common,gplazma-multimap,dcache-qos: qos role authorization, revised

Motivation:

https://rb.dcache.org/r/14070/
master@410762eb5596ab73b49d45fd9635a9204ad7f0b1

introduced qos role authorization principals
using multimap definitions.  This first pass,
however, was based on a misunderstanding.

Modification:

This patch rectifies the misunderstanding. The syntax and semantics
for role definition is now as follows:

The RolePrincipal will contain a set of roles.
It will be constructable in the multimap file using `roles:admin,qos-user,qos-group`.

- `admin` translates to current admin privileges (all files)
- `qos-user` translates to qos privileges on files where the file owner matches
   the UidPrincipal to which the user is mapped.
- `qos-group` translates to qos privileges on files where the file group matchs
   the primary GidPrincipal to which the user is mapped.

Both qos roles can be assigned to a user at the same time if desired.

Result:

A more proper implementation of the concept.

Target: master
Patch: https://rb.dcache.org/r/14080/
Requires-notes: yes
Acked-by: Tigran

modules/common/src/main/java/org/dcache/auth/AbstractUidPrincipal.java → modules/common/src/main/java/org/dcache/auth/AbstractIdPrincipal.java

@@ -65,35 +65,31 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 /*
  *  Base class for both UidPrincipal and UidRolePrincipal.
  */
-abstract class AbstractUidPrincipal implements Principal, Serializable {
+abstract class AbstractIdPrincipal implements Principal, Serializable {
 
-    private static final long serialVersionUID = -8815120327854777479L;
+    private static final long serialVersionUID = 6512883936234057609L;
 
-    protected final long uid;
+    protected final long id;
 
-    protected AbstractUidPrincipal(long uid) {
-        if (uid < 0) {
+    protected AbstractIdPrincipal(long id) {
+        if (id < 0) {
             throw new IllegalArgumentException("UID must be non-negative");
         }
-        this.uid = uid;
+        this.id = id;
     }
 
-    protected AbstractUidPrincipal(String uid) {
-        this(Long.parseLong(uid));
-    }
-
-    public long getUid() {
-        return uid;
+    protected AbstractIdPrincipal(String id) {
+        this(Long.parseLong(id));
     }
 
     @Override
     public String getName() {
-        return String.valueOf(getUid());
+        return String.valueOf(getId());
     }
 
     @Override
     public int hashCode() {
-        return (int) getUid();
+        return (int) getId();
     }
 
     @Override
@@ -109,12 +105,16 @@ public boolean equals(Object other) {
         if (!(this.getClass().equals(other.getClass()))) {
             return false;
         }
-        AbstractUidPrincipal otherUid = (AbstractUidPrincipal) other;
-        return (otherUid.getUid() == getUid());
+        AbstractIdPrincipal otherUid = (AbstractIdPrincipal) other;
+        return (otherUid.getId() == getId());
     }
 
     @Override
     public String toString() {
         return getClass().getSimpleName() + '[' + getName() + ']';
     }
+
+    protected long getId() {
+        return id;
+    }
 }

modules/common/src/main/java/org/dcache/auth/UidRolePrincipal.java → modules/common/src/main/java/org/dcache/auth/RolePrincipal.java

@@ -59,6 +59,13 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  */
 package org.dcache.auth;
 
+import com.google.common.base.Splitter;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Set;
+import java.util.UUID;
+
 /**
  *  A Principal which assigns a role-based authorization with respect to a uid.
  *  While this code replicates the UidPrincipal, it needs to be independent so
@@ -67,15 +74,63 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  */
 @AuthenticationOutput
 @AuthenticationInput
-abstract class UidRolePrincipal extends AbstractUidPrincipal {
+public class RolePrincipal extends AbstractIdPrincipal {
+
+    private static final long serialVersionUID = -208608738074565124L;
+
+    private static final long PLACEHOLDER_ID = Long.MAX_VALUE;
+
+    private final long internalId;
+
+    public enum Role {
+        ADMIN("admin"),
+        QOS_USER("qos-user"),
+        QOS_GROUP("qos-group");
+
+        private final String tag;
+
+        Role(String tag) {
+            this.tag = tag;
+        }
+
+        public String getTag() {
+            return tag;
+        }
 
-    private static final long serialVersionUID = 3405254609909807921L;
+        static Role fromTag(String tag) {
+            switch (tag.toUpperCase(Locale.ROOT)) {
+                case "ADMIN":
+                    return ADMIN;
+                case "QOS-USER":
+                    return QOS_USER;
+                case "QOS-GROUP":
+                    return QOS_GROUP;
+            }
+
+            throw new IllegalArgumentException("Unrecognized role: " + tag);
+        }
+    }
+
+    private final Set<Role> roles = new HashSet<>();
+
+    public RolePrincipal(String roles) {
+        super(PLACEHOLDER_ID);
+        internalId = UUID.randomUUID().getLeastSignificantBits();
+        List<String> parts = Splitter.on(',').splitToList(roles);
+        for (String role: parts) {
+            this.roles.add(Role.fromTag(role));
+        }
+    }
+
+    public long getId() {
+        return internalId;
+    }
 
-    protected UidRolePrincipal(long uid) {
-        super(uid);
+    public Set<Role> getRoles() {
+        return Set.copyOf(roles);
     }
 
-    protected UidRolePrincipal(String uid) {
-        super(uid);
+    public boolean hasRole(Role role) {
+        return roles.contains(role);
     }
 }