1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package org.onap.aaf.authz.service.api;
\r
25 import static org.onap.aaf.authz.layer.Result.OK;
\r
26 import static org.onap.aaf.cssa.rserv.HttpMethods.DELETE;
\r
27 import static org.onap.aaf.cssa.rserv.HttpMethods.POST;
\r
29 import javax.servlet.http.HttpServletRequest;
\r
30 import javax.servlet.http.HttpServletResponse;
\r
32 import org.onap.aaf.authz.common.Define;
\r
33 import org.onap.aaf.authz.env.AuthzTrans;
\r
34 import org.onap.aaf.authz.facade.AuthzFacade;
\r
35 import org.onap.aaf.authz.layer.Result;
\r
36 import org.onap.aaf.authz.service.AuthAPI;
\r
37 import org.onap.aaf.authz.service.Code;
\r
38 import org.onap.aaf.authz.service.mapper.Mapper.API;
\r
39 import org.onap.aaf.dao.aaf.cass.Status;
\r
40 import org.onap.aaf.dao.aaf.hl.Question;
\r
41 import org.onap.aaf.dao.session.SessionFilter;
\r
43 import com.att.aft.dme2.internal.jetty.http.HttpStatus;
\r
44 import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;
\r
45 import org.onap.aaf.inno.env.Trans;
\r
51 public class API_Mgmt {
\r
53 private static final String SUCCESS = "SUCCESS";
\r
56 * Normal Init level APIs
\r
62 public static void init(final AuthAPI authzAPI, AuthzFacade facade) throws Exception {
\r
65 * Clear Cache Segment
\r
67 authzAPI.route(DELETE,"/mgmt/cache/:area/:segments",API.VOID,new Code(facade,"Clear Cache by Segment", true) {
\r
69 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
70 Result<Void> r = context.cacheClear(trans, pathParam(req,"area"), pathParam(req,"segments"));
\r
73 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
74 resp.setStatus(HttpStatus.OK_200);
\r
77 context.error(trans,resp,r);
\r
85 authzAPI.route(DELETE,"/mgmt/cache/:area",API.VOID,new Code(facade,"Clear Cache", true) {
\r
87 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
90 r = context.cacheClear(trans, area=pathParam(req,"area"));
\r
93 trans.audit().log("Cache " + area + " has been cleared by "+trans.user());
\r
94 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
95 resp.setStatus(HttpStatus.OK_200);
\r
98 context.error(trans,resp,r);
\r
104 * Clear DB Sessions
\r
106 authzAPI.route(DELETE,"/mgmt/dbsession",API.VOID,new Code(facade,"Clear DBSessions", true) {
\r
108 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
110 if(req.isUserInRole(Define.ROOT_NS+".db|pool|clear")) {
\r
111 SessionFilter.clear();
\r
112 context.dbReset(trans);
\r
114 trans.audit().log("DB Sessions have been cleared by "+trans.user());
\r
116 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
117 resp.setStatus(HttpStatus.OK_200);
\r
120 context.error(trans,resp,Result.err(Result.ERR_Denied,"%s is not allowed to clear dbsessions",trans.user()));
\r
121 } catch(Exception e) {
\r
122 trans.error().log(e, "clearing dbsession");
\r
123 context.error(trans,resp,Result.err(e));
\r
131 authzAPI.route(POST, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Deny IP",true) {
\r
133 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
134 String ip = pathParam(req,":ip");
\r
135 if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|ip")) {
\r
136 if(DenialOfServiceTaf.denyIP(ip)) {
\r
137 trans.audit().log(ip+" has been set to deny by "+trans.user());
\r
138 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
140 resp.setStatus(HttpStatus.CREATED_201);
\r
142 context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
\r
143 ip + " is already being denied"));
\r
146 trans.audit().log(trans.user(),"has attempted to deny",ip,"without authorization");
\r
147 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
148 trans.getUserPrincipal().getName() + " is not allowed to set IP Denial"));
\r
154 * Stop Denying an IP
\r
156 authzAPI.route(DELETE, "/mgmt/deny/ip/:ip", API.VOID, new Code(facade,"Stop Denying IP",true) {
\r
158 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
159 String ip = pathParam(req,":ip");
\r
160 if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|ip")) {
\r
161 if(DenialOfServiceTaf.removeDenyIP(ip)) {
\r
162 trans.audit().log(ip+" has been removed from denial by "+trans.user());
\r
163 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
164 resp.setStatus(HttpStatus.OK_200);
\r
166 context.error(trans,resp,Result.err(Status.ERR_NotFound,
\r
167 ip + " is not on the denial list"));
\r
170 trans.audit().log(trans.user(),"has attempted to remove",ip," from being denied without authorization");
\r
171 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
172 trans.getUserPrincipal().getName() + " is not allowed to remove IP Denial"));
\r
180 authzAPI.route(POST, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Deny ID",true) {
\r
182 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
183 String id = pathParam(req,":id");
\r
184 if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|id")) {
\r
185 if(DenialOfServiceTaf.denyID(id)) {
\r
186 trans.audit().log(id+" has been set to deny by "+trans.user());
\r
187 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
188 resp.setStatus(HttpStatus.CREATED_201);
\r
190 context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
\r
191 id + " is already being denied"));
\r
194 trans.audit().log(trans.user(),"has attempted to deny",id,"without authorization");
\r
195 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
196 trans.getUserPrincipal().getName() + " is not allowed to set ID Denial"));
\r
202 * Stop Denying an ID
\r
204 authzAPI.route(DELETE, "/mgmt/deny/id/:id", API.VOID, new Code(facade,"Stop Denying ID",true) {
\r
206 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
207 String id = pathParam(req,":id");
\r
208 if(req.isUserInRole(Define.ROOT_NS+".deny|"+Define.ROOT_COMPANY+"|id")) {
\r
209 if(DenialOfServiceTaf.removeDenyID(id)) {
\r
210 trans.audit().log(id+" has been removed from denial by " + trans.user());
\r
211 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
212 resp.setStatus(HttpStatus.OK_200);
\r
214 context.error(trans,resp,Result.err(Status.ERR_NotFound,
\r
215 id + " is not on the denial list"));
\r
218 trans.audit().log(trans.user(),"has attempted to remove",id," from being denied without authorization");
\r
219 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
220 trans.getUserPrincipal().getName() + " is not allowed to remove ID Denial"));
\r
228 authzAPI.route(POST, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Special Log ID",true) {
\r
230 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
231 String id = pathParam(req,":id");
\r
232 if(req.isUserInRole(Define.ROOT_NS+".log|"+Define.ROOT_COMPANY+"|id")) {
\r
233 if(Question.specialLogOn(trans,id)) {
\r
234 trans.audit().log(id+" has been set to special Log by "+trans.user());
\r
235 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
236 resp.setStatus(HttpStatus.CREATED_201);
\r
238 context.error(trans,resp,Result.err(Status.ERR_ConflictAlreadyExists,
\r
239 id + " is already being special Logged"));
\r
242 trans.audit().log(trans.user(),"has attempted to special Log",id,"without authorization");
\r
243 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
244 trans.getUserPrincipal().getName() + " is not allowed to set ID special Logging"));
\r
250 * Stop Special Logging of an ID
\r
252 authzAPI.route(DELETE, "/mgmt/log/id/:id", API.VOID, new Code(facade,"Stop Special Log ID",true) {
\r
254 public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
\r
255 String id = pathParam(req,":id");
\r
256 if(req.isUserInRole(Define.ROOT_NS+".log|"+Define.ROOT_COMPANY+"|id")) {
\r
257 if(Question.specialLogOff(trans,id)) {
\r
258 trans.audit().log(id+" has been removed from special Logging by " + trans.user());
\r
259 trans.checkpoint(SUCCESS,Trans.ALWAYS);
\r
260 resp.setStatus(HttpStatus.OK_200);
\r
262 context.error(trans,resp,Result.err(Status.ERR_NotFound,
\r
263 id + " is not on the special Logging list"));
\r
266 trans.audit().log(trans.user(),"has attempted to remove",id," from being special Logged without authorization");
\r
267 context.error(trans,resp,Result.err(Status.ERR_Denied,
\r
268 trans.getUserPrincipal().getName() + " is not allowed to remove ID special Logging"));
\r