1
2
3
4
5
6
7 package gov.bnl.gums.admin;
8
9 import gov.bnl.gums.*;
10 import gov.bnl.gums.account.AccountMapper;
11 import gov.bnl.gums.account.AccountPoolMapper;
12 import gov.bnl.gums.account.ManualAccountMapper;
13 import gov.bnl.gums.configuration.Configuration;
14 import gov.bnl.gums.configuration.ConfigurationToolkit;
15 import gov.bnl.gums.configuration.FileConfigurationStore;
16 import gov.bnl.gums.userGroup.ManualUserGroup;
17 import gov.bnl.gums.userGroup.UserGroup;
18 import gov.bnl.gums.hostToGroup.HostToGroupMapping;
19
20 import java.io.BufferedReader;
21 import java.io.ByteArrayInputStream;
22 import java.io.FileInputStream;
23 import java.io.FileReader;
24 import java.io.IOException;
25 import java.io.InputStream;
26 import java.io.InputStreamReader;
27 import java.io.StringBufferInputStream;
28 import java.net.URL;
29 import java.net.URLConnection;
30 import java.util.Collection;
31 import java.util.Iterator;
32 import java.util.Map;
33
34 import org.apache.log4j.Logger;
35
36 import gov.bnl.gums.db.AccountPoolMapperDB;
37 import gov.bnl.gums.db.ManualAccountMapperDB;
38 import gov.bnl.gums.db.ManualUserGroupDB;
39
40 import gov.bnl.gums.persistence.PersistenceFactory;
41
42
43
44
45
46
47 public class GUMSAPIImpl implements GUMSAPI {
48 static private GUMS gums;
49 private Logger log = Logger.getLogger(GUMSAPI.class);
50 private Logger gumsAdminLog = Logger.getLogger(GUMS.gumsAdminLogName);
51 private Logger siteAdminLog = Logger.getLogger(GUMS.siteAdminLogName);
52 private boolean isInWeb = false;
53
54 {
55 try {
56 Class.forName("javax.servlet.Filter");
57 isInWeb = true;
58 } catch (ClassNotFoundException e) {
59 isInWeb = false;
60 }
61 }
62
63 public void addAccountRange2(String accountPoolMapperName, String range) {
64 try {
65 if (hasWriteAccess(currentUser())) {
66 String firstAccount = range.substring(0, range.indexOf('-'));
67 String lastAccountN = range.substring(range.indexOf('-') + 1);
68 String firstAccountN = firstAccount.substring(firstAccount.length() - lastAccountN.length());
69 String accountBase = firstAccount.substring(0, firstAccount.length() - lastAccountN.length());
70 int nFirstAccount = Integer.parseInt(firstAccountN);
71 int nLastAccount = Integer.parseInt(lastAccountN);
72
73 StringBuffer last = new StringBuffer(firstAccount);
74 String nLastAccountString = Integer.toString(nLastAccount);
75 last.replace(firstAccount.length() - nLastAccountString.length(), firstAccount.length(), nLastAccountString);
76
77 StringBuffer buf = new StringBuffer(firstAccount);
78 int len = firstAccount.length();
79 Map reverseMap = getAccountPoolMapperDB(accountPoolMapperName).retrieveReverseAccountMap();
80 for (int account = nFirstAccount; account <= nLastAccount; account++) {
81 String nAccount = Integer.toString(account);
82 buf.replace(len - nAccount.length(), len, nAccount);
83 if (reverseMap.get(buf.toString())!=null) {
84 String message = "One or more accounts already exist for '"+accountPoolMapperName+" "+range+"'. None were added.";
85 gumsAdminLog.warn(message);
86 throw new RuntimeException(message);
87 }
88 }
89 buf = new StringBuffer(firstAccount);
90 for (int account = nFirstAccount; account <= nLastAccount; account++) {
91 String nAccount = Integer.toString(account);
92 buf.replace(len - nAccount.length(), len, nAccount);
93 getAccountPoolMapperDB(accountPoolMapperName).addAccount(buf.toString());
94 }
95 }
96 else {
97 String message = logUserAccess() + "Unauthorized access to addAccountRange2 for '"+accountPoolMapperName+" "+range+"'";
98 gumsAdminLog.warn(message);
99 siteAdminLog.warn(message);
100 throw new AuthorizationDeniedException();
101 }
102 } catch (Exception e) {
103 throw new RuntimeException(e.getMessage());
104 }
105 }
106
107 public void backupConfiguration(String name) {
108 try {
109 if (hasWriteAccess(currentUser()))
110 gums().setConfiguration(gums().getConfiguration(), true, name);
111 else {
112 String message = logUserAccess() + "Unauthorized access to backupConfiguration";
113 gumsAdminLog.warn(message);
114 siteAdminLog.warn(message);
115 throw new AuthorizationDeniedException();
116 }
117 } catch (Exception e) {
118 throw new RuntimeException(e.getMessage());
119 }
120 }
121
122 public void deleteBackupConfiguration(String name) {
123 try {
124 if (hasWriteAccess(currentUser()))
125 gums().deleteBackupConfiguration(name);
126 else {
127 String message = logUserAccess() + "Unauthorized access to deleteBackupConfiguration for '"+name+"'";
128 gumsAdminLog.warn(message);
129 siteAdminLog.warn(message);
130 throw new AuthorizationDeniedException();
131 }
132 } catch (Exception e) {
133 throw new RuntimeException(e.getMessage());
134 }
135 }
136
137 public String generateEmailMapfile(String hostname) {
138 try {
139 if (hasReadAllAccess(currentUser(), hostname)) {
140 String map = gums().getCoreLogic().generateGridMapfile(hostname, false, true, true);
141 if (gumsAdminLog.isDebugEnabled())
142 gumsAdminLog.debug(logUserAccess() + "Generated email mapfile for host '" + hostname + "': " + map);
143 else
144 gumsAdminLog.info(logUserAccess() + "Generated email mapfile for host '" + hostname + "'");
145 return map;
146 } else {
147 String message = logUserAccess() + "Unauthorized access to generateEmailMapfile for host '"+hostname+"'";
148 gumsAdminLog.warn(message);
149 siteAdminLog.warn(message);
150 throw new AuthorizationDeniedException();
151 }
152 } catch (Exception e) {
153 throw new RuntimeException(e.getMessage());
154 }
155 }
156
157 public String generateFqanMapfile(String hostname) {
158 try {
159 if (hasReadAllAccess(currentUser(), hostname)) {
160 String map = gums().getCoreLogic().generateFqanMapfile(hostname);
161 if (gumsAdminLog.isDebugEnabled())
162 gumsAdminLog.debug(logUserAccess() + "Generated fqan mapfile for host '" + hostname + "': " + map);
163 else
164 gumsAdminLog.info(logUserAccess() + "Generated fqan mapfile for host '" + hostname + "'");
165 return map;
166 } else {
167 String message = logUserAccess() + "Unauthorized access to generateFqanMapfile for host '"+hostname+"'";
168 gumsAdminLog.warn(message);
169 siteAdminLog.warn(message);
170 throw new AuthorizationDeniedException();
171 }
172 } catch (Exception e) {
173 throw new RuntimeException(e.getMessage());
174 }
175 }
176
177 public String generateGrid3UserVoMap(String hostname) {
178 return generateOsgUserVoMap(hostname);
179 }
180
181 public String generateGridMapfile(String hostname) {
182 try {
183 if (!gums().getConfiguration().getAllowGridmapFiles())
184 throw new RuntimeException("Grid Mapfile generation has been disabled (probably to conserve pool accounts)");
185
186 if (hasReadAllAccess(currentUser(), hostname)) {
187 String map = gums().getCoreLogic().generateGridMapfile(hostname, true, false, false);
188 if (gumsAdminLog.isDebugEnabled())
189 gumsAdminLog.debug(logUserAccess() + "Generated grid mapfile for host '" + hostname + "': " + map);
190 else
191 gumsAdminLog.info(logUserAccess() + "Generated grid mapfile for host '" + hostname + "'");
192 return map;
193 } else {
194 String message = logUserAccess() + "Unauthorized access to generateGridMapfile for host '"+hostname+"'";
195 gumsAdminLog.warn(message);
196 siteAdminLog.warn(message);
197 throw new AuthorizationDeniedException();
198 }
199 } catch (Exception e) {
200 throw new RuntimeException(e.getMessage());
201 }
202 }
203
204 public String generateOsgUserVoMap(String hostname) {
205 try {
206 if (hasReadAllAccess(currentUser(), hostname)) {
207 String map = gums().getCoreLogic().generateOsgUserVoMap(hostname);
208 if (gumsAdminLog.isDebugEnabled())
209 gumsAdminLog.debug(logUserAccess() + "Generated osg vo-user map for host '" + hostname + "': " + map);
210 else
211 gumsAdminLog.info(logUserAccess() + "Generated osg vo-user map for host '" + hostname + "'");
212 return map;
213 } else {
214 String message = logUserAccess() + "Unauthorized access to generateOsgUserVoMap for host '"+hostname+"'";
215 gumsAdminLog.warn(message);
216 siteAdminLog.warn(message);
217 throw new AuthorizationDeniedException();
218 }
219 } catch (Exception e) {
220 throw new RuntimeException(e.getMessage());
221 }
222 }
223
224 public String generateVoGridMapfile(String hostname) {
225 try {
226 if (!gums().getConfiguration().getAllowGridmapFiles())
227 throw new RuntimeException("Grid Mapfile generation has been disabled (probably to conserve pool accounts)");
228
229 if (hasReadAllAccess(currentUser(), hostname)) {
230 String map = gums().getCoreLogic().generateGridMapfile(hostname, true, true, false);
231 if (gumsAdminLog.isDebugEnabled())
232 gumsAdminLog.debug(logUserAccess() + "Generated vo grid mapfile for host '" + hostname + "':" + map);
233 else
234 gumsAdminLog.info(logUserAccess() + "Generated vo grid mapfile for host '" + hostname + "'");
235 return map;
236 } else {
237 String message = logUserAccess() + "Unauthorized access to generateVoGridMapfile for host '"+hostname+"'";
238 gumsAdminLog.warn(message);
239 siteAdminLog.warn(message);
240 throw new AuthorizationDeniedException();
241 }
242 } catch (Exception e) {
243 throw new RuntimeException(e.getMessage());
244 }
245 }
246
247 public Collection getBackupNames() {
248 try {
249 Collection backupConfigDates = null;
250 if (hasReadAllAccess(currentUser(), null)) {
251 backupConfigDates = gums().getBackupNames();
252 }
253 else {
254 String message = logUserAccess() + "Unauthorized access to getBackupConfigDates";
255 gumsAdminLog.warn(message);
256 siteAdminLog.warn(message);
257 throw new AuthorizationDeniedException();
258 }
259 return backupConfigDates;
260 } catch (Exception e) {
261 throw new RuntimeException(e.getMessage());
262 }
263 }
264
265 public Configuration getConfiguration() {
266 try {
267 if (hasReadAllAccess(currentUser(), null) && isInWeb) {
268 return gums().getConfiguration();
269 }
270 else {
271 String message = logUserAccess() + "Unauthorized access to getConfiguration";
272 gumsAdminLog.warn(message);
273 siteAdminLog.warn(message);
274 throw new AuthorizationDeniedException();
275 }
276 } catch (Exception e) {
277 throw new RuntimeException(e.getMessage());
278 }
279 }
280
281 public String getPoolAccountAssignments(String accountPoolMapperName) {
282 try {
283 if (hasReadAllAccess(currentUser(), null)) {
284 if (gums().getConfiguration().getAccountMapper(accountPoolMapperName) instanceof AccountPoolMapper)
285 return ((AccountPoolMapper)gums().getConfiguration().getAccountMapper(accountPoolMapperName)).getAssignments();
286 else
287 return "";
288 }
289 else {
290 String message = logUserAccess() + "Unauthorized access to getPoolAccountAssignments for '"+accountPoolMapperName+"'";
291 gumsAdminLog.warn(message);
292 siteAdminLog.warn(message);
293 throw new AuthorizationDeniedException();
294 }
295 } catch (Exception e) {
296 throw new RuntimeException(e.getMessage());
297 }
298 }
299
300 public String getVersion() {
301 return GUMS.getVersion();
302 }
303
304 public void manualGroupAdd2(String manualUserGroupName, String userDN) {
305 try {
306 if (hasWriteAccess(currentUser())) {
307 ((ManualUserGroup)gums().getConfiguration().getUserGroup(manualUserGroupName)).addMember(new GridUser(userDN, null));
308 gumsAdminLog.info(logUserAccess() + "Added to user group '" + manualUserGroupName + "' user '" + userDN + "'");
309 siteAdminLog.info(logUserAccess() + "Added to user group '" + manualUserGroupName + "' user '" + userDN + "'");
310 } else {
311 String message = logUserAccess() + "Unauthorized access to manualGroupAdd2 for user group '" + manualUserGroupName + "' user '" + userDN + "'";
312 gumsAdminLog.warn(message);
313 siteAdminLog.warn(message);
314 throw new AuthorizationDeniedException();
315 }
316 } catch (Exception e) {
317 throw new RuntimeException(e.getMessage());
318 }
319 }
320
321 public void manualGroupAdd3(String manualUserGroupName, String userDN, String fqan, String email) {
322 try {
323 if (hasWriteAccess(currentUser())) {
324 ((ManualUserGroup)gums().getConfiguration().getUserGroup(manualUserGroupName)).addMember(new GridUser(userDN, fqan, email, false));
325 gumsAdminLog.info(logUserAccess() + "Added to user group '" + manualUserGroupName + "' user '" + userDN + "' fqan '" + fqan + "' email '" + email + "'");
326 siteAdminLog.info(logUserAccess() + "Added to user group '" + manualUserGroupName + "' user '" + userDN + "' fqan '" + fqan + "' email '" + email + "'");
327 } else {
328 String message = logUserAccess() + "Unauthorized access to manualGroupAdd3 for user group '" + manualUserGroupName + "' user '" + userDN + "' fqan '" + fqan + "' email '" + email + "'";
329 gumsAdminLog.warn(message);
330 siteAdminLog.warn(message);
331 throw new AuthorizationDeniedException();
332 }
333 } catch (Exception e) {
334 throw new RuntimeException(e.getMessage());
335 }
336 }
337
338 public void manualGroupRemove2(String manualUserGroupName, String userDN) {
339 try {
340 if (hasWriteAccess(currentUser())) {
341 ((ManualUserGroup)gums().getConfiguration().getUserGroup(manualUserGroupName)).removeMember(new GridUser(userDN, null));
342 gumsAdminLog.info(logUserAccess() + "Removed from user group '" + manualUserGroupName + "' user '" + userDN + "'");
343 siteAdminLog.info(logUserAccess() + "Removed from user group '" + manualUserGroupName + "' user '" + userDN + "'");
344 } else {
345 String message = logUserAccess() + "Unauthorized access to manualGroupRemove2 for user group '" + manualUserGroupName + "' user '" + userDN + "'";
346 gumsAdminLog.warn(message);
347 siteAdminLog.warn(message);
348 throw new AuthorizationDeniedException();
349 }
350 } catch (Exception e) {
351 throw new RuntimeException(e.getMessage());
352 }
353 }
354
355 public void manualGroupRemove3(String manualUserGroupName, String userDN, String fqan) {
356 try {
357 if (hasWriteAccess(currentUser())) {
358 ((ManualUserGroup)gums().getConfiguration().getUserGroup(manualUserGroupName)).removeMember(new GridUser(userDN, fqan, false));
359 gumsAdminLog.info(logUserAccess() + "Removed from user group '" + manualUserGroupName + "' user '" + userDN + "' fqan '" + fqan + "'");
360 siteAdminLog.info(logUserAccess() + "Removed from user group '" + manualUserGroupName + "' user '" + userDN + "' fqan '" + fqan + "'");
361 } else {
362 String message = logUserAccess() + "Unauthorized access to manualGroupRemove2 for user group '" + manualUserGroupName + "' user '" + userDN + "' fqan '"+fqan+"'";
363 gumsAdminLog.warn(message);
364 siteAdminLog.warn(message);
365 throw new AuthorizationDeniedException();
366 }
367 } catch (Exception e) {
368 throw new RuntimeException(e.getMessage());
369 }
370 }
371
372 public void manualMappingAdd2(String manualAccountMapperName, String userDN, String account) {
373 try {
374 if (hasWriteAccess(currentUser())) {
375 getManualAccountMapperDB(manualAccountMapperName).createMapping(userDN, account);
376 gumsAdminLog.info(logUserAccess() + "Added mapping to account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' to account '" + account + "'");
377 siteAdminLog.info(logUserAccess() + "Added mapping to account mapper '" + manualAccountMapperName + "' for user '" + userDN + "' to account '" + account + "'");
378 } else {
379 String message = logUserAccess() + "Unauthorized access to manualMappingAdd2 for account mapper '" + manualAccountMapperName + "' user '" + userDN + "' account '"+account+"'";
380 gumsAdminLog.warn(message);
381 siteAdminLog.warn(message);
382 throw new AuthorizationDeniedException();
383 }
384 } catch (Exception e) {
385 throw new RuntimeException(e.getMessage());
386 }
387 }
388
389 public void mergeConfiguration(Configuration conf, String newConfUri, String persistenceFactory, String hostToGroupMapping)
390 {
391 InputStream inputStream = null;
392 try {
393 if (hasWriteAccess(currentUser())) {
394 if (newConfUri.startsWith("http")) {
395 URL url = new URL(newConfUri);
396 URLConnection connection = url.openConnection();
397 inputStream = connection.getInputStream();
398 }
399 else if (newConfUri.startsWith("file://")) {
400 inputStream = new FileInputStream(newConfUri.substring(7));
401 }
402 else {
403 String message = "Unsupported non-members URI: " + newConfUri;
404 log.error(message);
405 throw new RuntimeException(message);
406 }
407 StringBuffer configBuffer = new StringBuffer();
408 int ch;
409 while ((ch = inputStream.read()) != -1)
410 configBuffer.append((char)ch);
411 Configuration newConf = ConfigurationToolkit.parseConfiguration(configBuffer.toString(), false);
412 conf.mergeConfiguration(newConf, persistenceFactory, hostToGroupMapping);
413 }
414 else {
415 String message = logUserAccess() + "Unauthorized access to mergeConfiguration";
416 gumsAdminLog.warn(message);
417 siteAdminLog.warn(message);
418 throw new AuthorizationDeniedException();
419 }
420 } catch (Exception e) {
421 throw new RuntimeException(e.getMessage());
422 } finally {
423 if (inputStream != null) {
424 try {
425 inputStream.close();
426 } catch (IOException e) {
427 log.error(e.getMessage());
428 }
429 }
430 }
431 }
432
433 public void manualMappingRemove2(String manualAccountMapperName, String userDN) {
434 try {
435 if (hasWriteAccess(currentUser())) {
436 getManualAccountMapperDB(manualAccountMapperName).removeMapping(userDN);
437 gumsAdminLog.info(logUserAccess() + "Removed mapping from account mapper '" + manualAccountMapperName + "' for user '" + userDN + "'");
438 siteAdminLog.info(logUserAccess() + "Removed mapping from account mapper '" + manualAccountMapperName + "' for user '" + userDN + "'");
439 } else {
440 String message = logUserAccess() + "Unauthorized access to manualMappingRemove2 for user group '" + manualAccountMapperName + "' user '" + userDN + "'";
441 gumsAdminLog.warn(message);
442 siteAdminLog.warn(message);
443 throw new AuthorizationDeniedException();
444 }
445 } catch (Exception e) {
446 throw new RuntimeException(e.getMessage());
447 }
448 }
449
450 public String mapAccount(String accountName) {
451 try {
452 if (hasReadAllAccess(currentUser(), null)) {
453 String DNs = gums().getCoreLogic().mapAccount(accountName);
454 gumsAdminLog.info(logUserAccess() + "Mapped the account '" + accountName + "' to '" + DNs + "'");
455 return DNs;
456 } else {
457 String message = logUserAccess() + "Unauthorized access to mapAccount for account '" + accountName + "'";
458 gumsAdminLog.warn(message);
459 siteAdminLog.warn(message);
460 throw new AuthorizationDeniedException();
461 }
462 } catch (Exception e) {
463 throw new RuntimeException(e.getMessage());
464 }
465 }
466
467 public String mapUser(String hostname, String userDN, String fqan) {
468 try {
469 if ( (hasReadSelfAccess(currentUser()) && currentUser().compareDn(userDN)==0) || hasReadAllAccess(currentUser(), hostname)) {
470 GridUser user = new GridUser(userDN, fqan);
471 String account = null;
472 boolean isUserBanned = gums().isUserBanned(user);
473 if (!isUserBanned)
474 account = gums().getCoreLogic().map(hostname, user, false);
475 if (account==null && isUserBanned) {
476 String message = logUserAccess() + "Mapped on host '" + hostname + "' the banned user '" + userDN + "' / '" + fqan + "' to '" + account + "'";
477 gumsAdminLog.warn(message);
478 siteAdminLog.warn(message);
479 }
480 else
481 gumsAdminLog.info(logUserAccess() + "Mapped on host '" + hostname + "' the user '" + userDN + "' / '" + fqan + "' to '" + account + "'");
482 return account;
483 } else {
484 String message = logUserAccess() + "Unauthorized access to mapUser for '" + hostname + "' from user '" + userDN + "' / '" + fqan + "'";
485 gumsAdminLog.warn(message);
486 siteAdminLog.warn(message);
487 throw new AuthorizationDeniedException();
488 }
489 } catch (Exception e) {
490 throw new RuntimeException(e.getMessage());
491 }
492 }
493
494 public void removeAccountRange(String accountPoolMapperName, String range) {
495 try {
496 if (hasWriteAccess(currentUser())) {
497 String firstAccount = range.substring(0, range.indexOf('-'));
498 String lastAccountN = range.substring(range.indexOf('-') + 1);
499 String firstAccountN = firstAccount.substring(firstAccount.length() - lastAccountN.length());
500 String accountBase = firstAccount.substring(0, firstAccount.length() - lastAccountN.length());
501 int nFirstAccount = Integer.parseInt(firstAccountN);
502 int nLastAccount = Integer.parseInt(lastAccountN);
503
504 StringBuffer last = new StringBuffer(firstAccount);
505 String nLastAccountString = Integer.toString(nLastAccount);
506 last.replace(firstAccount.length() - nLastAccountString.length(), firstAccount.length(), nLastAccountString);
507
508 StringBuffer buf = new StringBuffer(firstAccount);
509 int len = firstAccount.length();
510 for (int account = nFirstAccount; account <= nLastAccount; account++) {
511 String nAccount = Integer.toString(account);
512 buf.replace(len - nAccount.length(), len, nAccount);
513 getAccountPoolMapperDB(accountPoolMapperName).removeAccount(buf.toString());
514 }
515 }
516 else {
517 String message = logUserAccess() + "Unauthorized access to removeAccountRange for '"+accountPoolMapperName+" "+range+"'";
518 gumsAdminLog.warn(message);
519 siteAdminLog.warn(message);
520 throw new AuthorizationDeniedException();
521 }
522 } catch (Exception e) {
523 throw new RuntimeException(e.getMessage());
524 }
525 }
526
527 public void restoreConfiguration(String name) throws Exception {
528 try {
529 if (hasWriteAccess(currentUser()))
530 gums().restoreConfiguration(name);
531 else {
532 String message = logUserAccess() + "Unauthorized access to restoreConfiguration for '"+name+"'";
533 gumsAdminLog.warn(message);
534 siteAdminLog.warn(message);
535 throw new AuthorizationDeniedException();
536 }
537 } catch (Exception e) {
538 throw new RuntimeException(e.getMessage());
539 }
540 }
541
542 public void setConfiguration(Configuration configuration) throws Exception {
543 try {
544 if (hasWriteAccess(currentUser()))
545 gums().setConfiguration(configuration, false, null);
546 else {
547 String message = logUserAccess() + "Unauthorized access to setConfiguration";
548 gumsAdminLog.warn(message);
549 siteAdminLog.warn(message);
550 throw new AuthorizationDeniedException();
551 }
552 gumsAdminLog.debug("Configuration was set: " + configuration.toXml());
553 siteAdminLog.debug("Configuration was set: " + configuration.toXml());
554 } catch (Exception e) {
555 throw new RuntimeException(e.getMessage());
556 }
557 }
558
559 public void unassignAccountRange(String accountPoolMapperName, String range) {
560 try {
561 if (hasWriteAccess(currentUser())) {
562 String firstAccount = range.substring(0, range.indexOf('-'));
563 String lastAccountN = range.substring(range.indexOf('-') + 1);
564 String firstAccountN = firstAccount.substring(firstAccount.length() - lastAccountN.length());
565 String accountBase = firstAccount.substring(0, firstAccount.length() - lastAccountN.length());
566 int nFirstAccount = Integer.parseInt(firstAccountN);
567 int nLastAccount = Integer.parseInt(lastAccountN);
568
569 StringBuffer last = new StringBuffer(firstAccount);
570 String nLastAccountString = Integer.toString(nLastAccount);
571 last.replace(firstAccount.length() - nLastAccountString.length(), firstAccount.length(), nLastAccountString);
572
573 StringBuffer buf = new StringBuffer(firstAccount);
574 int len = firstAccount.length();
575 for (int account = nFirstAccount; account <= nLastAccount; account++) {
576 String nAccount = Integer.toString(account);
577 buf.replace(len - nAccount.length(), len, nAccount);
578 getAccountPoolMapperDB(accountPoolMapperName).unassignAccount(buf.toString());
579 }
580
581 gumsAdminLog.info(logUserAccess() + "Unassigned accounts from account mapper '" + accountPoolMapperName + "'");
582 siteAdminLog.info(logUserAccess() + "Unassigned accounts from account mapper '" + accountPoolMapperName + "'");
583 }
584 else {
585 String message = logUserAccess() + "Unauthorized access to unassignAccountRange for '"+accountPoolMapperName+" "+range+"'";
586 gumsAdminLog.warn(message);
587 siteAdminLog.warn(message);
588 throw new AuthorizationDeniedException();
589 }
590 } catch (Exception e) {
591 throw new RuntimeException(e.getMessage());
592 }
593 }
594
595 public void updateGroups() {
596 try {
597 if (hasWriteAccess(currentUser())) {
598 gums().getCoreLogic().updateGroups();
599 gumsAdminLog.info(logUserAccess() + "Groups updated");
600 siteAdminLog.info(logUserAccess() + "Groups updated");
601 } else {
602 String message = logUserAccess() + "Unauthorized access to updateGroups";
603 gumsAdminLog.warn(message);
604 siteAdminLog.warn(message);
605 throw new AuthorizationDeniedException();
606 }
607 } catch (Exception e) {
608 throw new RuntimeException(e.getMessage());
609 }
610 }
611
612 public String getCurrentDn() {
613 return currentUser().getCertificateDN();
614 }
615
616
617
618 public void manualGroupAdd(String persistanceFactory, String group, String userDN) {
619 try {
620 if (hasWriteAccess(currentUser())) {
621 Collection userGroups = gums().getConfiguration().getUserGroups().values();
622 Iterator it = userGroups.iterator();
623 boolean found = false;
624 while (it.hasNext()) {
625 UserGroup userGroup = (UserGroup)it.next();
626 if (userGroup instanceof ManualUserGroup) {
627 if (((ManualUserGroup)userGroup).getName().equals(group))
628 found = true;
629 }
630 }
631 if (!found)
632 throw new RuntimeException("No manual user group named " + group);
633
634 ((ManualUserGroup)gums().getConfiguration().getUserGroup(group)).addMember(new GridUser(userDN, null));
635 gumsAdminLog.info(logUserAccess() + "Added to persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'");
636 siteAdminLog.info(logUserAccess() + "Added to persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'");
637 } else {
638 String message = logUserAccess() + "Unauthorized access to manualGroupAdd for persistance '" + persistanceFactory + "' user group '" + group + "' user '" + userDN + "'";
639 gumsAdminLog.warn(message);
640 siteAdminLog.warn(message);
641 throw new AuthorizationDeniedException();
642 }
643 } catch (Exception e) {
644 throw new RuntimeException(e.getMessage());
645 }
646 }
647
648 public void manualGroupRemove(String persistanceFactory, String group, String userDN) {
649 try {
650 if (hasWriteAccess(currentUser())) {
651 Collection userGroups = gums().getConfiguration().getUserGroups().values();
652 Iterator it = userGroups.iterator();
653 boolean found = false;
654 while (it.hasNext()) {
655 UserGroup userGroup = (UserGroup)it.next();
656 if (userGroup instanceof ManualUserGroup) {
657 if (((ManualUserGroup)userGroup).getName().equals(group))
658 found = true;
659 }
660 }
661 if (!found)
662 throw new RuntimeException("No manual user group named " + group);
663
664 ((ManualUserGroup)gums().getConfiguration().getUserGroup(group)).removeMember(new GridUser(userDN, null));
665 gumsAdminLog.info(logUserAccess() + "Removed from persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'");
666 siteAdminLog.info(logUserAccess() + "Removed from persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'");
667 } else {
668 String message = logUserAccess() + "Unauthorized access to manualGroupRemove for persistance '" + persistanceFactory + "' user group '" + group + "' user '" + userDN + "'";
669 gumsAdminLog.warn(message);
670 siteAdminLog.warn(message);
671 throw new AuthorizationDeniedException();
672 }
673 } catch (Exception e) {
674 throw new RuntimeException(e.getMessage());
675 }
676 }
677
678 public void manualMappingAdd(String persistanceFactory, String group, String userDN, String account) {
679 try {
680 if (hasWriteAccess(currentUser())) {
681 Collection accountMappers = gums().getConfiguration().getAccountMappers().values();
682 Iterator it = accountMappers.iterator();
683 boolean found = false;
684 while (it.hasNext()) {
685 AccountMapper accountMapper = (AccountMapper)it.next();
686 if (accountMapper instanceof ManualAccountMapper) {
687 if (((ManualAccountMapper)accountMapper).getName().equals(group))
688 found = true;
689 }
690 }
691 if (!found)
692 throw new RuntimeException("No manual account mapper named " + group);
693
694 PersistenceFactory factory = (PersistenceFactory) gums().getConfiguration().getPersistenceFactories().get(persistanceFactory);
695 ManualAccountMapperDB db = factory.retrieveManualAccountMapperDB(group);
696 db.createMapping(userDN, account);
697 gumsAdminLog.info(logUserAccess() + "Added mapping to persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' to account '" + account + "'");
698 siteAdminLog.info(logUserAccess() + "Added mapping to persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' to account '" + account + "'");
699 } else {
700 String message = "Unauthorized access to manualMappingAdd for persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' to account '" + account + "'";
701 gumsAdminLog.warn(message);
702 siteAdminLog.warn(message);
703 throw new AuthorizationDeniedException();
704 }
705 } catch (Exception e) {
706 throw new RuntimeException(e.getMessage());
707 }
708 }
709
710 public void manualMappingRemove(String persistanceFactory, String group, String userDN) {
711 try {
712 if (hasWriteAccess(currentUser())) {
713 Collection accountMappers = gums().getConfiguration().getAccountMappers().values();
714 Iterator it = accountMappers.iterator();
715 boolean found = false;
716 while (it.hasNext()) {
717 AccountMapper accountMapper = (AccountMapper)it.next();
718 if (accountMapper instanceof ManualAccountMapper) {
719 if (((ManualAccountMapper)accountMapper).getName().equals(group))
720 found = true;
721 }
722 }
723 if (!found)
724 throw new RuntimeException("No manual account mapper named " + group);
725
726 PersistenceFactory factory = (PersistenceFactory) gums().getConfiguration().getPersistenceFactories().get(persistanceFactory);
727 ManualAccountMapperDB db = factory.retrieveManualAccountMapperDB(group);
728 db.removeMapping(userDN);
729 gumsAdminLog.info(logUserAccess() + "Removed mapping from persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "'");
730 siteAdminLog.info(logUserAccess() + "Removed mapping from persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "'");
731 } else {
732 String message = "Unauthorized access to manualMappingRemove for persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "'";
733 gumsAdminLog.warn(message);
734 siteAdminLog.warn(message);
735 throw new AuthorizationDeniedException();
736 }
737 } catch (Exception e) {
738 throw new RuntimeException(e.getMessage());
739 }
740 }
741
742 public void poolAddAccount(String persistanceFactory, String group, String accountName) {
743 try {
744 if (hasWriteAccess(currentUser())) {
745 Collection accountMappers = gums().getConfiguration().getAccountMappers().values();
746 Iterator it = accountMappers.iterator();
747 boolean found = false;
748 while (it.hasNext()) {
749 AccountMapper accountMapper = (AccountMapper)it.next();
750 if (accountMapper instanceof AccountPoolMapper) {
751 if (((AccountPoolMapper)accountMapper).getAccountPool().equals(group))
752 found = true;
753 }
754 }
755 if (!found)
756 throw new RuntimeException("No pool account mapper with group " + group);
757
758 PersistenceFactory factory = (PersistenceFactory) gums().getConfiguration().getPersistenceFactories().get(persistanceFactory);
759 if (factory == null) {
760 throw new RuntimeException("PersistenceFactory '" + persistanceFactory + "' does not exist");
761 }
762 AccountPoolMapperDB db = factory.retrieveAccountPoolMapperDB(group);
763 db.addAccount(accountName);
764 gumsAdminLog.info(logUserAccess() + "Added account to pool: persistence '" + persistanceFactory + "' group '" + group + "' account '" + accountName + "'");
765 siteAdminLog.info(logUserAccess() + "Added account to pool: persistence '" + persistanceFactory + "' group '" + group + "' account '" + accountName + "'");
766 } else {
767 String message = "Unauthorized access to poolAddAccount for persistence '" + persistanceFactory + "' group '" + group + "' account '" + accountName + "'";
768 gumsAdminLog.warn(message);
769 siteAdminLog.warn(message);
770 throw new AuthorizationDeniedException();
771 }
772 } catch (Exception e) {
773 throw new RuntimeException(e.getMessage());
774 }
775 }
776
777
778
779 private GridUser currentUser() {
780 if (!isInWeb) return null;
781 String DN = CertCache.getUserDN();
782 if (DN != null) {
783 return new GridUser(DN, null);
784 } else {
785 return null;
786 }
787 }
788
789 private String getAccountPoolMapper(String pool) throws Exception {
790 Collection accountMappers = gums().getConfiguration().getAccountMappers().values();
791 Iterator it = accountMappers.iterator();
792 while (it.hasNext()) {
793 AccountMapper accountMapper = (AccountMapper)it.next();
794 if ( accountMapper instanceof AccountPoolMapper && ((AccountPoolMapper)accountMapper).getAccountPoolRoot().equals(pool))
795 return accountMapper.getName();
796 }
797 return null;
798 }
799
800 private AccountPoolMapperDB getAccountPoolMapperDB(String accountPoolMapperName) throws Exception {
801 return ((AccountPoolMapper) gums().getConfiguration().getAccountMapper(accountPoolMapperName)).getDB();
802 }
803
804 private ManualAccountMapperDB getManualAccountMapperDB(String manualAccountMapperName) throws Exception {
805 return ((ManualAccountMapper) gums().getConfiguration().getAccountMapper(manualAccountMapperName)).getDB();
806 }
807
808 private GUMS gums() {
809 if (gums == null) {
810 FileConfigurationStore confStore = new FileConfigurationStore(CertCache.getConfigDir());
811 gums = new GUMS(confStore);
812 }
813 return gums;
814 }
815
816 private boolean hasReadAllAccess(GridUser user, String hostname) throws Exception {
817 if (user == null)
818 return false;
819 Collection readAllUserGroups;
820 if ((readAllUserGroups = gums().getConfiguration().getReadAllUserGroups()) != null) {
821 Iterator it = readAllUserGroups.iterator();
822 while (it.hasNext()) {
823 UserGroup userGroup = (UserGroup)it.next();
824 if (userGroup.isInGroup(user))
825 return true;
826 }
827 }
828
829 if (hostname!=null && user.getCertificateDN().indexOf(hostname) != -1)
830 return true;
831
832 if (hostToGroupMapping(user.getCertificateDN()) != null)
833 return true;
834 return false;
835 }
836
837 private boolean hasReadSelfAccess(GridUser currentUser) throws Exception {
838 if (currentUser == null)
839 return false;
840 if (gums().getConfiguration().getReadSelfUserGroups() == null)
841 return false;
842 Collection readSelfUserGroups = gums().getConfiguration().getReadSelfUserGroups();
843 Iterator it = readSelfUserGroups.iterator();
844 while (it.hasNext()) {
845 UserGroup userGroup = (UserGroup)it.next();
846 if (userGroup.isInGroup(currentUser))
847 return true;
848 }
849 return false;
850 }
851
852 private boolean hasWriteAccess(GridUser user) throws Exception {
853 if (user == null)
854 return false;
855 if (gums().getConfiguration().getWriteUserGroups() == null)
856 return false;
857 Collection writeUserGroups = gums().getConfiguration().getWriteUserGroups();
858 Iterator it = writeUserGroups.iterator();
859 while (it.hasNext()) {
860 UserGroup userGroup = (UserGroup)it.next();
861 if (userGroup.isInGroup(user))
862 return true;
863 }
864 return false;
865 }
866
867 private HostToGroupMapping hostToGroupMapping(String hostname) {
868 try {
869 Collection hostToGroupMappers = gums().getConfiguration().getHostToGroupMappings();
870 Iterator it = hostToGroupMappers.iterator();
871 while (it.hasNext()) {
872 HostToGroupMapping hostToGroupMapper = (HostToGroupMapping) it.next();
873 if (hostToGroupMapper.isInGroup(hostname)) {
874 return hostToGroupMapper;
875 }
876 }
877 } catch (Exception e) {
878 throw new RuntimeException(e.getMessage());
879 }
880 return null;
881 }
882
883 private String logUserAccess() {
884 if (currentUser() == null) {
885 return "No AuthN - ";
886 } else {
887 return currentUser() + " - ";
888 }
889 }
890
891 private String getVersionNoPatch() {
892 String version = getVersion();
893 int lastDot = version.lastIndexOf(".");
894 if (lastDot!=-1)
895 version = version.substring(0, lastDot);
896 return version;
897 }
898
899 }