@Transactional
public AccessKey create(@NotNull User user, @NotNull AccessKey accessKey) {
if (accessKey.getLabel() == null) {
throw new IllegalParametersException(Messages.LABEL_IS_REQUIRED);
}
Optional<AccessKey> akOpt =
genericDAO
.createNamedQuery(
AccessKey.class, "AccessKey.getByUserAndLabel", Optional.<CacheConfig>empty())
.setParameter("userId", user.getId())
.setParameter("label", accessKey.getLabel())
.getResultList()
.stream()
.findFirst();
if (akOpt.isPresent()) {
logger.error("Access key with label {} already exists", accessKey.getLabel());
throw new ActionNotAllowedException(Messages.DUPLICATE_LABEL_FOUND);
}
if (accessKey.getId() != null) {
logger.error("Access key id shouldn't be present in request parameters");
throw new IllegalParametersException(Messages.INVALID_REQUEST_PARAMETERS);
}
authenticationUtils.validateActions(accessKey);
AccessKeyProcessor keyProcessor = new AccessKeyProcessor();
String key = keyProcessor.generateKey();
accessKey.setKey(key);
accessKey.setUser(user);
genericDAO.persist(accessKey);
for (AccessKeyPermission current : accessKey.getPermissions()) {
AccessKeyPermission permission = preparePermission(current);
permission.setAccessKey(accessKey);
genericDAO.persist(permission);
}
return genericDAO.find(AccessKey.class, accessKey.getId());
}
@Transactional(propagation = Propagation.SUPPORTS)
public boolean hasAccessToDevice(AccessKey accessKey, String deviceGuid) {
Set<AccessKeyPermission> permissions = accessKey.getPermissions();
Set<String> allowedDevices = new HashSet<>();
Set<Long> allowedNetworks = new HashSet<>();
User accessKeyUser = userService.findUserWithNetworks(accessKey.getUser().getId());
Set<AccessKeyPermission> toRemove = new HashSet<>();
Device device =
genericDAO
.createNamedQuery(Device.class, "Device.findByUUID", of(CacheConfig.refresh()))
.setParameter("guid", deviceGuid)
.getSingleResult();
for (AccessKeyPermission currentPermission : permissions) {
if (currentPermission.getDeviceGuidsAsSet() == null) {
allowedDevices.add(null);
} else {
if (!currentPermission.getDeviceGuidsAsSet().contains(deviceGuid)) {
toRemove.add(currentPermission);
} else {
allowedDevices.addAll(currentPermission.getDeviceGuidsAsSet());
}
}
if (currentPermission.getNetworkIdsAsSet() == null) {
allowedNetworks.add(null);
} else {
if (device.getNetwork() != null) {
if (!currentPermission.getNetworkIdsAsSet().contains(device.getNetwork().getId())) {
toRemove.add(currentPermission);
} else {
allowedNetworks.addAll(currentPermission.getNetworkIdsAsSet());
}
}
}
}
permissions.removeAll(toRemove);
boolean hasAccess;
hasAccess =
allowedDevices.contains(null)
? userService.hasAccessToDevice(accessKeyUser, device.getGuid())
: allowedDevices.contains(device.getGuid())
&& userService.hasAccessToDevice(accessKeyUser, device.getGuid());
hasAccess =
hasAccess && allowedNetworks.contains(null)
? accessKeyUser.isAdmin() || accessKeyUser.getNetworks().contains(device.getNetwork())
: (accessKeyUser.isAdmin() || accessKeyUser.getNetworks().contains(device.getNetwork()))
&& allowedNetworks.contains(device.getNetwork().getId());
return hasAccess;
}
@Transactional(propagation = Propagation.SUPPORTS)
public boolean hasAccessToNetwork(AccessKey accessKey, Network targetNetwork) {
Set<AccessKeyPermission> permissions = accessKey.getPermissions();
User user = accessKey.getUser();
boolean hasNullPermission =
permissions.stream().anyMatch(perm -> perm.getNetworkIdsAsSet() == null);
if (hasNullPermission) {
return userService.hasAccessToNetwork(user, targetNetwork);
} else {
Set<Long> allowedNetworks =
permissions
.stream()
.map(AccessKeyPermission::getNetworkIdsAsSet)
.flatMap(Collection::stream)
.collect(Collectors.toSet());
user = userService.findUserWithNetworks(user.getId());
return allowedNetworks.contains(targetNetwork.getId())
&& (user.isAdmin() || user.getNetworks().contains(targetNetwork));
}
}
@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
public Network getWithDevicesAndDeviceClasses(
@NotNull Long networkId, @NotNull HivePrincipal principal) {
if (principal.getUser() != null) {
List<Network> found =
networkDAO.getNetworkList(principal.getUser(), null, Arrays.asList(networkId));
if (found.isEmpty()) {
return null;
}
List<Device> devices = deviceService.getList(networkId, principal);
Network result = found.get(0);
result.setDevices(new HashSet<>(devices));
return result;
} else {
AccessKey key = principal.getKey();
User user = userService.findUserWithNetworks(key.getUser().getId());
List<Network> found =
networkDAO.getNetworkList(user, key.getPermissions(), Arrays.asList(networkId));
Network result = found.isEmpty() ? null : found.get(0);
if (result == null) {
return result;
}
// to get proper devices 1) get access key with all permissions 2) get devices for required
// network
key = accessKeyService.find(key.getId(), principal.getKey().getUser().getId());
List<AllowedKeyAction.Action> actions = new ArrayList<>();
actions.add(AllowedKeyAction.Action.GET_DEVICE);
if (!CheckPermissionsHelper.checkAllPermissions(key, actions)) {
result.setDevices(null);
return result;
}
Set<Device> devices = new HashSet<>(deviceService.getList(result.getId(), principal));
result.setDevices(devices);
return result;
}
}