* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
public enum FUTURE_OP {
C("Create"),U("Update"),D("Delete"),G("Grant"),UG("UnGrant"),A("Approval");
-
+
private String desc;
-
+
private FUTURE_OP(String desc) {
this.desc = desc;
}
-
+
public String desc() {
return desc;
}
-
+
/**
* Same as valueOf(), but passes back null instead of throwing Exception
* @param value
public enum OP_STATUS {
E("Executed"),D("Denied"),P("Pending"),L("Lapsed");
-
+
private String desc;
public final static Result<OP_STATUS> RE = Result.ok(OP_STATUS.E);
public final static Result<OP_STATUS> RD = Result.ok(OP_STATUS.D);
private OP_STATUS(String desc) {
this.desc = desc;
}
-
+
public String desc() {
return desc;
}
-
+
}
public static final String FOP_CRED = "cred";
/**
* createNS
- *
+ *
* Create Namespace
- *
+ *
* @param trans
* @param org
* @param ns
* @param user
* @return
* @throws DAOException
- *
+ *
* To create an NS, you need to: 1) validate permission to
* modify parent NS 2) Does NS exist already? 3) Create NS with
* a) "user" as owner. NOTE: Per 10-15 request for AAF 1.0 4)
Identity orgUser = org.getIdentity(trans, u);
String reason;
if (orgUser == null) {
- return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName());
+ return Result.err(Status.ERR_Policy,"%s is not a valid user at %s",u,org.getName());
} else if ((reason=orgUser.mayOwn())!=null) {
if (org.isTestEnv()) {
String reason2;
return Result.err(Status.ERR_ConflictAlreadyExists,
"Target Namespace already exists");
}
-
+
// 2.1) Does role exist with that name
if(cname!=null && q.roleDAO().read(trans, parent, cname).isOKhasData()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
trans.error().log(rpdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = rdd.ns;
String delP2 = rdd.name;
rdd.ns = namespace.name;
rdd.name = (delP2.length() > targetNameDot) ? delP2
.substring(targetNameDot) : "";
-
+
// Need to use non-cached, because switching namespaces, not
// "create" per se
if ((rq = q.roleDAO().create(trans, rdd)).isOK()) {
for (PermDAO.Data pdd : lpdd) {
q.permDAO().addRole(trans, pdd, rdd);
}
- // Change data for User Roles
+ // Change data for User Roles
Result<List<UserRoleDAO.Data>> rurd = q.userRoleDAO().readByRole(trans, rdd.fullName());
if (rurd.isOKhasData()) {
for (UserRoleDAO.Data urd : rurd.value) {
for (PermDAO.Data pdd : rpdc.value) {
// Remove old Perm from Roles, save them off
List<RoleDAO.Data> lrdd = new ArrayList<>();
-
+
for (String rl : pdd.roles(false)) {
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
if (rrdd.isOKhasData()) {
trans.error().log(rrdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = pdd.ns;
String delP2 = pdd.type;
/**
* deleteNS
- *
+ *
* Delete Namespace
- *
+ *
* @param trans
* @param org
* @param ns
* @param user
* @return
* @throws DAOException
- *
- *
+ *
+ *
* To delete an NS, you need to: 1) validate permission to
* modify this NS 2) Find all Roles with this NS, and 2a) if
* Force, delete them, else modify to Parent NS 3) Find all
if (rq.notOK()) {
return Result.err(rq);
}
-
+
rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
if (rq.notOK()) {
Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner");
return Result.err(Status.ERR_Security,
"%s is not a valid AAF Credential", user);
}
-
+
for (CredDAO.Data cd : cdr.value) {
if (cd.expires.after(now)) {
return Result.ok();
}
rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
- if (rq.notOK()) {
+ if (rq.notOK()) {
// Even though not a "writer", Owners still determine who gets to be an Admin
Result<List<UserRoleDAO.Data>> ruinr = q.userRoleDAO().readUserInRole(trans, trans.user(),ns+".owner");
if (!(ruinr.isOKhasData() && ruinr.value.get(0).expires.after(new Date()))) {
/**
* Helper function that moves permissions from a namespace being deleted to
* its parent namespace
- *
+ *
* @param trans
* @param parent
* @param sb
}
// Remove old Perm from Roles, save them off
List<RoleDAO.Data> lrdd = new ArrayList<>();
-
+
for (String rl : pdd.roles(false)) {
Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
if (rrdd.isOKhasData()) {
trans.error().log(rrdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = pdd.ns;
NsSplit nss = new NsSplit(parent, pdd.fullType());
/**
* Helper function that moves roles from a namespace being deleted to its
* parent namespace
- *
+ *
* @param trans
* @param parent
* @param sb
trans.error().log(rpdd.errorString());
}
}
-
+
// Save off Old keys
String delP1 = rdd.ns;
/**
* Create Permission (and any missing Permission between this and Parent) if
* we have permission
- *
+ *
* Pass in the desired Management Permission for this Permission
- *
+ *
* If Force is set, then Roles listed will be created, if allowed,
* pre-granted.
*/
Result<PermDAO.Data> pdr = q.permDAO().create(trans, perm);
if (pdr.isOK()) {
return Result.ok();
- } else {
+ } else {
return Result.err(pdr);
}
}
/**
* Only owner of Permission may add to Role
- *
+ *
* If force set, however, Role will be created before Grant, if User is
* allowed to create.
- *
+ *
* @param trans
* @param role
* @param pd
*/
public Result<Void> addPermToRole(AuthzTrans trans, RoleDAO.Data role,PermDAO.Data pd, boolean fromApproval) {
String user = trans.user();
-
+
if (!fromApproval) {
Result<NsDAO.Data> rRoleCo = q.deriveFirstNsForType(trans, role.ns, NsType.COMPANY);
if (rRoleCo.notOK()) {
return Result.err(r);
}
}
-
+
// Must be Perm Admin, or Granted Special Permission
Result<NsDAO.Data> ucp = q.mayUser(trans, user, pd, Access.write);
if (ucp.notOK()) {
// Don't allow CLI potential Grantees to change their own AAF
// Perms,
- if ((ROOT_NS.equals(pd.ns) && Question.NS.equals(pd.type))
+ if ((ROOT_NS.equals(pd.ns) && Question.NS.equals(pd.type))
|| !q.isGranted(trans, trans.user(),ROOT_NS,Question.PERM, rPermCo.value.name, "grant")) {
// Not otherwise granted
// TODO Needed?
/**
* Either Owner of Role or Permission may delete from Role
- *
+ *
* @param trans
* @param role
* @param pd
/**
* Add a User to Role
- *
+ *
* 1) Role must exist 2) User must be a known Credential (i.e. mechID ok if
* Credential) or known Organizational User
- *
+ *
* @param trans
* @param org
* @param urData
rv = checkValidID(trans, new Date(), urData.user);
}
if (rv.notOK()) {
- return rv;
+ return rv;
}
-
+
// Check if record exists
if (q.userRoleDAO().read(trans, urData).isOKhasData()) {
return Result.err(Status.ERR_ConflictAlreadyExists,
}
urData.expires = trans.org().expiration(null, Expiration.UserInRole, urData.user).getTime();
-
-
+
+
Result<UserRoleDAO.Data> udr = q.userRoleDAO().create(trans, urData);
if (udr.status == OK) {
return Result.ok();
/**
* Extend User Role.
- *
+ *
* extend the Expiration data, according to Organization rules.
- *
+ *
* @param trans
* @param org
* @param urData
return Result.err(Status.ERR_UserRoleNotFound,
"User Role does not exist");
}
-
+
if (q.roleDAO().read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
return Result.err(Status.ERR_RoleNotFound,
"Role [%s.%s] does not exist", urData.ns,urData.rname);
}
}
}
-
+
if (owners.isEmpty()) {
return Result.err(Result.ERR_NotFound,"No Owners found for " + nsd.name);
}
-
+
// Create Future Object
-
+
Result<FutureDAO.Data> fr = q.futureDAO().create(trans, data, id);
if (fr.isOK()) {
sb.append("Created Future: ");
} catch (Exception e) {
return Result.err(e);
}
-
+
return Result.ok(sb.toString());
}
public interface Lookup<T> {
T get(AuthzTrans trans, Object ... keys);
}
-
+
public Lookup<UserRoleDAO.Data> urDBLookup = new Lookup<UserRoleDAO.Data>() {
@Override
public UserRoleDAO.Data get(AuthzTrans trans, Object ... keys) {
};
/**
- * Note: if "allApprovals for Ticket is null, it will be looked up.
+ * Note: if "allApprovals for Ticket is null, it will be looked up.
* if "fdd" is null, it will be looked up, but
- *
+ *
* They can be passed for performance reasons.
- *
+ *
* @param trans
* @param cd
* @param allApprovalsForTicket
return Result.err(Result.ERR_BadData,"Cannot reconstitute %1",curr.memo);
}
}
-
+
boolean aDenial = false;
int cntSuper=0, appSuper=0,cntOwner=0, appOwner=0;
for (ApprovalDAO.Data add : la.get(trans)) {
break;
}
}
-
+
Result<OP_STATUS> ros=null;
if (aDenial) {
ros = OP_STATUS.RD;
}
}
}
-
+
// Decision: If not Denied, and at least owner, if exists, and at least one Super, if exists
boolean goDecision = (cntOwner>0?appOwner>0:true) && (cntSuper>0?appSuper>0:true);
if (fop == FUTURE_OP.C) {
ros = set(OP_STATUS.RE, q.credDAO().dao().create(trans, data));
}
- }
+ }
} catch (Exception e) {
trans.error().log("Exception: ", e.getMessage(),
" \n occurred while performing", curr.memo,
//return Result.err(Status.ACC_Future, "Full Approvals not obtained: No action taken");
ros = OP_STATUS.RP;
}
-
+
return ros;
}
}
}
- private Result<ApprovalDAO.Data> addIdentity(AuthzTrans trans, StringBuilder sb,
+ private Result<ApprovalDAO.Data> addIdentity(AuthzTrans trans, StringBuilder sb,
Boolean[] first, String user, String memo, FUTURE_OP op, Identity u, UUID ticket, String type) throws OrganizationException {
ApprovalDAO.Data ad = new ApprovalDAO.Data();
// Note ad.id is set by ApprovalDAO Create
Code Review / aaf / authz.git / blobdiff