@Transactional(propagation = Propagation.SUPPORTS)
public boolean hasAccessToDevice(AccessKey accessKey, String deviceGuid) {
Set<AccessKeyPermission> permissions = accessKey.getPermissions();
Set<String> allowedDevices = new HashSet<>();
Set<Long> allowedNetworks = new HashSet<>();
User accessKeyUser = userService.findUserWithNetworks(accessKey.getUser().getId());
Set<AccessKeyPermission> toRemove = new HashSet<>();
Device device =
genericDAO
.createNamedQuery(Device.class, "Device.findByUUID", of(CacheConfig.refresh()))
.setParameter("guid", deviceGuid)
.getSingleResult();
for (AccessKeyPermission currentPermission : permissions) {
if (currentPermission.getDeviceGuidsAsSet() == null) {
allowedDevices.add(null);
} else {
if (!currentPermission.getDeviceGuidsAsSet().contains(deviceGuid)) {
toRemove.add(currentPermission);
} else {
allowedDevices.addAll(currentPermission.getDeviceGuidsAsSet());
}
}
if (currentPermission.getNetworkIdsAsSet() == null) {
allowedNetworks.add(null);
} else {
if (device.getNetwork() != null) {
if (!currentPermission.getNetworkIdsAsSet().contains(device.getNetwork().getId())) {
toRemove.add(currentPermission);
} else {
allowedNetworks.addAll(currentPermission.getNetworkIdsAsSet());
}
}
}
}
permissions.removeAll(toRemove);
boolean hasAccess;
hasAccess =
allowedDevices.contains(null)
? userService.hasAccessToDevice(accessKeyUser, device.getGuid())
: allowedDevices.contains(device.getGuid())
&& userService.hasAccessToDevice(accessKeyUser, device.getGuid());
hasAccess =
hasAccess && allowedNetworks.contains(null)
? accessKeyUser.isAdmin() || accessKeyUser.getNetworks().contains(device.getNetwork())
: (accessKeyUser.isAdmin() || accessKeyUser.getNetworks().contains(device.getNetwork()))
&& allowedNetworks.contains(device.getNetwork().getId());
return hasAccess;
}
@Transactional
public AccessKey create(@NotNull User user, @NotNull AccessKey accessKey) {
if (accessKey.getLabel() == null) {
throw new IllegalParametersException(Messages.LABEL_IS_REQUIRED);
}
Optional<AccessKey> akOpt =
genericDAO
.createNamedQuery(
AccessKey.class, "AccessKey.getByUserAndLabel", Optional.<CacheConfig>empty())
.setParameter("userId", user.getId())
.setParameter("label", accessKey.getLabel())
.getResultList()
.stream()
.findFirst();
if (akOpt.isPresent()) {
logger.error("Access key with label {} already exists", accessKey.getLabel());
throw new ActionNotAllowedException(Messages.DUPLICATE_LABEL_FOUND);
}
if (accessKey.getId() != null) {
logger.error("Access key id shouldn't be present in request parameters");
throw new IllegalParametersException(Messages.INVALID_REQUEST_PARAMETERS);
}
authenticationUtils.validateActions(accessKey);
AccessKeyProcessor keyProcessor = new AccessKeyProcessor();
String key = keyProcessor.generateKey();
accessKey.setKey(key);
accessKey.setUser(user);
genericDAO.persist(accessKey);
for (AccessKeyPermission current : accessKey.getPermissions()) {
AccessKeyPermission permission = preparePermission(current);
permission.setAccessKey(accessKey);
genericDAO.persist(permission);
}
return genericDAO.find(AccessKey.class, accessKey.getId());
}
@Transactional
public AccessKey updateAccessKeyFromOAuthGrant(OAuthGrant grant, User user, Date now) {
AccessKey existing = find(grant.getAccessKey().getId(), user.getId());
deleteAccessKeyPermissions(existing);
if (grant.getAccessType().equals(AccessType.ONLINE)) {
Date expirationDate = new Date(now.getTime() + 600000); // the key is valid for 10 minutes
existing.setExpirationDate(expirationDate);
} else {
existing.setExpirationDate(null);
}
existing.setLabel(
String.format(
Messages.OAUTH_GRANT_TOKEN_LABEL,
grant.getClient().getName(),
System.currentTimeMillis()));
Set<AccessKeyPermission> permissions = new HashSet<>();
AccessKeyPermission permission = new AccessKeyPermission();
permission.setDomainArray(grant.getClient().getDomain());
permission.setActionsArray(StringUtils.split(grant.getScope(), ' '));
permission.setSubnetsArray(grant.getClient().getSubnet());
permission.setNetworkIds(grant.getNetworkIds());
permissions.add(permission);
existing.setPermissions(permissions);
AccessKeyProcessor keyProcessor = new AccessKeyProcessor();
String key = keyProcessor.generateKey();
existing.setKey(key);
for (AccessKeyPermission current : permissions) {
current.setAccessKey(existing);
genericDAO.persist(current);
}
return existing;
}
@Transactional(propagation = Propagation.SUPPORTS)
public boolean hasAccessToNetwork(AccessKey accessKey, Network targetNetwork) {
Set<AccessKeyPermission> permissions = accessKey.getPermissions();
User user = accessKey.getUser();
boolean hasNullPermission =
permissions.stream().anyMatch(perm -> perm.getNetworkIdsAsSet() == null);
if (hasNullPermission) {
return userService.hasAccessToNetwork(user, targetNetwork);
} else {
Set<Long> allowedNetworks =
permissions
.stream()
.map(AccessKeyPermission::getNetworkIdsAsSet)
.flatMap(Collection::stream)
.collect(Collectors.toSet());
user = userService.findUserWithNetworks(user.getId());
return allowedNetworks.contains(targetNetwork.getId())
&& (user.isAdmin() || user.getNetworks().contains(targetNetwork));
}
}
@SuppressWarnings("unchecked")
private static List<Predicate> deviceSpecificPrincipalPredicates(
CriteriaBuilder cb, Root<Device> from, Optional<HivePrincipal> principal) {
final List<Predicate> predicates = new LinkedList<>();
final Join<Device, Network> networkJoin = (Join) from.fetch("network", JoinType.LEFT);
final Join<Device, Network> usersJoin = (Join) networkJoin.fetch("users", JoinType.LEFT);
from.fetch("deviceClass", JoinType.LEFT); // need this fetch to populate deviceClass
principal.ifPresent(
p -> {
User user = p.getUser();
if (user == null && p.getKey() != null) {
user = p.getKey().getUser();
}
if (user != null && !user.isAdmin()) {
predicates.add(cb.equal(usersJoin.<Long>get("id"), user.getId()));
}
if (p.getDevice() != null) {
predicates.add(cb.equal(from.<Long>get("id"), p.getDevice().getId()));
}
if (p.getKey() != null) {
for (AccessKeyBasedFilterForDevices extraFilter :
AccessKeyBasedFilterForDevices.createExtraFilters(p.getKey().getPermissions())) {
if (extraFilter.getDeviceGuids() != null) {
predicates.add(from.<String>get("guid").in(extraFilter.getDeviceGuids()));
}
if (extraFilter.getNetworkIds() != null) {
predicates.add(networkJoin.<Long>get("id").in(extraFilter.getNetworkIds()));
}
}
}
});
return predicates;
}
@Transactional(propagation = Propagation.REQUIRED)
public AccessKey authenticate(@NotNull User user) {
userService.refreshUserLoginData(user);
AccessKey accessKey = authenticationUtils.prepareAccessKey(user);
Set<AccessKeyPermission> permissions = new HashSet<>();
final AccessKeyPermission permission = authenticationUtils.preparePermission(user.getRole());
permissions.add(permission);
accessKey.setPermissions(permissions);
genericDAO.persist(accessKey);
permission.setAccessKey(accessKey);
genericDAO.persist(permission);
return accessKey;
}
@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
public User updateUser(@NotNull Long id, UserUpdate userToUpdate) {
User existing = userDAO.findById(id);
if (existing == null) {
throw new HiveException(
String.format(Messages.USER_NOT_FOUND, id), NOT_FOUND.getStatusCode());
}
if (userToUpdate == null) {
return existing;
}
if (userToUpdate.getLogin() != null) {
String newLogin = StringUtils.trim(userToUpdate.getLogin().getValue());
User withSuchLogin = userDAO.findByLogin(newLogin);
if (withSuchLogin != null && !withSuchLogin.getId().equals(id)) {
throw new HiveException(Messages.DUPLICATE_LOGIN, FORBIDDEN.getStatusCode());
}
existing.setLogin(newLogin);
}
if (userToUpdate.getPassword() != null) {
if (StringUtils.isEmpty(userToUpdate.getPassword().getValue())) {
throw new HiveException(Messages.PASSWORD_REQUIRED, BAD_REQUEST.getStatusCode());
}
String salt = passwordService.generateSalt();
String hash = passwordService.hashPassword(userToUpdate.getPassword().getValue(), salt);
existing.setPasswordSalt(salt);
existing.setPasswordHash(hash);
}
if (userToUpdate.getRole() != null) {
existing.setRole(userToUpdate.getRoleEnum());
}
if (userToUpdate.getStatus() != null) {
existing.setStatus(userToUpdate.getStatusEnum());
}
hiveValidator.validate(existing);
return userDAO.update(existing);
}
@TransactionAttribute(TransactionAttributeType.SUPPORTS)
public Network createOrUpdateNetworkByUser(NullableWrapper<Network> network, User user) {
Network stored;
// case network is not defined
if (network == null || network.getValue() == null) {
return null;
}
Network update = network.getValue();
if (update.getId() != null) {
stored = networkDAO.getWithDevicesAndDeviceClasses(update.getId());
} else {
stored = networkDAO.findByName(update.getName());
}
if (stored != null) {
if (stored.getKey() != null) {
if (!stored.getKey().equals(update.getKey())) {
throw new HiveException(Messages.INVALID_NETWORK_KEY, FORBIDDEN.getStatusCode());
}
}
if (!userService.hasAccessToNetwork(user, stored)) {
throw new HiveException(Messages.NO_ACCESS_TO_NETWORK, FORBIDDEN.getStatusCode());
}
} else if (user.isAdmin()) {
if (update.getId() != null) {
throw new HiveException(Messages.INVALID_REQUEST_PARAMETERS, BAD_REQUEST.getStatusCode());
}
stored = networkDAO.createNetwork(update);
} else {
throw new HiveException(Messages.NETWORK_CREATION_NOT_ALLOWED, FORBIDDEN.getStatusCode());
}
return stored;
}
@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
public User createUser(@NotNull User user, String password) {
if (user.getId() != null) {
throw new HiveException(Messages.ID_NOT_ALLOWED, BAD_REQUEST.getStatusCode());
}
user.setLogin(StringUtils.trim(user.getLogin()));
User existing = userDAO.findByLogin(user.getLogin());
if (existing != null) {
throw new HiveException(Messages.DUPLICATE_LOGIN, FORBIDDEN.getStatusCode());
}
if (StringUtils.isEmpty(password)) {
throw new HiveException(Messages.PASSWORD_REQUIRED, BAD_REQUEST.getStatusCode());
}
String salt = passwordService.generateSalt();
String hash = passwordService.hashPassword(password, salt);
user.setPasswordSalt(salt);
user.setPasswordHash(hash);
user.setLoginAttempts(Constants.INITIAL_LOGIN_ATTEMPTS);
hiveValidator.validate(user);
return userDAO.create(user);
}
/**
* Tries to authenticate with given credentials
*
* @return User object if authentication is successful or null if not
*/
public User authenticate(String login, String password) {
User user = userDAO.findByLogin(login);
if (user == null) {
return null;
}
if (!passwordService.checkPassword(password, user.getPasswordSalt(), user.getPasswordHash())) {
user.setLoginAttempts(user.getLoginAttempts() + 1);
if (user.getLoginAttempts()
>= configurationService.getInt(
Constants.MAX_LOGIN_ATTEMPTS, Constants.MAX_LOGIN_ATTEMPTS_DEFAULT)) {
user.setStatus(UserStatus.LOCKED_OUT);
}
return null;
} else {
if (user.getLoginAttempts() != 0) {
user.setLoginAttempts(0);
}
if (user.getLastLogin() == null
|| System.currentTimeMillis() - user.getLastLogin().getTime()
> configurationService.getLong(
Constants.LAST_LOGIN_TIMEOUT, Constants.LAST_LOGIN_TIMEOUT_DEFAULT)) {
user.setLastLogin(timestampService.getTimestamp());
}
return user;
}
}
@TransactionAttribute(TransactionAttributeType.SUPPORTS)
public boolean hasAccessToNetwork(User user, Network network) {
return user.isAdmin() || userDAO.hasAccessToNetwork(user, network);
}
@TransactionAttribute(TransactionAttributeType.SUPPORTS)
public boolean hasAccessToDevice(User user, Device device) {
return user.isAdmin() || userDAO.hasAccessToDevice(user, device);
}
public static Predicate[] oAuthGrantsListPredicates(
CriteriaBuilder cb,
Root<OAuthGrant> from,
User user,
Optional<Date> startOpt,
Optional<Date> endOpt,
Optional<String> oAuthIdOpt,
Optional<Integer> typeOpt,
Optional<String> scopeOpt,
Optional<String> redirectUri,
Optional<Integer> accessType) {
List<Predicate> predicates = new LinkedList<>();
if (!user.isAdmin()) {
predicates.add(from.join("user").in(user));
}
startOpt.ifPresent(start -> predicates.add(cb.greaterThan(from.get("timestamp"), start)));
endOpt.ifPresent(end -> predicates.add(cb.lessThan(from.get("timestamp"), end)));
oAuthIdOpt.ifPresent(id -> predicates.add(cb.equal(from.join("client").get("oauthId"), id)));
typeOpt.ifPresent(type -> predicates.add(cb.equal(from.get("type"), type)));
scopeOpt.ifPresent(scope -> predicates.add(cb.equal(from.get("scope"), scope)));
redirectUri.ifPresent(uri -> predicates.add(cb.equal(from.get("redirectUri"), uri)));
accessType.ifPresent(at -> predicates.add(cb.equal(from.get("accessType"), at)));
return predicates.toArray(new Predicate[predicates.size()]);
}