@Transactional(propagation = Propagation.SUPPORTS)
  public boolean hasAccessToDevice(AccessKey accessKey, String deviceGuid) {
    Set<AccessKeyPermission> permissions = accessKey.getPermissions();
    Set<String> allowedDevices = new HashSet<>();
    Set<Long> allowedNetworks = new HashSet<>();

    User accessKeyUser = userService.findUserWithNetworks(accessKey.getUser().getId());
    Set<AccessKeyPermission> toRemove = new HashSet<>();

    Device device =
        genericDAO
            .createNamedQuery(Device.class, "Device.findByUUID", of(CacheConfig.refresh()))
            .setParameter("guid", deviceGuid)
            .getSingleResult();

    for (AccessKeyPermission currentPermission : permissions) {
      if (currentPermission.getDeviceGuidsAsSet() == null) {
        allowedDevices.add(null);
      } else {
        if (!currentPermission.getDeviceGuidsAsSet().contains(deviceGuid)) {
          toRemove.add(currentPermission);
        } else {
          allowedDevices.addAll(currentPermission.getDeviceGuidsAsSet());
        }
      }
      if (currentPermission.getNetworkIdsAsSet() == null) {
        allowedNetworks.add(null);
      } else {
        if (device.getNetwork() != null) {
          if (!currentPermission.getNetworkIdsAsSet().contains(device.getNetwork().getId())) {
            toRemove.add(currentPermission);
          } else {
            allowedNetworks.addAll(currentPermission.getNetworkIdsAsSet());
          }
        }
      }
    }
    permissions.removeAll(toRemove);
    boolean hasAccess;
    hasAccess =
        allowedDevices.contains(null)
            ? userService.hasAccessToDevice(accessKeyUser, device.getGuid())
            : allowedDevices.contains(device.getGuid())
                && userService.hasAccessToDevice(accessKeyUser, device.getGuid());

    hasAccess =
        hasAccess && allowedNetworks.contains(null)
            ? accessKeyUser.isAdmin() || accessKeyUser.getNetworks().contains(device.getNetwork())
            : (accessKeyUser.isAdmin() || accessKeyUser.getNetworks().contains(device.getNetwork()))
                && allowedNetworks.contains(device.getNetwork().getId());

    return hasAccess;
  }
 @Transactional
 public AccessKey create(@NotNull User user, @NotNull AccessKey accessKey) {
   if (accessKey.getLabel() == null) {
     throw new IllegalParametersException(Messages.LABEL_IS_REQUIRED);
   }
   Optional<AccessKey> akOpt =
       genericDAO
           .createNamedQuery(
               AccessKey.class, "AccessKey.getByUserAndLabel", Optional.<CacheConfig>empty())
           .setParameter("userId", user.getId())
           .setParameter("label", accessKey.getLabel())
           .getResultList()
           .stream()
           .findFirst();
   if (akOpt.isPresent()) {
     logger.error("Access key with label {} already exists", accessKey.getLabel());
     throw new ActionNotAllowedException(Messages.DUPLICATE_LABEL_FOUND);
   }
   if (accessKey.getId() != null) {
     logger.error("Access key id shouldn't be present in request parameters");
     throw new IllegalParametersException(Messages.INVALID_REQUEST_PARAMETERS);
   }
   authenticationUtils.validateActions(accessKey);
   AccessKeyProcessor keyProcessor = new AccessKeyProcessor();
   String key = keyProcessor.generateKey();
   accessKey.setKey(key);
   accessKey.setUser(user);
   genericDAO.persist(accessKey);
   for (AccessKeyPermission current : accessKey.getPermissions()) {
     AccessKeyPermission permission = preparePermission(current);
     permission.setAccessKey(accessKey);
     genericDAO.persist(permission);
   }
   return genericDAO.find(AccessKey.class, accessKey.getId());
 }
 @Transactional
 public AccessKey updateAccessKeyFromOAuthGrant(OAuthGrant grant, User user, Date now) {
   AccessKey existing = find(grant.getAccessKey().getId(), user.getId());
   deleteAccessKeyPermissions(existing);
   if (grant.getAccessType().equals(AccessType.ONLINE)) {
     Date expirationDate = new Date(now.getTime() + 600000); // the key is valid for 10 minutes
     existing.setExpirationDate(expirationDate);
   } else {
     existing.setExpirationDate(null);
   }
   existing.setLabel(
       String.format(
           Messages.OAUTH_GRANT_TOKEN_LABEL,
           grant.getClient().getName(),
           System.currentTimeMillis()));
   Set<AccessKeyPermission> permissions = new HashSet<>();
   AccessKeyPermission permission = new AccessKeyPermission();
   permission.setDomainArray(grant.getClient().getDomain());
   permission.setActionsArray(StringUtils.split(grant.getScope(), ' '));
   permission.setSubnetsArray(grant.getClient().getSubnet());
   permission.setNetworkIds(grant.getNetworkIds());
   permissions.add(permission);
   existing.setPermissions(permissions);
   AccessKeyProcessor keyProcessor = new AccessKeyProcessor();
   String key = keyProcessor.generateKey();
   existing.setKey(key);
   for (AccessKeyPermission current : permissions) {
     current.setAccessKey(existing);
     genericDAO.persist(current);
   }
   return existing;
 }
 @Transactional(propagation = Propagation.SUPPORTS)
 public boolean hasAccessToNetwork(AccessKey accessKey, Network targetNetwork) {
   Set<AccessKeyPermission> permissions = accessKey.getPermissions();
   User user = accessKey.getUser();
   boolean hasNullPermission =
       permissions.stream().anyMatch(perm -> perm.getNetworkIdsAsSet() == null);
   if (hasNullPermission) {
     return userService.hasAccessToNetwork(user, targetNetwork);
   } else {
     Set<Long> allowedNetworks =
         permissions
             .stream()
             .map(AccessKeyPermission::getNetworkIdsAsSet)
             .flatMap(Collection::stream)
             .collect(Collectors.toSet());
     user = userService.findUserWithNetworks(user.getId());
     return allowedNetworks.contains(targetNetwork.getId())
         && (user.isAdmin() || user.getNetworks().contains(targetNetwork));
   }
 }
  @SuppressWarnings("unchecked")
  private static List<Predicate> deviceSpecificPrincipalPredicates(
      CriteriaBuilder cb, Root<Device> from, Optional<HivePrincipal> principal) {
    final List<Predicate> predicates = new LinkedList<>();
    final Join<Device, Network> networkJoin = (Join) from.fetch("network", JoinType.LEFT);
    final Join<Device, Network> usersJoin = (Join) networkJoin.fetch("users", JoinType.LEFT);
    from.fetch("deviceClass", JoinType.LEFT); // need this fetch to populate deviceClass
    principal.ifPresent(
        p -> {
          User user = p.getUser();
          if (user == null && p.getKey() != null) {
            user = p.getKey().getUser();
          }
          if (user != null && !user.isAdmin()) {
            predicates.add(cb.equal(usersJoin.<Long>get("id"), user.getId()));
          }

          if (p.getDevice() != null) {
            predicates.add(cb.equal(from.<Long>get("id"), p.getDevice().getId()));
          }

          if (p.getKey() != null) {
            for (AccessKeyBasedFilterForDevices extraFilter :
                AccessKeyBasedFilterForDevices.createExtraFilters(p.getKey().getPermissions())) {
              if (extraFilter.getDeviceGuids() != null) {
                predicates.add(from.<String>get("guid").in(extraFilter.getDeviceGuids()));
              }
              if (extraFilter.getNetworkIds() != null) {
                predicates.add(networkJoin.<Long>get("id").in(extraFilter.getNetworkIds()));
              }
            }
          }
        });

    return predicates;
  }
  @Transactional(propagation = Propagation.REQUIRED)
  public AccessKey authenticate(@NotNull User user) {
    userService.refreshUserLoginData(user);

    AccessKey accessKey = authenticationUtils.prepareAccessKey(user);

    Set<AccessKeyPermission> permissions = new HashSet<>();
    final AccessKeyPermission permission = authenticationUtils.preparePermission(user.getRole());
    permissions.add(permission);
    accessKey.setPermissions(permissions);
    genericDAO.persist(accessKey);

    permission.setAccessKey(accessKey);
    genericDAO.persist(permission);
    return accessKey;
  }
Esempio n. 7
0
  @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
  public User updateUser(@NotNull Long id, UserUpdate userToUpdate) {
    User existing = userDAO.findById(id);

    if (existing == null) {
      throw new HiveException(
          String.format(Messages.USER_NOT_FOUND, id), NOT_FOUND.getStatusCode());
    }
    if (userToUpdate == null) {
      return existing;
    }
    if (userToUpdate.getLogin() != null) {
      String newLogin = StringUtils.trim(userToUpdate.getLogin().getValue());
      User withSuchLogin = userDAO.findByLogin(newLogin);
      if (withSuchLogin != null && !withSuchLogin.getId().equals(id)) {
        throw new HiveException(Messages.DUPLICATE_LOGIN, FORBIDDEN.getStatusCode());
      }
      existing.setLogin(newLogin);
    }
    if (userToUpdate.getPassword() != null) {
      if (StringUtils.isEmpty(userToUpdate.getPassword().getValue())) {
        throw new HiveException(Messages.PASSWORD_REQUIRED, BAD_REQUEST.getStatusCode());
      }
      String salt = passwordService.generateSalt();
      String hash = passwordService.hashPassword(userToUpdate.getPassword().getValue(), salt);
      existing.setPasswordSalt(salt);
      existing.setPasswordHash(hash);
    }
    if (userToUpdate.getRole() != null) {
      existing.setRole(userToUpdate.getRoleEnum());
    }
    if (userToUpdate.getStatus() != null) {
      existing.setStatus(userToUpdate.getStatusEnum());
    }

    hiveValidator.validate(existing);
    return userDAO.update(existing);
  }
  @TransactionAttribute(TransactionAttributeType.SUPPORTS)
  public Network createOrUpdateNetworkByUser(NullableWrapper<Network> network, User user) {
    Network stored;

    // case network is not defined
    if (network == null || network.getValue() == null) {
      return null;
    }

    Network update = network.getValue();

    if (update.getId() != null) {
      stored = networkDAO.getWithDevicesAndDeviceClasses(update.getId());
    } else {
      stored = networkDAO.findByName(update.getName());
    }

    if (stored != null) {
      if (stored.getKey() != null) {
        if (!stored.getKey().equals(update.getKey())) {
          throw new HiveException(Messages.INVALID_NETWORK_KEY, FORBIDDEN.getStatusCode());
        }
      }
      if (!userService.hasAccessToNetwork(user, stored)) {
        throw new HiveException(Messages.NO_ACCESS_TO_NETWORK, FORBIDDEN.getStatusCode());
      }
    } else if (user.isAdmin()) {
      if (update.getId() != null) {
        throw new HiveException(Messages.INVALID_REQUEST_PARAMETERS, BAD_REQUEST.getStatusCode());
      }
      stored = networkDAO.createNetwork(update);

    } else {
      throw new HiveException(Messages.NETWORK_CREATION_NOT_ALLOWED, FORBIDDEN.getStatusCode());
    }
    return stored;
  }
Esempio n. 9
0
  @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
  public User createUser(@NotNull User user, String password) {
    if (user.getId() != null) {
      throw new HiveException(Messages.ID_NOT_ALLOWED, BAD_REQUEST.getStatusCode());
    }
    user.setLogin(StringUtils.trim(user.getLogin()));
    User existing = userDAO.findByLogin(user.getLogin());
    if (existing != null) {
      throw new HiveException(Messages.DUPLICATE_LOGIN, FORBIDDEN.getStatusCode());
    }
    if (StringUtils.isEmpty(password)) {
      throw new HiveException(Messages.PASSWORD_REQUIRED, BAD_REQUEST.getStatusCode());
    }
    String salt = passwordService.generateSalt();
    String hash = passwordService.hashPassword(password, salt);
    user.setPasswordSalt(salt);
    user.setPasswordHash(hash);
    user.setLoginAttempts(Constants.INITIAL_LOGIN_ATTEMPTS);

    hiveValidator.validate(user);
    return userDAO.create(user);
  }
Esempio n. 10
0
 /**
  * Tries to authenticate with given credentials
  *
  * @return User object if authentication is successful or null if not
  */
 public User authenticate(String login, String password) {
   User user = userDAO.findByLogin(login);
   if (user == null) {
     return null;
   }
   if (!passwordService.checkPassword(password, user.getPasswordSalt(), user.getPasswordHash())) {
     user.setLoginAttempts(user.getLoginAttempts() + 1);
     if (user.getLoginAttempts()
         >= configurationService.getInt(
             Constants.MAX_LOGIN_ATTEMPTS, Constants.MAX_LOGIN_ATTEMPTS_DEFAULT)) {
       user.setStatus(UserStatus.LOCKED_OUT);
     }
     return null;
   } else {
     if (user.getLoginAttempts() != 0) {
       user.setLoginAttempts(0);
     }
     if (user.getLastLogin() == null
         || System.currentTimeMillis() - user.getLastLogin().getTime()
             > configurationService.getLong(
                 Constants.LAST_LOGIN_TIMEOUT, Constants.LAST_LOGIN_TIMEOUT_DEFAULT)) {
       user.setLastLogin(timestampService.getTimestamp());
     }
     return user;
   }
 }
Esempio n. 11
0
 @TransactionAttribute(TransactionAttributeType.SUPPORTS)
 public boolean hasAccessToNetwork(User user, Network network) {
   return user.isAdmin() || userDAO.hasAccessToNetwork(user, network);
 }
Esempio n. 12
0
 @TransactionAttribute(TransactionAttributeType.SUPPORTS)
 public boolean hasAccessToDevice(User user, Device device) {
   return user.isAdmin() || userDAO.hasAccessToDevice(user, device);
 }
  public static Predicate[] oAuthGrantsListPredicates(
      CriteriaBuilder cb,
      Root<OAuthGrant> from,
      User user,
      Optional<Date> startOpt,
      Optional<Date> endOpt,
      Optional<String> oAuthIdOpt,
      Optional<Integer> typeOpt,
      Optional<String> scopeOpt,
      Optional<String> redirectUri,
      Optional<Integer> accessType) {
    List<Predicate> predicates = new LinkedList<>();

    if (!user.isAdmin()) {
      predicates.add(from.join("user").in(user));
    }

    startOpt.ifPresent(start -> predicates.add(cb.greaterThan(from.get("timestamp"), start)));
    endOpt.ifPresent(end -> predicates.add(cb.lessThan(from.get("timestamp"), end)));
    oAuthIdOpt.ifPresent(id -> predicates.add(cb.equal(from.join("client").get("oauthId"), id)));
    typeOpt.ifPresent(type -> predicates.add(cb.equal(from.get("type"), type)));
    scopeOpt.ifPresent(scope -> predicates.add(cb.equal(from.get("scope"), scope)));
    redirectUri.ifPresent(uri -> predicates.add(cb.equal(from.get("redirectUri"), uri)));
    accessType.ifPresent(at -> predicates.add(cb.equal(from.get("accessType"), at)));

    return predicates.toArray(new Predicate[predicates.size()]);
  }