* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
public enum FUTURE_OP {
C("Create"),U("Update"),D("Delete"),G("Grant"),UG("UnGrant"),A("Approval");
-
+
private String desc;
-
+
private FUTURE_OP(String desc) {
this.desc = desc;
}
-
+
public String desc() {
return desc;
}
-
+
/**
* Same as valueOf(), but passes back null instead of throwing Exception
* @param value
* @return
*/
public static FUTURE_OP toFO(String value) {
- if(value!=null) {
- for(FUTURE_OP fo : values()) {
- if(fo.name().equals(value)){
+ if (value!=null) {
+ for (FUTURE_OP fo : values()) {
+ if (fo.name().equals(value)){
return fo;
}
}
public enum OP_STATUS {
E("Executed"),D("Denied"),P("Pending"),L("Lapsed");
-
+
private String desc;
- public final static Result<OP_STATUS> RE = Result.ok(OP_STATUS.E);
- public final static Result<OP_STATUS> RD = Result.ok(OP_STATUS.D);
- public final static Result<OP_STATUS> RP = Result.ok(OP_STATUS.P);
- public final static Result<OP_STATUS> RL = Result.ok(OP_STATUS.L);
+ public static final Result<OP_STATUS> RE = Result.ok(OP_STATUS.E);
+ public static final Result<OP_STATUS> RD = Result.ok(OP_STATUS.D);
+ public static final Result<OP_STATUS> RP = Result.ok(OP_STATUS.P);
+ public static final Result<OP_STATUS> RL = Result.ok(OP_STATUS.L);
private OP_STATUS(String desc) {
this.desc = desc;
}
-
+
public String desc() {
return desc;
}
-
+
}
public static final String FOP_CRED = "cred";
sb = new StringBuilder();
ao = new ArrayList<>();
}
- sb.append(result.details);
+ sb.append(String.format(result.details,result.variables));
sb.append('\n');
- for (String s : result.variables) {
- ao.add(s);
- }
}
}
/**
* createNS
- *
+ *
* Create Namespace
- *
+ *
* @param trans
* @param org
* @param ns
* @param user
* @return
* @throws DAOException
- *
+ *
* To create an NS, you need to: 1) validate permission to
* modify parent NS 2) Does NS exist already? 3) Create NS with
* a) "user" as owner. NOTE: Per 10-15 request for AAF 1.0 4)
*/
public Result<Void> createNS(AuthzTrans trans, Namespace namespace, boolean fromApproval) {
Result<?> rq;
-// if (namespace.name.endsWith(Question.DOT_ADMIN)
-// || namespace.name.endsWith(Question.DOT_OWNER)) {
-// return Result.err(Status.ERR_BadData,
-// "'admin' and 'owner' are reserved names in AAF");
-// }
try {
for (String u : namespace.owner) {
Identity orgUser = org.getIdentity(trans, u);
String reason;
if (orgUser == null) {
- return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName());
- } else if((reason=orgUser.mayOwn())!=null) {
+ return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName());
+ } else if ((reason=orgUser.mayOwn())!=null) {
if (org.isTestEnv()) {
String reason2;
- if((reason2=org.validate(trans, Policy.AS_RESPONSIBLE,new CassExecutor(trans, this), u))!=null) { // can masquerade as responsible
+ if ((reason2=org.validate(trans, Policy.AS_RESPONSIBLE,new CassExecutor(trans, this), u))!=null) { // can masquerade as responsible
trans.debug().log(reason2);
return Result.err(Status.ERR_Policy,CANNOT_BE_THE_OWNER_OF_A_NAMESPACE,orgUser.fullName(),orgUser.id(),namespace.name,reason);
}
// a null means ok
} else {
- if(orgUser.isFound()) {
+ if (orgUser.isFound()) {
return Result.err(Status.ERR_Policy,CANNOT_BE_THE_OWNER_OF_A_NAMESPACE,orgUser.fullName(),orgUser.id(),namespace.name, reason);
} else {
return Result.err(Status.ERR_Policy,u + " is an invalid Identity");
if (rparent.notOK()) {
return Result.err(rparent);
}
+ parent = rparent.value.parent;
if (!fromApproval) {
rparent = q.mayUser(trans, user, rparent.value, Access.write);
if (rparent.notOK()) {
}
}
parent = namespace.parent = rparent.value.name; // Correct Namespace from real data
+ String cname = parent.length()<1 || namespace.name.equals(parent)?null:namespace.name.substring(parent.length()+1);
// 2) Does requested NS exist
- if (q.nsDAO.read(trans, namespace.name).isOKhasData()) {
+ if (q.nsDAO().read(trans, namespace.name).isOKhasData()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
"Target Namespace already exists");
}
+ // 2.1) Does role exist with that name
+ if(cname!=null && q.roleDAO().read(trans, parent, cname).isOKhasData()) {
+ return Result.err(Status.ERR_ConflictAlreadyExists,
+ "Role exists with that name");
+ }
+
+ // 2.2) Do perms exist with that name
+ if(cname!=null && q.permDAO().readByType(trans, parent, cname).isOKhasData()) {
+ return Result.err(Status.ERR_ConflictAlreadyExists,
+ "Perms exist with that name");
+ }
+
// Someone must be responsible.
if (namespace.owner == null || namespace.owner.isEmpty()) {
return Result
// or helpful for Operations folks..
// Admins can be empty, because they can be changed by lower level
// NSs
- // if(ns.admin(false).isEmpty()) {
- // ns.admin(true).add(user);
- // }
if (namespace.admin != null) {
for (String u : namespace.admin) {
if ((r = checkValidID(trans, now, u)).notOK()) {
}
// VALIDATIONS done... Add NS
- if ((rq = q.nsDAO.create(trans, namespace.data())).notOK()) {
+ rq = q.nsDAO().create(trans, namespace.data());
+ if (rq.notOK()) {
return Result.err(rq);
}
urdd.role(namespace.name, Question.ADMIN);
for (String admin : namespace.admin) {
urdd.user = admin;
- eb.log(q.userRoleDAO.create(trans, urdd));
+ eb.log(q.userRoleDAO().create(trans, urdd));
}
urdd.role(namespace.name,Question.OWNER);
for (String owner : namespace.owner) {
urdd.user = owner;
- eb.log(q.userRoleDAO.create(trans, urdd));
+ eb.log(q.userRoleDAO().create(trans, urdd));
}
addNSAdminRolesPerms(trans, eb, namespace.name);
int targetNameDot = targetName.length() + 1;
// 4) Change any roles with children matching this NS, and
- Result<List<RoleDAO.Data>> rrdc = q.roleDAO.readChildren(trans, targetNs, targetName);
+ Result<List<RoleDAO.Data>> rrdc = q.roleDAO().readChildren(trans, targetNs, targetName);
if (rrdc.isOKhasData()) {
for (RoleDAO.Data rdd : rrdc.value) {
// Remove old Role from Perms, save them off
List<PermDAO.Data> lpdd = new ArrayList<>();
- for(String p : rdd.perms(false)) {
+ for (String p : rdd.perms(false)) {
Result<PermDAO.Data> rpdd = PermDAO.Data.decode(trans,q,p);
- if(rpdd.isOKhasData()) {
+ if (rpdd.isOKhasData()) {
PermDAO.Data pdd = rpdd.value;
lpdd.add(pdd);
- q.permDAO.delRole(trans, pdd, rdd);
+ q.permDAO().delRole(trans, pdd, rdd);
} else{
trans.error().log(rpdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = rdd.ns;
String delP2 = rdd.name;
rdd.ns = namespace.name;
rdd.name = (delP2.length() > targetNameDot) ? delP2
.substring(targetNameDot) : "";
-
+
// Need to use non-cached, because switching namespaces, not
// "create" per se
- if ((rq = q.roleDAO.create(trans, rdd)).isOK()) {
+ if ((rq = q.roleDAO().create(trans, rdd)).isOK()) {
// Put Role back into Perm, with correct info
- for(PermDAO.Data pdd : lpdd) {
- q.permDAO.addRole(trans, pdd, rdd);
+ for (PermDAO.Data pdd : lpdd) {
+ q.permDAO().addRole(trans, pdd, rdd);
}
- // Change data for User Roles
- Result<List<UserRoleDAO.Data>> rurd = q.userRoleDAO.readByRole(trans, rdd.fullName());
- if(rurd.isOKhasData()) {
- for(UserRoleDAO.Data urd : rurd.value) {
+ // Change data for User Roles
+ Result<List<UserRoleDAO.Data>> rurd = q.userRoleDAO().readByRole(trans, rdd.fullName());
+ if (rurd.isOKhasData()) {
+ for (UserRoleDAO.Data urd : rurd.value) {
urd.ns = rdd.ns;
urd.rname = rdd.name;
- q.userRoleDAO.update(trans, urd);
+ q.userRoleDAO().update(trans, urd);
}
}
// Now delete old one
rdd.ns = delP1;
rdd.name = delP2;
- if ((rq = q.roleDAO.delete(trans, rdd, false)).notOK()) {
+ if ((rq = q.roleDAO().delete(trans, rdd, false)).notOK()) {
eb.log(rq);
}
} else {
}
// 4) Change any Permissions with children matching this NS, and
- Result<List<PermDAO.Data>> rpdc = q.permDAO.readChildren(trans,targetNs, targetName);
+ Result<List<PermDAO.Data>> rpdc = q.permDAO().readChildren(trans,targetNs, targetName);
if (rpdc.isOKhasData()) {
for (PermDAO.Data pdd : rpdc.value) {
// Remove old Perm from Roles, save them off
List<RoleDAO.Data> lrdd = new ArrayList<>();
-
- for(String rl : pdd.roles(false)) {
+
+ for (String rl : pdd.roles(false)) {
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
- if(rrdd.isOKhasData()) {
+ if (rrdd.isOKhasData()) {
RoleDAO.Data rdd = rrdd.value;
lrdd.add(rdd);
- q.roleDAO.delPerm(trans, rdd, pdd);
+ q.roleDAO().delPerm(trans, rdd, pdd);
} else{
trans.error().log(rrdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = pdd.ns;
String delP2 = pdd.type;
pdd.ns = namespace.name;
pdd.type = (delP2.length() > targetNameDot) ? delP2
.substring(targetNameDot) : "";
- if ((rq = q.permDAO.create(trans, pdd)).isOK()) {
+ if ((rq = q.permDAO().create(trans, pdd)).isOK()) {
// Put Role back into Perm, with correct info
- for(RoleDAO.Data rdd : lrdd) {
- q.roleDAO.addPerm(trans, rdd, pdd);
+ for (RoleDAO.Data rdd : lrdd) {
+ q.roleDAO().addPerm(trans, rdd, pdd);
}
pdd.ns = delP1;
pdd.type = delP2;
- if ((rq = q.permDAO.delete(trans, pdd, false)).notOK()) {
+ if ((rq = q.permDAO().delete(trans, pdd, false)).notOK()) {
eb.log(rq);
- // } else {
// Need to invalidate directly, because we're
// switching places in NS, not normal cache behavior
- // q.permDAO.invalidate(trans,pdd);
}
} else {
eb.log(rq);
}
}
if (eb.hasErr()) {
- return Result.err(Status.ERR_ActionNotCompleted,eb.sb.toString(), eb.vars());
+ return Result.err(Status.ERR_ActionNotCompleted,eb.sb.toString(), (Object[])eb.vars());
}
}
return Result.ok();
rd.perms = new HashSet<>();
rd.perms.add(pd.encode());
- eb.log(q.roleDAO.create(trans, rd));
+ eb.log(q.roleDAO().create(trans, rd));
pd.roles = new HashSet<>();
pd.roles.add(rd.encode());
- eb.log(q.permDAO.create(trans, pd));
+ eb.log(q.permDAO().create(trans, pd));
}
private void addNSOwnerRolesPerms(AuthzTrans trans, ErrBuilder eb, String ns) {
rd.perms = new HashSet<>();
rd.perms.add(pd.encode());
- eb.log(q.roleDAO.create(trans, rd));
+ eb.log(q.roleDAO().create(trans, rd));
pd.roles = new HashSet<>();
pd.roles.add(rd.encode());
- eb.log(q.permDAO.create(trans, pd));
+ eb.log(q.permDAO().create(trans, pd));
}
/**
* deleteNS
- *
+ *
* Delete Namespace
- *
+ *
* @param trans
* @param org
* @param ns
* @param user
* @return
* @throws DAOException
- *
- *
+ *
+ *
* To delete an NS, you need to: 1) validate permission to
* modify this NS 2) Find all Roles with this NS, and 2a) if
* Force, delete them, else modify to Parent NS 3) Find all
boolean move = trans.requested(REQD_TYPE.move);
// 1) Validate
Result<List<NsDAO.Data>> nsl;
- if ((nsl = q.nsDAO.read(trans, ns)).notOKorIsEmpty()) {
+ if ((nsl = q.nsDAO().read(trans, ns)).notOKorIsEmpty()) {
return Result.err(Status.ERR_NsNotFound, "%s does not exist", ns);
}
NsDAO.Data nsd = nsl.value.get(0);
ErrBuilder er = new ErrBuilder();
// 2a) Deny if any IDs on Namespace
- Result<List<CredDAO.Data>> creds = q.credDAO.readNS(trans, ns);
+ Result<List<CredDAO.Data>> creds = q.credDAO().readNS(trans, ns);
if (creds.isOKhasData()) {
if (force || move) {
for (CredDAO.Data cd : creds.value) {
- er.log(q.credDAO.delete(trans, cd, false));
+ er.log(q.credDAO().delete(trans, cd, false));
// Since we're deleting all the creds, we should delete all
// the user Roles for that Cred
- Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO
+ Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO()
.readByUser(trans, cd.id);
if (rlurd.isOK()) {
for (UserRoleDAO.Data data : rlurd.value) {
- q.userRoleDAO.delete(trans, data, false);
+ q.userRoleDAO().delete(trans, data, false);
}
}
// 2b) Find (or delete if forced flag is set) dependencies
// First, find if NS Perms are the only ones
- Result<List<PermDAO.Data>> rpdc = q.permDAO.readNS(trans, ns);
+ Result<List<PermDAO.Data>> rpdc = q.permDAO().readNS(trans, ns);
if (rpdc.isOKhasData()) {
// Since there are now NS perms, we have to count NON-NS perms.
// FYI, if we delete them now, and the NS is not deleted, it is in
}
}
- Result<List<RoleDAO.Data>> rrdc = q.roleDAO.readNS(trans, ns);
+ Result<List<RoleDAO.Data>> rrdc = q.roleDAO().readNS(trans, ns);
if (rrdc.isOKhasData()) {
// Since there are now NS roles, we have to count NON-NS roles.
// FYI, if we delete th)em now, and the NS is not deleted, it is in
}
}
- return q.nsDAO.delete(trans, nsd, false);
+ return q.nsDAO().delete(trans, nsd, false);
}
public Result<List<String>> getOwners(AuthzTrans trans, String ns,
} else {
if (org.isTestEnv()) {
String reason2;
- if((reason2 = org.validate(trans, Policy.AS_RESPONSIBLE, new CassExecutor(trans, this), id))==null) {
+ if ((reason2 = org.validate(trans, Policy.AS_RESPONSIBLE, new CassExecutor(trans, this), id))==null) {
return Result.ok();
} else {
trans.debug().log(reason2);
if (rq.notOK()) {
return Result.err(rq);
}
-
+
rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
if (rq.notOK()) {
- Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO.readUserInRole(trans, trans.user(),ns+".owner");
- if(!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
+ Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner");
+ if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
return Result.err(rq);
}
}
try {
if (org.getIdentity(trans, user) == null) {
return Result.err(Status.ERR_Denied,
- "%s reports that %s is a faulty ID", org.getName(),
+ "%s reports that %s is an invalid ID", org.getName(),
user);
}
return Result.ok();
"%s is not a valid %s Credential", user, org.getName());
}
//TODO find out how to make sure good ALTERNATE OAUTH DOMAIN USER
-// } else if(user.endsWith(ALTERNATE OAUTH DOMAIN)) {
+// } else if (user.endsWith(ALTERNATE OAUTH DOMAIN)) {
// return Result.ok();
} else {
- Result<List<CredDAO.Data>> cdr = q.credDAO.readID(trans, user);
+ Result<List<CredDAO.Data>> cdr = q.credDAO().readID(trans, user);
if (cdr.notOKorIsEmpty()) {
return Result.err(Status.ERR_Security,
"%s is not a valid AAF Credential", user);
}
-
+
for (CredDAO.Data cd : cdr.value) {
if (cd.expires.after(now)) {
return Result.ok();
}
rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
- if (rq.notOK()) {
+ if (rq.notOK()) {
// Even though not a "writer", Owners still determine who gets to be an Admin
- Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO.readUserInRole(trans, trans.user(),ns+".owner");
- if(!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
+ Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner");
+ if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
return Result.err(rq);
}
}
/**
* Helper function that moves permissions from a namespace being deleted to
* its parent namespace
- *
+ *
* @param trans
* @param parent
* @param sb
}
// Remove old Perm from Roles, save them off
List<RoleDAO.Data> lrdd = new ArrayList<>();
-
- for(String rl : pdd.roles(false)) {
+
+ for (String rl : pdd.roles(false)) {
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
- if(rrdd.isOKhasData()) {
+ if (rrdd.isOKhasData()) {
RoleDAO.Data rdd = rrdd.value;
lrdd.add(rdd);
- q.roleDAO.delPerm(trans, rdd, pdd);
+ q.roleDAO().delPerm(trans, rdd, pdd);
} else{
trans.error().log(rrdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = pdd.ns;
NsSplit nss = new NsSplit(parent, pdd.fullType());
pdd.ns = nss.ns;
pdd.type = nss.name;
// Use direct Create/Delete, because switching namespaces
- if ((pd = q.permDAO.create(trans, pdd)).isOK()) {
+ if ((pd = q.permDAO().create(trans, pdd)).isOK()) {
// Put Role back into Perm, with correct info
- for(RoleDAO.Data rdd : lrdd) {
- q.roleDAO.addPerm(trans, rdd, pdd);
+ for (RoleDAO.Data rdd : lrdd) {
+ q.roleDAO().addPerm(trans, rdd, pdd);
}
pdd.ns = delP1;
pdd.type = delP2;
- if ((rv = q.permDAO.delete(trans, pdd, false)).notOK()) {
+ if ((rv = q.permDAO().delete(trans, pdd, false)).notOK()) {
sb.append(rv.details);
sb.append('\n');
// } else {
// Need to invalidate directly, because we're switching
// places in NS, not normal cache behavior
- // q.permDAO.invalidate(trans,pdd);
+ // q.permDAO().invalidate(trans,pdd);
}
} else {
sb.append(pd.details);
/**
* Helper function that moves roles from a namespace being deleted to its
* parent namespace
- *
+ *
* @param trans
* @param parent
* @param sb
}
// Remove old Role from Perms, save them off
List<PermDAO.Data> lpdd = new ArrayList<>();
- for(String p : rdd.perms(false)) {
+ for (String p : rdd.perms(false)) {
Result<PermDAO.Data> rpdd = PermDAO.Data.decode(trans,q,p);
- if(rpdd.isOKhasData()) {
+ if (rpdd.isOKhasData()) {
PermDAO.Data pdd = rpdd.value;
lpdd.add(pdd);
- q.permDAO.delRole(trans, pdd, rdd);
+ q.permDAO().delRole(trans, pdd, rdd);
} else{
trans.error().log(rpdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = rdd.ns;
rdd.ns = nss.ns;
rdd.name = nss.name;
// Use direct Create/Delete, because switching namespaces
- if ((rd = q.roleDAO.create(trans, rdd)).isOK()) {
+ if ((rd = q.roleDAO().create(trans, rdd)).isOK()) {
// Put Role back into Perm, with correct info
- for(PermDAO.Data pdd : lpdd) {
- q.permDAO.addRole(trans, pdd, rdd);
+ for (PermDAO.Data pdd : lpdd) {
+ q.permDAO().addRole(trans, pdd, rdd);
}
rdd.ns = delP1;
rdd.name = delP2;
- if ((rv = q.roleDAO.delete(trans, rdd, true)).notOK()) {
+ if ((rv = q.roleDAO().delete(trans, rdd, true)).notOK()) {
sb.append(rv.details);
sb.append('\n');
// } else {
// Need to invalidate directly, because we're switching
// places in NS, not normal cache behavior
- // q.roleDAO.invalidate(trans,rdd);
+ // q.roleDAO().invalidate(trans,rdd);
}
} else {
sb.append(rd.details);
/**
* Create Permission (and any missing Permission between this and Parent) if
* we have permission
- *
+ *
* Pass in the desired Management Permission for this Permission
- *
+ *
* If Force is set, then Roles listed will be created, if allowed,
* pre-granted.
*/
return Result.err(rnsd);
}
} else {
- rnsd = q.deriveNs(trans, perm.ns);
+ q.deriveNs(trans, perm.ns);
}
// Does Child exist?
if (!trans.requested(REQD_TYPE.force)) {
- if (q.permDAO.read(trans, perm).isOKhasData()) {
+ if (q.permDAO().read(trans, perm).isOKhasData()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
"Permission [%s.%s|%s|%s] already exists.", perm.ns,
perm.type, perm.instance, perm.action);
// For each Role
for (String role : roles = perm.roles(true)) {
Result<RoleDAO.Data> rdd = RoleDAO.Data.decode(trans,q,role);
- if(rdd.isOKhasData()) {
+ if (rdd.isOKhasData()) {
RoleDAO.Data rd = rdd.value;
if (!fromApproval) {
// May User write to the Role in question.
}
Result<List<RoleDAO.Data>> rlrd;
- if ((rlrd = q.roleDAO.read(trans, rd)).notOKorIsEmpty()) {
+ if ((rlrd = q.roleDAO().read(trans, rd)).notOKorIsEmpty()) {
rd.perms(true).add(pstring);
- if (q.roleDAO.create(trans, rd).notOK()) {
+ if (q.roleDAO().create(trans, rd).notOK()) {
roles.remove(role); // Role doesn't exist, and can't be
// created
}
} else {
rd = rlrd.value.get(0);
if (!rd.perms.contains(pstring)) {
- q.roleDAO.addPerm(trans, rd, perm);
+ q.roleDAO().addPerm(trans, rd, perm);
}
}
}
}
- Result<PermDAO.Data> pdr = q.permDAO.create(trans, perm);
+ Result<PermDAO.Data> pdr = q.permDAO().create(trans, perm);
if (pdr.isOK()) {
return Result.ok();
- } else {
+ } else {
return Result.err(pdr);
}
}
}
}
// Does Perm exist?
- Result<List<PermDAO.Data>> pdr = q.permDAO.read(trans, perm);
+ Result<List<PermDAO.Data>> pdr = q.permDAO().read(trans, perm);
if (pdr.notOKorIsEmpty()) {
return Result.err(Status.ERR_PermissionNotFound,"Permission [%s.%s|%s|%s] does not exist.",
perm.ns,perm.type, perm.instance, perm.action);
// Attached to any Roles?
if (fullperm.roles != null) {
- if (force) {
+ if (force || fullperm.roles.contains(user+":user")) {
for (String role : fullperm.roles) {
Result<Void> rv = null;
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, q, role);
- if(rrdd.isOKhasData()) {
+ if (rrdd.isOKhasData()) {
trans.debug().log("Removing", role, "from", fullperm, "on Perm Delete");
- if ((rv = q.roleDAO.delPerm(trans, rrdd.value, fullperm)).notOK()) {
+ if ((rv = q.roleDAO().delPerm(trans, rrdd.value, fullperm)).notOK()) {
if (rv.notOK()) {
trans.error().log("Error removing Role during delFromPermRole: ",
trans.getUserPrincipal(),
} else if (!fullperm.roles.isEmpty()) {
return Result
.err(Status.ERR_DependencyExists,
- "Permission [%s.%s|%s|%s] cannot be deleted as it is attached to 1 or more roles.",
- fullperm.ns, fullperm.type, fullperm.instance, fullperm.action);
+ "Permission [%s] cannot be deleted as it is attached to 1 or more roles.",
+ fullperm.fullPerm());
}
}
- return q.permDAO.delete(trans, fullperm, false);
+ return q.permDAO().delete(trans, fullperm, false);
}
public Result<Void> deleteRole(final AuthzTrans trans, final RoleDAO.Data role, boolean force, boolean fromApproval) {
}
// Are there any Users Attached to Role?
- Result<List<UserRoleDAO.Data>> urdr = q.userRoleDAO.readByRole(trans,role.fullName());
+ Result<List<UserRoleDAO.Data>> urdr = q.userRoleDAO().readByRole(trans,role.fullName());
if (force) {
if (urdr.isOKhasData()) {
for (UserRoleDAO.Data urd : urdr.value) {
- q.userRoleDAO.delete(trans, urd, false);
+ q.userRoleDAO().delete(trans, urd, false);
}
}
} else if (urdr.isOKhasData()) {
}
// Does Role exist?
- Result<List<RoleDAO.Data>> rdr = q.roleDAO.read(trans, role);
+ Result<List<RoleDAO.Data>> rdr = q.roleDAO().read(trans, role);
if (rdr.notOKorIsEmpty()) {
return Result.err(Status.ERR_RoleNotFound,
"Role [%s.%s] does not exist", role.ns, role.name);
if (rpd.isOK()) {
trans.debug().log("Removing", perm, "from", fullrole,"on Role Delete");
- Result<?> r = q.permDAO.delRole(trans, rpd.value, fullrole);
+ Result<?> r = q.permDAO().delRole(trans, rpd.value, fullrole);
if (r.notOK()) {
trans.error().log("ERR_FDR1 unable to remove",fullrole,"from",perm,':',r.status,'-',r.details);
}
}
}
}
- return q.roleDAO.delete(trans, fullrole, false);
+ return q.roleDAO().delete(trans, fullrole, false);
}
/**
* Only owner of Permission may add to Role
- *
+ *
* If force set, however, Role will be created before Grant, if User is
* allowed to create.
- *
+ *
* @param trans
* @param role
* @param pd
*/
public Result<Void> addPermToRole(AuthzTrans trans, RoleDAO.Data role,PermDAO.Data pd, boolean fromApproval) {
String user = trans.user();
-
+
if (!fromApproval) {
Result<NsDAO.Data> rRoleCo = q.deriveFirstNsForType(trans, role.ns, NsType.COMPANY);
- if(rRoleCo.notOK()) {
+ if (rRoleCo.notOK()) {
return Result.err(rRoleCo);
}
Result<NsDAO.Data> rPermCo = q.deriveFirstNsForType(trans, pd.ns, NsType.COMPANY);
- if(rPermCo.notOK()) {
+ if (rPermCo.notOK()) {
return Result.err(rPermCo);
}
// Not from same company
- if(!rRoleCo.value.name.equals(rPermCo.value.name)) {
+ if (!rRoleCo.value.name.equals(rPermCo.value.name)) {
Result<Data> r;
// Only grant if User ALSO has Write ability in Other Company
- if((r = q.mayUser(trans, user, role, Access.write)).notOK()) {
+ if ((r = q.mayUser(trans, user, role, Access.write)).notOK()) {
return Result.err(r);
}
}
-
+
// Must be Perm Admin, or Granted Special Permission
Result<NsDAO.Data> ucp = q.mayUser(trans, user, pd, Access.write);
if (ucp.notOK()) {
// Don't allow CLI potential Grantees to change their own AAF
// Perms,
- if ((ROOT_NS.equals(pd.ns) && Question.NS.equals(pd.type))
+ if ((ROOT_NS.equals(pd.ns) && Question.NS.equals(pd.type))
|| !q.isGranted(trans, trans.user(),ROOT_NS,Question.PERM, rPermCo.value.name, "grant")) {
// Not otherwise granted
// TODO Needed?
}
// Final Check... Don't allow Grantees to add to Roles they are
// part of
- Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO
+ Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO()
.readByUser(trans, trans.user());
if (rlurd.isOK()) {
for (UserRoleDAO.Data ur : rlurd.value) {
}
}
- Result<List<PermDAO.Data>> rlpd = q.permDAO.read(trans, pd);
+ Result<List<PermDAO.Data>> rlpd = q.permDAO().read(trans, pd);
if (rlpd.notOKorIsEmpty()) {
return Result.err(Status.ERR_PermissionNotFound,
"Permission must exist to add to Role");
}
- Result<List<RoleDAO.Data>> rlrd = q.roleDAO.read(trans, role); // Already
+ Result<List<RoleDAO.Data>> rlrd = q.roleDAO().read(trans, role); // Already
// Checked
// for
// can
}
role.perms(true).add(pd.encode());
- Result<RoleDAO.Data> rdd = q.roleDAO.create(trans, role);
+ Result<RoleDAO.Data> rdd = q.roleDAO().create(trans, role);
if (rdd.isOK()) {
rv = Result.ok();
} else {
role.perms(true).add(pd.encode()); // this is added for Caching
// access purposes... doesn't
// affect addPerm
- rv = q.roleDAO.addPerm(trans, role, pd);
+ rv = q.roleDAO().addPerm(trans, role, pd);
}
if (rv.status == Status.OK) {
- return q.permDAO.addRole(trans, pd, role);
+ return q.permDAO().addRole(trans, pd, role);
// exploring how to add information message to successful http
// request
}
/**
* Either Owner of Role or Permission may delete from Role
- *
+ *
* @param trans
* @param role
* @param pd
}
}
- Result<List<RoleDAO.Data>> rlr = q.roleDAO.read(trans, role);
+ Result<List<RoleDAO.Data>> rlr = q.roleDAO().read(trans, role);
if (rlr.notOKorIsEmpty()) {
// If Bad Data, clean out
- Result<List<PermDAO.Data>> rlp = q.permDAO.read(trans, pd);
+ Result<List<PermDAO.Data>> rlp = q.permDAO().read(trans, pd);
if (rlp.isOKhasData()) {
for (PermDAO.Data pv : rlp.value) {
- q.permDAO.delRole(trans, pv, role);
+ q.permDAO().delRole(trans, pv, role);
}
}
return Result.err(rlr);
break;
}
}
- if(!notFound) {
+ if (!notFound) {
break;
}
}
}
// Read Perm for full data
- Result<List<PermDAO.Data>> rlp = q.permDAO.read(trans, pd);
+ Result<List<PermDAO.Data>> rlp = q.permDAO().read(trans, pd);
Result<Void> rv = null;
if (rlp.isOKhasData()) {
for (PermDAO.Data pv : rlp.value) {
- if ((rv = q.permDAO.delRole(trans, pv, role)).isOK()) {
- if ((rv = q.roleDAO.delPerm(trans, role, pv)).notOK()) {
+ if ((rv = q.permDAO().delRole(trans, pv, role)).isOK()) {
+ if ((rv = q.roleDAO().delPerm(trans, role, pv)).notOK()) {
trans.error().log(
"Error removing Perm during delFromPermRole:",
trans.getUserPrincipal(), rv.errorString());
}
}
} else {
- rv = q.roleDAO.delPerm(trans, role, pd);
+ rv = q.roleDAO().delPerm(trans, role, pd);
if (rv.notOK()) {
trans.error().log("Error removing Role during delFromPermRole",
rv.errorString());
/**
* Add a User to Role
- *
+ *
* 1) Role must exist 2) User must be a known Credential (i.e. mechID ok if
* Credential) or known Organizational User
- *
+ *
* @param trans
* @param org
* @param urData
*/
public Result<Void> addUserRole(AuthzTrans trans,UserRoleDAO.Data urData) {
Result<Void> rv;
- if(Question.ADMIN.equals(urData.rname)) {
+ if (Question.ADMIN.equals(urData.rname)) {
rv = mayAddAdmin(trans, urData.ns, urData.user);
- } else if(Question.OWNER.equals(urData.rname)) {
+ } else if (Question.OWNER.equals(urData.rname)) {
rv = mayAddOwner(trans, urData.ns, urData.user);
} else {
rv = checkValidID(trans, new Date(), urData.user);
}
- if(rv.notOK()) {
- return rv;
+ if (rv.notOK()) {
+ return rv;
}
-
+
// Check if record exists
- if (q.userRoleDAO.read(trans, urData).isOKhasData()) {
+ if (q.userRoleDAO().read(trans, urData).isOKhasData()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
"User Role exists");
}
- if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
+ if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
return Result.err(Status.ERR_RoleNotFound,
"Role [%s.%s] does not exist", urData.ns, urData.rname);
}
urData.expires = trans.org().expiration(null, Expiration.UserInRole, urData.user).getTime();
-
-
- Result<UserRoleDAO.Data> udr = q.userRoleDAO.create(trans, urData);
- switch (udr.status) {
- case OK:
+
+
+ Result<UserRoleDAO.Data> udr = q.userRoleDAO().create(trans, urData);
+ if (udr.status == OK) {
return Result.ok();
- default:
- return Result.err(udr);
}
+ return Result.err(udr);
}
public Result<Void> addUserRole(AuthzTrans trans, String user, String ns, String rname) {
try {
- if(trans.org().getIdentity(trans, user)==null) {
+ if (trans.org().getIdentity(trans, user)==null) {
return Result.err(Result.ERR_BadData,user+" is an Invalid Identity for " + trans.org().getName());
}
} catch (OrganizationException e) {
/**
* Extend User Role.
- *
+ *
* extend the Expiration data, according to Organization rules.
- *
+ *
* @param trans
* @param org
* @param urData
*/
public Result<Void> extendUserRole(AuthzTrans trans, UserRoleDAO.Data urData, boolean checkForExist) {
// Check if record still exists
- if (checkForExist && q.userRoleDAO.read(trans, urData).notOKorIsEmpty()) {
+ if (checkForExist && q.userRoleDAO().read(trans, urData).notOKorIsEmpty()) {
return Result.err(Status.ERR_UserRoleNotFound,
"User Role does not exist");
}
-
- if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
+
+ if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
return Result.err(Status.ERR_RoleNotFound,
"Role [%s.%s] does not exist", urData.ns,urData.rname);
}
// time
// starting
// today
- return q.userRoleDAO.update(trans, urData);
+ return q.userRoleDAO().update(trans, urData);
}
// ////////////////////////////////////////////////////
// Roles
// ////////////////////////////////////////////////////
public Result<List<String>> getUsersByRole(AuthzTrans trans, String role, boolean includeExpired) {
- Result<List<UserRoleDAO.Data>> rurdd = q.userRoleDAO.readByRole(trans,role);
+ Result<List<UserRoleDAO.Data>> rurdd = q.userRoleDAO().readByRole(trans,role);
if (rurdd.notOK()) {
return Result.err(rurdd);
}
UserRoleDAO.Data urdd = new UserRoleDAO.Data();
urdd.user = user;
urdd.role(ns,rname);
- Result<List<UserRoleDAO.Data>> r = q.userRoleDAO.read(trans, urdd);
+ Result<List<UserRoleDAO.Data>> r = q.userRoleDAO().read(trans, urdd);
if (r.status == 404 || r.isEmpty()) {
return Result.err(Status.ERR_UserRoleNotFound,
"UserRole [%s] [%s.%s]", user, ns, rname);
return Result.err(r);
}
- return q.userRoleDAO.delete(trans, urdd, false);
+ return q.userRoleDAO().delete(trans, urdd, false);
}
public Result<String> createFuture(AuthzTrans trans, FutureDAO.Data data, String id, String user,
List<Identity> approvers = op.equals(FUTURE_OP.A)?NO_ADDL_APPROVE:org.getApprovers(trans, user);
List<Identity> owners = new ArrayList<>();
if (nsd != null) {
- Result<List<UserRoleDAO.Data>> rrbr = q.userRoleDAO
+ Result<List<UserRoleDAO.Data>> rrbr = q.userRoleDAO()
.readByRole(trans, nsd.name + Question.DOT_OWNER);
if (rrbr.isOKhasData()) {
- for(UserRoleDAO.Data urd : rrbr.value) {
+ for (UserRoleDAO.Data urd : rrbr.value) {
Identity owner = org.getIdentity(trans, urd.user);
- if(owner==null) {
+ if (owner==null) {
return Result.err(Result.ERR_NotFound,urd.user + " is not a Valid Owner of " + nsd.name);
} else {
owners.add(owner);
}
}
}
-
- if(owners.isEmpty()) {
+
+ if (owners.isEmpty()) {
return Result.err(Result.ERR_NotFound,"No Owners found for " + nsd.name);
}
-
+
// Create Future Object
-
- Result<FutureDAO.Data> fr = q.futureDAO.create(trans, data, id);
+
+ Result<FutureDAO.Data> fr = q.futureDAO().create(trans, data, id);
if (fr.isOK()) {
sb.append("Created Future: ");
sb.append(data.id);
// User Future ID as ticket for Approvals
final UUID ticket = fr.value.id;
sb.append(", Approvals: ");
- Boolean first[] = new Boolean[]{true};
- if(op!=FUTURE_OP.A) {
+ Boolean[] first = new Boolean[]{true};
+ if (op!=FUTURE_OP.A) {
for (Identity u : approvers) {
Result<ApprovalDAO.Data> r = addIdentity(trans,sb,first,user,data.memo,op,u,ticket,org.getApproverType());
- if(r.notOK()) {
+ if (r.notOK()) {
return Result.err(r);
}
}
}
for (Identity u : owners) {
Result<ApprovalDAO.Data> r = addIdentity(trans,sb,first,user,data.memo,op,u,ticket,"owner");
- if(r.notOK()) {
+ if (r.notOK()) {
return Result.err(r);
}
}
} catch (Exception e) {
return Result.err(e);
}
-
+
return Result.ok(sb.toString());
}
public interface Lookup<T> {
T get(AuthzTrans trans, Object ... keys);
}
-
+
public Lookup<UserRoleDAO.Data> urDBLookup = new Lookup<UserRoleDAO.Data>() {
@Override
public UserRoleDAO.Data get(AuthzTrans trans, Object ... keys) {
- Result<List<UserRoleDAO.Data>> r = q.userRoleDAO.read(trans, keys);
- if(r.isOKhasData()) {
+ Result<List<UserRoleDAO.Data>> r = q.userRoleDAO().read(trans, keys);
+ if (r.isOKhasData()) {
return r.value.get(0);
} else {
return null;
};
/**
- * Note: if "allApprovals for Ticket is null, it will be looked up.
+ * Note: if "allApprovals for Ticket is null, it will be looked up.
* if "fdd" is null, it will be looked up, but
- *
+ *
* They can be passed for performance reasons.
- *
+ *
* @param trans
* @param cd
* @param allApprovalsForTicket
public Result<OP_STATUS> performFutureOp(final AuthzTrans trans, FUTURE_OP fop, FutureDAO.Data curr, Lookup<List<ApprovalDAO.Data>> la, Lookup<UserRoleDAO.Data> lur) {
// Pre-Evaluate if ReApproval is already done.
UserRoleDAO.Data urdd = null;
- if(fop.equals(FUTURE_OP.A) && curr.target.equals(FOP_USER_ROLE) && curr.construct!=null) {
+ if (fop.equals(FUTURE_OP.A) && curr.target.equals(FOP_USER_ROLE) && curr.construct!=null) {
try {
// Get Expected UserRole from Future
urdd = new UserRoleDAO.Data();
urdd.reconstitute(curr.construct);
// Get Current UserRole from lookup
UserRoleDAO.Data lurdd = lur.get(trans, urdd.user,urdd.role);
- if(lurdd==null) {
- q.futureDAO.delete(trans, curr, false);
+ if (lurdd==null) {
+ q.futureDAO().delete(trans, curr, false);
return OP_STATUS.RL;
} else {
- if(curr.expires.compareTo(lurdd.expires)<0) {
- q.futureDAO.delete(trans, curr, false);
+ if (curr.expires.compareTo(lurdd.expires)<0) {
+ q.futureDAO().delete(trans, curr, false);
return OP_STATUS.RL;
}
}
return Result.err(Result.ERR_BadData,"Cannot reconstitute %1",curr.memo);
}
}
-
+
boolean aDenial = false;
int cntSuper=0, appSuper=0,cntOwner=0, appOwner=0;
- for(ApprovalDAO.Data add : la.get(trans)) {
+ for (ApprovalDAO.Data add : la.get(trans)) {
switch(add.status) {
case "approved":
- if("owner".equals(add.type)) {
+ if ("owner".equals(add.type)) {
++cntOwner;
++appOwner;
- } else if("supervisor".equals(add.type)) {
+ } else if ("supervisor".equals(add.type)) {
++cntSuper;
++appSuper;
}
break;
case "pending":
- if("owner".equals(add.type)) {
+ if ("owner".equals(add.type)) {
++cntOwner;
- } else if("supervisor".equals(add.type)) {
+ } else if ("supervisor".equals(add.type)) {
++cntSuper;
}
break;
case "denied":
aDenial=true;
break;
+ default:
+ break;
}
}
-
+
Result<OP_STATUS> ros=null;
- if(aDenial) {
- // Note: Denial will be Audit-logged.
-// for (ApprovalDAO.Data ad : allApprovalsForTicket.value) {
-// q.approvalDAO.delete(trans, ad, false);
-// }
+ if (aDenial) {
ros = OP_STATUS.RD;
- if(q.futureDAO.delete(trans, curr, false).notOK()) {
+ if (q.futureDAO().delete(trans, curr, false).notOK()) {
trans.info().printf("Future %s could not be deleted", curr.id.toString());
} else {
if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) {
// A Denial means we must remove UserRole
- if(fop.equals(FUTURE_OP.U) || fop.equals(FUTURE_OP.A)) {
+ if (fop.equals(FUTURE_OP.U) || fop.equals(FUTURE_OP.A)) {
UserRoleDAO.Data data = new UserRoleDAO.Data();
try {
data.reconstitute(curr.construct);
}
}
}
-
+
// Decision: If not Denied, and at least owner, if exists, and at least one Super, if exists
boolean goDecision = (cntOwner>0?appOwner>0:true) && (cntSuper>0?appSuper>0:true);
- if(goDecision) {
+ if (goDecision) {
// should check if any other pendings before performing
// actions
try {
data.reconstitute(curr.construct);
switch(fop) {
case C:
- ros = set(OP_STATUS.RE,q.roleDAO.dao().create(trans, data));
+ ros = set(OP_STATUS.RE,q.roleDAO().dao().create(trans, data));
break;
case D:
ros = set(OP_STATUS.RE,deleteRole(trans, data, true, true));
default:
}
} else if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) {
- if(urdd==null) {
+ if (urdd==null) {
urdd = new UserRoleDAO.Data();
urdd.reconstitute(curr.construct);
}
} else if (FOP_NS.equalsIgnoreCase(curr.target)) {
Namespace namespace = new Namespace();
namespace.reconstitute(curr.construct);
- switch(fop) {
- case C:
- ros = set(OP_STATUS.RE,createNS(trans, namespace, true));
- break;
- default:
+ if (fop == FUTURE_OP.C) {
+ ros = set(OP_STATUS.RE, createNS(trans, namespace, true));
}
} else if (FOP_DELEGATE.equalsIgnoreCase(curr.target)) {
DelegateDAO.Data data = new DelegateDAO.Data();
data.reconstitute(curr.construct);
switch(fop) {
case C:
- ros = set(OP_STATUS.RE,q.delegateDAO.create(trans, data));
+ ros = set(OP_STATUS.RE,q.delegateDAO().create(trans, data));
break;
case U:
- ros = set(OP_STATUS.RE,q.delegateDAO.update(trans, data));
+ ros = set(OP_STATUS.RE,q.delegateDAO().update(trans, data));
break;
default:
}
} else if (FOP_CRED.equalsIgnoreCase(curr.target)) {
CredDAO.Data data = new CredDAO.Data();
data.reconstitute(curr.construct);
- switch(fop) {
- case C:
- ros = set(OP_STATUS.RE,q.credDAO.dao().create(trans, data));
- break;
- default:
+ if (fop == FUTURE_OP.C) {
+ ros = set(OP_STATUS.RE, q.credDAO().dao().create(trans, data));
}
- }
+ }
} catch (Exception e) {
trans.error().log("Exception: ", e.getMessage(),
" \n occurred while performing", curr.memo,
" from Ticket ", curr.id.toString());
}
- q.futureDAO.delete(trans, curr, false);
+ q.futureDAO().delete(trans, curr, false);
} // end for goDecision
- if(ros==null) {
+ if (ros==null) {
//return Result.err(Status.ACC_Future, "Full Approvals not obtained: No action taken");
ros = OP_STATUS.RP;
}
-
+
return ros;
}
// Convenience method for setting OPSTatus Results
private Result<OP_STATUS> set(Result<OP_STATUS> rs, Result<?> orig) {
- if(orig.isOK()) {
+ if (orig.isOK()) {
return rs;
} else {
return Result.err(orig);
}
}
- private Result<ApprovalDAO.Data> addIdentity(AuthzTrans trans, StringBuilder sb,
+ private Result<ApprovalDAO.Data> addIdentity(AuthzTrans trans, StringBuilder sb,
Boolean[] first, String user, String memo, FUTURE_OP op, Identity u, UUID ticket, String type) throws OrganizationException {
ApprovalDAO.Data ad = new ApprovalDAO.Data();
// Note ad.id is set by ApprovalDAO Create
ad.type = type;
ad.operation = op.name();
// Note ad.updated is created in System
- Result<ApprovalDAO.Data> r = q.approvalDAO.create(trans,ad);
- if(r.isOK()) {
- if(first[0]) {
+ Result<ApprovalDAO.Data> r = q.approvalDAO().create(trans,ad);
+ if (r.isOK()) {
+ if (first[0]) {
first[0] = false;
} else {
sb.append(", ");
Code Review / aaf / authz.git / blobdiff