From ff1417ff60baee231a28272f9a16ef2c9c8ea0a2 Mon Sep 17 00:00:00 2001 From: Instrumental Date: Wed, 29 May 2019 04:58:50 -0500 Subject: Post Init Service Starter minor fixes Remove JU generated garbage files Issue-ID: AAF-835 Change-Id: I476291f1f1140f0640ed49452f8a5dabb28d9c30 Signed-off-by: Instrumental --- .../org/onap/aaf/auth/service/AAF_Service.java | 17 +- .../aaf/auth/service/AuthzCassServiceImpl.java | 384 +++++++-------------- .../org/onap/aaf/auth/service/AuthzService.java | 17 +- .../org/onap/aaf/auth/service/api/API_Creds.java | 1 - .../onap/aaf/auth/service/api/API_UserRole.java | 28 +- .../onap/aaf/auth/service/facade/AuthzFacade.java | 6 +- .../aaf/auth/service/facade/AuthzFacadeImpl.java | 75 +--- .../onap/aaf/auth/service/mapper/Mapper_2_0.java | 1 + 8 files changed, 153 insertions(+), 376 deletions(-) (limited to 'auth/auth-service/src/main') diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java index 90d4744a..6a63907d 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java @@ -25,6 +25,7 @@ import javax.servlet.Filter; import org.onap.aaf.auth.cache.Cache; import org.onap.aaf.auth.dao.CassAccess; +import org.onap.aaf.auth.dao.cass.CacheInfoDAO; import org.onap.aaf.auth.dao.hl.Question; import org.onap.aaf.auth.direct.DirectAAFLur; import org.onap.aaf.auth.direct.DirectAAFUserPass; @@ -96,8 +97,10 @@ public class AAF_Service extends AbsService { // Need Question for Security purposes (direct User/Authz Query in Filter) // Start Background Processing - question = new Question(trans, cluster, CassAccess.KEYSPACE, true); - DirectCertIdentity.set(question.certDAO); + question = new Question(trans, cluster, CassAccess.KEYSPACE); + question.startTimers(env); + + DirectCertIdentity.set(question.certDAO()); // Have AAFLocator object Create DirectLocators for Location needs AbsAAFLocator.setCreator(new DirectLocatorCreator(env, question.locateDAO)); @@ -190,10 +193,20 @@ public class AAF_Service extends AbsService { new DirectRegistrar(access,question.locateDAO, actualPort) }; } + + @Override + public void postStartup(final String hostname, final int port) throws APIException { + try { + CacheInfoDAO.startUpdate(env, aafCon().hman(), aafCon().securityInfo().defSS,hostname,port); + } catch (CadiException | LocatorException e) { + throw new APIException(e); + } + } @Override public void destroy() { Cache.stopTimer(); + CacheInfoDAO.stopUpdate(); if (cluster!=null) { cluster.close(); } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 81a9d5ec..751825c1 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -168,6 +168,7 @@ public class AuthzCassServiceImpl > rlnsd = ques.nsDAO.read(trans, ns); + Result> rlnsd = ques.nsDAO().read(trans, ns); if (rlnsd.notOKorIsEmpty()) { return Result.err(rlnsd); } @@ -318,7 +319,8 @@ public class AuthzCassServiceImpl > rsd = ques.nsDAO.dao().readNsByAttrib(trans, key); + Result> rsd = ques.nsDAO().dao().readNsByAttrib(trans, key); if (rsd.notOK()) { return Result.err(rsd); } @@ -382,7 +384,7 @@ public class AuthzCassServiceImpl > rlnsd = ques.nsDAO.read(trans, ns); + Result> rlnsd = ques.nsDAO().read(trans, ns); if (rlnsd.notOKorIsEmpty()) { return Result.err(rlnsd); } @@ -401,8 +403,8 @@ public class AuthzCassServiceImpl > rlnsd = ques.nsDAO.read(trans, ns); + Result> rlnsd = ques.nsDAO().read(trans, ns); if (rlnsd.notOKorIsEmpty()) { return Result.err(rlnsd); } @@ -451,7 +453,8 @@ public class AuthzCassServiceImpl > rlnd = ques.nsDAO.read(trans, ns); + Result> rlnd = ques.nsDAO().read(trans, ns); if (rlnd.isOK()) { if (rlnd.isEmpty()) { return Result.err(Status.ERR_NotFound, "No data found for %s",ns); @@ -563,7 +565,7 @@ public class AuthzCassServiceImpl > loadNamepace(AuthzTrans trans, String user, String endsWith, boolean full) { - Result> urd = ques.userRoleDAO.readByUser(trans, user); + Result> urd = ques.userRoleDAO().readByUser(trans, user); if (urd.notOKorIsEmpty()) { return Result.err(urd); } @@ -679,7 +681,7 @@ public class AuthzCassServiceImpl lm = new HashSet<>(); - Result> rlnd = ques.nsDAO.dao().getChildren(trans, parent); + Result> rlnd = ques.nsDAO().dao().getChildren(trans, parent); if (rlnd.isOK()) { if (rlnd.isEmpty()) { return Result.err(Status.ERR_NotFound, "No data found for %s",parent); @@ -727,7 +729,7 @@ public class AuthzCassServiceImpl > rlnd = ques.nsDAO.read(trans, namespace.name); + Result> rlnd = ques.nsDAO().read(trans, namespace.name); if (rlnd.notOKorIsEmpty()) { return Result.err(Status.ERR_NotFound, "Namespace [%s] does not exist",namespace.name); @@ -737,7 +739,7 @@ public class AuthzCassServiceImpl rdr = ques.nsDAO.dao().addDescription(trans, namespace.name, namespace.description); + Result rdr = ques.nsDAO().dao().addDescription(trans, namespace.name, namespace.description); if (rdr.isOK()) { return Result.ok(); } else { @@ -797,6 +799,12 @@ public class AuthzCassServiceImpl createPerm(final AuthzTrans trans,REQUEST rreq) { final Result newPd = mapper.perm(trans, rreq); + // Does Perm Type exist as a Namespace? + if(newPd.value.type.isEmpty() || ques.nsDAO().read(trans, newPd.value.fullType()).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Permission Type exists as a Namespace"); + } + final ServiceValidator v = new ServiceValidator(); if (v.perm(newPd).err()) { return Result.err(Status.ERR_BadData,v.errs()); @@ -822,7 +830,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, newPd.value.ns); + Result> nsr = ques.nsDAO().read(trans, newPd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1138,7 +1146,7 @@ public class AuthzCassServiceImpl > rlpd = ques.permDAO.readNS(trans, ns); + Result> rlpd = ques.permDAO().readNS(trans, ns); if (rlpd.notOK()) { return Result.err(rlpd); } @@ -1176,7 +1184,7 @@ public class AuthzCassServiceImpl nss = ques.deriveNsSplit(trans, origType); - Result> origRlpd = ques.permDAO.read(trans, nss.value.ns, nss.value.name, origInstance, origAction); + Result> origRlpd = ques.permDAO().read(trans, nss.value.ns, nss.value.name, origInstance, origAction); if (origRlpd.notOKorIsEmpty()) { return Result.err(Status.ERR_PermissionNotFound, @@ -1235,7 +1243,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, pd.value.ns); + Result> nsr = ques.nsDAO().read(trans, pd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } - Result rdr = ques.permDAO.addDescription(trans, perm.ns, perm.type, perm.instance, + Result rdr = ques.permDAO().addDescription(trans, perm.ns, perm.type, perm.instance, perm.action, perm.description); if (rdr.isOK()) { return Result.ok(); @@ -1287,7 +1295,7 @@ public class AuthzCassServiceImpl > rcurr = ques.permDAO.read(trans, + Result> rcurr = ques.permDAO().read(trans, updt.value.ns, updt.value.type, updt.value.instance, @@ -1321,7 +1329,7 @@ public class AuthzCassServiceImpl key = RoleDAO.Data.decode(trans, ques, role); if (key.isOKhasData()) { - Result> rrd = ques.roleDAO.read(trans, key.value); + Result> rrd = ques.roleDAO().read(trans, key.value); if (rrd.isOKhasData()) { for (RoleDAO.Data r : rrd.value) { rv = func.addPermToRole(trans, r, curr, false); @@ -1341,7 +1349,7 @@ public class AuthzCassServiceImpl key = RoleDAO.Data.decode(trans, ques, role); if (key.isOKhasData()) { - Result> rdd = ques.roleDAO.read(trans, key.value); + Result> rdd = ques.roleDAO().read(trans, key.value); if (rdd.isOKhasData()) { for (RoleDAO.Data r : rdd.value) { rv = func.delPermFromRole(trans, r, curr, true); @@ -1380,7 +1388,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, perm.ns); + Result> nsr = ques.nsDAO().read(trans, perm.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1483,12 +1491,17 @@ public class AuthzCassServiceImpl createRole(final AuthzTrans trans, REQUEST from) { final Result rd = mapper.role(trans, from); + // Does Perm Type exist as a Namespace? + if(rd.value.name.isEmpty() || ques.nsDAO().read(trans, rd.value.fullName()).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Role exists as a Namespace"); + } final ServiceValidator v = new ServiceValidator(); if (v.role(rd).err()) { return Result.err(Status.ERR_BadData,v.errs()); } final RoleDAO.Data role = rd.value; - if (ques.roleDAO.read(trans, role.ns, role.name).isOKhasData()) { + if (ques.roleDAO().read(trans, role.ns, role.name).isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "Role [" + role.fullName() + "] already exists"); } @@ -1512,7 +1525,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rd.value.ns); + Result> nsr = ques.nsDAO().read(trans, rd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1529,7 +1542,7 @@ public class AuthzCassServiceImpl rdr = ques.roleDAO.create(trans, role); + Result rdr = ques.roleDAO().create(trans, role); if (rdr.isOK()) { return Result.ok(); } else { @@ -1608,10 +1621,10 @@ public class AuthzCassServiceImpl > rlrd; - Result> rlurd = ques.userRoleDAO.readByUser(trans, user); + Result> rlurd = ques.userRoleDAO().readByUser(trans, user); if (rlurd.isOKhasData()) { for (UserRoleDAO.Data urd : rlurd.value ) { - rlrd = ques.roleDAO.read(trans, urd.ns,urd.rname); + rlrd = ques.roleDAO().read(trans, urd.ns,urd.rname); // Note: Mapper will restrict what can be viewed // if user is the same as that which is looked up, no filtering is required if (rlrd.isOKhasData()) { @@ -1658,7 +1671,7 @@ public class AuthzCassServiceImpl > rlrd = ques.roleDAO.readNS(trans, ns); + Result> rlrd = ques.roleDAO().readNS(trans, ns); if (rlrd.isOK()) { if (!rlrd.isEmpty()) { // Note: Mapper doesn't need to restrict what can be viewed, because we did it already. @@ -1700,7 +1713,7 @@ public class AuthzCassServiceImpl > rlrd = ques.roleDAO.readName(trans, name); + Result> rlrd = ques.roleDAO().readName(trans, name); if (rlrd.isOK()) { if (!rlrd.isEmpty()) { // Note: Mapper will restrict what can be viewed @@ -1757,13 +1770,13 @@ public class AuthzCassServiceImpl > pdlr = ques.permDAO.read(trans, pdd); + Result> pdlr = ques.permDAO().read(trans, pdd); if (pdlr.isOK())for (PermDAO.Data pd : pdlr.value) { Result> rlrd; for (String r : pd.roles) { Result rs = RoleDAO.Data.decodeToArray(trans, ques, r); if (rs.isOK()) { - rlrd = ques.roleDAO.read(trans, rs.value[0],rs.value[1]); + rlrd = ques.roleDAO().read(trans, rs.value[0],rs.value[1]); // Note: Mapper will restrict what can be viewed if (rlrd.isOKhasData()) { mapper.roles(trans,rlrd.value,roles,true); @@ -1799,7 +1812,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rd.value.ns); + Result> nsr = ques.nsDAO().read(trans, rd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } - Result rdr = ques.roleDAO.addDescription(trans, role.ns, role.name, role.description); + Result rdr = ques.roleDAO().addDescription(trans, role.ns, role.name, role.description); if (rdr.isOK()) { return Result.ok(); } else { @@ -1861,13 +1874,13 @@ public class AuthzCassServiceImpl > rlrd = ques.roleDAO.read(trans, rrd.value.ns, rrd.value.name); + Result> rlrd = ques.roleDAO().read(trans, rrd.value.ns, rrd.value.name); if (rlrd.notOKorIsEmpty()) { return Result.err(Status.ERR_RoleNotFound, "Role [%s] does not exist", rrd.value.fullName()); } // Check Status of Data in DB (does it exist) - Result> rlpd = ques.permDAO.read(trans, rpd.value.ns, + Result> rlpd = ques.permDAO().read(trans, rpd.value.ns, rpd.value.type, rpd.value.instance, rpd.value.action); PermDAO.Data createPerm = null; // if not null, create first if (rlpd.notOKorIsEmpty()) { // Permission doesn't exist @@ -1908,7 +1921,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rpd.value.ns); + Result> nsr = ques.nsDAO().read(trans, rpd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -1980,7 +1993,7 @@ public class AuthzCassServiceImpl delPermFromRole(final AuthzTrans trans, PermDAO.Data pdd, RoleDAO.Data rdd, REQUEST rreq) { - Result> rlpd = ques.permDAO.read(trans, pdd.ns, pdd.type, + Result> rlpd = ques.permDAO().read(trans, pdd.ns, pdd.type, pdd.instance, pdd.action); if (rlpd.notOKorIsEmpty()) { @@ -2007,7 +2020,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, pdd.ns); + Result> nsr = ques.nsDAO().read(trans, pdd.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2070,12 +2083,12 @@ public class AuthzCassServiceImpl > rrd = ques.roleDAO.read(trans, rrns.value.parent, rrns.value.name); + final Result> rrd = ques.roleDAO().read(trans, rrns.value.parent, rrns.value.name); if (rrd.notOKorIsEmpty()) { return Result.err(rrd); } - final Result> rpd = ques.permDAO.read(trans, rpns.value.parent, rpns.value.name, instance, action); + final Result> rpd = ques.permDAO().read(trans, rpns.value.parent, rpns.value.name, instance, action); if (rpd.notOKorIsEmpty()) { return Result.err(rpd); } @@ -2131,7 +2144,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rd.value.ns); + Result> nsr = ques.nsDAO().read(trans, rd.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2299,7 +2312,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rcred.value.ns); + Result> nsr = ques.nsDAO().read(trans, rcred.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(Status.ERR_NsNotFound,"Cannot provision %s on non-existent Namespace %s",mechID.id(),rcred.value.ns); } @@ -2309,7 +2322,7 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readID(trans, rcred.value.id); + Result> rlcd = ques.credDAO().readID(trans, rcred.value.id); if (rlcd.isOKhasData()) { if (!org.canHaveMultipleCreds(rcred.value.id)) { return Result.err(Status.ERR_ConflictAlreadyExists, "Credential exists"); @@ -2335,7 +2348,7 @@ public class AuthzCassServiceImpl udr = ques.credDAO.create(trans, rcred.value); + Resultudr = ques.credDAO().create(trans, rcred.value); if (udr.isOK()) { return Result.ok(); } @@ -2442,7 +2455,7 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readNS(trans, ns); + Result> rlcd = ques.credDAO().readNS(trans, ns); if (rlcd.isOK()) { if (!rlcd.isEmpty()) { @@ -2489,7 +2502,7 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readID(trans, id); + Result> rlcd = ques.credDAO().readID(trans, id); if (rlcd.isOK()) { if (!rlcd.isEmpty()) { @@ -2519,7 +2532,7 @@ public class AuthzCassServiceImpl > rlcd = ques.certDAO.readID(trans, id); + Result> rlcd = ques.certDAO().readID(trans, id); if (rlcd.isOK()) { if (!rlcd.isEmpty()) { @@ -2560,7 +2573,7 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readID(trans, rcred.value.id); + Result> rlcd = ques.credDAO().readID(trans, rcred.value.id); if (rlcd.notOKorIsEmpty()) { return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); } @@ -2592,7 +2605,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, rcred.value.ns); + Result> nsr = ques.nsDAO().read(trans, rcred.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2634,9 +2647,9 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readID(trans, cred.value.id); + Result> rlcd = ques.credDAO().readID(trans, cred.value.id); if (rlcd.notOKorIsEmpty()) { return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); } @@ -2735,7 +2748,7 @@ public class AuthzCassServiceImpl > rlcd = ques.credDAO.readID(trans, cred.value.id); + Result> rlcd = ques.credDAO().readID(trans, cred.value.id); if (rlcd.notOKorIsEmpty()) { // Empty Creds should have no user_roles. - Result> rlurd = ques.userRoleDAO.readByUser(trans, cred.value.id); + Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO.delete(trans, data, false); + ques.userRoleDAO().delete(trans, data, false); } } return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); @@ -2859,7 +2872,7 @@ public class AuthzCassServiceImpl > nsr = ques.nsDAO.read(trans, cred.value.ns); + Result> nsr = ques.nsDAO().read(trans, cred.value.ns); if (nsr.notOKorIsEmpty()) { return Result.err(nsr); } @@ -2880,20 +2893,20 @@ public class AuthzCassServiceImpl = rlcd.value.size()) { return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); } - udr = ques.credDAO.delete(trans, rlcd.value.get(entry),false); + udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false); } else { for (CredDAO.Data curr : rlcd.value) { - udr = ques.credDAO.delete(trans, curr, false); + udr = ques.credDAO().delete(trans, curr, false); if (udr.notOK()) { return Result.err(udr); } } } if (isLastCred) { - Result> rlurd = ques.userRoleDAO.readByUser(trans, cred.value.id); + Result> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO.delete(trans, data, false); + ques.userRoleDAO().delete(trans, data, false); } } } @@ -3094,7 +3107,7 @@ public class AuthzCassServiceImpl userSet = new HashSet<>(); - Result> rlurd = ques.userRoleDAO.readByRole(trans, role); + Result> rlurd = ques.userRoleDAO().readByRole(trans, role); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { userSet.add(data); @@ -3127,7 +3140,7 @@ public class AuthzCassServiceImpl > rlurd = ques.userRoleDAO.readByUser(trans, user); + Result> rlurd = ques.userRoleDAO().readByUser(trans, user); if (rlurd.notOK()) { return Result.err(rlurd); } @@ -3188,172 +3201,9 @@ public class AuthzCassServiceImpl resetRolesForUser(AuthzTrans trans, REQUEST rreq) { - Result rurdd = mapper.userRole(trans, rreq); - final ServiceValidator v = new ServiceValidator(); - if (rurdd.notOKorIsEmpty()) { - return Result.err(rurdd); - } - if (v.user(trans.org(), rurdd.value.user).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - - Set currRoles = new HashSet<>(); - Result> rlurd = ques.userRoleDAO.readByUser(trans, rurdd.value.user); - if (rlurd.isOK()) { - for (UserRoleDAO.Data data : rlurd.value) { - currRoles.add(data.role); - } - } - - Result rv = null; - String[] roles; - if (rurdd.value.role==null) { - roles = new String[0]; - } else { - roles = rurdd.value.role.split(","); - } - - for (String role : roles) { - if (v.role(role).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - Result rrdd = RoleDAO.Data.decode(trans, ques, role); - if (rrdd.notOK()) { - return Result.err(rrdd); - } - - rurdd.value.role(rrdd.value); - - Result nsd = ques.mayUser(trans, trans.user(), rrdd.value,Access.write); - if (nsd.notOK()) { - return Result.err(nsd); - } - Result nsr = ques.deriveNs(trans, role); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - - if (currRoles.contains(role)) { - currRoles.remove(role); - } else { - rv = func.addUserRole(trans, rurdd.value); - if (rv.notOK()) { - return rv; - } - } - } - - for (String role : currRoles) { - rurdd.value.role(trans,ques,role); - rv = ques.userRoleDAO.delete(trans, rurdd.value, false); - if (rv.notOK()) { - trans.info().log(rurdd.value.user,"/",rurdd.value.role, "expected to be deleted, but does not exist"); - // return rv; // if it doesn't exist, don't error out - } - - } - - return Result.ok(); - - } - - @ApiDoc( - method = PUT, - path = "/authz/userRole/role", - params = {}, - expectedCode = 200, - errorCodes = {403,404,406}, - text = { "Set a Role's users to the users specified in the UserRoleRequest object.", - "WARNING: Users supplied will be the ONLY users attached to this role", - "If no users are supplied, role's users are reset." - } - ) - @Override - public Result resetUsersForRole(AuthzTrans trans, REQUEST rreq) { - Result rurdd = mapper.userRole(trans, rreq); - if (rurdd.notOKorIsEmpty()) { - return Result.err(rurdd); - } - final ServiceValidator v = new ServiceValidator(); - if (v.user_role(rurdd.value).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - - RoleDAO.Data rd = RoleDAO.Data.decode(rurdd.value); - - Result nsd = ques.mayUser(trans, trans.user(), rd, Access.write); - if (nsd.notOK()) { - return Result.err(nsd); - } - - Result nsr = ques.deriveNs(trans, rurdd.value.role); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - - Set currUsers = new HashSet<>(); - Result> rlurd = ques.userRoleDAO.readByRole(trans, rurdd.value.role); - if (rlurd.isOK()) { - for (UserRoleDAO.Data data : rlurd.value) { - currUsers.add(data.user); - } - } - - // found when connected remotely to DEVL, can't replicate locally - // inconsistent errors with cmd: role user setTo [nothing] - // deleteUserRole --> read --> get --> cacheIdx(?) - // sometimes returns idx for last added user instead of user passed in - // cache bug? - - - Result rv = null; - String[] users = {}; - if (rurdd.value.user != null) { - users = rurdd.value.user.split(","); - } - - for (String user : users) { - if (v.user(trans.org(), user).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - rurdd.value.user = user; - - if (currUsers.contains(user)) { - currUsers.remove(user); - } else { - rv = func.addUserRole(trans, rurdd.value); - if (rv.notOK()) { - return rv; - } - } - } - - for (String user : currUsers) { - rurdd.value.user = user; - rv = ques.userRoleDAO.delete(trans, rurdd.value, false); - if (rv.notOK()) { - trans.info().log(rurdd.value, "expected to be deleted, but not exists"); - return rv; - } - } - - return Result.ok(); - } + - @ApiDoc( + @ApiDoc( method = GET, path = "/authz/userRole/extend/:user/:role", params = { "user|string|true", @@ -3386,7 +3236,7 @@ public class AuthzCassServiceImpl > rr = ques.userRoleDAO.read(trans, user,role); + Result> rr = ques.userRoleDAO().read(trans, user,role); if (rr.notOK()) { return Result.err(rr); } @@ -3461,7 +3311,7 @@ public class AuthzCassServiceImpl > rulr; - if ((rulr=ques.userRoleDAO.read(trans, usr, role)).notOKorIsEmpty()) { + if ((rulr=ques.userRoleDAO().read(trans, usr, role)).notOKorIsEmpty()) { return Result.err(Status.ERR_UserRoleNotFound, "User [ "+usr+" ] is not " + "Assigned to the Role [ " + role + " ]"); } @@ -3485,7 +3335,7 @@ public class AuthzCassServiceImpl userSet = new HashSet<>(); - Result> rlurd = ques.userRoleDAO.readUserInRole(trans, user, role); + Result> rlurd = ques.userRoleDAO().readUserInRole(trans, user, role); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { userSet.add(data); @@ -3573,7 +3423,7 @@ public class AuthzCassServiceImpl userSet = new HashSet<>(); - Result> rlurd = ques.userRoleDAO.readByRole(trans, role); + Result> rlurd = ques.userRoleDAO().readByRole(trans, role); if (rlurd.isOK()) { for (UserRoleDAO.Data data : rlurd.value) { if (contactOnly) { //scrub data @@ -3626,7 +3476,7 @@ public class AuthzCassServiceImpl > nsd = ques.nsDAO.read(trans, nss.value.ns); + Result> nsd = ques.nsDAO().read(trans, nss.value.ns); if (nsd.notOK()) { return Result.err(nsd); } @@ -3640,7 +3490,7 @@ public class AuthzCassServiceImpl userSet = new HashSet<>(); if (!nss.isEmpty()) { - Result> rlp = ques.permDAO.readByType(trans, nss.value.ns, nss.value.name); + Result> rlp = ques.permDAO().readByType(trans, nss.value.ns, nss.value.name); if (rlp.isOKhasData()) { for (PermDAO.Data pd : rlp.value) { if ((allInstance || pd.instance.equals(instance)) && @@ -3649,7 +3499,7 @@ public class AuthzCassServiceImpl > rlurd = ques.userRoleDAO.readByRole(trans, role.replace('|', '.')); + Result> rlurd = ques.userRoleDAO().readByRole(trans, role.replace('|', '.')); if (rlurd.isOKhasData()) { for (UserRoleDAO.Data urd : rlurd.value) { userSet.add(urd); @@ -3703,7 +3553,7 @@ public class AuthzCassServiceImpl > resp = ques.historyDAO.readByUser(trans, user, yyyymm); + Result> resp = ques.historyDAO().readByUser(trans, user, yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3726,7 +3576,7 @@ public class AuthzCassServiceImpl > resp = ques.historyDAO.readBySubject(trans, role, "role", yyyymm); + Result> resp = ques.historyDAO().readBySubject(trans, role, "role", yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3751,7 +3601,7 @@ public class AuthzCassServiceImpl > resp = ques.historyDAO.readBySubject(trans, type, "perm", yyyymm); + Result> resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3775,7 +3625,7 @@ public class AuthzCassServiceImpl > resp = ques.historyDAO.readBySubject(trans, ns, "ns", yyyymm); + Result> resp = ques.historyDAO().readBySubject(trans, ns, "ns", yyyymm); if (resp.notOK()) { return Result.err(resp); } @@ -3805,7 +3655,7 @@ public class AuthzCassServiceImpl > ddr = ques.delegateDAO.read(trans, dd); + Result> ddr = ques.delegateDAO().read(trans, dd); if (access==Access.create && ddr.isOKhasData()) { return Result.err(Status.ERR_ConflictAlreadyExists, "[%s] already delegates to [%s]", dd.user, ddr.value.get(0).delegate); } else if (access!=Access.create && ddr.notOKorIsEmpty()) { @@ -3845,14 +3695,14 @@ public class AuthzCassServiceImpl rdr = ques.delegateDAO.create(trans, dd); + Result rdr = ques.delegateDAO().create(trans, dd); if (rdr.isOK()) { return Result.ok(); } else { return Result.err(rdr); } } else { - return ques.delegateDAO.update(trans, dd); + return ques.delegateDAO().update(trans, dd); } default: return Result.err(fd); @@ -3868,7 +3718,7 @@ public class AuthzCassServiceImpl > ddl; - if ((ddl=ques.delegateDAO.read(trans, rd.value)).notOKorIsEmpty()) { + if ((ddl=ques.delegateDAO().read(trans, rd.value)).notOKorIsEmpty()) { return Result.err(Status.ERR_DelegateNotFound,"Cannot delete non-existent Delegate"); } final DelegateDAO.Data dd = ddl.value.get(0); @@ -3877,7 +3727,7 @@ public class AuthzCassServiceImpl > ddl; - if ((ddl=ques.delegateDAO.read(trans, dd)).notOKorIsEmpty()) { + if ((ddl=ques.delegateDAO().read(trans, dd)).notOKorIsEmpty()) { return Result.err(Status.ERR_DelegateNotFound,"Cannot delete non-existent Delegate"); } dd = ddl.value.get(0); @@ -3898,7 +3748,7 @@ public class AuthzCassServiceImpl > dbDelgs = ques.delegateDAO.read(trans, user); + Result> dbDelgs = ques.delegateDAO().read(trans, user); try { if (dbDelgs.isOKhasData()) { return mapper.delegate(dbDelgs.value); @@ -3946,7 +3796,7 @@ public class AuthzCassServiceImpl > dbDelgs = ques.delegateDAO.readByDelegate(trans, delegate); + Result> dbDelgs = ques.delegateDAO().readByDelegate(trans, delegate); try { if (dbDelgs.isOKhasData()) { return mapper.delegate(dbDelgs.value); @@ -3979,16 +3829,16 @@ public class AuthzCassServiceImpl > apprByTicket=null; for (ApprovalDAO.Data updt : rlad.value) { if (updt.ticket!=null) { - curr = ques.approvalDAO.readByTicket(trans, updt.ticket); + curr = ques.approvalDAO().readByTicket(trans, updt.ticket); if (curr.isOKhasData()) { final List add = curr.value; // Store a Pre-Lookup apprByTicket = (trans1, noop) -> add; } } else if (updt.id!=null) { - curr = ques.approvalDAO.read(trans, updt); + curr = ques.approvalDAO().read(trans, updt); } else if (updt.approver!=null) { - curr = ques.approvalDAO.readByApprover(trans, updt.approver); + curr = ques.approvalDAO().readByApprover(trans, updt.approver); } else { return Result.err(Status.ERR_BadData,"Approvals need ID, Ticket or Approval data to update"); } @@ -4024,7 +3874,7 @@ public class AuthzCassServiceImpl rfdd = ques.futureDAO.readPrimKey(trans, cd.ticket); + Result rfdd = ques.futureDAO().readPrimKey(trans, cd.ticket); if (rfdd.isOK()) { fdd = rfdd.value; // null is ok } else { @@ -4067,7 +3917,7 @@ public class AuthzCassServiceImpl > rapd = ques.approvalDAO.readByUser(trans, user); + Result> rapd = ques.approvalDAO().readByUser(trans, user); if (rapd.isOK()) { return mapper.approvals(rapd.value); } else { @@ -4131,7 +3981,7 @@ public class AuthzCassServiceImpl > rapd = ques.approvalDAO.readByTicket(trans, uuid); + Result> rapd = ques.approvalDAO().readByTicket(trans, uuid); if (rapd.isOK()) { return mapper.approvals(rapd.value); } else { @@ -4148,19 +3998,19 @@ public class AuthzCassServiceImpl listRapds = new ArrayList<>(); - Result> myRapd = ques.approvalDAO.readByApprover(trans, approver); + Result> myRapd = ques.approvalDAO().readByApprover(trans, approver); if (myRapd.notOK()) { return Result.err(myRapd); } listRapds.addAll(myRapd.value); - Result> delegatedFor = ques.delegateDAO.readByDelegate(trans, approver); + Result> delegatedFor = ques.delegateDAO().readByDelegate(trans, approver); if (delegatedFor.isOK()) { for (DelegateDAO.Data dd : delegatedFor.value) { if (dd.expires.after(new Date())) { String delegator = dd.user; - Result> rapd = ques.approvalDAO.readByApprover(trans, delegator); + Result> rapd = ques.approvalDAO().readByApprover(trans, delegator); if (rapd.isOK()) { for (ApprovalDAO.Data d : rapd.value) { if (!d.user.equals(trans.user())) { @@ -4210,7 +4060,7 @@ public class AuthzCassServiceImpl getUserRolesByUser(AuthzTrans trans, String user); - /** - * - * @param trans - * @param from - * @return - */ - public Result resetRolesForUser(AuthzTrans trans, REQUEST from); - - /** - * - * @param trans - * @param from - * @return + /* + * Note: Removed "resetRolesForUsers" because it was too dangerous, and + * removed "resetUsersForRoles" because it was being misused. */ - public Result resetUsersForRole(AuthzTrans trans, REQUEST from); /** * diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java index 7a028c91..c8bae9f0 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java @@ -112,7 +112,6 @@ public class API_Creds { decoded.substring(0,colon), CredVal.Type.PASSWORD , decoded.substring(colon+1).getBytes(),trans)) { - resp.setStatus(HttpStatus.OK_200); } else { // DME2 at this version crashes without some sort of response diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java index 7937a184..a56b7c26 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java @@ -104,21 +104,17 @@ public class API_UserRole { } }); - + /* TODO + * REMOVE dangerous resetUsersForRole and resetRolesForUser APIs + */ + final Result removeAPI = Result.err(Result.ERR_NotFound,"API Removed, use /authz/userRole instead."); /** * Update roles attached to user in path */ authzAPI.route(PUT,"/authz/userRole/user",API.USER_ROLE_REQ,new Code(facade,"Update Roles for a user", true) { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - Result r = context.resetRolesForUser(trans, resp, req); - switch(r.status) { - case OK: - resp.setStatus(HttpStatus.OK_200); - break; - default: - context.error(trans,resp,r); - } + context.error(trans,resp,removeAPI); } }); @@ -129,16 +125,14 @@ public class API_UserRole { authzAPI.route(PUT,"/authz/userRole/role",API.USER_ROLE_REQ,new Code(facade,"Update Users for a role", true) { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - Result r = context.resetUsersForRole(trans, resp, req); - switch(r.status) { - case OK: - resp.setStatus(HttpStatus.OK_200); - break; - default: - context.error(trans,resp,r); - } + context.error(trans,resp,removeAPI); } }); + + /* + * END REMOVE Dangerous API + */ + /** * Extend Expiration Date (according to Organizational rules) diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java index a08e958f..463de35f 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java @@ -210,10 +210,10 @@ public interface AuthzFacade { public abstract Result getUserRolesByUser(AuthzTrans trans, HttpServletResponse resp, String user); public abstract Result deleteUserRole(AuthzTrans trans, HttpServletResponse resp, String user, String role); - - public abstract Result resetUsersForRole(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req); - public abstract Result resetRolesForUser(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req); + /* + * resetUsersForRoles and resetRolesForUsers is too dangerous and not helpful. + */ public abstract Result extendUserRoleExpiration(AuthzTrans trans, HttpServletResponse resp, String user, String role); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java index a2fb2209..02fa842f 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java @@ -66,9 +66,9 @@ import org.onap.aaf.auth.service.mapper.Mapper.API; import org.onap.aaf.cadi.aaf.client.Examples; import org.onap.aaf.misc.env.APIException; import org.onap.aaf.misc.env.Data; +import org.onap.aaf.misc.env.Data.TYPE; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; -import org.onap.aaf.misc.env.Data.TYPE; import org.onap.aaf.misc.env.util.Chrono; import org.onap.aaf.misc.rosetta.Marshal; import org.onap.aaf.misc.rosetta.env.RosettaDF; @@ -1939,8 +1939,8 @@ public abstract class AuthzFacadeImpl resetUsersForRole(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req) { - TimeTaken tt = trans.start(SET_USERS_FOR_ROLE, Env.SUB|Env.ALWAYS); - try { - REQUEST rreq; - try { - RosettaData data = userRoleRequestDF.newData().load(req.getInputStream()); - if (Question.willSpecialLog(trans, trans.user())) { - Question.logEncryptTrace(trans,data.asString()); - } - rreq = data.asObject(); - } catch (APIException e) { - trans.error().log("Invalid Input",IN, SET_USERS_FOR_ROLE); - return Result.err(Status.ERR_BadData,"Invalid Input"); - } - - Result rp = service.resetUsersForRole(trans, rreq); - - switch(rp.status) { - case OK: - setContentType(resp,permsDF.getOutType()); - return Result.ok(); - default: - return Result.err(rp); - } - } catch (Exception e) { - trans.error().log(e,IN,SET_USERS_FOR_ROLE); - return Result.err(e); - } finally { - tt.done(); - } - - } - - @Override - public Result resetRolesForUser(AuthzTrans trans, HttpServletResponse resp, HttpServletRequest req) { - TimeTaken tt = trans.start(SET_ROLES_FOR_USER, Env.SUB|Env.ALWAYS); - try { - REQUEST rreq; - try { - RosettaData data = userRoleRequestDF.newData().load(req.getInputStream()); - if (Question.willSpecialLog(trans, trans.user())) { - Question.logEncryptTrace(trans,data.asString()); - } - - rreq = data.asObject(); - } catch (APIException e) { - trans.error().log("Invalid Input",IN, SET_ROLES_FOR_USER); - return Result.err(Status.ERR_BadData,"Invalid Input"); - } - - Result rp = service.resetRolesForUser(trans, rreq); - - switch(rp.status) { - case OK: - setContentType(resp,permsDF.getOutType()); - return Result.ok(); - default: - return Result.err(rp); - } - } catch (Exception e) { - trans.error().log(e,IN,SET_ROLES_FOR_USER); - return Result.err(e); - } finally { - tt.done(); - } - - } - /* (non-Javadoc) * @see com.att.authz.facade.AuthzFacade#extendUserRoleExpiration(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String, java.lang.String) */ diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java index 2d322390..72a24d21 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java @@ -541,6 +541,7 @@ public class Mapper_2_0 implements Mapper