@Transactional(propagation = Propagation.SUPPORTS) public boolean hasAccessToDevice(AccessKey accessKey, String deviceGuid) { Set<AccessKeyPermission> permissions = accessKey.getPermissions(); Set<String> allowedDevices = new HashSet<>(); Set<Long> allowedNetworks = new HashSet<>(); User accessKeyUser = userService.findUserWithNetworks(accessKey.getUser().getId()); Set<AccessKeyPermission> toRemove = new HashSet<>(); Device device = genericDAO .createNamedQuery(Device.class, "Device.findByUUID", of(CacheConfig.refresh())) .setParameter("guid", deviceGuid) .getSingleResult(); for (AccessKeyPermission currentPermission : permissions) { if (currentPermission.getDeviceGuidsAsSet() == null) { allowedDevices.add(null); } else { if (!currentPermission.getDeviceGuidsAsSet().contains(deviceGuid)) { toRemove.add(currentPermission); } else { allowedDevices.addAll(currentPermission.getDeviceGuidsAsSet()); } } if (currentPermission.getNetworkIdsAsSet() == null) { allowedNetworks.add(null); } else { if (device.getNetwork() != null) { if (!currentPermission.getNetworkIdsAsSet().contains(device.getNetwork().getId())) { toRemove.add(currentPermission); } else { allowedNetworks.addAll(currentPermission.getNetworkIdsAsSet()); } } } } permissions.removeAll(toRemove); boolean hasAccess; hasAccess = allowedDevices.contains(null) ? userService.hasAccessToDevice(accessKeyUser, device.getGuid()) : allowedDevices.contains(device.getGuid()) && userService.hasAccessToDevice(accessKeyUser, device.getGuid()); hasAccess = hasAccess && allowedNetworks.contains(null) ? accessKeyUser.isAdmin() || accessKeyUser.getNetworks().contains(device.getNetwork()) : (accessKeyUser.isAdmin() || accessKeyUser.getNetworks().contains(device.getNetwork())) && allowedNetworks.contains(device.getNetwork().getId()); return hasAccess; }
@Transactional public AccessKey create(@NotNull User user, @NotNull AccessKey accessKey) { if (accessKey.getLabel() == null) { throw new IllegalParametersException(Messages.LABEL_IS_REQUIRED); } Optional<AccessKey> akOpt = genericDAO .createNamedQuery( AccessKey.class, "AccessKey.getByUserAndLabel", Optional.<CacheConfig>empty()) .setParameter("userId", user.getId()) .setParameter("label", accessKey.getLabel()) .getResultList() .stream() .findFirst(); if (akOpt.isPresent()) { logger.error("Access key with label {} already exists", accessKey.getLabel()); throw new ActionNotAllowedException(Messages.DUPLICATE_LABEL_FOUND); } if (accessKey.getId() != null) { logger.error("Access key id shouldn't be present in request parameters"); throw new IllegalParametersException(Messages.INVALID_REQUEST_PARAMETERS); } authenticationUtils.validateActions(accessKey); AccessKeyProcessor keyProcessor = new AccessKeyProcessor(); String key = keyProcessor.generateKey(); accessKey.setKey(key); accessKey.setUser(user); genericDAO.persist(accessKey); for (AccessKeyPermission current : accessKey.getPermissions()) { AccessKeyPermission permission = preparePermission(current); permission.setAccessKey(accessKey); genericDAO.persist(permission); } return genericDAO.find(AccessKey.class, accessKey.getId()); }
@Transactional public AccessKey updateAccessKeyFromOAuthGrant(OAuthGrant grant, User user, Date now) { AccessKey existing = find(grant.getAccessKey().getId(), user.getId()); deleteAccessKeyPermissions(existing); if (grant.getAccessType().equals(AccessType.ONLINE)) { Date expirationDate = new Date(now.getTime() + 600000); // the key is valid for 10 minutes existing.setExpirationDate(expirationDate); } else { existing.setExpirationDate(null); } existing.setLabel( String.format( Messages.OAUTH_GRANT_TOKEN_LABEL, grant.getClient().getName(), System.currentTimeMillis())); Set<AccessKeyPermission> permissions = new HashSet<>(); AccessKeyPermission permission = new AccessKeyPermission(); permission.setDomainArray(grant.getClient().getDomain()); permission.setActionsArray(StringUtils.split(grant.getScope(), ' ')); permission.setSubnetsArray(grant.getClient().getSubnet()); permission.setNetworkIds(grant.getNetworkIds()); permissions.add(permission); existing.setPermissions(permissions); AccessKeyProcessor keyProcessor = new AccessKeyProcessor(); String key = keyProcessor.generateKey(); existing.setKey(key); for (AccessKeyPermission current : permissions) { current.setAccessKey(existing); genericDAO.persist(current); } return existing; }
@Transactional(propagation = Propagation.SUPPORTS) public boolean hasAccessToNetwork(AccessKey accessKey, Network targetNetwork) { Set<AccessKeyPermission> permissions = accessKey.getPermissions(); User user = accessKey.getUser(); boolean hasNullPermission = permissions.stream().anyMatch(perm -> perm.getNetworkIdsAsSet() == null); if (hasNullPermission) { return userService.hasAccessToNetwork(user, targetNetwork); } else { Set<Long> allowedNetworks = permissions .stream() .map(AccessKeyPermission::getNetworkIdsAsSet) .flatMap(Collection::stream) .collect(Collectors.toSet()); user = userService.findUserWithNetworks(user.getId()); return allowedNetworks.contains(targetNetwork.getId()) && (user.isAdmin() || user.getNetworks().contains(targetNetwork)); } }
@SuppressWarnings("unchecked") private static List<Predicate> deviceSpecificPrincipalPredicates( CriteriaBuilder cb, Root<Device> from, Optional<HivePrincipal> principal) { final List<Predicate> predicates = new LinkedList<>(); final Join<Device, Network> networkJoin = (Join) from.fetch("network", JoinType.LEFT); final Join<Device, Network> usersJoin = (Join) networkJoin.fetch("users", JoinType.LEFT); from.fetch("deviceClass", JoinType.LEFT); // need this fetch to populate deviceClass principal.ifPresent( p -> { User user = p.getUser(); if (user == null && p.getKey() != null) { user = p.getKey().getUser(); } if (user != null && !user.isAdmin()) { predicates.add(cb.equal(usersJoin.<Long>get("id"), user.getId())); } if (p.getDevice() != null) { predicates.add(cb.equal(from.<Long>get("id"), p.getDevice().getId())); } if (p.getKey() != null) { for (AccessKeyBasedFilterForDevices extraFilter : AccessKeyBasedFilterForDevices.createExtraFilters(p.getKey().getPermissions())) { if (extraFilter.getDeviceGuids() != null) { predicates.add(from.<String>get("guid").in(extraFilter.getDeviceGuids())); } if (extraFilter.getNetworkIds() != null) { predicates.add(networkJoin.<Long>get("id").in(extraFilter.getNetworkIds())); } } } }); return predicates; }
@Transactional(propagation = Propagation.REQUIRED) public AccessKey authenticate(@NotNull User user) { userService.refreshUserLoginData(user); AccessKey accessKey = authenticationUtils.prepareAccessKey(user); Set<AccessKeyPermission> permissions = new HashSet<>(); final AccessKeyPermission permission = authenticationUtils.preparePermission(user.getRole()); permissions.add(permission); accessKey.setPermissions(permissions); genericDAO.persist(accessKey); permission.setAccessKey(accessKey); genericDAO.persist(permission); return accessKey; }
@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED) public User updateUser(@NotNull Long id, UserUpdate userToUpdate) { User existing = userDAO.findById(id); if (existing == null) { throw new HiveException( String.format(Messages.USER_NOT_FOUND, id), NOT_FOUND.getStatusCode()); } if (userToUpdate == null) { return existing; } if (userToUpdate.getLogin() != null) { String newLogin = StringUtils.trim(userToUpdate.getLogin().getValue()); User withSuchLogin = userDAO.findByLogin(newLogin); if (withSuchLogin != null && !withSuchLogin.getId().equals(id)) { throw new HiveException(Messages.DUPLICATE_LOGIN, FORBIDDEN.getStatusCode()); } existing.setLogin(newLogin); } if (userToUpdate.getPassword() != null) { if (StringUtils.isEmpty(userToUpdate.getPassword().getValue())) { throw new HiveException(Messages.PASSWORD_REQUIRED, BAD_REQUEST.getStatusCode()); } String salt = passwordService.generateSalt(); String hash = passwordService.hashPassword(userToUpdate.getPassword().getValue(), salt); existing.setPasswordSalt(salt); existing.setPasswordHash(hash); } if (userToUpdate.getRole() != null) { existing.setRole(userToUpdate.getRoleEnum()); } if (userToUpdate.getStatus() != null) { existing.setStatus(userToUpdate.getStatusEnum()); } hiveValidator.validate(existing); return userDAO.update(existing); }
@TransactionAttribute(TransactionAttributeType.SUPPORTS) public Network createOrUpdateNetworkByUser(NullableWrapper<Network> network, User user) { Network stored; // case network is not defined if (network == null || network.getValue() == null) { return null; } Network update = network.getValue(); if (update.getId() != null) { stored = networkDAO.getWithDevicesAndDeviceClasses(update.getId()); } else { stored = networkDAO.findByName(update.getName()); } if (stored != null) { if (stored.getKey() != null) { if (!stored.getKey().equals(update.getKey())) { throw new HiveException(Messages.INVALID_NETWORK_KEY, FORBIDDEN.getStatusCode()); } } if (!userService.hasAccessToNetwork(user, stored)) { throw new HiveException(Messages.NO_ACCESS_TO_NETWORK, FORBIDDEN.getStatusCode()); } } else if (user.isAdmin()) { if (update.getId() != null) { throw new HiveException(Messages.INVALID_REQUEST_PARAMETERS, BAD_REQUEST.getStatusCode()); } stored = networkDAO.createNetwork(update); } else { throw new HiveException(Messages.NETWORK_CREATION_NOT_ALLOWED, FORBIDDEN.getStatusCode()); } return stored; }
@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED) public User createUser(@NotNull User user, String password) { if (user.getId() != null) { throw new HiveException(Messages.ID_NOT_ALLOWED, BAD_REQUEST.getStatusCode()); } user.setLogin(StringUtils.trim(user.getLogin())); User existing = userDAO.findByLogin(user.getLogin()); if (existing != null) { throw new HiveException(Messages.DUPLICATE_LOGIN, FORBIDDEN.getStatusCode()); } if (StringUtils.isEmpty(password)) { throw new HiveException(Messages.PASSWORD_REQUIRED, BAD_REQUEST.getStatusCode()); } String salt = passwordService.generateSalt(); String hash = passwordService.hashPassword(password, salt); user.setPasswordSalt(salt); user.setPasswordHash(hash); user.setLoginAttempts(Constants.INITIAL_LOGIN_ATTEMPTS); hiveValidator.validate(user); return userDAO.create(user); }
/** * Tries to authenticate with given credentials * * @return User object if authentication is successful or null if not */ public User authenticate(String login, String password) { User user = userDAO.findByLogin(login); if (user == null) { return null; } if (!passwordService.checkPassword(password, user.getPasswordSalt(), user.getPasswordHash())) { user.setLoginAttempts(user.getLoginAttempts() + 1); if (user.getLoginAttempts() >= configurationService.getInt( Constants.MAX_LOGIN_ATTEMPTS, Constants.MAX_LOGIN_ATTEMPTS_DEFAULT)) { user.setStatus(UserStatus.LOCKED_OUT); } return null; } else { if (user.getLoginAttempts() != 0) { user.setLoginAttempts(0); } if (user.getLastLogin() == null || System.currentTimeMillis() - user.getLastLogin().getTime() > configurationService.getLong( Constants.LAST_LOGIN_TIMEOUT, Constants.LAST_LOGIN_TIMEOUT_DEFAULT)) { user.setLastLogin(timestampService.getTimestamp()); } return user; } }
@TransactionAttribute(TransactionAttributeType.SUPPORTS) public boolean hasAccessToNetwork(User user, Network network) { return user.isAdmin() || userDAO.hasAccessToNetwork(user, network); }
@TransactionAttribute(TransactionAttributeType.SUPPORTS) public boolean hasAccessToDevice(User user, Device device) { return user.isAdmin() || userDAO.hasAccessToDevice(user, device); }
public static Predicate[] oAuthGrantsListPredicates( CriteriaBuilder cb, Root<OAuthGrant> from, User user, Optional<Date> startOpt, Optional<Date> endOpt, Optional<String> oAuthIdOpt, Optional<Integer> typeOpt, Optional<String> scopeOpt, Optional<String> redirectUri, Optional<Integer> accessType) { List<Predicate> predicates = new LinkedList<>(); if (!user.isAdmin()) { predicates.add(from.join("user").in(user)); } startOpt.ifPresent(start -> predicates.add(cb.greaterThan(from.get("timestamp"), start))); endOpt.ifPresent(end -> predicates.add(cb.lessThan(from.get("timestamp"), end))); oAuthIdOpt.ifPresent(id -> predicates.add(cb.equal(from.join("client").get("oauthId"), id))); typeOpt.ifPresent(type -> predicates.add(cb.equal(from.get("type"), type))); scopeOpt.ifPresent(scope -> predicates.add(cb.equal(from.get("scope"), scope))); redirectUri.ifPresent(uri -> predicates.add(cb.equal(from.get("redirectUri"), uri))); accessType.ifPresent(at -> predicates.add(cb.equal(from.get("accessType"), at))); return predicates.toArray(new Predicate[predicates.size()]); }