Java tutorial
/* * NOTE: This copyright does *not* cover user programs that use HQ * program services by normal system calls through the application * program interfaces provided as part of the Hyperic Plug-in Development * Kit or the Hyperic Client Development Kit - this is merely considered * normal use of the program, and does *not* fall under the heading of * "derived work". * * Copyright (C) [2004-2008], Hyperic, Inc. * This file is part of HQ. * * HQ is free software; you can redistribute it and/or modify * it under the terms version 2 of the GNU General Public License as * published by the Free Software Foundation. This program is distributed * in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A * PARTICULAR PURPOSE. See the GNU General Public License for more * details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 * USA. */ package org.hyperic.hq.authz.server.session; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.HashSet; import java.util.Iterator; import java.util.List; import java.util.Set; import java.util.TreeMap; import javax.annotation.PostConstruct; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.hyperic.hq.authz.server.session.events.group.GroupAddedToRolesZevent; import org.hyperic.hq.authz.server.session.events.group.GroupRemovedFromRolesZevent; import org.hyperic.hq.authz.server.session.events.role.GroupsAddedToRoleZevent; import org.hyperic.hq.authz.server.session.events.role.GroupsRemovedFromRoleZevent; import org.hyperic.hq.authz.server.session.events.role.RoleDeletedZevent; import org.hyperic.hq.authz.server.session.events.role.RolePermissionsChangedZevent; import org.hyperic.hq.authz.server.session.events.role.SubjectsAddedToRoleZevent; import org.hyperic.hq.authz.server.session.events.role.SubjectsRemovedFromRoleZevent; import org.hyperic.hq.authz.server.session.events.subject.SubjectAddedToRolesZevent; import org.hyperic.hq.authz.server.session.events.subject.SubjectRemovedFromRolesZevent; import org.hyperic.hq.authz.shared.AuthzConstants; import org.hyperic.hq.authz.shared.AuthzDuplicateNameException; import org.hyperic.hq.authz.shared.AuthzSubjectValue; import org.hyperic.hq.authz.shared.PermissionException; import org.hyperic.hq.authz.shared.PermissionManager; import org.hyperic.hq.authz.shared.ResourceGroupValue; import org.hyperic.hq.authz.shared.ResourceValue; import org.hyperic.hq.authz.shared.RoleManager; import org.hyperic.hq.authz.shared.RoleValue; import org.hyperic.hq.authz.values.OwnedRoleValue; import org.hyperic.hq.common.ApplicationException; import org.hyperic.hq.common.NotFoundException; import org.hyperic.hq.common.server.session.Calendar; import org.hyperic.hq.common.shared.CalendarManager; import org.hyperic.hq.zevents.ZeventManager; import org.hyperic.util.pager.PageControl; import org.hyperic.util.pager.PageList; import org.hyperic.util.pager.Pager; import org.hyperic.util.pager.SortAttribute; import org.springframework.beans.BeansException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContextAware; import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; /** * Manipulates Roles and Subjects associated with them. All arguments and return * values are value-objects. * */ @Service @Transactional public class RoleManagerImpl implements RoleManager, ApplicationContextAware { private final Log log = LogFactory.getLog(RoleManagerImpl.class); private Pager subjectPager; private Pager rolePager; private Pager groupPager; private Pager ownedRolePager; private static final String SUBJECT_PAGER = "org.hyperic.hq.authz.server.session.PagerProcessor_subject"; private static final String ROLE_PAGER = "org.hyperic.hq.authz.server.session.PagerProcessor_role"; private static final String OWNEDROLE_PAGER = "org.hyperic.hq.authz.server.session.PagerProcessor_ownedRole"; private static final String GROUP_PAGER = "org.hyperic.hq.authz.server.session.PagerProcessor_resourceGroup"; private RoleCalendarDAO roleCalendarDAO; private OperationDAO operationDAO; private ResourceGroupDAO resourceGroupDAO; private ResourceTypeDAO resourceTypeDAO; private RoleDAO roleDAO; private AuthzSubjectDAO authzSubjectDAO; private ResourceDAO resourceDAO; private CalendarManager calendarManager; private PermissionManager permissionManager; private ApplicationContext applicationContext; private ZeventManager zeventManager; @Autowired public RoleManagerImpl(RoleCalendarDAO roleCalendarDAO, OperationDAO operationDAO, ResourceGroupDAO resourceGroupDAO, ResourceTypeDAO resourceTypeDAO, RoleDAO roleDAO, AuthzSubjectDAO authzSubjectDAO, ResourceDAO resourceDAO, CalendarManager calendarManager, PermissionManager permissionManager, ZeventManager zeventManager) { this.roleCalendarDAO = roleCalendarDAO; this.operationDAO = operationDAO; this.resourceGroupDAO = resourceGroupDAO; this.resourceTypeDAO = resourceTypeDAO; this.roleDAO = roleDAO; this.authzSubjectDAO = authzSubjectDAO; this.resourceDAO = resourceDAO; this.calendarManager = calendarManager; this.permissionManager = permissionManager; this.zeventManager = zeventManager; } @PostConstruct public void afterPropertiesSet() throws Exception { subjectPager = Pager.getPager(SUBJECT_PAGER); rolePager = Pager.getPager(ROLE_PAGER); groupPager = Pager.getPager(GROUP_PAGER); ownedRolePager = Pager.getPager(OWNEDROLE_PAGER); } /** * Validate that a role is ok to be added or updated * * @param aRole * @throws AuthzDuplicateNameException */ private void validateRole(RoleValue aRole) throws AuthzDuplicateNameException { Role role = roleDAO.findByName(aRole.getName()); if (role != null) { throw new AuthzDuplicateNameException("A role named: " + aRole.getName() + " already exists"); } } private Role lookupRole(RoleValue role) { return lookupRole(role.getId()); } private Role lookupRole(Integer id) { return roleDAO.findById(id); } private ResourceGroup lookupGroup(Integer id) { return resourceGroupDAO.findById(id); } /** * */ @Transactional(readOnly = true) public boolean isRootRoleMember(AuthzSubject subject) { return getRootRoleIfMember(subject) != null; } @Transactional(readOnly = true) private Role getRootRoleIfMember(AuthzSubject subject) { // Look up the root role Role rootRole = roleDAO.findById(AuthzConstants.rootRoleId); // Look up the calling subject if (rootRole.getSubjects().contains(subject)) { return rootRole; } return null; } /** * Filter a collection of roleLocal objects to only include those viewable * by the specified user * * */ private Collection<Role> filterViewableRoles(AuthzSubject who, Collection<Role> roles) throws PermissionException { return filterViewableRoles(who, roles, null); } /** * Filter a collection of roleLocal object to only include those viewable by * the specific user and not in the list of ids passed in as excluded * * @param who - the user * @param roles - the list of role locals * @param excludeIds - role ids which should be excluded from the return * list * * */ private Collection<Role> filterViewableRoles(AuthzSubject who, Collection<Role> roles, Integer[] excludeIds) throws PermissionException { try { permissionManager.check(who.getId(), resourceTypeDAO.findByName(AuthzConstants.roleResourceTypeName), AuthzConstants.rootResourceId, AuthzConstants.roleOpViewRole); } catch (PermissionException e) { return new ArrayList<Role>(0); } List<Integer> excludeList = null; boolean hasExclude = (excludeIds != null && excludeIds.length > 0); if (hasExclude) { excludeList = Arrays.asList(excludeIds); } // Throw out the excludes for (Iterator<Role> i = roles.iterator(); i.hasNext();) { Role role = i.next(); Integer pk = role.getId(); if (hasExclude && excludeList.contains(pk)) { i.remove(); } } return roles; } /** * Create a role. * * @param whoami The current running user. * @param role The to be created. * @param operations Operations to associate with the new role. Use null if * you want to associate operations later. * @param subjectIds Ids of subjects to add to the new role. Use null to add * subjects later. * @param groupIds Ids of resource groups to add to the new role. Use null * to add subjects later. * @return OwnedRoleValue for the role. * * * @throws PermissionException whoami may not perform createResource on the * covalentAuthzRole ResourceType. * */ public Integer createOwnedRole(AuthzSubject whoami, RoleValue role, Operation[] operations, Integer[] subjectIds, Integer[] groupIds) throws AuthzDuplicateNameException, PermissionException { validateRole(role); permissionManager.check(whoami.getId(), resourceTypeDAO.findTypeResourceType(), AuthzConstants.rootResourceId, AuthzConstants.roleOpCreateRole); Role roleLocal = roleDAO.create(whoami, role); // Associated operations roleLocal.setOperations(toPojos(operations)); if (subjectIds != null) { HashSet<AuthzSubject> sLocals = new HashSet<AuthzSubject>(subjectIds.length); for (int si = 0; si < subjectIds.length; si++) { sLocals.add(authzSubjectDAO.findById(subjectIds[si])); } // Associated subjects roleLocal.setSubjects(sLocals); zeventManager.enqueueEventAfterCommit(new SubjectsAddedToRoleZevent(roleLocal, sLocals)); } if (groupIds != null) { HashSet<ResourceGroup> gLocals = new HashSet<ResourceGroup>(groupIds.length); for (int gi = 0; gi < groupIds.length; gi++) { gLocals.add(lookupGroup(groupIds[gi])); } // Associated resource groups roleLocal.setResourceGroups(gLocals); zeventManager.enqueueEventAfterCommit(new GroupsAddedToRoleZevent(roleLocal, groupIds)); } applicationContext.publishEvent(new RoleCreatedEvent(roleLocal)); return roleLocal.getId(); } /** * Delete the specified role. * * @param whoami The current running user. * @param rolePk The role to delete. * @throws ApplicationException Unable to delete the specified entity. * */ public void removeRole(AuthzSubject whoami, Integer rolePk) throws PermissionException, ApplicationException { // Don't delete the super user role if (rolePk.equals(AuthzConstants.rootRoleId)) { throw new ApplicationException("Superuser role cannot be removed"); } Role role = roleDAO.findById(rolePk); permissionManager.check(whoami.getId(), role.getResource().getResourceType(), role.getId(), AuthzConstants.roleOpRemoveRole); applicationContext.publishEvent(new RoleDeleteRequestedEvent(role)); final Collection<AuthzSubject> subjects = new ArrayList<AuthzSubject>(role.getSubjects()); Collection<ResourceGroup> assignedResourceGroups = new ArrayList<ResourceGroup>(role.getResourceGroups()); for (RoleCalendar c : role.getCalendars()) { removeCalendar(c); } roleDAO.remove(role); zeventManager.enqueueEventAfterCommit(new RoleDeletedZevent(role, assignedResourceGroups, subjects)); } /** * Write the specified entity out to permanent storage. * * @param whoami The current running user. * @param role The role to save. * @throws PermissionException whoami may not perform modifyRole on this * role. * */ public void saveRole(AuthzSubject whoami, RoleValue role) throws AuthzDuplicateNameException, PermissionException { Role roleLocal = lookupRole(role); if (!roleLocal.getName().equals(role.getName())) { // Name has changed... check it validateRole(role); } permissionManager.check(whoami.getId(), roleLocal.getResource().getResourceType(), roleLocal.getId(), AuthzConstants.roleOpModifyRole); roleLocal.setRoleValue(role); } /** * Change the owner of the role. * * @param whoami The current running user. * @param id The ID of the role to change * @param ownerVal The new owner of the role.. * @throws PermissionException whoami may not perform modifyRole on this * role. * */ public void changeOwner(AuthzSubject whoami, Integer id, AuthzSubject owner) throws PermissionException { Role roleLocal = lookupRole(id); permissionManager.check(whoami.getId(), roleLocal.getResource().getResourceType(), roleLocal.getId(), AuthzConstants.roleOpModifyRole); roleLocal.getResource().setOwner(owner); } /** * Associate operations with this role. * * @param whoami The current running user. * @param role The role. * @param operations The operations to associate with the role. * * @throws PermissionException whoami may not perform addOperation on this * role. * */ public void addOperations(AuthzSubject whoami, Role role, Operation[] operations) throws PermissionException { Set<Operation> opLocals = toPojos(operations); // roleLocal.setWhoami(lookupSubject(whoami)); Collection<Operation> orgOperations = role.getOperations(); role.getOperations().addAll(opLocals); zeventManager.enqueueEventAfterCommit(new RolePermissionsChangedZevent(role, orgOperations)); } /** * Disassociate all operations from this role. * * @param whoami The current running user. * @param role The role. * * @throws PermissionException whoami may not perform removeOperation on * this role. * */ public void removeAllOperations(AuthzSubject whoami, Role role) throws PermissionException { // roleLocal.setWhoami(lookupSubject(whoami)); role.getOperations().clear(); } /** * Set the operations for this role. To get the operations call * getOperations() on the value-object. * * @param whoami The current running user. * @param id The ID of the role. * @param operations Operations to associate with this role. * * @throws PermissionException whoami is not allowed to perform * setOperations on this role. * */ public void setOperations(AuthzSubject whoami, Integer id, Operation[] operations) throws PermissionException { if (operations != null) { Role roleLocal = lookupRole(id); permissionManager.check(whoami.getId(), roleLocal.getResource().getResourceType(), roleLocal.getId(), AuthzConstants.roleOpModifyRole); Set<Operation> opLocals = toPojos(operations); Collection<Operation> orgOperations = roleLocal.getOperations(); roleLocal.setOperations(opLocals); zeventManager.enqueueEventAfterCommit(new RolePermissionsChangedZevent(roleLocal, orgOperations)); } } /** * Associate ResourceGroups with this role. * * @param whoami The current running user. * @param role This role. * @param gids The ids of the groups to associate with this role. * * @throws PermissionException whoami is not allowed to perform * addResourceGroup on this role. * */ public void addResourceGroups(AuthzSubject whoami, Integer rid, Integer[] gids) throws PermissionException { Role roleLocal = roleDAO.findById(rid); if (gids != null && gids.length > 0) { for (int i = 0; i < gids.length; i++) { ResourceGroup group = lookupGroup(gids[i]); group.addRole(roleLocal); } zeventManager.enqueueEventAfterCommit(new GroupsAddedToRoleZevent(roleLocal, gids)); } } /** * Associate ResourceGroup with list of roles. * * @param whoami The current running user. * @param roles The roles. * @param ids The id of the group to associate with the roles. * @throws PermissionException whoami is not allowed to perform * addResourceGroup on this role. * * */ public void addResourceGroupRoles(AuthzSubject whoami, Integer gid, Integer[] ids) throws PermissionException { addResourceGroupRoles(whoami, gid, ids, false); } /** * Associate ResourceGroup with list of roles. * * @param whoami The current running user. * @param roles The roles. * @param ids The id of the group to associate with the roles. * @throws PermissionException whoami is not allowed to perform * addResourceGroup on this role. * * */ public void addResourceGroupRoles(AuthzSubject whoami, Integer gid, Integer[] ids, boolean isDuringCalculation) throws PermissionException { ResourceGroup group = lookupGroup(gid); for (int i = 0; i < ids.length; i++) { Role roleLocal = lookupRole(ids[i]); group.addRole(roleLocal); } if (ids != null && ids.length > 0) { zeventManager.enqueueEventAfterCommit(new GroupAddedToRolesZevent(group, isDuringCalculation)); } } /** * Disassociate ResourceGroups from this role. * * @param whoami The current running user. * @param id This role. * @param gids The ids of the groups to disassociate. * * @throws PermissionException whoami is not allowed to perform modifyRole * on this role. * */ public void removeResourceGroups(AuthzSubject whoami, Integer id, Integer[] gids) throws PermissionException { Role roleLocal = lookupRole(id); Collection<ResourceGroup> groups = new HashSet<ResourceGroup>(); permissionManager.check(whoami.getId(), roleLocal.getResource().getResourceType(), roleLocal.getId(), AuthzConstants.roleOpModifyRole); for (int i = 0; i < gids.length; i++) { ResourceGroup group = lookupGroup(gids[i]); roleLocal.removeResourceGroup(group); groups.add(group); } if (gids != null && gids.length > 0) { zeventManager.enqueueEventAfterCommit(new GroupsRemovedFromRoleZevent(roleLocal, groups)); } } /** * Disassociate roles from this ResourceGroup. * * @param whoami The current running user. * @param role This role. * @param ids The ids of the groups to disassociate. * * @throws PermissionException whoami is not allowed to perform modifyRole * on this role. * */ public void removeResourceGroupRoles(AuthzSubject whoami, Integer gid, Integer[] ids) throws PermissionException { removeResourceGroupRoles(whoami, gid, ids, false); } /** * Disassociate roles from this ResourceGroup. * * @param whoami The current running user. * @param role This role. * @param ids The ids of the groups to disassociate. * @param isDuringCalculation true/false if we are in the middle of group membership calculation * * @throws PermissionException whoami is not allowed to perform modifyRole * on this role. * */ public void removeResourceGroupRoles(AuthzSubject whoami, Integer gid, Integer[] ids, boolean isDuringCalculation) throws PermissionException { ResourceGroup group = lookupGroup(gid); Collection<Role> roles = new HashSet<Role>(); for (int i = 0; i < ids.length; i++) { Role roleLocal = lookupRole(ids[i]); permissionManager.check(whoami.getId(), roleLocal.getResource().getResourceType(), roleLocal.getId(), AuthzConstants.roleOpModifyRole); roles.add(roleLocal); roleLocal.removeResourceGroup(group); } if (ids != null && ids.length > 0) { zeventManager .enqueueEventAfterCommit(new GroupRemovedFromRolesZevent(group, roles, isDuringCalculation)); } } /** * Disassociate all ResourceGroups of this role from this role. * * @param whoami The current running user. * @param role This role. * * * @throws PermissionException whoami is not allowed to perform modifyRole * on this role. * */ @SuppressWarnings("unchecked") public void removeAllResourceGroups(AuthzSubject whoami, Role role) throws PermissionException { permissionManager.check(whoami.getId(), role.getResource().getResourceType(), role.getId(), AuthzConstants.roleOpModifyRole); Collection<ResourceGroup> groups = role.getResourceGroups(); role.clearResourceGroups(); if (groups != null && groups.size() > 0) { zeventManager.enqueueEventAfterCommit(new GroupsRemovedFromRoleZevent(role, groups)); } } /** * Get the # of roles within HQ inventory * * */ @Transactional(readOnly = true) public Number getRoleCount() { return new Integer(roleDAO.size()); } /** * Get the # of subjects within HQ inventory * * */ @Transactional(readOnly = true) public Number getSubjectCount() { return new Integer(authzSubjectDAO.size()); } /** * Get a Role by id * * */ @Transactional(readOnly = true) public Role getRoleById(int id) { return roleDAO.get(new Integer(id)); } /** * */ @Transactional(readOnly = true) public Role findRoleById(int id) { return lookupRole(new Integer(id)); } /** * */ @Transactional(readOnly = true) public Role findRoleByName(String name) { return roleDAO.findByName(name); } /** * Create a calendar under a role for a specific type. Calendars created in * this manner are tied directly to the role and should not be used by other * roles. * * @throws PermissionException if user is not allowed to modify role * */ public RoleCalendar createCalendar(AuthzSubject whoami, Role r, String calendarName, RoleCalendarType type) throws PermissionException { permissionManager.check(whoami.getId(), r.getResource().getResourceType(), r.getId(), AuthzConstants.roleOpModifyRole); Calendar cal = calendarManager.createCalendar(calendarName); RoleCalendar res = new RoleCalendar(r, cal, type); r.addCalendar(res); return res; } /** * */ public boolean removeCalendar(RoleCalendar c) { boolean res = c.getRole().removeCalendar(c); roleCalendarDAO.remove(c); calendarManager.remove(c.getCalendar()); return res; } /** * Find the owned role that has the given ID. * * @param id The ID of the role you're looking for. * @return The owned value-object of the role of the given ID. * * */ public OwnedRoleValue findOwnedRoleById(AuthzSubject whoami, Integer id) throws PermissionException { Role local = roleDAO.findById(id); int numSubjects = authzSubjectDAO.size(local.getSubjects()); permissionManager.check(whoami.getId(), local.getResource().getResourceType(), id, AuthzConstants.roleOpViewRole); OwnedRoleValue value = new OwnedRoleValue(local); value.setMemberCount(numSubjects); return value; } /** * Get operations For a given role id, find the resource types and * permissions which are supported by it * * @param subject * @param roleId * @return list - values are lists of operation * */ @Transactional(readOnly = true) public List<Operation> getRoleOperations(AuthzSubject subject, Integer roleId) throws PermissionException { // find the role by id Role role = roleDAO.findById(roleId); return new ArrayList<Operation>(role.getOperations()); } /** * @return a list of {@link Role}s * */ @Transactional(readOnly = true) public Collection<Role> getAllRoles() { return roleDAO.findAll(); } private Collection<Role> getAllRoles(AuthzSubject subject, int sort, boolean asc) { switch (sort) { default: case SortAttribute.ROLE_NAME: return roleDAO.findAll_orderName(asc); } } /** * List all Roles in the system * * @param pc Paging information for the request * @return List a list of RoleValues * */ @Transactional(readOnly = true) public List<RoleValue> getAllRoles(AuthzSubject subject, PageControl pc) { pc = PageControl.initDefaults(pc, SortAttribute.ROLE_NAME); Collection<Role> roles = getAllRoles(subject, pc.getSortattribute(), pc.isAscending()); return rolePager.seek(roles, pc.getPagenum(), pc.getPagesize()); } /** * List all OwnedRoles in the system * * @param subject * @param pc Paging and sorting information. * @return List a list of OwnedRoleValues * */ @Transactional(readOnly = true) public List<OwnedRoleValue> getAllOwnedRoles(AuthzSubject subject, PageControl pc) { Collection<Role> roles = roleDAO.findAll(); pc = PageControl.initDefaults(pc, SortAttribute.ROLE_NAME); return ownedRolePager.seek(roles, pc.getPagenum(), pc.getPagesize()); } /** * List all Roles in the system, except system roles. * * @return List a list of OwnedRoleValues that are not system roles * @throws NotFoundException if sort attribute is unrecognized * */ @Transactional(readOnly = true) public PageList<OwnedRoleValue> getAllNonSystemOwnedRoles(AuthzSubject subject, Integer[] excludeIds, PageControl pc) throws PermissionException, NotFoundException { pc = PageControl.initDefaults(pc, SortAttribute.ROLE_NAME); int attr = pc.getSortattribute(); Collection<Role> roles; switch (attr) { case SortAttribute.ROLE_NAME: roles = roleDAO.findBySystem_orderName(false, !pc.isDescending()); break; default: throw new NotFoundException("Unrecognized sort attribute: " + attr); } // 6729 - if caller is a member of the root role, show it // 5345 - allow access to the root role by the root user so it can // be used by others Role rootRole = getRootRoleIfMember(subject); if (rootRole != null) { ArrayList<Role> newList = new ArrayList<Role>(); newList.add(rootRole); newList.addAll(roles); roles = newList; } roles = filterViewableRoles(subject, roles, excludeIds); PageList<OwnedRoleValue> plist = ownedRolePager.seek(roles, pc.getPagenum(), pc.getPagesize()); plist.setTotalSize(roles.size()); return plist; } /** * Get the roles with the specified ids * * @param subject * @param ids the role ids * @param pc Paging information for the request * * @throws PermissionException * * */ @Transactional(readOnly = true) public PageList<RoleValue> getRolesById(AuthzSubject whoami, Integer[] ids, PageControl pc) throws PermissionException { List<Role> roles = getRolesByIds(whoami, ids, pc); PageList<RoleValue> plist = rolePager.seek(roles, pc.getPagenum(), pc.getPagesize()); plist.setTotalSize(roles.size()); return plist; } private List<Role> getRolesByIds(AuthzSubject whoami, Integer[] ids, PageControl pc) throws PermissionException { permissionManager.check(whoami.getId(), AuthzConstants.roleResourceTypeName, AuthzConstants.rootResourceId, AuthzConstants.roleOpViewRole); Collection<Role> all = getAllRoles(whoami, pc.getSortattribute(), pc.isAscending()); // build an index of ids HashSet<Integer> index = new HashSet<Integer>(); for (int i = 0; i < ids.length; i++) { Integer id = ids[i]; index.add(id); } int numToFind = index.size(); // find the requested roles List<Role> roles = new ArrayList<Role>(ids.length); Iterator<Role> i = all.iterator(); while (i.hasNext() && roles.size() < numToFind) { Role r = i.next(); if (index.contains(r.getId())) { roles.add(r); } } return roles; } /** * Associate roles with this subject. * * @param whoami The current running user. * @param subject The subject. * @param roles The roles to associate with the subject. * @throws PermissionException whoami may not perform addRole on this * subject. * */ public void addRoles(AuthzSubject whoami, AuthzSubject subject, Integer[] roles) throws PermissionException { Collection<Role> roleObjects = new HashSet<Role>(); for (int i = 0; i < roles.length; i++) { Role roleLocal = lookupRole(roles[i]); roleObjects.add(roleLocal); subject.addRole(roleLocal); } if (roles != null && roles.length > 0) { zeventManager.enqueueEventAfterCommit(new SubjectAddedToRolesZevent(subject, roleObjects)); } } /** * Disassociate roles from this subject. * * @param whoami The current running user. * @param subject The subject. * @param roles The subjects to disassociate. * @throws PermissionException whoami may not perform removeRole on this * subject. * */ public void removeRoles(AuthzSubject whoami, AuthzSubject subject, Integer[] roles) throws PermissionException { Collection<Role> roleLocals = getRolesByIds(whoami, roles, PageControl.PAGE_ALL); for (Role role : roleLocals) { subject.removeRole(role); } if (roles != null && roles.length > 0) { zeventManager.enqueueEventAfterCommit(new SubjectRemovedFromRolesZevent(subject, roleLocals)); } } /** * Get the roles for a subject * * @param whoami * @param subject * @param pc Paging and sorting information. * @return Set of Roles * */ @Transactional(readOnly = true) public List<RoleValue> getRoles(AuthzSubject subjectValue, PageControl pc) throws PermissionException { Collection<Role> roles = subjectValue.getRoles(); pc = PageControl.initDefaults(pc, SortAttribute.ROLE_NAME); return rolePager.seek(roles, pc.getPagenum(), pc.getPagesize()); } /** * Get the owned roles for a subject. * * @param whoami * @param subject * @param pc Paging and sorting information. * @return Set of Roles * */ @Transactional(readOnly = true) public List<OwnedRoleValue> getOwnedRoles(AuthzSubject subject, PageControl pc) throws PermissionException { Collection<Role> roles = subject.getRoles(); pc = PageControl.initDefaults(pc, SortAttribute.ROLE_NAME); return ownedRolePager.seek(roles, pc.getPagenum(), pc.getPagesize()); } /** * Get the owned roles for a subject, except system roles. * * @param callerSubjectValue is the subject of caller. * @param intendedSubjectValue is the subject of intended subject. * @param pc The PageControl object for paging results. * @return List a list of OwnedRoleValues that are not system roles * * @throws PermissionException caller is not allowed to perform listRoles on * this role. */ @Transactional(readOnly = true) public PageList<OwnedRoleValue> getNonSystemOwnedRoles(AuthzSubject callerSubjectValue, AuthzSubject intendedSubjectValue, PageControl pc) throws PermissionException { return getNonSystemOwnedRoles(callerSubjectValue, intendedSubjectValue, null, pc); } /** * Get the owned roles for a subject, except system roles. * * @param callerSubjectValue is the subject of caller. * @param intendedSubjectValue is the subject of intended subject. * @param pc The PageControl object for paging results. * @return List a list of OwnedRoleValues that are not system roles * * @throws PermissionException caller is not allowed to perform listRoles on * this role. */ @Transactional(readOnly = true) public PageList<OwnedRoleValue> getNonSystemOwnedRoles(AuthzSubject callerSubjectValue, AuthzSubject intendedSubjectValue, Integer[] excludeIds, PageControl pc) throws PermissionException { // Fetch all roles presently assigned to the assignee Collection<Role> roles; pc = PageControl.initDefaults(pc, SortAttribute.ROLE_NAME); switch (pc.getSortattribute()) { case SortAttribute.ROLE_NAME: roles = roleDAO.findBySystemAndSubject_orderName(false, intendedSubjectValue.getId(), pc.isAscending()); break; case SortAttribute.ROLE_MEMBER_CNT: roles = roleDAO.findBySystemAndSubject_orderMember(false, intendedSubjectValue.getId(), pc.isAscending()); break; default: throw new IllegalArgumentException("Invalid sort parameter"); } if (isRootRoleMember(intendedSubjectValue)) { ArrayList<Role> roleList = new ArrayList<Role>(roles.size() + 1); Role rootRole = roleDAO.findById(AuthzConstants.rootRoleId); // We need to insert into the right place boolean done = false; for (Role role : roles) { if (!done) { if (pc.getSortattribute() == SortAttribute.ROLE_NAME) { if ((pc.isAscending() && role.getName().compareTo(rootRole.getName()) > 0) || (pc.isDescending() && role.getName().compareTo(rootRole.getName()) < 0)) { roleList.add(rootRole); done = true; } } else if (pc.getSortattribute() == SortAttribute.ROLE_MEMBER_CNT) { if ((pc.isAscending() && role.getSubjects().size() > rootRole.getSubjects().size()) || (pc.isDescending() && role.getSubjects().size() < rootRole.getSubjects().size())) { roleList.add(rootRole); done = true; } } } roleList.add(role); } if (!done) { roleList.add(rootRole); } roles = roleList; } // Filter out only those roles that the caller is able to see. Collection<Role> viewableRoles = filterViewableRoles(callerSubjectValue, roles, excludeIds); return ownedRolePager.seek(viewableRoles, pc.getPagenum(), pc.getPagesize()); } /** * List the roles that this subject is not in and that are not one of the * specified roles. * * @param whoami The current running user. * @param system If true, then only system roles are returned. If false, * then only non-system roles are returned. * @param subjectId The id of the subject. * @return List of roles. * @throws NotFoundException Unable to find a given or dependent entities. * @throws PermissionException whoami is not allowed to perform listRoles on * this role. * * */ @Transactional(readOnly = true) public PageList<RoleValue> getAvailableRoles(AuthzSubject whoami, boolean system, Integer subjectId, Integer[] roleIds, PageControl pc) throws PermissionException, NotFoundException { Collection<Role> foundRoles; pc = PageControl.initDefaults(pc, SortAttribute.ROLE_NAME); int attr = pc.getSortattribute(); switch (attr) { case SortAttribute.ROLE_NAME: foundRoles = roleDAO.findBySystemAndAvailableForSubject_orderName(system, whoami.getId(), !pc.isDescending()); break; default: throw new NotFoundException("Unrecognized sort attribute: " + attr); } HashSet<Integer> index = new HashSet<Integer>(); if (roleIds != null) { index.addAll(Arrays.asList(roleIds)); } Collection<Role> roles = new ArrayList<Role>(); for (Role r : foundRoles) { if (!index.contains(r.getId())) { roles.add(r); } } // AUTHZ Check // filter the viewable roles roles = filterViewableRoles(whoami, roles); PageList<RoleValue> plist = new PageList<RoleValue>(); plist = rolePager.seek(roles, pc.getPagenum(), pc.getPagesize()); plist.setTotalSize(roles.size()); // 6729 - if caller is a member of the root role, show it // 5345 - allow access to the root role by the root user so it can // be used by others if (isRootRoleMember(whoami) && pc.getPagenum() == 0 && !index.contains(AuthzConstants.rootRoleId)) { Role role = roleDAO.findAvailableRoleForSubject(AuthzConstants.rootRoleId, subjectId); if (role == null) { return plist; } OwnedRoleValue rootRoleValue = role.getOwnedRoleValue(); PageList<RoleValue> newList = new PageList<RoleValue>(); newList.add(rootRoleValue); newList.addAll(plist); newList.setTotalSize(plist.getTotalSize() + 1); return newList; } return plist; } /** * List the roles that this subject is not in and that are not one of the * specified roles. * * @param whoami The current running user. * @param system If true, then only system roles are returned. If false, * then only non-system roles are returned. * @param groupId The id of the subject. * @return List of roles. * @throws NotFoundException Unable to find a given or dependent entities. * @throws PermissionException whoami is not allowed to perform listRoles on * this role. * @throws NotFoundException if the sort attribute was not recognized * */ @Transactional(readOnly = true) public PageList<RoleValue> getAvailableGroupRoles(AuthzSubject whoami, Integer groupId, Integer[] roleIds, PageControl pc) throws PermissionException, NotFoundException { Collection<Role> foundRoles; pc = PageControl.initDefaults(pc, SortAttribute.ROLE_NAME); int attr = pc.getSortattribute(); switch (attr) { case SortAttribute.ROLE_NAME: foundRoles = roleDAO.findAvailableForGroup(false, groupId); break; default: throw new NotFoundException("Unrecognized sort attribute: " + attr); } log.debug("Found " + foundRoles.size() + " available roles for group " + groupId + " before permission checking"); HashSet<Integer> index = new HashSet<Integer>(); if (roleIds != null) { index.addAll(Arrays.asList(roleIds)); } // Grep out the specified roles ArrayList<Role> roles = new ArrayList<Role>(); for (Role r : foundRoles) { if (!index.contains(r.getId())) { roles.add(r); } } log.debug("Found " + roles.size() + " available roles for group " + groupId + " after exclusions"); // AUTHZ Check - filter the viewable roles roles = (ArrayList) filterViewableRoles(whoami, roles); if (isRootRoleMember(whoami) && pc.getPagenum() == 0 && !index.contains(AuthzConstants.rootRoleId)) { foundRoles = roleDAO.findAvailableForGroup(true, groupId); for (Role role : foundRoles) { if (role.getId().equals(AuthzConstants.rootRoleId)) { roles.add(role); } } } if (pc.isDescending()) { Collections.reverse(roles); } log.debug("Found " + roles.size() + " available roles for group " + groupId + " after permission checking"); PageList<RoleValue> plist = rolePager.seek(roles, pc.getPagenum(), pc.getPagesize()); plist.setTotalSize(roles.size()); return plist; } /** * Get the resource groups applicable to a given role. * @throws NotFoundException * */ @Transactional(readOnly = true) public Collection<ResourceGroup> getResourceGroupsByRole(AuthzSubject subject, Role role) throws PermissionException, NotFoundException { Collection<ResourceGroup> groups = resourceGroupDAO.findByRoleIdAndSystem_orderName(role.getId(), false, true); // now get viewable group pks return filterViewableGroups(subject, groups); } /** * Get the resource groups applicable to a given role. * @throws NotFoundException * */ @Transactional(readOnly = true) public Collection<ResourceGroup> getResourceGroupsByRoleAndGroupType(AuthzSubject subject, Role role, int groupType) throws PermissionException, NotFoundException { Collection<ResourceGroup> viewableGroups = getResourceGroupsByRole(subject, role); return filterByGroupType(viewableGroups, groupType); } /** * Filter a collection of groupLocal objects to only include those viewable * by the specified user */ private Collection<ResourceGroup> filterByGroupType(Collection<ResourceGroup> groups, int groupType) { for (Iterator<ResourceGroup> i = groups.iterator(); i.hasNext();) { ResourceGroup resGrp = i.next(); if (resGrp.getGroupType() != groupType) { i.remove(); } } return groups; } /** * Get the resource groups applicable to a given role * * */ @Transactional(readOnly = true) public PageList<ResourceGroupValue> getResourceGroupsByRoleIdAndSystem(AuthzSubject subject, Integer roleId, boolean system, PageControl pc) throws PermissionException, NotFoundException { // first find the role by its id roleDAO.findById(roleId); // now check to make sure the user can list resource groups Collection<ResourceGroup> groups; pc = PageControl.initDefaults(pc, SortAttribute.RESGROUP_NAME); int attr = pc.getSortattribute(); switch (attr) { case SortAttribute.RESGROUP_NAME: groups = resourceGroupDAO.findByRoleIdAndSystem_orderName(roleId, system, pc.isAscending()); break; default: throw new NotFoundException("Unrecognized sort attribute: " + attr); } // now get viewable group pks groups = filterViewableGroups(subject, groups); PageList<ResourceGroupValue> plist = groupPager.seek(groups, pc); plist.setTotalSize(groups.size()); return plist; } /** * Return the roles of a group * * @throws PermissionException * * */ @Transactional(readOnly = true) public PageList<RoleValue> getResourceGroupRoles(AuthzSubject whoami, Integer groupId, PageControl pc) throws PermissionException { ResourceGroup resGrp = resourceGroupDAO.findById(groupId); permissionManager.check(whoami.getId(), AuthzConstants.authzGroup, resGrp.getId(), AuthzConstants.perm_viewResourceGroup); Collection<Role> roles = resGrp.getRoles(); TreeMap<String, Role> map = new TreeMap<String, Role>(); for (Role role : roles) { int attr = pc.getSortattribute(); switch (attr) { case SortAttribute.ROLE_NAME: default: map.put(role.getName(), role); } } ArrayList<Role> list = new ArrayList<Role>(map.values()); if (pc.isDescending()) { Collections.reverse(list); } PageList<RoleValue> plist = rolePager.seek(list, pc.getPagenum(), pc.getPagesize()); plist.setTotalSize(roles.size()); return plist; } /** * Filter a collection of groupLocal objects to only include those viewable * by the specified user */ private Collection<ResourceGroup> filterViewableGroups(AuthzSubject who, Collection<ResourceGroup> groups) throws PermissionException, NotFoundException { // finally scope down to only the ones the user can see Collection<Integer> viewable = permissionManager.findOperationScopeBySubject(who, AuthzConstants.groupOpViewResourceGroup, AuthzConstants.groupResourceTypeName); for (Iterator<ResourceGroup> i = groups.iterator(); i.hasNext();) { ResourceGroup resGrp = i.next(); if (!viewable.contains(resGrp.getId())) { i.remove(); } } return groups; } /** * List the groups not in this role and not one of the specified groups. * * @param whoami The current running user. * @param roleId The id of the role. * @return List of groups in this role. * @throws PermissionException whoami is not allowed to perform listGroups * on this role. * @throws NotFoundException * */ @Transactional(readOnly = true) public PageList<ResourceGroupValue> getAvailableResourceGroups(AuthzSubject whoami, Integer roleId, Integer[] groupIds, PageControl pc) throws PermissionException, NotFoundException { Role role = roleDAO.findById(roleId); Collection<ResourceGroup> noRoles; Collection<ResourceGroup> otherRoles; pc = PageControl.initDefaults(pc, SortAttribute.RESGROUP_NAME); int attr = pc.getSortattribute(); switch (attr) { case SortAttribute.RESGROUP_NAME: noRoles = resourceGroupDAO.findWithNoRoles_orderName(pc.isAscending()); otherRoles = resourceGroupDAO.findByNotRoleId_orderName(role.getId(), pc.isAscending()); break; default: throw new NotFoundException("Unrecognized sort attribute: " + attr); } // FIXME- merging these two sorted lists probably causes the // final list to not be sorted correctly. fix this by // combining the two finders into one! // FIX for 6924 - dont include duplicate groups for (ResourceGroup group : otherRoles) { if (!noRoles.contains(group)) { noRoles.add(group); } } // build an index of groupIds int numToFind = (groupIds == null) ? 0 : groupIds.length; HashSet<Integer> index = new HashSet<Integer>(); for (int i = 0; i < numToFind; i++) { index.add(groupIds[i]); } // Add the groups that the role already owns Collection<ResourceGroup> belongs = resourceGroupDAO.findByRoleIdAndSystem_orderName(roleId, false, true); for (ResourceGroup s : belongs) { index.add(s.getId()); } // grep out the specified groups Collection<ResourceGroup> groups = new ArrayList<ResourceGroup>(noRoles.size()); for (ResourceGroup s : noRoles) { if (!index.contains(s.getId())) { groups.add(s); } } // AUTHZ Check // finally scope down to only the ones the user can see groups = filterViewableGroups(whoami, groups); PageList<ResourceGroupValue> plist = groupPager.seek(groups, pc.getPagenum(), pc.getPagesize()); plist.setTotalSize(groups.size()); return plist; } /** * List the subjects in this role. * * @param whoami The current running user. * @param roleId The id of the role. * @return List of subjects in this role. * @throws PermissionException whoami is not allowed to perform listSubjects * on this role. * @throws NotFoundException if the sort attribute is not recognized * * */ @Transactional(readOnly = true) public PageList<AuthzSubjectValue> getSubjects(AuthzSubject whoami, Integer roleId, PageControl pc) throws PermissionException, NotFoundException { Role roleLocal = roleDAO.get(roleId); if (roleLocal == null) { return new PageList<AuthzSubjectValue>(); } // check if this user is a member of this role boolean roleHasUser = roleLocal.getSubjects().contains(whoami); // check whether the user can see subjects other than himself try { permissionManager.check(whoami.getId(), resourceTypeDAO.findTypeResourceType(), AuthzConstants.rootResourceId, AuthzConstants.subjectOpViewSubject); } catch (PermissionException e) { // if the user does not have permission to view subjects // but he is in the role, return a collection with only one // item... himself. if (roleHasUser) { PageList<AuthzSubjectValue> subjects = new PageList<AuthzSubjectValue>(); subjects.add(whoami.getAuthzSubjectValue()); subjects.setTotalSize(1); return subjects; } // otherwise return an empty list // fixes 5628 - user viewing role lacking view subjects // causes permissionexception return new PageList<AuthzSubjectValue>(); } Collection<AuthzSubject> subjects; pc = PageControl.initDefaults(pc, SortAttribute.SUBJECT_NAME); switch (pc.getSortattribute()) { case SortAttribute.SUBJECT_NAME: subjects = authzSubjectDAO.findByRoleId_orderName(roleLocal.getId(), pc.isAscending()); break; default: throw new NotFoundException("Unrecognized sort attribute: " + pc.getSortattribute()); } PageList<AuthzSubjectValue> plist = new PageList<AuthzSubjectValue>(); plist = subjectPager.seek(subjects, pc.getPagenum(), pc.getPagesize()); plist.setTotalSize(subjects.size()); return plist; } /** * List the subjects not in this role and not one of the specified subjects. * * @param whoami The current running user. * @param roleId The id of the role. * @return List of subjects in this role. * @throws NotFoundException Unable to find a given or dependent entities. * @throws PermissionException whoami is not allowed to perform listSubjects * on this role. * @throws NotFoundException if the sort attribute is not recognized * * */ @Transactional(readOnly = true) public PageList<AuthzSubjectValue> getAvailableSubjects(AuthzSubject whoami, Integer roleId, Integer[] subjectIds, PageControl pc) throws PermissionException, NotFoundException { Role roleLocal = lookupRole(roleId); /** TODO PermissionCheck scope for viewSubject **/ Collection<AuthzSubject> otherRoles; pc = PageControl.initDefaults(pc, SortAttribute.SUBJECT_NAME); switch (pc.getSortattribute()) { case SortAttribute.SUBJECT_NAME: otherRoles = authzSubjectDAO.findByNotRoleId_orderName(roleLocal.getId(), pc.isAscending()); break; default: throw new NotFoundException("Unrecognized sort attribute: " + pc.getSortattribute()); } // build an index of subjectIds int numToFind = subjectIds.length; HashSet<Integer> index = new HashSet<Integer>(Arrays.asList(subjectIds)); // grep out the specified subjects ArrayList<AuthzSubject> subjects = new ArrayList<AuthzSubject>(numToFind); for (AuthzSubject subj : otherRoles) { if (!index.contains(subj.getId())) { subjects.add(subj); } } PageList<AuthzSubjectValue> plist = new PageList<AuthzSubjectValue>(); plist = subjectPager.seek(subjects, pc.getPagenum(), pc.getPagesize()); plist.setTotalSize(subjects.size()); return plist; } @Transactional(readOnly = true) public Collection<Role> getRoles(AuthzSubject subj) { subj = authzSubjectDAO.get(subj.getId()); final Collection<Role> roles = subj.getRoles(); final Collection<Role> rtn = new ArrayList<Role>(roles.size()); for (final Role role : roles) { final Role r = roleDAO.get(role.getId()); if (r == null) { continue; } rtn.add(r); } return rtn; } /** * Add subjects to this role. * * @param whoami The current running user. * @param id The ID of the role. * @param sids Ids of subjects to add to role. * @throws PermissionException whoami is not allowed to perform addSubject * on this role. * */ public void addSubjects(AuthzSubject whoami, Integer id, Integer[] sids) throws PermissionException { Role role = lookupRole(id); Collection<AuthzSubject> subjects = new HashSet<AuthzSubject>(); if (sids != null && sids.length > 0) { for (int i = 0; i < sids.length; i++) { AuthzSubject subj = authzSubjectDAO.findById(sids[i]); subjects.add(subj); subj.addRole(role); } zeventManager.enqueueEventAfterCommit(new SubjectsAddedToRoleZevent(role, subjects)); } } /** * Remove subjects from this role. * * @param whoami The current running user. * @param id The ID of the role. * @param ids The ids of the subjects to remove. * @throws PermissionException whoami is not allowed to perform * removeSubject on this role. * * */ public void removeSubjects(AuthzSubject whoami, Integer id, Integer[] ids) throws PermissionException { Role roleLocal = lookupRole(id); Collection<AuthzSubject> subjects = new HashSet<AuthzSubject>(); for (int i = 0; i < ids.length; i++) { AuthzSubject subj = authzSubjectDAO.findById(ids[i]); subjects.add(subj); subj.removeRole(roleLocal); } if (ids != null && ids.length > 0) { zeventManager.enqueueEventAfterCommit(new SubjectsRemovedFromRoleZevent(roleLocal, subjects)); } } /** * Find all {@link Operation} objects * * */ @Transactional(readOnly = true) public Collection<Operation> findAllOperations() { return operationDAO.findAllOrderByName(); } protected Set toPojos(Object[] vals) { Set ret = new HashSet(); if (vals == null || vals.length == 0) { return ret; } for (int i = 0; i < vals.length; i++) { if (vals[i] instanceof Operation) { ret.add(vals[i]); } else if (vals[i] instanceof ResourceValue) { ret.add(lookupResource((ResourceValue) vals[i])); } else if (vals[i] instanceof RoleValue) { ret.add(roleDAO.findById(((RoleValue) vals[i]).getId())); } else if (vals[i] instanceof ResourceGroupValue) { ret.add(resourceGroupDAO.findById(((ResourceGroupValue) vals[i]).getId())); } else { log.error("Invalid type."); } } return ret; } private Resource lookupResource(ResourceValue resource) { if (resource.getId() == null) { ResourceType type = resource.getResourceType(); return resourceDAO.findByInstanceId(type, resource.getInstanceId()); } return resourceDAO.findById(resource.getId()); } public void setApplicationContext(ApplicationContext applicationContext) throws BeansException { this.applicationContext = applicationContext; } public void checkCanModify(AuthzSubject authzSubject) throws PermissionException { permissionManager.check(authzSubject.getId(), AuthzConstants.authzRole, AuthzConstants.perm_modifyRole); } }