diff options
Diffstat (limited to 'auth/auth-batch')
-rw-r--r-- | auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java | 22 | ||||
-rw-r--r-- | auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java | 9 |
2 files changed, 23 insertions, 8 deletions
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java index 5cab5297..227717b7 100644 --- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java +++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java @@ -57,6 +57,7 @@ import org.onap.aaf.auth.batch.helpers.X509; import org.onap.aaf.auth.dao.cass.CredDAO; import org.onap.aaf.auth.dao.cass.UserRoleDAO; import org.onap.aaf.auth.env.AuthzTrans; +import org.onap.aaf.auth.org.Organization.Expiration; import org.onap.aaf.auth.org.Organization.Identity; import org.onap.aaf.auth.org.OrganizationException; import org.onap.aaf.cadi.configure.Factory; @@ -392,12 +393,33 @@ public class Analyze extends Batch { } return; } + if(org.isRevoked(trans, ur.user())) { + GregorianCalendar gc = new GregorianCalendar(); + gc.setTime(ur.expires()); + GregorianCalendar gracePeriodEnds = org.expiration(gc, Expiration.RevokedGracePeriodEnds, ur.user()); + if(now.after(gracePeriodEnds.getTime())) { + ur.row(deleteCW, UserRole.UR,"Revoked ID, no grace period left"); + } else { + ur.row(notCompliantCW, UserRole.UR, "Revoked ID: WARNING! GracePeriod Ends " + gracePeriodEnds.toString()); + } + return; + } ur.row(deleteCW, UserRole.UR,"Not in Organization"); return; } else if(Role.byName.get(ur.role())==null) { ur.row(deleteCW, UserRole.UR,String.format("Role %s does not exist", ur.role())); return; + // Make sure owners can still be owners. + } else if(ur.role().endsWith(".owner")) { + String err = identity.mayOwn(); + if(err!=null) { + ur.row(deleteCW, UserRole.UR,String.format("%s may not be an owner: %s",ur.user(),err)); + return; + } } + + + // Just let expired UserRoles sit until deleted if(futureRange.inRange(ur.expires())&&(!mur.containsKey(ur.user() + '|' + ur.role()))) { // Cannot just delete owners, unless there is at least one left. Process later diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java index 408a17bc..f346f7dd 100644 --- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java +++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java @@ -26,11 +26,9 @@ import java.io.File; import java.io.IOException; import java.util.Date; import java.util.GregorianCalendar; -import java.util.Iterator; import java.util.List; -import java.util.Map; -import java.util.TreeMap; import java.util.UUID; + import org.onap.aaf.auth.batch.Batch; import org.onap.aaf.auth.env.AuthzTrans; import org.onap.aaf.auth.org.OrganizationException; @@ -42,11 +40,6 @@ import org.onap.aaf.misc.env.TimeTaken; import org.onap.aaf.misc.env.util.Chrono; import org.onap.aaf.misc.env.util.Split; -import com.datastax.driver.core.ResultSet; -import com.datastax.driver.core.Row; -import com.datastax.driver.core.SimpleStatement; -import com.datastax.driver.core.Statement; - public class ApprovedRpt extends Batch { |