } catch (NoSuchMethodException | SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { - throw new APIException(e); - } - } else { - access.log(Level.INIT, "Both cadi-oauth jar and Property",Config.CADI_OAUTH2_URL,"is required to initialize OAuth2"); - } - } - } + // OK, done all we can, now get content + boolean ok = fp.get(aaf.timeout); + remote.set(Timing.millis(remoteStart)); + if (ok) { + success[0]=true; + Map newMap = user.newMap(); + boolean willLog = aaf.access.willLog(Level.DEBUG); + for (Perm perm : fp.value.getPerm()) { + user.add(newMap,new AAFPermission(perm.getNs(),perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles())); + if (willLog) { + aaf.access.log(Level.DEBUG, name,"has 
'",perm.getType(),'|',perm.getInstance(),'|',perm.getAction(),'\''); + } + } + user.setMap(newMap); + } else { + int code; + switch(code=fp.code()) { + case 401: + aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls"); + break; + case 404: + user.setNoPerms(); + break; + default: + aaf.access.log(Access.Level.ERROR, code, fp.body()); + } + } - protected User loadUser(final Principal principal) { - final String name = principal.getName(); - final long start = System.nanoTime(); - final Holder remote = new Holder(0f); + return user; + } + }); + } catch (Exception e) { + aaf.access.log(e,"Calling","/authz/perms/user/"+name); + success[0]=false; + return null; + } finally { + aaf.access.printf(Level.INFO, "AAFLurPerm: %s %s perms from AAF in %f ms, remote=%f", + (success[0]?"Loaded":"Load Failure"),name,Timing.millis(start),remote.get()); + } + } - final boolean[] success = new boolean[]{false}; - - try { - return aaf.best(new Retryable>() { - @Override - public User code(Rcli client) throws CadiException, ConnectException, APIException { - final long remoteStart = System.nanoTime(); - Future fp = client.read("/authz/perms/user/"+name,aaf.permsDF); - - // In the meantime, lookup User, create if necessary - User user = getUser(principal); - Principal p; - if(user!=null && user.principal == null) { - p = new Principal() {// Create a holder for lookups - private String n = name; - public String getName() { - return n; - } - }; - } else { - p = principal; - } - - if(user==null) { - addUser(user = new User(p,aaf.userExpires)); // no password - } - - // OK, done all we can, now get content - boolean ok = fp.get(aaf.timeout); - remote.set(Timing.millis(remoteStart)); - if(ok) { - success[0]=true; - Map newMap = user.newMap(); - boolean willLog = aaf.access.willLog(Level.DEBUG); - for(Perm perm : fp.value.getPerm()) { - user.add(newMap,new AAFPermission(perm.getNs(),perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles())); - if(willLog) { - 
aaf.access.log(Level.DEBUG, name,"has '",perm.getType(),'|',perm.getInstance(),'|',perm.getAction(),'\''); - } - } - user.setMap(newMap); - } else { - int code; - switch(code=fp.code()) { - case 401: - aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls"); - break; - case 404: - user.setNoPerms(); - break; - default: - aaf.access.log(Access.Level.ERROR, code, fp.body()); - } - } + public Resp reload(final User user) { + final String name = user.name; + long start = System.nanoTime(); + final Holder remote = new Holder(0f); + final Holder success = new Holder(false); + try { + Resp rv = aaf.best(new Retryable() { + @Override + public Resp code(Rcli client) throws CadiException, ConnectException, APIException { + final long remoteStart = System.nanoTime(); + Future fp = aaf.client().read( + "/authz/perms/user/"+name, + aaf.permsDF + ); - return user; - } - }); - } catch (Exception e) { - aaf.access.log(e,"Calling","/authz/perms/user/"+name); - success[0]=false; - return null; - } finally { - aaf.access.printf(Level.INFO, "AAFLurPerm: %s %s perms from AAF in %f ms, remote=%f", - (success[0]?"Loaded":"Load Failure"),name,Timing.millis(start),remote.get()); - } - } + // OK, done all we can, now get content + boolean ok = fp.get(aaf.timeout); + remote.set(Timing.millis(remoteStart)); + if (ok) { + success.set(true); + Map newMap = user.newMap(); + boolean willLog = aaf.access.willLog(Level.DEBUG); + for (Perm perm : fp.value.getPerm()) { + user.add(newMap, new AAFPermission(perm.getNs(),perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles())); + if (willLog) { + aaf.access.log(Level.DEBUG, name,"has",perm.getType(),perm.getInstance(),perm.getAction()); + } + } + user.renewPerm(); + return Resp.REVALIDATED; + } else { + int code; + switch(code=fp.code()) { + case 401: + aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls"); + break; + default: + aaf.access.log(Access.Level.ERROR, code, fp.body()); + } + return 
Resp.UNVALIDATED; + } + } + }); + return rv; + } catch (Exception e) { + aaf.access.log(e,"Calling","/authz/perms/user/"+name); + return Resp.INACCESSIBLE; + } finally { + aaf.access.printf(Level.INFO, "AAFLurPerm: %s %s perms from AAF in %f ms (remote=%f)", + (success.get()?"Reloaded":"Reload Failure"),name,Timing.millis(start),remote.get()); + } + } - public Resp reload(final User user) { - final String name = user.name; - long start = System.nanoTime(); - final Holder remote = new Holder(0f); - final Holder success = new Holder(false); - try { - Resp rv = aaf.best(new Retryable() { - @Override - public Resp code(Rcli client) throws CadiException, ConnectException, APIException { - final long remoteStart = System.nanoTime(); - Future fp = aaf.client(Config.AAF_DEFAULT_VERSION).read( - "/authz/perms/user/"+name, - aaf.permsDF - ); - - // OK, done all we can, now get content - boolean ok = fp.get(aaf.timeout); - remote.set(Timing.millis(remoteStart)); - if(ok) { - success.set(true); - Map newMap = user.newMap(); - boolean willLog = aaf.access.willLog(Level.DEBUG); - for(Perm perm : fp.value.getPerm()) { - user.add(newMap, new AAFPermission(perm.getNs(),perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles())); - if(willLog) { - aaf.access.log(Level.DEBUG, name,"has",perm.getType(),perm.getInstance(),perm.getAction()); - } - } - user.renewPerm(); - return Resp.REVALIDATED; - } else { - int code; - switch(code=fp.code()) { - case 401: - aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls"); - break; - default: - aaf.access.log(Access.Level.ERROR, code, fp.body()); - } - return Resp.UNVALIDATED; - } - } - }); - return rv; - } catch (Exception e) { - aaf.access.log(e,"Calling","/authz/perms/user/"+name); - return Resp.INACCESSIBLE; - } finally { - aaf.access.printf(Level.INFO, "AAFLurPerm: %s %s perms from AAF in %f ms (remote=%f)", - (success.get()?"Reloaded":"Reload Failure"),name,Timing.millis(start),remote.get()); - } - } + @Override 
+ protected boolean isCorrectPermType(Permission pond) { + return pond instanceof AAFPermission; + } - @Override - protected boolean isCorrectPermType(Permission pond) { - return pond instanceof AAFPermission; - } + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String) + */ + @Override + public Permission createPerm(String p) { + String[] params = Split.split('|', p); + switch(params.length) { + case 3: + return new AAFPermission(null,params[0],params[1],params[2]); + case 4: + return new AAFPermission(params[0],params[1],params[2],params[3]); + default: + return new LocalPermission(p); + } + } - /* (non-Javadoc) - * @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String) - */ - @Override - public Permission createPerm(String p) { - String[] params = Split.split('|', p); - switch(params.length) { - case 3: - return new AAFPermission(null,params[0],params[1],params[2]); - case 4: - return new AAFPermission(params[0],params[1],params[2],params[3]); - default: - return new LocalPermission(p); - } - } - }
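Review bot: In `reload`, the `code(Rcli client)` callback still sends the request through `aaf.client().read(...)` rather than the `client` that `aaf.best(...)` hands in, so the connection `best` selects for retry/failover is bypassed and the `client` parameter is dead; `loadUser` in the same hunk uses `client.read(...)`, and `reload` should match it: `Future fp = client.read("/authz/perms/user/"+name, aaf.permsDF);`. The moved constructor Javadoc states that the ID portion is validated before AAF is called, but neither constructor nor `loadUser` shows such a check, and `loadUser` now places `principal.getName()` into the request path via `sb.append(name)` without any encoding, so either that comment should be trimmed to what the code does or the name should be validated/encoded before it becomes part of the path. On the 401 and default branches of `loadUser` the `user` just cached by `addUser` is still returned although `success[0]` remains false; if that is intended as a negative cache entry, a one-line comment at the `return user;` saying so would spare the next reader the question. The hunk's text appears to have lost generic type parameters (e.g. `Retryable>`, `Future fp`), presumably in extraction, so the raised points are based on the surviving tokens.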