package org.ovirt.engine.core.bll;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.ovirt.engine.core.common.VdcObjectType;
import org.ovirt.engine.core.common.businessentities.Permission;
import org.ovirt.engine.core.common.businessentities.Role;
import org.ovirt.engine.core.common.businessentities.aaa.DbUser;
import org.ovirt.engine.core.common.config.Config;
import org.ovirt.engine.core.common.config.ConfigValues;
import org.ovirt.engine.core.compat.Guid;
import org.ovirt.engine.core.dal.dbbroker.DbFacade;
import org.ovirt.engine.core.dao.DbUserDao;
import org.ovirt.engine.core.dao.PermissionDao;
import org.ovirt.engine.core.dao.RoleDao;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* This class caches config values for used with many commands
*
*/
public class MultiLevelAdministrationHandler {
public static final Guid SYSTEM_OBJECT_ID = new Guid("AAA00000-0000-0000-0000-123456789AAA");
public static final Guid EVERYONE_OBJECT_ID = new Guid("EEE00000-0000-0000-0000-123456789EEE");
/*
* bottom is an object which all the objects in the system are its parents
* useful to denote we want all objects when checking for permissions
*/
public static final Guid BOTTOM_OBJECT_ID = new Guid("BBB00000-0000-0000-0000-123456789BBB");
private static final Logger log = LoggerFactory.getLogger(MultiLevelAdministrationHandler.class);
public static PermissionDao getPermissionDao() {
return DbFacade.getInstance().getPermissionDao();
}
public static RoleDao getRoleDao() {
return DbFacade.getInstance().getRoleDao();
}
public static DbUserDao getDbUserDao() {
return DbFacade.getInstance().getDbUserDao();
}
/**
* Admin user is a user with at least one permission that contains admin
* role
*
* @return True if user is admin
*/
public static boolean isAdminUser(DbUser user) {
List<Role> userRoles =
getRoleDao().getAnyAdminRoleForUserAndGroups(user.getId(), StringUtils.join(user.getGroupIds(), ","));
if (!userRoles.isEmpty()) {
log.debug("LoginAdminUser: User logged to admin using role '{}'", userRoles.get(0).getName());
return true;
}
return false;
}
public static void addPermission(Permission... permissions) {
for (Permission perms : permissions) {
getPermissionDao().save(perms);
}
}
public static void setIsAdminGUIFlag(Guid userId, boolean hasPermissions) {
DbUser user = getDbUserDao().get(userId);
if (user.isAdmin() != hasPermissions) {
user.setAdmin(hasPermissions);
getDbUserDao().update(user);
}
}
/**
* Checks if supplied role is the last (or maybe only) role with super user privileges.
*
* @param roleId
* the role id.
* @return true if role is the last with Super User privileges, otherwise, false
*/
public static boolean isLastSuperUserPermission(Guid roleId) {
boolean retValue=false;
if (PredefinedRoles.SUPER_USER.getId().equals(roleId)) {
// check that there is at least one super-user left in the system
List<Permission> permissions = getPermissionDao().getAllForRole(
PredefinedRoles.SUPER_USER.getId());
if (permissions.size() <= 1) {
retValue = true;
}
}
return retValue;
}
/**
* Checks if supplied group is the last (or maybe only) with super user privileges.
*
* @param groupId
* the group is
* @return true if group is the last with Super User privileges, otherwise, false
*/
public static boolean isLastSuperUserGroup(Guid groupId) {
boolean retValue=false;
// check that there is at least one super-user left in the system
List<Permission> permissions = getPermissionDao().getAllForRole(
PredefinedRoles.SUPER_USER.getId());
if (permissions.size() <= 1) {
// get group role
permissions = getPermissionDao().getAllForAdElement(groupId);
for (Permission permission : permissions){
if (permission.getRoleId().equals(PredefinedRoles.SUPER_USER.getId())){
retValue = true;
break;
}
}
}
return retValue;
}
public static boolean isMultilevelAdministrationOn() {
return Config.<Boolean> getValue(ConfigValues.IsMultilevelAdministrationOn);
}
public static void addPermission(Guid userId, Guid entityId, PredefinedRoles role, VdcObjectType objectType) {
Permission perms = new Permission();
perms.setAdElementId(userId);
perms.setObjectType(objectType);
perms.setObjectId(entityId);
perms.setRoleId(role.getId());
addPermission(perms);
}
}