http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java new file mode 100644 index 0000000..55320b8 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java @@ -0,0 +1,174 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.apache.ranger.biz; + +import org.apache.ranger.common.*; +import org.apache.ranger.service.*; +import org.apache.ranger.view.*; +import org.springframework.beans.factory.annotation.Autowired; +public class AssetMgrBase { + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + XAssetService xAssetService; + + @Autowired + XResourceService xResourceService; + + @Autowired + XCredentialStoreService xCredentialStoreService; + + @Autowired + XPolicyExportAuditService xPolicyExportAuditService; + public VXAsset getXAsset(Long id){ + return (VXAsset)xAssetService.readResource(id); + } + + public VXAsset createXAsset(VXAsset vXAsset){ + vXAsset = (VXAsset)xAssetService.createResource(vXAsset); + return vXAsset; + } + + public VXAsset updateXAsset(VXAsset vXAsset) { + vXAsset = (VXAsset)xAssetService.updateResource(vXAsset); + return vXAsset; + } + + public void deleteXAsset(Long id, boolean force) { + if (force) { + xAssetService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXAssetList searchXAssets(SearchCriteria searchCriteria) { + return xAssetService.searchXAssets(searchCriteria); + } + + public VXLong getXAssetSearchCount(SearchCriteria searchCriteria) { + return xAssetService.getSearchCount(searchCriteria, + xAssetService.searchFields); + } + + public VXResource getXResource(Long id){ + return (VXResource)xResourceService.readResource(id); + } + + public VXResource createXResource(VXResource vXResource){ + vXResource = (VXResource)xResourceService.createResource(vXResource); + return vXResource; + } + + public VXResource updateXResource(VXResource vXResource) { + vXResource = (VXResource)xResourceService.updateResource(vXResource); + return vXResource; + } + + public void deleteXResource(Long id, boolean force) { + if (force) { + xResourceService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXResourceList searchXResources(SearchCriteria searchCriteria) { + return xResourceService.searchXResources(searchCriteria); + } + + public VXLong getXResourceSearchCount(SearchCriteria searchCriteria) { + return xResourceService.getSearchCount(searchCriteria, + xResourceService.searchFields); + } + + public VXCredentialStore getXCredentialStore(Long id){ + return (VXCredentialStore)xCredentialStoreService.readResource(id); + } + + public VXCredentialStore createXCredentialStore(VXCredentialStore vXCredentialStore){ + vXCredentialStore = (VXCredentialStore)xCredentialStoreService.createResource(vXCredentialStore); + return vXCredentialStore; + } + + public VXCredentialStore updateXCredentialStore(VXCredentialStore vXCredentialStore) { + vXCredentialStore = (VXCredentialStore)xCredentialStoreService.updateResource(vXCredentialStore); + return vXCredentialStore; + } + + public void deleteXCredentialStore(Long id, boolean force) { + if (force) { + xCredentialStoreService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXCredentialStoreList searchXCredentialStores(SearchCriteria searchCriteria) { + return xCredentialStoreService.searchXCredentialStores(searchCriteria); + } + + public VXLong getXCredentialStoreSearchCount(SearchCriteria searchCriteria) { + return xCredentialStoreService.getSearchCount(searchCriteria, + xCredentialStoreService.searchFields); + } + + public VXPolicyExportAudit getXPolicyExportAudit(Long id){ + return (VXPolicyExportAudit)xPolicyExportAuditService.readResource(id); + } + + public VXPolicyExportAudit createXPolicyExportAudit(VXPolicyExportAudit vXPolicyExportAudit){ + vXPolicyExportAudit = (VXPolicyExportAudit)xPolicyExportAuditService.createResource(vXPolicyExportAudit); + return vXPolicyExportAudit; + } + + public VXPolicyExportAudit updateXPolicyExportAudit(VXPolicyExportAudit vXPolicyExportAudit) { + vXPolicyExportAudit = (VXPolicyExportAudit)xPolicyExportAuditService.updateResource(vXPolicyExportAudit); + return vXPolicyExportAudit; + } + + public void deleteXPolicyExportAudit(Long id, boolean force) { + if (force) { + xPolicyExportAuditService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXPolicyExportAuditList searchXPolicyExportAudits(SearchCriteria searchCriteria) { + return xPolicyExportAuditService.searchXPolicyExportAudits(searchCriteria); + } + + public VXLong getXPolicyExportAuditSearchCount(SearchCriteria searchCriteria) { + return xPolicyExportAuditService.getSearchCount(searchCriteria, + xPolicyExportAuditService.searchFields); + } + +}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/BaseMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/BaseMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/BaseMgr.java new file mode 100644 index 0000000..be808de --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/BaseMgr.java @@ -0,0 +1,79 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + /** + * + */ +package org.apache.ranger.biz; + +import org.apache.log4j.Logger; +import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.common.RESTErrorUtil; +import org.apache.ranger.common.XAConstants; +import org.apache.ranger.common.db.BaseDao; +import org.apache.ranger.db.XADaoManager; +import org.apache.ranger.entity.XXDBBase; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +@Component +public abstract class BaseMgr { + static final Logger logger = Logger.getLogger(BaseMgr.class); + + @Autowired + XADaoManager daoManager; + + @Autowired + RESTErrorUtil restErrorUtil; + + public XADaoManager getDaoManager() { + return daoManager; + } + + public void deleteEntity(BaseDao<? extends XXDBBase> baseDao, Long id, + String entityName) { + XXDBBase entity = baseDao.getById(id); + if (entity != null) { + try { + baseDao.remove(id); + } catch (Exception e) { + logger.error("Error deleting " + entityName + ". Id=" + id, e); + throw restErrorUtil.createRESTException("This " + entityName + + " can't be deleted", + MessageEnums.OPER_NOT_ALLOWED_FOR_STATE, id, null, "" + + id + ", error=" + e.getMessage()); + } + } else { + // Return without error + logger.info("Delete ignored for non-existent " + entityName + + " id=" + id); + } + } + + /** + * @param objectClassType + */ + protected void validateClassType(int objectClassType) { + // objectClassType + restErrorUtil.validateMinMax(objectClassType, 1, + XAConstants.ClassTypes_MAX, "Invalid classType", null, + "objectClassType"); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/HadoopFSMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/HadoopFSMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/HadoopFSMgr.java new file mode 100644 index 0000000..86e2311 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/HadoopFSMgr.java @@ -0,0 +1,83 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + /** + * + */ +package org.apache.ranger.biz; + +import org.apache.log4j.Logger; +import org.apache.ranger.hadoop.client.HadoopFS; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; + +/** + * + * + */ + +@Component +@Scope("singleton") +public class HadoopFSMgr { + + private HadoopFS fs; + private String dataSource; + private static Logger logger = Logger.getLogger(HadoopFSMgr.class); + + public HadoopFSMgr() { + init(); + } + + public HadoopFSMgr(String dataSource) { + this.dataSource = dataSource; + init(); + } + + private void init() { + try { +// if (dataSource != null) { +// fs = new HadoopFS(dataSource); +// } else { +// fs = new HadoopFS("hadoopdev"); +// } + } catch (Exception e) { + logger.error("Error connecting hive client", e); + } + } + + protected HadoopFS getInstance(String dataSourceName) { + if (dataSourceName == null) { + logger.info("Hadoop client name not provided."); + return fs; + } else { + if (fs.getDataSource() != null) { + if (fs.getDataSource().equalsIgnoreCase(dataSourceName)) { + return fs; + } else { + fs = new HadoopFS(dataSourceName); + return fs; + } + } else { + fs = new HadoopFS(dataSourceName); + return fs; + } + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/HiveFSMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/HiveFSMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/HiveFSMgr.java new file mode 100644 index 0000000..e6924ea --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/HiveFSMgr.java @@ -0,0 +1,83 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + /** + * + */ +package org.apache.ranger.biz; + +import org.apache.log4j.Logger; +import org.apache.ranger.hive.client.HiveClient; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; + +/** + * + */ + +// @Component +// @Scope("singleton") + +public class HiveFSMgr { + + private HiveClient fs; + private String dataSource; + private static Logger logger = Logger.getLogger(HiveFSMgr.class); + + public HiveFSMgr() { + init(); + } + + public HiveFSMgr(String dataSource) { + this.dataSource = dataSource; + init(); + } + + private void init() { + try { + if (dataSource != null) { + fs = new HiveClient(dataSource); + } else { + fs = new HiveClient("dev-hive"); + } + } catch (Exception e) { + logger.error("Error connecting hive client", e); + } + } + + protected HiveClient getInstance(String dataSourceName) { + if (dataSourceName == null) { + logger.info("Hive client name not provided."); + return fs; + } else { + if (fs.getDataSource() != null) { + if (fs.getDataSource().equalsIgnoreCase(dataSourceName)) { + return fs; + } else { + fs = new HiveClient(dataSourceName); + return fs; + } + } else { + fs = new HiveClient(dataSourceName); + return fs; + } + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java new file mode 100644 index 0000000..f273f2b --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java @@ -0,0 +1,340 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.apache.ranger.biz; + +import java.util.ArrayList; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; + +import org.apache.log4j.Logger; +import org.apache.ranger.common.DateUtil; +import org.apache.ranger.common.HTTPUtil; +import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.common.RESTErrorUtil; +import org.apache.ranger.common.SearchCriteria; +import org.apache.ranger.common.StringUtil; +import org.apache.ranger.common.UserSessionBase; +import org.apache.ranger.common.XACommonEnums; +import org.apache.ranger.common.XAConstants; +import org.apache.ranger.db.XADaoManager; +import org.apache.ranger.entity.XXAuthSession; +import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.entity.XXPortalUserRole; +import org.apache.ranger.security.context.XAContextHolder; +import org.apache.ranger.security.context.XASecurityContext; +import org.apache.ranger.service.AuthSessionService; +import org.apache.ranger.util.RestUtil; +import org.apache.ranger.view.VXAuthSession; +import org.apache.ranger.view.VXAuthSessionList; +import org.apache.ranger.view.VXLong; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.web.authentication.WebAuthenticationDetails; +import org.springframework.stereotype.Component; +import org.springframework.transaction.annotation.Propagation; +import org.springframework.transaction.annotation.Transactional; + +@Component +@Transactional +public class SessionMgr { + + static final Logger logger = Logger.getLogger(SessionMgr.class); + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + XADaoManager daoManager; + + @Autowired + AuthSessionService authSessionService; + + @Autowired + HTTPUtil httpUtil; + + @Autowired + StringUtil stringUtil; + + public SessionMgr() { + logger.debug("SessionManager created"); + } + + public UserSessionBase processSuccessLogin(int authType, String userAgent) { + return processSuccessLogin(authType, userAgent, null); + } + + public UserSessionBase processSuccessLogin(int authType, String userAgent, + HttpServletRequest httpRequest) { + boolean newSessionCreation = true; + UserSessionBase userSession = null; + + XASecurityContext context = XAContextHolder.getSecurityContext(); + if (context != null) { + userSession = context.getUserSession(); + } + + Authentication authentication = SecurityContextHolder.getContext() + .getAuthentication(); + WebAuthenticationDetails details = (WebAuthenticationDetails) authentication + .getDetails(); + + String currentLoginId = authentication.getName(); + if (userSession != null) { + if (validateUserSession(userSession, currentLoginId)) { + newSessionCreation = false; + } + } + + if (newSessionCreation) { + // Need to build the UserSession + XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); + if (gjUser == null) { + logger.error( + "Error getting user for loginId=" + currentLoginId, + new Exception()); + return null; + } + + XXAuthSession gjAuthSession = new XXAuthSession(); + gjAuthSession.setLoginId(currentLoginId); + gjAuthSession.setUserId(gjUser.getId()); + gjAuthSession.setAuthTime(DateUtil.getUTCDate()); + gjAuthSession.setAuthStatus(XXAuthSession.AUTH_STATUS_SUCCESS); + gjAuthSession.setAuthType(authType); + if (details != null) { + gjAuthSession.setExtSessionId(details.getSessionId()); + gjAuthSession.setRequestIP(details.getRemoteAddress()); + } + + if (userAgent != null) { + gjAuthSession.setRequestUserAgent(userAgent); + } + gjAuthSession.setDeviceType(httpUtil.getDeviceType(userAgent)); + gjAuthSession = storeAuthSession(gjAuthSession); + + userSession = new UserSessionBase(); + userSession.setXXPortalUser(gjUser); + userSession.setXXAuthSession(gjAuthSession); + resetUserSessionForProfiles(userSession); + + if (details != null) { + logger.info("Login Success: loginId=" + currentLoginId + + ", sessionId=" + gjAuthSession.getId() + + ", sessionId=" + details.getSessionId() + + ", requestId=" + details.getRemoteAddress()); + } else { + logger.info("Login Success: loginId=" + currentLoginId + + ", sessionId=" + gjAuthSession.getId() + + ", details is null"); + } + + } + + return userSession; + } + + public void resetUserSessionForProfiles(UserSessionBase userSession) { + if (userSession == null) { + // Nothing to reset + return; + } + + // Let's get the Current User Again + String currentLoginId = userSession.getLoginId(); + + XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); + userSession.setXXPortalUser(gjUser); + + setUserRoles(userSession); + + } + + private void setUserRoles(UserSessionBase userSession) { + + List<String> strRoleList = new ArrayList<String>(); + List<XXPortalUserRole> roleList = daoManager.getXXPortalUserRole().findByUserId( + userSession.getUserId()); + for (XXPortalUserRole gjUserRole : roleList) { + String userRole = gjUserRole.getUserRole(); + + strRoleList.add(userRole); + if (userRole.equals(XAConstants.ROLE_SYS_ADMIN)) { + userSession.setUserAdmin(true); + } + } + userSession.setUserRoleList(strRoleList); + } + + public XXAuthSession processFailureLogin(int authStatus, int authType, + String loginId, String remoteAddr, String sessionId) { + XXAuthSession gjAuthSession = new XXAuthSession(); + gjAuthSession.setLoginId(loginId); + gjAuthSession.setUserId(null); + gjAuthSession.setAuthTime(DateUtil.getUTCDate()); + gjAuthSession.setAuthStatus(authStatus); + gjAuthSession.setAuthType(authType); + gjAuthSession.setDeviceType(XACommonEnums.DEVICE_UNKNOWN); + gjAuthSession.setExtSessionId(sessionId); + gjAuthSession.setRequestIP(remoteAddr); + gjAuthSession.setRequestUserAgent(null); + + gjAuthSession = storeAuthSession(gjAuthSession); + return gjAuthSession; + } + + protected boolean validateUserSession(UserSessionBase userSession, + String currentLoginId) { + if (currentLoginId + .equalsIgnoreCase(userSession.getXXPortalUser().getLoginId())) { + return true; + } else { + logger.info( + "loginId doesn't match loginId from HTTPSession. Will create new session. loginId=" + + currentLoginId + ", userSession=" + userSession, + new Exception()); + return false; + } + } + + @Transactional(readOnly = false, propagation = Propagation.REQUIRES_NEW) + protected XXAuthSession storeAuthSession(XXAuthSession gjAuthSession) { + // daoManager.getEntityManager().getTransaction().begin(); + XXAuthSession dbMAuthSession = daoManager.getXXAuthSession().create( + gjAuthSession); + // daoManager.getEntityManager().getTransaction().commit(); + return dbMAuthSession; + } + + // non-WEB processing + public UserSessionBase processStandaloneSuccessLogin(int authType, + String ipAddress) { + Authentication authentication = SecurityContextHolder.getContext() + .getAuthentication(); + + String currentLoginId = authentication.getName(); + + // Need to build the UserSession + XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); + if (gjUser == null) { + logger.error("Error getting user for loginId=" + currentLoginId, + new Exception()); + return null; + } + + XXAuthSession gjAuthSession = new XXAuthSession(); + gjAuthSession.setLoginId(currentLoginId); + gjAuthSession.setUserId(gjUser.getId()); + gjAuthSession.setAuthTime(DateUtil.getUTCDate()); + gjAuthSession.setAuthStatus(XXAuthSession.AUTH_STATUS_SUCCESS); + gjAuthSession.setAuthType(authType); + gjAuthSession.setDeviceType(XACommonEnums.DEVICE_UNKNOWN); + gjAuthSession.setExtSessionId(null); + gjAuthSession.setRequestIP(ipAddress); + gjAuthSession.setRequestUserAgent(null); + + gjAuthSession = storeAuthSession(gjAuthSession); + + UserSessionBase userSession = new UserSessionBase(); + userSession.setXXPortalUser(gjUser); + userSession.setXXAuthSession(gjAuthSession); + + // create context with user-session and set in thread-local + XASecurityContext context = new XASecurityContext(); + context.setUserSession(userSession); + XAContextHolder.setSecurityContext(context); + + resetUserSessionForProfiles(userSession); + + return userSession; + } + + /** + * @param searchCriteria + * @return + */ + public VXAuthSessionList searchAuthSessions(SearchCriteria searchCriteria) { + + if (searchCriteria != null && searchCriteria.getParamList() != null + && searchCriteria.getParamList().size() > 0) { + + int clientTimeOffsetInMinute=RestUtil.getClientTimeOffset(); + java.util.Date temp = null; + DateUtil dateUtil = new DateUtil(); + if (searchCriteria.getParamList().containsKey("startDate")) { + temp = (java.util.Date) searchCriteria.getParamList().get( + "startDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 0, 0, 0); + temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("startDate", temp); + } + if (searchCriteria.getParamList().containsKey("endDate")) { + temp = (java.util.Date) searchCriteria.getParamList().get( + "endDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 23, 59, 59); + temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("endDate", temp); + } + } + + return authSessionService.search(searchCriteria); + } + + public VXLong countAuthSessions(SearchCriteria searchCriteria) { + return authSessionService.getSearchCount(searchCriteria, + AuthSessionService.AUTH_SESSION_SEARCH_FLDS); + } + + public VXAuthSession getAuthSession(Long id) { + return authSessionService.readResource(id); + } + + public VXAuthSession getAuthSessionBySessionId(String authSessionId) { + if(stringUtil.isEmpty(authSessionId)){ + throw restErrorUtil.createRESTException("Please provide the auth session id.", + MessageEnums.INVALID_INPUT_DATA); + } + + XXAuthSession xXAuthSession = daoManager.getXXAuthSession() + .getAuthSessionBySessionId(authSessionId); + + if(xXAuthSession==null){ + throw restErrorUtil.createRESTException("Please provide a valid " + + "session id.", MessageEnums.INVALID_INPUT_DATA); + } + + VXAuthSession vXAuthSession = authSessionService.populateViewBean(xXAuthSession); + return vXAuthSession; + } + + public boolean isValidXAUser(String loginId) { + XXPortalUser pUser = daoManager.getXXPortalUser().findByLoginId(loginId); + if (pUser == null) { + logger.error("Error getting user for loginId=" + loginId); + return false; + } else { + logger.info(loginId+" is a valid user"); + return true; + } + + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java new file mode 100644 index 0000000..648d80a --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java @@ -0,0 +1,1149 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.apache.ranger.biz; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashMap; +import java.util.List; + +import javax.persistence.Query; + +import org.apache.log4j.Logger; +import org.apache.ranger.common.AppConstants; +import org.apache.ranger.common.ContextUtil; +import org.apache.ranger.common.DateUtil; +import org.apache.ranger.common.GUIDUtil; +import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.common.RESTErrorUtil; +import org.apache.ranger.common.SearchCriteria; +import org.apache.ranger.common.SearchUtil; +import org.apache.ranger.common.StringUtil; +import org.apache.ranger.common.UserSessionBase; +import org.apache.ranger.common.XACommonEnums; +import org.apache.ranger.common.XAConfigUtil; +import org.apache.ranger.common.XAConstants; +import org.apache.ranger.db.XADaoManager; +import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.entity.XXPortalUserRole; +import org.apache.ranger.entity.XXTrxLog; +import org.apache.ranger.service.XPortalUserService; +import org.apache.ranger.view.VXPasswordChange; +import org.apache.ranger.view.VXPortalUser; +import org.apache.ranger.view.VXPortalUserList; +import org.apache.ranger.view.VXResponse; +import org.apache.ranger.view.VXString; +import org.apache.velocity.Template; +import org.apache.velocity.app.VelocityEngine; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.authentication.encoding.Md5PasswordEncoder; +import org.springframework.stereotype.Component; +import org.springframework.transaction.annotation.Propagation; +import org.springframework.transaction.annotation.Transactional; + +@Component +public class UserMgr { + + static final Logger logger = Logger.getLogger(UserMgr.class); + private static final Md5PasswordEncoder md5Encoder = new Md5PasswordEncoder(); + + @Autowired + XADaoManager daoManager; + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + StringUtil stringUtil; + + @Autowired + SearchUtil searchUtil; + + @Autowired + XABizUtil msBizUtil; + + @Autowired + SessionMgr sessionMgr; + + @Autowired + VelocityEngine velocityEngine; + Template t; + + @Autowired + DateUtil dateUtil; + + @Autowired + XAConfigUtil configUtil; + + @Autowired + XPortalUserService xPortalUserService; + + String publicRoles[] = new String[] { XAConstants.ROLE_USER, + XAConstants.ROLE_OTHER }; + + private static final List<String> DEFAULT_ROLE_LIST = new ArrayList<String>( + 1); + + private static final List<String> VALID_ROLE_LIST = new ArrayList<String>(2); + + static { + DEFAULT_ROLE_LIST.add(XAConstants.ROLE_USER); + VALID_ROLE_LIST.add(XAConstants.ROLE_SYS_ADMIN); + VALID_ROLE_LIST.add(XAConstants.ROLE_USER); + } + + public UserMgr() { + if (logger.isDebugEnabled()) { + logger.debug("UserMgr()"); + } + } + + public XXPortalUser createUser(VXPortalUser userProfile, int userStatus, + Collection<String> userRoleList) { + XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile); + user = createUser(user, userStatus, userRoleList); + + return user; + } + + public XXPortalUser createUser(XXPortalUser user, int userStatus, + Collection<String> userRoleList) { + user.setStatus(userStatus); + String saltEncodedpasswd = encrypt(user.getLoginId(), + user.getPassword()); + user.setPassword(saltEncodedpasswd); + user = daoManager.getXXPortalUser().create(user); + + // Create the UserRole for this user + List<XXPortalUserRole> gjUserRoleList = new ArrayList<XXPortalUserRole>(); + if (userRoleList != null) { + for (String userRole : userRoleList) { + XXPortalUserRole gjUserRole = addUserRole(user.getId(), userRole); + if (gjUserRole != null) { + gjUserRoleList.add(gjUserRole); + } + } + } + + return user; + } + + public XXPortalUser createUser(VXPortalUser userProfile, int userStatus) { + ArrayList<String> roleList = new ArrayList<String>(); + Collection<String> reqRoleList = userProfile.getUserRoleList(); + if (reqRoleList != null && reqRoleList.size()>0) { + for (String role : reqRoleList) { + roleList.add(role); + } + }else{ + roleList.add(XAConstants.ROLE_USER); + } + + return createUser(userProfile, userStatus, roleList); + } + + /** + * @param userProfile + * @return + */ + public XXPortalUser updateUser(VXPortalUser userProfile) { + XXPortalUser gjUser = daoManager.getXXPortalUser().getById( + userProfile.getId()); + + if (gjUser == null) { + logger.error("updateUser(). User not found. userProfile=" + + userProfile); + return null; + } + + checkAccess(gjUser); + + boolean updateUser = false; + // Selectively update fields + + // status + if (userProfile.getStatus() != gjUser.getStatus()) { + updateUser = true; + } + + // Allowing email address update even when its set to empty. + // emailAddress + String emailAddress = userProfile.getEmailAddress(); + if (stringUtil.isEmpty(emailAddress)) { + String randomString = GUIDUtil.genGUI(); + userProfile.setEmailAddress(randomString); + updateUser = true; + } else { + if (stringUtil.validateEmail(emailAddress)) { + XXPortalUser checkUser = daoManager.getXXPortalUser() + .findByEmailAddress(emailAddress); + if (checkUser != null) { + String loginId = userProfile.getLoginId(); + if (loginId == null) { + throw restErrorUtil.createRESTException( + "Invalid user, please provide valid " + + "username.", + MessageEnums.INVALID_INPUT_DATA); + } else if (!loginId.equals(checkUser.getLoginId())) { + throw restErrorUtil + .createRESTException( + "The email address " + + "you've provided already exists in system.", + MessageEnums.INVALID_INPUT_DATA); + } else { + userProfile.setEmailAddress(emailAddress); + updateUser = true; + } + } else { + userProfile.setEmailAddress(emailAddress); + updateUser = true; + } + } else { + throw restErrorUtil.createRESTException( + "Please provide valid email address.", + MessageEnums.INVALID_INPUT_DATA); + } + } + + // loginId + // if (!stringUtil.isEmpty(userProfile.getLoginId()) + // && !userProfile.getLoginId().equals(gjUser.getLoginId())) { + // gjUser.setLoginId(userProfile.getLoginId()); + // updateUser = true; + // } + + // firstName + if (!stringUtil.isEmpty(userProfile.getFirstName()) + && !userProfile.getFirstName().equals(gjUser.getFirstName())) { + userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile + .getFirstName())); + updateUser = true; + } + + // lastName allowed to be empty + if (userProfile.getLastName() != null + && !userProfile.getLastName().equals(gjUser.getLastName())) { + userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile + .getLastName())); + updateUser = true; + } + + // publicScreenName + if (!stringUtil.isEmpty(userProfile.getPublicScreenName()) + && !userProfile.getPublicScreenName().equals( + gjUser.getPublicScreenName())) { + userProfile.setPublicScreenName(userProfile.getFirstName() + " " + + userProfile.getLastName()); + updateUser = true; + } + + // notes + /*if (!stringUtil.isEmpty(userProfile.getNotes()) + && !userProfile.getNotes().equalsIgnoreCase(gjUser.getNotes())) { + updateUser = true; + }*/ + + // userRoleList + updateRoles(userProfile.getId(), userProfile.getUserRoleList()); + + if (updateUser) { + + List<XXTrxLog> trxLogList = xPortalUserService.getTransactionLog( + userProfile, gjUser, "update"); + + userProfile.setPassword(gjUser.getPassword()); + userProfile = xPortalUserService.updateResource(userProfile); + sessionMgr.resetUserSessionForProfiles(ContextUtil + .getCurrentUserSession()); + + msBizUtil.createTrxLog(trxLogList); + } + + return gjUser; + } + + private boolean updateRoles(Long userId, Collection<String> rolesList) { + boolean rolesUpdated = false; + if (rolesList == null || rolesList.size() == 0) { + return false; + } + + // Let's first delete old roles + List<XXPortalUserRole> gjUserRoles = daoManager.getXXPortalUserRole().findByUserId( + userId); + + for (XXPortalUserRole gjUserRole : gjUserRoles) { + boolean found = false; + for (String userRole : rolesList) { + if (gjUserRole.getUserRole().equalsIgnoreCase(userRole)) { + found = true; + break; + } + } + if (!found) { + if (deleteUserRole(userId, gjUserRole)) { + rolesUpdated = true; + } + } + } + + // Let's add new roles + for (String userRole : rolesList) { + boolean found = false; + for (XXPortalUserRole gjUserRole : gjUserRoles) { + if (gjUserRole.getUserRole().equalsIgnoreCase(userRole)) { + found = true; + break; + } + } + if (!found) { + if (addUserRole(userId, userRole) != null) { + rolesUpdated = true; + } + } + } + return rolesUpdated; + } + + /** + * @param userId + * @param vStrings + */ + public void setUserRoles(Long userId, List<VXString> vStringRolesList) { + List<String> stringRolesList = new ArrayList<String>(); + for (VXString vXString : vStringRolesList) { + stringRolesList.add(vXString.getValue()); + } + updateRoles(userId, stringRolesList); + } + + /** + * @param pwdChange + * @return + */ + public VXResponse changePassword(VXPasswordChange pwdChange) { + // First let's get the XXPortalUser for the current logged in user + String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); + XXPortalUser gjUserCurrent = daoManager.getXXPortalUser() + .findByLoginId(currentUserLoginId); + + String encryptedOldPwd = encrypt(gjUserCurrent.getLoginId(), + pwdChange.getOldPassword()); + + VXResponse ret = new VXResponse(); + + if (!stringUtil.equals(encryptedOldPwd, gjUserCurrent.getPassword())) { + logger.info("changePassword(). Invalid old password. userId=" + + pwdChange.getId()); + + throw restErrorUtil.createRESTException( + "serverMsg.userMgrPassword", + MessageEnums.OPER_NO_PERMISSION, null, null, + "" + pwdChange.getId()); + } + + // Get the user for whom we want to change the password + XXPortalUser gjUser = daoManager.getXXPortalUser().getById( + pwdChange.getId()); + if (gjUser == null) { + logger.warn("SECURITY:changePassword(). User not found. userId=" + + pwdChange.getId()); + throw restErrorUtil.createRESTException( + "serverMsg.userMgrInvalidUser", + MessageEnums.DATA_NOT_FOUND, null, null, + "" + pwdChange.getId()); + } + + if (!stringUtil + .validatePassword( + pwdChange.getUpdPassword(), + new String[] { gjUser.getFirstName(), + gjUser.getLastName(), gjUser.getLoginId(), + gjUserCurrent.getFirstName(), + gjUserCurrent.getLastName(), + gjUserCurrent.getLoginId() })) { + logger.warn("SECURITY:changePassword(). Invalid new password. userId=" + + pwdChange.getId()); + + throw restErrorUtil.createRESTException( + "serverMsg.userMgrNewPassword", + MessageEnums.INVALID_PASSWORD, null, null, + "" + pwdChange.getId()); + } + + String encryptedNewPwd = encrypt(gjUser.getLoginId(), + pwdChange.getUpdPassword()); + + String currentPassword = gjUser.getPassword(); + + if (!encryptedNewPwd.equals(currentPassword)) { + + List<XXTrxLog> trxLogList = new ArrayList<XXTrxLog>(); + XXTrxLog xTrxLog = new XXTrxLog(); + + xTrxLog.setAttributeName("Password"); + xTrxLog.setPreviousValue(currentPassword); + xTrxLog.setNewValue(encryptedNewPwd); + xTrxLog.setAction("password change"); + xTrxLog.setObjectClassType(AppConstants.CLASS_TYPE_PASSWORD_CHANGE); + xTrxLog.setObjectId(pwdChange.getId()); + xTrxLog.setObjectName(pwdChange.getLoginId()); + trxLogList.add(xTrxLog); + + msBizUtil.createTrxLog(trxLogList); + + gjUser.setPassword(encryptedNewPwd); + gjUser = daoManager.getXXPortalUser().update(gjUser); + + ret.setMsgDesc("Password successfully updated"); + ret.setStatusCode(VXResponse.STATUS_SUCCESS); + } else { + ret.setMsgDesc("Password update failed"); + ret.setStatusCode(VXResponse.STATUS_ERROR); + throw restErrorUtil.createRESTException( + "serverMsg.userMgrOldPassword", + MessageEnums.INVALID_INPUT_DATA, gjUser.getId(), + "password", gjUser.toString()); + } + return ret; + } + + /** + * @param gjUser + * @param changeEmail + * @return + */ + public VXPortalUser changeEmailAddress(XXPortalUser gjUser, + VXPasswordChange changeEmail) { + + if (gjUser.getEmailAddress() != null) { + throw restErrorUtil.createRESTException( + "serverMsg.userMgrEmailChange", + MessageEnums.OPER_NO_PERMISSION, null, null, "" + + changeEmail); + } + + String encryptedOldPwd = encrypt(gjUser.getLoginId(), + changeEmail.getOldPassword()); + + if (!stringUtil.validateEmail(changeEmail.getEmailAddress())) { + logger.info("Invalid email address." + changeEmail); + throw restErrorUtil.createRESTException( + "serverMsg.userMgrInvalidEmail", + MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(), + "emailAddress", changeEmail.toString()); + + } + + if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) { + logger.info("changeEmailAddress(). Invalid password. changeEmail=" + + changeEmail); + + throw restErrorUtil.createRESTException( + "serverMsg.userMgrWrongPassword", + MessageEnums.OPER_NO_PERMISSION, null, null, "" + + changeEmail); + } + + // Normalize email. Make it lower case + gjUser.setEmailAddress(stringUtil.normalizeEmail(changeEmail + .getEmailAddress())); + + // loginId + gjUser.setLoginId(gjUser.getEmailAddress()); + + String saltEncodedpasswd = encrypt(gjUser.getLoginId(), + changeEmail.getOldPassword()); + + gjUser.setPassword(saltEncodedpasswd); + + daoManager.getXXPortalUser().update(gjUser); + return mapXXPortalUserVXPortalUser(gjUser); + } + + /** + * @param userId + */ + public VXPortalUser deactivateUser(XXPortalUser gjUser) { + if (gjUser != null + && gjUser.getStatus() != XAConstants.ACT_STATUS_DEACTIVATED) { + logger.info("Marking user " + gjUser.getLoginId() + " as deleted"); + gjUser.setStatus(XAConstants.ACT_STATUS_DEACTIVATED); + gjUser = daoManager.getXXPortalUser().update(gjUser); + return mapXXPortalUserVXPortalUser(gjUser); + } + return null; + } + + public VXPortalUser getUserProfile(Long id) { + XXPortalUser user = daoManager.getXXPortalUser().getById(id); + if (user != null) { + checkAccessForRead(user); + return mapXXPortalUserVXPortalUser(user); + } else { + if (logger.isDebugEnabled()) { + logger.debug("User not found. userId=" + id); + } + return null; + } + } + + public VXPortalUser getUserProfileByLoginId() { + String loginId = ContextUtil.getCurrentUserLoginId(); + return getUserProfileByLoginId(loginId); + } + + public VXPortalUser getUserProfileByLoginId(String loginId) { + XXPortalUser user = daoManager.getXXPortalUser().findByLoginId(loginId); + if (user != null) { + return mapXXPortalUserVXPortalUser(user); + } else { + if (logger.isDebugEnabled()) { + logger.debug("User not found. loginId=" + loginId); + } + return null; + } + } + + public XXPortalUser mapVXPortalUserToXXPortalUser(VXPortalUser userProfile) { + XXPortalUser gjUser = new XXPortalUser(); + gjUser.setEmailAddress(userProfile.getEmailAddress()); + gjUser.setFirstName(userProfile.getFirstName()); + gjUser.setLastName(userProfile.getLastName()); + gjUser.setLoginId(userProfile.getLoginId()); + gjUser.setPassword(userProfile.getPassword()); + gjUser.setUserSource(userProfile.getUserSource()); + gjUser.setPublicScreenName(userProfile.getPublicScreenName()); + return gjUser; + } + + /** + * @param user + * @return + */ + public VXPortalUser mapXXPortalUserToVXPortalUser(XXPortalUser user, + Collection<String> userRoleList) { + if (user == null) { + return null; + } + UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess == null) { + return null; + } + + VXPortalUser userProfile = new VXPortalUser(); + gjUserToUserProfile(user, userProfile); + if (sess.isUserAdmin() || sess.getXXPortalUser().getId().equals(user.getId())) { + if (userRoleList == null) { + userRoleList = new ArrayList<String>(); + List<XXPortalUserRole> gjUserRoleList = daoManager.getXXPortalUserRole() + .findByParentId(user.getId()); + + for (XXPortalUserRole userRole : gjUserRoleList) { + userRoleList.add(userRole.getUserRole()); + } + } + + userProfile.setUserRoleList(userRoleList); + } + userProfile.setUserSource(user.getUserSource()); + return userProfile; + } + + private void gjUserToUserProfile(XXPortalUser user, VXPortalUser userProfile) { + UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess == null) { + return; + } + + // Is accessed by peer from the same account + boolean isPeer = false; + boolean isAccountAdmin = false; + + // Admin + if (sess.isUserAdmin() || sess.getXXPortalUser().getId().equals(user.getId())) { + userProfile.setLoginId(user.getLoginId()); + userProfile.setStatus(user.getStatus()); + userProfile.setUserRoleList(new ArrayList<String>()); + String emailAddress = user.getEmailAddress(); + + if (emailAddress != null && stringUtil.validateEmail(emailAddress)) { + userProfile.setEmailAddress(user.getEmailAddress()); + } + + if (sess != null) { + userProfile.setUserSource(sess.getAuthProvider()); + } + + List<XXPortalUserRole> gjUserRoleList = daoManager.getXXPortalUserRole() + .findByParentId(user.getId()); + + for (XXPortalUserRole gjUserRole : gjUserRoleList) { + userProfile.getUserRoleList().add(gjUserRole.getUserRole()); + } + } + + if (sess.isUserAdmin() || sess.getXXPortalUser().getId().equals(user.getId()) + || isPeer) { + userProfile.setId(user.getId()); + userProfile.setFirstName(user.getFirstName()); + userProfile.setLastName(user.getLastName()); + userProfile.setPublicScreenName(user.getPublicScreenName()); + if (isAccountAdmin) { + userProfile.setEmailAddress(user.getEmailAddress()); + } + } + + } + + /** + * Translates XXPortalUser to VUserProfile. This method should be called in the + * same transaction in which the XXPortalUser was retrieved from the database + * + * @param user + * @return + */ + public VXPortalUser mapXXPortalUserVXPortalUser(XXPortalUser user) { + return mapXXPortalUserToVXPortalUser(user, null); + } + + /** + * @param emailId + * @return + */ + public XXPortalUser findByEmailAddress(String emailId) { + return daoManager.getXXPortalUser().findByEmailAddress(emailId); + } + + public XXPortalUser findByLoginId(String loginId) { + return daoManager.getXXPortalUser().findByLoginId(loginId); + } + + @Transactional(readOnly = true, propagation = Propagation.REQUIRED) + public Collection<String> getRolesForUser(XXPortalUser user) { + Collection<String> roleList = new ArrayList<String>(); + + Collection<XXPortalUserRole> roleCollection = daoManager.getXXPortalUserRole() + .findByUserId(user.getId()); + for (XXPortalUserRole role : roleCollection) { + roleList.add(role.getUserRole()); + } + return roleList; + } + + /** + * @param searchCriteria + * @return + */ + public VXPortalUserList searchUsers(SearchCriteria searchCriteria) { + + VXPortalUserList returnList = new VXPortalUserList(); + ArrayList<VXPortalUser> objectList = new ArrayList<VXPortalUser>(); + String queryStr = "SELECT u FROM XXPortalUser u "; + String countQueryStr = "SELECT COUNT(u) FROM XXPortalUser u "; + + // Get total count first + Query query = createUserSearchQuery(countQueryStr, null, searchCriteria); + Long count = (Long) query.getSingleResult(); + if (count == null || count.longValue() == 0) { + return returnList; + } + + // Get actual data + + // Add sort by + String sortBy = searchCriteria.getSortBy(); + String querySortBy = "u.loginId"; + if (!stringUtil.isEmpty(sortBy)) { + sortBy = sortBy.trim(); + if (sortBy.equalsIgnoreCase("userId")) { + querySortBy = "u.id"; + } else if (sortBy.equalsIgnoreCase("loginId")) { + querySortBy = "ua.loginId"; + } else if (sortBy.equalsIgnoreCase("emailAddress")) { + querySortBy = "u.emailAddress"; + } else if (sortBy.equalsIgnoreCase("firstName")) { + querySortBy = "u.firstName"; + } else if (sortBy.equalsIgnoreCase("lastName")) { + querySortBy = "u.lastName"; + } else { + sortBy = "loginId"; + logger.error("Invalid sortBy provided. sortBy=" + sortBy); + } + } else { + sortBy = "loginId"; + } + + // Default sort field + String sortClause = " order by " + querySortBy + " "; + + // Add sort type + String sortType = searchCriteria.getSortType(); + String querySortType = "asc"; + if (sortType != null) { + if (sortType.equalsIgnoreCase("asc") + || sortType.equalsIgnoreCase("desc")) { + querySortType = sortType; + } else { + logger.error("Invalid sortType. sortType=" + sortType); + } + } + sortClause += querySortType; + + query = createUserSearchQuery(queryStr, sortClause, searchCriteria); + + // Set start index + query.setFirstResult(searchCriteria.getStartIndex()); + + searchUtil.updateQueryPageSize(query, searchCriteria); + + @SuppressWarnings("rawtypes") + List resultList = query.getResultList(); + // Iterate over the result list and create the return list + for (Object object : resultList) { + XXPortalUser gjUser = (XXPortalUser) object; + VXPortalUser userProfile = new VXPortalUser(); + gjUserToUserProfile(gjUser, userProfile); + objectList.add(userProfile); + } + + returnList.setPageSize(query.getMaxResults()); + returnList.setSortBy(sortBy); + returnList.setSortType(querySortType); + returnList.setStartIndex(query.getFirstResult()); + returnList.setTotalCount(count.longValue()); + returnList.setVXPortalUsers(objectList); + return returnList; + } + + /** + * @param queryStr + * @param sortClause + * @param searchCriteria + * @return + */ + private Query createUserSearchQuery(String queryStr, String sortClause, + SearchCriteria searchCriteria) { + HashMap<String, Object> paramList = searchCriteria.getParamList(); + + String whereClause = "WHERE 1 = 1 "; + + // roles + @SuppressWarnings("unchecked") + List<String> roleList = (List<String>) paramList.get("roleList"); + if (roleList != null && roleList.size() > 0) { + whereClause = ", XXPortalUserRole ur WHERE u.id = ur.userId"; + if (roleList.size() == 1) { + // For only one role, let's do an equal to + whereClause += " and ur.userRole = :role"; + } else { + whereClause += " and ur.userRole in (:roleList)"; + } + } + + // userId + Long userId = (Long) paramList.get("userId"); + if (userId != null) { + whereClause += " and u.id = :userId "; + } + + // loginId + String loginId = (String) paramList.get("loginId"); + if (loginId != null) { + whereClause += " and LOWER(u.loginId) = :loginId "; + } + + // emailAddress + String emailAddress = (String) paramList.get("emailAddress"); + if (emailAddress != null) { + whereClause += " and LOWER(u.emailAddress) = :emailAddress "; + } + + // firstName + String firstName = (String) paramList.get("firstName"); + if (firstName != null) { + whereClause += " and LOWER(u.firstName) = :firstName "; + } + + // lastName + String lastName = (String) paramList.get("lastName"); + if (lastName != null) { + whereClause += " and LOWER(u.lastName) = :lastName "; + } + + // status + Integer status = null; + @SuppressWarnings("unchecked") + List<Integer> statusList = (List<Integer>) paramList.get("statusList"); + if (statusList != null && statusList.size() == 1) { + // use == condition + whereClause += " and u.status = :status"; + status = statusList.get(0); + } else if (statusList != null && statusList.size() > 1) { + // use in operator + whereClause += " and u.status in (:statusList) "; + } + + // publicScreenName + String publicScreenName = (String) paramList.get("publicScreenName"); + if (publicScreenName != null) { + whereClause += " and LOWER(u.publicScreenName) = :publicScreenName "; + } + + // familyScreenName + String familyScreenName = (String) paramList.get("familyScreenName"); + if (familyScreenName != null) { + whereClause += " and LOWER(u.familyScreenName) = :familyScreenName "; + } + + if (sortClause != null) { + whereClause += sortClause; + } + + Query query = daoManager.getEntityManager().createQuery( + queryStr + whereClause); + + if (roleList != null && roleList.size() > 0) { + if (roleList.size() == 1) { + query.setParameter("role", roleList.get(0)); + } else { + query.setParameter("roleList", roleList); + } + } + + if (status != null) { + query.setParameter("status", status); + } + if (statusList != null && statusList.size() > 1) { + query.setParameter("statusList", statusList); + } + if (emailAddress != null) { + query.setParameter("emailAddress", emailAddress.toLowerCase()); + } + + // userId + if (userId != null) { + query.setParameter("userId", userId); + } + // firstName + if (firstName != null) { + query.setParameter("firstName", firstName.toLowerCase()); + } + // lastName + if (lastName != null) { + query.setParameter("lastName", lastName.toLowerCase()); + } + + // loginId + if (loginId != null) { + query.setParameter("loginId", loginId.toLowerCase()); + } + + // publicScreenName + if (publicScreenName != null) { + query.setParameter("publicScreenName", + publicScreenName.toLowerCase()); + } + + // familyScreenName + if (familyScreenName != null) { + query.setParameter("familyScreenName", + familyScreenName.toLowerCase()); + } + + return query; + } + + public boolean deleteUserRole(Long userId, String userRole) { + List<XXPortalUserRole> roleList = daoManager.getXXPortalUserRole().findByUserId( + userId); + for (XXPortalUserRole gjUserRole : roleList) { + if (gjUserRole.getUserRole().equalsIgnoreCase(userRole)) { + return deleteUserRole(userId, gjUserRole); + } + } + return false; + } + + public boolean deleteUserRole(Long userId, XXPortalUserRole gjUserRole) { + /*if (XAConstants.ROLE_USER.equals(gjUserRole.getUserRole())) { + return false; + }*/ + boolean publicRole = false; + for (int i = 0; i < publicRoles.length; i++) { + if (publicRoles[i].equalsIgnoreCase(gjUserRole.getUserRole())) { + publicRole = true; + break; + } + } + if (!publicRole) { + UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess == null || !sess.isUserAdmin()) { + return false; + } + } + + daoManager.getXXPortalUserRole().remove(gjUserRole.getId()); + return true; + } + + public XXPortalUserRole addUserRole(Long userId, String userRole) { + List<XXPortalUserRole> roleList = daoManager.getXXPortalUserRole().findByUserId( + userId); + boolean publicRole = false; + for (int i = 0; i < publicRoles.length; i++) { + if (publicRoles[i].equalsIgnoreCase(userRole)) { + publicRole = true; + break; + } + } + if (!publicRole) { + UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess == null) { + return null; + } + // Admin + if (!sess.isUserAdmin()) { + logger.error( + "SECURITY WARNING: User trying to add non public role. userId=" + + userId + ", role=" + userRole + ", session=" + + sess.toString(), new Throwable()); + return null; + } + } + + for (XXPortalUserRole gjUserRole : roleList) { + if (userRole.equalsIgnoreCase(gjUserRole.getUserRole())) { + return gjUserRole; + } + } + XXPortalUserRole userRoleObj = new XXPortalUserRole(); + userRoleObj.setUserRole(userRole.toUpperCase()); + userRoleObj.setUserId(userId); + userRoleObj.setStatus(XAConstants.STATUS_ENABLED); + daoManager.getXXPortalUserRole().create(userRoleObj); + + // If role is not OTHER, then remove OTHER + if (!XAConstants.ROLE_OTHER.equalsIgnoreCase(userRole)) { + deleteUserRole(userId, XAConstants.ROLE_OTHER); + } + + sessionMgr.resetUserSessionForProfiles(ContextUtil + .getCurrentUserSession()); + return null; + } + + public void checkAccess(Long userId) { + XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userId); + if (gjUser == null) { + throw restErrorUtil + .create403RESTException("serverMsg.userMgrWrongUser" + + userId); + } + + checkAccess(gjUser); + } + + /** + * @param gjUser + * @return + */ + public void checkAccess(XXPortalUser gjUser) { + if (gjUser == null) { + throw restErrorUtil + .create403RESTException("serverMsg.userMgrWrongUser"); + } + UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess != null) { + + // Admin + if (sess != null && sess.isUserAdmin()) { + return; + } + + // Self + if (sess.getXXPortalUser().getId().equals(gjUser.getId())) { + return; + } + + } + throw restErrorUtil.create403RESTException("User " + + " access denied. loggedInUser=" + + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In") + + ", accessing user=" + gjUser.getId()); + + } + + public void checkAccessForRead(XXPortalUser gjUser) { + if (gjUser == null) { + throw restErrorUtil + .create403RESTException("serverMsg.userMgrWrongUser"); + } + UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess != null) { + + // Admin + if (sess != null && sess.isUserAdmin()) { + return; + } + + // Self + if (sess.getXXPortalUser().getId().equals(gjUser.getId())) { + return; + } + + } + throw restErrorUtil.create403RESTException("User " + + " access denied. loggedInUser=" + + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In") + + ", accessing user=" + gjUser.getId()); + + } + + public String encrypt(String loginId, String password) { + String saltEncodedpasswd = md5Encoder.encodePassword(password, loginId); + return saltEncodedpasswd; + } + + public VXPortalUser createUser(VXPortalUser userProfile) { + XXPortalUser xXPortalUser = this + .createUser(userProfile, XACommonEnums.STATUS_ENABLED); + return mapXXPortalUserVXPortalUser(xXPortalUser); + } + + public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile) { + if(userProfile.getPassword()==null||userProfile.getPassword().trim().isEmpty()){ + userProfile.setUserSource(XACommonEnums.USER_EXTERNAL); + } + // access control + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("User " + + "creation denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + + } + } + + XXPortalUser xXPortalUser = null; + String loginId = userProfile.getLoginId(); + String emailAddress = userProfile.getEmailAddress(); + + if (loginId != null && !loginId.isEmpty()) { + xXPortalUser = this.findByLoginId(loginId); + if (xXPortalUser == null) { + if (emailAddress != null && !emailAddress.isEmpty()) { + xXPortalUser = this.findByEmailAddress(emailAddress); + if (xXPortalUser == null) { + xXPortalUser = this.createUser(userProfile, + XACommonEnums.STATUS_ENABLED); + } else { + throw restErrorUtil + .createRESTException( + "The email address " + + emailAddress + + " you've provided already exists. Please try again with different " + + "email address.", + MessageEnums.OPER_NOT_ALLOWED_FOR_STATE); + } + } else { + String randomEmail = GUIDUtil.genGUI(); + userProfile.setEmailAddress(randomEmail); + xXPortalUser = this.createUser(userProfile, + XACommonEnums.STATUS_ENABLED); + } + } else { + /*throw restErrorUtil + .createRESTException( + "The login id " + + loginId + + " you've provided already exists. Please try again with different " + + "login id.", + MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);*/ + } + } + + return mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser); + } + + private VXPortalUser mapXXPortalUserToVXPortalUserForDefaultAccount(XXPortalUser user) { + + VXPortalUser userProfile = new VXPortalUser(); + + userProfile.setLoginId(user.getLoginId()); + userProfile.setEmailAddress(user.getEmailAddress()); + userProfile.setStatus(user.getStatus()); + userProfile.setUserRoleList(new ArrayList<String>()); + userProfile.setId(user.getId()); + userProfile.setFirstName(user.getFirstName()); + userProfile.setLastName(user.getLastName()); + userProfile.setPublicScreenName(user.getPublicScreenName()); + userProfile.setEmailAddress(user.getEmailAddress()); + + List<XXPortalUserRole> gjUserRoleList = daoManager.getXXPortalUserRole() + .findByParentId(user.getId()); + + for (XXPortalUserRole gjUserRole : gjUserRoleList) { + userProfile.getUserRoleList().add(gjUserRole.getUserRole()); + } + + return userProfile; + } + + public boolean isUserInRole(Long userId, String role) { + XXPortalUserRole xXPortalUserRole = daoManager.getXXPortalUserRole().findByRoleUserId( + userId, role); + if (xXPortalUserRole != null) { + String userRole = xXPortalUserRole.getUserRole(); + if (userRole.equalsIgnoreCase(role)) { + return true; + } + } + return false; + } + + public XXPortalUser updateUserWithPass(VXPortalUser userProfile) { + String updatedPassword = userProfile.getPassword(); + XXPortalUser xXPortalUser = this.updateUser(userProfile); + + if (updatedPassword != null && !updatedPassword.isEmpty()) { + if (!stringUtil.validatePassword(updatedPassword, + new String[] { xXPortalUser.getFirstName(), xXPortalUser.getLastName(), + xXPortalUser.getLoginId() })) { + logger.warn("SECURITY:changePassword(). Invalid new password. userId=" + + xXPortalUser.getId()); + + throw restErrorUtil.createRESTException( + "serverMsg.userMgrNewPassword", + MessageEnums.INVALID_PASSWORD, null, null, + "" + xXPortalUser.getId()); + } + + String encryptedNewPwd = encrypt(xXPortalUser.getLoginId(), + updatedPassword); + xXPortalUser.setPassword(encryptedNewPwd); + xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser); + } + return xXPortalUser; + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/UserMgrBase.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgrBase.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgrBase.java new file mode 100644 index 0000000..568da26 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgrBase.java @@ -0,0 +1,66 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.apache.ranger.biz; + +import org.apache.ranger.common.*; +import org.apache.ranger.service.*; +import org.apache.ranger.view.*; +import org.springframework.beans.factory.annotation.Autowired; +public class UserMgrBase { + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + XPortalUserService xPortalUserService; + public VXPortalUser getXPortalUser(Long id){ + return (VXPortalUser)xPortalUserService.readResource(id); + } + + public VXPortalUser createXPortalUser(VXPortalUser vXPortalUser){ + vXPortalUser = (VXPortalUser)xPortalUserService.createResource(vXPortalUser); + return vXPortalUser; + } + + public VXPortalUser updateXPortalUser(VXPortalUser vXPortalUser) { + vXPortalUser = (VXPortalUser)xPortalUserService.updateResource(vXPortalUser); + return vXPortalUser; + } + + public void deleteXPortalUser(Long id, boolean force) { + if (force) { + xPortalUserService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXPortalUserList searchXPortalUsers(SearchCriteria searchCriteria) { + return xPortalUserService.searchXPortalUsers(searchCriteria); + } + + public VXLong getXPortalUserSearchCount(SearchCriteria searchCriteria) { + return xPortalUserService.getSearchCount(searchCriteria, + xPortalUserService.searchFields); + } + +}
