X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?a=blobdiff_plain;f=opendaylight%2Fusermanager%2Fsrc%2Fmain%2Fjava%2Forg%2Fopendaylight%2Fcontroller%2Fusermanager%2Finternal%2FUserManagerImpl.java;h=e835887606273ce478ae0cdc63c534b9bab8c253;hb=9c8108faabf300747a2a5529dc7a8ef76e79c2bc;hp=1b9c749163ab02bbea1e6f2c676d62770b7eae54;hpb=286d94196561feb6de722b2c21a52245ae36e213;p=controller.git
diff --git a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java
index 1b9c749163..e835887606 100644
--- a/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java
+++ b/opendaylight/usermanager/src/main/java/org/opendaylight/controller/usermanager/internal/UserManagerImpl.java
@@ -82,17 +82,12 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  private static final String authFileName = ROOT + "authorization.conf";
  private ConcurrentMap localUserConfigList;
  private ConcurrentMap remoteServerConfigList;
- private ConcurrentMap authorizationConfList; // local
- // authorization
- // info
- // for
- // remotely
- // authenticated
- // users
+ // local authorization info for remotely authenticated users
+ private ConcurrentMap authorizationConfList;
  private ConcurrentMap activeUsers;
  private ConcurrentMap authProviders;
  private ConcurrentMap localUserListSaveConfigEvent,
- remoteServerSaveConfigEvent, authorizationSaveConfigEvent;
+ remoteServerSaveConfigEvent, authorizationSaveConfigEvent;
  private IClusterGlobalServices clusterGlobalService = null;
  private SecurityContextRepository securityContextRepo = new UserSecurityContextRepository();
  private IContainerAuthorization containerAuthorizationClient;
@@ -120,6 +115,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  return authProviders.get(name);
  }
 
+ @Override
  public Set getAAAProviderNames() {
  return authProviders.keySet();
  }
@@ -160,9 +156,9 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  "usermanager.authorizationSaveConfigEvent",
  EnumSet.of(IClusterServices.cacheMode.NON_TRANSACTIONAL));
  } catch (CacheConfigException cce) {
- logger.error("\nCache configuration invalid - check cache mode");
+ logger.error("Cache configuration invalid - check cache mode");
  } catch (CacheExistException ce) {
- logger.error("\nCache already exits - destroy and recreate if needed");
+ logger.debug("Skipping cache creation as already present");
  }
  }
 
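Review bot: Both catch blocks in the cache-allocation code log a fixed string and drop the exception, so the reason a cache configuration was rejected is lost at the only place it is known; pass the exception as the trailing argument, `logger.error("Cache configuration invalid - check cache mode", cce);`, and likewise `ce` on the new debug line if that detail is wanted. The enclosing method starts before the hunk.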
@@ -176,43 +172,43 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  activeUsers = (ConcurrentMap) clusterGlobalService
  .getCache("usermanager.activeUsers");
  if (activeUsers == null) {
- logger.error("\nFailed to get cache for activeUsers");
+ logger.error("Failed to get cache for activeUsers");
  }
 
  localUserConfigList = (ConcurrentMap) clusterGlobalService
  .getCache("usermanager.localUserConfigList");
  if (localUserConfigList == null) {
- logger.error("\nFailed to get cache for localUserConfigList");
+ logger.error("Failed to get cache for localUserConfigList");
  }
 
  remoteServerConfigList = (ConcurrentMap) clusterGlobalService
  .getCache("usermanager.remoteServerConfigList");
  if (remoteServerConfigList == null) {
- logger.error("\nFailed to get cache for remoteServerConfigList");
+ logger.error("Failed to get cache for remoteServerConfigList");
  }
 
  authorizationConfList = (ConcurrentMap) clusterGlobalService
  .getCache("usermanager.authorizationConfList");
  if (authorizationConfList == null) {
- logger.error("\nFailed to get cache for authorizationConfList");
+ logger.error("Failed to get cache for authorizationConfList");
  }
 
  localUserListSaveConfigEvent = (ConcurrentMap) clusterGlobalService
  .getCache("usermanager.localUserSaveConfigEvent");
  if (localUserListSaveConfigEvent == null) {
- logger.error("\nFailed to get cache for localUserSaveConfigEvent");
+ logger.error("Failed to get cache for localUserSaveConfigEvent");
  }
 
  remoteServerSaveConfigEvent = (ConcurrentMap) clusterGlobalService
  .getCache("usermanager.remoteServerSaveConfigEvent");
  if (remoteServerSaveConfigEvent == null) {
- logger.error("\nFailed to get cache for remoteServerSaveConfigEvent");
+ logger.error("Failed to get cache for remoteServerSaveConfigEvent");
  }
 
  authorizationSaveConfigEvent = (ConcurrentMap) clusterGlobalService
  .getCache("usermanager.authorizationSaveConfigEvent");
  if (authorizationSaveConfigEvent == null) {
- logger.error("\nFailed to get cache for authorizationSaveConfigEvent");
+ logger.error("Failed to get cache for authorizationSaveConfigEvent");
  }
  }
 
@@ -243,8 +239,10 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  // If startup config is not there, it's old or it was deleted,
  // need to add Default Admin
  if (!localUserConfigList.containsKey(defaultAdmin)) {
+ List roles = new ArrayList(1);
+ roles.add(defaultAdminRole);
  localUserConfigList.put(defaultAdmin, new UserConfig(defaultAdmin,
- defaultAdminPassword, defaultAdminRole));
+ defaultAdminPassword, roles));
  }
  }
 
@@ -253,7 +251,6 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  IAAAProvider aaaClient;
  AuthResponse rcResponse = null;
  AuthenticatedUser result;
- String[] adminRoles = null;
  boolean remotelyAuthenticated = false;
  boolean authorizationInfoIsPresent = false;
  boolean authorized = false;
@@ -275,14 +272,14 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  break;
  } else if (rcResponse.getStatus() == AuthResultEnum.AUTH_REJECT) {
  logger.info(
- "Remote Authentication Rejected User: \"{}\", from Server: {}, Reason: "
- + rcResponse.getStatus().toString(),
- userName, aaaServer.getAddress());
+ "Remote Authentication Rejected User: \"{}\", from Server: {}, Reason:{}",
+ new Object[] { userName, aaaServer.getAddress(),
+ rcResponse.getStatus().toString() });
  } else {
  logger.info(
- "Remote Authentication Failed for User: \"{}\", from Server: {}, Reason: "
- + rcResponse.getStatus().toString(),
- userName, aaaServer.getAddress());
+ "Remote Authentication Failed for User: \"{}\", from Server: {}, Reason:{}",
+ new Object[] { userName, aaaServer.getAddress(),
+ rcResponse.getStatus().toString() });
  }
  }
  }
@@ -342,7 +339,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  if (resource != null) {
  logger.info("Found Local Authorization Info for User: \"{}\"",
  userName);
- attributes = resource.getRolesData();
+ attributes = resource.getRolesString();
  }
  authorizationInfoIsPresent = checkAuthorizationInfo(attributes);
 
@@ -354,8 +351,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  */
  if (authorizationInfoIsPresent) {
  // Identifying the administrative role
- adminRoles = attributes.split(" ");
- result.setRoleList(adminRoles);
+ result.setRoleList(attributes.split(" "));
  authorized = true;
  } else {
  logger.info("Not able to find Authorization Info for User: \"{}\"",
@@ -367,8 +363,8 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  */
  putUserInActiveList(userName, result);
  if (authorized) {
- logger.info("User \"{}\" authorized for the following role(s): "
- + result.getUserRoles(), userName);
+ logger.info("User \"{}\" authorized for the following role(s): {}",
+ userName, result.getUserRoles());
  } else {
  logger.info("User \"{}\" Not Authorized for any role ", userName);
  }
@@ -395,6 +391,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  activeUsers.remove(user);
  }
 
+ @Override
  public Status saveLocalUserList() {
  // Publish the save config event to the cluster nodes
  localUserListSaveConfigEvent.put(new Date().getTime(), SAVE);
@@ -407,6 +404,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  localUserConfigList), usersFileName);
  }
 
+ @Override
  public Status saveAAAServerList() {
  // Publish the save config event to the cluster nodes
  remoteServerSaveConfigEvent.put(new Date().getTime(), SAVE);
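Review bot: `result.setRoleList(attributes.split(" "))` yields empty-string role names whenever the roles string carries doubled, leading or trailing spaces, and those empty names then travel with the authenticated user into the active list; `result.setRoleList(attributes.trim().split("\\s+"));` keeps only real tokens. Whether getRolesString, which now produces the string two hunks above, can emit such spacing is not visible here, so treat this as hardening at the boundary between the stored authorization record and the session rather than a confirmed defect. The enclosing authenticate method begins and ends outside these hunks.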
@@ -419,6 +417,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader, remoteServerConfigList), serversFileName); } + @Override public Status saveAuthorizationList() { // Publish the save config event to the cluster nodes authorizationSaveConfigEvent.put(new Date().getTime(), SAVE); @@ -504,6 +503,12 @@ public class UserManagerImpl implements IUserManager, IObjectReader, return new Status(StatusCode.NOTALLOWED, msg); } localUserConfigList.remove(AAAconf.getUser()); + /* + * A user account has been removed form local database, we assume + * admin does not want this user to stay connected, in case he has + * an open session. So we clean the active list as well. + */ + removeUserFromActiveList(AAAconf.getUser()); } else { if (AAAconf.getUser().equals(UserManagerImpl.defaultAdmin)) { String msg = "Invalid Request: Default Network Admin User " @@ -621,16 +626,17 @@ public class UserManagerImpl implements IUserManager, IObjectReader, if (targetConfigEntry == null) { return new Status(StatusCode.NOTFOUND, "User not found"); } - if (false == targetConfigEntry.update(curPassword, newPassword, null)) { - return new Status(StatusCode.BADREQUEST, - "Current password is incorrect"); + Status status = targetConfigEntry + .update(curPassword, newPassword, null); + if (!status.isSuccess()) { + return status; } - localUserConfigList.put(user, targetConfigEntry); // trigger cluster - // update + // Trigger cluster update + localUserConfigList.put(user, targetConfigEntry); logger.info("Password changed for User \"{}\"", user); - return new Status(StatusCode.SUCCESS, null); + return status; } @Override 
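Review bot: The block comment added before the new removeUserFromActiveList call has a typo, `form` for `from`: `* A user account has been removed from local database, we assume`. The same question arises in the changePassword hunk further down in this line, where a successful update leaves the user's entry in activeUsers untouched; that is defensible when the user changes their own password, but a one-line comment there stating that existing sessions deliberately survive a password change would make the contrast with the removal path explicit. Both enclosing methods start before their hunks.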
@@ -702,34 +708,43 @@ public class UserManagerImpl implements IUserManager, IObjectReader, String password = ci.nextArgument(); String role = ci.nextArgument(); + List roles = new ArrayList(); + while (role != null) { + if (!role.trim().isEmpty()) { + roles.add(role); + } + role = ci.nextArgument(); + } + if (userName == null || userName.trim().isEmpty() || password == null - || password.trim().isEmpty() || role == null - || role.trim().isEmpty()) { + || password.trim().isEmpty() || roles == null + || roles.isEmpty()) { ci.println("Invalid Arguments"); ci.println("umAddUser "); return; } - this.addLocalUser(new UserConfig(userName, password, role)); + ci.print(this.addLocalUser(new UserConfig(userName, password, roles))); } public void _umRemUser(CommandInterpreter ci) { String userName = ci.nextArgument(); - String password = ci.nextArgument(); - String role = ci.nextArgument(); - if (userName == null || userName.trim().isEmpty() || password == null - || password.trim().isEmpty() || role == null - || role.trim().isEmpty()) { + if (userName == null || userName.trim().isEmpty()) { ci.println("Invalid Arguments"); - ci.println("umRemUser "); + ci.println("umRemUser "); return; } - this.removeLocalUser(new UserConfig(userName, password, role)); + UserConfig target = localUserConfigList.get(userName); + if (target == null) { + ci.println("User not found"); + return; + } + ci.println(this.removeLocalUser(target)); } public void _umGetUsers(CommandInterpreter ci) { for (UserConfig conf : this.getLocalUserList()) { - ci.println(conf.getUser() + " " + conf.getRole()); + ci.println(conf.getUser() + " " + conf.getRoles()); } } @@ -761,7 +776,6 @@ public class UserManagerImpl implements IUserManager, IObjectReader, public void _printAAAServers(CommandInterpreter ci) { for (ServerConfig aaaServer : remoteServerConfigList.values()) { - String protocol = aaaServer.getProtocol(); ci.println(aaaServer.getAddress() + "-" + aaaServer.getProtocol()); } } 
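Review bot: In _umAddUser the `roles == null` test in the rewritten condition can never be true, because `roles` is created a few lines above it; the condition reduces to `|| password.trim().isEmpty() || roles.isEmpty()) {`. The collection loop checks `role.trim().isEmpty()` but stores the untrimmed `role`, so a role entered with surrounding whitespace is saved with it; `roles.add(role.trim());` keeps the check and the stored value consistent. _umAddUser reports its Status with `ci.print` while _umRemUser uses `ci.println`; one form for both keeps the console output aligned. _umAddUser's signature lies before the hunk.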
@@ -805,7 +819,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  /**
  * Function called by the dependency manager when all the required
  * dependencies are satisfied
- *
+ *
  */
  void init() {
  }
@@ -814,7 +828,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  * Function called by the dependency manager when at least one dependency
  * become unsatisfied or when the component is shutting down because for
  * example bundle is being stopped.
- *
+ *
  */
  void destroy() {
  }
@@ -822,7 +836,7 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  /**
  * Function called by dependency manager after "init ()" is called and after
  * the services provided by the class are registered in the service registry
- *
+ *
  */
  void start() {
  authProviders = new ConcurrentHashMap();
@@ -845,60 +859,114 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  * Function called by the dependency manager before the services exported by
  * the component are unregistered, this will be followed by a "destroy ()"
  * calls
- *
+ *
  */
  void stop() {
  }
 
  @Override
  public List getUserRoles(String userName) {
- if (userName == null) {
- return new ArrayList(0);
+ List roles = null;
+ if (userName != null) {
+ /*
+ * First look in active users then in local configured users,
+ * finally in local authorized users
+ */
+ if (activeUsers.containsKey(userName)) {
+ roles = activeUsers.get(userName).getUserRoles();
+ } else if (localUserConfigList.containsKey(userName)) {
+ roles = localUserConfigList.get(userName).getRoles();
+ } else if (authorizationConfList.containsKey(userName)) {
+ roles = authorizationConfList.get(userName).getRoles();
+ }
  }
- AuthenticatedUser locatedUser = activeUsers.get(userName);
- return (locatedUser == null) ? new ArrayList(0) : locatedUser
- .getUserRoles();
+ return (roles == null) ? new ArrayList(0) : roles;
  }
 
  @Override
  public UserLevel getUserLevel(String username) {
- // Returns the controller well-know user level for the passed user
- String roleName = null;
+ // Returns the highest controller user level for the passed user
+ List rolesNames = getUserRoles(username);
 
- // First check in active users then in local configured users
- if (activeUsers.containsKey(username)) {
- roleName = activeUsers.get(username).getUserRoles().get(0);
- } else if (localUserConfigList.containsKey(username)) {
- roleName = localUserConfigList.get(username).getRole();
- }
-
- if (roleName == null) {
+ if (rolesNames.isEmpty()) {
  return UserLevel.NOUSER;
  }
 
- // For now only one role per user is allowed
- if (roleName.equals(UserLevel.SYSTEMADMIN.toString())) {
+ // Check against the well known controller roles first
+ if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) {
  return UserLevel.SYSTEMADMIN;
  }
- if (roleName.equals(UserLevel.NETWORKADMIN.toString())) {
+ if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) {
  return UserLevel.NETWORKADMIN;
  }
- if (roleName.equals(UserLevel.NETWORKOPERATOR.toString())) {
+ if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) {
  return UserLevel.NETWORKOPERATOR;
  }
- if (this.containerAuthorizationClient != null
- && this.containerAuthorizationClient
- .isApplicationRole(roleName)) {
- return UserLevel.CONTAINERUSER;
+ // Check if container user now
+ if (containerAuthorizationClient != null) {
+ for (String roleName : rolesNames) {
+ if (containerAuthorizationClient.isApplicationRole(roleName)) {
+ return UserLevel.CONTAINERUSER;
+ }
+ }
  }
- for (IResourceAuthorization client : this.applicationAuthorizationClients) {
- if (client.isApplicationRole(roleName)) {
- return UserLevel.APPUSER;
+ // Finally check if application user
+ if (applicationAuthorizationClients != null) {
+ for (String roleName : rolesNames) {
+ for (IResourceAuthorization client : this.applicationAuthorizationClients) {
+ if (client.isApplicationRole(roleName)) {
+ return UserLevel.APPUSER;
+ }
+ }
  }
  }
  return UserLevel.NOUSER;
  }
 
+
+ @Override
+ public List getUserLevels(String username) {
+ // Returns the controller user levels for the passed user
+ List rolesNames = getUserRoles(username);
+ List levels = new ArrayList();
+
+ if (rolesNames.isEmpty()) {
+ return levels;
+ }
+
+ // Check against the well known controller roles first
+ if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) {
+ levels.add(UserLevel.SYSTEMADMIN);
+ }
+ if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) {
+ levels.add(UserLevel.NETWORKADMIN);
+ }
+ if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) {
+ levels.add(UserLevel.NETWORKOPERATOR);
+ }
+ // Check if container user now
+ if (containerAuthorizationClient != null) {
+ for (String roleName : rolesNames) {
+ if (containerAuthorizationClient.isApplicationRole(roleName)) {
+ levels.add(UserLevel.CONTAINERUSER);
+ break;
+ }
+ }
+ }
+ // Finally check if application user
+ if (applicationAuthorizationClients != null) {
+ for (String roleName : rolesNames) {
+ for (IResourceAuthorization client : this.applicationAuthorizationClients) {
+ if (client.isApplicationRole(roleName)) {
+ levels.add(UserLevel.APPUSER);
+ break;
+ }
+ }
+ }
+ }
+ return levels;
+ }
+
  @Override
  public Status saveConfiguration() {
  boolean success = true;
@@ -938,8 +1006,9 @@ public class UserManagerImpl implements IUserManager, IObjectReader,
  .getPassword(), enabled, accountNonExpired,
  credentialsNonExpired, accountNonLocked,
  user.getGrantedAuthorities(getUserLevel(username)));
- } else
+ } else {
  throw new UsernameNotFoundException("User not found " + username);
+ }
  }
 
  @Override
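Review bot: In getUserLevels the `break` inside the application-role check only leaves the inner loop over clients, so a user holding two application roles gets UserLevel.APPUSER appended twice to the returned list; guard the add with `if (!levels.contains(UserLevel.APPUSER)) {` or leave both loops through a labelled break, as the container check above it already does with its single loop. The rewritten getUserLevel now repeats the entire role-to-level mapping of getUserLevels, and two copies of an authorization decision are exactly what drift apart under maintenance; since getUserLevels appends in precedence order, getUserLevel can be reduced to `List<UserLevel> levels = getUserLevels(username); return levels.isEmpty() ? UserLevel.NOUSER : levels.get(0);`. The getUserRoles rewrite also consults authorizationConfList for users that are neither active nor locally configured, which deserves a Javadoc sentence on the interface method since callers now see roles for remotely authenticated accounts that were invisible before.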
@@ -991,13 +1060,14 @@ public class UserManagerImpl implements IUserManager, IObjectReader, .getName()))); return authentication; - } else + } else { throw new BadCredentialsException( "Username or credentials did not match"); + } } - // following are setters for use in unit testing + // Following are setters for use in unit testing void setLocalUserConfigList(ConcurrentMap ucl) { if (ucl != null) { this.localUserConfigList = ucl; @@ -1037,7 +1107,36 @@ public class UserManagerImpl implements IUserManager, IObjectReader, this.sessionMgr = sessionMgr; } + @Override public String getPassword(String username) { return localUserConfigList.get(username).getPassword(); } + + @Override + public boolean isRoleInUse(String role) { + if (role == null || role.isEmpty()) { + return false; + } + // Check against controller roles + if (role.equals(UserLevel.SYSTEMADMIN.toString()) + || role.equals(UserLevel.NETWORKADMIN.toString()) + || role.equals(UserLevel.NETWORKOPERATOR.toString())) { + return true; + } + // Check if container roles + if (containerAuthorizationClient != null) { + if (containerAuthorizationClient.isApplicationRole(role)) { + return true; + } + } + // Finally if application role + if (applicationAuthorizationClients != null) { + for (IResourceAuthorization client : this.applicationAuthorizationClients) { + if (client.isApplicationRole(role)) { + return true; + } + } + } + return false; + } }
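Review bot: getPassword, now marked @Override, still dereferences `localUserConfigList.get(username)` directly, so a call for an unknown user fails with a NullPointerException instead of a controlled result; `UserConfig conf = localUserConfigList.get(username); return (conf == null) ? null : conf.getPassword();` (or whatever absent value the interface contract specifies) avoids that. Because the method hands a stored credential to every caller of the interface, a Javadoc line naming the intended caller and stating whether the returned value is a hash or cleartext would help whoever reviews those callers; that cannot be told from this hunk. The new isRoleInUse repeats the three well-known-role comparisons already spelled out in getUserLevel and getUserLevels; a shared helper for the controller role names would keep the three in step.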