2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.auth.service.api;
24 import static org.onap.aaf.auth.layer.Result.OK;
25 import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
26 import static org.onap.aaf.auth.rserv.HttpMethods.POST;
28 import javax.servlet.http.HttpServletRequest;
29 import javax.servlet.http.HttpServletResponse;
31 import org.eclipse.jetty.http.HttpStatus;
32 import org.onap.aaf.auth.common.Define;
33 import org.onap.aaf.auth.dao.cass.Status;
34 import org.onap.aaf.auth.dao.hl.Question;
35 import org.onap.aaf.auth.env.AuthzTrans;
36 import org.onap.aaf.auth.layer.Result;
37 import org.onap.aaf.auth.service.AAF_Service;
38 import org.onap.aaf.auth.service.Code;
39 import org.onap.aaf.auth.service.facade.AuthzFacade;
40 import org.onap.aaf.auth.service.mapper.Mapper.API;
41 import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;
42 import org.onap.aaf.misc.env.Trans;
49 public class API_Mgmt {
51 private static final String SUCCESS = "SUCCESS";
52 private final static String PERM_DB_POOL_CLEAR=Define.ROOT_NS()+".db|pool|clear";
53 private final static String PERM_DENY_IP = Define.ROOT_NS()+".deny|" + Define.ROOT_COMPANY() + "|ip";
54 private final static String PERM_DENY_ID = Define.ROOT_NS()+".deny|" + Define.ROOT_COMPANY() + "|id";
55 private final static String PERM_LOG_ID = Define.ROOT_NS()+".deny|" + Define.ROOT_COMPANY() + "|id";
58 * Normal Init level APIs
64 public static void init(final AAF_Service authzAPI, AuthzFacade facade) throws Exception {
69 authzAPI.route(DELETE,"/mgmt/cache/:area/:segments",API.VOID,new Code(facade,"Clear Cache by Segment", true) {
71 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
72 Result<Void> r = context.cacheClear(trans, pathParam(req,"area"), pathParam(req,"segments"));
75 trans.checkpoint(SUCCESS,Trans.ALWAYS);
76 resp.setStatus(HttpStatus.OK_200);
79 context.error(trans,resp,r);
87 authzAPI.route(DELETE,"/mgmt/cache/:area",API.VOID,new Code(facade,"Clear Cache", true) {
89 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
92 r = context.cacheClear(trans, area=pathParam(req,"area"));
95 trans.audit().log("Cache " + area + " has been cleared by "+trans.user());
96 trans.checkpoint(SUCCESS,Trans.ALWAYS);
97 resp.setStatus(HttpStatus.OK_200);
100 context.error(trans,resp,r);
108 authzAPI.route(DELETE,"/mgmt/dbsession",API.VOID,new Code(facade,"Clear DBSessions", true) {
110 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
112 if(req.isUserInRole(PERM_DB_POOL_CLEAR)) {
113 context.dbReset(trans);
115 trans.audit().log("DB Sessions have been cleared by "+trans.user());
117 trans.checkpoint(SUCCESS,Trans.ALWAYS);
118 resp.setStatus(HttpStatus.OK_200);
121 context.error(trans,resp,Result.err(Result.ERR_Denied,"%s is not allowed to clear dbsessions",trans.user()));
122 } catch(Exception e) {
123 trans.error().log(e, "clearing dbsession");
124 context.error(trans,resp,Result.err(e));
132 authzAPI.route(POST, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Deny IP",true) {
134 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
135 String ip = pathParam(req,":ip");
136 if(req.isUserInRole(PERM_DENY_IP)) {
137 if(DenialOfServiceTaf.denyIP(ip)) {
138 trans.audit().log(ip+" has been set to deny by "+trans.user());
139 trans.checkpoint(SUCCESS,Trans.ALWAYS);
141 resp.setStatus(HttpStatus.CREATED_201);
143 context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
144 ip + " is already being denied"));
147 trans.audit().log(trans.user(),"has attempted to deny",ip,"without authorization");
148 context.error(trans,resp,Result.err(Status.ERR_Denied,
149 trans.getUserPrincipal().getName() + " is not allowed to set IP Denial"));
157 authzAPI.route(DELETE, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Stop Denying IP",true) {
159 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
160 String ip = pathParam(req,":ip");
161 if(req.isUserInRole(PERM_DENY_IP)) {
162 if(DenialOfServiceTaf.removeDenyIP(ip)) {
163 trans.audit().log(ip+" has been removed from denial by "+trans.user());
164 trans.checkpoint(SUCCESS,Trans.ALWAYS);
165 resp.setStatus(HttpStatus.OK_200);
167 context.error(trans,resp,Result.err(Status.ERR_NotFound,
168 ip + " is not on the denial list"));
171 trans.audit().log(trans.user(),"has attempted to remove",ip," from being denied without authorization");
172 context.error(trans,resp,Result.err(Status.ERR_Denied,
173 trans.getUserPrincipal().getName() + " is not allowed to remove IP Denial"));
181 authzAPI.route(POST, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Deny ID",true) {
183 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
184 String id = pathParam(req,":id");
185 if(req.isUserInRole(PERM_DENY_ID)) {
186 if(DenialOfServiceTaf.denyID(id)) {
187 trans.audit().log(id+" has been set to deny by "+trans.user());
188 trans.checkpoint(SUCCESS,Trans.ALWAYS);
189 resp.setStatus(HttpStatus.CREATED_201);
191 context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
192 id + " is already being denied"));
195 trans.audit().log(trans.user(),"has attempted to deny",id,"without authorization");
196 context.error(trans,resp,Result.err(Status.ERR_Denied,
197 trans.getUserPrincipal().getName() + " is not allowed to set ID Denial"));
205 authzAPI.route(DELETE, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Stop Denying ID",true) {
207 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
208 String id = pathParam(req,":id");
209 if(req.isUserInRole(PERM_DENY_ID)) {
210 if(DenialOfServiceTaf.removeDenyID(id)) {
211 trans.audit().log(id+" has been removed from denial by " + trans.user());
212 trans.checkpoint(SUCCESS,Trans.ALWAYS);
213 resp.setStatus(HttpStatus.OK_200);
215 context.error(trans,resp,Result.err(Status.ERR_NotFound,
216 id + " is not on the denial list"));
219 trans.audit().log(trans.user(),"has attempted to remove",id," from being denied without authorization");
220 context.error(trans,resp,Result.err(Status.ERR_Denied,
221 trans.getUserPrincipal().getName() + " is not allowed to remove ID Denial"));
229 authzAPI.route(POST, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Special Log ID",true) {
231 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
232 String id = pathParam(req,":id");
233 if(req.isUserInRole(PERM_LOG_ID)) {
234 if(Question.specialLogOn(trans,id)) {
235 trans.audit().log(id+" has been set to special Log by "+trans.user());
236 trans.checkpoint(SUCCESS,Trans.ALWAYS);
237 resp.setStatus(HttpStatus.CREATED_201);
239 context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
240 id + " is already being special Logged"));
243 trans.audit().log(trans.user(),"has attempted to special Log",id,"without authorization");
244 context.error(trans,resp,Result.err(Status.ERR_Denied,
245 trans.getUserPrincipal().getName() + " is not allowed to set ID special Logging"));
253 authzAPI.route(DELETE, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Stop Special Log ID",true) {
255 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
256 String id = pathParam(req,":id");
257 if(req.isUserInRole(PERM_LOG_ID)) {
258 if(Question.specialLogOff(trans,id)) {
259 trans.audit().log(id+" has been removed from special Logging by " + trans.user());
260 trans.checkpoint(SUCCESS,Trans.ALWAYS);
261 resp.setStatus(HttpStatus.OK_200);
263 context.error(trans,resp,Result.err(Status.ERR_NotFound,
264 id + " is not on the special Logging list"));
267 trans.audit().log(trans.user(),"has attempted to remove",id," from being special Logged without authorization");
268 context.error(trans,resp,Result.err(Status.ERR_Denied,
269 trans.getUserPrincipal().getName() + " is not allowed to remove ID special Logging"));
Code Review / aaf / authz.git / blob