org.apache.ranger.biz.UserMgr.java Source code

Java tutorial

Introduction

Here is the source code for org.apache.ranger.biz.UserMgr.java

Source

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.ranger.biz;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;

import javax.persistence.Query;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.common.AppConstants;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.DateUtil;
import org.apache.ranger.common.GUIDUtil;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerCommonEnums;
import org.apache.ranger.common.RangerConfigUtil;
import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.common.SearchCriteria;
import org.apache.ranger.common.SearchUtil;
import org.apache.ranger.common.StringUtil;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXGroupPermission;
import org.apache.ranger.entity.XXPortalUser;
import org.apache.ranger.entity.XXPortalUserRole;
import org.apache.ranger.entity.XXTrxLog;
import org.apache.ranger.entity.XXUserPermission;
import org.apache.ranger.service.XGroupPermissionService;
import org.apache.ranger.service.XPortalUserService;
import org.apache.ranger.service.XUserPermissionService;
import org.apache.ranger.view.VXGroupPermission;
import org.apache.ranger.view.VXPasswordChange;
import org.apache.ranger.view.VXPortalUser;
import org.apache.ranger.view.VXPortalUserList;
import org.apache.ranger.view.VXResponse;
import org.apache.ranger.view.VXString;
import org.apache.ranger.view.VXUserPermission;
import org.apache.velocity.Template;
import org.apache.velocity.app.VelocityEngine;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;

@Component
public class UserMgr {

    static final Logger logger = Logger.getLogger(UserMgr.class);
    private static final Md5PasswordEncoder md5Encoder = new Md5PasswordEncoder();
    private static final ShaPasswordEncoder sha256Encoder = new ShaPasswordEncoder(256);
    @Autowired
    RangerDaoManager daoManager;

    @Autowired
    RESTErrorUtil restErrorUtil;

    @Autowired
    StringUtil stringUtil;

    @Autowired
    SearchUtil searchUtil;

    @Autowired
    RangerBizUtil msBizUtil;

    @Autowired
    SessionMgr sessionMgr;

    @Autowired
    VelocityEngine velocityEngine;
    Template t;

    @Autowired
    DateUtil dateUtil;

    @Autowired
    RangerConfigUtil configUtil;

    @Autowired
    XPortalUserService xPortalUserService;

    @Autowired
    XUserPermissionService xUserPermissionService;

    @Autowired
    XGroupPermissionService xGroupPermissionService;

    @Autowired
    XUserMgr xUserMgr;

    @Autowired
    GUIDUtil guidUtil;

    String publicRoles[] = new String[] { RangerConstants.ROLE_USER, RangerConstants.ROLE_OTHER };

    private static final List<String> DEFAULT_ROLE_LIST = new ArrayList<String>(1);

    private static final List<String> VALID_ROLE_LIST = new ArrayList<String>(2);

    static {
        DEFAULT_ROLE_LIST.add(RangerConstants.ROLE_USER);
        VALID_ROLE_LIST.add(RangerConstants.ROLE_SYS_ADMIN);
        VALID_ROLE_LIST.add(RangerConstants.ROLE_USER);
        VALID_ROLE_LIST.add(RangerConstants.ROLE_KEY_ADMIN);
    }

    public UserMgr() {
        if (logger.isDebugEnabled()) {
            logger.debug("UserMgr()");
        }
    }

    public XXPortalUser createUser(VXPortalUser userProfile, int userStatus, Collection<String> userRoleList) {
        XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile);
        checkAdminAccess();
        user = createUser(user, userStatus, userRoleList);

        return user;
    }

    public XXPortalUser createUser(XXPortalUser user, int userStatus, Collection<String> userRoleList) {
        user.setStatus(userStatus);
        String saltEncodedpasswd = encrypt(user.getLoginId(), user.getPassword());
        user.setPassword(saltEncodedpasswd);
        user = daoManager.getXXPortalUser().create(user);

        // Create the UserRole for this user
        List<XXPortalUserRole> gjUserRoleList = new ArrayList<XXPortalUserRole>();
        if (userRoleList != null) {
            for (String userRole : userRoleList) {
                XXPortalUserRole gjUserRole = addUserRole(user.getId(), userRole);
                if (gjUserRole != null) {
                    gjUserRoleList.add(gjUserRole);
                }
            }
        }

        return user;
    }

    public XXPortalUser createUser(VXPortalUser userProfile, int userStatus) {
        ArrayList<String> roleList = new ArrayList<String>();
        Collection<String> reqRoleList = userProfile.getUserRoleList();
        if (reqRoleList != null && reqRoleList.size() > 0) {
            for (String role : reqRoleList) {
                roleList.add(role);
            }
        } else {
            roleList.add(RangerConstants.ROLE_USER);
        }

        return createUser(userProfile, userStatus, roleList);
    }

    /**
     * @param userProfile
     * @return
     */
    public XXPortalUser updateUser(VXPortalUser userProfile) {
        XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userProfile.getId());

        if (gjUser == null) {
            logger.error("updateUser(). User not found. userProfile=" + userProfile);
            return null;
        }

        checkAccess(gjUser);

        boolean updateUser = false;
        // Selectively update fields

        // status
        if (userProfile.getStatus() != gjUser.getStatus()) {
            updateUser = true;
        }

        // Allowing email address update even when its set to empty.
        // emailAddress
        String emailAddress = userProfile.getEmailAddress();
        if (stringUtil.isEmpty(emailAddress)) {
            userProfile.setEmailAddress(null);
            updateUser = true;
        } else {
            if (stringUtil.validateEmail(emailAddress)) {
                XXPortalUser checkUser = daoManager.getXXPortalUser().findByEmailAddress(emailAddress);
                if (checkUser != null) {
                    String loginId = userProfile.getLoginId();
                    if (loginId == null) {
                        throw restErrorUtil.createRESTException("Invalid user, please provide valid " + "username.",
                                MessageEnums.INVALID_INPUT_DATA);
                    } else if (!loginId.equals(checkUser.getLoginId())) {
                        throw restErrorUtil.createRESTException(
                                "The email address " + "you've provided already exists in system.",
                                MessageEnums.INVALID_INPUT_DATA);
                    } else {
                        userProfile.setEmailAddress(emailAddress);
                        updateUser = true;
                    }
                } else {
                    userProfile.setEmailAddress(emailAddress);
                    updateUser = true;
                }
            } else {
                throw restErrorUtil.createRESTException("Please provide valid email address.",
                        MessageEnums.INVALID_INPUT_DATA);
            }
        }

        // loginId
        // if (!stringUtil.isEmpty(userProfile.getLoginId())
        // && !userProfile.getLoginId().equals(gjUser.getLoginId())) {
        // gjUser.setLoginId(userProfile.getLoginId());
        // updateUser = true;
        // }

        // firstName
        if ("null".equalsIgnoreCase(userProfile.getFirstName())) {
            userProfile.setFirstName("");
        }
        if (!stringUtil.isEmpty(userProfile.getFirstName())
                && !userProfile.getFirstName().equals(gjUser.getFirstName())) {
            userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile.getFirstName()));
            updateUser = true;
        }

        if ("null".equalsIgnoreCase(userProfile.getLastName())) {
            userProfile.setLastName("");
        }
        if (!stringUtil.isEmpty(userProfile.getLastName())
                && !userProfile.getLastName().equals(gjUser.getLastName())) {
            userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile.getLastName()));
            updateUser = true;
        }

        // publicScreenName
        if (userProfile.getFirstName() != null && userProfile.getLastName() != null
                && !userProfile.getFirstName().trim().isEmpty() && !userProfile.getLastName().trim().isEmpty()) {
            userProfile.setPublicScreenName(userProfile.getFirstName() + " " + userProfile.getLastName());
            updateUser = true;
        } else {
            userProfile.setPublicScreenName(gjUser.getLoginId());
            updateUser = true;
        }

        // notes
        /*
         * if (!stringUtil.isEmpty(userProfile.getNotes()) &&
         * !userProfile.getNotes().equalsIgnoreCase(gjUser.getNotes())) {
         * updateUser = true; }
         */

        // userRoleList
        updateRoles(userProfile.getId(), userProfile.getUserRoleList());

        if (updateUser) {

            List<XXTrxLog> trxLogList = xPortalUserService.getTransactionLog(userProfile, gjUser, "update");

            userProfile.setPassword(gjUser.getPassword());
            xPortalUserService.updateResource(userProfile);
            sessionMgr.resetUserSessionForProfiles(ContextUtil.getCurrentUserSession());

            msBizUtil.createTrxLog(trxLogList);
        }

        return gjUser;
    }

    public boolean updateRoles(Long userId, Collection<String> rolesList) {
        boolean rolesUpdated = false;
        if (rolesList == null || rolesList.size() == 0) {
            return false;
        }

        // Let's first delete old roles
        List<XXPortalUserRole> gjUserRoles = daoManager.getXXPortalUserRole().findByUserId(userId);

        for (XXPortalUserRole gjUserRole : gjUserRoles) {
            boolean found = false;
            for (String userRole : rolesList) {
                if (gjUserRole.getUserRole().equalsIgnoreCase(userRole)) {
                    found = true;
                    break;
                }
            }
            if (!found) {
                if (deleteUserRole(userId, gjUserRole)) {
                    rolesUpdated = true;
                }
            }
        }

        // Let's add new roles
        for (String userRole : rolesList) {
            boolean found = false;
            for (XXPortalUserRole gjUserRole : gjUserRoles) {
                if (gjUserRole.getUserRole().equalsIgnoreCase(userRole)) {
                    found = true;
                    break;
                }
            }
            if (!found) {
                if (addUserRole(userId, userRole) != null) {
                    rolesUpdated = true;
                }
            }
        }
        return rolesUpdated;
    }

    /**
     * @param userId
     * @param vStrings
     */
    public void setUserRoles(Long userId, List<VXString> vStringRolesList) {
        List<String> stringRolesList = new ArrayList<String>();
        for (VXString vXString : vStringRolesList) {
            stringRolesList.add(vXString.getValue());
        }
        xUserMgr.checkAccessRoles(stringRolesList);
        VXPortalUser oldUserProfile = getUserProfile(userId);
        xUserMgr.updateUserRolesPermissions(oldUserProfile, stringRolesList);
    }

    /**
     * @param pwdChange
     * @return
     */
    public VXResponse changePassword(VXPasswordChange pwdChange) {
        VXResponse ret = new VXResponse();

        // First let's get the XXPortalUser for the current logged in user
        String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
        XXPortalUser gjUserCurrent = daoManager.getXXPortalUser().findByLoginId(currentUserLoginId);
        checkAccessForUpdate(gjUserCurrent);

        // Get the user of whom we want to change the password
        XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(pwdChange.getLoginId());
        if (gjUser == null) {
            logger.warn("SECURITY:changePassword(). User not found. LoginId=" + pwdChange.getLoginId());
            throw restErrorUtil.createRESTException("serverMsg.userMgrInvalidUser", MessageEnums.DATA_NOT_FOUND,
                    null, null, pwdChange.getLoginId());
        }

        //check current password and provided old password is same or not
        String encryptedOldPwd = encrypt(pwdChange.getLoginId(), pwdChange.getOldPassword());
        if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
            logger.info("changePassword(). Invalid old password. LoginId=" + pwdChange.getLoginId());
            throw restErrorUtil.createRESTException("serverMsg.userMgrOldPassword", MessageEnums.INVALID_INPUT_DATA,
                    null, null, pwdChange.getLoginId());
        }

        //validate new password
        if (!stringUtil.validatePassword(pwdChange.getUpdPassword(),
                new String[] { gjUser.getFirstName(), gjUser.getLastName(), gjUser.getLoginId() })) {
            logger.warn("SECURITY:changePassword(). Invalid new password. LoginId=" + pwdChange.getLoginId());
            throw restErrorUtil.createRESTException("serverMsg.userMgrNewPassword", MessageEnums.INVALID_PASSWORD,
                    null, null, pwdChange.getLoginId());
        }

        String encryptedNewPwd = encrypt(pwdChange.getLoginId(), pwdChange.getUpdPassword());
        String currentPassword = gjUser.getPassword();
        if (!encryptedNewPwd.equals(currentPassword)) {
            List<XXTrxLog> trxLogList = new ArrayList<XXTrxLog>();
            XXTrxLog xTrxLog = new XXTrxLog();
            xTrxLog.setAttributeName("Password");
            xTrxLog.setPreviousValue(currentPassword);
            xTrxLog.setNewValue(encryptedNewPwd);
            xTrxLog.setAction("password change");
            xTrxLog.setObjectClassType(AppConstants.CLASS_TYPE_PASSWORD_CHANGE);
            xTrxLog.setObjectId(pwdChange.getId());
            xTrxLog.setObjectName(pwdChange.getLoginId());
            trxLogList.add(xTrxLog);
            msBizUtil.createTrxLog(trxLogList);
            gjUser.setPassword(encryptedNewPwd);
            gjUser = daoManager.getXXPortalUser().update(gjUser);
            ret.setMsgDesc("Password successfully updated");
            ret.setStatusCode(VXResponse.STATUS_SUCCESS);
        } else {
            ret.setMsgDesc("Password update failed");
            ret.setStatusCode(VXResponse.STATUS_ERROR);
            throw restErrorUtil.createRESTException("serverMsg.userMgrNewPassword", MessageEnums.INVALID_INPUT_DATA,
                    gjUser.getId(), "password", gjUser.toString());
        }
        return ret;
    }

    /**
     * @param gjUser
     * @param changeEmail
     * @return
     */
    public VXPortalUser changeEmailAddress(XXPortalUser gjUser, VXPasswordChange changeEmail) {
        checkAccessForUpdate(gjUser);
        if (StringUtils.isEmpty(changeEmail.getEmailAddress())) {
            throw restErrorUtil.createRESTException("serverMsg.userMgrInvalidEmail",
                    MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(), "emailAddress", changeEmail.toString());
        }

        String encryptedOldPwd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword());

        if (!stringUtil.validateEmail(changeEmail.getEmailAddress())) {
            logger.info("Invalid email address." + changeEmail);
            throw restErrorUtil.createRESTException("serverMsg.userMgrInvalidEmail",
                    MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(), "emailAddress", changeEmail.toString());

        }

        if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
            logger.info("changeEmailAddress(). Invalid  password. changeEmail=" + changeEmail);

            throw restErrorUtil.createRESTException("serverMsg.userMgrWrongPassword",
                    MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail);
        }

        // Normalize email. Make it lower case
        gjUser.setEmailAddress(stringUtil.normalizeEmail(changeEmail.getEmailAddress()));

        String saltEncodedpasswd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword());

        gjUser.setPassword(saltEncodedpasswd);

        daoManager.getXXPortalUser().update(gjUser);
        return mapXXPortalUserVXPortalUser(gjUser);
    }

    /**
     * @param userId
     */
    public VXPortalUser deactivateUser(XXPortalUser gjUser) {
        checkAdminAccess();
        if (gjUser != null && gjUser.getStatus() != RangerConstants.ACT_STATUS_DEACTIVATED) {
            logger.info("Marking user " + gjUser.getLoginId() + " as deleted");
            gjUser.setStatus(RangerConstants.ACT_STATUS_DEACTIVATED);
            gjUser = daoManager.getXXPortalUser().update(gjUser);
            return mapXXPortalUserVXPortalUser(gjUser);
        }
        return null;
    }

    public VXPortalUser getUserProfile(Long id) {
        XXPortalUser user = daoManager.getXXPortalUser().getById(id);
        if (user != null) {
            checkAccess(user);
            return mapXXPortalUserVXPortalUser(user);
        } else {
            if (logger.isDebugEnabled()) {
                logger.debug("User not found. userId=" + id);
            }
            return null;
        }
    }

    public VXPortalUser getUserProfileByLoginId() {
        String loginId = ContextUtil.getCurrentUserLoginId();
        return getUserProfileByLoginId(loginId);
    }

    public VXPortalUser getUserProfileByLoginId(String loginId) {
        XXPortalUser user = daoManager.getXXPortalUser().findByLoginId(loginId);
        if (user != null) {
            return mapXXPortalUserVXPortalUser(user);
        } else {
            if (logger.isDebugEnabled()) {
                logger.debug("User not found. loginId=" + loginId);
            }
            return null;
        }
    }

    public XXPortalUser mapVXPortalUserToXXPortalUser(VXPortalUser userProfile) {
        XXPortalUser gjUser = new XXPortalUser();
        gjUser.setEmailAddress(userProfile.getEmailAddress());
        if ("null".equalsIgnoreCase(userProfile.getFirstName())) {
            userProfile.setFirstName("");
        }
        gjUser.setFirstName(userProfile.getFirstName());
        if ("null".equalsIgnoreCase(userProfile.getLastName())) {
            userProfile.setLastName("");
        }
        gjUser.setLastName(userProfile.getLastName());
        if (userProfile.getLoginId() == null || userProfile.getLoginId().trim().isEmpty()
                || "null".equalsIgnoreCase(userProfile.getLoginId())) {
            throw restErrorUtil.createRESTException("LoginId should not be null or blank, It is",
                    MessageEnums.INVALID_INPUT_DATA);
        }
        gjUser.setLoginId(userProfile.getLoginId());
        gjUser.setPassword(userProfile.getPassword());
        gjUser.setUserSource(userProfile.getUserSource());
        gjUser.setPublicScreenName(userProfile.getPublicScreenName());
        if (userProfile.getFirstName() != null && userProfile.getLastName() != null
                && !userProfile.getFirstName().trim().isEmpty() && !userProfile.getLastName().trim().isEmpty()) {
            gjUser.setPublicScreenName(userProfile.getFirstName() + " " + userProfile.getLastName());
        } else {
            gjUser.setPublicScreenName(userProfile.getLoginId());
        }
        return gjUser;
    }

    /**
     * @param user
     * @return
     */
    public VXPortalUser mapXXPortalUserToVXPortalUser(XXPortalUser user, Collection<String> userRoleList) {
        if (user == null) {
            return null;
        }
        UserSessionBase sess = ContextUtil.getCurrentUserSession();
        if (sess == null) {
            return null;
        }

        VXPortalUser userProfile = new VXPortalUser();
        gjUserToUserProfile(user, userProfile);
        if (sess.isUserAdmin() || sess.isKeyAdmin() || sess.getXXPortalUser().getId().equals(user.getId())) {
            if (userRoleList == null) {
                userRoleList = new ArrayList<String>();
                List<XXPortalUserRole> gjUserRoleList = daoManager.getXXPortalUserRole()
                        .findByParentId(user.getId());

                for (XXPortalUserRole userRole : gjUserRoleList) {
                    userRoleList.add(userRole.getUserRole());
                }
            }

            userProfile.setUserRoleList(userRoleList);
        }
        userProfile.setUserSource(user.getUserSource());
        return userProfile;
    }

    private void gjUserToUserProfile(XXPortalUser user, VXPortalUser userProfile) {
        UserSessionBase sess = ContextUtil.getCurrentUserSession();
        if (sess == null) {
            return;
        }

        // Admin
        if (sess.isUserAdmin() || sess.isKeyAdmin() || sess.getXXPortalUser().getId().equals(user.getId())) {
            userProfile.setLoginId(user.getLoginId());
            userProfile.setStatus(user.getStatus());
            userProfile.setUserRoleList(new ArrayList<String>());

            String emailAddress = user.getEmailAddress();

            if (emailAddress != null && stringUtil.validateEmail(emailAddress)) {
                userProfile.setEmailAddress(user.getEmailAddress());
            }

            if (sess != null) {
                userProfile.setUserSource(sess.getAuthProvider());
            }

            List<XXPortalUserRole> gjUserRoleList = daoManager.getXXPortalUserRole().findByParentId(user.getId());

            for (XXPortalUserRole gjUserRole : gjUserRoleList) {
                userProfile.getUserRoleList().add(gjUserRole.getUserRole());
            }
        }

        if (sess.isUserAdmin() || sess.isKeyAdmin() || sess.getXXPortalUser().getId().equals(user.getId())) {
            userProfile.setId(user.getId());
            List<XXUserPermission> xUserPermissions = daoManager.getXXUserPermission()
                    .findByUserPermissionIdAndIsAllowed(userProfile.getId());
            List<XXGroupPermission> xxGroupPermissions = daoManager.getXXGroupPermission()
                    .findbyVXPortalUserId(userProfile.getId());

            List<VXGroupPermission> groupPermissions = new ArrayList<VXGroupPermission>();
            List<VXUserPermission> vxUserPermissions = new ArrayList<VXUserPermission>();
            for (XXGroupPermission xxGroupPermission : xxGroupPermissions) {
                VXGroupPermission groupPermission = xGroupPermissionService.populateViewBean(xxGroupPermission);
                groupPermission.setModuleName(
                        daoManager.getXXModuleDef().findByModuleId(groupPermission.getModuleId()).getModule());
                groupPermissions.add(groupPermission);
            }
            for (XXUserPermission xUserPermission : xUserPermissions) {
                VXUserPermission vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission);
                vXUserPermission.setModuleName(
                        daoManager.getXXModuleDef().findByModuleId(vXUserPermission.getModuleId()).getModule());
                vxUserPermissions.add(vXUserPermission);
            }
            userProfile.setGroupPermissions(groupPermissions);
            userProfile.setUserPermList(vxUserPermissions);
            userProfile.setFirstName(user.getFirstName());
            userProfile.setLastName(user.getLastName());
            userProfile.setPublicScreenName(user.getPublicScreenName());
        }

    }

    /**
     * Translates XXPortalUser to VUserProfile. This method should be called in
     * the same transaction in which the XXPortalUser was retrieved from the
     * database
     *
     * @param user
     * @return
     */
    public VXPortalUser mapXXPortalUserVXPortalUser(XXPortalUser user) {
        return mapXXPortalUserToVXPortalUser(user, null);
    }

    /**
     * @param emailId
     * @return
     */
    public XXPortalUser findByEmailAddress(String emailId) {
        return daoManager.getXXPortalUser().findByEmailAddress(emailId);
    }

    public XXPortalUser findByLoginId(String loginId) {
        return daoManager.getXXPortalUser().findByLoginId(loginId);
    }

    @Transactional(readOnly = true, propagation = Propagation.REQUIRED)
    public Collection<String> getRolesForUser(XXPortalUser user) {
        Collection<String> roleList = new ArrayList<String>();

        Collection<XXPortalUserRole> roleCollection = daoManager.getXXPortalUserRole().findByUserId(user.getId());
        for (XXPortalUserRole role : roleCollection) {
            roleList.add(role.getUserRole());
        }
        return roleList;
    }

    /**
     * @param searchCriteria
     * @return
     */
    public VXPortalUserList searchUsers(SearchCriteria searchCriteria) {

        VXPortalUserList returnList = new VXPortalUserList();
        ArrayList<VXPortalUser> objectList = new ArrayList<VXPortalUser>();
        String queryStr = "SELECT u FROM  XXPortalUser u ";
        String countQueryStr = "SELECT COUNT(u) FROM XXPortalUser u ";

        // Get total count first
        Query query = createUserSearchQuery(countQueryStr, null, searchCriteria);
        Long count = (Long) query.getSingleResult();
        int resultSize = count != null ? count.intValue() : 0;
        if (resultSize == 0) {
            return returnList;
        }

        // Get actual data

        // Add sort by
        String sortBy = searchCriteria.getSortBy();
        String querySortBy = "u.loginId";
        if (!stringUtil.isEmpty(sortBy)) {
            sortBy = sortBy.trim();
            if (sortBy.equalsIgnoreCase("userId")) {
                querySortBy = "u.id";
            } else if (sortBy.equalsIgnoreCase("loginId")) {
                querySortBy = "ua.loginId";
            } else if (sortBy.equalsIgnoreCase("emailAddress")) {
                querySortBy = "u.emailAddress";
            } else if (sortBy.equalsIgnoreCase("firstName")) {
                querySortBy = "u.firstName";
            } else if (sortBy.equalsIgnoreCase("lastName")) {
                querySortBy = "u.lastName";
            } else {
                sortBy = "loginId";
                logger.error("Invalid sortBy provided. sortBy=" + sortBy);
            }
        } else {
            sortBy = "loginId";
        }

        // Default sort field
        String sortClause = " order by " + querySortBy + " ";

        // Add sort type
        String sortType = searchCriteria.getSortType();
        String querySortType = "asc";
        if (sortType != null) {
            if (sortType.equalsIgnoreCase("asc") || sortType.equalsIgnoreCase("desc")) {
                querySortType = sortType;
            } else {
                logger.error("Invalid sortType. sortType=" + sortType);
            }
        }
        sortClause += querySortType;

        query = createUserSearchQuery(queryStr, sortClause, searchCriteria);

        // Set start index
        query.setFirstResult(searchCriteria.getStartIndex());

        searchUtil.updateQueryPageSize(query, searchCriteria);

        @SuppressWarnings("rawtypes")
        List resultList = query.getResultList();
        // Iterate over the result list and create the return list
        for (Object object : resultList) {
            XXPortalUser gjUser = (XXPortalUser) object;
            VXPortalUser userProfile = new VXPortalUser();
            gjUserToUserProfile(gjUser, userProfile);
            objectList.add(userProfile);
        }

        returnList.setResultSize(resultSize);
        returnList.setPageSize(query.getMaxResults());
        returnList.setSortBy(sortBy);
        returnList.setSortType(querySortType);
        returnList.setStartIndex(query.getFirstResult());
        returnList.setTotalCount(count.longValue());
        returnList.setVXPortalUsers(objectList);
        return returnList;
    }

    /**
     * @param queryStr
     * @param sortClause
     * @param searchCriteria
     * @return
     */
    private Query createUserSearchQuery(String queryStr, String sortClause, SearchCriteria searchCriteria) {
        HashMap<String, Object> paramList = searchCriteria.getParamList();

        String whereClause = "WHERE 1 = 1 ";

        // roles
        @SuppressWarnings("unchecked")
        List<String> roleList = (List<String>) paramList.get("roleList");
        if (roleList != null && roleList.size() > 0) {
            whereClause = ", XXPortalUserRole ur WHERE u.id = ur.userId";
            if (roleList.size() == 1) {
                // For only one role, let's do an equal to
                whereClause += " and ur.userRole = :role";
            } else {
                whereClause += " and ur.userRole in (:roleList)";
            }
        }

        // userId
        Long userId = (Long) paramList.get("userId");
        if (userId != null) {
            whereClause += " and u.id = :userId ";
        }

        // loginId
        String loginId = (String) paramList.get("loginId");
        if (loginId != null) {
            whereClause += " and LOWER(u.loginId) = :loginId ";
        }

        // emailAddress
        String emailAddress = (String) paramList.get("emailAddress");
        if (emailAddress != null) {
            whereClause += " and LOWER(u.emailAddress) = :emailAddress ";
        }

        // firstName
        String firstName = (String) paramList.get("firstName");
        if (firstName != null) {
            whereClause += " and LOWER(u.firstName) = :firstName ";
        }

        // lastName
        String lastName = (String) paramList.get("lastName");
        if (lastName != null) {
            whereClause += " and LOWER(u.lastName) = :lastName ";
        }

        // status
        Integer status = null;
        @SuppressWarnings("unchecked")
        List<Integer> statusList = (List<Integer>) paramList.get("statusList");
        if (statusList != null && statusList.size() == 1) {
            // use == condition
            whereClause += " and u.status = :status";
            status = statusList.get(0);
        } else if (statusList != null && statusList.size() > 1) {
            // use in operator
            whereClause += " and u.status in (:statusList) ";
        }

        // publicScreenName
        String publicScreenName = (String) paramList.get("publicScreenName");
        if (publicScreenName != null) {
            whereClause += " and LOWER(u.publicScreenName) = :publicScreenName ";
        }

        // familyScreenName
        String familyScreenName = (String) paramList.get("familyScreenName");
        if (familyScreenName != null) {
            whereClause += " and LOWER(u.familyScreenName) = :familyScreenName ";
        }

        if (sortClause != null) {
            whereClause += sortClause;
        }

        Query query = daoManager.getEntityManager().createQuery(queryStr + whereClause);

        if (roleList != null && roleList.size() > 0) {
            if (roleList.size() == 1) {
                query.setParameter("role", roleList.get(0));
            } else {
                query.setParameter("roleList", roleList);
            }
        }

        if (status != null) {
            query.setParameter("status", status);
        }
        if (statusList != null && statusList.size() > 1) {
            query.setParameter("statusList", statusList);
        }
        if (emailAddress != null) {
            query.setParameter("emailAddress", emailAddress.toLowerCase());
        }

        // userId
        if (userId != null) {
            query.setParameter("userId", userId);
        }
        // firstName
        if (firstName != null) {
            query.setParameter("firstName", firstName.toLowerCase());
        }
        // lastName
        if (lastName != null) {
            query.setParameter("lastName", lastName.toLowerCase());
        }

        // loginId
        if (loginId != null) {
            query.setParameter("loginId", loginId.toLowerCase());
        }

        // publicScreenName
        if (publicScreenName != null) {
            query.setParameter("publicScreenName", publicScreenName.toLowerCase());
        }

        // familyScreenName
        if (familyScreenName != null) {
            query.setParameter("familyScreenName", familyScreenName.toLowerCase());
        }

        return query;
    }

    public boolean deleteUserRole(Long userId, String userRole) {
        List<XXPortalUserRole> roleList = daoManager.getXXPortalUserRole().findByUserId(userId);
        for (XXPortalUserRole gjUserRole : roleList) {
            if (gjUserRole.getUserRole().equalsIgnoreCase(userRole)) {
                return deleteUserRole(userId, gjUserRole);
            }
        }
        return false;
    }

    public boolean deleteUserRole(Long userId, XXPortalUserRole gjUserRole) {
        /*
         * if (RangerConstants.ROLE_USER.equals(gjUserRole.getUserRole())) {
         * return false; }
         */
        boolean publicRole = false;
        for (int i = 0; i < publicRoles.length; i++) {
            if (publicRoles[i].equalsIgnoreCase(gjUserRole.getUserRole())) {
                publicRole = true;
                break;
            }
        }
        if (!publicRole) {
            UserSessionBase sess = ContextUtil.getCurrentUserSession();
            if (sess == null || (!sess.isUserAdmin() && !sess.isKeyAdmin())) {
                return false;
            }
        }

        daoManager.getXXPortalUserRole().remove(gjUserRole.getId());
        return true;
    }

    public XXPortalUserRole addUserRole(Long userId, String userRole) {
        List<XXPortalUserRole> roleList = daoManager.getXXPortalUserRole().findByUserId(userId);
        boolean publicRole = false;
        for (int i = 0; i < publicRoles.length; i++) {
            if (publicRoles[i].equalsIgnoreCase(userRole)) {
                publicRole = true;
                break;
            }
        }
        if (!publicRole) {
            UserSessionBase sess = ContextUtil.getCurrentUserSession();
            if (sess == null) {
                return null;
            }
            // Admin
            if (!sess.isUserAdmin() && !sess.isKeyAdmin()) {
                logger.error("SECURITY WARNING: User trying to add non public role. userId=" + userId + ", role="
                        + userRole + ", session=" + sess.toString(), new Throwable());
                return null;
            }
        }

        for (XXPortalUserRole gjUserRole : roleList) {
            if (userRole.equalsIgnoreCase(gjUserRole.getUserRole())) {
                return gjUserRole;
            }
        }
        XXPortalUserRole userRoleObj = new XXPortalUserRole();
        userRoleObj.setUserRole(userRole.toUpperCase());
        userRoleObj.setUserId(userId);
        userRoleObj.setStatus(RangerConstants.STATUS_ENABLED);
        daoManager.getXXPortalUserRole().create(userRoleObj);

        // If role is not OTHER, then remove OTHER
        if (!RangerConstants.ROLE_OTHER.equalsIgnoreCase(userRole)) {
            deleteUserRole(userId, RangerConstants.ROLE_OTHER);
        }

        sessionMgr.resetUserSessionForProfiles(ContextUtil.getCurrentUserSession());
        return null;
    }

    public void checkAccess(Long userId) {
        XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userId);
        if (gjUser == null) {
            throw restErrorUtil.create403RESTException("serverMsg.userMgrWrongUser" + userId);
        }

        checkAccess(gjUser);
    }

    /**
     * @param gjUser
     * @return
     */
    public void checkAccess(XXPortalUser gjUser) {
        if (gjUser == null) {
            throw restErrorUtil.create403RESTException("serverMsg.userMgrWrongUser");
        }
        UserSessionBase sess = ContextUtil.getCurrentUserSession();
        if (sess != null) {

            // Admin
            if (sess != null && sess.isUserAdmin() || sess.isKeyAdmin()) {
                return;
            }

            // Self
            if (sess.getXXPortalUser().getId().equals(gjUser.getId())) {
                return;
            }

        }
        throw restErrorUtil.create403RESTException("User " + " access denied. loggedInUser="
                + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In") + ", accessing user="
                + gjUser.getId());

    }

    public void checkAccessForUpdate(XXPortalUser gjUser) {
        if (gjUser == null) {
            throw restErrorUtil.create403RESTException("serverMsg.userMgrWrongUser");
        }
        UserSessionBase sess = ContextUtil.getCurrentUserSession();
        if (sess != null) {

            // Admin
            if (sess != null && sess.isUserAdmin()) {
                return;
            }

            // Self
            if (sess.getXXPortalUser().getId().equals(gjUser.getId())) {
                return;
            }

        }
        VXResponse vXResponse = new VXResponse();
        vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN);
        vXResponse.setMsgDesc("User " + " access denied. loggedInUser="
                + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In") + ", accessing user="
                + gjUser.getId());
        throw restErrorUtil.generateRESTException(vXResponse);

    }

    public String encrypt(String loginId, String password) {
        String sha256PasswordUpdateDisable = PropertiesUtil.getProperty("ranger.sha256Password.update.disable",
                "false");
        String saltEncodedpasswd = "";
        if ("false".equalsIgnoreCase(sha256PasswordUpdateDisable)) {
            saltEncodedpasswd = sha256Encoder.encodePassword(password, loginId);
        } else {
            saltEncodedpasswd = md5Encoder.encodePassword(password, loginId);
        }
        return saltEncodedpasswd;
    }

    public VXPortalUser createUser(VXPortalUser userProfile) {
        checkAdminAccess();
        XXPortalUser xXPortalUser = this.createUser(userProfile, RangerCommonEnums.STATUS_ENABLED);
        return mapXXPortalUserVXPortalUser(xXPortalUser);
    }

    public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile) {
        if (userProfile.getPassword() == null || userProfile.getPassword().trim().isEmpty()) {
            userProfile.setUserSource(RangerCommonEnums.USER_EXTERNAL);
        }
        // access control
        checkAdminAccess();
        logger.info("create:" + userProfile.getLoginId());
        XXPortalUser xXPortalUser = null;
        String loginId = userProfile.getLoginId();
        String emailAddress = userProfile.getEmailAddress();

        if (loginId != null && !loginId.isEmpty()) {
            xXPortalUser = this.findByLoginId(loginId);
            if (xXPortalUser == null) {
                if (!stringUtil.isEmpty(emailAddress)) {
                    xXPortalUser = this.findByEmailAddress(emailAddress);
                    if (xXPortalUser == null) {
                        xXPortalUser = this.createUser(userProfile, RangerCommonEnums.STATUS_ENABLED);
                    } else {
                        throw restErrorUtil.createRESTException("The email address " + emailAddress
                                + " you've provided already exists. Please try again with different "
                                + "email address.", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
                    }
                } else {
                    userProfile.setEmailAddress(null);
                    xXPortalUser = this.createUser(userProfile, RangerCommonEnums.STATUS_ENABLED);
                }
            } else { //NOPMD
                /*
                 * throw restErrorUtil .createRESTException( "The login id " +
                 * loginId +
                 * " you've provided already exists. Please try again with different "
                 * + "login id.", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
                 */
            }
        }
        if (xXPortalUser != null) {
            return mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser);
        } else {
            return null;
        }
    }

    protected VXPortalUser mapXXPortalUserToVXPortalUserForDefaultAccount(XXPortalUser user) {

        VXPortalUser userProfile = new VXPortalUser();

        userProfile.setLoginId(user.getLoginId());
        userProfile.setEmailAddress(user.getEmailAddress());
        userProfile.setStatus(user.getStatus());
        userProfile.setUserRoleList(new ArrayList<String>());
        userProfile.setId(user.getId());
        userProfile.setFirstName(user.getFirstName());
        userProfile.setLastName(user.getLastName());
        userProfile.setPublicScreenName(user.getPublicScreenName());
        userProfile.setEmailAddress(user.getEmailAddress());

        List<XXPortalUserRole> gjUserRoleList = daoManager.getXXPortalUserRole().findByParentId(user.getId());

        for (XXPortalUserRole gjUserRole : gjUserRoleList) {
            userProfile.getUserRoleList().add(gjUserRole.getUserRole());
        }

        return userProfile;
    }

    public boolean isUserInRole(Long userId, String role) {
        XXPortalUserRole xXPortalUserRole = daoManager.getXXPortalUserRole().findByRoleUserId(userId, role);
        if (xXPortalUserRole != null) {
            String userRole = xXPortalUserRole.getUserRole();
            if (userRole.equalsIgnoreCase(role)) {
                return true;
            }
        }
        return false;
    }

    public XXPortalUser updateUserWithPass(VXPortalUser userProfile) {
        String updatedPassword = userProfile.getPassword();
        XXPortalUser xXPortalUser = this.updateUser(userProfile);

        if (xXPortalUser == null) {
            return null;
        }

        if (updatedPassword != null && !updatedPassword.isEmpty()) {
            if (!stringUtil.validatePassword(updatedPassword, new String[] { xXPortalUser.getFirstName(),
                    xXPortalUser.getLastName(), xXPortalUser.getLoginId() })) {
                logger.warn("SECURITY:changePassword(). Invalid new password. userId=" + xXPortalUser.getId());

                throw restErrorUtil.createRESTException("serverMsg.userMgrNewPassword",
                        MessageEnums.INVALID_PASSWORD, null, null, "" + xXPortalUser.getId());
            }

            String encryptedNewPwd = encrypt(xXPortalUser.getLoginId(), updatedPassword);
            xXPortalUser.setPassword(encryptedNewPwd);
            xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser);
        }
        return xXPortalUser;
    }

    @Transactional(readOnly = false, propagation = Propagation.REQUIRED)
    public XXPortalUser updatePasswordInSHA256(String userName, String userPassword) {
        if (userName == null || userPassword == null || userName.trim().isEmpty()
                || userPassword.trim().isEmpty()) {
            return null;
        }

        XXPortalUser xXPortalUser = this.findByLoginId(userName);

        if (xXPortalUser == null) {
            return null;
        }

        String encryptedNewPwd = encrypt(xXPortalUser.getLoginId(), userPassword);
        xXPortalUser.setPassword(encryptedNewPwd);
        xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser);

        return xXPortalUser;
    }

    public void checkAdminAccess() {
        UserSessionBase sess = ContextUtil.getCurrentUserSession();
        if (sess != null && sess.isUserAdmin()) {
            return;
        }
        throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser="
                + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In"));
    }

    public Collection<String> getRolesByLoginId(String loginId) {
        if (loginId == null || loginId.trim().isEmpty()) {
            return DEFAULT_ROLE_LIST;
        }
        XXPortalUser xXPortalUser = daoManager.getXXPortalUser().findByLoginId(loginId);
        if (xXPortalUser == null) {
            return DEFAULT_ROLE_LIST;
        }
        Collection<XXPortalUserRole> xXPortalUserRoles = daoManager.getXXPortalUserRole()
                .findByUserId(xXPortalUser.getId());
        if (xXPortalUserRoles == null) {
            return DEFAULT_ROLE_LIST;
        }
        Collection<String> roleList = new ArrayList<String>();
        for (XXPortalUserRole role : xXPortalUserRoles) {
            if (role != null && VALID_ROLE_LIST.contains(role.getUserRole())) {
                if (!roleList.contains(role.getUserRole())) {
                    roleList.add(role.getUserRole());
                }
            }
        }
        if (roleList == null || roleList.size() == 0) {
            return DEFAULT_ROLE_LIST;
        }
        return roleList;
    }
}