auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Mgmt.java

   1 /**
   2  * ============LICENSE_START====================================================
   3  * org.onap.aaf
   4  * ===========================================================================
   5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
   6  * ===========================================================================
   7  * Licensed under the Apache License, Version 2.0 (the "License");
   8  * you may not use this file except in compliance with the License.
   9  * You may obtain a copy of the License at
  10  *
  11  *      http://www.apache.org/licenses/LICENSE-2.0
  12  *
  13  * Unless required by applicable law or agreed to in writing, software
  14  * distributed under the License is distributed on an "AS IS" BASIS,
  15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16  * See the License for the specific language governing permissions and
  17  * limitations under the License.
  18  * ============LICENSE_END====================================================
  19  *
  20  */
  21
  22 package org.onap.aaf.auth.service.api;
  23
  24 import static org.onap.aaf.auth.layer.Result.OK;
  25 import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
  26 import static org.onap.aaf.auth.rserv.HttpMethods.POST;
  27
  28 import javax.servlet.http.HttpServletRequest;
  29 import javax.servlet.http.HttpServletResponse;
  30
  31 import org.eclipse.jetty.http.HttpStatus;
  32 import org.onap.aaf.auth.common.Define;
  33 import org.onap.aaf.auth.dao.cass.Status;
  34 import org.onap.aaf.auth.dao.hl.Question;
  35 import org.onap.aaf.auth.env.AuthzTrans;
  36 import org.onap.aaf.auth.layer.Result;
  37 import org.onap.aaf.auth.service.AAF_Service;
  38 import org.onap.aaf.auth.service.Code;
  39 import org.onap.aaf.auth.service.facade.AuthzFacade;
  40 import org.onap.aaf.auth.service.mapper.Mapper.API;
  41 import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;
  42 import org.onap.aaf.misc.env.Trans;
  43
  44 /**
  45  * User Role APIs
  46  * @author Jonathan
  47  *
  48  */
  49 public class API_Mgmt {
  50
  51     private static final String SUCCESS = "SUCCESS";
  52     private final static String PERM_DB_POOL_CLEAR=Define.ROOT_NS()+".db|pool|clear";
  53     private final static String PERM_DENY_IP = Define.ROOT_NS()+".deny|" + Define.ROOT_COMPANY() + "|ip";
  54     private final static String PERM_DENY_ID = Define.ROOT_NS()+".deny|" + Define.ROOT_COMPANY() + "|id";
  55     private final static String PERM_LOG_ID = Define.ROOT_NS()+".log|" + Define.ROOT_COMPANY() + "|id";
  56
  57     /**
  58      * Normal Init level APIs
  59      *
  60      * @param authzAPI
  61      * @param facade
  62      * @throws Exception
  63      */
  64     public static void init(final AAF_Service authzAPI, AuthzFacade facade) throws Exception {
  65
  66         /**
  67          * Clear Cache Segment
  68          */
  69         authzAPI.route(DELETE,"/mgmt/cache/:area/:segments",API.VOID,new Code(facade,"Clear Cache by Segment", true) {
  70             @Override
  71             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
  72                 Result<Void> r = context.cacheClear(trans, pathParam(req,"area"), pathParam(req,"segments"));
  73                 switch(r.status) {
  74                     case OK:
  75                         trans.checkpoint(SUCCESS,Trans.ALWAYS);
  76                         resp.setStatus(HttpStatus.OK_200);
  77                         break;
  78                     default:
  79                         context.error(trans,resp,r);
  80                 }
  81             }
  82         });
  83
  84         /**
  85          * Clear Cache
  86          */
  87         authzAPI.route(DELETE,"/mgmt/cache/:area",API.VOID,new Code(facade,"Clear Cache", true) {
  88             @Override
  89             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
  90                 Result<Void> r;
  91                 String area;
  92                 r = context.cacheClear(trans, area=pathParam(req,"area"));
  93                 switch(r.status) {
  94                     case OK:
  95                         trans.audit().log("Cache " + area + " has been cleared by "+trans.user());
  96                         trans.checkpoint(SUCCESS,Trans.ALWAYS);
  97                         resp.setStatus(HttpStatus.OK_200);
  98                         break;
  99                     default:
 100                         context.error(trans,resp,r);
 101                 }
 102             }
 103         });
 104
 105         /**
 106          * Clear DB Sessions
 107          */
 108         authzAPI.route(DELETE,"/mgmt/dbsession",API.VOID,new Code(facade,"Clear DBSessions", true) {
 109             @Override
 110             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 111                 try {
 112                     if (req.isUserInRole(PERM_DB_POOL_CLEAR)) {
 113                         context.dbReset(trans);
 114
 115                         trans.audit().log("DB Sessions have been cleared by "+trans.user());
 116
 117                         trans.checkpoint(SUCCESS,Trans.ALWAYS);
 118                         resp.setStatus(HttpStatus.OK_200);
 119                         return;
 120                     }
 121                     context.error(trans,resp,Result.err(Result.ERR_Denied,"%s is not allowed to clear dbsessions",trans.user()));
 122                 } catch (Exception e) {
 123                     trans.error().log(e, "clearing dbsession");
 124                     context.error(trans,resp,Result.err(e));
 125                 }
 126             }
 127         });
 128
 129         /**
 130          * Deny an IP
 131          */
 132         authzAPI.route(POST, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Deny IP",true) {
 133             @Override
 134             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 135                 String ip = pathParam(req,":ip");
 136                 if (req.isUserInRole(PERM_DENY_IP)) {
 137                     if (DenialOfServiceTaf.denyIP(ip)) {
 138                         trans.audit().log(ip+" has been set to deny by "+trans.user());
 139                         trans.checkpoint(SUCCESS,Trans.ALWAYS);
 140
 141                         resp.setStatus(HttpStatus.CREATED_201);
 142                     } else {
 143                         context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
 144                                 ip + " is already being denied"));
 145                     }
 146                 } else {
 147                     trans.audit().log(trans.user(),"has attempted to deny",ip,"without authorization");
 148                     context.error(trans,resp,Result.err(Status.ERR_Denied,
 149                         trans.getUserPrincipal().getName() + " is not allowed to set IP Denial"));
 150                 }
 151             }
 152         });
 153
 154         /**
 155          * Stop Denying an IP
 156          */
 157         authzAPI.route(DELETE, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Stop Denying IP",true) {
 158             @Override
 159             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 160                 String ip = pathParam(req,":ip");
 161                 if (req.isUserInRole(PERM_DENY_IP)) {
 162                     if (DenialOfServiceTaf.removeDenyIP(ip)) {
 163                         trans.audit().log(ip+" has been removed from denial by "+trans.user());
 164                         trans.checkpoint(SUCCESS,Trans.ALWAYS);
 165                         resp.setStatus(HttpStatus.OK_200);
 166                     } else {
 167                         context.error(trans,resp,Result.err(Status.ERR_NotFound,
 168                                 ip + " is not on the denial list"));
 169                     }
 170                 } else {
 171                     trans.audit().log(trans.user(),"has attempted to remove",ip," from being denied without authorization");
 172                     context.error(trans,resp,Result.err(Status.ERR_Denied,
 173                         trans.getUserPrincipal().getName() + " is not allowed to remove IP Denial"));
 174                 }
 175             }
 176         });
 177
 178         /**
 179          * Deny an ID
 180          */
 181         authzAPI.route(POST, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Deny ID",true) {
 182             @Override
 183             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 184                 String id = pathParam(req,":id");
 185                 if (req.isUserInRole(PERM_DENY_ID)) {
 186                     if (DenialOfServiceTaf.denyID(id)) {
 187                         trans.audit().log(id+" has been set to deny by "+trans.user());
 188                         trans.checkpoint(SUCCESS,Trans.ALWAYS);
 189                         resp.setStatus(HttpStatus.CREATED_201);
 190                     } else {
 191                         context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
 192                                 id + " is already being denied"));
 193                     }
 194                 } else {
 195                     trans.audit().log(trans.user(),"has attempted to deny",id,"without authorization");
 196                     context.error(trans,resp,Result.err(Status.ERR_Denied,
 197                         trans.getUserPrincipal().getName() + " is not allowed to set ID Denial"));
 198                 }
 199             }
 200         });
 201
 202         /**
 203          * Stop Denying an ID
 204          */
 205         authzAPI.route(DELETE, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Stop Denying ID",true) {
 206             @Override
 207             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 208                 String id = pathParam(req,":id");
 209                 if (req.isUserInRole(PERM_DENY_ID)) {
 210                     if (DenialOfServiceTaf.removeDenyID(id)) {
 211                         trans.audit().log(id+" has been removed from denial by " + trans.user());
 212                         trans.checkpoint(SUCCESS,Trans.ALWAYS);
 213                         resp.setStatus(HttpStatus.OK_200);
 214                     } else {
 215                         context.error(trans,resp,Result.err(Status.ERR_NotFound,
 216                                 id + " is not on the denial list"));
 217                     }
 218                 } else {
 219                     trans.audit().log(trans.user(),"has attempted to remove",id," from being denied without authorization");
 220                     context.error(trans,resp,Result.err(Status.ERR_Denied,
 221                         trans.getUserPrincipal().getName() + " is not allowed to remove ID Denial"));
 222                 }
 223             }
 224         });
 225
 226         /**
 227          * Deny an ID
 228          */
 229         authzAPI.route(POST, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Special Log ID",true) {
 230             @Override
 231             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 232                 String id = pathParam(req,":id");
 233                 if (req.isUserInRole(PERM_LOG_ID)) {
 234                     if (Question.specialLogOn(trans,id)) {
 235                         trans.audit().log(id+" has been set to special Log by "+trans.user());
 236                         trans.checkpoint(SUCCESS,Trans.ALWAYS);
 237                         resp.setStatus(HttpStatus.CREATED_201);
 238                     } else {
 239                         context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
 240                                 id + " is already being special Logged"));
 241                     }
 242                 } else {
 243                     trans.audit().log(trans.user(),"has attempted to special Log",id,"without authorization");
 244                     context.error(trans,resp,Result.err(Status.ERR_Denied,
 245                         trans.getUserPrincipal().getName() + " is not allowed to set ID special Logging"));
 246                 }
 247             }
 248         });
 249
 250         /**
 251          * Stop Denying an ID
 252          */
 253         authzAPI.route(DELETE, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Stop Special Log ID",true) {
 254             @Override
 255             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 256                 String id = pathParam(req,":id");
 257                 if (req.isUserInRole(PERM_LOG_ID)) {
 258                     if (Question.specialLogOff(trans,id)) {
 259                         trans.audit().log(id+" has been removed from special Logging by " + trans.user());
 260                         trans.checkpoint(SUCCESS,Trans.ALWAYS);
 261                         resp.setStatus(HttpStatus.OK_200);
 262                     } else {
 263                         context.error(trans,resp,Result.err(Status.ERR_NotFound,
 264                                 id + " is not on the special Logging list"));
 265                     }
 266                 } else {
 267                     trans.audit().log(trans.user(),"has attempted to remove",id," from being special Logged without authorization");
 268                     context.error(trans,resp,Result.err(Status.ERR_Denied,
 269                         trans.getUserPrincipal().getName() + " is not allowed to remove ID special Logging"));
 270                 }
 271             }
 272         });
 273
 274
 275     }
 276 }