1
2
3
4
5
6
7 package gov.bnl.gums.admin;
8
9 import gov.bnl.gums.*;
10 import gov.bnl.gums.account.AccountMapper;
11 import gov.bnl.gums.account.AccountPoolMapper;
12 import gov.bnl.gums.account.ManualAccountMapper;
13 import gov.bnl.gums.configuration.Configuration;
14 import gov.bnl.gums.configuration.FileConfigurationStore;
15 import gov.bnl.gums.configuration.Version;
16 import gov.bnl.gums.userGroup.ManualUserGroup;
17 import gov.bnl.gums.userGroup.UserGroup;
18
19 import java.util.Collection;
20 import java.util.Iterator;
21 import java.util.Map;
22
23 import org.apache.commons.digester.Digester;
24 import org.apache.commons.logging.Log;
25 import org.apache.commons.logging.LogFactory;
26
27 import gov.bnl.gums.db.AccountPoolMapperDB;
28 import gov.bnl.gums.db.ManualAccountMapperDB;
29 import gov.bnl.gums.db.ManualUserGroupDB;
30
31 import gov.bnl.gums.persistence.PersistenceFactory;
32
33
34
35
36
37
38 public class GUMSAPIImpl implements GUMSAPI {
39 static private GUMS gums;
40 private Log log = LogFactory.getLog(GUMSAPI.class);
41 private Log gumsResourceAdminLog = LogFactory.getLog(GUMS.resourceAdminLog);
42 private Log siteLog = LogFactory.getLog(GUMS.siteAdminLog);
43 private boolean isInWeb = false;
44 private String version = null;
45
46 {
47 try {
48 Class.forName("javax.servlet.Filter");
49 isInWeb = true;
50 } catch (ClassNotFoundException e) {
51 isInWeb = false;
52 }
53 }
54
55 public void addAccountRange2(String accountPoolMapperName, String range) {
56 if (hasWriteAccess(currentUser())) {
57 String firstAccount = range.substring(0, range.indexOf('-'));
58 String lastAccountN = range.substring(range.indexOf('-') + 1);
59 String firstAccountN = firstAccount.substring(firstAccount.length() - lastAccountN.length());
60 String accountBase = firstAccount.substring(0, firstAccount.length() - lastAccountN.length());
61 int nFirstAccount = Integer.parseInt(firstAccountN);
62 int nLastAccount = Integer.parseInt(lastAccountN);
63
64 StringBuffer last = new StringBuffer(firstAccount);
65 String nLastAccountString = Integer.toString(nLastAccount);
66 last.replace(firstAccount.length() - nLastAccountString.length(), firstAccount.length(), nLastAccountString);
67
68 StringBuffer buf = new StringBuffer(firstAccount);
69 int len = firstAccount.length();
70 Map reverseMap = getAccountPoolMapperDB(accountPoolMapperName).retrieveReverseAccountMap();
71 for (int account = nFirstAccount; account <= nLastAccount; account++) {
72 String nAccount = Integer.toString(account);
73 buf.replace(len - nAccount.length(), len, nAccount);
74 if (reverseMap.get(buf.toString())!=null)
75 throw new RuntimeException("One or more accounts already exist. None were added.");
76 }
77 buf = new StringBuffer(firstAccount);
78 for (int account = nFirstAccount; account <= nLastAccount; account++) {
79 String nAccount = Integer.toString(account);
80 buf.replace(len - nAccount.length(), len, nAccount);
81 getAccountPoolMapperDB(accountPoolMapperName).addAccount(buf.toString());
82 }
83 }
84 else {
85 gumsResourceAdminLog.info(logUserAccess() + "Failed to add account range because user doesn't have administrative access");
86 siteLog.info(logUserAccess() + "Failed to add account range because user doesn't have administrative access");
87 throw new AuthorizationDeniedException();
88 }
89 }
90
91 public void backupConfiguration() {
92 if (hasWriteAccess(currentUser()))
93 gums().setConfiguration(gums().getConfiguration(), true);
94 else {
95 gumsResourceAdminLog.info(logUserAccess() + "Failed to backup configuration because user doesn't have administrative access");
96 siteLog.info(logUserAccess() + "Failed to backup configuration because user doesn't have administrative access");
97 throw new AuthorizationDeniedException();
98 }
99 }
100
101 public void deleteBackupConfiguration(String dateStr) {
102 if (hasWriteAccess(currentUser()))
103 gums().deleteBackupConfiguration(dateStr);
104 else {
105 gumsResourceAdminLog.info(logUserAccess() + "Failed to delete configuration because user doesn't have administrative access");
106 siteLog.info(logUserAccess() + "Failed to delete configuration because user doesn't have administrative access");
107 throw new AuthorizationDeniedException();
108 }
109 }
110
111 public String generateFqanMapfile(String hostname) {
112 try {
113 if (hasReadAllAccess(currentUser(), hostname)) {
114 String map = gums().getResourceManager().generateFqanMapfile(hostname);
115 gumsResourceAdminLog.info(logUserAccess() + "Generated fqan mapfile for host '" + hostname + "': " + map);
116 return map;
117 } else {
118 throw new AuthorizationDeniedException();
119 }
120 } catch (AuthorizationDeniedException e) {
121 gumsResourceAdminLog.info(logUserAccess() + "Failed to generate fqan mapfile for host '" + hostname + "' - " + e.getMessage());
122 siteLog.info(logUserAccess() + "Unauthorized access to generate fqan mapfile for host '" + hostname + "'");
123 throw e;
124 } catch (RuntimeException e) {
125 gumsResourceAdminLog.error(logUserAccess() + "Failed to generate fqanmapfile for host '" + hostname + "' - " + e.getMessage());
126 throw e;
127 }
128 }
129
130 public String generateGrid3UserVoMap(String hostname) {
131 return generateOsgUserVoMap(hostname);
132 }
133
134 public String generateGridMapfile(String hostname) {
135 try {
136 if (hasReadAllAccess(currentUser(), hostname)) {
137 String map = gums().getResourceManager().generateGridMapfile(hostname, false);
138 gumsResourceAdminLog.info(logUserAccess() + "Generated grid mapfile for host '" + hostname + "': " + map);
139 return map;
140 } else {
141 throw new AuthorizationDeniedException();
142 }
143 } catch (AuthorizationDeniedException e) {
144 gumsResourceAdminLog.info(logUserAccess() + "Failed to generate grid mapfile for host '" + hostname + "' - " + e.getMessage());
145 siteLog.info(logUserAccess() + "Unauthorized access to generate grid mapfile for host '" + hostname + "'");
146 throw e;
147 } catch (RuntimeException e) {
148 gumsResourceAdminLog.error(logUserAccess() + "Failed to generate grid mapfile for host '" + hostname + "' - " + e.getMessage());
149 throw e;
150 }
151 }
152
153 public String generateOsgUserVoMap(String hostname) {
154 try {
155 if (hasReadAllAccess(currentUser(), hostname)) {
156 String map = gums().getResourceManager().generateOsgUserVoMap(hostname);
157 gumsResourceAdminLog.info(logUserAccess() + "Generated grid3 vo-user map for host '" + hostname + "': " + map);
158 return map;
159 } else {
160 throw new AuthorizationDeniedException();
161 }
162 } catch (AuthorizationDeniedException e) {
163 gumsResourceAdminLog.info(logUserAccess() + "Failed to generate grid3 vo-user map for host '" + hostname + "' - " + e.getMessage());
164 siteLog.info(logUserAccess() + "Unauthorized access to generate grid3 vo-user map for host '" + hostname + "'");
165 throw e;
166 } catch (RuntimeException e) {
167 gumsResourceAdminLog.error(logUserAccess() + "Failed to generate grid3 vo-user map for host '" + hostname + "' - " + e.getMessage());
168 throw e;
169 }
170 }
171
172 public String generateVoGridMapfile(String hostname) {
173 try {
174 if (hasReadAllAccess(currentUser(), hostname)) {
175 String map = gums().getResourceManager().generateGridMapfile(hostname, true);
176 gumsResourceAdminLog.info(logUserAccess() + "Generated mapfile for host '" + hostname + "': " + map);
177 return map;
178 } else {
179 throw new AuthorizationDeniedException();
180 }
181 } catch (AuthorizationDeniedException e) {
182 gumsResourceAdminLog.info(logUserAccess() + "Failed to generate mapfile for host '" + hostname + "' - " + e.getMessage());
183 siteLog.info(logUserAccess() + "Unauthorized access to generate mapfile for host '" + hostname + "'");
184 throw e;
185 } catch (RuntimeException e) {
186 gumsResourceAdminLog.error(logUserAccess() + "Failed to generate mapfile for host '" + hostname + "' - " + e.getMessage());
187 throw e;
188 }
189 }
190
191 public Collection getBackupConfigDates() {
192 Collection backupConfigDates = null;
193 if (hasReadAllAccess(currentUser(), null))
194 backupConfigDates = gums().getBackupConfigDates();
195 else {
196 gumsResourceAdminLog.info(logUserAccess() + "Failed to get backup config dates because user doesn't have administrative access");
197 siteLog.info(logUserAccess() + "Failed to get backup config dates because user doesn't have administrative access");
198 throw new AuthorizationDeniedException();
199 }
200 return backupConfigDates;
201 }
202
203 public Configuration getConfiguration() {
204 if (hasReadAllAccess(currentUser(), null) && isInWeb)
205 return gums().getConfiguration();
206 else {
207 gumsResourceAdminLog.info(logUserAccess() + "Failed to get configuration because user doesn't have administrative access");
208 siteLog.info(logUserAccess() + "Failed to get configuration because user doesn't have administrative access");
209 throw new AuthorizationDeniedException();
210 }
211 }
212
213 public String getPoolAccountAssignments(String accountPoolMapperName) {
214 if (hasReadAllAccess(currentUser(), null)) {
215 if (gums().getConfiguration().getAccountMapper(accountPoolMapperName) instanceof AccountPoolMapper)
216 return ((AccountPoolMapper)gums().getConfiguration().getAccountMapper(accountPoolMapperName)).getAssignments();
217 else
218 return "";
219 }
220 else {
221 gumsResourceAdminLog.info(logUserAccess() + "Failed to get pool account assignments because user doesn't have administrative access");
222 siteLog.info(logUserAccess() + "Failed to get pool account assignments because user doesn't have administrative access");
223 throw new AuthorizationDeniedException();
224 }
225 }
226
227 public String getVersion() {
228 if (version==null) {
229 String pomFile = CertCache.getMetaDir()+"/maven/gums/gums-service/pom.xml";
230 Digester digester = new Digester();
231 digester.addObjectCreate("project/version", Version.class);
232 digester.addCallMethod("project/version","setVersion",0);
233 log.trace("Loading GUMS version from pom file '" + pomFile + "'");
234 Version versionCls = null;
235 try {
236 versionCls = (Version)digester.parse("file://"+pomFile);
237 } catch (Exception e) {
238 gumsResourceAdminLog.error("Cannot get version from "+pomFile);
239 log.error("Cannot get version from "+pomFile, e);
240 }
241 if (versionCls == null)
242 return "?";
243 else
244 log.trace("GUMS version " + versionCls.getVersion() );
245 version = versionCls.getVersion();
246 }
247 return version;
248 }
249
250 public void manualGroupAdd2(String manualUserGroupName, String userDN) {
251 try {
252 if (hasWriteAccess(currentUser())) {
253 getManualUserGroupDB(manualUserGroupName).addMember(new GridUser(userDN, null));
254 gumsResourceAdminLog.info(logUserAccess() + "Added to group '" + manualUserGroupName + "' user '" + userDN + "'");
255 siteLog.info(logUserAccess() + "Added to group '" + manualUserGroupName + "' user '" + userDN + "'");
256 } else {
257 throw new AuthorizationDeniedException();
258 }
259 } catch (AuthorizationDeniedException e) {
260 gumsResourceAdminLog.info(logUserAccess() + "Failed to add to group '" + manualUserGroupName + "' user '" + userDN + "' - " + e.getMessage());
261 siteLog.info(logUserAccess() + "Unauthorized access to add to group '" + manualUserGroupName + "' user '" + userDN + "'");
262 throw e;
263 } catch (RuntimeException e) {
264 gumsResourceAdminLog.error(logUserAccess() + "Failed to add to group '" + manualUserGroupName + "' user '" + userDN + "' - " + e.getMessage());
265 siteLog.info(logUserAccess() + "Failed to add to group '" + manualUserGroupName + "' user '" + userDN + "' - " + e.getMessage());
266 throw e;
267 }
268 }
269
270 public void manualGroupRemove2(String manualUserGroupName, String userDN) {
271 try {
272 if (hasWriteAccess(currentUser())) {
273 getManualUserGroupDB(manualUserGroupName).removeMember(new GridUser(userDN, null));
274 gumsResourceAdminLog.info(logUserAccess() + "Removed from group '" + manualUserGroupName + "' user '" + userDN + "'");
275 siteLog.info(logUserAccess() + "Removed from group '" + manualUserGroupName + "' user '" + userDN + "'");
276 } else {
277 throw new AuthorizationDeniedException();
278 }
279 } catch (AuthorizationDeniedException e) {
280 gumsResourceAdminLog.info(logUserAccess() + "Failed to remove from group '" + manualUserGroupName + "' user '" + userDN + "' - " + e.getMessage());
281 siteLog.info(logUserAccess() + "Unauthorized access to remove from group '" + manualUserGroupName + "' user '" + userDN + "'");
282 throw e;
283 } catch (RuntimeException e) {
284 gumsResourceAdminLog.error(logUserAccess() + "Failed to remove from group '" + manualUserGroupName + "' user '" + userDN + "' - " + e.getMessage());
285 siteLog.info(logUserAccess() + "Failed to remove from group '" + manualUserGroupName + "' user '" + userDN + "' - " + e.getMessage());
286 throw e;
287 }
288 }
289
290 public void manualMappingAdd2(String manualAccountMapperName, String userDN, String account) {
291 try {
292 if (hasWriteAccess(currentUser())) {
293 getManualAccountMapperDB(manualAccountMapperName).createMapping(userDN, account);
294 gumsResourceAdminLog.info(logUserAccess() + "Added mapping to account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' to account '" + account + "'");
295 siteLog.info(logUserAccess() + "Added mapping to account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' to account '" + account + "'");
296 } else {
297 throw new AuthorizationDeniedException();
298 }
299 } catch (AuthorizationDeniedException e) {
300 gumsResourceAdminLog.info(logUserAccess() + "Failed to add mapping to account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' to account '" + account + "' - " + e.getMessage());
301 siteLog.info(logUserAccess() + "Unauthorized access to add mapping to account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' to account '" + account + "'");
302 throw e;
303 } catch (RuntimeException e) {
304 gumsResourceAdminLog.error(logUserAccess() + "Failed to add mapping to account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' to account '" + account + "' - " + e.getMessage());
305 siteLog.info(logUserAccess() + "Failed to add mapping to persistence account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' to account '" + account + "' - " + e.getMessage());
306 throw e;
307 }
308 }
309
310 public void manualMappingRemove2(String manualAccountMapperName, String userDN) {
311 try {
312 if (hasWriteAccess(currentUser())) {
313 getManualAccountMapperDB(manualAccountMapperName).removeMapping(userDN);
314 gumsResourceAdminLog.info(logUserAccess() + "Removed mapping from account mapper '" + manualAccountMapperName + "' for user '" + userDN + "'");
315 siteLog.info(logUserAccess() + "Removed mapping from account mapper '" + manualAccountMapperName + "' for user '" + userDN + "'");
316 } else {
317 throw new AuthorizationDeniedException();
318 }
319 } catch (AuthorizationDeniedException e) {
320 gumsResourceAdminLog.info(logUserAccess() + "Failed to remove mapping from account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' - " + e.getMessage());
321 siteLog.info(logUserAccess() + "Unauthorized access to remove mapping from account mapper '" + manualAccountMapperName + "' for user '" + userDN + "'");
322 throw e;
323 } catch (RuntimeException e) {
324 gumsResourceAdminLog.error(logUserAccess() + "Failed to remove mapping from account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' - " + e.getMessage());
325 siteLog.info(logUserAccess() + "Failed to remove mapping from persistence account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' - " + e.getMessage());
326 throw e;
327 }
328 }
329
330 public String mapAccount(String accountName) {
331 try {
332 if (hasReadAllAccess(currentUser(), null)) {
333 String DNs = gums().getResourceManager().mapAccount(accountName);
334 gumsResourceAdminLog.info(logUserAccess() + "Mapped the account '" + accountName + "' to '" + DNs + "'");
335 return DNs;
336 } else {
337 throw new AuthorizationDeniedException();
338 }
339 } catch (AuthorizationDeniedException e) {
340 gumsResourceAdminLog.info(logUserAccess() + "Failed to map the account '" + accountName + "' - " + e.getMessage());
341 siteLog.info(logUserAccess() + "Unauthorized access to map the account '" + accountName + "'");
342 throw e;
343 } catch (RuntimeException e) {
344 gumsResourceAdminLog.error(logUserAccess() + "Failed to map the account '" + accountName + "' - " + e.getMessage());
345 throw e;
346 }
347 }
348
349 public String mapUser(String hostname, String userDN, String fqan) {
350 try {
351 if ( (hasReadSelfAccess(currentUser()) && currentUser().compareDn(userDN)==0) || hasReadAllAccess(currentUser(), hostname)) {
352 String account = gums().getResourceManager().map(hostname, new GridUser(userDN, fqan));
353 gumsResourceAdminLog.info(logUserAccess() + "Mapped on host '" + hostname + "' the user '" + userDN + "' / '" + fqan + "' to '" + account + "'");
354 return account;
355 } else {
356 throw new AuthorizationDeniedException();
357 }
358 } catch (AuthorizationDeniedException e) {
359 gumsResourceAdminLog.info(logUserAccess() + "Failed to map on host '" + hostname + "' the user '" + userDN + "' / '" + fqan + "' - " + e.getMessage());
360 siteLog.info(logUserAccess() + "Unauthorized access to map on host '" + hostname + "' the user '" + userDN + "' / '" + fqan + "'");
361 throw e;
362 } catch (RuntimeException e) {
363 gumsResourceAdminLog.error(logUserAccess() + "Failed to map on host '" + hostname + "' the user '" + userDN + "' / '" + fqan + "' - " + e.getMessage());
364 throw e;
365 }
366 }
367
368 public void removeAccountRange(String accountPoolMapperName, String range) {
369 if (hasWriteAccess(currentUser())) {
370 String firstAccount = range.substring(0, range.indexOf('-'));
371 String lastAccountN = range.substring(range.indexOf('-') + 1);
372 String firstAccountN = firstAccount.substring(firstAccount.length() - lastAccountN.length());
373 String accountBase = firstAccount.substring(0, firstAccount.length() - lastAccountN.length());
374 int nFirstAccount = Integer.parseInt(firstAccountN);
375 int nLastAccount = Integer.parseInt(lastAccountN);
376
377 StringBuffer last = new StringBuffer(firstAccount);
378 String nLastAccountString = Integer.toString(nLastAccount);
379 last.replace(firstAccount.length() - nLastAccountString.length(), firstAccount.length(), nLastAccountString);
380
381 StringBuffer buf = new StringBuffer(firstAccount);
382 int len = firstAccount.length();
383 for (int account = nFirstAccount; account <= nLastAccount; account++) {
384 String nAccount = Integer.toString(account);
385 buf.replace(len - nAccount.length(), len, nAccount);
386 getAccountPoolMapperDB(accountPoolMapperName).removeAccount(buf.toString());
387 }
388 }
389 else {
390 gumsResourceAdminLog.info(logUserAccess() + "Failed to remove account range because user doesn't have administrative access");
391 siteLog.info(logUserAccess() + "Failed to remove account range because user doesn't have administrative access");
392 throw new AuthorizationDeniedException();
393 }
394 }
395
396 public void restoreConfiguration(String dateStr) throws Exception {
397 if (hasWriteAccess(currentUser()))
398 gums().restoreConfiguration(dateStr);
399 else {
400 gumsResourceAdminLog.info(logUserAccess() + "Failed to set configuration because user doesn't have administrative access");
401 siteLog.info(logUserAccess() + "Failed to set configuration because user doesn't have administrative access");
402 throw new AuthorizationDeniedException();
403 }
404 }
405
406 public void setConfiguration(Configuration configuration) throws Exception {
407 if (hasWriteAccess(currentUser()))
408 gums().setConfiguration(configuration, false);
409 else {
410 gumsResourceAdminLog.info(logUserAccess() + "Failed to set configuration because user doesn't have administrative access");
411 siteLog.info(logUserAccess() + "Failed to set configuration because user doesn't have administrative access");
412 throw new AuthorizationDeniedException();
413 }
414 }
415
416 public void unassignAccountRange(String accountPoolMapperName, String range) {
417 if (hasWriteAccess(currentUser())) {
418 String firstAccount = range.substring(0, range.indexOf('-'));
419 String lastAccountN = range.substring(range.indexOf('-') + 1);
420 String firstAccountN = firstAccount.substring(firstAccount.length() - lastAccountN.length());
421 String accountBase = firstAccount.substring(0, firstAccount.length() - lastAccountN.length());
422 int nFirstAccount = Integer.parseInt(firstAccountN);
423 int nLastAccount = Integer.parseInt(lastAccountN);
424
425 StringBuffer last = new StringBuffer(firstAccount);
426 String nLastAccountString = Integer.toString(nLastAccount);
427 last.replace(firstAccount.length() - nLastAccountString.length(), firstAccount.length(), nLastAccountString);
428
429 StringBuffer buf = new StringBuffer(firstAccount);
430 int len = firstAccount.length();
431 for (int account = nFirstAccount; account <= nLastAccount; account++) {
432 String nAccount = Integer.toString(account);
433 buf.replace(len - nAccount.length(), len, nAccount);
434 getAccountPoolMapperDB(accountPoolMapperName).unassignAccount(buf.toString());
435 }
436
437 gumsResourceAdminLog.info(logUserAccess() + "Unassigned accounts from account mapper '" + accountPoolMapperName + "'");
438 siteLog.info(logUserAccess() + "Unassigned accounts from account mapper '" + accountPoolMapperName + "'");
439 }
440 else {
441 gumsResourceAdminLog.info(logUserAccess() + "Failed to unassign accounts because user doesn't have administrative access");
442 siteLog.info(logUserAccess() + "Failed to unassign accounts because user doesn't have administrative access");
443 throw new AuthorizationDeniedException();
444 }
445 }
446
447 public void updateGroups() {
448 try {
449 if (hasWriteAccess(currentUser())) {
450 gums().getResourceManager().updateGroups();
451 gumsResourceAdminLog.info(logUserAccess() + "Groups updated");
452 siteLog.info(logUserAccess() + "Groups updated");
453 } else {
454 throw new AuthorizationDeniedException();
455 }
456 } catch (AuthorizationDeniedException e) {
457 gumsResourceAdminLog.info(logUserAccess() + "Failed to update all groups - " + e.getMessage());
458 siteLog.info(logUserAccess() + "Unauthorized access to update all groups");
459 throw e;
460 } catch (RuntimeException e) {
461 gumsResourceAdminLog.error(logUserAccess() + "Failed to update all groups - " + e.getMessage());
462 siteLog.info(logUserAccess() + "Failed to update all groups - " + e.getMessage());
463 throw e;
464 }
465 }
466
467 public String getCurrentDn() {
468 try {
469 return currentUser().getCertificateDN();
470 }
471 catch(Exception e) {
472 return "UNKNOWN";
473 }
474 }
475
476
477
478 public void manualGroupAdd(String persistanceFactory, String group, String userDN) {
479 try {
480 if (hasWriteAccess(currentUser())) {
481 Collection userGroups = gums().getConfiguration().getUserGroups().values();
482 Iterator it = userGroups.iterator();
483 boolean found = false;
484 while (it.hasNext()) {
485 UserGroup userGroup = (UserGroup)it.next();
486 if (userGroup instanceof ManualUserGroup) {
487 if (((ManualUserGroup)userGroup).getName().equals(group))
488 found = true;
489 }
490 }
491 if (!found)
492 throw new RuntimeException("No manual user group named " + group);
493
494 PersistenceFactory factory = (PersistenceFactory) gums().getConfiguration().getPersistenceFactories().get(persistanceFactory);
495 ManualUserGroupDB db = factory.retrieveManualUserGroupDB(group);
496 db.addMember(new GridUser(userDN, null));
497 gumsResourceAdminLog.info(logUserAccess() + "Added to persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'");
498 siteLog.info(logUserAccess() + "Added to persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'");
499 } else {
500 throw new AuthorizationDeniedException();
501 }
502 } catch (AuthorizationDeniedException e) {
503 gumsResourceAdminLog.info(logUserAccess() + "Failed to add to persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "' - " + e.getMessage());
504 siteLog.info(logUserAccess() + "Unauthorized access to add to persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'");
505 } catch (RuntimeException e) {
506 gumsResourceAdminLog.error(logUserAccess() + "Failed to add to persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "' - " + e.getMessage());
507 siteLog.info(logUserAccess() + "Failed to add to persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "' - " + e.getMessage());
508 throw e;
509 }
510 }
511
512 public void manualGroupRemove(String persistanceFactory, String group, String userDN) {
513 try {
514 if (hasWriteAccess(currentUser())) {
515 Collection userGroups = gums().getConfiguration().getUserGroups().values();
516 Iterator it = userGroups.iterator();
517 boolean found = false;
518 while (it.hasNext()) {
519 UserGroup userGroup = (UserGroup)it.next();
520 if (userGroup instanceof ManualUserGroup) {
521 if (((ManualUserGroup)userGroup).getName().equals(group))
522 found = true;
523 }
524 }
525 if (!found)
526 throw new RuntimeException("No manual user group named " + group);
527
528 PersistenceFactory factory = (PersistenceFactory) gums().getConfiguration().getPersistenceFactories().get(persistanceFactory);
529 ManualUserGroupDB db = factory.retrieveManualUserGroupDB(group);
530 db.removeMember(new GridUser(userDN, null));
531 gumsResourceAdminLog.info(logUserAccess() + "Removed from persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'");
532 siteLog.info(logUserAccess() + "Removed from persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'");
533 } else {
534 throw new AuthorizationDeniedException();
535 }
536 } catch (AuthorizationDeniedException e) {
537 gumsResourceAdminLog.info(logUserAccess() + "Failed to remove from persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "' - " + e.getMessage());
538 siteLog.info(logUserAccess() + "Unauthorized access to remove from persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'");
539 throw e;
540 } catch (RuntimeException e) {
541 gumsResourceAdminLog.error(logUserAccess() + "Failed to remove from persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "' - " + e.getMessage());
542 siteLog.info(logUserAccess() + "Failed to remove from persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "' - " + e.getMessage());
543 throw e;
544 }
545 }
546
547 public void manualMappingAdd(String persistanceFactory, String group, String userDN, String account) {
548 try {
549 if (hasWriteAccess(currentUser())) {
550 Collection accountMappers = gums().getConfiguration().getAccountMappers().values();
551 Iterator it = accountMappers.iterator();
552 boolean found = false;
553 while (it.hasNext()) {
554 AccountMapper accountMapper = (AccountMapper)it.next();
555 if (accountMapper instanceof ManualAccountMapper) {
556 if (((ManualAccountMapper)accountMapper).getName().equals(group))
557 found = true;
558 }
559 }
560 if (!found)
561 throw new RuntimeException("No manual account mapper named " + group);
562
563 PersistenceFactory factory = (PersistenceFactory) gums().getConfiguration().getPersistenceFactories().get(persistanceFactory);
564 ManualAccountMapperDB db = factory.retrieveManualAccountMapperDB(group);
565 db.createMapping(userDN, account);
566 gumsResourceAdminLog.info(logUserAccess() + "Added mapping to persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' to account '" + account + "'");
567 siteLog.info(logUserAccess() + "Added mapping to persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' to account '" + account + "'");
568 } else {
569 throw new AuthorizationDeniedException();
570 }
571 } catch (AuthorizationDeniedException e) {
572 gumsResourceAdminLog.info(logUserAccess() + "Failed to add mapping to persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' to account '" + account + "' - " + e.getMessage());
573 siteLog.info(logUserAccess() + "Unauthorized access to add mapping to persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' to account '" + account + "'");
574 throw e;
575 } catch (RuntimeException e) {
576 gumsResourceAdminLog.error(logUserAccess() + "Failed to add mapping to persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' to account '" + account + "' - " + e.getMessage());
577 siteLog.info(logUserAccess() + "Failed to add mapping to persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' to account '" + account + "' - " + e.getMessage());
578 throw e;
579 }
580 }
581
582 public void manualMappingRemove(String persistanceFactory, String group, String userDN) {
583 try {
584 if (hasWriteAccess(currentUser())) {
585 Collection accountMappers = gums().getConfiguration().getAccountMappers().values();
586 Iterator it = accountMappers.iterator();
587 boolean found = false;
588 while (it.hasNext()) {
589 AccountMapper accountMapper = (AccountMapper)it.next();
590 if (accountMapper instanceof ManualAccountMapper) {
591 if (((ManualAccountMapper)accountMapper).getName().equals(group))
592 found = true;
593 }
594 }
595 if (!found)
596 throw new RuntimeException("No manual account mapper named " + group);
597
598 PersistenceFactory factory = (PersistenceFactory) gums().getConfiguration().getPersistenceFactories().get(persistanceFactory);
599 ManualAccountMapperDB db = factory.retrieveManualAccountMapperDB(group);
600 db.removeMapping(userDN);
601 gumsResourceAdminLog.info(logUserAccess() + "Removed mapping from persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "'");
602 siteLog.info(logUserAccess() + "Removed mapping from persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "'");
603 } else {
604 throw new AuthorizationDeniedException();
605 }
606 } catch (AuthorizationDeniedException e) {
607 gumsResourceAdminLog.info(logUserAccess() + "Failed to remove mapping from persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' - " + e.getMessage());
608 siteLog.info(logUserAccess() + "Unauthorized access to remove mapping from persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "'");
609 throw e;
610 } catch (RuntimeException e) {
611 gumsResourceAdminLog.error(logUserAccess() + "Failed to remove mapping from persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' - " + e.getMessage());
612 siteLog.info(logUserAccess() + "Failed to remove mapping from persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' - " + e.getMessage());
613 throw e;
614 }
615 }
616
617 public void poolAddAccount(String persistanceFactory, String group, String username) {
618 try {
619 if (hasWriteAccess(currentUser())) {
620 Collection accountMappers = gums().getConfiguration().getAccountMappers().values();
621 Iterator it = accountMappers.iterator();
622 boolean found = false;
623 while (it.hasNext()) {
624 AccountMapper accountMapper = (AccountMapper)it.next();
625 if (accountMapper instanceof AccountPoolMapper) {
626 if (((AccountPoolMapper)accountMapper).getAccountPool().equals(group))
627 found = true;
628 }
629 }
630 if (!found)
631 throw new RuntimeException("No pool account mapper with group " + group);
632
633 PersistenceFactory factory = (PersistenceFactory) gums().getConfiguration().getPersistenceFactories().get(persistanceFactory);
634 if (factory == null) {
635 throw new RuntimeException("PersistenceFactory '" + persistanceFactory + "' does not exist");
636 }
637 AccountPoolMapperDB db = factory.retrieveAccountPoolMapperDB(group);
638 db.addAccount(username);
639 gumsResourceAdminLog.info(logUserAccess() + "Added account to pool: persistence '" + persistanceFactory + "' group '" + group + "' username '" + username + "'");
640 siteLog.info(logUserAccess() + "Added account to pool: persistence '" + persistanceFactory + "' group '" + group + "' username '" + username + "'");
641 } else {
642 throw new AuthorizationDeniedException();
643 }
644 } catch (AuthorizationDeniedException e) {
645 gumsResourceAdminLog.info(logUserAccess() + "Failed to add account to pool: persistence '" + persistanceFactory + "' group '" + group + "' username '" + username + "' - " + e.getMessage());
646 siteLog.info(logUserAccess() + "Unauthorized access to add account to pool: persistence '" + persistanceFactory + "' group '" + group + "' username '" + username + "'");
647 throw e;
648 } catch (RuntimeException e) {
649 gumsResourceAdminLog.error(logUserAccess() + "Failed to add account to pool: persistence '" + persistanceFactory + "' group '" + group + "' username '" + username + "' - " + e.getMessage());
650 siteLog.info(logUserAccess() + "Failed to add account to pool: persistence '" + persistanceFactory + "' group '" + group + "' username '" + username + "' - " + e.getMessage());
651 throw e;
652 }
653 }
654
655
656
657 private GridUser currentUser() {
658 if (!isInWeb) return null;
659 String DN = CertCache.getUserDN();
660 if (DN != null) {
661 return new GridUser(DN, null);
662 } else {
663 return null;
664 }
665 }
666
667 private String getAccountPoolMapper(String pool) {
668 Collection accountMappers = gums().getConfiguration().getAccountMappers().values();
669 Iterator it = accountMappers.iterator();
670 while (it.hasNext()) {
671 AccountMapper accountMapper = (AccountMapper)it.next();
672 if ( accountMapper instanceof AccountPoolMapper && ((AccountPoolMapper)accountMapper).getAccountPoolRoot().equals(pool))
673 return accountMapper.getName();
674 }
675 return null;
676 }
677
678 private AccountPoolMapperDB getAccountPoolMapperDB(String accountPoolMapperName) {
679 return ((AccountPoolMapper) gums().getConfiguration().getAccountMapper(accountPoolMapperName)).getDB();
680 }
681
682 private ManualAccountMapperDB getManualAccountMapperDB(String manualAccountMapperName) {
683 return ((ManualAccountMapper) gums().getConfiguration().getAccountMapper(manualAccountMapperName)).getDB();
684 }
685
686 private ManualUserGroupDB getManualUserGroupDB(String manualUserGroupName) {
687 return ((ManualUserGroup) gums().getConfiguration().getUserGroup(manualUserGroupName)).getDB();
688 }
689
690 private GUMS gums() {
691 if (gums == null) {
692 FileConfigurationStore confStore = new FileConfigurationStore(CertCache.getConfigDir(), CertCache.getResourceDir(), getVersionNoPatch(), true);
693 gums = new GUMS(confStore);
694 }
695 return gums;
696 }
697
698 private boolean hasReadAllAccess(GridUser user, String hostname) {
699 if (user == null) return false;
700 if (gums().getConfiguration().getReadAllUserGroups() != null) {
701 Collection readAllUserGroups = gums().getConfiguration().getReadAllUserGroups();
702 Iterator it = readAllUserGroups.iterator();
703 while (it.hasNext()) {
704 UserGroup userGroup = (UserGroup)it.next();
705 if (userGroup.isInGroup(user))
706 return true;
707 }
708 }
709 if (hostname!=null)
710 return user.getCertificateDN().indexOf(hostname) != -1;
711 return false;
712 }
713
714 private boolean hasReadSelfAccess(GridUser currentUser) {
715 if (currentUser == null) return false;
716 if (gums().getConfiguration().getReadSelfUserGroups() == null)
717 return false;
718 Collection readSelfUserGroups = gums().getConfiguration().getReadSelfUserGroups();
719 Iterator it = readSelfUserGroups.iterator();
720 while (it.hasNext()) {
721 UserGroup userGroup = (UserGroup)it.next();
722 if (userGroup.isInGroup(currentUser))
723 return true;
724 }
725 return false;
726 }
727
728 private boolean hasWriteAccess(GridUser user) {
729 if (user == null) return false;
730 if (gums().getConfiguration().getWriteUserGroups() == null)
731 return false;
732 Collection writeUserGroups = gums().getConfiguration().getWriteUserGroups();
733 Iterator it = writeUserGroups.iterator();
734 while (it.hasNext()) {
735 UserGroup userGroup = (UserGroup)it.next();
736 if (userGroup.isInGroup(user))
737 return true;
738 }
739 return false;
740 }
741
742 private String logUserAccess() {
743 if (currentUser() == null) {
744 return "No AuthN - ";
745 } else {
746 return currentUser() + " - ";
747 }
748 }
749
750 private String getVersionNoPatch() {
751 String version = getVersion();
752 int lastDot = version.lastIndexOf(".");
753 if (lastDot!=-1)
754 version = version.substring(0, lastDot);
755 return version;
756 }
757
758 }