diff options
Diffstat (limited to 'authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl')
4 files changed, 2919 insertions, 0 deletions
diff --git a/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/CassExecutor.java b/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/CassExecutor.java new file mode 100644 index 00000000..f05a9172 --- /dev/null +++ b/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/CassExecutor.java @@ -0,0 +1,74 @@ +/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.dao.aaf.hl;
+
+import org.onap.aaf.authz.env.AuthzTrans;
+import org.onap.aaf.authz.layer.Result;
+import org.onap.aaf.authz.org.Executor;
+import org.onap.aaf.dao.aaf.cass.NsSplit;
+import org.onap.aaf.dao.aaf.cass.NsDAO.Data;
+
+public class CassExecutor implements Executor {
+
+ private Question q;
+ private Function f;
+ private AuthzTrans trans;
+
+ public CassExecutor(AuthzTrans trans, Function f) {
+ this.trans = trans;
+ this.f = f;
+ this.q = this.f.q;
+ }
+
+ @Override
+ public boolean hasPermission(String user, String ns, String type, String instance, String action) {
+ return isGranted(user, ns, type, instance, action);
+ }
+
+ @Override
+ public boolean inRole(String name) {
+ Result<NsSplit> nss = q.deriveNsSplit(trans, name);
+ if(nss.notOK())return false;
+ return q.roleDAO.read(trans, nss.value.ns,nss.value.name).isOKhasData();
+ }
+
+ public boolean isGranted(String user, String ns, String type, String instance, String action) {
+ return q.isGranted(trans, user, ns, type, instance,action);
+ }
+
+ @Override
+ public String namespace() throws Exception {
+ Result<Data> res = q.validNSOfDomain(trans,trans.user());
+ if(res.isOK()) {
+ String user[] = trans.user().split("\\.");
+ return user[user.length-1] + '.' + user[user.length-2];
+ }
+ throw new Exception(res.status + ' ' + res.details);
+ }
+
+ @Override
+ public String id() {
+ return trans.user();
+ }
+
+}
diff --git a/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/Function.java b/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/Function.java new file mode 100644 index 00000000..0404fee6 --- /dev/null +++ b/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/Function.java @@ -0,0 +1,1574 @@ +/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.dao.aaf.hl;
+
+import static org.onap.aaf.authz.layer.Result.OK;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.UUID;
+
+import org.onap.aaf.authz.common.Define;
+import org.onap.aaf.authz.env.AuthzTrans;
+import org.onap.aaf.authz.layer.Result;
+import org.onap.aaf.authz.org.Executor;
+import org.onap.aaf.authz.org.Organization;
+import org.onap.aaf.authz.org.Organization.Expiration;
+import org.onap.aaf.authz.org.Organization.Identity;
+import org.onap.aaf.authz.org.Organization.Policy;
+import org.onap.aaf.dao.DAOException;
+import org.onap.aaf.dao.aaf.cass.ApprovalDAO;
+import org.onap.aaf.dao.aaf.cass.CredDAO;
+import org.onap.aaf.dao.aaf.cass.DelegateDAO;
+import org.onap.aaf.dao.aaf.cass.FutureDAO;
+import org.onap.aaf.dao.aaf.cass.Namespace;
+import org.onap.aaf.dao.aaf.cass.NsDAO;
+import org.onap.aaf.dao.aaf.cass.NsSplit;
+import org.onap.aaf.dao.aaf.cass.NsType;
+import org.onap.aaf.dao.aaf.cass.PermDAO;
+import org.onap.aaf.dao.aaf.cass.RoleDAO;
+import org.onap.aaf.dao.aaf.cass.Status;
+import org.onap.aaf.dao.aaf.cass.UserRoleDAO;
+import org.onap.aaf.dao.aaf.cass.NsDAO.Data;
+import org.onap.aaf.dao.aaf.hl.Question.Access;
+
+public class Function {
+
+ public static final String FOP_CRED = "cred";
+ public static final String FOP_DELEGATE = "delegate";
+ public static final String FOP_NS = "ns";
+ public static final String FOP_PERM = "perm";
+ public static final String FOP_ROLE = "role";
+ public static final String FOP_USER_ROLE = "user_role";
+ // First Action should ALWAYS be "write", see "CreateRole"
+ public final Question q;
+
+ public Function(AuthzTrans trans, Question question) {
+ q = question;
+ }
+
+ private class ErrBuilder {
+ private StringBuilder sb;
+ private List<String> ao;
+
+ public void log(Result<?> result) {
+ if (result.notOK()) {
+ if (sb == null) {
+ sb = new StringBuilder();
+ ao = new ArrayList<String>();
+ }
+ sb.append(result.details);
+ sb.append('\n');
+ for (String s : result.variables) {
+ ao.add(s);
+ }
+ }
+ }
+
+ public String[] vars() {
+ String[] rv = new String[ao.size()];
+ ao.toArray(rv);
+ return rv;
+ }
+
+ public boolean hasErr() {
+ return sb != null;
+ }
+
+ @Override
+ public String toString() {
+ return sb == null ? "" : String.format(sb.toString(), ao);
+ }
+ }
+
+ /**
+ * createNS
+ *
+ * Create Namespace
+ *
+ * @param trans
+ * @param org
+ * @param ns
+ * @param user
+ * @return
+ * @throws DAOException
+ *
+ * To create an NS, you need to: 1) validate permission to
+ * modify parent NS 2) Does NS exist already? 3) Create NS with
+ * a) "user" as owner. NOTE: Per 10-15 request for AAF 1.0 4)
+ * Loop through Roles with Parent NS, and map any that start
+ * with this NS into this one 5) Loop through Perms with Parent
+ * NS, and map any that start with this NS into this one
+ */
+ public Result<Void> createNS(AuthzTrans trans, Namespace namespace, boolean fromApproval) {
+ Result<?> rq;
+
+ if (namespace.name.endsWith(Question.DOT_ADMIN)
+ || namespace.name.endsWith(Question.DOT_OWNER)) {
+ return Result.err(Status.ERR_BadData,
+ "'admin' and 'owner' are reserved names in AAF");
+ }
+
+ try {
+ for (String u : namespace.owner) {
+ Organization org = trans.org();
+ Identity orgUser = org.getIdentity(trans, u);
+ if (orgUser == null || !orgUser.isResponsible()) {
+ // check if user has explicit permission
+ String reason;
+ if (org.isTestEnv() && (reason=org.validate(trans, Policy.AS_EMPLOYEE,
+ new CassExecutor(trans, this), u))!=null) {
+ return Result.err(Status.ERR_Policy,reason);
+ }
+ }
+ }
+ } catch (Exception e) {
+ trans.error().log(e,
+ "Could not contact Organization for User Validation");
+ }
+
+ String user = trans.user();
+ // 1) May Change Parent?
+ int idx = namespace.name.lastIndexOf('.');
+ String parent;
+ if (idx < 0) {
+ if (!q.isGranted(trans, user, Define.ROOT_NS,Question.NS, ".", "create")) {
+ return Result.err(Result.ERR_Security,
+ "%s may not create Root Namespaces", user);
+ }
+ parent = null;
+ fromApproval = true;
+ } else {
+ parent = namespace.name.substring(0, idx);
+ }
+
+ if (!fromApproval) {
+ Result<NsDAO.Data> rparent = q.deriveNs(trans, parent);
+ if (rparent.notOK()) {
+ return Result.err(rparent);
+ }
+ rparent = q.mayUser(trans, user, rparent.value, Access.write);
+ if (rparent.notOK()) {
+ return Result.err(rparent);
+ }
+ }
+
+ // 2) Does requested NS exist
+ if (q.nsDAO.read(trans, namespace.name).isOKhasData()) {
+ return Result.err(Status.ERR_ConflictAlreadyExists,
+ "Target Namespace already exists");
+ }
+
+ // Someone must be responsible.
+ if (namespace.owner == null || namespace.owner.isEmpty()) {
+ return Result
+ .err(Status.ERR_Policy,
+ "Namespaces must be assigned at least one responsible party");
+ }
+
+ // 3) Create NS
+ Date now = new Date();
+
+ Result<Void> r;
+ // 3a) Admin
+
+ try {
+ // Originally, added the enterer as Admin, but that's not necessary,
+ // or helpful for Operations folks..
+ // Admins can be empty, because they can be changed by lower level
+ // NSs
+ // if(ns.admin(false).isEmpty()) {
+ // ns.admin(true).add(user);
+ // }
+ if (namespace.admin != null) {
+ for (String u : namespace.admin) {
+ if ((r = checkValidID(trans, now, u)).notOK()) {
+ return r;
+ }
+ }
+ }
+
+ // 3b) Responsible
+ Organization org = trans.org();
+ for (String u : namespace.owner) {
+ Identity orgUser = org.getIdentity(trans, u);
+ if (orgUser == null) {
+ return Result
+ .err(Status.ERR_BadData,
+ "NS must be created with an %s approved Responsible Party",
+ org.getName());
+ }
+ }
+ } catch (Exception e) {
+ return Result.err(Status.ERR_UserNotFound, e.getMessage());
+ }
+
+ // VALIDATIONS done... Add NS
+ if ((rq = q.nsDAO.create(trans, namespace.data())).notOK()) {
+ return Result.err(rq);
+ }
+
+ // Since Namespace is now created, we need to grab all subsequent errors
+ ErrBuilder eb = new ErrBuilder();
+
+ // Add UserRole(s)
+ UserRoleDAO.Data urdd = new UserRoleDAO.Data();
+ urdd.expires = trans.org().expiration(null, Expiration.UserInRole).getTime();
+ urdd.role(namespace.name, Question.ADMIN);
+ for (String admin : namespace.admin) {
+ urdd.user = admin;
+ eb.log(q.userRoleDAO.create(trans, urdd));
+ }
+ urdd.role(namespace.name,Question.OWNER);
+ for (String owner : namespace.owner) {
+ urdd.user = owner;
+ eb.log(q.userRoleDAO.create(trans, urdd));
+ }
+
+ addNSAdminRolesPerms(trans, eb, namespace.name);
+
+ addNSOwnerRolesPerms(trans, eb, namespace.name);
+
+ if (parent != null) {
+ // Build up with any errors
+
+ Result<NsDAO.Data> parentNS = q.deriveNs(trans, parent);
+ String targetNs = parentNS.value.name; // Get the Parent Namespace,
+ // not target
+ String targetName = namespace.name.substring(parentNS.value.name.length() + 1); // Remove the Parent Namespace from the
+ // Target + a dot, and you'll get the name
+ int targetNameDot = targetName.length() + 1;
+
+ // 4) Change any roles with children matching this NS, and
+ Result<List<RoleDAO.Data>> rrdc = q.roleDAO.readChildren(trans, targetNs, targetName);
+ if (rrdc.isOKhasData()) {
+ for (RoleDAO.Data rdd : rrdc.value) {
+ // Remove old Role from Perms, save them off
+ List<PermDAO.Data> lpdd = new ArrayList<PermDAO.Data>();
+ for(String p : rdd.perms(false)) {
+ Result<PermDAO.Data> rpdd = PermDAO.Data.decode(trans,q,p);
+ if(rpdd.isOKhasData()) {
+ PermDAO.Data pdd = rpdd.value;
+ lpdd.add(pdd);
+ q.permDAO.delRole(trans, pdd, rdd);
+ } else{
+ trans.error().log(rpdd.errorString());
+ }
+ }
+
+ // Save off Old keys
+ String delP1 = rdd.ns;
+ String delP2 = rdd.name;
+
+ // Write in new key
+ rdd.ns = namespace.name;
+ rdd.name = (delP2.length() > targetNameDot) ? delP2
+ .substring(targetNameDot) : "";
+
+ // Need to use non-cached, because switching namespaces, not
+ // "create" per se
+ if ((rq = q.roleDAO.create(trans, rdd)).isOK()) {
+ // Put Role back into Perm, with correct info
+ for(PermDAO.Data pdd : lpdd) {
+ q.permDAO.addRole(trans, pdd, rdd);
+ }
+ // Change data for User Roles
+ Result<List<UserRoleDAO.Data>> rurd = q.userRoleDAO.readByRole(trans, rdd.fullName());
+ if(rurd.isOKhasData()) {
+ for(UserRoleDAO.Data urd : rurd.value) {
+ urd.ns = rdd.ns;
+ urd.rname = rdd.name;
+ q.userRoleDAO.update(trans, urd);
+ }
+ }
+ // Now delete old one
+ rdd.ns = delP1;
+ rdd.name = delP2;
+ if ((rq = q.roleDAO.delete(trans, rdd, false)).notOK()) {
+ eb.log(rq);
+ }
+ } else {
+ eb.log(rq);
+ }
+ }
+ }
+
+ // 4) Change any Permissions with children matching this NS, and
+ Result<List<PermDAO.Data>> rpdc = q.permDAO.readChildren(trans,targetNs, targetName);
+ if (rpdc.isOKhasData()) {
+ for (PermDAO.Data pdd : rpdc.value) {
+ // Remove old Perm from Roles, save them off
+ List<RoleDAO.Data> lrdd = new ArrayList<RoleDAO.Data>();
+
+ for(String rl : pdd.roles(false)) {
+ Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
+ if(rrdd.isOKhasData()) {
+ RoleDAO.Data rdd = rrdd.value;
+ lrdd.add(rdd);
+ q.roleDAO.delPerm(trans, rdd, pdd);
+ } else{
+ trans.error().log(rrdd.errorString());
+ }
+ }
+
+ // Save off Old keys
+ String delP1 = pdd.ns;
+ String delP2 = pdd.type;
+ pdd.ns = namespace.name;
+ pdd.type = (delP2.length() > targetNameDot) ? delP2
+ .substring(targetNameDot) : "";
+ if ((rq = q.permDAO.create(trans, pdd)).isOK()) {
+ // Put Role back into Perm, with correct info
+ for(RoleDAO.Data rdd : lrdd) {
+ q.roleDAO.addPerm(trans, rdd, pdd);
+ }
+
+ pdd.ns = delP1;
+ pdd.type = delP2;
+ if ((rq = q.permDAO.delete(trans, pdd, false)).notOK()) {
+ eb.log(rq);
+ // } else {
+ // Need to invalidate directly, because we're
+ // switching places in NS, not normal cache behavior
+ // q.permDAO.invalidate(trans,pdd);
+ }
+ } else {
+ eb.log(rq);
+ }
+ }
+ }
+ if (eb.hasErr()) {
+ return Result.err(Status.ERR_ActionNotCompleted,eb.sb.toString(), eb.vars());
+ }
+ }
+ return Result.ok();
+ }
+
+ private void addNSAdminRolesPerms(AuthzTrans trans, ErrBuilder eb, String ns) {
+ // Admin Role/Perm
+ RoleDAO.Data rd = new RoleDAO.Data();
+ rd.ns = ns;
+ rd.name = "admin";
+ rd.description = "AAF Namespace Administrators";
+
+ PermDAO.Data pd = new PermDAO.Data();
+ pd.ns = ns;
+ pd.type = "access";
+ pd.instance = Question.ASTERIX;
+ pd.action = Question.ASTERIX;
+ pd.description = "AAF Namespace Write Access";
+
+ rd.perms = new HashSet<String>();
+ rd.perms.add(pd.encode());
+ eb.log(q.roleDAO.create(trans, rd));
+
+ pd.roles = new HashSet<String>();
+ pd.roles.add(rd.encode());
+ eb.log(q.permDAO.create(trans, pd));
+ }
+
+ private void addNSOwnerRolesPerms(AuthzTrans trans, ErrBuilder eb, String ns) {
+ RoleDAO.Data rd = new RoleDAO.Data();
+ rd.ns = ns;
+ rd.name = "owner";
+ rd.description = "AAF Namespace Owners";
+
+ PermDAO.Data pd = new PermDAO.Data();
+ pd.ns = ns;
+ pd.type = "access";
+ pd.instance = Question.ASTERIX;
+ pd.action = Question.READ;
+ pd.description = "AAF Namespace Read Access";
+
+ rd.perms = new HashSet<String>();
+ rd.perms.add(pd.encode());
+ eb.log(q.roleDAO.create(trans, rd));
+
+ pd.roles = new HashSet<String>();
+ pd.roles.add(rd.encode());
+ eb.log(q.permDAO.create(trans, pd));
+ }
+
+ /**
+ * deleteNS
+ *
+ * Delete Namespace
+ *
+ * @param trans
+ * @param org
+ * @param ns
+ * @param force
+ * @param user
+ * @return
+ * @throws DAOException
+ *
+ *
+ * To delete an NS, you need to: 1) validate permission to
+ * modify this NS 2) Find all Roles with this NS, and 2a) if
+ * Force, delete them, else modify to Parent NS 3) Find all
+ * Perms with this NS, and modify to Parent NS 3a) if Force,
+ * delete them, else modify to Parent NS 4) Find all IDs
+ * associated to this NS, and deny if exists. 5) Remove NS
+ */
+ public Result<Void> deleteNS(AuthzTrans trans, String ns) {
+ boolean force = trans.forceRequested();
+ boolean move = trans.moveRequested();
+ // 1) Validate
+ Result<List<NsDAO.Data>> nsl;
+ if ((nsl = q.nsDAO.read(trans, ns)).notOKorIsEmpty()) {
+ return Result.err(Status.ERR_NsNotFound, "%s does not exist", ns);
+ }
+ NsDAO.Data nsd = nsl.value.get(0);
+ NsType nt;
+ if (move && !q.canMove(nt = NsType.fromType(nsd.type))) {
+ return Result.err(Status.ERR_Denied, "Namespace Force=move not permitted for Type %s",nt.name());
+ }
+
+ Result<NsDAO.Data> dnr = q.mayUser(trans, trans.user(), nsd, Access.write);
+ if (dnr.status != Status.OK) {
+ return Result.err(dnr);
+ }
+
+ // 2) Find Parent
+ String user = trans.user();
+ int idx = ns.lastIndexOf('.');
+ NsDAO.Data parent;
+ if (idx < 0) {
+ if (!q.isGranted(trans, user, Define.ROOT_NS,Question.NS, ".", "delete")) {
+ return Result.err(Result.ERR_Security,
+ "%s may not delete Root Namespaces", user);
+ }
+ parent = null;
+ } else {
+ Result<NsDAO.Data> rlparent = q.deriveNs(trans, ns.substring(0, idx));
+ if (rlparent.notOKorIsEmpty()) {
+ return Result.err(rlparent);
+ }
+ parent = rlparent.value;
+ }
+
+ // Build up with any errors
+ // If sb != null below is an indication of error
+ StringBuilder sb = null;
+ ErrBuilder er = new ErrBuilder();
+
+ // 2a) Deny if any IDs on Namespace
+ Result<List<CredDAO.Data>> creds = q.credDAO.readNS(trans, ns);
+ if (creds.isOKhasData()) {
+ if (force || move) {
+ for (CredDAO.Data cd : creds.value) {
+ er.log(q.credDAO.delete(trans, cd, false));
+ // Since we're deleting all the creds, we should delete all
+ // the user Roles for that Cred
+ Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO
+ .readByUser(trans, cd.id);
+ if (rlurd.isOK()) {
+ for (UserRoleDAO.Data data : rlurd.value) {
+ q.userRoleDAO.delete(trans, data, false);
+ }
+ }
+
+ }
+ } else {
+ // first possible StringBuilder Create.
+ sb = new StringBuilder();
+ sb.append('[');
+ sb.append(ns);
+ sb.append("] contains users");
+ }
+ }
+
+ // 2b) Find (or delete if forced flag is set) dependencies
+ // First, find if NS Perms are the only ones
+ Result<List<PermDAO.Data>> rpdc = q.permDAO.readNS(trans, ns);
+ if (rpdc.isOKhasData()) {
+ // Since there are now NS perms, we have to count NON-NS perms.
+ // FYI, if we delete them now, and the NS is not deleted, it is in
+ // an inconsistent state.
+ boolean nonaccess = false;
+ for (PermDAO.Data pdd : rpdc.value) {
+ if (!"access".equals(pdd.type)) {
+ nonaccess = true;
+ break;
+ }
+ }
+ if (nonaccess && !force && !move) {
+ if (sb == null) {
+ sb = new StringBuilder();
+ sb.append('[');
+ sb.append(ns);
+ sb.append("] contains ");
+ } else {
+ sb.append(", ");
+ }
+ sb.append("permissions");
+ }
+ }
+
+ Result<List<RoleDAO.Data>> rrdc = q.roleDAO.readNS(trans, ns);
+ if (rrdc.isOKhasData()) {
+ // Since there are now NS roles, we have to count NON-NS roles.
+ // FYI, if we delete th)em now, and the NS is not deleted, it is in
+ // an inconsistent state.
+ int count = rrdc.value.size();
+ for (RoleDAO.Data rdd : rrdc.value) {
+ if ("admin".equals(rdd.name) || "owner".equals(rdd.name)) {
+ --count;
+ }
+ }
+ if (count > 0 && !force && !move) {
+ if (sb == null) {
+ sb = new StringBuilder();
+ sb.append('[');
+ sb.append(ns);
+ sb.append("] contains ");
+ } else {
+ sb.append(", ");
+ }
+ sb.append("roles");
+ }
+ }
+
+ // 2c) Deny if dependencies exist that would be moved to root level
+ // parent is root level parent here. Need to find closest parent ns that
+ // exists
+ if (sb != null) {
+ if (!force && !move) {
+ sb.append(".\n Delete dependencies and try again. Note: using \"force=true\" will delete all. \"force=move\" will delete Creds, but move Roles and Perms to parent.");
+ return Result.err(Status.ERR_DependencyExists, sb.toString());
+ }
+
+ if (move && (parent == null || parent.type == NsType.COMPANY.type)) {
+ return Result
+ .err(Status.ERR_DependencyExists,
+ "Cannot move users, roles or permissions to [%s].\nDelete dependencies and try again",
+ parent.name);
+ }
+ } else if (move && parent != null) {
+ sb = new StringBuilder();
+ // 3) Change any roles with children matching this NS, and
+ moveRoles(trans, parent, sb, rrdc);
+ // 4) Change any Perms with children matching this NS, and
+ movePerms(trans, parent, sb, rpdc);
+ }
+
+ if (sb != null && sb.length() > 0) {
+ return Result.err(Status.ERR_DependencyExists, sb.toString());
+ }
+
+ if (er.hasErr()) {
+ if (trans.debug().isLoggable()) {
+ trans.debug().log(er.toString());
+ }
+ return Result.err(Status.ERR_DependencyExists,
+ "Namespace members cannot be deleted for %s", ns);
+ }
+
+ // 5) OK... good to go for NS Deletion...
+ if (!rpdc.isEmpty()) {
+ for (PermDAO.Data perm : rpdc.value) {
+ deletePerm(trans, perm, true, true);
+ }
+ }
+ if (!rrdc.isEmpty()) {
+ for (RoleDAO.Data role : rrdc.value) {
+ deleteRole(trans, role, true, true);
+ }
+ }
+
+ return q.nsDAO.delete(trans, nsd, false);
+ }
+
+ public Result<List<String>> getOwners(AuthzTrans trans, String ns,
+ boolean includeExpired) {
+ return getUsersByRole(trans, ns + Question.DOT_OWNER, includeExpired);
+ }
+
+ private Result<Void> mayAddOwner(AuthzTrans trans, String ns, String id) {
+ Result<NsDAO.Data> rq = q.deriveNs(trans, ns);
+ if (rq.notOK()) {
+ return Result.err(rq);
+ }
+
+ rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
+ if (rq.notOK()) {
+ return Result.err(rq);
+ }
+
+ Identity user;
+ Organization org = trans.org();
+ try {
+ if ((user = org.getIdentity(trans, id)) == null) {
+ return Result.err(Status.ERR_Policy,
+ "%s reports that this is not a valid credential",
+ org.getName());
+ }
+ if (user.isResponsible()) {
+ return Result.ok();
+ } else {
+ String reason="This is not a Test Environment";
+ if (org.isTestEnv() && (reason = org.validate(trans, Policy.AS_EMPLOYEE,
+ new CassExecutor(trans, this), id))==null) {
+ return Result.ok();
+ }
+ return Result.err(Status.ERR_Policy,reason);
+ }
+ } catch (Exception e) {
+ return Result.err(e);
+ }
+ }
+
+ private Result<Void> mayAddAdmin(AuthzTrans trans, String ns, String id) {
+ // Does NS Exist?
+ Result<Void> r = checkValidID(trans, new Date(), id);
+ if (r.notOK()) {
+ return r;
+ }
+ // Is id able to be an Admin
+ Result<NsDAO.Data> rq = q.deriveNs(trans, ns);
+ if (rq.notOK()) {
+ return Result.err(rq);
+ }
+
+ rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
+ if (rq.notOK()) {
+ return Result.err(rq);
+ }
+ return r;
+ }
+
+ private Result<Void> checkValidID(AuthzTrans trans, Date now, String user) {
+ Organization org = trans.org();
+ if (user.endsWith(org.getRealm())) {
+ try {
+ if (org.getIdentity(trans, user) == null) {
+ return Result.err(Status.ERR_Denied,
+ "%s reports that %s is a faulty ID", org.getName(),
+ user);
+ }
+ return Result.ok();
+ } catch (Exception e) {
+ return Result.err(Result.ERR_Security,
+ "%s is not a valid %s Credential", user, org.getName());
+ }
+ } else {
+ Result<List<CredDAO.Data>> cdr = q.credDAO.readID(trans, user);
+ if (cdr.notOKorIsEmpty()) {
+ return Result.err(Status.ERR_Security,
+ "%s is not a valid AAF Credential", user);
+ }
+
+ for (CredDAO.Data cd : cdr.value) {
+ if (cd.expires.after(now)) {
+ return Result.ok();
+ }
+ }
+ }
+ return Result.err(Result.ERR_Security, "%s has expired", user);
+ }
+
+ public Result<Void> delOwner(AuthzTrans trans, String ns, String id) {
+ Result<NsDAO.Data> rq = q.deriveNs(trans, ns);
+ if (rq.notOK()) {
+ return Result.err(rq);
+ }
+
+ rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
+ if (rq.notOK()) {
+ return Result.err(rq);
+ }
+
+ return delUserRole(trans, id, ns,Question.OWNER);
+ }
+
+ public Result<List<String>> getAdmins(AuthzTrans trans, String ns, boolean includeExpired) {
+ return getUsersByRole(trans, ns + Question.DOT_ADMIN, includeExpired);
+ }
+
+ public Result<Void> delAdmin(AuthzTrans trans, String ns, String id) {
+ Result<NsDAO.Data> rq = q.deriveNs(trans, ns);
+ if (rq.notOK()) {
+ return Result.err(rq);
+ }
+
+ rq = q.mayUser(trans, trans.user(), rq.value, Access.write);
+ if (rq.notOK()) {
+ return Result.err(rq);
+ }
+
+ return delUserRole(trans, id, ns, Question.ADMIN);
+ }
+
+ /**
+ * Helper function that moves permissions from a namespace being deleted to
+ * its parent namespace
+ *
+ * @param trans
+ * @param parent
+ * @param sb
+ * @param rpdc
+ * - list of permissions in namespace being deleted
+ */
+ private void movePerms(AuthzTrans trans, NsDAO.Data parent,
+ StringBuilder sb, Result<List<PermDAO.Data>> rpdc) {
+
+ Result<Void> rv;
+ Result<PermDAO.Data> pd;
+
+ if (rpdc.isOKhasData()) {
+ for (PermDAO.Data pdd : rpdc.value) {
+ String delP2 = pdd.type;
+ if ("access".equals(delP2)) {
+ continue;
+ }
+ // Remove old Perm from Roles, save them off
+ List<RoleDAO.Data> lrdd = new ArrayList<RoleDAO.Data>();
+
+ for(String rl : pdd.roles(false)) {
+ Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
+ if(rrdd.isOKhasData()) {
+ RoleDAO.Data rdd = rrdd.value;
+ lrdd.add(rdd);
+ q.roleDAO.delPerm(trans, rdd, pdd);
+ } else{
+ trans.error().log(rrdd.errorString());
+ }
+ }
+
+ // Save off Old keys
+ String delP1 = pdd.ns;
+ NsSplit nss = new NsSplit(parent, pdd.fullType());
+ pdd.ns = nss.ns;
+ pdd.type = nss.name;
+ // Use direct Create/Delete, because switching namespaces
+ if ((pd = q.permDAO.create(trans, pdd)).isOK()) {
+ // Put Role back into Perm, with correct info
+ for(RoleDAO.Data rdd : lrdd) {
+ q.roleDAO.addPerm(trans, rdd, pdd);
+ }
+
+ pdd.ns = delP1;
+ pdd.type = delP2;
+ if ((rv = q.permDAO.delete(trans, pdd, false)).notOK()) {
+ sb.append(rv.details);
+ sb.append('\n');
+ // } else {
+ // Need to invalidate directly, because we're switching
+ // places in NS, not normal cache behavior
+ // q.permDAO.invalidate(trans,pdd);
+ }
+ } else {
+ sb.append(pd.details);
+ sb.append('\n');
+ }
+ }
+ }
+ }
+
+ /**
+ * Helper function that moves roles from a namespace being deleted to its
+ * parent namespace
+ *
+ * @param trans
+ * @param parent
+ * @param sb
+ * @param rrdc
+ * - list of roles in namespace being deleted
+ */
+ private void moveRoles(AuthzTrans trans, NsDAO.Data parent,
+ StringBuilder sb, Result<List<RoleDAO.Data>> rrdc) {
+
+ Result<Void> rv;
+ Result<RoleDAO.Data> rd;
+
+ if (rrdc.isOKhasData()) {
+ for (RoleDAO.Data rdd : rrdc.value) {
+ String delP2 = rdd.name;
+ if ("admin".equals(delP2) || "owner".equals(delP2)) {
+ continue;
+ }
+ // Remove old Role from Perms, save them off
+ List<PermDAO.Data> lpdd = new ArrayList<PermDAO.Data>();
+ for(String p : rdd.perms(false)) {
+ Result<PermDAO.Data> rpdd = PermDAO.Data.decode(trans,q,p);
+ if(rpdd.isOKhasData()) {
+ PermDAO.Data pdd = rpdd.value;
+ lpdd.add(pdd);
+ q.permDAO.delRole(trans, pdd, rdd);
+ } else{
+ trans.error().log(rpdd.errorString());
+ }
+ }
+
+ // Save off Old keys
+ String delP1 = rdd.ns;
+
+ NsSplit nss = new NsSplit(parent, rdd.fullName());
+ rdd.ns = nss.ns;
+ rdd.name = nss.name;
+ // Use direct Create/Delete, because switching namespaces
+ if ((rd = q.roleDAO.create(trans, rdd)).isOK()) {
+ // Put Role back into Perm, with correct info
+ for(PermDAO.Data pdd : lpdd) {
+ q.permDAO.addRole(trans, pdd, rdd);
+ }
+
+ rdd.ns = delP1;
+ rdd.name = delP2;
+ if ((rv = q.roleDAO.delete(trans, rdd, true)).notOK()) {
+ sb.append(rv.details);
+ sb.append('\n');
+ // } else {
+ // Need to invalidate directly, because we're switching
+ // places in NS, not normal cache behavior
+ // q.roleDAO.invalidate(trans,rdd);
+ }
+ } else {
+ sb.append(rd.details);
+ sb.append('\n');
+ }
+ }
+ }
+ }
+
+ /**
+ * Create Permission (and any missing Permission between this and Parent) if
+ * we have permission
+ *
+ * Pass in the desired Management Permission for this Permission
+ *
+ * If Force is set, then Roles listed will be created, if allowed,
+ * pre-granted.
+ */
+ public Result<Void> createPerm(AuthzTrans trans, PermDAO.Data perm, boolean fromApproval) {
+ String user = trans.user();
+ // Next, see if User is allowed to Manage Parent Permission
+
+ Result<NsDAO.Data> rnsd;
+ if (!fromApproval) {
+ rnsd = q.mayUser(trans, user, perm, Access.write);
+ if (rnsd.notOK()) {
+ return Result.err(rnsd);
+ }
+ } else {
+ rnsd = q.deriveNs(trans, perm.ns);
+ }
+
+ // Does Child exist?
+ if (!trans.forceRequested()) {
+ if (q.permDAO.read(trans, perm).isOKhasData()) {
+ return Result.err(Status.ERR_ConflictAlreadyExists,
+ "Permission [%s.%s|%s|%s] already exists.", perm.ns,
+ perm.type, perm.instance, perm.action);
+ }
+ }
+
+ // Attempt to add perms to roles, creating as possible
+ Set<String> roles;
+ String pstring = perm.encode();
+
+ // For each Role
+ for (String role : roles = perm.roles(true)) {
+ Result<RoleDAO.Data> rdd = RoleDAO.Data.decode(trans,q,role);
+ if(rdd.isOKhasData()) {
+ RoleDAO.Data rd = rdd.value;
+ if (!fromApproval) {
+ // May User write to the Role in question.
+ Result<NsDAO.Data> rns = q.mayUser(trans, user, rd,
+ Access.write);
+ if (rns.notOK()) {
+ // Remove the role from Add, because
+ roles.remove(role); // Don't allow adding
+ trans.warn()
+ .log("User [%s] does not have permission to relate Permissions to Role [%s]",
+ user, role);
+ }
+ }
+
+ Result<List<RoleDAO.Data>> rlrd;
+ if ((rlrd = q.roleDAO.read(trans, rd)).notOKorIsEmpty()) {
+ rd.perms(true).add(pstring);
+ if (q.roleDAO.create(trans, rd).notOK()) {
+ roles.remove(role); // Role doesn't exist, and can't be
+ // created
+ }
+ } else {
+ rd = rlrd.value.get(0);
+ if (!rd.perms.contains(pstring)) {
+ q.roleDAO.addPerm(trans, rd, perm);
+ }
+ }
+ }
+ }
+
+ Result<PermDAO.Data> pdr = q.permDAO.create(trans, perm);
+ if (pdr.isOK()) {
+ return Result.ok();
+ } else {
+ return Result.err(pdr);
+ }
+ }
+
+ public Result<Void> deletePerm(final AuthzTrans trans, final PermDAO.Data perm, boolean force, boolean fromApproval) {
+ String user = trans.user();
+
+ // Next, see if User is allowed to Manage Permission
+ Result<NsDAO.Data> rnsd;
+ if (!fromApproval) {
+ rnsd = q.mayUser(trans, user, perm, Access.write);
+ if (rnsd.notOK()) {
+ return Result.err(rnsd);
+ }
+ }
+ // Does Perm exist?
+ Result<List<PermDAO.Data>> pdr = q.permDAO.read(trans, perm);
+ if (pdr.notOKorIsEmpty()) {
+ return Result.err(Status.ERR_PermissionNotFound,"Permission [%s.%s|%s|%s] does not exist.",
+ perm.ns,perm.type, perm.instance, perm.action);
+ }
+ // Get perm, but with rest of data.
+ PermDAO.Data fullperm = pdr.value.get(0);
+
+ // Attached to any Roles?
+ if (fullperm.roles != null) {
+ if (force) {
+ for (String role : fullperm.roles) {
+ Result<Void> rv = null;
+ Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, q, role);
+ if(rrdd.isOKhasData()) {
+ trans.debug().log("Removing", role, "from", fullperm, "on Perm Delete");
+ if ((rv = q.roleDAO.delPerm(trans, rrdd.value, fullperm)).notOK()) {
+ if (rv.notOK()) {
+ trans.error().log("Error removing Role during delFromPermRole: ",
+ trans.getUserPrincipal(),
+ rv.errorString());
+ }
+ }
+ } else {
+ return Result.err(rrdd);
+ }
+ }
+ } else if (!fullperm.roles.isEmpty()) {
+ return Result
+ .err(Status.ERR_DependencyExists,
+ "Permission [%s.%s|%s|%s] cannot be deleted as it is attached to 1 or more roles.",
+ fullperm.ns, fullperm.type, fullperm.instance, fullperm.action);
+ }
+ }
+
+ return q.permDAO.delete(trans, fullperm, false);
+ }
+
+ public Result<Void> deleteRole(final AuthzTrans trans, final RoleDAO.Data role, boolean force, boolean fromApproval) {
+ String user = trans.user();
+
+ // Next, see if User is allowed to Manage Role
+ Result<NsDAO.Data> rnsd;
+ if (!fromApproval) {
+ rnsd = q.mayUser(trans, user, role, Access.write);
+ if (rnsd.notOK()) {
+ return Result.err(rnsd);
+ }
+ }
+
+ // Are there any Users Attached to Role?
+ Result<List<UserRoleDAO.Data>> urdr = q.userRoleDAO.readByRole(trans,role.fullName());
+ if (force) {
+ if (urdr.isOKhasData()) {
+ for (UserRoleDAO.Data urd : urdr.value) {
+ q.userRoleDAO.delete(trans, urd, false);
+ }
+ }
+ } else if (urdr.isOKhasData()) {
+ return Result.err(Status.ERR_DependencyExists,
+ "Role [%s.%s] cannot be deleted as it is used by 1 or more Users.",
+ role.ns, role.name);
+ }
+
+ // Does Role exist?
+ Result<List<RoleDAO.Data>> rdr = q.roleDAO.read(trans, role);
+ if (rdr.notOKorIsEmpty()) {
+ return Result.err(Status.ERR_RoleNotFound,
+ "Role [%s.%s] does not exist", role.ns, role.name);
+ }
+ RoleDAO.Data fullrole = rdr.value.get(0); // full key search
+
+ // Remove Self from Permissions... always, force or not. Force only applies to Dependencies (Users)
+ if (fullrole.perms != null) {
+ for (String perm : fullrole.perms(false)) {
+ Result<PermDAO.Data> rpd = PermDAO.Data.decode(trans,q,perm);
+ if (rpd.isOK()) {
+ trans.debug().log("Removing", perm, "from", fullrole,"on Role Delete");
+
+ Result<?> r = q.permDAO.delRole(trans, rpd.value, fullrole);
+ if (r.notOK()) {
+ trans.error().log("ERR_FDR1 unable to remove",fullrole,"from",perm,':',r.status,'-',r.details);
+ }
+ } else {
+ trans.error().log("ERR_FDR2 Could not remove",perm,"from",fullrole);
+ }
+ }
+ }
+ return q.roleDAO.delete(trans, fullrole, false);
+ }
+
+ /**
+ * Only owner of Permission may add to Role
+ *
+ * If force set, however, Role will be created before Grant, if User is
+ * allowed to create.
+ *
+ * @param trans
+ * @param role
+ * @param pd
+ * @return
+ */
+ public Result<Void> addPermToRole(AuthzTrans trans, RoleDAO.Data role,PermDAO.Data pd, boolean fromApproval) {
+ String user = trans.user();
+
+ if (!fromApproval) {
+ Result<NsDAO.Data> rRoleCo = q.deriveFirstNsForType(trans, role.ns, NsType.COMPANY);
+ if(rRoleCo.notOK()) {
+ return Result.err(rRoleCo);
+ }
+ Result<NsDAO.Data> rPermCo = q.deriveFirstNsForType(trans, pd.ns, NsType.COMPANY);
+ if(rPermCo.notOK()) {
+ return Result.err(rPermCo);
+ }
+
+ // Not from same company
+ if(!rRoleCo.value.name.equals(rPermCo.value.name)) {
+ Result<Data> r;
+ // Only grant if User ALSO has Write ability in Other Company
+ if((r = q.mayUser(trans, user, role, Access.write)).notOK()) {
+ return Result.err(r);
+ }
+ }
+
+
+ // Must be Perm Admin, or Granted Special Permission
+ Result<NsDAO.Data> ucp = q.mayUser(trans, user, pd, Access.write);
+ if (ucp.notOK()) {
+ // Don't allow CLI potential Grantees to change their own AAF
+ // Perms,
+ if ((Define.ROOT_NS.equals(pd.ns) && Question.NS.equals(pd.type))
+ || !q.isGranted(trans, trans.user(),Define.ROOT_NS,Question.PERM, rPermCo.value.name, "grant")) {
+ // Not otherwise granted
+ // TODO Needed?
+ return Result.err(ucp);
+ }
+ // Final Check... Don't allow Grantees to add to Roles they are
+ // part of
+ Result<List<UserRoleDAO.Data>> rlurd = q.userRoleDAO
+ .readByUser(trans, trans.user());
+ if (rlurd.isOK()) {
+ for (UserRoleDAO.Data ur : rlurd.value) {
+ if (role.ns.equals(ur.ns) && role.name.equals(ur.rname)) {
+ return Result.err(ucp);
+ }
+ }
+ }
+ }
+ }
+
+ Result<List<PermDAO.Data>> rlpd = q.permDAO.read(trans, pd);
+ if (rlpd.notOKorIsEmpty()) {
+ return Result.err(Status.ERR_PermissionNotFound,
+ "Permission must exist to add to Role");
+ }
+
+ Result<List<RoleDAO.Data>> rlrd = q.roleDAO.read(trans, role); // Already
+ // Checked
+ // for
+ // can
+ // change
+ // Role
+ Result<Void> rv;
+
+ if (rlrd.notOKorIsEmpty()) {
+ if (trans.forceRequested()) {
+ Result<NsDAO.Data> ucr = q.mayUser(trans, user, role,
+ Access.write);
+ if (ucr.notOK()) {
+ return Result
+ .err(Status.ERR_Denied,
+ "Role [%s.%s] does not exist. User [%s] cannot create.",
+ role.ns, role.name, user);
+ }
+
+ role.perms(true).add(pd.encode());
+ Result<RoleDAO.Data> rdd = q.roleDAO.create(trans, role);
+ if (rdd.isOK()) {
+ rv = Result.ok();
+ } else {
+ rv = Result.err(rdd);
+ }
+ } else {
+ return Result.err(Status.ERR_RoleNotFound,
+ "Role [%s.%s] does not exist.", role.ns, role.name);
+ }
+ } else {
+ role = rlrd.value.get(0);
+ if (role.perms(false).contains(pd.encode())) {
+ return Result.err(Status.ERR_ConflictAlreadyExists,
+ "Permission [%s.%s] is already a member of role [%s,%s]",
+ pd.ns, pd.type, role.ns, role.name);
+ }
+ role.perms(true).add(pd.encode()); // this is added for Caching
+ // access purposes... doesn't
+ // affect addPerm
+ rv = q.roleDAO.addPerm(trans, role, pd);
+ }
+ if (rv.status == Status.OK) {
+ return q.permDAO.addRole(trans, pd, role);
+ // exploring how to add information message to successful http
+ // request
+ }
+ return rv;
+ }
+
+ /**
+ * Either Owner of Role or Permission may delete from Role
+ *
+ * @param trans
+ * @param role
+ * @param pd
+ * @return
+ */
+ public Result<Void> delPermFromRole(AuthzTrans trans, RoleDAO.Data role,PermDAO.Data pd, boolean fromApproval) {
+ String user = trans.user();
+ if (!fromApproval) {
+ Result<NsDAO.Data> ucr = q.mayUser(trans, user, role, Access.write);
+ Result<NsDAO.Data> ucp = q.mayUser(trans, user, pd, Access.write);
+
+ // If Can't change either Role or Perm, then deny
+ if (ucr.notOK() && ucp.notOK()) {
+ return Result.err(Status.ERR_Denied,
+ "User [" + trans.user()
+ + "] does not have permission to delete ["
+ + pd.encode() + "] from Role ["
+ + role.fullName() + ']');
+ }
+ }
+
+ Result<List<RoleDAO.Data>> rlr = q.roleDAO.read(trans, role);
+ if (rlr.notOKorIsEmpty()) {
+ // If Bad Data, clean out
+ Result<List<PermDAO.Data>> rlp = q.permDAO.read(trans, pd);
+ if (rlp.isOKhasData()) {
+ for (PermDAO.Data pv : rlp.value) {
+ q.permDAO.delRole(trans, pv, role);
+ }
+ }
+ return Result.err(rlr);
+ }
+ String perm1 = pd.encode();
+ boolean notFound;
+ if (trans.forceRequested()) {
+ notFound = false;
+ } else { // only check if force not set.
+ notFound = true;
+ for (RoleDAO.Data r : rlr.value) {
+ if (r.perms != null) {
+ for (String perm : r.perms) {
+ if (perm1.equals(perm)) {
+ notFound = false;
+ break;
+ }
+ }
+ if(!notFound) {
+ break;
+ }
+ }
+ }
+ }
+ if (notFound) { // Need to check both, in case of corruption
+ return Result.err(Status.ERR_PermissionNotFound,
+ "Permission [%s.%s|%s|%s] not associated with any Role",
+ pd.ns,pd.type,pd.instance,pd.action);
+ }
+
+ // Read Perm for full data
+ Result<List<PermDAO.Data>> rlp = q.permDAO.read(trans, pd);
+ Result<Void> rv = null;
+ if (rlp.isOKhasData()) {
+ for (PermDAO.Data pv : rlp.value) {
+ if ((rv = q.permDAO.delRole(trans, pv, role)).isOK()) {
+ if ((rv = q.roleDAO.delPerm(trans, role, pv)).notOK()) {
+ trans.error().log(
+ "Error removing Perm during delFromPermRole:",
+ trans.getUserPrincipal(), rv.errorString());
+ }
+ } else {
+ trans.error().log(
+ "Error removing Role during delFromPermRole:",
+ trans.getUserPrincipal(), rv.errorString());
+ }
+ }
+ } else {
+ rv = q.roleDAO.delPerm(trans, role, pd);
+ if (rv.notOK()) {
+ trans.error().log("Error removing Role during delFromPermRole",
+ rv.errorString());
+ }
+ }
+ return rv == null ? Result.ok() : rv;
+ }
+
+ public Result<Void> delPermFromRole(AuthzTrans trans, String role,PermDAO.Data pd) {
+ Result<NsSplit> nss = q.deriveNsSplit(trans, role);
+ if (nss.notOK()) {
+ return Result.err(nss);
+ }
+ RoleDAO.Data rd = new RoleDAO.Data();
+ rd.ns = nss.value.ns;
+ rd.name = nss.value.name;
+ return delPermFromRole(trans, rd, pd, false);
+ }
+
+ /**
+ * Add a User to Role
+ *
+ * 1) Role must exist 2) User must be a known Credential (i.e. mechID ok if
+ * Credential) or known Organizational User
+ *
+ * @param trans
+ * @param org
+ * @param urData
+ * @return
+ * @throws DAOException
+ */
+ public Result<Void> addUserRole(AuthzTrans trans,UserRoleDAO.Data urData) {
+ Result<Void> rv;
+ if(Question.ADMIN.equals(urData.rname)) {
+ rv = mayAddAdmin(trans, urData.ns, urData.user);
+ } else if(Question.OWNER.equals(urData.rname)) {
+ rv = mayAddOwner(trans, urData.ns, urData.user);
+ } else {
+ rv = checkValidID(trans, new Date(), urData.user);
+ }
+ if(rv.notOK()) {
+ return rv;
+ }
+
+ // Check if record exists
+ if (q.userRoleDAO.read(trans, urData).isOKhasData()) {
+ return Result.err(Status.ERR_ConflictAlreadyExists,
+ "User Role exists");
+ }
+ if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
+ return Result.err(Status.ERR_RoleNotFound,
+ "Role [%s.%s] does not exist", urData.ns, urData.rname);
+ }
+
+ urData.expires = trans.org().expiration(null, Expiration.UserInRole, urData.user).getTime();
+
+
+ Result<UserRoleDAO.Data> udr = q.userRoleDAO.create(trans, urData);
+ switch (udr.status) {
+ case OK:
+ return Result.ok();
+ default:
+ return Result.err(udr);
+ }
+ }
+
+ public Result<Void> addUserRole(AuthzTrans trans, String user, String ns, String rname) {
+ UserRoleDAO.Data urdd = new UserRoleDAO.Data();
+ urdd.ns = ns;
+ urdd.role(ns, rname);
+ urdd.user = user;
+ return addUserRole(trans,urdd);
+ }
+
+ /**
+ * Extend User Role.
+ *
+ * extend the Expiration data, according to Organization rules.
+ *
+ * @param trans
+ * @param org
+ * @param urData
+ * @return
+ */
+ public Result<Void> extendUserRole(AuthzTrans trans, UserRoleDAO.Data urData, boolean checkForExist) {
+ // Check if record still exists
+ if (checkForExist && q.userRoleDAO.read(trans, urData).notOKorIsEmpty()) {
+ return Result.err(Status.ERR_UserRoleNotFound,
+ "User Role does not exist");
+ }
+ if (q.roleDAO.read(trans, urData.ns, urData.rname).notOKorIsEmpty()) {
+ return Result.err(Status.ERR_RoleNotFound,
+ "Role [%s.%s] does not exist", urData.ns,urData.rname);
+ }
+ // Special case for "Admin" roles. Issue brought forward with Prod
+ // problem 9/26
+
+ urData.expires = trans.org().expiration(null, Expiration.UserInRole).getTime(); // get
+ // Full
+ // time
+ // starting
+ // today
+ return q.userRoleDAO.update(trans, urData);
+ }
+
+ // ////////////////////////////////////////////////////
+ // Special User Role Functions
+ // These exist, because User Roles have Expiration dates, which must be
+ // accounted for
+ // Also, as of July, 2015, Namespace Owners and Admins are now regular User
+ // Roles
+ // ////////////////////////////////////////////////////
+ public Result<List<String>> getUsersByRole(AuthzTrans trans, String role, boolean includeExpired) {
+ Result<List<UserRoleDAO.Data>> rurdd = q.userRoleDAO.readByRole(trans,role);
+ if (rurdd.notOK()) {
+ return Result.err(rurdd);
+ }
+ Date now = new Date();
+ List<UserRoleDAO.Data> list = rurdd.value;
+ List<String> rv = new ArrayList<String>(list.size()); // presize
+ for (UserRoleDAO.Data urdd : rurdd.value) {
+ if (includeExpired || urdd.expires.after(now)) {
+ rv.add(urdd.user);
+ }
+ }
+ return Result.ok(rv);
+ }
+
+ public Result<Void> delUserRole(AuthzTrans trans, String user, String ns, String rname) {
+ UserRoleDAO.Data urdd = new UserRoleDAO.Data();
+ urdd.user = user;
+ urdd.role(ns,rname);
+ Result<List<UserRoleDAO.Data>> r = q.userRoleDAO.read(trans, urdd);
+ if (r.status == 404 || r.isEmpty()) {
+ return Result.err(Status.ERR_UserRoleNotFound,
+ "UserRole [%s] [%s.%s]", user, ns, rname);
+ }
+ if (r.notOK()) {
+ return Result.err(r);
+ }
+
+ return q.userRoleDAO.delete(trans, urdd, false);
+ }
+
+ public Result<List<Identity>> createFuture(AuthzTrans trans, FutureDAO.Data data, String id, String user,
+ NsDAO.Data nsd, String op) {
+ // Create Future Object
+ List<Identity> approvers=null;
+ Result<FutureDAO.Data> fr = q.futureDAO.create(trans, data, id);
+ if (fr.isOK()) {
+ // User Future ID as ticket for Approvals
+ final UUID ticket = fr.value.id;
+ ApprovalDAO.Data ad;
+ try {
+ Organization org = trans.org();
+ approvers = org.getApprovers(trans, user);
+ for (Identity u : approvers) {
+ ad = new ApprovalDAO.Data();
+ // Note ad.id is set by ApprovalDAO Create
+ ad.ticket = ticket;
+ ad.user = user;
+ ad.approver = u.id();
+ ad.status = ApprovalDAO.PENDING;
+ ad.memo = data.memo;
+ ad.type = org.getApproverType();
+ ad.operation = op;
+ // Note ad.updated is created in System
+ Result<ApprovalDAO.Data> ar = q.approvalDAO.create(trans,ad);
+ if (ar.notOK()) {
+ return Result.err(Status.ERR_ActionNotCompleted,
+ "Approval for %s, %s could not be created: %s",
+ ad.user, ad.approver, ar.details);
+ }
+ }
+ if (nsd != null) {
+ Result<List<UserRoleDAO.Data>> rrbr = q.userRoleDAO
+ .readByRole(trans, nsd.name + Question.DOT_OWNER);
+ if (rrbr.isOK()) {
+ for (UserRoleDAO.Data urd : rrbr.value) {
+ ad = new ApprovalDAO.Data();
+ // Note ad.id is set by ApprovalDAO Create
+ ad.ticket = ticket;
+ ad.user = user;
+ ad.approver = urd.user;
+ ad.status = ApprovalDAO.PENDING;
+ ad.memo = data.memo;
+ ad.type = "owner";
+ ad.operation = op;
+ // Note ad.updated is created in System
+ Result<ApprovalDAO.Data> ar = q.approvalDAO.create(trans, ad);
+ if (ar.notOK()) {
+ return Result.err(Status.ERR_ActionNotCompleted,
+ "Approval for %s, %s could not be created: %s",
+ ad.user, ad.approver,
+ ar.details);
+ }
+ }
+ }
+ }
+ } catch (Exception e) {
+ return Result.err(e);
+ }
+ }
+
+ return Result.ok(approvers);
+ }
+
+ public Result<Void> performFutureOp(AuthzTrans trans, ApprovalDAO.Data cd) {
+ Result<List<FutureDAO.Data>> fd = q.futureDAO.read(trans, cd.ticket);
+ Result<List<ApprovalDAO.Data>> allApprovalsForTicket = q.approvalDAO
+ .readByTicket(trans, cd.ticket);
+ Result<Void> rv = Result.ok();
+ for (FutureDAO.Data curr : fd.value) {
+ if ("approved".equalsIgnoreCase(cd.status)) {
+ if (allApprovalsForTicket.value.size() <= 1) {
+ // should check if any other pendings before performing
+ // actions
+ try {
+ if (FOP_ROLE.equalsIgnoreCase(curr.target)) {
+ RoleDAO.Data data = new RoleDAO.Data();
+ data.reconstitute(curr.construct);
+ if ("C".equalsIgnoreCase(cd.operation)) {
+ Result<RoleDAO.Data> rd;
+ if ((rd = q.roleDAO.dao().create(trans, data)).notOK()) {
+ rv = Result.err(rd);
+ }
+ } else if ("D".equalsIgnoreCase(cd.operation)) {
+ rv = deleteRole(trans, data, true, true);
+ }
+
+ } else if (FOP_PERM.equalsIgnoreCase(curr.target)) {
+ PermDAO.Data pdd = new PermDAO.Data();
+ pdd.reconstitute(curr.construct);
+ if ("C".equalsIgnoreCase(cd.operation)) {
+ rv = createPerm(trans, pdd, true);
+ } else if ("D".equalsIgnoreCase(cd.operation)) {
+ rv = deletePerm(trans, pdd, true, true);
+ } else if ("G".equalsIgnoreCase(cd.operation)) {
+ Set<String> roles = pdd.roles(true);
+ Result<RoleDAO.Data> rrdd = null;
+ for (String roleStr : roles) {
+ rrdd = RoleDAO.Data.decode(trans, q, roleStr);
+ if (rrdd.isOKhasData()) {
+ rv = addPermToRole(trans, rrdd.value, pdd, true);
+ } else {
+ trans.error().log(rrdd.errorString());
+ }
+ }
+ } else if ("UG".equalsIgnoreCase(cd.operation)) {
+ Set<String> roles = pdd.roles(true);
+ Result<RoleDAO.Data> rrdd;
+ for (String roleStr : roles) {
+ rrdd = RoleDAO.Data.decode(trans, q, roleStr);
+ if (rrdd.isOKhasData()) {
+ rv = delPermFromRole(trans, rrdd.value, pdd, true);
+ } else {
+ trans.error().log(rrdd.errorString());
+ }
+ }
+ }
+
+ } else if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) {
+ UserRoleDAO.Data data = new UserRoleDAO.Data();
+ data.reconstitute(curr.construct);
+ // if I am the last to approve, create user role
+ if ("C".equalsIgnoreCase(cd.operation)) {
+ rv = addUserRole(trans, data);
+ } else if ("U".equals(cd.operation)) {
+ rv = extendUserRole(trans, data, true);
+ }
+
+ } else if (FOP_NS.equalsIgnoreCase(curr.target)) {
+ Namespace namespace = new Namespace();
+ namespace.reconstitute(curr.construct);
+
+ if ("C".equalsIgnoreCase(cd.operation)) {
+ rv = createNS(trans, namespace, true);
+ }
+
+ } else if (FOP_DELEGATE.equalsIgnoreCase(curr.target)) {
+ DelegateDAO.Data data = new DelegateDAO.Data();
+ data.reconstitute(curr.construct);
+ if ("C".equalsIgnoreCase(cd.operation)) {
+ Result<DelegateDAO.Data> dd;
+ if ((dd = q.delegateDAO.create(trans, data)).notOK()) {
+ rv = Result.err(dd);
+ }
+ } else if ("U".equalsIgnoreCase(cd.operation)) {
+ rv = q.delegateDAO.update(trans, data);
+ }
+ } else if (FOP_CRED.equalsIgnoreCase(curr.target)) {
+ CredDAO.Data data = new CredDAO.Data();
+ data.reconstitute(curr.construct);
+ if ("C".equalsIgnoreCase(cd.operation)) {
+ Result<CredDAO.Data> rd;
+ if ((rd = q.credDAO.dao().create(trans, data)).notOK()) {
+ rv = Result.err(rd);
+ }
+ }
+ }
+ } catch (IOException e) {
+ trans.error().log("IOException: ", e.getMessage(),
+ " \n occurred while performing", cd.memo,
+ " from approval ", cd.id.toString());
+ }
+ }
+ } else if ("denied".equalsIgnoreCase(cd.status)) {
+ for (ApprovalDAO.Data ad : allApprovalsForTicket.value) {
+ q.approvalDAO.delete(trans, ad, false);
+ }
+ q.futureDAO.delete(trans, curr, false);
+ if (FOP_USER_ROLE.equalsIgnoreCase(curr.target)) {
+ // if I am the last to approve, create user role
+ if ("U".equals(cd.operation)) {
+ UserRoleDAO.Data data = new UserRoleDAO.Data();
+ try {
+ data.reconstitute(curr.construct);
+ } catch (IOException e) {
+ trans.error().log("Cannot reconstitue",curr.memo);
+ }
+ rv = delUserRole(trans, data.user, data.ns, data.rname);
+ }
+ }
+
+ }
+
+ // if I am the last to approve, delete the future object
+ if (rv.isOK() && allApprovalsForTicket.value.size() <= 1) {
+ q.futureDAO.delete(trans, curr, false);
+ }
+
+ } // end for each
+ return rv;
+
+ }
+
+ public Executor newExecutor(AuthzTrans trans) {
+ return new CassExecutor(trans, this);
+ }
+
+}
diff --git a/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/PermLookup.java b/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/PermLookup.java new file mode 100644 index 00000000..40f59178 --- /dev/null +++ b/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/PermLookup.java @@ -0,0 +1,184 @@ +/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.dao.aaf.hl;
+
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.onap.aaf.authz.env.AuthzTrans;
+import org.onap.aaf.authz.layer.Result;
+import org.onap.aaf.dao.aaf.cass.PermDAO;
+import org.onap.aaf.dao.aaf.cass.RoleDAO;
+import org.onap.aaf.dao.aaf.cass.Status;
+import org.onap.aaf.dao.aaf.cass.UserRoleDAO;
+
+/**
+ * PermLookup is a Storage class for the various pieces of looking up Permission
+ * during Transactions to avoid duplicate processing
+ *
+ *
+ */
+// Package on purpose
+class PermLookup {
+ private AuthzTrans trans;
+ private String user;
+ private Question q;
+ private Result<List<UserRoleDAO.Data>> userRoles = null;
+ private Result<List<RoleDAO.Data>> roles = null;
+ private Result<Set<String>> permNames = null;
+ private Result<List<PermDAO.Data>> perms = null;
+
+ private PermLookup() {}
+
+ static PermLookup get(AuthzTrans trans, Question q, String user) {
+ PermLookup lp=null;
+ Map<String, PermLookup> permMap = trans.get(Question.PERMS, null);
+ if (permMap == null) {
+ trans.put(Question.PERMS, permMap = new HashMap<String, PermLookup>());
+ } else {
+ lp = permMap.get(user);
+ }
+
+ if (lp == null) {
+ lp = new PermLookup();
+ lp.trans = trans;
+ lp.user = user;
+ lp.q = q;
+ permMap.put(user, lp);
+ }
+ return lp;
+ }
+
+ public Result<List<UserRoleDAO.Data>> getUserRoles() {
+ if(userRoles==null) {
+ userRoles = q.userRoleDAO.readByUser(trans,user);
+ if(userRoles.isOKhasData()) {
+ List<UserRoleDAO.Data> lurdd = new ArrayList<UserRoleDAO.Data>();
+ Date now = new Date();
+ for(UserRoleDAO.Data urdd : userRoles.value) {
+ if(urdd.expires.after(now)) { // Remove Expired
+ lurdd.add(urdd);
+ }
+ }
+ if(lurdd.size()==0) {
+ return userRoles = Result.err(Status.ERR_UserNotFound,
+ "%s not found or not associated with any Roles: ",
+ user);
+ } else {
+ return userRoles = Result.ok(lurdd);
+ }
+ } else {
+ return userRoles;
+ }
+ } else {
+ return userRoles;
+ }
+ }
+
+ public Result<List<RoleDAO.Data>> getRoles() {
+ if(roles==null) {
+ Result<List<UserRoleDAO.Data>> rur = getUserRoles();
+ if(rur.isOK()) {
+ List<RoleDAO.Data> lrdd = new ArrayList<RoleDAO.Data>();
+ for (UserRoleDAO.Data urdata : rur.value) {
+ // Gather all permissions from all Roles
+ if(urdata.ns==null || urdata.rname==null) {
+ trans.error().printf("DB Content Error: nulls in User Role %s %s", urdata.user,urdata.role);
+ } else {
+ Result<List<RoleDAO.Data>> rlrd = q.roleDAO.read(
+ trans, urdata.ns, urdata.rname);
+ if(rlrd.isOK()) {
+ lrdd.addAll(rlrd.value);
+ }
+ }
+ }
+ return roles = Result.ok(lrdd);
+ } else {
+ return roles = Result.err(rur);
+ }
+ } else {
+ return roles;
+ }
+ }
+
+ public Result<Set<String>> getPermNames() {
+ if(permNames==null) {
+ Result<List<RoleDAO.Data>> rlrd = getRoles();
+ if (rlrd.isOK()) {
+ Set<String> pns = new TreeSet<String>();
+ for (RoleDAO.Data rdata : rlrd.value) {
+ pns.addAll(rdata.perms(false));
+ }
+ return permNames = Result.ok(pns);
+ } else {
+ return permNames = Result.err(rlrd);
+ }
+ } else {
+ return permNames;
+ }
+ }
+
+ public Result<List<PermDAO.Data>> getPerms(boolean lookup) {
+ if(perms==null) {
+ // Note: It should be ok for a Valid user to have no permissions -
+ // 8/12/2013
+ Result<Set<String>> rss = getPermNames();
+ if(rss.isOK()) {
+ List<PermDAO.Data> lpdd = new ArrayList<PermDAO.Data>();
+ for (String perm : rss.value) {
+ if(lookup) {
+ Result<String[]> ap = PermDAO.Data.decodeToArray(trans, q, perm);
+ if(ap.isOK()) {
+ Result<List<PermDAO.Data>> rlpd = q.permDAO.read(perm,trans,ap);
+ if (rlpd.isOKhasData()) {
+ for (PermDAO.Data pData : rlpd.value) {
+ lpdd.add(pData);
+ }
+ }
+ } else {
+ trans.error().log("In getPermsByUser, for", user, perm);
+ }
+ } else {
+ Result<PermDAO.Data> pr = PermDAO.Data.decode(trans, q, perm);
+ if (pr.notOK()) {
+ trans.error().log("In getPermsByUser, for", user, pr.errorString());
+ } else {
+ lpdd.add(pr.value);
+ }
+ }
+
+ }
+ return perms = Result.ok(lpdd);
+ } else {
+ return perms = Result.err(rss);
+ }
+ } else {
+ return perms;
+ }
+ }
+}
diff --git a/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/Question.java b/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/Question.java new file mode 100644 index 00000000..c552cc93 --- /dev/null +++ b/authz-cass/src/main/java/org/onap/aaf/dao/aaf/hl/Question.java @@ -0,0 +1,1087 @@ +/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.dao.aaf.hl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.onap.aaf.authz.common.Define;
+import org.onap.aaf.authz.env.AuthzTrans;
+import org.onap.aaf.authz.env.AuthzTransFilter;
+import org.onap.aaf.authz.layer.Result;
+import org.onap.aaf.authz.org.Organization;
+import org.onap.aaf.authz.org.Organization.Identity;
+import org.onap.aaf.dao.AbsCassDAO;
+import org.onap.aaf.dao.CachedDAO;
+import org.onap.aaf.dao.DAOException;
+import org.onap.aaf.dao.aaf.cached.CachedCertDAO;
+import org.onap.aaf.dao.aaf.cached.CachedCredDAO;
+import org.onap.aaf.dao.aaf.cached.CachedNSDAO;
+import org.onap.aaf.dao.aaf.cached.CachedPermDAO;
+import org.onap.aaf.dao.aaf.cached.CachedRoleDAO;
+import org.onap.aaf.dao.aaf.cached.CachedUserRoleDAO;
+import org.onap.aaf.dao.aaf.cass.ApprovalDAO;
+import org.onap.aaf.dao.aaf.cass.CacheInfoDAO;
+import org.onap.aaf.dao.aaf.cass.CertDAO;
+import org.onap.aaf.dao.aaf.cass.CredDAO;
+import org.onap.aaf.dao.aaf.cass.DelegateDAO;
+import org.onap.aaf.dao.aaf.cass.FutureDAO;
+import org.onap.aaf.dao.aaf.cass.HistoryDAO;
+import org.onap.aaf.dao.aaf.cass.NsDAO;
+import org.onap.aaf.dao.aaf.cass.NsSplit;
+import org.onap.aaf.dao.aaf.cass.NsType;
+import org.onap.aaf.dao.aaf.cass.PermDAO;
+import org.onap.aaf.dao.aaf.cass.RoleDAO;
+import org.onap.aaf.dao.aaf.cass.Status;
+import org.onap.aaf.dao.aaf.cass.UserRoleDAO;
+import org.onap.aaf.dao.aaf.cass.NsDAO.Data;
+
+import org.onap.aaf.cadi.Hash;
+import org.onap.aaf.cadi.aaf.PermEval;
+import org.onap.aaf.inno.env.APIException;
+import org.onap.aaf.inno.env.Env;
+import org.onap.aaf.inno.env.Slot;
+import org.onap.aaf.inno.env.TimeTaken;
+import org.onap.aaf.inno.env.util.Chrono;
+import com.datastax.driver.core.Cluster;
+
+/**
+ * Question HL DAO
+ *
+ * A Data Access Combination Object which asks Security and other Questions
+ *
+ *
+ */
+public class Question {
+ // DON'T CHANGE FROM lower Case!!!
+ public static enum Type {
+ ns, role, perm, cred
+ };
+
+ public static final String OWNER="owner";
+ public static final String ADMIN="admin";
+ public static final String DOT_OWNER=".owner";
+ public static final String DOT_ADMIN=".admin";
+ static final String ASTERIX = "*";
+
+ public static enum Access {
+ read, write, create
+ };
+
+ public static final String READ = Access.read.name();
+ public static final String WRITE = Access.write.name();
+ public static final String CREATE = Access.create.name();
+
+ public static final String ROLE = Type.role.name();
+ public static final String PERM = Type.perm.name();
+ public static final String NS = Type.ns.name();
+ public static final String CRED = Type.cred.name();
+ private static final String DELG = "delg";
+ public static final String ATTRIB = "attrib";
+
+
+ public static final int MAX_SCOPE = 10;
+ public static final int APP_SCOPE = 3;
+ public static final int COMPANY_SCOPE = 2;
+ static Slot PERMS;
+
+ private static Set<String> specialLog = null;
+ public static final SecureRandom random = new SecureRandom();
+ private static long traceID = random.nextLong();
+ private static final String SPECIAL_LOG_SLOT = "SPECIAL_LOG_SLOT";
+ private static Slot specialLogSlot = null;
+ private static Slot transIDSlot = null;
+
+
+ public final HistoryDAO historyDAO;
+ public final CachedNSDAO nsDAO;
+ public final CachedRoleDAO roleDAO;
+ public final CachedPermDAO permDAO;
+ public final CachedUserRoleDAO userRoleDAO;
+ public final CachedCredDAO credDAO;
+ public final CachedCertDAO certDAO;
+ public final DelegateDAO delegateDAO;
+ public final FutureDAO futureDAO;
+ public final ApprovalDAO approvalDAO;
+ private final CacheInfoDAO cacheInfoDAO;
+
+ // final ContactDAO contDAO;
+ // private static final String DOMAIN = "@aaf.att.com";
+ // private static final int DOMAIN_LENGTH = 0;
+
+ public Question(AuthzTrans trans, Cluster cluster, String keyspace, boolean startClean) throws APIException, IOException {
+ PERMS = trans.slot("USER_PERMS");
+ trans.init().log("Instantiating DAOs");
+ historyDAO = new HistoryDAO(trans, cluster, keyspace);
+
+ // Deal with Cached Entries
+ cacheInfoDAO = new CacheInfoDAO(trans, historyDAO);
+
+ nsDAO = new CachedNSDAO(new NsDAO(trans, historyDAO, cacheInfoDAO),
+ cacheInfoDAO);
+ permDAO = new CachedPermDAO(
+ new PermDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO);
+ roleDAO = new CachedRoleDAO(
+ new RoleDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO);
+ userRoleDAO = new CachedUserRoleDAO(new UserRoleDAO(trans, historyDAO,
+ cacheInfoDAO), cacheInfoDAO);
+ credDAO = new CachedCredDAO(
+ new CredDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO);
+ certDAO = new CachedCertDAO(
+ new CertDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO);
+
+ futureDAO = new FutureDAO(trans, historyDAO);
+ delegateDAO = new DelegateDAO(trans, historyDAO);
+ approvalDAO = new ApprovalDAO(trans, historyDAO);
+
+ // Only want to aggressively cleanse User related Caches... The others,
+ // just normal refresh
+ if(startClean) {
+ CachedDAO.startCleansing(trans.env(), credDAO, userRoleDAO);
+ CachedDAO.startRefresh(trans.env(), cacheInfoDAO);
+ }
+ // Set a Timer to Check Caches to send messages for Caching changes
+
+ if(specialLogSlot==null) {
+ specialLogSlot = trans.slot(SPECIAL_LOG_SLOT);
+ transIDSlot = trans.slot(AuthzTransFilter.TRANS_ID_SLOT);
+ }
+
+ AbsCassDAO.primePSIs(trans);
+ }
+
+
+ public void close(AuthzTrans trans) {
+ historyDAO.close(trans);
+ cacheInfoDAO.close(trans);
+ nsDAO.close(trans);
+ permDAO.close(trans);
+ roleDAO.close(trans);
+ userRoleDAO.close(trans);
+ credDAO.close(trans);
+ certDAO.close(trans);
+ delegateDAO.close(trans);
+ futureDAO.close(trans);
+ approvalDAO.close(trans);
+ }
+
+ public Result<PermDAO.Data> permFrom(AuthzTrans trans, String type,
+ String instance, String action) {
+ Result<NsDAO.Data> rnd = deriveNs(trans, type);
+ if (rnd.isOK()) {
+ return Result.ok(new PermDAO.Data(new NsSplit(rnd.value, type),
+ instance, action));
+ } else {
+ return Result.err(rnd);
+ }
+ }
+
+ /**
+ * getPermsByUser
+ *
+ * Because this call is frequently called internally, AND because we already
+ * look for it in the initial Call, we cache within the Transaction
+ *
+ * @param trans
+ * @param user
+ * @return
+ */
+ public Result<List<PermDAO.Data>> getPermsByUser(AuthzTrans trans, String user, boolean lookup) {
+ return PermLookup.get(trans, this, user).getPerms(lookup);
+ }
+
+ public Result<List<PermDAO.Data>> getPermsByUserFromRolesFilter(AuthzTrans trans, String user, String forUser) {
+ PermLookup plUser = PermLookup.get(trans, this, user);
+ Result<Set<String>> plPermNames = plUser.getPermNames();
+ if(plPermNames.notOK()) {
+ return Result.err(plPermNames);
+ }
+
+ Set<String> nss;
+ if(forUser.equals(user)) {
+ nss = null;
+ } else {
+ // Setup a TreeSet to check on Namespaces to
+ nss = new TreeSet<String>();
+ PermLookup fUser = PermLookup.get(trans, this, forUser);
+ Result<Set<String>> forUpn = fUser.getPermNames();
+ if(forUpn.notOK()) {
+ return Result.err(forUpn);
+ }
+
+ for(String pn : forUpn.value) {
+ Result<String[]> decoded = PermDAO.Data.decodeToArray(trans, this, pn);
+ if(decoded.isOKhasData()) {
+ nss.add(decoded.value[0]);
+ } else {
+ trans.error().log(pn,", derived from a Role, is invalid:",decoded.errorString());
+ }
+ }
+ }
+
+ List<PermDAO.Data> rlpUser = new ArrayList<PermDAO.Data>();
+ Result<PermDAO.Data> rpdd;
+ PermDAO.Data pdd;
+ for(String pn : plPermNames.value) {
+ rpdd = PermDAO.Data.decode(trans, this, pn);
+ if(rpdd.isOKhasData()) {
+ pdd=rpdd.value;
+ if(nss==null || nss.contains(pdd.ns)) {
+ rlpUser.add(pdd);
+ }
+ } else {
+ trans.error().log(pn,", derived from a Role, is invalid. Run Data Cleanup:",rpdd.errorString());
+ }
+ }
+ return Result.ok(rlpUser);
+ }
+
+ public Result<List<PermDAO.Data>> getPermsByType(AuthzTrans trans, String perm) {
+ Result<NsSplit> nss = deriveNsSplit(trans, perm);
+ if (nss.notOK()) {
+ return Result.err(nss);
+ }
+ return permDAO.readByType(trans, nss.value.ns, nss.value.name);
+ }
+
+ public Result<List<PermDAO.Data>> getPermsByName(AuthzTrans trans,
+ String type, String instance, String action) {
+ Result<NsSplit> nss = deriveNsSplit(trans, type);
+ if (nss.notOK()) {
+ return Result.err(nss);
+ }
+ return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action);
+ }
+
+ public Result<List<PermDAO.Data>> getPermsByRole(AuthzTrans trans, String role, boolean lookup) {
+ Result<NsSplit> nss = deriveNsSplit(trans, role);
+ if (nss.notOK()) {
+ return Result.err(nss);
+ }
+
+ Result<List<RoleDAO.Data>> rlrd = roleDAO.read(trans, nss.value.ns,
+ nss.value.name);
+ if (rlrd.notOKorIsEmpty()) {
+ return Result.err(rlrd);
+ }
+ // Using Set to avoid duplicates
+ Set<String> permNames = new HashSet<String>();
+ if (rlrd.isOKhasData()) {
+ for (RoleDAO.Data drr : rlrd.value) {
+ permNames.addAll(drr.perms(false));
+ }
+ }
+
+ // Note: It should be ok for a Valid user to have no permissions -
+ // 8/12/2013
+ List<PermDAO.Data> perms = new ArrayList<PermDAO.Data>();
+ for (String perm : permNames) {
+ Result<PermDAO.Data> pr = PermDAO.Data.decode(trans, this, perm);
+ if (pr.notOK()) {
+ return Result.err(pr);
+ }
+
+ if(lookup) {
+ Result<List<PermDAO.Data>> rlpd = permDAO.read(trans, pr.value);
+ if (rlpd.isOKhasData()) {
+ for (PermDAO.Data pData : rlpd.value) {
+ perms.add(pData);
+ }
+ }
+ } else {
+ perms.add(pr.value);
+ }
+ }
+
+ return Result.ok(perms);
+ }
+
+ public Result<List<RoleDAO.Data>> getRolesByName(AuthzTrans trans,
+ String role) {
+ Result<NsSplit> nss = deriveNsSplit(trans, role);
+ if (nss.notOK()) {
+ return Result.err(nss);
+ }
+ String r = nss.value.name;
+ if (r.endsWith(".*")) { // do children Search
+ return roleDAO.readChildren(trans, nss.value.ns,
+ r.substring(0, r.length() - 2));
+ } else if (ASTERIX.equals(r)) {
+ return roleDAO.readChildren(trans, nss.value.ns, ASTERIX);
+ } else {
+ return roleDAO.read(trans, nss.value.ns, r);
+ }
+ }
+
+ /**
+ * Derive NS
+ *
+ * Given a Child Namespace, figure out what the best Namespace parent is.
+ *
+ * For instance, if in the NS table, the parent "com.att" exists, but not
+ * "com.att.child" or "com.att.a.b.c", then passing in either
+ * "com.att.child" or "com.att.a.b.c" will return "com.att"
+ *
+ * Uses recursive search on Cached DAO data
+ *
+ * @param trans
+ * @param child
+ * @return
+ */
+ public Result<NsDAO.Data> deriveNs(AuthzTrans trans, String child) {
+ Result<List<NsDAO.Data>> r = nsDAO.read(trans, child);
+
+ if (r.isOKhasData()) {
+ return Result.ok(r.value.get(0));
+ } else {
+ int dot = child == null ? -1 : child.lastIndexOf('.');
+ if (dot < 0) {
+ return Result.err(Status.ERR_NsNotFound,
+ "No Namespace for [%s]", child);
+ } else {
+ return deriveNs(trans, child.substring(0, dot));
+ }
+ }
+ }
+
+ public Result<NsDAO.Data> deriveFirstNsForType(AuthzTrans trans, String str, NsType type) {
+ NsDAO.Data nsd;
+
+ System.out.println("value of str before for loop ---------0---++++++++++++++++++" +str);
+ for(int idx = str.indexOf('.');idx>=0;idx=str.indexOf('.',idx+1)) {
+ // System.out.println("printing value of str-----------------1------------++++++++++++++++++++++" +str);
+ Result<List<Data>> rld = nsDAO.read(trans, str.substring(0,idx));
+ System.out.println("value of idx is -----------------++++++++++++++++++++++++++" +idx);
+ System.out.println("printing value of str.substring-----------------1------------++++++++++++++++++++++" + (str.substring(0,idx)));
+ System.out.println("value of ResultListData ------------------2------------+++++++++++++++++++++++++++" +rld);
+ if(rld.isOKhasData()) {
+ System.out.println("In if loop -----------------3-------------- ++++++++++++++++");
+ System.out.println("value of nsd=rld.value.get(0).type -----------4------++++++++++++++++++++++++++++++++++++" +(nsd=rld.value.get(0)).type);
+ System.out.println("value of rld.value.get(0).name.toString()+++++++++++++++++++++++++++++++ " +rld.value.get(0).name);
+ if(type.type == (nsd=rld.value.get(0)).type) {
+ return Result.ok(nsd);
+ }
+ } else {
+ System.out.println("In else loop ----------------4------------+++++++++++++++++++++++");
+ return Result.err(Status.ERR_NsNotFound,"There is no valid Company Namespace for %s",str.substring(0,idx));
+ }
+ }
+ return Result.err(Status.ERR_NotFound, str + " does not contain type " + type.name());
+ }
+
+ public Result<NsSplit> deriveNsSplit(AuthzTrans trans, String child) {
+ Result<NsDAO.Data> ndd = deriveNs(trans, child);
+ if (ndd.isOK()) {
+ NsSplit nss = new NsSplit(ndd.value, child);
+ if (nss.isOK()) {
+ return Result.ok(nss);
+ } else {
+ return Result.err(Status.ERR_NsNotFound,
+ "Cannot split [%s] into valid namespace elements",
+ child);
+ }
+ }
+ return Result.err(ndd);
+ }
+
+ /**
+ * Translate an ID into it's domain
+ *
+ * i.e. myid1234@myapp.att.com results in domain of com.att.myapp
+ *
+ * @param id
+ * @return
+ */
+ public static String domain2ns(String id) {
+ int at = id.indexOf('@');
+ if (at >= 0) {
+ String[] domain = id.substring(at + 1).split("\\.");
+ StringBuilder ns = new StringBuilder(id.length());
+ boolean first = true;
+ for (int i = domain.length - 1; i >= 0; --i) {
+ if (first) {
+ first = false;
+ } else {
+ ns.append('.');
+ }
+ ns.append(domain[i]);
+ }
+ return ns.toString();
+ } else {
+ return "";
+ }
+
+ }
+
+ /**
+ * Validate Namespace of ID@Domain
+ *
+ * Namespace is reverse order of Domain.
+ *
+ * i.e. myid1234@myapp.att.com results in domain of com.att.myapp
+ *
+ * @param trans
+ * @param id
+ * @return
+ */
+ public Result<NsDAO.Data> validNSOfDomain(AuthzTrans trans, String id) {
+ // Take domain, reverse order, and check on NS
+ String ns;
+ if(id.indexOf('@')<0) { // it's already an ns, not an ID
+ ns = id;
+ } else {
+ ns = domain2ns(id);
+ }
+ if (ns.length() > 0) {
+ if(!trans.org().getDomain().equals(ns)) {
+ Result<List<NsDAO.Data>> rlnsd = nsDAO.read(trans, ns);
+ if (rlnsd.isOKhasData()) {
+ return Result.ok(rlnsd.value.get(0));
+ }
+ }
+ }
+ return Result.err(Status.ERR_NsNotFound,
+ "A Namespace is not available for %s", id);
+ }
+
+ public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user,NsDAO.Data ndd, Access access) {
+ // <ns>.access|:role:<role name>|<read|write>
+ String ns = ndd.name;
+ int last;
+ do {
+ if (isGranted(trans, user, ns, "access", ":ns", access.name())) {
+ return Result.ok(ndd);
+ }
+ if ((last = ns.lastIndexOf('.')) >= 0) {
+ ns = ns.substring(0, last);
+ }
+ } while (last >= 0);
+ // <root ns>.ns|:<client ns>:ns|<access>
+ // AAF-724 - Make consistent response for May User", and not take the
+ // last check... too confusing.
+ Result<NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, ":" + ndd.name + ":ns", access.name());
+ if (rv.isOK()) {
+ return rv;
+ } else if(rv.status==Result.ERR_Backend) {
+ return Result.err(rv);
+ } else {
+ return Result.err(Status.ERR_Denied, "[%s] may not %s in NS [%s]",
+ user, access.name(), ndd.name);
+ }
+ }
+
+ public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user, RoleDAO.Data rdd, Access access) {
+ Result<NsDAO.Data> rnsd = deriveNs(trans, rdd.ns);
+ if (rnsd.isOK()) {
+ return mayUser(trans, user, rnsd.value, rdd, access);
+ }
+ return rnsd;
+ }
+
+ public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user, NsDAO.Data ndd, RoleDAO.Data rdd, Access access) {
+ // 1) Is User in the Role?
+ Result<List<UserRoleDAO.Data>> rurd = userRoleDAO.readUserInRole(trans, user, rdd.fullName());
+ if (rurd.isOKhasData()) {
+ return Result.ok(ndd);
+ }
+
+ String roleInst = ":role:" + rdd.name;
+ // <ns>.access|:role:<role name>|<read|write>
+ String ns = rdd.ns;
+ int last;
+ do {
+ if (isGranted(trans, user, ns,"access", roleInst, access.name())) {
+ return Result.ok(ndd);
+ }
+ if ((last = ns.lastIndexOf('.')) >= 0) {
+ ns = ns.substring(0, last);
+ }
+ } while (last >= 0);
+
+ // Check if Access by Global Role perm
+ // <root ns>.ns|:<client ns>:role:name|<access>
+ Result<NsDAO.Data> rnsd = mayUserVirtueOfNS(trans, user, ndd, ":"
+ + rdd.ns + roleInst, access.name());
+ if (rnsd.isOK()) {
+ return rnsd;
+ } else if(rnsd.status==Result.ERR_Backend) {
+ return Result.err(rnsd);
+ }
+
+ // Check if Access to Whole NS
+ // AAF-724 - Make consistent response for May User", and not take the
+ // last check... too confusing.
+ Result<org.onap.aaf.dao.aaf.cass.NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd,
+ ":" + rdd.ns + ":ns", access.name());
+ if (rv.isOK()) {
+ return rv;
+ } else if(rnsd.status==Result.ERR_Backend) {
+ return Result.err(rnsd);
+ } else {
+ return Result.err(Status.ERR_Denied, "[%s] may not %s Role [%s]",
+ user, access.name(), rdd.fullName());
+ }
+
+ }
+
+ public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user,PermDAO.Data pdd, Access access) {
+ Result<NsDAO.Data> rnsd = deriveNs(trans, pdd.ns);
+ if (rnsd.isOK()) {
+ return mayUser(trans, user, rnsd.value, pdd, access);
+ }
+ return rnsd;
+ }
+
+ public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user,NsDAO.Data ndd, PermDAO.Data pdd, Access access) {
+ if (isGranted(trans, user, pdd.ns, pdd.type, pdd.instance, pdd.action)) {
+ return Result.ok(ndd);
+ }
+ String permInst = ":perm:" + pdd.type + ':' + pdd.instance + ':' + pdd.action;
+ // <ns>.access|:role:<role name>|<read|write>
+ String ns = ndd.name;
+ int last;
+ do {
+ if (isGranted(trans, user, ns, "access", permInst, access.name())) {
+ return Result.ok(ndd);
+ }
+ if ((last = ns.lastIndexOf('.')) >= 0) {
+ ns = ns.substring(0, last);
+ }
+ } while (last >= 0);
+
+ // Check if Access by NS perm
+ // <root ns>.ns|:<client ns>:role:name|<access>
+ Result<NsDAO.Data> rnsd = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + permInst, access.name());
+ if (rnsd.isOK()) {
+ return rnsd;
+ } else if(rnsd.status==Result.ERR_Backend) {
+ return Result.err(rnsd);
+ }
+
+ // Check if Access to Whole NS
+ // AAF-724 - Make consistent response for May User", and not take the
+ // last check... too confusing.
+ Result<NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + ":ns", access.name());
+ if (rv.isOK()) {
+ return rv;
+ } else {
+ return Result.err(Status.ERR_Denied,
+ "[%s] may not %s Perm [%s|%s|%s]", user, access.name(),
+ pdd.fullType(), pdd.instance, pdd.action);
+ }
+
+ }
+
+ public Result<Void> mayUser(AuthzTrans trans, DelegateDAO.Data dd, Access access) {
+ try {
+ boolean isUser = trans.user().equals(dd.user);
+ boolean isDelegate = dd.delegate != null
+ && (dd.user.equals(dd.delegate) || trans.user().equals(
+ dd.delegate));
+ Organization org = trans.org();
+ switch (access) {
+ case create:
+ if (org.getIdentity(trans, dd.user) == null) {
+ return Result.err(Status.ERR_UserNotFound,
+ "[%s] is not a user in the company database.",
+ dd.user);
+ }
+ if (!dd.user.equals(dd.delegate) && org.getIdentity(trans, dd.delegate) == null) {
+ return Result.err(Status.ERR_UserNotFound,
+ "[%s] is not a user in the company database.",
+ dd.delegate);
+ }
+ if (!trans.forceRequested() && dd.user != null && dd.user.equals(dd.delegate)) {
+ return Result.err(Status.ERR_BadData,
+ "[%s] cannot be a delegate for self", dd.user);
+ }
+ if (!isUser && !isGranted(trans, trans.user(), Define.ROOT_NS,DELG,
+ org.getDomain(), Question.CREATE)) {
+ return Result.err(Status.ERR_Denied,
+ "[%s] may not create a delegate for [%s]",
+ trans.user(), dd.user);
+ }
+ break;
+ case read:
+ case write:
+ if (!isUser && !isDelegate &&
+ !isGranted(trans, trans.user(), Define.ROOT_NS,DELG,org.getDomain(), access.name())) {
+ return Result.err(Status.ERR_Denied,
+ "[%s] may not %s delegates for [%s]", trans.user(),
+ access.name(), dd.user);
+ }
+ break;
+ default:
+ return Result.err(Status.ERR_BadData,"Unknown Access type [%s]", access.name());
+ }
+ } catch (Exception e) {
+ return Result.err(e);
+ }
+ return Result.ok();
+ }
+
+ /*
+ * Check (recursively, if necessary), if able to do something based on NS
+ */
+ private Result<NsDAO.Data> mayUserVirtueOfNS(AuthzTrans trans, String user, NsDAO.Data nsd, String ns_and_type, String access) {
+ String ns = nsd.name;
+
+ // If an ADMIN of the Namespace, then allow
+
+ Result<List<UserRoleDAO.Data>> rurd;
+ if ((rurd = userRoleDAO.readUserInRole(trans, user, nsd.name+ADMIN)).isOKhasData()) {
+ return Result.ok(nsd);
+ } else if(rurd.status==Result.ERR_Backend) {
+ return Result.err(rurd);
+ }
+
+ // If Specially granted Global Permission
+ if (isGranted(trans, user, Define.ROOT_NS,NS, ns_and_type, access)) {
+ return Result.ok(nsd);
+ }
+
+ // Check recur
+
+ int dot = ns.length();
+ if ((dot = ns.lastIndexOf('.', dot - 1)) >= 0) {
+ Result<NsDAO.Data> rnsd = deriveNs(trans, ns.substring(0, dot));
+ if (rnsd.isOK()) {
+ rnsd = mayUserVirtueOfNS(trans, user, rnsd.value, ns_and_type,access);
+ } else if(rnsd.status==Result.ERR_Backend) {
+ return Result.err(rnsd);
+ }
+ if (rnsd.isOK()) {
+ return Result.ok(nsd);
+ } else if(rnsd.status==Result.ERR_Backend) {
+ return Result.err(rnsd);
+ }
+ }
+ return Result.err(Status.ERR_Denied, "%s may not %s %s", user, access,
+ ns_and_type);
+ }
+
+
+ /**
+ * isGranted
+ *
+ * Important function - Check internal Permission Schemes for Permission to
+ * do things
+ *
+ * @param trans
+ * @param type
+ * @param instance
+ * @param action
+ * @return
+ */
+ public boolean isGranted(AuthzTrans trans, String user, String ns, String type,String instance, String action) {
+ Result<List<PermDAO.Data>> perms = getPermsByUser(trans, user, false);
+ if (perms.isOK()) {
+ for (PermDAO.Data pd : perms.value) {
+ if (ns.equals(pd.ns)) {
+ if (type.equals(pd.type)) {
+ if (PermEval.evalInstance(pd.instance, instance)) {
+ if(PermEval.evalAction(pd.action, action)) { // don't return action here, might miss other action
+ return true;
+ }
+ }
+ }
+ }
+ }
+ }
+ return false;
+ }
+
+ public Result<Date> doesUserCredMatch(AuthzTrans trans, String user, byte[] cred) throws DAOException {
+ Result<List<CredDAO.Data>> result;
+ TimeTaken tt = trans.start("Read DB Cred", Env.REMOTE);
+ try {
+ result = credDAO.readID(trans, user);
+ } finally {
+ tt.done();
+ }
+
+ Result<Date> rv = null;
+ if(result.isOK()) {
+ if (result.isEmpty()) {
+ rv = Result.err(Status.ERR_UserNotFound, user);
+ if (willSpecialLog(trans,user)) {
+ trans.audit().log("Special DEBUG:", user, " does not exist in DB");
+ }
+ } else {
+ Date now = new Date();//long now = System.currentTimeMillis();
+ ByteBuffer md5=null;
+
+ // Bug noticed 6/22. Sorting on the result can cause Concurrency Issues.
+ List<CredDAO.Data> cddl;
+ if(result.value.size() > 1) {
+ cddl = new ArrayList<CredDAO.Data>(result.value.size());
+ for(CredDAO.Data old : result.value) {
+ if(old.type==CredDAO.BASIC_AUTH || old.type==CredDAO.BASIC_AUTH_SHA256) {
+ cddl.add(old);
+ }
+ }
+ if(cddl.size()>1) {
+ Collections.sort(cddl,new Comparator<CredDAO.Data>() {
+ @Override
+ public int compare(org.onap.aaf.dao.aaf.cass.CredDAO.Data a,
+ org.onap.aaf.dao.aaf.cass.CredDAO.Data b) {
+ return b.expires.compareTo(a.expires);
+ }
+ });
+ }
+ } else {
+ cddl = result.value;
+ }
+
+ for (CredDAO.Data cdd : cddl) {
+ if (cdd.expires.after(now)) {
+ try {
+ switch(cdd.type) {
+ case CredDAO.BASIC_AUTH:
+ if(md5==null) {
+ md5=ByteBuffer.wrap(Hash.encryptMD5(cred));
+ }
+ if(md5.compareTo(cdd.cred)==0) {
+ return Result.ok(cdd.expires);
+ } else if (willSpecialLog(trans,user)) {
+ trans.audit().log("Special DEBUG:", user, "Client sent: ", trans.encryptor().encrypt(new String(cred)) ,cdd.expires);
+ }
+ break;
+ case CredDAO.BASIC_AUTH_SHA256:
+ ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + cred.length);
+ bb.putInt(cdd.other);
+ bb.put(cred);
+ byte[] hash = Hash.hashSHA256(bb.array());
+
+ ByteBuffer sha256 = ByteBuffer.wrap(hash);
+ if(sha256.compareTo(cdd.cred)==0) {
+ return Result.ok(cdd.expires);
+ } else if (willSpecialLog(trans,user)) {
+ trans.audit().log("Special DEBUG:", user, "Client sent: ", trans.encryptor().encrypt(new String(cred)) ,cdd.expires);
+ }
+ break;
+ default:
+ trans.error().log("Unknown Credential Type %s for %s, %s",Integer.toString(cdd.type),cdd.id, Chrono.dateTime(cdd.expires));
+ }
+ } catch (NoSuchAlgorithmException e) {
+ trans.error().log(e);
+ }
+ } else {
+ rv = Result.err(Status.ERR_Security,
+ "Credentials expired " + cdd.expires.toString());
+ }
+ } // end for each
+ }
+ } else {
+ return Result.err(result);
+ }
+ return rv == null ? Result.create((Date) null, Status.ERR_Security,
+ "Wrong credential") : rv;
+ }
+
+
+ public Result<CredDAO.Data> userCredSetup(AuthzTrans trans, CredDAO.Data cred) {
+ if(cred.type==CredDAO.RAW) {
+ TimeTaken tt = trans.start("Hash Cred", Env.SUB);
+ try {
+ cred.type = CredDAO.BASIC_AUTH_SHA256;
+ cred.other = random.nextInt();
+ ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + cred.cred.capacity());
+ bb.putInt(cred.other);
+ bb.put(cred.cred);
+ byte[] hash = Hash.hashSHA256(bb.array());
+ cred.cred = ByteBuffer.wrap(hash);
+ return Result.ok(cred);
+ } catch (NoSuchAlgorithmException e) {
+ return Result.err(Status.ERR_General,e.getLocalizedMessage());
+ } finally {
+ tt.done();
+ }
+
+ }
+ return Result.err(Status.ERR_Security,"invalid/unreadable credential");
+ }
+
+
+ public static final String APPROVED = "APPROVE";
+ public static final String REJECT = "REJECT";
+ public static final String PENDING = "PENDING";
+
+ public Result<Void> canAddUser(AuthzTrans trans, UserRoleDAO.Data data,
+ List<ApprovalDAO.Data> approvals) {
+ // get the approval policy for the organization
+
+ // get the list of approvals with an accept status
+
+ // validate the approvals against the policy
+
+ // for now check if all approvals are received and return
+ // SUCCESS/FAILURE/SKIP
+ boolean bReject = false;
+ boolean bPending = false;
+
+ for (ApprovalDAO.Data approval : approvals) {
+ if (approval.status.equals(REJECT)) {
+ bReject = true;
+ } else if (approval.status.equals(PENDING)) {
+ bPending = true;
+ }
+ }
+ if (bReject) {
+ return Result.err(Status.ERR_Policy,
+ "Approval Polocy not conformed");
+ }
+ if (bPending) {
+ return Result.err(Status.ERR_ActionNotCompleted,
+ "Required Approvals not received");
+ }
+
+ return Result.ok();
+ }
+
+ private static final String NO_CACHE_NAME = "No Cache Data named %s";
+
+ public Result<Void> clearCache(AuthzTrans trans, String cname) {
+ boolean all = "all".equals(cname);
+ Result<Void> rv = null;
+
+ if (all || NsDAO.TABLE.equals(cname)) {
+ int seg[] = series(NsDAO.CACHE_SEG);
+ for(int i: seg) {cacheClear(trans, NsDAO.TABLE,i);}
+ rv = cacheInfoDAO.touch(trans, NsDAO.TABLE, seg);
+ }
+ if (all || PermDAO.TABLE.equals(cname)) {
+ int seg[] = series(NsDAO.CACHE_SEG);
+ for(int i: seg) {cacheClear(trans, PermDAO.TABLE,i);}
+ rv = cacheInfoDAO.touch(trans, PermDAO.TABLE,seg);
+ }
+ if (all || RoleDAO.TABLE.equals(cname)) {
+ int seg[] = series(NsDAO.CACHE_SEG);
+ for(int i: seg) {cacheClear(trans, RoleDAO.TABLE,i);}
+ rv = cacheInfoDAO.touch(trans, RoleDAO.TABLE,seg);
+ }
+ if (all || UserRoleDAO.TABLE.equals(cname)) {
+ int seg[] = series(NsDAO.CACHE_SEG);
+ for(int i: seg) {cacheClear(trans, UserRoleDAO.TABLE,i);}
+ rv = cacheInfoDAO.touch(trans, UserRoleDAO.TABLE,seg);
+ }
+ if (all || CredDAO.TABLE.equals(cname)) {
+ int seg[] = series(NsDAO.CACHE_SEG);
+ for(int i: seg) {cacheClear(trans, CredDAO.TABLE,i);}
+ rv = cacheInfoDAO.touch(trans, CredDAO.TABLE,seg);
+ }
+ if (all || CertDAO.TABLE.equals(cname)) {
+ int seg[] = series(NsDAO.CACHE_SEG);
+ for(int i: seg) {cacheClear(trans, CertDAO.TABLE,i);}
+ rv = cacheInfoDAO.touch(trans, CertDAO.TABLE,seg);
+ }
+
+ if (rv == null) {
+ rv = Result.err(Status.ERR_BadData, NO_CACHE_NAME, cname);
+ }
+ return rv;
+ }
+
+ public Result<Void> cacheClear(AuthzTrans trans, String cname,Integer segment) {
+ Result<Void> rv;
+ if (NsDAO.TABLE.equals(cname)) {
+ rv = nsDAO.invalidate(segment);
+ } else if (PermDAO.TABLE.equals(cname)) {
+ rv = permDAO.invalidate(segment);
+ } else if (RoleDAO.TABLE.equals(cname)) {
+ rv = roleDAO.invalidate(segment);
+ } else if (UserRoleDAO.TABLE.equals(cname)) {
+ rv = userRoleDAO.invalidate(segment);
+ } else if (CredDAO.TABLE.equals(cname)) {
+ rv = credDAO.invalidate(segment);
+ } else if (CertDAO.TABLE.equals(cname)) {
+ rv = certDAO.invalidate(segment);
+ } else {
+ rv = Result.err(Status.ERR_BadData, NO_CACHE_NAME, cname);
+ }
+ return rv;
+ }
+
+ private int[] series(int max) {
+ int[] series = new int[max];
+ for (int i = 0; i < max; ++i)
+ series[i] = i;
+ return series;
+ }
+
+ public boolean isDelegated(AuthzTrans trans, String user, String approver) {
+ Result<List<DelegateDAO.Data>> userDelegatedFor = delegateDAO
+ .readByDelegate(trans, user);
+ for (DelegateDAO.Data curr : userDelegatedFor.value) {
+ if (curr.user.equals(approver) && curr.delegate.equals(user)
+ && curr.expires.after(new Date())) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ public static boolean willSpecialLog(AuthzTrans trans, String user) {
+ Boolean b = trans.get(specialLogSlot, null);
+ if(b==null) {
+ if(specialLog==null) {
+ return false;
+ } else {
+ b = specialLog.contains(user);
+ trans.put(specialLogSlot, b);
+ }
+ }
+ return b;
+ }
+
+ public static void logEncryptTrace(AuthzTrans trans, String data) {
+ long ti;
+ trans.put(transIDSlot, ti=nextTraceID());
+ trans.trace().log("id="+Long.toHexString(ti)+",data=\""+trans.env().encryptor().encrypt(data)+'"');
+ }
+
+ private synchronized static long nextTraceID() {
+ return ++traceID;
+ }
+
+ public static synchronized boolean specialLogOn(AuthzTrans trans, String id) {
+ if (specialLog == null) {
+ specialLog = new HashSet<String>();
+ }
+ boolean rc = specialLog.add(id);
+ if(rc) {
+ trans.trace().log("Trace on for",id);
+ }
+ return rc;
+ }
+
+ public static synchronized boolean specialLogOff(AuthzTrans trans, String id) {
+ if(specialLog==null) {
+ return false;
+ }
+ boolean rv = specialLog.remove(id);
+ if (specialLog.isEmpty()) {
+ specialLog = null;
+ }
+ if(rv) {
+ trans.trace().log("Trace off for",id);
+ }
+ return rv;
+ }
+
+ /**
+ * canMove
+ * Which Types can be moved
+ * @param nsType
+ * @return
+ */
+ public boolean canMove(NsType nsType) {
+ boolean rv;
+ switch(nsType) {
+ case DOT:
+ case ROOT:
+ case COMPANY:
+ case UNKNOWN:
+ rv = false;
+ break;
+ default:
+ rv = true;
+ }
+ return rv;
+ }
+
+ public Result<String> isOwnerSponsor(AuthzTrans trans, String user, String ns, Identity mechID) {
+
+ Identity caller;
+ Organization org = trans.org();
+ try {
+ caller = org.getIdentity(trans, user);
+ if(caller==null || !caller.isFound()) {
+ return Result.err(Status.ERR_NotFound,"%s is not a registered %s entity",user,org.getName());
+ }
+ } catch (Exception e) {
+ return Result.err(e);
+ }
+ String sponsor = mechID.responsibleTo();
+ Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_OWNER);
+ boolean isOwner = false;
+ if(rur.isOKhasData()) {for(UserRoleDAO.Data urdd : rur.value){
+ if(urdd.expires.after(new Date())) {
+ isOwner = true;
+ }
+ }};
+ if(!isOwner) {
+ return Result.err(Status.ERR_Policy,"%s is not a current owner of %s",user,ns);
+ }
+
+ if(!caller.id().equals(sponsor)) {
+ return Result.err(Status.ERR_Denied,"%s is not the sponsor of %s",user,mechID.id());
+ }
+ return Result.ok(sponsor);
+ }
+
+ public boolean isAdmin(AuthzTrans trans, String user, String ns) {
+ Date now = new Date();
+ Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+ADMIN);
+ if(rur.isOKhasData()) {for(UserRoleDAO.Data urdd : rur.value){
+ if(urdd.expires.after(now)) {
+ return true;
+ }
+ }};
+ return false;
+ }
+
+ public boolean isOwner(AuthzTrans trans, String user, String ns) {
+ Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_OWNER);
+ Date now = new Date();
+ if(rur.isOKhasData()) {for(UserRoleDAO.Data urdd : rur.value){
+ if(urdd.expires.after(now)) {
+ return true;
+ }
+ }};
+ return false;
+ }
+
+ public int countOwner(AuthzTrans trans, String user, String ns) {
+ Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_OWNER);
+ Date now = new Date();
+ int count = 0;
+ if(rur.isOKhasData()) {for(UserRoleDAO.Data urdd : rur.value){
+ if(urdd.expires.after(now)) {
+ ++count;
+ }
+ }};
+ return count;
+ }
+
+}
|