X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=src%2Fmain%2Fjava%2Forg%2Fonap%2Fdmaap%2Fdbcapi%2Fservice%2FAafPermissionService.java;fp=src%2Fmain%2Fjava%2Forg%2Fonap%2Fdmaap%2Fdbcapi%2Fservice%2FAafPermissionService.java;h=857b69523340b1dc09da5361571181054f0f8f97;hb=45ccf584c8574e9f96dd6fa3b8016accf24fc541;hp=0000000000000000000000000000000000000000;hpb=d3994fb85f92d429b626013a0bd9f2ff69418c95;p=dmaap%2Fdbcapi.git diff --git a/src/main/java/org/onap/dmaap/dbcapi/service/AafPermissionService.java b/src/main/java/org/onap/dmaap/dbcapi/service/AafPermissionService.java new file mode 100644 index 0000000..857b695 --- /dev/null +++ b/src/main/java/org/onap/dmaap/dbcapi/service/AafPermissionService.java @@ -0,0 +1,133 @@ +/*- + * ============LICENSE_START======================================================= + * org.onap.dmaap + * ================================================================================ + * Copyright (C) 2019 Nokia Intellectual Property. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.dmaap.dbcapi.service; + +import org.onap.dmaap.dbcapi.aaf.AafService; +import org.onap.dmaap.dbcapi.aaf.AafUserRole; +import org.onap.dmaap.dbcapi.aaf.DmaapGrant; +import org.onap.dmaap.dbcapi.aaf.DmaapPerm; +import org.onap.dmaap.dbcapi.logging.BaseLoggingClass; +import org.onap.dmaap.dbcapi.model.ApiError; +import org.onap.dmaap.dbcapi.model.DmaapObject.DmaapObject_Status; +import org.onap.dmaap.dbcapi.model.MR_Client; + +public class AafPermissionService extends BaseLoggingClass { + + private final AafService aafService; + private final DmaapService dmaapService; + + public AafPermissionService() { + this(new AafService(AafService.ServiceType.AAF_TopicMgr), new DmaapService()); + } + + AafPermissionService(AafService aafService, DmaapService dmaapService) { + this.aafService = aafService; + this.dmaapService = dmaapService; + } + + void assignIdentityToRole(MR_Client client, String role, ApiError err) { + okStatus(err); + AafUserRole ur = new AafUserRole(client.getClientIdentity(), role); + client.setStatus(DmaapObject_Status.VALID); + int rc = aafService.addUserRole(ur); + if (rc != 201 && rc != 409) { + client.setStatus(DmaapObject_Status.INVALID); + assignClientToRoleError(err, rc, client.getClientIdentity(), role); + } + } + + void grantClientRolePerms(MR_Client client, ApiError err) { + + okStatus(err); + String instance = ":topic." + client.getFqtn(); + client.setStatus(DmaapObject_Status.VALID); + + for (String action : client.getAction()) { + if (client.getClientRole() != null) { + int rc = grantPermForClientRole(client.getClientRole(), instance, action); + if (rc != 201 && rc != 409) { + client.setStatus(DmaapObject_Status.INVALID); + grantPermsError(err, rc, dmaapService.getTopicPerm(), instance, action, client.getClientRole()); + } + + } else { + logger.warn("No Grant of " + permissionFullName(dmaapService.getTopicPerm(), instance, action) + " because role is null "); + } + } + } + + void revokeClientPerms(MR_Client client, ApiError err) { + okStatus(err); + String instance = ":topic." + client.getFqtn(); + client.setStatus(DmaapObject_Status.VALID); + + for (String action : client.getAction()) { + + int rc = revokePermForClientRole(client.getClientRole(), instance, action); + + if (rc != 200 && rc != 404) { + client.setStatus(DmaapObject_Status.INVALID); + revokePermsError(err, rc, dmaapService.getTopicPerm(), instance, action, client.getClientRole()); + } + } + + } + + private int grantPermForClientRole(String clientRole, String instance, String action) { + DmaapPerm perm = new DmaapPerm(dmaapService.getTopicPerm(), instance, action); + DmaapGrant g = new DmaapGrant(perm, clientRole); + return aafService.addGrant(g); + } + + private int revokePermForClientRole(String clientRole, String instance, String action) { + DmaapPerm perm = new DmaapPerm(dmaapService.getTopicPerm(), instance, action); + DmaapGrant g = new DmaapGrant(perm, clientRole); + return aafService.delGrant(g); + } + + private void assignClientToRoleError(ApiError err, int code, String clientIdentity, String role) { + err.setCode(code); + err.setMessage("Failed to add user " + clientIdentity + " to " + role); + logger.warn(err.getMessage()); + } + + private void grantPermsError(ApiError err, int code, String permission, String instance, String action, String role) { + err.setCode(code); + err.setMessage("Grant of " + permissionFullName(permission, instance, action) + " failed for " + role); + logger.warn(err.getMessage()); + } + + private void revokePermsError(ApiError err, int code, String permission, String instance, String action, String role) { + err.setCode(code); + err.setMessage("Revoke of " + permissionFullName(permission, instance, action) + " failed for " + role); + logger.warn(err.getMessage()); + } + + private String permissionFullName(String permission, String instance, String action) { + return permission + "|" + instance + "|" + action; + } + + private void okStatus(ApiError err) { + err.setCode(200); + err.setMessage("OK"); + } + +}