NationalSecurityAgency · jwomeara · May 20, 2024 · Apr 8, 2023 · May 8, 2023 · May 24, 2023
diff --git a/api/pom.xml b/api/pom.xml
@@ -4,11 +4,11 @@
     <parent>
         <groupId>gov.nsa.datawave.microservice</groupId>
         <artifactId>datawave-microservice-parent</artifactId>
-        <version>3.0.4</version>
+        <version>4.0.0-SNAPSHOT</version>
         <relativePath>../../../microservice-parent/pom.xml</relativePath>
     </parent>
     <artifactId>authorization-api</artifactId>
-    <version>3.0.1-SNAPSHOT</version>
+    <version>4.0.0-SNAPSHOT</version>
     <url>https://code.nsa.gov/datawave-authorization-service</url>
     <scm>
         <connection>scm:git:https://github.com/NationalSecurityAgency/datawave-authorization-service.git</connection>
@@ -18,6 +18,7 @@
     </scm>
     <properties>
         <datawave.webservice.namespace>http://webservice.datawave.nsa/v1</datawave.webservice.namespace>
+        <version.accumulo>2.1.1</version.accumulo>
         <version.guava>31.1-jre</version.guava>
         <version.jackson>2.10.1</version.jackson>
         <version.jaxb>2.3.3</version.jaxb>
@@ -46,6 +47,29 @@
                 <artifactId>jakarta.xml.bind-api</artifactId>
                 <version>${version.jaxb}</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.accumulo</groupId>
+                <artifactId>accumulo-core</artifactId>
+                <version>${version.accumulo}</version>
+                <exclusions>
+                    <exclusion>
+                        <artifactId>guava</artifactId>
+                        <groupId>com.google.guava</groupId>
+                    </exclusion>
+                    <exclusion>
+                        <artifactId>hadoop-client</artifactId>
+                        <groupId>org.apache.hadoop</groupId>
+                    </exclusion>
+                    <exclusion>
+                        <artifactId>junit</artifactId>
+                        <groupId>junit</groupId>
+                    </exclusion>
+                    <exclusion>
+                        <artifactId>zookeeper</artifactId>
+                        <groupId>org.apache.zookeeper</groupId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
             <dependency>
                 <groupId>org.slf4j</groupId>
                 <artifactId>slf4j-api</artifactId>
@@ -91,6 +115,10 @@
             <groupId>jakarta.xml.bind</groupId>
             <artifactId>jakarta.xml.bind-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.accumulo</groupId>
+            <artifactId>accumulo-core</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>

diff --git a/api/src/main/java/datawave/security/authorization/predicate/AuthorizationsPredicate.java b/api/src/main/java/datawave/security/authorization/predicate/AuthorizationsPredicate.java
@@ -0,0 +1,53 @@
+package datawave.security.authorization.predicate;
+
+import java.util.function.Predicate;
+
+import org.apache.accumulo.core.security.Authorizations;
+import org.apache.accumulo.core.security.ColumnVisibility;
+import org.apache.accumulo.core.security.VisibilityEvaluator;
+import org.apache.accumulo.core.security.VisibilityParseException;
+
+/**
+ * This is a predicate that will test the auths against a specified visibility (as defined by accumulo's ColumnVisibility). In addition to the visibility, one
+ * can specify that only the first of the authorizations is matched (presumably the user).
+ */
+public class AuthorizationsPredicate implements Predicate<Authorizations> {
+
+    // A visibility string to be matched against the auths being used for the query
+    private ColumnVisibility visibility;
+
+    public AuthorizationsPredicate() {}
+
+    public AuthorizationsPredicate(String visibility) {
+        setVisibility(visibility);
+    }
+
+    @Override
+    public boolean test(Authorizations auths) {
+        // match the visibility against the auths.
+        ColumnVisibility vis = getVisibility();
+        VisibilityEvaluator ve = new VisibilityEvaluator(auths);
+        try {
+            return (ve.evaluate(vis));
+        } catch (VisibilityParseException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public ColumnVisibility getVisibility() {
+        return visibility;
+    }
+
+    public void setVisibility(ColumnVisibility visibility) {
+        this.visibility = visibility;
+    }
+
+    public void setVisibility(String visibility) {
+        setVisibility(new ColumnVisibility(visibility));
+    }
+
+    @Override
+    public String toString() {
+        return "(auths =~ " + visibility + ')';
+    }
+}
diff --git a/pom.xml b/pom.xml
@@ -4,11 +4,11 @@
     <parent>
         <groupId>gov.nsa.datawave.microservice</groupId>
         <artifactId>datawave-microservice-parent</artifactId>
-        <version>3.0.4</version>
+        <version>4.0.0-SNAPSHOT</version>
         <relativePath>../../microservice-parent/pom.xml</relativePath>
     </parent>
     <artifactId>authorization-service-parent</artifactId>
-    <version>3.0.1-SNAPSHOT</version>
+    <version>4.0.0-SNAPSHOT</version>
     <packaging>pom</packaging>
     <url>https://code.nsa.gov/datawave-authorization-service</url>
     <modules>

diff --git a/service/pom.xml b/service/pom.xml
@@ -4,11 +4,11 @@
     <parent>
         <groupId>gov.nsa.datawave.microservice</groupId>
         <artifactId>datawave-microservice-service-parent</artifactId>
-        <version>4.0.4</version>
+        <version>5.0.0-SNAPSHOT</version>
         <relativePath>../../../microservice-service-parent/pom.xml</relativePath>
     </parent>
     <artifactId>authorization-service</artifactId>
-    <version>3.0.1-SNAPSHOT</version>
+    <version>4.0.0-SNAPSHOT</version>
     <description>DATAWAVE Authorization Microservice</description>
     <url>https://code.nsa.gov/datawave-authorization-service</url>
     <scm>
@@ -19,10 +19,10 @@
     </scm>
     <properties>
         <start-class>datawave.microservice.authorization.AuthorizationService</start-class>
-        <version.authorization-api>3.0.0</version.authorization-api>
+        <version.authorization-api>4.0.0-SNAPSHOT</version.authorization-api>
         <version.jaxb>2.3.3</version.jaxb>
-        <version.microservice.hazelcast-client>3.0.0</version.microservice.hazelcast-client>
-        <version.microservice.starter>3.0.0</version.microservice.starter>
+        <version.microservice.hazelcast-client>4.0.0-SNAPSHOT</version.microservice.hazelcast-client>
+        <version.microservice.starter>4.0.0-SNAPSHOT</version.microservice.starter>
         <version.zookeeper>3.8.0</version.zookeeper>
     </properties>
     <dependencyManagement>

diff --git a/service/src/main/java/datawave/microservice/authorization/AuthorizationControllerV1.java b/service/src/main/java/datawave/microservice/authorization/AuthorizationControllerV1.java
@@ -21,6 +21,7 @@
 import datawave.security.authorization.DatawaveUser;
 import datawave.security.authorization.DatawaveUserInfo;
 import datawave.user.AuthorizationsListBase;
+import datawave.webservice.result.GenericResponse;
 import io.swagger.v3.oas.annotations.ExternalDocumentation;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
@@ -55,8 +56,21 @@ public String user(@AuthenticationPrincipal DatawaveUserDetails currentUser) {
     @Operation(summary = "Lists the effective Accumulo user authorizations for the calling user.")
     @RequestMapping(path = "/listEffectiveAuthorizations", method = RequestMethod.GET, produces = {MediaType.APPLICATION_JSON_VALUE,
             MediaType.APPLICATION_XML_VALUE, MediaType.TEXT_XML_VALUE, PROTOSTUFF_VALUE, MediaType.TEXT_HTML_VALUE, "text/x-yaml", "application/x-yaml"})
-    public AuthorizationsListBase<?> listEffectiveAuthorizations(@AuthenticationPrincipal DatawaveUserDetails currentUser) {
-        return authOperations.listEffectiveAuthorizations(currentUser);
+    public AuthorizationsListBase<?> listEffectiveAuthorizations(
+                    @Parameter(description = "Whether the request should be federated to downstream services.") @RequestParam(
+                                    name = "includeRemoteServices") boolean federate,
+                    @AuthenticationPrincipal DatawaveUserDetails currentUser) {
+        return authOperations.listEffectiveAuthorizations(currentUser, federate);
+    }
+
+    @Operation(summary = "Clears any cached credentials for the calling user.")
+    @RequestMapping(path = "/flushCachedCredentials", method = RequestMethod.GET, produces = {MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_XML_VALUE,
+            MediaType.TEXT_XML_VALUE, PROTOSTUFF_VALUE, MediaType.TEXT_HTML_VALUE, "text/x-yaml", "application/x-yaml"})
+    public GenericResponse<String> flushCachedCredentials(
+                    @Parameter(description = "Whether the request should be federated to downstream services.") @RequestParam(
+                                    name = "includeRemoteServices") boolean federate,
+                    @AuthenticationPrincipal DatawaveUserDetails currentUser) {
+        return authOperations.flushCachedCredentials(currentUser, federate);
     }
 
     /**

diff --git a/service/src/main/java/datawave/microservice/authorization/AuthorizationControllerV2.java b/service/src/main/java/datawave/microservice/authorization/AuthorizationControllerV2.java
@@ -21,6 +21,7 @@
 import datawave.security.authorization.DatawaveUser;
 import datawave.security.authorization.DatawaveUserInfo;
 import datawave.user.AuthorizationsListBase;
+import datawave.webservice.result.GenericResponse;
 import io.swagger.v3.oas.annotations.ExternalDocumentation;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
@@ -55,8 +56,21 @@ public String user(@AuthenticationPrincipal DatawaveUserDetails currentUser) {
     @Operation(summary = "Lists the effective Accumulo user authorizations for the calling user.")
     @RequestMapping(path = "/listEffectiveAuthorizations", method = RequestMethod.GET, produces = {MediaType.APPLICATION_JSON_VALUE,
             MediaType.APPLICATION_XML_VALUE, MediaType.TEXT_XML_VALUE, PROTOSTUFF_VALUE, MediaType.TEXT_HTML_VALUE, "text/x-yaml", "application/x-yaml"})
-    public AuthorizationsListBase<?> listEffectiveAuthorizations(@AuthenticationPrincipal DatawaveUserDetails currentUser) {
-        return authOperations.listEffectiveAuthorizations(currentUser);
+    public AuthorizationsListBase<?> listEffectiveAuthorizations(
+                    @Parameter(description = "Whether the request should be federated to downstream services.") @RequestParam(
+                                    name = "includeRemoteServices") boolean federate,
+                    @AuthenticationPrincipal DatawaveUserDetails currentUser) {
+        return authOperations.listEffectiveAuthorizations(currentUser, federate);
+    }
+
+    @Operation(summary = "Clears any cached credentials for the calling user.")
+    @RequestMapping(path = "/flushCachedCredentials", method = RequestMethod.GET, produces = {MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_XML_VALUE,
+            MediaType.TEXT_XML_VALUE, PROTOSTUFF_VALUE, MediaType.TEXT_HTML_VALUE, "text/x-yaml", "application/x-yaml"})
+    public GenericResponse<String> flushCachedCredentials(
+                    @Parameter(description = "Whether the request should be federated to downstream services.") @RequestParam(
+                                    name = "includeRemoteServices") boolean federate,
+                    @AuthenticationPrincipal DatawaveUserDetails currentUser) {
+        return authOperations.flushCachedCredentials(currentUser, federate);
     }
 
     /**