1 /**
2  * ============LICENSE_START====================================================
3  * org.onap.aaf
4  * ===========================================================================
5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6  * ===========================================================================
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  * 
11  *      http://www.apache.org/licenses/LICENSE-2.0
12  * 
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  * ============LICENSE_END====================================================
19  *
20  */
21
22 package com.att.aaf.cadi.cass;
23
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.IAuthorizer;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.PermissionDetails;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLur;
import org.onap.aaf.cadi.lur.LocalPermission;
38
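public class AAFAuthorizer extends AAFBase implements IAuthorizer {

    /** Root segment of Cassandra's data resource names ("data", "data/ks", "data/ks/table"). */
    private static final String DATA_ROOT = "data";

    /**
     * Returns the permissions {@code user} holds on {@code resource}.
     *
     * <p>Only principals authenticated through AAF ({@link AAFAuthenticatedUser}) can be
     * granted anything; every other principal is denied, so the authorizer fails closed.
     * Local IDs (see cadi.properties) are resolved against the local LUR and receive
     * either everything or nothing; remote IDs are resolved against the AAF LUR, which
     * grants the individual actions it finds (see {@link #ACTIONS}).
     *
     * @param user     the authenticated principal; marked non-anonymous as a side effect
     *                 when it is an {@link AAFAuthenticatedUser}
     * @param resource the Cassandra resource being accessed
     * @return the granted permissions, never {@code null}
     */
    public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
        final String uname = user.getName();
        final String rname = resource.getName();
        access.log(Level.DEBUG, "Authorizing", uname, "for", rname);

        final Set<Permission> permissions;
        if (user instanceof AAFAuthenticatedUser) {
            AAFAuthenticatedUser aafUser = (AAFAuthenticatedUser) user;
            // A principal that reaches authorization is by definition not anonymous.
            aafUser.setAnonymous(false);

            // Cassandra's "data[/ks[/table]]" hierarchy is scoped to this cluster's name.
            final String scoped = scopeToCluster(rname);
            if (aafUser.isLocal()) {
                permissions = checkPermissions(aafUser, new LocalPermission(scoped));
            } else {
                // AAF permission instances use ':' as the hierarchy separator.
                permissions = checkPermissions(aafUser, perm_type, ':' + scoped.replace('/', ':'));
            }
        } else {
            permissions = Permission.NONE;
        }

        access.log(Level.INFO, "Permissions on", rname, "for", uname, ':', permissions);
        return permissions;
    }

    /**
     * Replaces the leading {@code data} root of a Cassandra resource name with
     * {@code cluster_name}.
     *
     * <p>Only the root segment is rewritten. The previous
     * {@code rname.replaceFirst("data", cluster_name)} rewrote the first occurrence
     * anywhere in the name, so a resource under another root whose own name contained
     * "data" (say {@code roles/dataadmin}) was mangled into a different permission
     * instance, and any {@code $} or {@code \} in {@code cluster_name} was interpreted
     * as a regex replacement sequence. Names that do not start with the data root are
     * returned unchanged.
     *
     * @param rname the Cassandra resource name
     * @return the cluster-scoped name
     */
    private String scopeToCluster(String rname) {
        if (rname.equals(DATA_ROOT)) {
            return cluster_name;
        }
        if (rname.startsWith(DATA_ROOT + '/')) {
            return cluster_name + rname.substring(DATA_ROOT.length());
        }
        return rname;
    }

    /**
     * Check only for Localized IDs (see cadi.properties).
     *
     * <p>There is no per-action granularity on this path: a local ID the local LUR
     * accepts for {@code perm} is granted {@link Permission#ALL} on the resource,
     * anything else gets {@link Permission#NONE}. Unlike the remote "*" action, this
     * path does not call {@code setSuper(true)} (the original had that call commented
     * out); behaviour is preserved here.
     *
     * @param aau  the AAF-authenticated local user
     * @param perm the cluster-scoped local permission to look up
     * @return {@code ALL} or {@code NONE}
     */
    private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, LocalPermission perm) {
        return localLur.fish(aau, perm) ? Permission.ALL : Permission.NONE;
    }

    /**
     * Check remoted AAF Permissions.
     *
     * <p>Each AAF action found for {@code type}/{@code instance} is mapped onto a
     * Cassandra permission by the matching entry of {@link #ACTIONS}.
     *
     * @param aau      the AAF-authenticated remote user
     * @param type     the AAF permission type ({@code perm_type})
     * @param instance the ':'-separated, cluster-scoped permission instance
     * @return the accumulated permissions, never {@code null}
     */
    private Set<Permission> checkPermissions(AAFAuthenticatedUser aau, String type, String instance) {
        PermHolder ph = new PermHolder(aau);
        aafLur.fishOneOf(aau, ph, type, instance, ACTIONS);
        return ph.permissions;
    }

    /**
     * Mutable accumulator handed to the AAF LUR visitor: collects the permissions
     * found for one user/resource lookup. Static so it carries no hidden reference
     * to the enclosing authorizer.
     */
    private static final class PermHolder {
        private final AAFAuthenticatedUser aau;
        // Starts as the shared NONE constant; swapped for a private set on first grant.
        Set<Permission> permissions = Permission.NONE;

        PermHolder(AAFAuthenticatedUser aau) {
            this.aau = aau;
        }

        /**
         * Adds one permission. The shared {@code Permission.NONE}/{@code ALL} constants
         * are never mutated in place: NONE is replaced by a private set, and a holder
         * that already has ALL has nothing to add.
         */
        void grant(Permission p) {
            if (permissions == Permission.ALL) {
                return;
            }
            if (permissions == Permission.NONE) {
                permissions = new HashSet<Permission>();
            }
            permissions.add(p);
        }

        /** Grants everything and marks the user as super. */
        void grantAll() {
            aau.setSuper(true);
            permissions = Permission.ALL;
        }
    }

    /**
     * Visitor table handed to the AAF LUR: one entry per AAF action name, mapping it
     * onto the Cassandra permission it grants. Avoids per-call object creation; built
     * once in the static initializer and read-only afterwards.
     */
    private static final ArrayList<AbsAAFLur.Action<PermHolder>> ACTIONS =
            new ArrayList<AbsAAFLur.Action<PermHolder>>();

    static {
        // "*" grants everything and is the only action whose exec() returns true —
        // presumably a "stop visiting" signal to fishOneOf; confirm against AbsAAFLur.
        ACTIONS.add(new AbsAAFLur.Action<PermHolder>() {
            public String getName() {
                return "*";
            }

            public boolean exec(PermHolder ph) {
                ph.grantAll();
                return true;
            }
        });
        ACTIONS.add(grantAction("SELECT", Permission.SELECT));
        ACTIONS.add(grantAction("MODIFY", Permission.MODIFY));
        ACTIONS.add(grantAction("CREATE", Permission.CREATE));
        ACTIONS.add(grantAction("ALTER", Permission.ALTER));
        ACTIONS.add(grantAction("DROP", Permission.DROP));
        ACTIONS.add(grantAction("AUTHORIZE", Permission.AUTHORIZE));
    }

    /**
     * Builds a visitor that grants {@code perm} when the AAF action {@code name}
     * matches, and lets the visit continue (exec returns false).
     */
    private static AbsAAFLur.Action<PermHolder> grantAction(final String name, final Permission perm) {
        return new AbsAAFLur.Action<PermHolder>() {
            public String getName() {
                return name;
            }

            public boolean exec(PermHolder ph) {
                ph.grant(perm);
                return false;
            }
        };
    }

    /** Not supported here: grants are administered in AAF, not through CQL. */
    public void grant(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String to) throws RequestExecutionException {
        access.log(Level.INFO, "Use AAF CLI to grant permission(s) to user/role");
    }

    /** Not supported here: revocations are administered in AAF, not through CQL. */
    public void revoke(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String from) throws RequestExecutionException {
        access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role");
    }

    /**
     * Not supported here: listing is done with the AAF CLI.
     *
     * @return an empty set (previously {@code null}, which callers that iterate the
     *         result would trip over)
     */
    public Set<PermissionDetails> list(AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of) throws RequestValidationException, RequestExecutionException {
        access.log(Level.INFO,"Use AAF CLI to find the list of permissions");
        return Collections.emptySet();
    }

    // Called prior to deleting the user with DROP USER query. Internal hook, so no permission checks are needed here.
    public void revokeAll(String droppedUser) {
        access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role");
    }

    // Called after a resource is removed (DROP KEYSPACE, DROP TABLE, etc.).
    public void revokeAll(IResource droppedResource) {
        access.log(Level.INFO,"Use AAF CLI to delete the unused permission", droppedResource.getName());
    }

}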
223
224 }