diff options
Diffstat (limited to 'auth/auth-service/src')
8 files changed, 153 insertions, 376 deletions
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java index 90d4744a..6a63907d 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java @@ -25,6 +25,7 @@ import javax.servlet.Filter; import org.onap.aaf.auth.cache.Cache; import org.onap.aaf.auth.dao.CassAccess; +import org.onap.aaf.auth.dao.cass.CacheInfoDAO; import org.onap.aaf.auth.dao.hl.Question; import org.onap.aaf.auth.direct.DirectAAFLur; import org.onap.aaf.auth.direct.DirectAAFUserPass; @@ -96,8 +97,10 @@ public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> { // Need Question for Security purposes (direct User/Authz Query in Filter) // Start Background Processing - question = new Question(trans, cluster, CassAccess.KEYSPACE, true); - DirectCertIdentity.set(question.certDAO); + question = new Question(trans, cluster, CassAccess.KEYSPACE); + question.startTimers(env); + + DirectCertIdentity.set(question.certDAO()); // Have AAFLocator object Create DirectLocators for Location needs AbsAAFLocator.setCreator(new DirectLocatorCreator(env, question.locateDAO)); @@ -190,10 +193,20 @@ public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> { new DirectRegistrar(access,question.locateDAO, actualPort) }; } + + @Override + public void postStartup(final String hostname, final int port) throws APIException { + try { + CacheInfoDAO.startUpdate(env, aafCon().hman(), aafCon().securityInfo().defSS,hostname,port); + } catch (CadiException | LocatorException e) { + throw new APIException(e); + } + } @Override public void destroy() { Cache.stopTimer(); + CacheInfoDAO.stopUpdate(); if (cluster!=null) { cluster.close(); } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 81a9d5ec..751825c1 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -168,6 +168,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(parentNs); } + // Note: Data validate occurs in func.createNS if (namespace.name.lastIndexOf('.')<0) { // Root Namespace... Function will check if allowed return func.createNS(trans, namespace, false); } @@ -299,7 +300,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } // Check if exists already - Result<List<Data>> rlnsd = ques.nsDAO.read(trans, ns); + Result<List<Data>> rlnsd = ques.nsDAO().read(trans, ns); if (rlnsd.notOKorIsEmpty()) { return Result.err(rlnsd); } @@ -318,7 +319,8 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE // Add Attrib nsd.attrib.put(key, value); - ques.nsDAO.dao().attribAdd(trans,ns,key,value); + ques.nsDAO().dao().attribAdd(trans,ns,key,value); + ques.nsDAO().invalidate(trans, nsd); return Result.ok(); } finally { tt.done(); @@ -349,7 +351,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_Denied,"%s may not read NS by Attrib '%s'",trans.user(),key); } - Result<Set<String>> rsd = ques.nsDAO.dao().readNsByAttrib(trans, key); + Result<Set<String>> rsd = ques.nsDAO().dao().readNsByAttrib(trans, key); if (rsd.notOK()) { return Result.err(rsd); } @@ -382,7 +384,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } // Check if exists already (NS must exist) - Result<List<Data>> rlnsd = ques.nsDAO.read(trans, ns); + Result<List<Data>> rlnsd = ques.nsDAO().read(trans, ns); if (rlnsd.notOKorIsEmpty()) { return Result.err(rlnsd); } @@ -401,8 +403,8 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE // Add Attrib nsd.attrib.put(key, value); - - return ques.nsDAO.update(trans,nsd); + ques.nsDAO().invalidate(trans, nsd); + return ques.nsDAO().update(trans,nsd); } finally { tt.done(); @@ -433,7 +435,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } // Check if exists already - Result<List<Data>> rlnsd = ques.nsDAO.read(trans, ns); + Result<List<Data>> rlnsd = ques.nsDAO().read(trans, ns); if (rlnsd.notOKorIsEmpty()) { return Result.err(rlnsd); } @@ -451,7 +453,8 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE // Add Attrib nsd.attrib.remove(key); - ques.nsDAO.dao().attribRemove(trans,ns,key); + ques.nsDAO().dao().attribRemove(trans,ns,key); + ques.nsDAO().invalidate(trans, nsd); return Result.ok(); } finally { tt.done(); @@ -465,8 +468,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE expectedCode = 200, errorCodes = { 404,406 }, text = { - "Lists the Admin(s), Responsible Party(s), Role(s), Permission(s)", - "Credential(s) and Expiration of Credential(s) in Namespace :id", + "Lists the Owner(s), Admin(s), Description, and Attributes of Namespace :id", } ) @Override @@ -476,7 +478,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_BadData,v.errs()); } - Result<List<NsDAO.Data>> rlnd = ques.nsDAO.read(trans, ns); + Result<List<NsDAO.Data>> rlnd = ques.nsDAO().read(trans, ns); if (rlnd.isOK()) { if (rlnd.isEmpty()) { return Result.err(Status.ERR_NotFound, "No data found for %s",ns); @@ -563,7 +565,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } private Result<Collection<Namespace>> loadNamepace(AuthzTrans trans, String user, String endsWith, boolean full) { - Result<List<UserRoleDAO.Data>> urd = ques.userRoleDAO.readByUser(trans, user); + Result<List<UserRoleDAO.Data>> urd = ques.userRoleDAO().readByUser(trans, user); if (urd.notOKorIsEmpty()) { return Result.err(urd); } @@ -679,7 +681,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } Set<Namespace> lm = new HashSet<>(); - Result<List<NsDAO.Data>> rlnd = ques.nsDAO.dao().getChildren(trans, parent); + Result<List<NsDAO.Data>> rlnd = ques.nsDAO().dao().getChildren(trans, parent); if (rlnd.isOK()) { if (rlnd.isEmpty()) { return Result.err(Status.ERR_NotFound, "No data found for %s",parent); @@ -727,7 +729,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } Namespace namespace = nsd.value; - Result<List<NsDAO.Data>> rlnd = ques.nsDAO.read(trans, namespace.name); + Result<List<NsDAO.Data>> rlnd = ques.nsDAO().read(trans, namespace.name); if (rlnd.notOKorIsEmpty()) { return Result.err(Status.ERR_NotFound, "Namespace [%s] does not exist",namespace.name); @@ -737,7 +739,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_Denied, "You do not have approval to change %s",namespace.name); } - Result<Void> rdr = ques.nsDAO.dao().addDescription(trans, namespace.name, namespace.description); + Result<Void> rdr = ques.nsDAO().dao().addDescription(trans, namespace.name, namespace.description); if (rdr.isOK()) { return Result.ok(); } else { @@ -797,6 +799,12 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE @Override public Result<Void> createPerm(final AuthzTrans trans,REQUEST rreq) { final Result<PermDAO.Data> newPd = mapper.perm(trans, rreq); + // Does Perm Type exist as a Namespace? + if(newPd.value.type.isEmpty() || ques.nsDAO().read(trans, newPd.value.fullType()).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Permission Type exists as a Namespace"); + } + final ServiceValidator v = new ServiceValidator(); if (v.perm(newPd).err()) { return Result.err(Status.ERR_BadData,v.errs()); @@ -822,7 +830,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return nsd; } }); - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, newPd.value.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, newPd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1138,7 +1146,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(rnd); } - Result<List<PermDAO.Data>> rlpd = ques.permDAO.readNS(trans, ns); + Result<List<PermDAO.Data>> rlpd = ques.permDAO().readNS(trans, ns); if (rlpd.notOK()) { return Result.err(rlpd); } @@ -1176,7 +1184,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } Result<NsSplit> nss = ques.deriveNsSplit(trans, origType); - Result<List<PermDAO.Data>> origRlpd = ques.permDAO.read(trans, nss.value.ns, nss.value.name, origInstance, origAction); + Result<List<PermDAO.Data>> origRlpd = ques.permDAO().read(trans, nss.value.ns, nss.value.name, origInstance, origAction); if (origRlpd.notOKorIsEmpty()) { return Result.err(Status.ERR_PermissionNotFound, @@ -1235,7 +1243,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_BadData,v.errs()); } final PermDAO.Data perm = pd.value; - if (ques.permDAO.read(trans, perm.ns, perm.type, perm.instance,perm.action).notOKorIsEmpty()) { + if (ques.permDAO().read(trans, perm.ns, perm.type, perm.instance,perm.action).notOKorIsEmpty()) { return Result.err(Status.ERR_NotFound, "Permission [%s.%s|%s|%s] does not exist", perm.ns,perm.type,perm.instance,perm.action); } @@ -1245,12 +1253,12 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE perm.ns,perm.type,perm.instance,perm.action); } - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, pd.value.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, pd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } - Result<Void> rdr = ques.permDAO.addDescription(trans, perm.ns, perm.type, perm.instance, + Result<Void> rdr = ques.permDAO().addDescription(trans, perm.ns, perm.type, perm.instance, perm.action, perm.description); if (rdr.isOK()) { return Result.ok(); @@ -1287,7 +1295,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } // Read full set to get CURRENT values - Result<List<PermDAO.Data>> rcurr = ques.permDAO.read(trans, + Result<List<PermDAO.Data>> rcurr = ques.permDAO().read(trans, updt.value.ns, updt.value.type, updt.value.instance, @@ -1321,7 +1329,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if (!currRoles.contains(role)) { Result<RoleDAO.Data> key = RoleDAO.Data.decode(trans, ques, role); if (key.isOKhasData()) { - Result<List<RoleDAO.Data>> rrd = ques.roleDAO.read(trans, key.value); + Result<List<RoleDAO.Data>> rrd = ques.roleDAO().read(trans, key.value); if (rrd.isOKhasData()) { for (RoleDAO.Data r : rrd.value) { rv = func.addPermToRole(trans, r, curr, false); @@ -1341,7 +1349,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if (!updtRoles.contains(role)) { Result<RoleDAO.Data> key = RoleDAO.Data.decode(trans, ques, role); if (key.isOKhasData()) { - Result<List<RoleDAO.Data>> rdd = ques.roleDAO.read(trans, key.value); + Result<List<RoleDAO.Data>> rdd = ques.roleDAO().read(trans, key.value); if (rdd.isOKhasData()) { for (RoleDAO.Data r : rdd.value) { rv = func.delPermFromRole(trans, r, curr, true); @@ -1380,7 +1388,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_BadData,v.errs()); } final PermDAO.Data perm = pd.value; - if (ques.permDAO.read(trans, perm).notOKorIsEmpty()) { + if (ques.permDAO().read(trans, perm).notOKorIsEmpty()) { return Result.err(Status.ERR_PermissionNotFound, "Permission [%s.%s|%s|%s] does not exist", perm.ns,perm.type,perm.instance,perm.action ); } @@ -1405,7 +1413,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE switch(fd.status) { case OK: - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, perm.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, perm.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1483,12 +1491,17 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE @Override public Result<Void> createRole(final AuthzTrans trans, REQUEST from) { final Result<RoleDAO.Data> rd = mapper.role(trans, from); + // Does Perm Type exist as a Namespace? + if(rd.value.name.isEmpty() || ques.nsDAO().read(trans, rd.value.fullName()).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Role exists as a Namespace"); + } final ServiceValidator v = new ServiceValidator(); if (v.role(rd).err()) { return Result.err(Status.ERR_BadData,v.errs()); } final RoleDAO.Data role = rd.value; - if (ques.roleDAO.read(trans, role.ns, role.name).isOKhasData()) { + if (ques.roleDAO().read(trans, role.ns, role.name).isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "Role [" + role.fullName() + "] already exists"); } @@ -1512,7 +1525,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } }); - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rd.value.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, rd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1529,7 +1542,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(rfc); } case Status.ACC_Now: - Result<RoleDAO.Data> rdr = ques.roleDAO.create(trans, role); + Result<RoleDAO.Data> rdr = ques.roleDAO().create(trans, role); if (rdr.isOK()) { return Result.ok(); } else { @@ -1608,10 +1621,10 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE ROLES roles = mapper.newInstance(API.ROLES); // Get list of roles per user, then add to Roles as we go Result<List<RoleDAO.Data>> rlrd; - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, user); + Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, user); if (rlurd.isOKhasData()) { for (UserRoleDAO.Data urd : rlurd.value ) { - rlrd = ques.roleDAO.read(trans, urd.ns,urd.rname); + rlrd = ques.roleDAO().read(trans, urd.ns,urd.rname); // Note: Mapper will restrict what can be viewed // if user is the same as that which is looked up, no filtering is required if (rlrd.isOKhasData()) { @@ -1658,7 +1671,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE try { ROLES roles = mapper.newInstance(API.ROLES); // Get list of roles per user, then add to Roles as we go - Result<List<RoleDAO.Data>> rlrd = ques.roleDAO.readNS(trans, ns); + Result<List<RoleDAO.Data>> rlrd = ques.roleDAO().readNS(trans, ns); if (rlrd.isOK()) { if (!rlrd.isEmpty()) { // Note: Mapper doesn't need to restrict what can be viewed, because we did it already. @@ -1700,7 +1713,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE try { ROLES roles = mapper.newInstance(API.ROLES); // Get list of roles per user, then add to Roles as we go - Result<List<RoleDAO.Data>> rlrd = ques.roleDAO.readName(trans, name); + Result<List<RoleDAO.Data>> rlrd = ques.roleDAO().readName(trans, name); if (rlrd.isOK()) { if (!rlrd.isEmpty()) { // Note: Mapper will restrict what can be viewed @@ -1757,13 +1770,13 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(res); } - Result<List<PermDAO.Data>> pdlr = ques.permDAO.read(trans, pdd); + Result<List<PermDAO.Data>> pdlr = ques.permDAO().read(trans, pdd); if (pdlr.isOK())for (PermDAO.Data pd : pdlr.value) { Result<List<RoleDAO.Data>> rlrd; for (String r : pd.roles) { Result<String[]> rs = RoleDAO.Data.decodeToArray(trans, ques, r); if (rs.isOK()) { - rlrd = ques.roleDAO.read(trans, rs.value[0],rs.value[1]); + rlrd = ques.roleDAO().read(trans, rs.value[0],rs.value[1]); // Note: Mapper will restrict what can be viewed if (rlrd.isOKhasData()) { mapper.roles(trans,rlrd.value,roles,true); @@ -1799,7 +1812,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } } final RoleDAO.Data role = rd.value; - if (ques.roleDAO.read(trans, role.ns, role.name).notOKorIsEmpty()) { + if (ques.roleDAO().read(trans, role.ns, role.name).notOKorIsEmpty()) { return Result.err(Status.ERR_NotFound, "Role [" + role.fullName() + "] does not exist"); } @@ -1807,12 +1820,12 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_Denied, "You do not have approval to change " + role.fullName()); } - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rd.value.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, rd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } - Result<Void> rdr = ques.roleDAO.addDescription(trans, role.ns, role.name, role.description); + Result<Void> rdr = ques.roleDAO().addDescription(trans, role.ns, role.name, role.description); if (rdr.isOK()) { return Result.ok(); } else { @@ -1861,13 +1874,13 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_BadData,v.errs()); } - Result<List<RoleDAO.Data>> rlrd = ques.roleDAO.read(trans, rrd.value.ns, rrd.value.name); + Result<List<RoleDAO.Data>> rlrd = ques.roleDAO().read(trans, rrd.value.ns, rrd.value.name); if (rlrd.notOKorIsEmpty()) { return Result.err(Status.ERR_RoleNotFound, "Role [%s] does not exist", rrd.value.fullName()); } // Check Status of Data in DB (does it exist) - Result<List<PermDAO.Data>> rlpd = ques.permDAO.read(trans, rpd.value.ns, + Result<List<PermDAO.Data>> rlpd = ques.permDAO().read(trans, rpd.value.ns, rpd.value.type, rpd.value.instance, rpd.value.action); PermDAO.Data createPerm = null; // if not null, create first if (rlpd.notOKorIsEmpty()) { // Permission doesn't exist @@ -1908,7 +1921,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return nsd; } }); - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rpd.value.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, rpd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1980,7 +1993,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } private Result<Void> delPermFromRole(final AuthzTrans trans, PermDAO.Data pdd, RoleDAO.Data rdd, REQUEST rreq) { - Result<List<PermDAO.Data>> rlpd = ques.permDAO.read(trans, pdd.ns, pdd.type, + Result<List<PermDAO.Data>> rlpd = ques.permDAO().read(trans, pdd.ns, pdd.type, pdd.instance, pdd.action); if (rlpd.notOKorIsEmpty()) { @@ -2007,7 +2020,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return nsd; } }); - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, pdd.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, pdd.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2070,12 +2083,12 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(rrns); } - final Result<List<RoleDAO.Data>> rrd = ques.roleDAO.read(trans, rrns.value.parent, rrns.value.name); + final Result<List<RoleDAO.Data>> rrd = ques.roleDAO().read(trans, rrns.value.parent, rrns.value.name); if (rrd.notOKorIsEmpty()) { return Result.err(rrd); } - final Result<List<PermDAO.Data>> rpd = ques.permDAO.read(trans, rpns.value.parent, rpns.value.name, instance, action); + final Result<List<PermDAO.Data>> rpd = ques.permDAO().read(trans, rpns.value.parent, rpns.value.name, instance, action); if (rpd.notOKorIsEmpty()) { return Result.err(rpd); } @@ -2131,7 +2144,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_BadData,v.errs()); } final RoleDAO.Data role = rd.value; - if (ques.roleDAO.read(trans, role).notOKorIsEmpty() && !trans.requested(force)) { + if (ques.roleDAO().read(trans, role).notOKorIsEmpty() && !trans.requested(force)) { return Result.err(Status.ERR_RoleNotFound, "Role [" + role.fullName() + "] does not exist"); } @@ -2151,7 +2164,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE switch(fd.status) { case OK: - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rd.value.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, rd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2299,7 +2312,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_Policy,"MechIDs must be registered with %s before provisioning in AAF",org.getName()); } - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rcred.value.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, rcred.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(Status.ERR_NsNotFound,"Cannot provision %s on non-existent Namespace %s",mechID.id(),rcred.value.ns); } @@ -2309,7 +2322,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE MayChange mc; CassExecutor exec = new CassExecutor(trans, func); - Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, rcred.value.id); + Result<List<CredDAO.Data>> rlcd = ques.credDAO().readID(trans, rcred.value.id); if (rlcd.isOKhasData()) { if (!org.canHaveMultipleCreds(rcred.value.id)) { return Result.err(Status.ERR_ConflictAlreadyExists, "Credential exists"); @@ -2335,7 +2348,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE String theMechID = rcred.value.id; Boolean otherMechIDs = false; // find out if this is the only mechID. other MechIDs mean special handling (not automated) - for (CredDAO.Data cd : ques.credDAO.readNS(trans,nsr.value.get(0).name).value) { + for (CredDAO.Data cd : ques.credDAO().readNS(trans,nsr.value.get(0).name).value) { if (!cd.id.equals(theMechID)) { otherMechIDs = true; break; @@ -2396,7 +2409,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE trans.error().log(e, "While setting expiration to TempPassword"); } - Result<?>udr = ques.credDAO.create(trans, rcred.value); + Result<?>udr = ques.credDAO().create(trans, rcred.value); if (udr.isOK()) { return Result.ok(); } @@ -2442,7 +2455,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE TimeTaken tt = trans.start("MAP Creds by NS to Creds", Env.SUB); try { USERS users = mapper.newInstance(API.USERS); - Result<List<CredDAO.Data>> rlcd = ques.credDAO.readNS(trans, ns); + Result<List<CredDAO.Data>> rlcd = ques.credDAO().readNS(trans, ns); if (rlcd.isOK()) { if (!rlcd.isEmpty()) { @@ -2489,7 +2502,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE TimeTaken tt = trans.start("MAP Creds by ID to Creds", Env.SUB); try { USERS users = mapper.newInstance(API.USERS); - Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, id); + Result<List<CredDAO.Data>> rlcd = ques.credDAO().readID(trans, id); if (rlcd.isOK()) { if (!rlcd.isEmpty()) { @@ -2519,7 +2532,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE TimeTaken tt = trans.start("Get Cert Info by ID", Env.SUB); try { CERTS certs = mapper.newInstance(API.CERTS); - Result<List<CertDAO.Data>> rlcd = ques.certDAO.readID(trans, id); + Result<List<CertDAO.Data>> rlcd = ques.certDAO().readID(trans, id); if (rlcd.isOK()) { if (!rlcd.isEmpty()) { @@ -2560,7 +2573,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if (v.cred(trans, trans.org(),rcred,false).err()) {// Note: Creates have stricter Validations return Result.err(Status.ERR_BadData,v.errs()); } - Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, rcred.value.id); + Result<List<CredDAO.Data>> rlcd = ques.credDAO().readID(trans, rcred.value.id); if (rlcd.notOKorIsEmpty()) { return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); } @@ -2592,7 +2605,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE }, mc); - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, rcred.value.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, rcred.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2634,9 +2647,9 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE rcred.value.expires = org.expiration(null,exp).getTime(); } - udr = ques.credDAO.create(trans, rcred.value); + udr = ques.credDAO().create(trans, rcred.value); if (udr.isOK()) { - udr = ques.credDAO.delete(trans, rlcd.value.get(entry),false); + udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false); } if (udr.isOK()) { return Result.ok(); @@ -2712,7 +2725,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } // Get the list of Cred Entries - Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, cred.value.id); + Result<List<CredDAO.Data>> rlcd = ques.credDAO().readID(trans, cred.value.id); if (rlcd.notOKorIsEmpty()) { return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); } @@ -2735,7 +2748,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime(); cd.tag = found.tag; - cred = ques.credDAO.create(trans, cd); + cred = ques.credDAO().create(trans, cd); if (cred.isOK()) { return Result.ok(); } @@ -2796,13 +2809,13 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_BadData,v.errs()); } - Result<List<CredDAO.Data>> rlcd = ques.credDAO.readID(trans, cred.value.id); + Result<List<CredDAO.Data>> rlcd = ques.credDAO().readID(trans, cred.value.id); if (rlcd.notOKorIsEmpty()) { // Empty Creds should have no user_roles. - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, cred.value.id); + Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO.delete(trans, data, false); + ques.userRoleDAO().delete(trans, data, false); } } return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); @@ -2859,7 +2872,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE ']', mc); - Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, cred.value.ns); + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, cred.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2880,20 +2893,20 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if (entry<0 || entry >= rlcd.value.size()) { return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); } - udr = ques.credDAO.delete(trans, rlcd.value.get(entry),false); + udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false); } else { for (CredDAO.Data curr : rlcd.value) { - udr = ques.credDAO.delete(trans, curr, false); + udr = ques.credDAO().delete(trans, curr, false); if (udr.notOK()) { return Result.err(udr); } } } if (isLastCred) { - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, cred.value.id); + Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO.delete(trans, data, false); + ques.userRoleDAO().delete(trans, data, false); } } } @@ -3094,7 +3107,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE // Get list of roles per user, then add to Roles as we go HashSet<UserRoleDAO.Data> userSet = new HashSet<>(); - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role); + Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByRole(trans, role); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { userSet.add(data); @@ -3127,7 +3140,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } // Get list of roles per user, then add to Roles as we go - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, user); + Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, user); if (rlurd.notOK()) { return Result.err(rlurd); } @@ -3188,172 +3201,9 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } - @ApiDoc( - method = PUT, - path = "/authz/userRole/user", - params = {}, - expectedCode = 200, - errorCodes = {403,404,406}, - text = { "Set a User's roles to the roles specified in the UserRoleRequest object.", - "WARNING: Roles supplied will be the ONLY roles attached to this user", - "If no roles are supplied, user's roles are reset." - } - ) - @Override - public Result<Void> resetRolesForUser(AuthzTrans trans, REQUEST rreq) { - Result<UserRoleDAO.Data> rurdd = mapper.userRole(trans, rreq); - final ServiceValidator v = new ServiceValidator(); - if (rurdd.notOKorIsEmpty()) { - return Result.err(rurdd); - } - if (v.user(trans.org(), rurdd.value.user).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - - Set<String> currRoles = new HashSet<>(); - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, rurdd.value.user); - if (rlurd.isOK()) { - for (UserRoleDAO.Data data : rlurd.value) { - currRoles.add(data.role); - } - } - - Result<Void> rv = null; - String[] roles; - if (rurdd.value.role==null) { - roles = new String[0]; - } else { - roles = rurdd.value.role.split(","); - } - - for (String role : roles) { - if (v.role(role).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques, role); - if (rrdd.notOK()) { - return Result.err(rrdd); - } - - rurdd.value.role(rrdd.value); - - Result<NsDAO.Data> nsd = ques.mayUser(trans, trans.user(), rrdd.value,Access.write); - if (nsd.notOK()) { - return Result.err(nsd); - } - Result<NsDAO.Data> nsr = ques.deriveNs(trans, role); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - - if (currRoles.contains(role)) { - currRoles.remove(role); - } else { - rv = func.addUserRole(trans, rurdd.value); - if (rv.notOK()) { - return rv; - } - } - } - - for (String role : currRoles) { - rurdd.value.role(trans,ques,role); - rv = ques.userRoleDAO.delete(trans, rurdd.value, false); - if (rv.notOK()) { - trans.info().log(rurdd.value.user,"/",rurdd.value.role, "expected to be deleted, but does not exist"); - // return rv; // if it doesn't exist, don't error out - } - - } - - return Result.ok(); - - } - - @ApiDoc( - method = PUT, - path = "/authz/userRole/role", - params = {}, - expectedCode = 200, - errorCodes = {403,404,406}, - text = { "Set a Role's users to the users specified in the UserRoleRequest object.", - "WARNING: Users supplied will be the ONLY users attached to this role", - "If no users are supplied, role's users are reset." - } - ) - @Override - public Result<Void> resetUsersForRole(AuthzTrans trans, REQUEST rreq) { - Result<UserRoleDAO.Data> rurdd = mapper.userRole(trans, rreq); - if (rurdd.notOKorIsEmpty()) { - return Result.err(rurdd); - } - final ServiceValidator v = new ServiceValidator(); - if (v.user_role(rurdd.value).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - - RoleDAO.Data rd = RoleDAO.Data.decode(rurdd.value); - - Result<NsDAO.Data> nsd = ques.mayUser(trans, trans.user(), rd, Access.write); - if (nsd.notOK()) { - return Result.err(nsd); - } - - Result<NsDAO.Data> nsr = ques.deriveNs(trans, rurdd.value.role); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - - Set<String> currUsers = new HashSet<>(); - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, rurdd.value.role); - if (rlurd.isOK()) { - for (UserRoleDAO.Data data : rlurd.value) { - currUsers.add(data.user); - } - } - - // found when connected remotely to DEVL, can't replicate locally - // inconsistent errors with cmd: role user setTo [nothing] - // deleteUserRole --> read --> get --> cacheIdx(?) - // sometimes returns idx for last added user instead of user passed in - // cache bug? - - - Result<Void> rv = null; - String[] users = {}; - if (rurdd.value.user != null) { - users = rurdd.value.user.split(","); - } - - for (String user : users) { - if (v.user(trans.org(), user).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - rurdd.value.user = user; - - if (currUsers.contains(user)) { - currUsers.remove(user); - } else { - rv = func.addUserRole(trans, rurdd.value); - if (rv.notOK()) { - return rv; - } - } - } - - for (String user : currUsers) { - rurdd.value.user = user; - rv = ques.userRoleDAO.delete(trans, rurdd.value, false); - if (rv.notOK()) { - trans.info().log(rurdd.value, "expected to be deleted, but not exists"); - return rv; - } - } - - return Result.ok(); - } + - @ApiDoc( + @ApiDoc( method = GET, path = "/authz/userRole/extend/:user/:role", params = { "user|string|true", @@ -3386,7 +3236,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(rcr); } - Result<List<UserRoleDAO.Data>> rr = ques.userRoleDAO.read(trans, user,role); + Result<List<UserRoleDAO.Data>> rr = ques.userRoleDAO().read(trans, user,role); if (rr.notOK()) { return Result.err(rr); } @@ -3461,7 +3311,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } Result<List<UserRoleDAO.Data>> rulr; - if ((rulr=ques.userRoleDAO.read(trans, usr, role)).notOKorIsEmpty()) { + if ((rulr=ques.userRoleDAO().read(trans, usr, role)).notOKorIsEmpty()) { return Result.err(Status.ERR_UserRoleNotFound, "User [ "+usr+" ] is not " + "Assigned to the Role [ " + role + " ]"); } @@ -3485,7 +3335,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(rfc); } } else { - return ques.userRoleDAO.delete(trans, rulr.value.get(0), false); + return ques.userRoleDAO().delete(trans, rulr.value.get(0), false); } } @@ -3521,7 +3371,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } HashSet<UserRoleDAO.Data> userSet = new HashSet<>(); - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readUserInRole(trans, user, role); + Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readUserInRole(trans, user, role); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { userSet.add(data); @@ -3573,7 +3423,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } HashSet<UserRoleDAO.Data> userSet = new HashSet<>(); - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role); + Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByRole(trans, role); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { if (contactOnly) { //scrub data @@ -3626,7 +3476,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(nss); } - Result<List<NsDAO.Data>> nsd = ques.nsDAO.read(trans, nss.value.ns); + Result<List<NsDAO.Data>> nsd = ques.nsDAO().read(trans, nss.value.ns); if (nsd.notOK()) { return Result.err(nsd); } @@ -3640,7 +3490,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE Set<UserRoleDAO.Data> userSet = new HashSet<>(); if (!nss.isEmpty()) { - Result<List<PermDAO.Data>> rlp = ques.permDAO.readByType(trans, nss.value.ns, nss.value.name); + Result<List<PermDAO.Data>> rlp = ques.permDAO().readByType(trans, nss.value.ns, nss.value.name); if (rlp.isOKhasData()) { for (PermDAO.Data pd : rlp.value) { if ((allInstance || pd.instance.equals(instance)) && @@ -3649,7 +3499,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE for (String role : pd.roles) { if (!roleUsed.contains(role)) { // avoid evaluating Role many times roleUsed.add(role); - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role.replace('|', '.')); + Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByRole(trans, role.replace('|', '.')); if (rlurd.isOKhasData()) { for (UserRoleDAO.Data urd : rlurd.value) { userSet.add(urd); @@ -3703,7 +3553,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } } } - Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readByUser(trans, user, yyyymm); + Result<List<HistoryDAO.Data>> resp = ques.historyDAO().readByUser(trans, user, yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3726,7 +3576,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if (rnd.notOK()) { return Result.err(rnd); } - Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readBySubject(trans, role, "role", yyyymm); + Result<List<HistoryDAO.Data>> resp = ques.historyDAO().readBySubject(trans, role, "role", yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3751,7 +3601,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if (rnd.notOK()) { return Result.err(rnd); } - Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readBySubject(trans, type, "perm", yyyymm); + Result<List<HistoryDAO.Data>> resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3775,7 +3625,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(rnd); } - Result<List<HistoryDAO.Data>> resp = ques.historyDAO.readBySubject(trans, ns, "ns", yyyymm); + Result<List<HistoryDAO.Data>> resp = ques.historyDAO().readBySubject(trans, ns, "ns", yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3805,7 +3655,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE final DelegateDAO.Data dd = rd.value; - Result<List<DelegateDAO.Data>> ddr = ques.delegateDAO.read(trans, dd); + Result<List<DelegateDAO.Data>> ddr = ques.delegateDAO().read(trans, dd); if (access==Access.create && ddr.isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "[%s] already delegates to [%s]", dd.user, ddr.value.get(0).delegate); } else if (access!=Access.create && ddr.notOKorIsEmpty()) { @@ -3845,14 +3695,14 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } case Status.ACC_Now: if (access==Access.create) { - Result<DelegateDAO.Data> rdr = ques.delegateDAO.create(trans, dd); + Result<DelegateDAO.Data> rdr = ques.delegateDAO().create(trans, dd); if (rdr.isOK()) { return Result.ok(); } else { return Result.err(rdr); } } else { - return ques.delegateDAO.update(trans, dd); + return ques.delegateDAO().update(trans, dd); } default: return Result.err(fd); @@ -3868,7 +3718,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } Result<List<DelegateDAO.Data>> ddl; - if ((ddl=ques.delegateDAO.read(trans, rd.value)).notOKorIsEmpty()) { + if ((ddl=ques.delegateDAO().read(trans, rd.value)).notOKorIsEmpty()) { return Result.err(Status.ERR_DelegateNotFound,"Cannot delete non-existent Delegate"); } final DelegateDAO.Data dd = ddl.value.get(0); @@ -3877,7 +3727,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return rv; } - return ques.delegateDAO.delete(trans, dd, false); + return ques.delegateDAO().delete(trans, dd, false); } @Override @@ -3889,7 +3739,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } dd.user = userName; Result<List<DelegateDAO.Data>> ddl; - if ((ddl=ques.delegateDAO.read(trans, dd)).notOKorIsEmpty()) { + if ((ddl=ques.delegateDAO().read(trans, dd)).notOKorIsEmpty()) { return Result.err(Status.ERR_DelegateNotFound,"Cannot delete non-existent Delegate"); } dd = ddl.value.get(0); @@ -3898,7 +3748,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return rv; } - return ques.delegateDAO.delete(trans, dd, false); + return ques.delegateDAO().delete(trans, dd, false); } @Override @@ -3918,7 +3768,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE TimeTaken tt = trans.start("Get delegates for a user", Env.SUB); - Result<List<DelegateDAO.Data>> dbDelgs = ques.delegateDAO.read(trans, user); + Result<List<DelegateDAO.Data>> dbDelgs = ques.delegateDAO().read(trans, user); try { if (dbDelgs.isOKhasData()) { return mapper.delegate(dbDelgs.value); @@ -3946,7 +3796,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE TimeTaken tt = trans.start("Get users for a delegate", Env.SUB); - Result<List<DelegateDAO.Data>> dbDelgs = ques.delegateDAO.readByDelegate(trans, delegate); + Result<List<DelegateDAO.Data>> dbDelgs = ques.delegateDAO().readByDelegate(trans, delegate); try { if (dbDelgs.isOKhasData()) { return mapper.delegate(dbDelgs.value); @@ -3979,16 +3829,16 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE Lookup<List<ApprovalDAO.Data>> apprByTicket=null; for (ApprovalDAO.Data updt : rlad.value) { if (updt.ticket!=null) { - curr = ques.approvalDAO.readByTicket(trans, updt.ticket); + curr = ques.approvalDAO().readByTicket(trans, updt.ticket); if (curr.isOKhasData()) { final List<ApprovalDAO.Data> add = curr.value; // Store a Pre-Lookup apprByTicket = (trans1, noop) -> add; } } else if (updt.id!=null) { - curr = ques.approvalDAO.read(trans, updt); + curr = ques.approvalDAO().read(trans, updt); } else if (updt.approver!=null) { - curr = ques.approvalDAO.readByApprover(trans, updt.approver); + curr = ques.approvalDAO().readByApprover(trans, updt.approver); } else { return Result.err(Status.ERR_BadData,"Approvals need ID, Ticket or Approval data to update"); } @@ -4024,7 +3874,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if (cd.ticket!=null) { FutureDAO.Data fdd = futureCache.get(cd.ticket); if (fdd==null) { // haven't processed ticket yet - Result<FutureDAO.Data> rfdd = ques.futureDAO.readPrimKey(trans, cd.ticket); + Result<FutureDAO.Data> rfdd = ques.futureDAO().readPrimKey(trans, cd.ticket); if (rfdd.isOK()) { fdd = rfdd.value; // null is ok } else { @@ -4067,7 +3917,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE ++numProcessed; } if (ch.hasChanged()) { - ques.approvalDAO.update(trans, cd, true); + ques.approvalDAO().update(trans, cd, true); } } } @@ -4110,7 +3960,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_BadData,v.errs()); } - Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO.readByUser(trans, user); + Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO().readByUser(trans, user); if (rapd.isOK()) { return mapper.approvals(rapd.value); } else { @@ -4131,7 +3981,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(Status.ERR_BadData,e.getMessage()); } - Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO.readByTicket(trans, uuid); + Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO().readByTicket(trans, uuid); if (rapd.isOK()) { return mapper.approvals(rapd.value); } else { @@ -4148,19 +3998,19 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE List<ApprovalDAO.Data> listRapds = new ArrayList<>(); - Result<List<ApprovalDAO.Data>> myRapd = ques.approvalDAO.readByApprover(trans, approver); + Result<List<ApprovalDAO.Data>> myRapd = ques.approvalDAO().readByApprover(trans, approver); if (myRapd.notOK()) { return Result.err(myRapd); } listRapds.addAll(myRapd.value); - Result<List<DelegateDAO.Data>> delegatedFor = ques.delegateDAO.readByDelegate(trans, approver); + Result<List<DelegateDAO.Data>> delegatedFor = ques.delegateDAO().readByDelegate(trans, approver); if (delegatedFor.isOK()) { for (DelegateDAO.Data dd : delegatedFor.value) { if (dd.expires.after(new Date())) { String delegator = dd.user; - Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO.readByApprover(trans, delegator); + Result<List<ApprovalDAO.Data>> rapd = ques.approvalDAO().readByApprover(trans, delegator); if (rapd.isOK()) { for (ApprovalDAO.Data d : rapd.value) { if (!d.user.equals(trans.user())) { @@ -4210,7 +4060,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE */ @Override public void dbReset(AuthzTrans trans) { - ques.historyDAO.reportPerhapsReset(trans, null); + ques.historyDAO().reportPerhapsReset(trans, null); } } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java index 178e1aae..a89f64ed 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java @@ -566,21 +566,10 @@ public interface AuthzService<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERT */ public Result<USERROLES> getUserRolesByUser(AuthzTrans trans, String user); - /** - * - * @param trans - * @param from - * @return - */ - public Result<Void> resetRolesForUser(AuthzTrans trans, REQUEST from); - - /** - * - * @param trans - * @param from - * @return + /* + * Note: Removed "resetRolesForUsers" because it was too dangerous, and + * removed "resetUsersForRoles" because it was being misused. */ - public Result<Void> resetUsersForRole(AuthzTrans trans, REQUEST from); /** * diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java index 7a028c91..c8bae9f0 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java @@ -112,7 +112,6 @@ public class API_Creds { decoded.substring(0,colon), CredVal.Type.PASSWORD , decoded.substring(colon+1).getBytes(),trans)) { - resp.setStatus(HttpStatus.OK_200); } else { // DME2 at this version crashes without some sort of response diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java index 7937a184..a56b7c26 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java @@ -104,21 +104,17 @@ public class API_UserRole { } }); - + /* TODO + * REMOVE dangerous resetUsersForRole and resetRolesForUser APIs + */ + final Result<Object> removeAPI = Result.err(Result.ERR_NotFound,"API Removed, use /authz/userRole instead."); /** * Update roles attached to user in path */ authzAPI.route(PUT,"/authz/userRole/user",API.USER_ROLE_REQ,new Code(facade,"Update Roles for a user", true) { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - Result<Void> r = context.resetRolesForUser(trans, resp, req); - switch(r.status) { - case OK: - resp.setStatus(HttpStatus.OK_200); - break; - default: - context.error(trans,resp,r); - } + context.error(trans,resp,removeAPI); } }); @@ -129,16 +125,14 @@ public class API_UserRole { authzAPI.route(PUT,"/authz/userRole/role",API.USER_ROLE_REQ,new Code(facade,"Update Users for a role", true) { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - Result<Void> r = context.resetUsersForRole(trans, resp, req); - switch(r.status) { - case OK: - resp.setStatus(HttpStatus.OK_200); - break; - default: - context.error(trans,resp,r); - } + context.error(trans,resp,removeAPI); } }); + + /* + * END REMOVE Dangerous API + */ + /** * Extend Expiration Date (according to Organizational rules) diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java index a08e958f..463de35f 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java @@ -210,10 +210,10 @@ public interface AuthzFacade { public abstract Result<Void> getUserRolesByUser(AuthzTrans trans, HttpServletResponse resp, String user); public abstract Result<Void> deleteUserRole(AuthzTrans trans, HttpServletResponse resp, String user, String role); - - public abstract Result<Void> resetUsersForRole(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req); - public abstract Result<Void> resetRolesForUser(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req); + /* + * resetUsersForRoles and resetRolesForUsers is too dangerous and not helpful. + */ public abstract Result<Void> extendUserRoleExpiration(AuthzTrans trans, HttpServletResponse resp, String user, String role); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java index a2fb2209..02fa842f 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java @@ -66,9 +66,9 @@ import org.onap.aaf.auth.service.mapper.Mapper.API; import org.onap.aaf.cadi.aaf.client.Examples; import org.onap.aaf.misc.env.APIException; import org.onap.aaf.misc.env.Data; +import org.onap.aaf.misc.env.Data.TYPE; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; -import org.onap.aaf.misc.env.Data.TYPE; import org.onap.aaf.misc.env.util.Chrono; import org.onap.aaf.misc.rosetta.Marshal; import org.onap.aaf.misc.rosetta.env.RosettaDF; @@ -1939,8 +1939,8 @@ public abstract class AuthzFacadeImpl<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE private static final String GET_USERROLES = "getUserRoles"; private static final String GET_USERROLES_BY_ROLE = "getUserRolesByRole"; private static final String GET_USERROLES_BY_USER = "getUserRolesByUser"; - private static final String SET_ROLES_FOR_USER = "setRolesForUser"; - private static final String SET_USERS_FOR_ROLE = "setUsersForRole"; +// private static final String SET_ROLES_FOR_USER = "setRolesForUser"; +// private static final String SET_USERS_FOR_ROLE = "setUsersForRole"; private static final String EXTEND_USER_ROLE = "extendUserRole"; private static final String DELETE_USER_ROLE = "deleteUserRole"; @Override @@ -2060,75 +2060,6 @@ public abstract class AuthzFacadeImpl<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } - @Override - public Result<Void> resetUsersForRole(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req) { - TimeTaken tt = trans.start(SET_USERS_FOR_ROLE, Env.SUB|Env.ALWAYS); - try { - REQUEST rreq; - try { - RosettaData<REQUEST> data = userRoleRequestDF.newData().load(req.getInputStream()); - if (Question.willSpecialLog(trans, trans.user())) { - Question.logEncryptTrace(trans,data.asString()); - } - rreq = data.asObject(); - } catch (APIException e) { - trans.error().log("Invalid Input",IN, SET_USERS_FOR_ROLE); - return Result.err(Status.ERR_BadData,"Invalid Input"); - } - - Result<Void> rp = service.resetUsersForRole(trans, rreq); - - switch(rp.status) { - case OK: - setContentType(resp,permsDF.getOutType()); - return Result.ok(); - default: - return Result.err(rp); - } - } catch (Exception e) { - trans.error().log(e,IN,SET_USERS_FOR_ROLE); - return Result.err(e); - } finally { - tt.done(); - } - - } - - @Override - public Result<Void> resetRolesForUser(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req) { - TimeTaken tt = trans.start(SET_ROLES_FOR_USER, Env.SUB|Env.ALWAYS); - try { - REQUEST rreq; - try { - RosettaData<REQUEST> data = userRoleRequestDF.newData().load(req.getInputStream()); - if (Question.willSpecialLog(trans, trans.user())) { - Question.logEncryptTrace(trans,data.asString()); - } - - rreq = data.asObject(); - } catch (APIException e) { - trans.error().log("Invalid Input",IN, SET_ROLES_FOR_USER); - return Result.err(Status.ERR_BadData,"Invalid Input"); - } - - Result<Void> rp = service.resetRolesForUser(trans, rreq); - - switch(rp.status) { - case OK: - setContentType(resp,permsDF.getOutType()); - return Result.ok(); - default: - return Result.err(rp); - } - } catch (Exception e) { - trans.error().log(e,IN,SET_ROLES_FOR_USER); - return Result.err(e); - } finally { - tt.done(); - } - - } - /* (non-Javadoc) * @see com.att.authz.facade.AuthzFacade#extendUserRoleExpiration(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String, java.lang.String) */ diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java index 2d322390..72a24d21 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java @@ -541,6 +541,7 @@ public class Mapper_2_0 implements Mapper<Nss, Perms, Pkey, Roles, Users, UserRo user.setId(cred.id); user.setExpires(Chrono.timeStamp(cred.expires)); user.setType(cred.type); + user.setTag(cred.tag); cu.add(user); } return Result.ok(to); |