authz-batch/src/main/java/com/att/authz/reports/CheckNS.java

   1 /*******************************************************************************
   2  * Copyright (c) 2016 AT&T Intellectual Property. All rights reserved.
   3  *******************************************************************************/
   4 package com.att.authz.reports;
   5
   6 import java.io.IOException;
   7 import java.util.List;
   8
   9 import com.att.authz.Batch;
  10 import com.att.authz.env.AuthzTrans;
  11 import com.att.authz.helpers.NS;
  12 import com.att.authz.helpers.NsAttrib;
  13 import com.att.authz.helpers.Perm;
  14 import com.att.authz.helpers.Role;
  15 import com.att.dao.aaf.cass.NsType;
  16 import org.onap.aaf.inno.env.APIException;
  17 import org.onap.aaf.inno.env.Env;
  18 import org.onap.aaf.inno.env.TimeTaken;
  19
  20 public class CheckNS extends Batch{
  21
  22         public CheckNS(AuthzTrans trans) throws APIException, IOException {
  23                 super(trans.env());
  24                 TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE);
  25                 try {
  26                         session = cluster.connect();
  27                 } finally {
  28                         tt.done();
  29                 }
  30         NS.load(trans, session,NS.v2_0_11);
  31                 Role.load(trans, session);
  32                 Perm.load(trans, session);
  33                 NsAttrib.load(trans, session, NsAttrib.v2_0_11);
  34         }
  35
  36         @Override
  37         protected void run(AuthzTrans trans) {
  38
  39                 String msg;
  40                 String query;
  41         trans.info().log(STARS, msg = "Checking for NS type mis-match", STARS);
  42                 TimeTaken tt = trans.start(msg, Env.SUB);
  43                 try {
  44                         for(NS ns : NS.data.values()) {
  45                                 if(ns.description==null) {
  46                                         trans.warn().log("Namepace description is null. Changing to empty string.");
  47                                         if(dryRun) {
  48                                                 trans.warn().log("Namepace description is null. Changing to empty string");
  49                                         } else {
  50                                 query = "UPDATE authz.ns SET description='' WHERE name='" + ns.name +"';";
  51                                 session.execute(query);
  52                                         }
  53                                 }
  54                                 int scope = count(ns.name,'.');
  55                                 NsType nt;
  56                                 switch(scope) {
  57                                         case 0:
  58                                                 nt = NsType.DOT;
  59                                                 break;
  60                                         case 1:
  61                                                 nt = NsType.ROOT;
  62                                                 break;
  63                                         case 2:
  64                                                 nt = NsType.COMPANY;
  65                                                 break;
  66                                         default:
  67                                                 nt = NsType.APP;
  68                                                 break;
  69                                 }
  70                                 if(ns.type!=nt.type || ns.scope !=scope) {
  71                                         if(dryRun) {
  72                                                 trans.warn().log("Namepace",ns.name,"has no type.  Should change to ",nt.name());
  73                                         } else {
  74                                 query = "UPDATE authz.ns SET type=" + nt.type + ", scope=" + scope + " WHERE name='" + ns.name +"';";
  75                                                 trans.warn().log("Namepace",ns.name,"changing to",nt.name()+":",query);
  76                                 session.execute(query);
  77                                         }
  78                                 }
  79                         }
  80                 } finally {
  81                         tt.done();
  82                 }
  83
  84
  85         trans.info().log(STARS, msg = "Checking for NS admin/owner mis-match", STARS);
  86                 tt = trans.start(msg, Env.SUB);
  87                 try {
  88                 /// Evaluate
  89                 for(NS nk : NS.data.values()) {
  90                         //String name;
  91                         String roleAdmin = nk.name+"|admin";
  92                         String roleAdminPrev = nk.name+".admin";
  93                         String roleOwner = nk.name+"|owner";
  94                         String roleOwnerPrev = nk.name+".owner";
  95                         String permAll = nk.name+"|access|*|*";
  96                         String permAllPrev = nk.name+".access|*|*";
  97                         String permRead = nk.name+"|access|*|read";
  98                         String permReadPrev = nk.name+".access|*|read";
  99                         // Admins
 100
 101                         Role rk = Role.keys.get(roleAdmin); // accomodate new role key
 102                         // Role Admin should exist
 103                         if(rk==null) {
 104                                 if(dryRun) {
 105                                         trans.warn().log(nk.name + " is missing role: " + roleAdmin);
 106                                 } else {
 107                                 query = "INSERT INTO authz.role(ns, name, description, perms) VALUES ('"
 108                                                 + nk.name
 109                                                 + "','admin','Automatic Administration',"
 110                                                 + "{'" + nk.name + "|access|*|*'});";
 111                                 session.execute(query);
 112                                 env.info().log(query);
 113
 114
 115                                 if(Role.keys.get(roleAdminPrev)!=null) {
 116                                                 query = "UPDATE authz.role set perms = perms + "
 117                                                                 + "{'" + roleAdminPrev + "'} "
 118                                                                 + "WHERE ns='"+ nk.name + "' AND "
 119                                                                 + "name='admin'"
 120                                                                 + ";";
 121                                         session.execute(query);
 122                                         env.info().log(query);
 123                                 }
 124                                 }
 125                         } else {
 126                         // Role Admin should be linked to Perm All
 127                                 if(!rk.perms.contains(permAll)) {
 128                                         if(dryRun) {
 129                                                 trans.warn().log(roleAdmin,"is not linked to",permAll);
 130                                         } else {
 131                                                 query = "UPDATE authz.role set perms = perms + "
 132                                                                 + "{'" + nk.name + "|access|*|*'} "
 133                                                                 + "WHERE ns='"+ nk.name + "' AND "
 134                                                                 + "name='admin'"
 135                                                                 + ";";
 136                                                 session.execute(query);
 137                                                 env.info().log(query);
 138
 139                                                 if(rk.perms.contains(permAllPrev)) {
 140                                                         query = "UPDATE authz.role set perms = perms - "
 141                                                                         + "{'" + nk.name + ".access|*|*'} "
 142                                                                         + "WHERE ns='"+ nk.name + "' AND "
 143                                                                         + "name='admin'"
 144                                                                         + ";";
 145                                                         session.execute(query);
 146                                                         env.info().log(query);
 147                                                 }
 148                                         }
 149                                 }
 150                         // Role Admin should not be linked to Perm Read
 151                                 if(rk.perms.contains(permRead)) {
 152                                         if(dryRun) {
 153                                                 trans.warn().log(roleAdmin,"should not be linked to",permRead);
 154                                         } else {
 155                                                 query = "UPDATE authz.role set perms = perms - "
 156                                                                 + "{'" + nk.name + "|access|*|read'} "
 157                                                                 + "WHERE ns='"+ nk.name + "' AND "
 158                                                                 + "name='admin'"
 159                                                                 + ";";
 160                                                 session.execute(query);
 161                                                 env.info().log(query);
 162                                         }
 163                                 }
 164                         }
 165
 166                         Perm pk = Perm.keys.get(permAll);
 167                         if(pk==null) {
 168                                 trans.warn().log(nk.name + " is missing perm: " + permAll);
 169                                 if(!dryRun) {
 170                                 query = "INSERT INTO authz.perm(ns, type,instance,action,description, roles) VALUES ('"
 171                                                 + nk.name
 172                                                 + "','access','*','*','Namespace Write',"
 173                                                 + "{'" + nk.name + "|admin'});";
 174                                 session.execute(query);
 175                                 env.info().log(query);
 176
 177                                 }
 178                         } else {
 179                                 // PermALL should be linked to Role Admin
 180                                 if(!pk.roles.contains(roleAdmin)) {
 181                                         trans.warn().log(permAll,"is not linked to",roleAdmin);
 182                                         if(!dryRun) {
 183                                                 query = "UPDATE authz.perm set roles = roles + "
 184                                                                 + "{'" + nk.name + "|admin'} WHERE "
 185                                                                 + "ns='"+ pk.ns + "' AND "
 186                                                                 + "type='access' AND instance='*' and action='*'"
 187                                                                 + ";";
 188                                                 session.execute(query);
 189                                                 env.info().log(query);
 190
 191                                                 if(pk.roles.contains(roleAdminPrev)) {
 192                                                         query = "UPDATE authz.perm set roles = roles - "
 193                                                                         + "{'" + nk.name + ".admin'} WHERE "
 194                                                                         + "ns='"+ pk.ns + "' AND "
 195                                                                         + "type='access' AND instance='*' and action='*'"
 196                                                                         + ";";
 197                                                         session.execute(query);
 198                                                         env.info().log(query);
 199
 200                                                 }
 201                                         }
 202                                 }
 203
 204                                 // PermALL should be not linked to Role Owner
 205                                 if(pk.roles.contains(roleOwner)) {
 206                                         trans.warn().log(permAll,"should not be linked to",roleOwner);
 207                                         if(!dryRun) {
 208                                                 query = "UPDATE authz.perm set roles = roles - "
 209                                                                 + "{'" + nk.name + "|owner'} WHERE "
 210                                                                 + "ns='"+ pk.ns + "' AND "
 211                                                                 + "type='access' AND instance='*' and action='*'"
 212                                                                 + ";";
 213                                                 session.execute(query);
 214                                                 env.info().log(query);
 215                                         }
 216                                 }
 217
 218                         }
 219
 220
 221
 222                         // Owner
 223                         rk = Role.keys.get(roleOwner);
 224                         if(rk==null) {
 225                                 trans.warn().log(nk.name + " is missing role: " + roleOwner);
 226                                 if(!dryRun) {
 227                                 query = "INSERT INTO authz.role(ns, name, description, perms) VALUES('"
 228                                                 + nk.name
 229                                                 + "','owner','Automatic Owners',"
 230                                                 + "{'" + nk.name + "|access|*|read'});";
 231                                 session.execute(query);
 232                                 env.info().log(query);
 233
 234                                 }
 235                         } else {
 236                                 // Role Owner should be linked to permRead
 237                                 if(!rk.perms.contains(permRead)) {
 238                                         trans.warn().log(roleOwner,"is not linked to",permRead);
 239                                         if(!dryRun) {
 240                                                 query = "UPDATE authz.role set perms = perms + "
 241                                                                 + "{'" + nk.name + "|access|*|read'} "
 242                                                                 + "WHERE ns='"+ nk.name + "' AND "
 243                                                                 + "name='owner'"
 244                                                                 + ";";
 245                                                 session.execute(query);
 246                                                 env.info().log(query);
 247
 248                                                 if(rk.perms.contains(permReadPrev)) {
 249                                                         query = "UPDATE authz.role set perms = perms - "
 250                                                                         + "{'" + nk.name + ".access|*|read'} "
 251                                                                         + "WHERE ns='"+ nk.name + "' AND "
 252                                                                         + "name='owner'"
 253                                                                         + ";";
 254                                                         session.execute(query);
 255                                                         env.info().log(query);
 256
 257                                                 }
 258                                         }
 259                                 }
 260                         // Role Owner should not be linked to PermAll
 261                                 if(rk.perms.contains(permAll)) {
 262                                         trans.warn().log(roleAdmin,"should not be linked to",permAll);
 263                                         if(!dryRun) {
 264                                                 query = "UPDATE authz.role set perms = perms - "
 265                                                                 + "{'" + nk.name + "|access|*|*'} "
 266                                                                 + "WHERE ns='"+ nk.name + "' AND "
 267                                                                 + "name='admin'"
 268                                                                 + ";";
 269                                                 session.execute(query);
 270                                                 env.info().log(query);
 271                                         }
 272                                 }
 273
 274                         }
 275
 276                         pk = Perm.keys.get(permRead);
 277                         if(pk==null) {
 278                                 trans.warn().log(nk.name + " is missing perm: " + permRead);
 279                                 if(!dryRun) {
 280                                 query = "INSERT INTO authz.perm(ns, type,instance,action,description, roles) VALUES ('"
 281                                                 + nk.name
 282                                                 + "','access','*','read','Namespace Read',"
 283                                                 + "{'" + nk.name + "|owner'});";
 284                                 session.execute(query);
 285                                 env.info().log(query);
 286                                 }
 287                         } else {
 288                                 // PermRead should be linked to roleOwner
 289                                 if(!pk.roles.contains(roleOwner)) {
 290                                         trans.warn().log(permRead, "is not linked to", roleOwner);
 291                                         if(!dryRun) {
 292                                                 query = "UPDATE authz.perm set roles = roles + "
 293                                                                 + "{'" + nk.name + "|owner'} WHERE "
 294                                                                 + "ns='"+ pk.ns + "' AND "
 295                                                                 + "type='access' AND instance='*' and action='read'"
 296                                                                 + ";";
 297                                                 session.execute(query);
 298                                                 env.info().log(query);
 299
 300                                                 if(pk.roles.contains(roleOwnerPrev)) {
 301                                                         query = "UPDATE authz.perm set roles = roles - "
 302                                                                         + "{'" + nk.name + ".owner'} WHERE "
 303                                                                         + "ns='"+ pk.ns + "' AND "
 304                                                                         + "type='access' AND instance='*' and action='read'"
 305                                                                         + ";";
 306                                                         session.execute(query);
 307                                                         env.info().log(query);
 308
 309                                                 }
 310                                         }
 311                                 }
 312                                 // PermRead should be not linked to RoleAdmin
 313                                 if(pk.roles.contains(roleAdmin)) {
 314                                         if(dryRun) {
 315                                                 trans.warn().log(permRead,"should not be linked to",roleAdmin);
 316                                         } else {
 317                                                 query = "UPDATE authz.perm set roles = roles - "
 318                                                                 + "{'" + nk.name + "|admin'} WHERE "
 319                                                                 + "ns='"+ pk.ns + "' AND "
 320                                                                 + "type='access' AND instance='*' and action='read'"
 321                                                                 + ";";
 322                                                 session.execute(query);
 323                                                 env.info().log(query);
 324                                         }
 325                                 }
 326                         }
 327
 328
 329                         int dot = nk.name.lastIndexOf('.');
 330                         String parent;
 331                         if(dot<0) {
 332                                 parent = ".";
 333                         } else {
 334                                 parent = nk.name.substring(0, dot);
 335                         }
 336
 337                         if(!parent.equals(nk.parent)) {
 338                                 if(dryRun) {
 339                                         trans.warn().log(nk.name + " is missing namespace data");
 340                                 } else {
 341                                         query = "UPDATE authz.ns SET parent='"+parent+"'" +
 342                                                         " WHERE name='" + nk.name + "';";
 343                                         session.execute(query);
 344                                         env.info().log(query);
 345                                 }
 346                         }
 347
 348                 // During Migration:
 349                 List<NsAttrib> swm = NsAttrib.byNS.get(nk.name);
 350                 boolean hasSwmV1 = false;
 351                 if(swm!=null) {for(NsAttrib na : swm) {
 352                         if("swm".equals(na.key) && "v1".equals(na.value)) {
 353                                 hasSwmV1=true;
 354                                 break;
 355                         }
 356                 }}
 357                 String roleMem = nk.name+"|member";
 358                 Role rm = Role.keys.get(roleMem); // Accommodate new role key
 359                 if(rm==null && hasSwmV1) {
 360                         query = "INSERT INTO authz.role(ns, name, description, perms) VALUES ('"
 361                                         + nk.name
 362                                         + "','member','Member',"
 363                                         + "{'" + nk.name + "|access|*|read'});";
 364                         session.execute(query);
 365                              query = "UPDATE authz.role set perms = perms + "
 366                                                 + "{'" + nk.name + "|access|*|read'} "
 367                                                 + "WHERE ns='"+ nk.name + "' AND "
 368                                                 + "name='member'"
 369                                                 + ";";
 370                         session.execute(query);
 371                         env.info().log(query);
 372                 }
 373                 if(rm!=null)  {
 374                         if(!rm.perms.contains(permRead)) {
 375                                 if(isDryRun()) {
 376                                      env.info().log(nk.name+"|member needs " + nk.name + "|access|*|read");
 377                                 } else {
 378                                         query = "UPDATE authz.perm set roles = roles + "
 379                                                         + "{'" + nk.name + "|member'} WHERE "
 380                                                         + "ns='"+ pk.ns + "' AND "
 381                                                         + "type='access' AND instance='*' and action='read'"
 382                                                         + ";";
 383                                         session.execute(query);
 384                                         env.info().log(query);
 385                                         query = "UPDATE authz.role set perms = perms + "
 386                                                         + "{'" + nk.name + "|access|*|read'"
 387                                                         + (hasSwmV1?",'"+nk.name+"|swm.star|*|*'":"")
 388                                                                 + "} "
 389                                                         + "WHERE ns='"+ nk.name + "' AND "
 390                                                         + "name='member'"
 391                                                         + ";";
 392                                         session.execute(query);
 393                                         env.info().log(query);
 394                                         if(hasSwmV1) {
 395                                                 query = "UPDATE authz.perm set roles = roles + "
 396                                                                 + "{'" + nk.name + "|member'} WHERE "
 397                                                                 + "ns='"+ pk.ns + "' AND "
 398                                                                 + "type='swm.star' AND instance='*' and action='*'"
 399                                                                 + ";";
 400                                                 session.execute(query);
 401                                                 env.info().log(query);
 402                                         }
 403                                 }
 404                         }
 405                 }
 406
 407
 408
 409                 // Best Guess Owner
 410
 411 //              owner = Role.keys.get(ns.)
 412                 }
 413                 } finally {
 414                         tt.done();
 415                 }
 416
 417         }
 418
 419
 420         @Override
 421         protected void _close(AuthzTrans trans) {
 422         session.close();
 423         aspr.info("End " + this.getClass().getSimpleName() + " processing" );
 424         }
 425 }