airavata-commits mailing list archives

From scnakand...@apache.org
Subject [7/7] airavata git commit: adding more files
Date Thu, 07 Jul 2016 15:43:50 GMT
adding more files


Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/89e0fdc8
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/89e0fdc8
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/89e0fdc8

Branch: refs/heads/grouper-integration
Commit: 89e0fdc80740223c44e676a5de4ac36d6cddebcb
Parents: 70f8579
Author: scnakandala <supun.nakandala@gmail.com>
Authored: Thu Jul 7 11:43:40 2016 -0400
Committer: scnakandala <supun.nakandala@gmail.com>
Committed: Thu Jul 7 11:43:40 2016 -0400

----------------------------------------------------------------------
 .../airavata/group_manager_model_constants.cpp  |   34 +
 .../airavata/group_manager_model_constants.h    |   41 +
 .../lib/airavata/group_manager_model_types.cpp  |   57 +
 .../lib/airavata/group_manager_model_types.h    |   62 +
 .../lib/Airavata/Model/Group/Types.php          |   42 +
 .../lib/apache/airavata/model/group/__init__.py |    1 +
 .../apache/airavata/model/group/constants.py    |   11 +
 .../lib/apache/airavata/model/group/ttypes.py   |   54 +
 .../model/group/ResourcePermissionType.java     |   62 +
 .../airavata/model/group/ResourceType.java      |   68 +
 modules/group-manager/pom.xml                   |   58 +
 .../internal/dao/PermissionEntryDAO.java        |  286 ++++
 .../dao/hib3/Hib3PermissionEntryDAO.java        | 1123 +++++++++++++
 .../grouper/permissions/PermissionFinder.java   |  770 +++++++++
 .../airavata/grouper/AiravataGrouperUtil.java   |   35 +
 .../airavata/grouper/GroupManagerCPI.java       |   24 +
 .../airavata/grouper/GroupManagerException.java |   36 +
 .../airavata/grouper/GroupManagerFactory.java   |   42 +
 .../airavata/grouper/GroupManagerImpl.java      |   80 +
 .../apache/airavata/grouper/SubjectType.java    |   14 +
 .../apache/airavata/grouper/group/Group.java    |   94 ++
 .../airavata/grouper/group/GroupMembership.java |   88 +
 .../grouper/group/GroupMembershipType.java      |   12 +
 .../airavata/grouper/group/GroupService.java    |   24 +
 .../grouper/group/GroupServiceImpl.java         |  228 +++
 .../grouper/permission/PermissionAction.java    |   15 +
 .../permission/PermissionServiceImpl.java       |   86 +
 .../airavata/grouper/resource/Resource.java     |  145 ++
 .../resource/ResourceNotFoundException.java     |   35 +
 .../grouper/resource/ResourceServiceImpl.java   |  351 ++++
 .../airavata/grouper/resource/ResourceType.java |   51 +
 .../airavata/grouper/role/RoleServiceImpl.java  |  112 ++
 .../Owasp.CsrfGuard.overlay.properties          |   78 +
 .../main/resources/Owasp.CsrfGuard.properties   |  403 +++++
 .../group-manager/src/main/resources/README.txt |   21 +
 .../src/main/resources/ehcache.xml              | 1517 ++++++++++++++++++
 .../resources/grouper-loader.base.properties    |  351 ++++
 .../main/resources/grouper-loader.properties    |   25 +
 .../src/main/resources/grouper.base.properties  | 1017 ++++++++++++
 .../resources/grouper.client.base.properties    |  552 +++++++
 .../main/resources/grouper.client.properties    |  552 +++++++
 .../resources/grouper.hibernate.base.properties |  120 ++
 .../main/resources/grouper.hibernate.properties |   10 +
 .../src/main/resources/grouper.properties       | 1017 ++++++++++++
 .../src/main/resources/grouperUtf8.txt          |    1 +
 .../src/main/resources/log4j.properties         |  154 ++
 .../src/main/resources/morphString.properties   |   21 +
 .../src/main/resources/server.properties        |   26 +
 .../src/main/resources/sources.xml              |  875 ++++++++++
 .../src/main/resources/spy.properties           |   54 +
 .../group-manager/src/main/resources/sqltool.rc |    6 +
 .../src/main/resources/subject.base.properties  |   46 +
 .../src/main/resources/subject.properties       |   27 +
 53 files changed, 11014 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_constants.cpp
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_constants.cpp b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_constants.cpp
new file mode 100644
index 0000000..db609ab
--- /dev/null
+++ b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_constants.cpp
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ *  @generated
+ */
+#include "group_manager_model_constants.h"
+
+namespace apache { namespace airavata { namespace model { namespace group {
+
+const group_manager_modelConstants g_group_manager_model_constants;
+
+group_manager_modelConstants::group_manager_modelConstants() {
+}
+
+}}}} // namespace
+

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_constants.h
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_constants.h b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_constants.h
new file mode 100644
index 0000000..9df6636
--- /dev/null
+++ b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_constants.h
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ *  @generated
+ */
+#ifndef group_manager_model_CONSTANTS_H
+#define group_manager_model_CONSTANTS_H
+
+#include "group_manager_model_types.h"
+
+namespace apache { namespace airavata { namespace model { namespace group {
+
+class group_manager_modelConstants {
+ public:
+  group_manager_modelConstants();
+
+};
+
+extern const group_manager_modelConstants g_group_manager_model_constants;
+
+}}}} // namespace
+
+#endif

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_types.cpp
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_types.cpp b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_types.cpp
new file mode 100644
index 0000000..21c454b
--- /dev/null
+++ b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_types.cpp
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ *  @generated
+ */
+#include "group_manager_model_types.h"
+
+#include <algorithm>
+#include <ostream>
+
+#include <thrift/TToString.h>
+
+namespace apache { namespace airavata { namespace model { namespace group {
+
+int _kResourceTypeValues[] = {
+  ResourceType::PROJECT,
+  ResourceType::EXPERIMENT,
+  ResourceType::DATA,
+  ResourceType::OTHER
+};
+const char* _kResourceTypeNames[] = {
+  "PROJECT",
+  "EXPERIMENT",
+  "DATA",
+  "OTHER"
+};
+const std::map<int, const char*> _ResourceType_VALUES_TO_NAMES(::apache::thrift::TEnumIterator(4, _kResourceTypeValues, _kResourceTypeNames), ::apache::thrift::TEnumIterator(-1, NULL, NULL));
+
+int _kResourcePermissionTypeValues[] = {
+  ResourcePermissionType::WRITE,
+  ResourcePermissionType::READ
+};
+const char* _kResourcePermissionTypeNames[] = {
+  "WRITE",
+  "READ"
+};
+const std::map<int, const char*> _ResourcePermissionType_VALUES_TO_NAMES(::apache::thrift::TEnumIterator(2, _kResourcePermissionTypeValues, _kResourcePermissionTypeNames), ::apache::thrift::TEnumIterator(-1, NULL, NULL));
+
+}}}} // namespace

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_types.h
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_types.h b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_types.h
new file mode 100644
index 0000000..4cf43d4
--- /dev/null
+++ b/airavata-api/airavata-client-sdks/airavata-cpp-sdk/src/main/resources/lib/airavata/group_manager_model_types.h
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ *  @generated
+ */
+#ifndef group_manager_model_TYPES_H
+#define group_manager_model_TYPES_H
+
+#include <iosfwd>
+
+#include <thrift/Thrift.h>
+#include <thrift/TApplicationException.h>
+#include <thrift/protocol/TProtocol.h>
+#include <thrift/transport/TTransport.h>
+
+#include <thrift/cxxfunctional.h>
+#include "airavata_commons_types.h"
+
+
+namespace apache { namespace airavata { namespace model { namespace group {
+
+struct ResourceType {
+  enum type {
+    PROJECT = 0,
+    EXPERIMENT = 1,
+    DATA = 2,
+    OTHER = 3
+  };
+};
+
+extern const std::map<int, const char*> _ResourceType_VALUES_TO_NAMES;
+
+struct ResourcePermissionType {
+  enum type {
+    WRITE = 0,
+    READ = 1
+  };
+};
+
+extern const std::map<int, const char*> _ResourcePermissionType_VALUES_TO_NAMES;
+
+}}}} // namespace
+
+#endif

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/airavata-api/airavata-client-sdks/airavata-php-sdk/src/main/resources/lib/Airavata/Model/Group/Types.php
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-client-sdks/airavata-php-sdk/src/main/resources/lib/Airavata/Model/Group/Types.php b/airavata-api/airavata-client-sdks/airavata-php-sdk/src/main/resources/lib/Airavata/Model/Group/Types.php
new file mode 100644
index 0000000..c416f74
--- /dev/null
+++ b/airavata-api/airavata-client-sdks/airavata-php-sdk/src/main/resources/lib/Airavata/Model/Group/Types.php
@@ -0,0 +1,42 @@
+<?php
+namespace Airavata\Model\Group;
+
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ *  @generated
+ */
+use Thrift\Base\TBase;
+use Thrift\Type\TType;
+use Thrift\Type\TMessageType;
+use Thrift\Exception\TException;
+use Thrift\Exception\TProtocolException;
+use Thrift\Protocol\TProtocol;
+use Thrift\Protocol\TBinaryProtocolAccelerated;
+use Thrift\Exception\TApplicationException;
+
+
+final class ResourceType {
+  const PROJECT = 0;
+  const EXPERIMENT = 1;
+  const DATA = 2;
+  const OTHER = 3;
+  static public $__names = array(
+    0 => 'PROJECT',
+    1 => 'EXPERIMENT',
+    2 => 'DATA',
+    3 => 'OTHER',
+  );
+}
+
+final class ResourcePermissionType {
+  const WRITE = 0;
+  const READ = 1;
+  static public $__names = array(
+    0 => 'WRITE',
+    1 => 'READ',
+  );
+}
+
+

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/__init__.py
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/__init__.py b/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/__init__.py
new file mode 100644
index 0000000..adefd8e
--- /dev/null
+++ b/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/__init__.py
@@ -0,0 +1 @@
+__all__ = ['ttypes', 'constants']

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/constants.py
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/constants.py b/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/constants.py
new file mode 100644
index 0000000..4a6492b
--- /dev/null
+++ b/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/constants.py
@@ -0,0 +1,11 @@
+#
+# Autogenerated by Thrift Compiler (0.9.3)
+#
+# DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+#
+#  options string: py
+#
+
+from thrift.Thrift import TType, TMessageType, TException, TApplicationException
+from ttypes import *
+

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/ttypes.py
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/ttypes.py b/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/ttypes.py
new file mode 100644
index 0000000..7e3ae6e
--- /dev/null
+++ b/airavata-api/airavata-client-sdks/airavata-python-sdk/src/main/resources/lib/apache/airavata/model/group/ttypes.py
@@ -0,0 +1,54 @@
+#
+# Autogenerated by Thrift Compiler (0.9.3)
+#
+# DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+#
+#  options string: py
+#
+
+from thrift.Thrift import TType, TMessageType, TException, TApplicationException
+import apache.airavata.model.commons.ttypes
+
+
+from thrift.transport import TTransport
+from thrift.protocol import TBinaryProtocol, TProtocol
+try:
+  from thrift.protocol import fastbinary
+except:
+  fastbinary = None
+
+
+class ResourceType:
+  PROJECT = 0
+  EXPERIMENT = 1
+  DATA = 2
+  OTHER = 3
+
+  _VALUES_TO_NAMES = {
+    0: "PROJECT",
+    1: "EXPERIMENT",
+    2: "DATA",
+    3: "OTHER",
+  }
+
+  _NAMES_TO_VALUES = {
+    "PROJECT": 0,
+    "EXPERIMENT": 1,
+    "DATA": 2,
+    "OTHER": 3,
+  }
+
+class ResourcePermissionType:
+  WRITE = 0
+  READ = 1
+
+  _VALUES_TO_NAMES = {
+    0: "WRITE",
+    1: "READ",
+  }
+
+  _NAMES_TO_VALUES = {
+    "WRITE": 0,
+    "READ": 1,
+  }
+

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/group/ResourcePermissionType.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/group/ResourcePermissionType.java b/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/group/ResourcePermissionType.java
new file mode 100644
index 0000000..b355864
--- /dev/null
+++ b/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/group/ResourcePermissionType.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ *  @generated
+ */
+package org.apache.airavata.model.group;
+
+
+import java.util.Map;
+import java.util.HashMap;
+import org.apache.thrift.TEnum;
+
+public enum ResourcePermissionType implements org.apache.thrift.TEnum {
+  WRITE(0),
+  READ(1);
+
+  private final int value;
+
+  private ResourcePermissionType(int value) {
+    this.value = value;
+  }
+
+  /**
+   * Get the integer value of this enum value, as defined in the Thrift IDL.
+   */
+  public int getValue() {
+    return value;
+  }
+
+  /**
+   * Find a the enum type by its integer value, as defined in the Thrift IDL.
+   * @return null if the value is not found.
+   */
+  public static ResourcePermissionType findByValue(int value) { 
+    switch (value) {
+      case 0:
+        return WRITE;
+      case 1:
+        return READ;
+      default:
+        return null;
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/group/ResourceType.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/group/ResourceType.java b/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/group/ResourceType.java
new file mode 100644
index 0000000..e9b034a
--- /dev/null
+++ b/airavata-api/airavata-data-models/src/main/java/org/apache/airavata/model/group/ResourceType.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ *  @generated
+ */
+package org.apache.airavata.model.group;
+
+
+import java.util.Map;
+import java.util.HashMap;
+import org.apache.thrift.TEnum;
+
+public enum ResourceType implements org.apache.thrift.TEnum {
+  PROJECT(0),
+  EXPERIMENT(1),
+  DATA(2),
+  OTHER(3);
+
+  private final int value;
+
+  private ResourceType(int value) {
+    this.value = value;
+  }
+
+  /**
+   * Get the integer value of this enum value, as defined in the Thrift IDL.
+   */
+  public int getValue() {
+    return value;
+  }
+
+  /**
+   * Find a the enum type by its integer value, as defined in the Thrift IDL.
+   * @return null if the value is not found.
+   */
+  public static ResourceType findByValue(int value) { 
+    switch (value) {
+      case 0:
+        return PROJECT;
+      case 1:
+        return EXPERIMENT;
+      case 2:
+        return DATA;
+      case 3:
+        return OTHER;
+      default:
+        return null;
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/modules/group-manager/pom.xml
----------------------------------------------------------------------
diff --git a/modules/group-manager/pom.xml b/modules/group-manager/pom.xml
new file mode 100644
index 0000000..19b522c
--- /dev/null
+++ b/modules/group-manager/pom.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>airavata</artifactId>
+        <groupId>org.apache.airavata</groupId>
+        <version>0.16-SNAPSHOT</version>
+        <relativePath>../../pom.xml</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>group-manager</artifactId>
+
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>3.8.1</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>edu.internet2.middleware.grouper</groupId>
+            <artifactId>grouper</artifactId>
+            <version>2.3.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>commons-digester</groupId>
+                    <artifactId>commons-digester</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>xerces</groupId>
+                    <artifactId>xercesImpl</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-digester</groupId>
+            <artifactId>commons-digester</artifactId>
+            <version>1.7</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.hibernate</groupId>
+            <artifactId>hibernate-ehcache</artifactId>
+            <version>5.0.4.Final</version>
+        </dependency>
+
+    </dependencies>
+</project>
\ No newline at end of file
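Review bot: The `grouper` 2.3.0 dependency declared here sits alongside source files this same commit adds under `src/main/java/edu/internet2/middleware/grouper/` (`PermissionEntryDAO`, `Hib3PermissionEntryDAO` and `PermissionFinder` in the diffstat). If those classes also ship in the jar, which copy of the permission-lookup code gets loaded depends on classpath order. A comment above the dependency should record that the override is deliberate and where the copies came from, e.g. `<!-- classes under src/main/java/edu/internet2/middleware/grouper override the jar's; copied from <UPSTREAM_VERSION>, reason: <REASON> -->`. The two `<exclusion>` entries and the re-declared `commons-digester` 1.7 likewise carry no stated reason. The literal versions would be easier to audit and upgrade if they were managed in the parent POM's `<dependencyManagement>`, which is not visible in this hunk.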

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/modules/group-manager/src/main/java/edu/internet2/middleware/grouper/internal/dao/PermissionEntryDAO.java
----------------------------------------------------------------------
diff --git a/modules/group-manager/src/main/java/edu/internet2/middleware/grouper/internal/dao/PermissionEntryDAO.java b/modules/group-manager/src/main/java/edu/internet2/middleware/grouper/internal/dao/PermissionEntryDAO.java
new file mode 100755
index 0000000..120e82c
--- /dev/null
+++ b/modules/group-manager/src/main/java/edu/internet2/middleware/grouper/internal/dao/PermissionEntryDAO.java
@@ -0,0 +1,286 @@
+/**
+ * Copyright 2014 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+  Copyright (C) 2007 University Corporation for Advanced Internet Development, Inc.
+  Copyright (C) 2007 The University Of Chicago
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+*/
+
+package edu.internet2.middleware.grouper.internal.dao;
+
+import edu.internet2.middleware.grouper.Stem;
+import edu.internet2.middleware.grouper.Stem.Scope;
+import edu.internet2.middleware.grouper.permissions.PermissionEntry;
+
+import java.sql.Timestamp;
+import java.util.Collection;
+import java.util.Set;
+
+/** 
+ * Basic <code>PermissionEntry</code> DAO interface.
+ * @author  mchyzer
+ * @version $Id: PermissionEntryDAO.java,v 1.3 2009-10-26 04:52:17 mchyzer Exp $
+ */
+public interface PermissionEntryDAO extends GrouperDAO {
+
+  /**
+   * find all permissions that a subject has
+   * @param memberId
+   * @return the permissions
+   */
+  public Set<PermissionEntry> findByMemberId(String memberId);
+  
+  /**
+   * get attribute assigns by member and attribute def name id
+   * @param memberId
+   * @param attributeDefNameId
+   * @return set of assigns or empty if none there
+   */
+  public Set<PermissionEntry> findByMemberIdAndAttributeDefNameId(String memberId, String attributeDefNameId);
+
+  /**
+   * see if the permission exists and is enabled
+   * @param subjectId
+   * @param sourceId
+   * @param action
+   * @param attributeDefNameName
+   * @return true if has permissions and is enabled
+   */
+  public boolean hasPermissionBySubjectIdSourceIdActionAttributeDefName(String subjectId, String sourceId,
+                                                                        String action, String attributeDefNameName);
+  
+  
+  /**
+   * securely search for assignments.  need to pass in either the assign ids, def ids, def name ids, or group ids
+   * cannot have more than 100 bind variables.  well, you can pass more than 100 members... it will batch
+   * @param attributeDefIds optional
+   * @param attributeDefNameIds mutually exclusive with attributeDefIds
+   * @param roleIds optional
+   * @param actions (null means all actions)
+   * @param enabled (null means all, true means enabled, false means disabled)
+   * @param memberIds
+   * @param noEndDate true if no end date on memberships
+   * @return the permissions
+   */
+  public Set<PermissionEntry> findPermissions(
+          Collection<String> attributeDefIds,
+          Collection<String> attributeDefNameIds,
+          Collection<String> roleIds,
+          Collection<String> actions,
+          Boolean enabled,
+          Collection<String> memberIds,
+          boolean noEndDate);
+
+  /**
+   * securely search for assignments.  need to pass in either the assign ids, def ids, def name ids, or group ids
+   * cannot have more than 100 bind variables.  well, you can pass more than 100 members... it will batch
+   * @param attributeDefIds optional
+   * @param attributeDefNameIds mutually exclusive with attributeDefIds
+   * @param roleIds optional
+   * @param actions (null means all actions)
+   * @param enabled (null means all, true means enabled, false means disabled)
+   * @param memberIds
+   * @param noEndDate true if no end date on memberships
+   * @param permissionNameInStem if looking for permission names in a certain stem, put it here
+   * @param permissionNameInStemScope if looking for permission names in a certain stem, put scope here
+   * @return the permissions
+   */
+  public Set<PermissionEntry> findPermissions(
+          Collection<String> attributeDefIds,
+          Collection<String> attributeDefNameIds,
+          Collection<String> roleIds,
+          Collection<String> actions,
+          Boolean enabled,
+          Collection<String> memberIds,
+          boolean noEndDate, Stem permissionNameInStem, Scope permissionNameInStemScope);
+  
+  /**
+   * securely search for assignments.  need to pass in either the assign ids, def ids, def name ids, or group ids
+   * cannot have more than 100 bind variables.  well, you can pass more than 100 members... it will batch
+   * @param attributeDefIds optional
+   * @param attributeDefNameIds mutually exclusive with attributeDefIds
+   * @param roleIds optional
+   * @param actions (null means all actions)
+   * @param enabled (null means all, true means enabled, false means disabled)
+   * @param memberIds
+   * @param noEndDate true if no end date on memberships
+   * @param permissionNameInStem if looking for permission names in a certain stem, put it here
+   * @param permissionNameInStemScope if looking for permission names in a certain stem, put scope here
+   * @param queryOptions queryOptions for sorting and paging
+   * @return the permissions
+   */
+  public Set<PermissionEntry> findPermissions(
+          Collection<String> attributeDefIds,
+          Collection<String> attributeDefNameIds,
+          Collection<String> roleIds,
+          Collection<String> actions,
+          Boolean enabled,
+          Collection<String> memberIds,
+          boolean noEndDate, Stem permissionNameInStem, Scope permissionNameInStemScope, QueryOptions queryOptions);
+
+
+  /**
+   * securely search for assignments
+   * @param attributeAssignType
+   * @param attributeDefId optional
+   * @param attributeDefNameId mutually exclusive with attributeDefIds
+   * @param ownerRoleId optional
+   * @param ownerStemId optional
+   * @param ownerMemberId optional
+   * @param ownerAttributeDefId optional
+   * @param ownerMembershipId optional
+   * @param action optional
+   * @param enabled (null means all, true means enabled, false means disabled)
+   * @param includeAssignmentsOnAssignments if assignments on assignments should also be included
+   * @return the assignments
+   */
+  public Set<PermissionEntry> findPermissions(
+          String attributeDefId, String attributeDefNameId,
+          String ownerRoleId, String ownerMemberId, String action,
+          Boolean enabled);
+
+  /**
+   * securely search for assignments
+   * @param attributeAssignType
+   * @param attributeDefId optional
+   * @param attributeDefNameId mutually exclusive with attributeDefIds
+   * @param ownerRoleId optional
+   * @param ownerStemId optional
+   * @param ownerAttributeDefId optional
+   * @param ownerMembershipId optional
+   * @param action optional
+   * @param enabled (null means all, true means enabled, false means disabled)
+   * @param includeAssignmentsOnAssignments if assignments on assignments should also be included
+   * @return the assignments
+   */
+  public Set<PermissionEntry> findRolePermissions(
+          String attributeDefId, String attributeDefNameId,
+          String ownerRoleId, String action,
+          Boolean enabled);
+
+  
+  /**
+   * securely search for assignments.  need to pass in either the assign ids, def ids, def name ids, or group ids
+   * cannot have more than 100 bind variables
+   * @param attributeDefIds optional
+   * @param attributeDefNameIds mutually exclusive with attributeDefIds
+   * @param roleIds optional
+   * @param actions (null means all actions)
+   * @param enabled (null means all, true means enabled, false means disabled)
+   * @param memberIds
+   * @return the permissions
+   */
+  public Set<PermissionEntry> findPermissions(
+          Collection<String> attributeDefIds,
+          Collection<String> attributeDefNameIds,
+          Collection<String> roleIds,
+          Collection<String> actions,
+          Boolean enabled,
+          Collection<String> memberIds);
+
+  /**
+   * Find all permissions based on attributeDefinition, and a range of disabled dates
+   * @param attributeDefId 
+   * @param disabledDateFrom null if dont consider
+   * @param disabledDateTo null if dont consider
+   * @return the permission records
+   */
+  public Set<PermissionEntry> findPermissionsByAttributeDefDisabledRange(String attributeDefId,
+                                                                         Timestamp disabledDateFrom, Timestamp disabledDateTo);
+
+
+  /**
+   * find subjects who are not in a group but who have permissions
+   * @param attributeDefId
+   * @param groupId
+   * @param immediateRoleMembershipsOrRoleSubject
+   * @param queryOptions
+   * @param enabled
+   * @param hasNoEndDate
+   * @return the set of members
+   */
+  public Set<PermissionEntry> findAllPermissionsNotInGroupAndType(String attributeDefId, String groupId,
+                                                                  boolean immediateRoleMembershipsOrRoleSubject, QueryOptions queryOptions, Boolean enabled, boolean hasNoEndDate);
+
+  /**
+   * find subjects who are not in a group but who have permissions
+   * @param attributeDefId
+   * @param stem
+   * @param stemScope
+   * @param immediateRoleMembershipsOrRoleSubject
+   * @param queryOptions
+   * @param enabled
+   * @param hasNoEndDate
+   * @return the set of members
+   */
+  public Set<PermissionEntry> findAllPermissionsNotInStem(String attributeDefId, Stem stem, Stem.Scope stemScope,
+                                                          boolean immediateRoleMembershipsOrRoleSubject, QueryOptions queryOptions, Boolean enabled, boolean hasNoEndDate);
+
+  /**
+   * securely search for role assignments.  need to pass in either the assign ids, def ids, def name ids, or group ids
+   * cannot have more than 100 bind variables
+   * @param attributeDefIds optional
+   * @param attributeDefNameIds mutually exclusive with attributeDefIds
+   * @param roleIds optional
+   * @param actions (null means all actions)
+   * @param enabled (null means all, true means enabled, false means disabled)
+   * @param memberIds
+   * @param noEndDate true if no end date on memberships
+   * @return the permissions
+   */
+  public Set<PermissionEntry> findRolePermissions(
+          Collection<String> attributeDefIds,
+          Collection<String> attributeDefNameIds,
+          Collection<String> roleIds,
+          Collection<String> actions,
+          Boolean enabled,
+          boolean noEndDate);
+
+  /**
+   * securely search for role assignments.  need to pass in either the assign ids, def ids, def name ids, or group ids
+   * cannot have more than 100 bind variables
+   * @param attributeDefIds optional
+   * @param attributeDefNameIds mutually exclusive with attributeDefIds
+   * @param roleIds optional
+   * @param actions (null means all actions)
+   * @param enabled (null means all, true means enabled, false means disabled)
+   * @param memberIds
+   * @param noEndDate true if no end date on memberships
+   * @param permissionNameInStem if looking for permission names in a certain stem, put it here
+   * @param permissionNameInStemScope if looking for permission names in a certain stem, put scope here
+   * @return the permissions
+   */
+  public Set<PermissionEntry> findRolePermissions(
+          Collection<String> attributeDefIds,
+          Collection<String> attributeDefNameIds,
+          Collection<String> roleIds,
+          Collection<String> actions,
+          Boolean enabled,
+          boolean noEndDate, Stem permissionNameInStem, Scope permissionNameInStemScope);
+
+} 
+
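Review bot: The Javadoc on this interface labels the `findPermissions` / `findRolePermissions` overloads "securely search" but says nothing comparable for `findByMemberId`, `findByMemberIdAndAttributeDefNameId` and `hasPermissionBySubjectIdSourceIdActionAttributeDefName`, so the contract does not tell a caller which lookups are limited to what the session subject may read. In the `Hib3PermissionEntryDAO` implementation added by this same commit, those three methods run their query without the `hqlFilterAttrDefsWhereClause`, `hqlFilterGroupsWhereClause` and `postHqlFilterPermissions` steps that the nine-argument `findPermissions` applies. I would say so on each of the three, e.g. `* Not filtered by the GrouperSession subject's read privileges; the caller must authorize the request first.`, and spell out once on `findPermissions` what "securely" is meant to guarantee (presumably that privilege filtering). Separately, the `@param` lists on the `String`-argument `findPermissions` and `findRolePermissions` name parameters that are not in their signatures (`attributeAssignType`, `ownerStemId`, `ownerAttributeDefId`, `ownerMembershipId`, `includeAssignmentsOnAssignments`), and both `Collection`-argument `findRolePermissions` overloads document a `memberIds` they do not take.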

http://git-wip-us.apache.org/repos/asf/airavata/blob/89e0fdc8/modules/group-manager/src/main/java/edu/internet2/middleware/grouper/internal/dao/hib3/Hib3PermissionEntryDAO.java
----------------------------------------------------------------------
diff --git a/modules/group-manager/src/main/java/edu/internet2/middleware/grouper/internal/dao/hib3/Hib3PermissionEntryDAO.java b/modules/group-manager/src/main/java/edu/internet2/middleware/grouper/internal/dao/hib3/Hib3PermissionEntryDAO.java
new file mode 100755
index 0000000..244d8d2
--- /dev/null
+++ b/modules/group-manager/src/main/java/edu/internet2/middleware/grouper/internal/dao/hib3/Hib3PermissionEntryDAO.java
@@ -0,0 +1,1123 @@
+/**
+ * Copyright 2014 Internet2
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+  Copyright (C) 2004-2007 University Corporation for Advanced Internet Development, Inc.
+  Copyright (C) 2004-2007 The University Of Chicago
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+*/
+
+package edu.internet2.middleware.grouper.internal.dao.hib3;
+import edu.internet2.middleware.grouper.Group;
+import edu.internet2.middleware.grouper.GrouperSession;
+import edu.internet2.middleware.grouper.Stem;
+import edu.internet2.middleware.grouper.Stem.Scope;
+import edu.internet2.middleware.grouper.cfg.GrouperConfig;
+import edu.internet2.middleware.grouper.hibernate.ByHqlStatic;
+import edu.internet2.middleware.grouper.hibernate.HibUtils;
+import edu.internet2.middleware.grouper.hibernate.HibernateSession;
+import edu.internet2.middleware.grouper.internal.dao.PermissionEntryDAO;
+import edu.internet2.middleware.grouper.internal.dao.QueryOptions;
+import edu.internet2.middleware.grouper.internal.dao.QuerySort;
+import edu.internet2.middleware.grouper.permissions.PermissionEntry;
+import edu.internet2.middleware.grouper.permissions.PermissionEntryImpl;
+import edu.internet2.middleware.grouper.privs.AccessPrivilege;
+import edu.internet2.middleware.grouper.privs.AttributeDefPrivilege;
+import edu.internet2.middleware.grouper.util.GrouperUtil;
+import edu.internet2.middleware.subject.Subject;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+
+import java.sql.Timestamp;
+import java.util.*;
+
+/**
+ * Basic Hibernate <code>PermissionEntry</code> DAO interface.
+ * @author  Chris Hyzer
+ * @version $Id: Hib3PermissionEntryDAO.java,v 1.4 2009-10-26 04:52:17 mchyzer Exp $
+ */
+public class Hib3PermissionEntryDAO extends Hib3DAO implements PermissionEntryDAO {
+
+  /** logger */
+  @SuppressWarnings("unused")
+  private static final Log LOG = GrouperUtil.getLog(Hib3PermissionEntryDAO.class);
+
+  /** */
+  private static final String KLASS = Hib3PermissionEntryDAO.class.getName();
+  
+  private static final String PERMISSION_ENTRY_COLUMNS = "gr.nameDb as roleName, gm.subjectSourceIdDb as subjectSourceId, gm.subjectIdDb as subjectId, gaaa.nameDb as action, gadn.nameDb as attributeDefNameName, gadn.displayNameDb as attributeDefNameDispName, gr.displayNameDb as roleDisplayName, gaa.attributeAssignDelegatableDb as attributeAssignDelegatableDb, gaa.enabledDb as enabledDb, gaa.enabledTimeDb as enabledTimeDb, gaa.disabledTimeDb as disabledTimeDb, gr.uuid as roleId, gadn.attributeDefId as attributeDefId, gm.uuid as memberId, gadn.id as attributeDefNameId, gaaa.id as actionId, gmav.depth as membershipDepth, grs.depth as roleSetDepth, gadns.depth as attributeDefNameSetDepth, gaaas.depth as attributeAssignActionSetDepth, gmav.uuid as membershipId, gaa.id as attributeAssignId, gaa.attributeAssignTypeDb as attributeAssignTypeDb, gaa.notes as assignmentNotes, gmav.enabledTimeDb as immediateMshipEnabledTimeDb, gmav.disabledTimeDb as immediateMshipDisabledTimeDb, gaa.disallowedD
 b as disallowedDb";
+
+  private static final String PERMISSION_ENTRY_TABLES = "Group gr, MembershipEntry gmav, Member gm, Field gf, RoleSet grs, AttributeDef gad, AttributeAssign gaa, AttributeDefName gadn, AttributeDefNameSet gadns, AttributeAssignAction gaaa, AttributeAssignActionSet gaaas";
+  
+  private static final String PERMISSION_ENTRY_WHERE_CLAUSE = "gmav.ownerGroupId = gr.uuid and gmav.fieldId = gf.uuid and gr.typeOfGroupDb = 'role' and gf.typeString = 'list' and gf.name = 'members' and gmav.enabledDb = 'T' and gmav.memberUuid = gm.id and gadn.attributeDefId = gad.id and gad.attributeDefTypeDb = 'perm' and gaa.attributeDefNameId = gadns.ifHasAttributeDefNameId and gadn.id = gadns.thenHasAttributeDefNameId and gaa.attributeAssignActionId = gaaas.ifHasAttrAssignActionId and gaaa.id = gaaas.thenHasAttrAssignActionId and ((grs.ifHasRoleId = gr.uuid and gaa.ownerGroupId = grs.thenHasRoleId  and gaa.attributeAssignTypeDb = 'group') or (grs.ifHasRoleId = gr.uuid and grs.thenHasRoleId = gr.uuid and gmav.ownerGroupId = gaa.ownerGroupId and gmav.memberUuid = gaa.ownerMemberId and gaa.attributeAssignTypeDb = 'any_mem'))";
+  
+  /**
+   * 
+   * @see edu.internet2.middleware.grouper.internal.dao.PermissionEntryDAO#findByMemberId(String)
+   */
+  public Set<PermissionEntry> findByMemberId(String memberId) {
+
+    String sql = 
+      "select distinct " + PERMISSION_ENTRY_COLUMNS + " from " + PERMISSION_ENTRY_TABLES + " where " + PERMISSION_ENTRY_WHERE_CLAUSE + " " +
+      "and gm.uuid = :theMemberId ";
+    
+    Set<PermissionEntryImpl> permissionData = HibernateSession.byHqlStatic().createQuery(sql)
+      .setString("theMemberId", memberId)
+      .assignConvertHqlColumnsToObject(true)
+      .listSet(PermissionEntryImpl.class);
+    
+    return new LinkedHashSet<PermissionEntry>(permissionData);
+  }
+
+  /**
+   * 
+   * @see edu.internet2.middleware.grouper.internal.dao.PermissionEntryDAO#hasPermissionBySubjectIdSourceIdActionAttributeDefName(String, String, String, String)
+   */
+  public boolean hasPermissionBySubjectIdSourceIdActionAttributeDefName(String subjectId, String sourceId, 
+      String action, String attributeDefNameName) {
+    Long count = HibernateSession.byHqlStatic().createQuery(
+        "select count(*) from " + PERMISSION_ENTRY_TABLES + " where " + PERMISSION_ENTRY_WHERE_CLAUSE + " " +
+              "and gm.subjectIdDb = :theSubjectId " +
+              "and gm.subjectSourceIdDb = :theSubjectSourceId " +
+              "and gaaa.nameDb = :theAction " +
+              "and gadn.nameDb = :theAttributeDefNameName")
+        .setString("theSubjectId", subjectId)
+        .setString("theSubjectSourceId", sourceId)
+        .setString("theAction", action)
+        .setString("theAttributeDefNameName", attributeDefNameName)
+        .uniqueResult(Long.class);
+
+    return count > 0;
+  }
+
+  /**
+   * @see edu.internet2.middleware.grouper.internal.dao.PermissionEntryDAO#findByMemberIdAndAttributeDefNameId(String, String)
+   */
+  public Set<PermissionEntry> findByMemberIdAndAttributeDefNameId(String memberId,
+      String attributeDefNameId) {
+    Set<PermissionEntryImpl> permissionEntries = HibernateSession.byHqlStatic().createQuery(
+      "select " + PERMISSION_ENTRY_COLUMNS + " from " + PERMISSION_ENTRY_TABLES + " where " + PERMISSION_ENTRY_WHERE_CLAUSE +
+      " and gm.uuid = :theMemberId" +
+      " and gadn.id = :theAttributeDefNameId")
+      .setString("theMemberId", memberId)
+      .setString("theAttributeDefNameId", attributeDefNameId)
+      .assignConvertHqlColumnsToObject(true)
+      .listSet(PermissionEntryImpl.class);
+  
+    return new LinkedHashSet<PermissionEntry>(permissionEntries);
+  }
+
+  /**
+   * @see edu.internet2.middleware.grouper.internal.dao.PermissionEntryDAO#findPermissions(Collection, Collection, Collection, Collection, Boolean, Collection)
+   */
+  public Set<PermissionEntry> findPermissions(Collection<String> attributeDefIds,
+      Collection<String> attributeDefNameIds, Collection<String> roleIds,
+      Collection<String> actions, Boolean enabled, Collection<String> memberIds) {
+    return findPermissions(attributeDefIds, attributeDefNameIds, roleIds, actions, enabled, memberIds, false);
+  }
+    
+  /**
+   * @see edu.internet2.middleware.grouper.internal.dao.PermissionEntryDAO#findPermissions(Collection, Collection, Collection, Collection, Boolean, Collection, boolean)
+   */
+  public Set<PermissionEntry> findPermissions(Collection<String> attributeDefIds,
+      Collection<String> attributeDefNameIds, Collection<String> roleIds,
+      Collection<String> actions, Boolean enabled, Collection<String> memberIdsTotal, boolean noEndDate) {
+    return findPermissions(attributeDefIds, attributeDefNameIds, roleIds, actions, enabled, memberIdsTotal, false, null, null);
+  }
+    
+  /**
+   * @see edu.internet2.middleware.grouper.internal.dao.PermissionEntryDAO#findPermissions(Collection, Collection, Collection, Collection, Boolean, Collection, boolean, Stem, Scope)
+   */
+  public Set<PermissionEntry> findPermissions(Collection<String> attributeDefIds,
+      Collection<String> attributeDefNameIds, Collection<String> roleIds,
+      Collection<String> actions, Boolean enabled, Collection<String> memberIdsTotal, 
+      boolean noEndDate, Stem permissionNameInStem, Scope permissionNameInStemScope) {
+    
+    Set<PermissionEntry> totalResults = new LinkedHashSet<PermissionEntry>();
+
+    int numberOfMemberBatches = GrouperUtil.batchNumberOfBatches(memberIdsTotal, 100);
+    
+    boolean hasMemberBatches = numberOfMemberBatches > 0;
+    //there needs to be at least one batch
+    numberOfMemberBatches = numberOfMemberBatches == 0 ? 1 : numberOfMemberBatches;
+    
+    List<String> membersIdsTotalList = memberIdsTotal instanceof List ? (List)memberIdsTotal 
+        : new ArrayList<String>(GrouperUtil.nonNull(memberIdsTotal));
+    
+    for (int memberBatchIndex=0;memberBatchIndex<numberOfMemberBatches;memberBatchIndex++) {
+      
+      //if no batches, just use null
+      List<String> memberIds = hasMemberBatches ? GrouperUtil.batchList(membersIdsTotalList, 100, memberBatchIndex) : null;
+      
+      int memberIdsSize = GrouperUtil.length(memberIds);
+      int roleIdsSize = GrouperUtil.length(roleIds);
+      int actionsSize = GrouperUtil.length(actions);
+      int attributeDefIdsSize = GrouperUtil.length(attributeDefIds);
+      int attributeDefNameIdsSize = GrouperUtil.length(attributeDefNameIds);
+      
+      //if (memberIdsSize == 0 && roleIdsSize == 0 && attributeDefIdsSize == 0 && attributeDefNameIdsSize == 0) {
+      //  throw new RuntimeException("Illegal query, you need to pass in members and/or attributeDefId(s) and/or roleId(s) and/or roleNames and/or attributeDefNameIds");
+      //}
+      
+      //too many bind vars... note, we can batch up the memberIds
+      if (memberIdsSize + roleIdsSize + attributeDefIdsSize + attributeDefNameIdsSize + actionsSize > 180) {
+        throw new RuntimeException("Too many memberIdsSize " + memberIdsSize 
+            + " roleIdsSize " + roleIdsSize + " or attributeDefIdsSize " 
+            + attributeDefIdsSize + " or attributeDefNameIds " + attributeDefNameIdsSize + " or actionsSize " + actionsSize );
+      }
+
+      
+      
+      ByHqlStatic byHqlStatic = HibernateSession.byHqlStatic();
+
+      String selectPrefix = "select distinct " + PERMISSION_ENTRY_COLUMNS + " ";
+      
+      //doesnt work due to composite key, hibernate puts parens around it and mysql fails
+      //String countPrefix = "select count(distinct pea) ";
+      
+      StringBuilder sqlTables = new StringBuilder(" from " + PERMISSION_ENTRY_TABLES + " ");
+
+      if (permissionNameInStem != null && permissionNameInStemScope == Scope.ONE) {
+        sqlTables.append(" , AttributeDefName adn2 ");
+      }
+      
+      StringBuilder sqlWhereClause = new StringBuilder(" " + PERMISSION_ENTRY_WHERE_CLAUSE + " ");
+      
+      GrouperSession grouperSession = GrouperSession.staticGrouperSession();
+      
+      Subject grouperSessionSubject = grouperSession.getSubject();
+      
+      grouperSession.getAttributeDefResolver().hqlFilterAttrDefsWhereClause(
+        grouperSessionSubject, byHqlStatic, 
+        sqlTables, sqlWhereClause, "gadn.attributeDefId", AttributeDefPrivilege.ATTR_READ_PRIVILEGES);
+      
+      boolean changedQuery = grouperSession.getAccessResolver().hqlFilterGroupsWhereClause(
+          grouperSessionSubject, byHqlStatic, 
+          sqlTables, "gr.uuid", AccessPrivilege.ATTRIBUTE_READ_PRIVILEGES);
+
+      StringBuilder sql;
+      if (changedQuery) {
+        if (sqlWhereClause.length() > 0) {
+          sql = sqlTables.append(" and ").append(sqlWhereClause);
+        } else {
+          throw new RuntimeException("Unexpected.");
+        }
+      } else {
+        sql = sqlTables.append(" where ").append(sqlWhereClause);
+      }
+      
+      if (enabled != null && enabled) {
+        sql.append(" and gaa.enabledDb = 'T' ");
+      }
+      if (enabled != null && !enabled) {
+        sql.append(" and gaa.enabledDb = 'F' ");
+      }
+      
+      if (permissionNameInStem != null) {
+        switch (permissionNameInStemScope) {
+          case ONE:
+            sql.append(" and gadn.id = adn2.id and adn2.stemId = :stemId ");
+            byHqlStatic.setString("stemId", permissionNameInStem.getUuid());
+            break;
+          case SUB:
+            
+            sql.append(" and gadn.nameDb like :stemSub ");
+            byHqlStatic.setString("stemSub", permissionNameInStem.getName() + ":%");
+            
+            break;
+          default:
+            throw new RuntimeException("Not expecting permissionNameInStemScope: " + permissionNameInStemScope);
+        }
+      }
+
+      
+      if (noEndDate) {
+        sql.append(" and gmav.disabledTimeDb is null ");
+        sql.append(" and gaa.disabledTimeDb is null ");
+      }
+      
+      if (actionsSize > 0) {
+        sql.append(" and gaaa.nameDb in (");
+        sql.append(HibUtils.convertToInClause(actions, byHqlStatic));
+        sql.append(") ");
+      }
+      if (roleIdsSize > 0) {
+        sql.append(" and gr.uuid in (");
+        sql.append(HibUtils.convertToInClause(roleIds, byHqlStatic));
+        sql.append(") ");
+      }
+      if (attributeDefIdsSize > 0) {
+        sql.append(" and gadn.attributeDefId in (");
+        sql.append(HibUtils.convertToInClause(attributeDefIds, byHqlStatic));
+        sql.append(") ");
+      }
+      if (attributeDefNameIdsSize > 0) {
+        sql.append(" and gadn.id in (");
+        sql.append(HibUtils.convertToInClause(attributeDefNameIds, byHqlStatic));
+        sql.append(") ");
+      }
+      if (memberIdsSize > 0) {
+        sql.append(" and gm.uuid in (");
+        sql.append(HibUtils.convertToInClause(memberIds, byHqlStatic));
+        sql.append(") ");
+      }
+      
+      QueryOptions queryOptions = new QueryOptions();
+      QuerySort querySort = new QuerySort("gm.subjectIdDb", true);
+      querySort.insertSortToBeginning("gaaa.nameDb", true);
+      querySort.insertSortToBeginning("gr.displayNameDb", true);
+      querySort.insertSortToBeginning("gadn.displayNameDb", true);
+      queryOptions.sort(querySort);
+      
+      System.out.println("TEST TEST TEST");
+      
+      byHqlStatic
+        .setCacheable(false)
+        .setCacheRegion(KLASS + ".findPermissions").options(queryOptions);
+
+      int maxAssignments = GrouperConfig.retrieveConfig().propertyValueInt("ws.findPermissions.maxResultSize", 30000);
+      
+      String sqlString = sql.toString();
+      
+      //if we did where and, then switch to where
+      sqlString = sqlString.replaceAll("where\\s+and", "where");
+
+      //if we end in where, strip it out
+      sqlString = sqlString.trim();
+      if (sqlString.endsWith("where")) {
+        sqlString = sqlString.substring(0, sqlString.length()-5);
+      }
+
+      Set<PermissionEntryImpl> permissionData = byHqlStatic.createQuery(selectPrefix + sqlString)
+        .assignConvertHqlColumnsToObject(true)
+        .listSet(PermissionEntryImpl.class);
+      
+      int size = GrouperUtil.length(permissionData);
+      if (maxAssignments >= 0) {
+
+        //doesnt work on mysql i think due to hibernate and composite key
+        //size = byHqlStatic.createQuery(countPrefix + sqlString).uniqueResult(long.class);    
+        
+        //see if too many
+        if (size > maxAssignments) {
+          throw new RuntimeException("Too many results: " + size);
+        }
+        
+      }
+      
+
+      //nothing to filter
+      if (size == 0) {
+        continue;
+      }
+      
+      Set<PermissionEntry> results = new LinkedHashSet<PermissionEntry>(permissionData);
+      
+      //if the hql didnt filter, we need to do that here
+      results = grouperSession.getAttributeDefResolver().postHqlFilterPermissions(grouperSessionSubject, results);
+      
+      //we should be down to the secure list
+      totalResults.addAll(results);
+    }
+      
+    return totalResults;
+  }
+  
+  /**
+   * @see edu.internet2.middleware.grouper.internal.dao.PermissionEntryDAO#findPermissions(Collection, Collection, Collection, Collection, Boolean, Collection, boolean, Stem, Scope, QueryOptions)
+   */
+  public Set<PermissionEntry> findPermissions(Collection<String> attributeDefIds,
+      Collection<String> attributeDefNameIds, Collection<String> roleIds,
+      Collection<String> actions, Boolean enabled, Collection<String> memberIdsTotal, 
+      boolean noEndDate, Stem permissionNameInStem, Scope permissionNameInStemScope, QueryOptions queryOptions) {
+    
+    Set<PermissionEntry> totalResults = new LinkedHashSet<PermissionEntry>();
+
+    int numberOfMemberBatches = GrouperUtil.batchNumberOfBatches(memberIdsTotal, 100);
+    
+    boolean hasMemberBatches = numberOfMemberBatches > 0;
+    //there needs to be at least one batch
+    numberOfMemberBatches = numberOfMemberBatches == 0 ? 1 : numberOfMemberBatches;
+    
+    List<String> membersIdsTotalList = memberIdsTotal instanceof List ? (List)memberIdsTotal 
+        : new ArrayList<String>(GrouperUtil.nonNull(memberIdsTotal));
+    
+    for (int memberBatchIndex=0;memberBatchIndex<numberOfMemberBatches;memberBatchIndex++) {
+      
+      //if no batches, just use null
+      List<String> memberIds = hasMemberBatches ? GrouperUtil.batchList(membersIdsTotalList, 100, memberBatchIndex) : null;
+      
+      int memberIdsSize = GrouperUtil.length(memberIds);
+      int roleIdsSize = GrouperUtil.length(roleIds);
+      int actionsSize = GrouperUtil.length(actions);
+      int attributeDefIdsSize = GrouperUtil.length(attributeDefIds);
+      int attributeDefNameIdsSize = GrouperUtil.length(attributeDefNameIds);
+      
+      //if (memberIdsSize == 0 && roleIdsSize == 0 && attributeDefIdsSize == 0 && attributeDefNameIdsSize == 0) {
+      //  throw new RuntimeException("Illegal query, you need to pass in members and/or attributeDefId(s) and/or roleId(s) and/or roleNames and/or attributeDefNameIds");
+      //}
+      
+      //too many bind vars... note, we can batch up the memberIds
+      if (memberIdsSize + roleIdsSize + attributeDefIdsSize + attributeDefNameIdsSize + actionsSize > 180) {
+        throw new RuntimeException("Too many memberIdsSize " + memberIdsSize 
+            + " roleIdsSize " + roleIdsSize + " or attributeDefIdsSize " 
+            + attributeDefIdsSize + " or attributeDefNameIds " + attributeDefNameIdsSize + " or actionsSize " + actionsSize );
+      }
+
+      
+      
+      ByHqlStatic byHqlStatic = HibernateSession.byHqlStatic();
+
+      String selectPrefix = "select distinct " + PERMISSION_ENTRY_COLUMNS + " ";
+      
+      //doesnt work due to composite key, hibernate puts parens around it and mysql fails
+      //String countPrefix = "select count(distinct pea) ";
+      
+      StringBuilder sqlTables = new StringBuilder(" from " + PERMISSION_ENTRY_TABLES + " ");
+
+      if (permissionNameInStem != null && permissionNameInStemScope == Scope.ONE) {
+        sqlTables.append(" , AttributeDefName adn2 ");
+      }
+      
+      StringBuilder sqlWhereClause = new StringBuilder(" " + PERMISSION_ENTRY_WHERE_CLAUSE + " ");
+      
+      GrouperSession grouperSession = GrouperSession.staticGrouperSession();
+      
+      Subject grouperSessionSubject = grouperSession.getSubject();
+      
+      grouperSession.getAttributeDefResolver().hqlFilterAttrDefsWhereClause(
+        grouperSessionSubject, byHqlStatic, 
+        sqlTables, sqlWhereClause, "gadn.attributeDefId", AttributeDefPrivilege.ATTR_READ_PRIVILEGES);
+      
+      boolean changedQuery = grouperSession.getAccessResolver().hqlFilterGroupsWhereClause(
+          grouperSessionSubject, byHqlStatic, 
+          sqlTables, "gr.uuid", AccessPrivilege.ATTRIBUTE_READ_PRIVILEGES);
+
+      StringBuilder sql;
+      if (changedQuery) {
+        if (sqlWhereClause.length() > 0) {
+          sql = sqlTables.append(" and ").append(sqlWhereClause);
+        } else {
+          throw new RuntimeException("Unexpected.");
+        }
+      } else {
+        sql = sqlTables.append(" where ").append(sqlWhereClause);
+      }
+      
+      if (enabled != null && enabled) {
+        sql.append(" and gaa.enabledDb = 'T' ");
+      }
+      if (enabled != null && !enabled) {
+        sql.append(" and gaa.enabledDb = 'F' ");
+      }
+      
+      if (permissionNameInStem != null) {
+        switch (permissionNameInStemScope) {
+          case ONE:
+            sql.append(" and gadn.id = adn2.id and adn2.stemId = :stemId ");
+            byHqlStatic.setString("stemId", permissionNameInStem.getUuid());
+            break;
+          case SUB:
+            
+            sql.append(" and gadn.nameDb like :stemSub ");
+            byHqlStatic.setString("stemSub", permissionNameInStem.getName() + ":%");
+            
+            break;
+          default:
+            throw new RuntimeException("Not expecting permissionNameInStemScope: " + permissionNameInStemScope);
+        }
+      }
+
+      
+      if (noEndDate) {
+        sql.append(" and gmav.disabledTimeDb is null ");
+        sql.append(" and gaa.disabledTimeDb is null ");
+      }
+      
+      if (actionsSize > 0) {
+        sql.append(" and gaaa.nameDb in (");
+        sql.append(HibUtils.convertToInClause(actions, byHqlStatic));
+        sql.append(") ");
+      }
+      if (roleIdsSize > 0) {
+        sql.append(" and gr.uuid in (");
+        sql.append(HibUtils.convertToInClause(roleIds, byHqlStatic));
+        sql.append(") ");
+      }
+      if (attributeDefIdsSize > 0) {
+        sql.append(" and gadn.attributeDefId in (");
+        sql.append(HibUtils.convertToInClause(attributeDefIds, byHqlStatic));
+        sql.append(") ");
+      }
+      if (attributeDefNameIdsSize > 0) {
+        sql.append(" and gadn.id in (");
+        sql.append(HibUtils.convertToInClause(attributeDefNameIds, byHqlStatic));
+        sql.append(") ");
+      }
+      if (memberIdsSize > 0) {
+        sql.append(" and gm.uuid in (");
+        sql.append(HibUtils.convertToInClause(memberIds, byHqlStatic));
+        sql.append(") ");
+      }
+      
+      if (queryOptions == null) {
+        queryOptions = new QueryOptions();
+      }
+      // don't let the client override the sorting settings
+      QuerySort querySort = new QuerySort("gm.subjectIdDb", true);
+      querySort.insertSortToBeginning("gaaa.nameDb", true);
+      querySort.insertSortToBeginning("gr.displayNameDb", true);
+      querySort.insertSortToBeginning("gadn.displayNameDb", true);
+      queryOptions.sort(querySort);
+      
+            
+      byHqlStatic
+        .setCacheable(false)
+        .setCacheRegion(KLASS + ".findPermissions").options(queryOptions);
+
+      int maxAssignments = GrouperConfig.retrieveConfig().propertyValueInt("ws.findPermissions.maxResultSize", 30000);
+      
+      String sqlString = sql.toString();
+      
+      //if we did where and, then switch to where
+      sqlString = sqlString.replaceAll("where\\s+and", "where");
+
+      //if we end in where, strip it out
+      sqlString = sqlString.trim();
+      if (sqlString.endsWith("where")) {
+        sqlString = sqlString.substring(0, sqlString.length()-5);
+      }
+
+      Set<PermissionEntryImpl> permissionData = byHqlStatic.createQuery(selectPrefix + sqlString)
+        .assignConvertHqlColumnsToObject(true)
+        .listSet(PermissionEntryImpl.class);
+      
+      int size = GrouperUtil.length(permissionData);
+      if (maxAssignments >= 0) {
+
+        //doesnt work on mysql i think due to hibernate and composite key
+        //size = byHqlStatic.createQuery(countPrefix + sqlString).uniqueResult(long.class);    
+        
+        //see if too many
+        if (size > maxAssignments) {
+          throw new RuntimeException("Too many results: " + size);
+        }
+        
+      }
+      
+
+      //nothing to filter
+      if (size == 0) {
+        continue;
+      }
+      
+      Set<PermissionEntry> results = new LinkedHashSet<PermissionEntry>(permissionData);
+      
+      //if the hql didnt filter, we need to do that here
+      results = grouperSession.getAttributeDefResolver().postHqlFilterPermissions(grouperSessionSubject, results);
+      
+      //we should be down to the secure list
+      totalResults.addAll(results);
+    }
+      
+    return totalResults;
+  }
+
+  /**
+   * @see PermissionEntryDAO#findPermissionsByAttributeDefDisabledRange(String, Timestamp, Timestamp)
+   * find permissions by attribute definition which are about to expire
+   */
+  public Set<PermissionEntry> findPermissionsByAttributeDefDisabledRange(
+      String attributeDefId, Timestamp disabledDateFrom, Timestamp disabledDateTo) {
+    
+    if (disabledDateFrom == null && disabledDateTo == null) {
+      throw new RuntimeException("Need to pass in disabledFrom or disabledTo");
+    }
+    
+    //if they got it backwards, then fix it for them
+    if (disabledDateFrom != null && disabledDateTo != null 
+        && disabledDateFrom.getTime() > disabledDateTo.getTime()) {
+      
+      Timestamp temp = disabledDateFrom;
+      disabledDateFrom = disabledDateTo;
+      disabledDateTo = temp;
+      
+    }
+    
+    ByHqlStatic byHqlStatic = HibernateSession.byHqlStatic();
+
+    StringBuilder sql = new StringBuilder(
+        "select " + PERMISSION_ENTRY_COLUMNS + " from " + PERMISSION_ENTRY_TABLES + ", AttributeDefName theAttributeDefName where " + PERMISSION_ENTRY_WHERE_CLAUSE
+        + " and gadn.id = theAttributeDefName.id "
+        + " and theAttributeDefName.attributeDefId   = :theAttributeDefId "
+        + " and gm.uuid is not null "
+        + " and gaa.enabledDb = 'T' ");
+    
+    if (disabledDateFrom != null) {
+      sql.append(" and gaa.disabledTimeDb >= :disabledDateFrom ");
+      byHqlStatic.setLong( "disabledDateFrom" , disabledDateFrom.getTime() );
+    }
+    if (disabledDateTo != null) {
+      sql.append(" and gaa.disabledTimeDb <= :disabledDateTo ");
+      byHqlStatic.setLong( "disabledDateTo" , disabledDateTo.getTime() );
+    }
+
+    sql.append(
+        " and not exists ( select gaaInner.id from " + PERMISSION_ENTRY_TABLES.replaceAll("(\\w+) (\\w+)", "$1 $2Inner") + " where " + PERMISSION_ENTRY_WHERE_CLAUSE.replace(".", "Inner.") +
+        " and gadnInner.id = gadn.id " +
+        " and gaaaInner.id = gaaa.id " +
+        //note, who cares which role it is, if the user has the permission...  (not exactly right if not flattening permissions, but thats ok)
+        //" and validPermissionEntry.roleId = thePermissionEntry.roleId " +
+        " and gmInner.uuid = gm.uuid " +
+        " and gaaInner.enabledDb = 'T' and ( gaaInner.disabledTimeDb is null ");
+
+    if (disabledDateTo != null) {
+      sql.append(" or gaaInner.disabledTimeDb > :disabledDateTo ");
+    } else if (disabledDateFrom != null) {
+      sql.append(" or gaaInner.disabledTimeDb < :disabledDateFrom ");
+    }
+    
+    
+    sql.append(") )");
+    
+    Set<PermissionEntryImpl> permissionEntries = byHqlStatic
+      .createQuery(sql.toString())
+      .setCacheable(false)
+      .setCacheRegion(KLASS + ".FindPermissionsByAttributeDefDisabledRange")
+      .setString( "theAttributeDefId" , attributeDefId )
+      .assignConvertHqlColumnsToObject(true)
+      .listSet(PermissionEntryImpl.class);
+
+    return new LinkedHashSet<PermissionEntry>(permissionEntries);
+
+    
+  }
+
+  /**
+   * @see PermissionEntryDAO#findAllPermissionsNotInGroupAndType(String, String, boolean, QueryOptions, Boolean, boolean)
+   */
+  public Set<PermissionEntry> findAllPermissionsNotInGroupAndType(String attributeDefId,
+      String groupId, boolean immediateRoleMembershipsOrRoleSubject, QueryOptions queryOptions,
+      Boolean enabled, boolean hasNoEndDate) {
+
+    StringBuilder sql = new StringBuilder(
+        "select " + PERMISSION_ENTRY_COLUMNS + " from " + PERMISSION_ENTRY_TABLES + ", AttributeDefName theAttributeDefName where " + PERMISSION_ENTRY_WHERE_CLAUSE
+        + " and gadn.id = theAttributeDefName.id "
+        + " and theAttributeDefName.attributeDefId   = :theAttributeDefId "
+        + " and gm.uuid is not null ");
+    
+    if (enabled != null) {
+      sql.append(" and gaa.enabledDb = 'T' ");
+    }
+
+    if (immediateRoleMembershipsOrRoleSubject) {
+      //either t
+      sql.append(" and (gmav.depth = 0 " );
+      sql.append(" or gaa.attributeAssignTypeDb != 'group' ) " );
+    }
+
+    if (hasNoEndDate) {
+      sql.append(" and gaa.disabledTimeDb is null ");
+      sql.append(" and gmav.disabledTimeDb is null ");
+    }
+
+    sql.append(" and  gm.uuid not in ( select notInMembershipEntry.memberUuid from MembershipEntry as notInMembershipEntry " +
+        " where notInMembershipEntry.ownerGroupId = :ownerGroupId "
+        + " and notInMembershipEntry.fieldId = '" + Group.getDefaultList().getUuid() + "' ");
+    if (enabled != null) {
+      if (enabled) {
+        sql.append(" and notInMembershipEntry.enabledDb = 'T' ");
+      } else {
+        sql.append(" and notInMembershipEntry.enabledDb = 'F' ");
+      }
+    }
+    sql.append(" ) ");
+    
+    ByHqlStatic byHqlStatic = HibernateSession.byHqlStatic();
+
+    Set<PermissionEntryImpl> permissionEntries = byHqlStatic
+      .createQuery(sql.toString())
+      .setCacheable(false)
+      .setCacheRegion(KLASS + ".FindAllPermissionsNotInGroupAndType")
+      .setString( "theAttributeDefId" , attributeDefId )
+      .setString( "ownerGroupId" , groupId )
+      .assignConvertHqlColumnsToObject(true)
+      .listSet(PermissionEntryImpl.class);
+
+    return new LinkedHashSet<PermissionEntry>(permissionEntries);
+
+  
+  }
+
+  /**
+   * @see PermissionEntryDAO#findAllPermissionsNotInStem(String, Stem, Stem.Scope, boolean, QueryOptions, Boolean, boolean)
+   */
+  public Set<PermissionEntry> findAllPermissionsNotInStem(String attributeDefId,
+      Stem ownerNotInStem, Stem.Scope stemScope,  boolean immediateRoleMembershipsOrRoleSubject,
+      QueryOptions queryOptions, Boolean enabled, boolean hasNoEndDate) {
+
+    StringBuilder sql = new StringBuilder(
+        "select " + PERMISSION_ENTRY_COLUMNS + " from " + PERMISSION_ENTRY_TABLES + ", AttributeDefName theAttributeDefName where " + PERMISSION_ENTRY_WHERE_CLAUSE
+        + " and gadn.id = theAttributeDefName.id "
+        + " and theAttributeDefName.attributeDefId   = :theAttributeDefId "
+        + " and gm.uuid is not null ");
+    
+    if (enabled != null) {
+      sql.append(" and gaa.enabledDb = 'T' ");
+    }
+
+    if (immediateRoleMembershipsOrRoleSubject) {
+      //either t
+      sql.append(" and (gmav.depth = 0 " );
+      sql.append(" or gaa.attributeAssignTypeDb != 'group' ) " );
+    }
+
+    if (hasNoEndDate) {
+      sql.append(" and gaa.disabledTimeDb is null ");
+      sql.append(" and gmav.disabledTimeDb is null ");
+    }
+
+    sql.append(" and  not exists ( select notInMembershipEntry.memberUuid " +
+        " from MembershipEntry as notInMembershipEntry, Group as theStemGroup " +
+            " where notInMembershipEntry.ownerGroupId = theStemGroup.uuid "
+            + " and notInMembershipEntry.memberUuid = gm.uuid "
+            + " and notInMembershipEntry.fieldId = '" + Group.getDefaultList().getUuid() + "' ");
+
+    ByHqlStatic byHqlStatic = HibernateSession.byHqlStatic();
+
+    switch (stemScope) {
+      case ONE:
+        
+        sql.append(" and theStemGroup.parentUuid = :stemId ");
+        byHqlStatic.setString("stemId", ownerNotInStem.getUuid());
+        break;
+
+      case SUB:
+        
+        sql.append(" and theStemGroup.nameDb like :stemSub ");
+        byHqlStatic.setString("stemSub", ownerNotInStem.getName() + ":%");
+        
+        break;
+      default:
+        throw new RuntimeException("Not expecting scope: " + stemScope);
+    }
+    
+    sql.append(" ) ");
+            
+    
+    Set<PermissionEntryImpl> permissionEntries = byHqlStatic
+      .createQuery(sql.toString())
+      .setCacheable(false)
+      .setCacheRegion(KLASS + ".FindAllPermissionsNotInStem")
+      .setString( "theAttributeDefId" , attributeDefId )
+      .assignConvertHqlColumnsToObject(true)
+      .listSet(PermissionEntryImpl.class);
+
+    return new LinkedHashSet<PermissionEntry>(permissionEntries);
+
+  }
+  
+  /**
+   * find permissions based on filter criteria
+   */
+  public Set<PermissionEntry> findPermissions(String attributeDefId,
+      String attributeDefNameId, String ownerRoleId, String ownerMemberId,
+      String action, Boolean enabled) {
+    
+    ByHqlStatic byHqlStatic = HibernateSession.byHqlStatic();
+
+    String selectPrefix = "select distinct " + PERMISSION_ENTRY_COLUMNS + " ";
+    
+    //doesnt work due to composite key, hibernate puts parens around it and mysql fails
+    //String countPrefix = "select count(distinct pea) ";
+    
+    StringBuilder sqlTables = new StringBuilder(" from " + PERMISSION_ENTRY_TABLES + " ");
+    
+    StringBuilder sqlWhereClause = new StringBuilder(" " + PERMISSION_ENTRY_WHERE_CLAUSE + " ");
+    
+    GrouperSession grouperSession = GrouperSession.staticGrouperSession();
+    
+    Subject grouperSessionSubject = grouperSession.getSubject();
+    
+    grouperSession.getAttributeDefResolver().hqlFilterAttrDefsWhereClause(
+      grouperSessionSubject, byHqlStatic, 
+      sqlTables, sqlWhereClause, "gadn.attributeDefId", AttributeDefPrivilege.ATTR_READ_PRIVILEGES);
+    
+    boolean changedQuery = grouperSession.getAccessResolver().hqlFilterGroupsWhereClause(
+        grouperSessionSubject, byHqlStatic, 
+        sqlTables, "gr.uuid", AccessPrivilege.ATTRIBUTE_READ_PRIVILEGES);
+
+    StringBuilder sql;
+    if (changedQuery) {
+      if (sqlWhereClause.length() > 0) {
+        sql = sqlTables.append(" and ").append(sqlWhereClause);
+      } else {
+        throw new RuntimeException("Unexpected.");
+      }
+    } else {
+      sql = sqlTables.append(" where ").append(sqlWhereClause);
+    }
+    
+    if (enabled != null && enabled) {
+      sql.append(" and gaa.enabledDb = 'T' ");
+    }
+    if (enabled != null && !enabled) {
+      sql.append(" and gaa.enabledDb = 'F' ");
+    }
+    
+    if (!StringUtils.isBlank(ownerRoleId)) {
+      sql.append(" and gr.uuid = :theOwnerRoleId ");
+      byHqlStatic.setString("theOwnerRoleId", ownerRoleId);
+    }
+    
+    if (!StringUtils.isBlank(action)) {
+      sql.append(" and gaaa.nameDb = :theAction ");
+      byHqlStatic.setString("theAction", action);
+    }
+
+    if (!StringUtils.isBlank(attributeDefId)) {
+      sql.append(" and gadn.attributeDefId = :theAttributeDefId ");
+      byHqlStatic.setString("theAttributeDefId", attributeDefId);
+    }
+    if (!StringUtils.isBlank(attributeDefNameId)) {
+      sql.append(" and gadn.id = :theAttributeDefNameId ");
+      byHqlStatic.setString("theAttributeDefNameId", attributeDefNameId);
+    }
+    if (!StringUtils.isBlank(ownerMemberId)) {
+      sql.append(" and gm.uuid = :theOwnerMemberId ");
+      byHqlStatic.setString("theOwnerMemberId", ownerMemberId);
+    }
+    byHqlStatic
+      .setCacheable(false)
+      .setCacheRegion(KLASS + ".findPermissions");
+
+    int maxAssignments = GrouperConfig.retrieveConfig().propertyValueInt("ws.findPermissions.maxResultSize", 30000);
+    
+    String sqlString = sql.toString();
+    
+    //if we did where and, then switch to where
+    sqlString = sqlString.replaceAll("where\\s+and", "where");
+    sqlString = sqlString.replaceAll("where\\s*$", "");
+    
+    Set<PermissionEntryImpl> resultsTemp = byHqlStatic.createQuery(selectPrefix + sqlString)
+      .assignConvertHqlColumnsToObject(true)
+      .listSet(PermissionEntryImpl.class);
+
+    int size = GrouperUtil.length(resultsTemp);
+    if (maxAssignments >= 0) {
+
+      //doesnt work on mysql i think due to hibernate and composite key
+      //size = byHqlStatic.createQuery(countPrefix + sqlString).uniqueResult(long.class);    
+      
+      //see if too many
+      if (size > maxAssignments) {
+        throw new RuntimeException("Too many results: " + size);
+      }
+      
+    }
+    
+    Set<PermissionEntry> results = new LinkedHashSet<PermissionEntry>(resultsTemp);
+    
+
+    //nothing to filter
+    if (size == 0) {
+      return results;
+    }
+    
+    //if the hql didnt filter, we need to do that here
+    results = grouperSession.getAttributeDefResolver().postHqlFilterPermissions(grouperSessionSubject, results);
+    
+    //we should be down to the secure list
+    return results;
+  }
+
+  /**
+   * @see PermissionEntry#findRolePermissions(String attributeDefId, String attributeDefNameId, String ownerRoleId, String action, Boolean enabled)
+   */
+  public Set<PermissionEntry> findRolePermissions(String attributeDefId,
+      String attributeDefNameId, String ownerRoleId, String action, Boolean enabled) {
+    
+    ByHqlStatic byHqlStatic = HibernateSession.byHqlStatic();
+
+    String selectPrefix = "select distinct pea ";
+    
+    //doesnt work due to composite key, hibernate puts parens around it and mysql fails
+    //String countPrefix = "select count(distinct pea) ";
+    
+    StringBuilder sqlTables = new StringBuilder(" from PermissionEntryRoleAssigned pea ");
+    
+    StringBuilder sqlWhereClause = new StringBuilder("");
+    
+    GrouperSession grouperSession = GrouperSession.staticGrouperSession();
+    
+    Subject grouperSessionSubject = grouperSession.getSubject();
+    
+    grouperSession.getAttributeDefResolver().hqlFilterAttrDefsWhereClause(
+      grouperSessionSubject, byHqlStatic, 
+      sqlTables, sqlWhereClause, "pea.attributeDefId", AttributeDefPrivilege.ATTR_READ_PRIVILEGES);
+    
+    boolean changedQuery = grouperSession.getAccessResolver().hqlFilterGroupsWhereClause(
+        grouperSessionSubject, byHqlStatic, 
+        sqlTables, "pea.roleId", AccessPrivilege.ATTRIBUTE_READ_PRIVILEGES);
+
+    StringBuilder sql;
+    if (changedQuery) {
+      if (sqlWhereClause.length() > 0) {
+        sql = sqlTables.append(" and ").append(sqlWhereClause);
+      } else {
+        sql = sqlTables;
+      }
+    } else {
+      sql = sqlTables.append(" where ").append(sqlWhereClause);
+    }
+    
+    if (enabled != null && enabled) {
+      sql.append(" and pea.enabledDb = 'T' ");
+    }
+    if (enabled != null && !enabled) {
+      sql.append(" and pea.enabledDb = 'F' ");
+    }
+    
+    if (!StringUtils.isBlank(ownerRoleId)) {
+      sql.append(" and pea.roleId = :theOwnerRoleId ");
+      byHqlStatic.setString("theOwnerRoleId", ownerRoleId);
+    }
+    
+    if (!StringUtils.isBlank(action)) {
+      sql.append(" and pea.action = :theAction ");
+      byHqlStatic.setString("theAction", action);
+    }
+
+    if (!StringUtils.isBlank(attributeDefId)) {
+      sql.append(" and pea.attributeDefId = :theAttributeDefId ");
+      byHqlStatic.setString("theAttributeDefId", attributeDefId);
+    }
+    if (!StringUtils.isBlank(attributeDefNameId)) {
+      sql.append(" and pea.attributeDefNameId = :theAttributeDefNameId ");
+      byHqlStatic.setString("theAttributeDefNameId", attributeDefNameId);
+    }
+    byHqlStatic
+      .setCacheable(false)
+      .setCacheRegion(KLASS + ".findRolePermissions");
+
+    int maxAssignments = GrouperConfig.retrieveConfig().propertyValueInt("ws.findPermissions.maxResultSize", 30000);
+    
+    String sqlString = sql.toString();
+    
+    //if we did where and, then switch to where
+    sqlString = sqlString.replaceAll("where\\s+and", "where");
+    sqlString = sqlString.replaceAll("where\\s*$", "");
+    
+    Set<PermissionEntry> results = byHqlStatic.createQuery(selectPrefix + sqlString).listSet(PermissionEntry.class);
+
+    int size = GrouperUtil.length(results);
+    if (maxAssignments >= 0) {
+
+      //doesnt work on mysql i think due to hibernate and composite key
+      //size = byHqlStatic.createQuery(countPrefix + sqlString).uniqueResult(long.class);    
+      
+      //see if too many
+      if (size > maxAssignments) {
+        throw new RuntimeException("Too many results: " + size);
+      }
+      
+    }
+    
+
+    //nothing to filter
+    if (size == 0) {
+      return results;
+    }
+    
+    //if the hql didnt filter, we need to do that here
+    results = grouperSession.getAttributeDefResolver().postHqlFilterPermissions(grouperSessionSubject, results);
+    
+    //we should be down to the secure list
+    return results;
+
+  }
+
+  /**
+   * @see PermissionEntryDAO#findRolePermissions(Collection, Collection, Collection, Collection, Boolean, boolean)
+   */
+  public Set<PermissionEntry> findRolePermissions(Collection<String> attributeDefIds,
+      Collection<String> attributeDefNameIds, Collection<String> roleIds,
+      Collection<String> actions, Boolean enabled, boolean noEndDate) {
+    return findRolePermissions(attributeDefIds, attributeDefNameIds, roleIds, actions, enabled, noEndDate, null, null);
+  }
+
+  /**
+   * @see PermissionEntryDAO#findRolePermissions(Collection, Collection, Collection, Collection, Boolean, boolean, Stem, Scope)
+   */
+  public Set<PermissionEntry> findRolePermissions(Collection<String> attributeDefIds,
+      Collection<String> attributeDefNameIds, Collection<String> roleIds,
+      Collection<String> actions, Boolean enabled, boolean noEndDate, 
+      Stem permissionNameInStem, Scope permissionNameInStemScope) {
+    int roleIdsSize = GrouperUtil.length(roleIds);
+    int actionsSize = GrouperUtil.length(actions);
+    int attributeDefIdsSize = GrouperUtil.length(attributeDefIds);
+    int attributeDefNameIdsSize = GrouperUtil.length(attributeDefNameIds);
+
+    //too many bind vars
+    if (roleIdsSize + attributeDefIdsSize + attributeDefNameIdsSize + actionsSize > 100) {
+      throw new RuntimeException("Too many roleIdsSize " + roleIdsSize + " or attributeDefIdsSize " 
+          + attributeDefIdsSize + " or attributeDefNameIds " + attributeDefNameIdsSize + " or actionsSize " + actionsSize );
+    }
+
+    ByHqlStatic byHqlStatic = HibernateSession.byHqlStatic();
+
+    String selectPrefix = "select distinct pea ";
+
+    //doesnt work due to composite key, hibernate puts parens around it and mysql fails
+    //String countPrefix = "select count(distinct pea) ";
+
+    StringBuilder sqlTables = new StringBuilder(" from PermissionEntryRoleAssigned pea ");
+
+    if (permissionNameInStem != null && permissionNameInStemScope == Scope.ONE) {
+      sqlTables.append(" , AttributeDefName adn ");
+    }
+
+    StringBuilder sqlWhereClause = new StringBuilder("");
+
+    GrouperSession grouperSession = GrouperSession.staticGrouperSession();
+
+    Subject grouperSessionSubject = grouperSession.getSubject();
+
+    grouperSession.getAttributeDefResolver().hqlFilterAttrDefsWhereClause(
+      grouperSessionSubject, byHqlStatic, 
+      sqlTables, sqlWhereClause, "pea.attributeDefId", AttributeDefPrivilege.ATTR_READ_PRIVILEGES);
+    
+    boolean changedQuery = grouperSession.getAccessResolver().hqlFilterGroupsWhereClause(
+        grouperSessionSubject, byHqlStatic, 
+        sqlTables, "pea.roleId", AccessPrivilege.ATTRIBUTE_READ_PRIVILEGES);
+
+    StringBuilder sql;
+    if (changedQuery) {
+      if (sqlWhereClause.length() > 0) {
+        sql = sqlTables.append(" and ").append(sqlWhereClause);
+      } else {
+        sql = sqlTables;
+      }
+    } else {
+      sql = sqlTables.append(" where ").append(sqlWhereClause);
+    }
+    
+    if (enabled != null && enabled) {
+      sql.append(" and pea.enabledDb = 'T' ");
+    }
+    if (enabled != null && !enabled) {
+      sql.append(" and pea.enabledDb = 'F' ");
+    }
+    
+    if (noEndDate) {
+      sql.append(" and pea.disabledTimeDb is null ");
+    }
+
+    if (permissionNameInStem != null) {
+      switch (permissionNameInStemScope) {
+        case ONE:
+          sql.append(" and pea.attributeDefNameId = adn.id and adn.stemId = :stemId ");
+          byHqlStatic.setString("stemId", permissionNameInStem.getUuid());
+          break;
+        case SUB:
+          
+          sql.append(" and pea.attributeDefNameName like :stemSub ");
+          byHqlStatic.setString("stemSub", permissionNameInStem.getName() + ":%");
+          
+          break;
+        default:
+          throw new RuntimeException("Not expecting permissionNameInStemScope: " + permissionNameInStemScope);
+      }
+    }
+
+    
+    if (actionsSize > 0) {
+      sql.append(" and pea.action in (");
+      sql.append(HibUtils.convertToInClause(actions, byHqlStatic));
+      sql.append(") ");
+    }
+    if (roleIdsSize > 0) {
+      sql.append(" and pea.roleId in (");
+      sql.append(HibUtils.convertToInClause(roleIds, byHqlStatic));
+      sql.append(") ");
+    }
+    if (attributeDefIdsSize > 0) {
+      sql.append(" and pea.attributeDefId in (");
+      sql.append(HibUtils.convertToInClause(attributeDefIds, byHqlStatic));
+      sql.append(") ");
+    }
+    if (attributeDefNameIdsSize > 0) {
+      sql.append(" and pea.attributeDefNameId in (");
+      sql.append(HibUtils.convertToInClause(attributeDefNameIds, byHqlStatic));
+      sql.append(") ");
+    }
+    
+    QueryOptions queryOptions = new QueryOptions();
+    QuerySort querySort = new QuerySort("pea.action", true);
+    querySort.insertSortToBeginning("pea.roleDisplayName", true);
+    querySort.insertSortToBeginning("pea.attributeDefNameDispName", true);
+    queryOptions.sort(querySort);
+    
+    byHqlStatic
+      .setCacheable(false).options(queryOptions)
+      .setCacheRegion(KLASS + ".findRolePermissions");
+
+    int maxAssignments = GrouperConfig.retrieveConfig().propertyValueInt("ws.findPermissions.maxResultSize", 30000);
+    
+    String sqlString = sql.toString();
+    
+    //if we did where and, then switch to where
+    sqlString = sqlString.replaceAll("where\\s+and", "where");
+    
+    Set<PermissionEntry> results = byHqlStatic.createQuery(selectPrefix + sqlString).listSet(PermissionEntry.class);
+
+    int size = GrouperUtil.length(results);
+    if (maxAssignments >= 0) {
+
+      //doesnt work on mysql i think due to hibernate and composite key
+      //size = byHqlStatic.createQuery(countPrefix + sqlString).uniqueResult(long.class);    
+      
+      //see if too many
+      if (size > maxAssignments) {
+        throw new RuntimeException("Too many results: " + size);
+      }
+      
+    }
+    
+
+    //nothing to filter
+    if (size == 0) {
+      return results;
+    }
+    
+    //if the hql didnt filter, we need to do that here
+    results = grouperSession.getAttributeDefResolver().postHqlFilterPermissions(grouperSessionSubject, results);
+    
+    //we should be down to the secure list
+    return results;
+      
+  }
+}

