/**
 * Grants the superadmin role to {@code candidateUserInfo} on behalf of {@code assigningUserInfo}.
 *
 * The candidate's current roles are read first and the grant is refused if a SUPERADMIN role is
 * already present; otherwise the repository is updated and an {@link AuthorizationChangeEvent}
 * (old role {@code null}, new role SUPERADMIN) is posted to the event log.
 *
 * NOTE(review): this method does not itself verify that {@code assigningUserInfo} is allowed to
 * grant superadmin — presumably the resource layer enforces that before calling here; confirm.
 *
 * @param candidateUserInfo user receiving the superadmin role
 * @param assigningUserInfo user performing the grant, recorded in the audit event
 * @throws IllegalArgumentException if the candidate already holds the superadmin role
 */
@Override
public void assignUserToSuperAdminRole(final UserInfo candidateUserInfo, final UserInfo assigningUserInfo) {
    LOGGER.debug("Assigning super admin role to user={} by user={} ", candidateUserInfo, assigningUserInfo);
    final UserRoleList currentRoles = getUserRoleList(candidateUserInfo.getUsername());
    LOGGER.debug("User role list {}", currentRoles);
    final boolean alreadySuperAdmin = currentRoles.getRoleList()
            .stream()
            .map(UserRole::getRole)
            .anyMatch(role -> role.equals(Role.SUPERADMIN));
    Preconditions.checkArgument(!alreadySuperAdmin, "User %s is already a superadmin", candidateUserInfo.getUsername());
    authorizationRepository.assignUserToSuperAdminRole(candidateUserInfo);
    eventLog.postEvent(new AuthorizationChangeEvent(assigningUserInfo, null, candidateUserInfo, null, Role.SUPERADMIN.toString()));
}
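/**
 * Resolves the permissions {@code username} holds on {@code applicationName} through a directly
 * assigned role row (lookup via {@code getUserRoleList} filtered by the application name).
 *
 * The original guarded "at most one row" and "role is not null" with {@code assert}; assertions
 * are disabled unless the JVM runs with {@code -ea}, so in production an ambiguous or role-less
 * row would silently feed a permission decision. Both invariants are now enforced with explicit
 * exceptions so the lookup fails closed.
 *
 * @param username        user whose role is looked up
 * @param applicationName application the role is scoped to (may be null; passed through as an
 *                        empty Optional filter)
 * @return permissions of the stored role, or {@code null} when no role row exists for the pair
 * @throws IllegalStateException if more than one row is returned or the row has no role
 */
UserPermissions getAppSpecificPermission(UserInfo.Username username, Application.Name applicationName) {
    List<com.intuit.wasabi.repository.cassandra.pojo.UserRole> rows =
            getUserRoleList(username, Optional.ofNullable(applicationName));
    if (rows.isEmpty()) {
        return null;
    }
    if (rows.size() > 1) {
        throw new IllegalStateException("More than a single row returned for user " + username
                + " and application " + applicationName);
    }
    com.intuit.wasabi.repository.cassandra.pojo.UserRole row = rows.get(0);
    if (row.getRole() == null) {
        throw new IllegalStateException("Role cannot be null for user " + username
                + " and application " + applicationName);
    }
    return UserPermissions.newInstance(applicationName, Role.toRole(row.getRole()).getRolePermissions())
            .build();
}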
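/**
 * Lists every user holding the superadmin role.
 *
 * All user_role rows are fetched and filtered in memory: a superadmin row carries the SUPERADMIN
 * role (compared case-insensitively against the stored role string) on the ALL_APPLICATIONS app
 * name. Each match is enriched with user details via {@code getRoleWithUserInfo}.
 *
 * Rows with a {@code null} role are skipped. Previously such a row threw a NullPointerException
 * and took the whole listing down — and with it {@code removeUserFromSuperAdminRole}, which relies
 * on this list. Skipping mirrors the null-role filter used by {@code getUserPermissionsList}.
 *
 * @return superadmin roles with user info attached; empty if there are none
 */
@Override
public List<UserRole> getSuperAdminRoleList() {
    LOGGER.debug("Getting super admin role list");
    List<com.intuit.wasabi.repository.cassandra.pojo.UserRole> allUserRoles = userRoleAccessor.getAllUserRoles().all();
    LOGGER.debug("Received all roles {}", allUserRoles);
    final String superAdminRole = Role.SUPERADMIN.toString();
    List<UserRole> superAdmins = allUserRoles.stream()
            .filter(userRole -> userRole.getRole() != null)
            .filter(userRole -> superAdminRole.equalsIgnoreCase(userRole.getRole().toString()))
            .filter(userRole -> ALL_APPLICATIONS.equals(userRole.getAppName()))
            .map(this::getRoleWithUserInfo)
            .collect(Collectors.toList());
    LOGGER.debug("Returning {} roles", superAdmins);
    return superAdmins;
}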
/**
 * Get permissions associated with a specific user role.
 *
 * The role path parameter is converted with {@code toRole} and the static permission set of that
 * role is returned under the "permissions" key. Any failure is logged with the offending role
 * string and rethrown unchanged. The endpoint carries no Authorization header parameter, so it
 * appears to be unauthenticated — presumably acceptable because role→permission mapping is static
 * enum data, not per-user state; confirm.
 *
 * @param role User access role
 * @return Response object
 */
@GET
@Path("/roles/{role}/permissions")
@Produces(APPLICATION_JSON)
@ApiOperation(value = "Get permissions associated with a specific user role")
@Timed
public Response getRolePermissions(
        @PathParam("role") @ApiParam(defaultValue = DEFAULT_ROLE, value = EXAMPLE_ALL_ROLES) final String role) {
    try {
        final ImmutableMap<String, Object> body = ImmutableMap.<String, Object>builder()
                .put("permissions", authorization.getPermissionsFromRole(toRole(role)))
                .build();
        return httpHeader.headers().entity(body).build();
    } catch (Exception exception) {
        LOGGER.error("getRolePermissions failed for role={} with error:", role, exception);
        throw exception;
    }
}
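/**
 * Builds the full permission list for {@code userID}.
 *
 * If the user is a superadmin (wildcard lookup via {@code getSuperAdminUserPermissions}), the
 * superadmin permission set is replicated onto every application name known to the system.
 * Otherwise each stored role row of the user is translated into a per-application permission set.
 *
 * Role strings are now resolved with {@code Role.toRole} instead of {@code Role.valueOf}: every
 * other lookup in this repository ({@code getAppSpecificPermission}, {@code getRoleWithUserInfo},
 * {@code convertAppRoleToUserRole}) uses {@code Role.toRole}, and {@code assignUserToSuperAdminRole}
 * stores the role lower-cased, which {@code Enum.valueOf} rejects with IllegalArgumentException.
 *
 * NOTE(review): unlike {@code getRoleWithUserInfo}, the non-superadmin branch does not map an
 * ALL_APPLICATIONS app name to WILDCARD; presumably such rows only exist for superadmins, which
 * are handled by the first branch — confirm.
 *
 * @param userID user whose permissions are collected
 * @return per-application permissions; empty list object if the user has no roles
 */
@Override
public UserPermissionsList getUserPermissionsList(UserInfo.Username userID) {
    UserPermissionsList userPermissionsList = new UserPermissionsList();
    Optional<UserPermissions> superAdminUserPermissions = getSuperAdminUserPermissions(userID, WILDCARD);
    if (superAdminUserPermissions.isPresent()) {
        for (String appName : getAllApplicationNameFromApplicationList()) {
            userPermissionsList.addPermissions(
                    UserPermissions.newInstance(
                            Application.Name.valueOf(appName),
                            superAdminUserPermissions.get().getPermissions()
                    ).build());
        }
    } else {
        List<com.intuit.wasabi.repository.cassandra.pojo.UserRole> roleRows = getUserRoleList(userID, Optional.empty());
        for (com.intuit.wasabi.repository.cassandra.pojo.UserRole row : roleRows) {
            if (row.getRole() == null) {
                continue;
            }
            userPermissionsList.addPermissions(
                    UserPermissions.newInstance(
                            Application.Name.valueOf(row.getAppName()),
                            Role.toRole(row.getRole()).getRolePermissions()
                    ).build());
        }
    }
    return userPermissionsList;
}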
/**
 * Returns the permission set statically attached to {@code role}.
 *
 * Pure delegation to {@link Role#getRolePermissions()}; the returned list is whatever the enum
 * hands back (not copied here).
 *
 * @param role role to expand; must not be null (dereferenced directly)
 * @return the role's permissions
 */
@Override
public List<Permission> getPermissionsFromRole(Role role) {
    final List<Permission> rolePermissions = role.getRolePermissions();
    return rolePermissions;
}
/**
 * Persists {@code candidateUser} as a superadmin in both the user_role and app_role tables.
 *
 * The row is keyed on the ALL_APPLICATIONS app name and the role is stored lower-cased; the
 * readers ({@code getSuperAdminRoleList}, {@code getSuperAdminUserPermissions}) compare the stored
 * string case-insensitively. Note {@code toLowerCase()} uses the default locale here.
 *
 * NOTE(review): the two inserts are issued one after the other rather than in a single
 * BatchStatement the way {@code setUserRole} does it; a failure between them leaves user_role
 * and app_role disagreeing about who is a superadmin. Consider batching like setUserRole.
 *
 * @param candidateUser user to record as superadmin
 */
@Override
public void assignUserToSuperAdminRole(UserInfo candidateUser) {
    LOGGER.debug("Adding user {} as superadmin", candidateUser);
    final String roleName = Role.SUPERADMIN.toString().toLowerCase();
    final String userId = candidateUser.getUsername().toString();
    userRoleAccessor.insertUserRoleBy(userId, ALL_APPLICATIONS, roleName);
    appRoleAccessor.insertAppRoleBy(ALL_APPLICATIONS, userId, roleName);
}
r -> UserRole.newInstance( Application.Name.valueOf(r.getAppName()), Role.toRole(r.getRole())
/**
 * Resolves the superadmin permission set for {@code username} on {@code applicationName}, if the
 * user is a superadmin.
 *
 * Rows come from {@code getUserRolesWithWildcardAppName}; any row whose stored role string equals
 * SUPERADMIN (case-insensitive) qualifies. The result always carries the permissions of
 * {@link Role#SUPERADMIN} scoped to the application that was asked about, not to the row's own
 * app name.
 *
 * @param username        user to check
 * @param applicationName application the returned permissions are scoped to
 * @return superadmin permissions for the application, or empty when no superadmin row exists
 */
Optional<UserPermissions> getSuperAdminUserPermissions(@Nonnull UserInfo.Username username, @Nonnull Application.Name applicationName) {
    List<com.intuit.wasabi.repository.cassandra.pojo.UserRole> candidateRows =
            getUserRolesWithWildcardAppName(username, applicationName);
    final boolean hasSuperAdminRow = candidateRows.stream()
            .anyMatch(row -> SUPERADMIN.equalsIgnoreCase(row.getRole()));
    if (!hasSuperAdminRow) {
        return Optional.empty();
    }
    return Optional.of(UserPermissions.newInstance(applicationName, Role.SUPERADMIN.getRolePermissions()).build());
}
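/**
 * Revokes the superadmin role from {@code candidateUserInfo} on behalf of {@code assigningUserInfo}.
 *
 * Two checks guard the revocation: the candidate must currently be a superadmin, and at least one
 * other superadmin must remain afterwards so the system is never left without one. The candidate
 * check now runs first, so a request for a non-superadmin is reported as such instead of as a
 * count problem; the count message previously read "SuperAdmins less than 1", which described the
 * wrong condition (the check rejects removing the last one).
 *
 * NOTE(review): the count check and the repository delete are not atomic; two concurrent removals
 * of the last two superadmins could both pass the check. Acceptable only if such calls are
 * serialized elsewhere — confirm.
 *
 * @param candidateUserInfo user losing the superadmin role
 * @param assigningUserInfo user performing the revocation, recorded in the audit event
 * @throws IllegalArgumentException if the candidate is not a superadmin or is the last one
 */
@Override
public void removeUserFromSuperAdminRole(final UserInfo candidateUserInfo, final UserInfo assigningUserInfo) {
    LOGGER.debug("Removing user={} from superadmin by assigningUser={}", candidateUserInfo, assigningUserInfo);
    List<UserRole> allSuperAdmins = getSuperAdminRoleList();
    LOGGER.debug("Current superadmins {}", allSuperAdmins);
    final UserInfo.Username candidate = candidateUserInfo.getUsername();
    final boolean isSuperAdmin = allSuperAdmins.stream()
            .anyMatch(ur -> ur.getRole().equals(Role.SUPERADMIN) && ur.getUserID().equals(candidate));
    Preconditions.checkArgument(isSuperAdmin, "User %s is not a superadmin", candidate);
    Preconditions.checkArgument(allSuperAdmins.size() > 1,
            "Cannot remove user %s: at least one superadmin must remain", candidate);
    authorizationRepository.removeUserFromSuperAdminRole(candidateUserInfo);
    eventLog.postEvent(new AuthorizationChangeEvent(assigningUserInfo, null, candidateUserInfo, Role.SUPERADMIN.toString(), null));
}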
/**
 * Applies each role assignment in {@code userRoleList} on behalf of the caller identified by the
 * Authorization header.
 *
 * For every entry the caller must hold ADMIN on that entry's application; an entry whose check (or
 * assignment) raises {@link AuthenticationException} is reported as FAILED / "Not Authorized" and
 * processing continues with the next entry.
 *
 * NOTE(review): only AuthenticationException is caught — any other failure from setUserRole aborts
 * the loop and the entries already applied are not reported back. Nothing here rejects a request
 * carrying the SUPERADMIN role or a wildcard application name; confirm checkUserPermissions /
 * setUserRole enforce that.
 *
 * @param userRoleList        role assignments to apply
 * @param authorizationHeader raw Authorization header identifying the caller
 * @return one status map per requested assignment, in request order
 */
private List<Map> updateUserRole(
        @ApiParam(required = true) UserRoleList userRoleList,
        @HeaderParam(AUTHORIZATION) @ApiParam(value = EXAMPLE_AUTHORIZATION_HEADER, required = true) String authorizationHeader) {
    final Username subject = authorization.getUser(authorizationHeader);
    final UserInfo admin = authorization.getUserInfo(subject);
    final List<Map> status = newArrayList();
    for (UserRole userRole : userRoleList.getRoleList()) {
        Map entryStatus;
        try {
            authorization.checkUserPermissions(subject, userRole.getApplicationName(), ADMIN);
            entryStatus = authorization.setUserRole(userRole, admin);
        } catch (AuthenticationException e) {
            LOGGER.error("Unable to check user permissions", e);
            entryStatus = ImmutableMap.<String, String>builder()
                    .put("applicationName", userRole.getApplicationName().toString())
                    .put("userID", userRole.getUserID().toString())
                    .put("role", userRole.getRole().toString())
                    .put("roleAssignmentStatus", "FAILED")
                    .put("reason", "Not Authorized")
                    .build();
        }
        status.add(entryStatus);
    }
    return status;
}
/**
 * Converts a stored user_role row into the API {@link UserRole}, attaching user details when known.
 *
 * The ALL_APPLICATIONS sentinel app name is mapped to WILDCARD; any other app name is taken
 * verbatim. If {@code getUserInfo} knows the user, first name, last name and email are filled in;
 * otherwise the role is returned with only the user id.
 *
 * @param userRole stored row (role string resolved via {@code Role.toRole})
 * @return API role, with user details when available
 */
private UserRole getRoleWithUserInfo(com.intuit.wasabi.repository.cassandra.pojo.UserRole userRole) {
    LOGGER.debug("Getting user info for user role={}", userRole);
    final String storedAppName = userRole.getAppName();
    final Application.Name appName = storedAppName.equals(ALL_APPLICATIONS)
            ? WILDCARD
            : Application.Name.valueOf(storedAppName);
    final UserInfo.Username userId = UserInfo.Username.valueOf(userRole.getUserId());
    final Role role = Role.toRole(userRole.getRole());
    final UserInfo userInfo = getUserInfo(userId);
    final UserRole roleWithUserInfo;
    if (!nonNull(userInfo)) {
        roleWithUserInfo = UserRole.newInstance(appName, role)
                .withUserID(userId)
                .build();
    } else {
        roleWithUserInfo = UserRole.newInstance(appName, role)
                .withUserID(userId)
                .withFirstName(userInfo.getFirstName())
                .withLastName(userInfo.getLastName())
                .withUserEmail(userInfo.getEmail())
                .build();
    }
    LOGGER.debug("Role with user info for user role={} is {}", userRole, roleWithUserInfo);
    return roleWithUserInfo;
}
/**
 * Returns the superadmin permission set for {@code userID} on {@code applicationName}, or
 * {@code null} if the user is not a superadmin.
 *
 * Same lookup as {@code getSuperAdminUserPermissions} — rows from
 * {@code getUserRolesWithWildcardAppName}, any SUPERADMIN role string (case-insensitive)
 * qualifies — but with a nullable return instead of an Optional.
 *
 * @param userID          user to check
 * @param applicationName application the returned permissions are scoped to
 * @return superadmin permissions for the application, or {@code null}
 */
@Override
public UserPermissions checkSuperAdminPermissions(UserInfo.Username userID, Application.Name applicationName) {
    List<com.intuit.wasabi.repository.cassandra.pojo.UserRole> candidateRows =
            getUserRolesWithWildcardAppName(userID, applicationName);
    final boolean isSuperAdmin = candidateRows.stream()
            .anyMatch(row -> SUPERADMIN.equalsIgnoreCase(row.getRole()));
    if (!isSuperAdmin) {
        return null;
    }
    return UserPermissions.newInstance(applicationName, Role.SUPERADMIN.getRolePermissions()).build();
}
//UserRole related operations
status.put("applicationName", userRole.getApplicationName().toString()); status.put("userID", userRole.getUserID().toString()); status.put("role", userRole.getRole().toString()); oldRole == null || "superadmin".equalsIgnoreCase(oldRole.toString()) ? null : oldRole.toString(), userRole.getRole().toString())); } catch (RepositoryException e) { LOGGER.info("RepoitoryException for setting user Role in DefaultAuthorization ", e);
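/**
 * Converts a stored app_role row into the API {@link UserRole}, attaching user details when known.
 *
 * User details are taken from {@code getUserInfo}, falling back to {@code lookupUser}. If neither
 * yields a user, the role is returned with only the user id — previously a {@code null} from
 * {@code lookupUser} was dereferenced and threw NullPointerException, which is the opposite of how
 * {@code getRoleWithUserInfo} treats an unknown user.
 *
 * @param applicationName application the role belongs to
 * @param appRole         stored row (role string resolved via {@code Role.toRole})
 * @return API role, with email and name when the user could be found
 */
UserRole convertAppRoleToUserRole(Application.Name applicationName, AppRole appRole) {
    Role role = Role.toRole(appRole.getRole());
    UserInfo.Username userID = UserInfo.Username.valueOf(appRole.getUserId());
    UserInfo userInfo = getUserInfo(userID);
    if (userInfo == null) {
        userInfo = lookupUser(userID);
    }
    if (userInfo == null) {
        // Neither lookup knew the user; keep the role rather than failing the whole conversion.
        return UserRole.newInstance(applicationName, role)
                .withUserID(userID)
                .build();
    }
    return UserRole.newInstance(applicationName, role)
            .withUserID(userID)
            .withUserEmail(userInfo.getEmail())
            .withFirstName(userInfo.getFirstName())
            .withLastName(userInfo.getLastName())
            .build();
}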
/**
 * Persists {@code userRole} in both the user_role and app_role tables.
 *
 * Both inserts are added to a single BatchStatement and executed together, presumably so the two
 * tables are updated as one unit rather than one at a time. The role is stored as
 * {@code userRole.getRole().toString()} — note {@code assignUserToSuperAdminRole} stores its role
 * lower-cased, so readers must compare case-insensitively.
 *
 * @param userRole role assignment to persist (user id, application name and role)
 */
@Override
public void setUserRole(UserRole userRole) {
    final String userId = userRole.getUserID().toString();
    final String appName = userRole.getApplicationName().toString();
    final String roleName = userRole.getRole().toString();
    final BatchStatement batch = new BatchStatement();
    batch.add(userRoleAccessor.insertUserRoleStatement(userId, appName, roleName));
    batch.add(appRoleAccessor.insertAppRoleStatement(appName, userId, roleName));
    manager.getSession().execute(batch);
}