src/java/org/apache/cassandra/cql3/statements/ListRolesStatement.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.cassandra.cql3.statements;

import java.util.Collections;
import java.util.List;
import java.util.Set;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;

import org.apache.cassandra.auth.*;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.config.SchemaConstants;
import org.apache.cassandra.cql3.*;
import org.apache.cassandra.db.marshal.BooleanType;
import org.apache.cassandra.db.marshal.MapType;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.exceptions.*;
import org.apache.cassandra.service.ClientState;
import org.apache.cassandra.transport.messages.ResultMessage;

public class ListRolesStatement extends AuthorizationStatement
{
    // pseudo-virtual cf as the actual datasource is dependent on the IRoleManager impl
    private static final String KS = SchemaConstants.AUTH_KEYSPACE_NAME;
    private static final String CF = AuthKeyspace.ROLES;

    private static final MapType optionsType = MapType.getInstance(UTF8Type.instance, UTF8Type.instance, false);
    private static final List<ColumnSpecification> metadata =
        ImmutableList.of(new ColumnSpecification(KS, CF, new ColumnIdentifier("role", true), UTF8Type.instance),
                         new ColumnSpecification(KS, CF, new ColumnIdentifier("super", true), BooleanType.instance),
                         new ColumnSpecification(KS, CF, new ColumnIdentifier("login", true), BooleanType.instance),
                         new ColumnSpecification(KS, CF, new ColumnIdentifier("options", true), optionsType));

    private final RoleResource grantee;
    private final boolean recursive;

    public ListRolesStatement()
    {
        this(new RoleName(), false);
    }

    public ListRolesStatement(RoleName grantee, boolean recursive)
    {
        this.grantee = grantee.hasName() ? RoleResource.role(grantee.getName()) : null;
        this.recursive = recursive;
    }

    public void validate(ClientState state) throws UnauthorizedException, InvalidRequestException
    {
        state.ensureNotAnonymous();

        if ((grantee != null) && !DatabaseDescriptor.getRoleManager().isExistingRole(grantee))
            throw new InvalidRequestException(String.format("%s doesn't exist", grantee));
    }

    public void checkAccess(ClientState state) throws InvalidRequestException
    {
    }

    public ResultMessage execute(ClientState state) throws RequestValidationException, RequestExecutionException
    {
        // If the executing user has DESCRIBE permission on the root roles resource, let them list any and all roles
        boolean hasRootLevelSelect = DatabaseDescriptor.getAuthorizer()
                                                       .authorize(state.getUser(), RoleResource.root())
                                                       .contains(Permission.DESCRIBE);
        if (hasRootLevelSelect)
        {
            if (grantee == null)
                return resultMessage(DatabaseDescriptor.getRoleManager().getAllRoles());
            else
                return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(grantee, recursive));
        }
        else
        {
            RoleResource currentUser = RoleResource.role(state.getUser().getName());
            if (grantee == null)
                return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(currentUser, recursive));
            if (DatabaseDescriptor.getRoleManager().getRoles(currentUser, true).contains(grantee))
                return resultMessage(DatabaseDescriptor.getRoleManager().getRoles(grantee, recursive));
            else
                throw new UnauthorizedException(String.format("You are not authorized to view roles granted to %s ", grantee.getRoleName()));
        }
    }

    private ResultMessage resultMessage(Set<RoleResource> roles)
    {
        if (roles.isEmpty())
            return new ResultMessage.Void();

        List<RoleResource> sorted = Lists.newArrayList(roles);
        Collections.sort(sorted);
        return formatResults(sorted);
    }

    // overridden in ListUsersStatement to include legacy metadata
    protected ResultMessage formatResults(List<RoleResource> sortedRoles)
    {
        ResultSet result = new ResultSet(metadata);

        IRoleManager roleManager = DatabaseDescriptor.getRoleManager();
        for (RoleResource role : sortedRoles)
        {
            result.addColumnValue(UTF8Type.instance.decompose(role.getRoleName()));
            result.addColumnValue(BooleanType.instance.decompose(roleManager.isSuper(role)));
            result.addColumnValue(BooleanType.instance.decompose(roleManager.canLogin(role)));
            result.addColumnValue(optionsType.decompose(roleManager.getCustomOptions(role)));
        }
        return new ResultMessage.Rows(result);
    }
}