summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorInstrumental <jonathan.gathman@att.com>2018-07-19 16:44:02 -0500
committerInstrumental <jonathan.gathman@att.com>2018-07-19 16:44:13 -0500
commit87da9feacd0abb0d60b98cc00c4755121fc73bbb (patch)
treee916ccb1420b7fcfa04f19d7db3965e53d0fe119
parent32cdd553a8668e6d03a9cf5b11b360d35a63c87f (diff)
add check and showpass
Issue-ID: AAF-378 Change-Id: If06c33ffd45eb61ab881cdb89f9689dae951f82c Signed-off-by: Instrumental <jonathan.gathman@att.com>
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java2
-rw-r--r--auth/docker/.gitignore1
-rw-r--r--auth/docker/aaf.props15
-rwxr-xr-xauth/docker/dbuild.sh1
-rw-r--r--auth/sample/bin/client.sh9
-rw-r--r--cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java22
-rw-r--r--cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java2
-rw-r--r--cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java8
-rw-r--r--cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java24
-rw-r--r--cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java5
-rw-r--r--cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java3
-rw-r--r--cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java23
12 files changed, 67 insertions, 48 deletions
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
index af2d2f6b..893e9f32 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
@@ -203,7 +203,7 @@ public class LocalCA extends CA {
public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
GregorianCalendar gc = new GregorianCalendar();
Date start = gc.getTime();
- gc.add(GregorianCalendar.MONTH, 2);
+ gc.add(GregorianCalendar.MONTH, 6);
Date end = gc.getTime();
X509Certificate x509;
TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB);
diff --git a/auth/docker/.gitignore b/auth/docker/.gitignore
index a03737d0..c058b043 100644
--- a/auth/docker/.gitignore
+++ b/auth/docker/.gitignore
@@ -1,2 +1,3 @@
local
d.props
+aaf.props
diff --git a/auth/docker/aaf.props b/auth/docker/aaf.props
index 8d18f55d..5c654806 100644
--- a/auth/docker/aaf.props
+++ b/auth/docker/aaf.props
@@ -1,14 +1,11 @@
-FQI=clamp@clamp.onap.org
-VOLUME=clamp_aaf
-LONGITUDE=-92
-FQDN=meriadoc.mithril.sbc.com
VERSION=2.1.2-SNAPSHOT
-DRIVER=local
-LATITUDE=38
-FQDN_IP=192.168.99.100
AAF_FQDN=meriadoc.mithril.sbc.com
-AAF_AAF_FQDN_IP=192.168.99.100
DEPLOY_FQI=deployer@people.osaaf.org
-DEPLOY_PASSWORD=demo123456!
APP_FQDN=meriadoc.mithril.sbc.com
APP_FQI=clamp@clamp.onap.org
+VOLUME=clamp_aaf
+DRIVER=local
+LATITUDE=38.432899
+LONGITUDE=-90.43248
+AAF_AAF_FQDN_IP=192.168.99.100
+DEPLOY_PASSWORD=demo123456!
diff --git a/auth/docker/dbuild.sh b/auth/docker/dbuild.sh
index 10ca9d95..da0b9b64 100755
--- a/auth/docker/dbuild.sh
+++ b/auth/docker/dbuild.sh
@@ -24,7 +24,6 @@ docker build -t ${ORG}/${PROJECT}/aaf_agent:${VERSION} sample
# Clean up
rm sample/Dockerfile sample/bin/aaf-cadi-aaf-${VERSION}-full.jar
cd -
-
########
# Second, build a core Docker Image
echo Building aaf_$AAF_COMPONENT...
diff --git a/auth/sample/bin/client.sh b/auth/sample/bin/client.sh
index 2c736142..46c85be9 100644
--- a/auth/sample/bin/client.sh
+++ b/auth/sample/bin/client.sh
@@ -87,9 +87,16 @@ if [ ! "$CMD" = "" ]; then
rsync -uh --exclude=.gitignore /opt/app/aaf_config/$D/* /opt/app/osaaf/$D
done
;;
+ showpass)
+ echo "## Show Passwords"
+ $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar showpass ${APP_FQI} ${APP_FQDN}
+ ;;
+ check)
+ $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar check ${APP_FQI} ${APP_FQDN}
+ ;;
validate)
echo "## validate requested"
- $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate cadi_prop_files=/opt/app/osaaf/local/${NS}.props
+ $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate /opt/app/osaaf/local/${NS}.props
;;
bash)
if [ ! -e ~/.bash_aliases ]; then
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java
index 6b69f790..c4ca8082 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java
@@ -50,7 +50,11 @@ public class AAFPermission implements Permission {
type = name;
this.instance = instance;
this.action = action;
- key = ns + '|' + type + '|' + instance + '|' + action;
+ if(ns==null) {
+ key = type + '|' + instance + '|' + action;
+ } else {
+ key = ns + '|' + type + '|' + instance + '|' + action;
+ }
this.roles = NO_ROLES;
}
@@ -60,7 +64,11 @@ public class AAFPermission implements Permission {
type = name;
this.instance = instance;
this.action = action;
- key = ns + '|' + type + '|' + instance + '|' + action;
+ if(ns==null) {
+ key = type + '|' + instance + '|' + action;
+ } else {
+ key = ns + '|' + type + '|' + instance + '|' + action;
+ }
this.roles = roles==null?NO_ROLES:roles;
}
@@ -117,7 +125,15 @@ public class AAFPermission implements Permission {
}
}
boolean typeMatches;
- if(aafNS.length() == ns.length()) {
+ if(aafNS==null) {
+ if(ns==null) {
+ typeMatches = aafType.equals(type);
+ } else {
+ typeMatches = aafType.equals(ns+'.'+type);
+ }
+ } else if(ns==null) {
+ typeMatches = type.equals(aafNS+'.'+aafType);
+ } else if(aafNS.length() == ns.length()) {
typeMatches = aafNS.equals(ns) && aafType.equals(type);
} else { // Allow for restructuring of NS/Perm structure
typeMatches = (aafNS+'.'+aafType).equals(ns+'.'+type);
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java
index 3e90087c..df2ad4f8 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java
@@ -55,7 +55,7 @@ public class TestConnectivity {
System.out.println("Usage: ConnectivityTester <cadi_prop_files> [<AAF FQDN (i.e. aaf.dev.att.com)>]");
} else {
print(true,"START OF CONNECTIVITY TESTS",new Date().toString(),System.getProperty("user.name"),
- "Note: All API Calls are /authz/perms/user/<MechID/Alias of the caller>");
+ "Note: All API Calls are /authz/perms/user/<AppID/Alias of the caller>");
if(!args[0].contains(Config.CADI_PROP_FILES+'=')) {
args[0]=Config.CADI_PROP_FILES+'='+args[0];
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
index b7cf62cd..a5ef6d14 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
@@ -62,7 +62,7 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> {
private static final String ORG_OSAAF_CADI_OAUTH_O_AUTH2_LUR = "org.osaaf.cadi.oauth.OAuth2Lur";
/**
- * Need to be able to transmutate a Principal into either ATTUID or MechID, which are the only ones accepted at this
+ * Need to be able to transmutate a Principal into either Person or AppID, which are the only ones accepted at this
* point by AAF. There is no "domain", aka, no "@att.com" in "ab1234@att.com".
*
* The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid.
@@ -107,12 +107,6 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> {
protected User<AAFPermission> loadUser(final Principal principal) {
final String name = principal.getName();
-// // Note: The rules for AAF is that it only stores permissions for ATTUID and MechIDs, which don't
-// // have domains. We are going to make the Transitive Class (see this.transmutative) to convert
-// final Principal tp = principal; //transmutate.mutate(principal);
-// if(tp==null) {
-// return null; // if not a valid Transmutated credential, don't bother calling...
-// }
// TODO Create a dynamic way to declare domains supported.
final long start = System.nanoTime();
final boolean[] success = new boolean[]{false};
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
index b3de9754..ef73adaa 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
@@ -89,8 +89,8 @@ public class Agent {
private static final String HASHES = "################################################################";
private static final String PRINT = "print";
private static final String FILE = "file";
- private static final String PKCS12 = "pkcs12";
- private static final String JKS = "jks";
+ public static final String PKCS12 = "pkcs12";
+ public static final String JKS = "jks";
private static final String SCRIPT="script";
private static final String CM_VER = "1.0";
@@ -127,7 +127,7 @@ public class Agent {
AAFSSO aafsso=null;
PropAccess access;
- if(args.length>1 && args[0].equals("validate")) {
+ if(args.length>1 && args[0].equals("validate") ) {
int idx = args[1].indexOf('=');
aafsso = null;
access = new PropAccess(
@@ -329,7 +329,7 @@ public class Agent {
private static String fqi(Deque<String> cmds) {
if(cmds.size()<1) {
String alias = env.getProperty(Config.CADI_ALIAS);
- return alias!=null?alias:AAFSSO.cons.readLine("MechID: ");
+ return alias!=null?alias:AAFSSO.cons.readLine("AppID: ");
}
return cmds.removeFirst();
}
@@ -360,11 +360,11 @@ public class Agent {
Artifacts artifacts = new Artifacts();
Artifact arti = new Artifact();
artifacts.getArtifact().add(arti);
- arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("MechID: "));
+ arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("AppID: "));
arti.setMachine(machine!=null?machine:AAFSSO.cons.readLine("Machine (%s): ",InetAddress.getLocalHost().getHostName()));
arti.setCa(AAFSSO.cons.readLine("CA: (%s): ","aaf"));
- String resp = AAFSSO.cons.readLine("Types [file,jks,script] (%s): ", "jks");
+ String resp = AAFSSO.cons.readLine("Types [file,pkcs12,jks,script] (%s): ", PKCS12);
for(String s : Split.splitTrim(',', resp)) {
arti.getType().add(s);
}
@@ -419,7 +419,7 @@ public class Agent {
if(future.get(TIMEOUT)) {
boolean printed = false;
for(Artifact a : future.value.getArtifact()) {
- AAFSSO.cons.printf("MechID: %s\n",a.getMechid());
+ AAFSSO.cons.printf("AppID: %s\n",a.getMechid());
AAFSSO.cons.printf(" Sponsor: %s\n",a.getSponsor());
AAFSSO.cons.printf("Machine: %s\n",a.getMachine());
AAFSSO.cons.printf("CA: %s\n",a.getCa());
@@ -650,7 +650,7 @@ public class Agent {
// Have to wait for JDK 1.7 source...
//switch(artifact.getType()) {
if(acf.value.getArtifact()==null || acf.value.getArtifact().isEmpty()) {
- AAFSSO.cons.printf("No Artifacts found for %s on %s", mechID, machine);
+ AAFSSO.cons.printf("No Artifacts found for %s on %s ", mechID, machine);
} else {
String id = aafcon.defID();
boolean allowed;
@@ -660,7 +660,7 @@ public class Agent {
&& aafcon.securityInfo().defSS.getClass().isAssignableFrom(HBasicAuthSS.class)));
if(!allowed) {
Future<String> pf = aafcon.client(CM_VER).read("/cert/may/" +
- a.getNs() + ".certman|"+a.getCa()+"|showpass","*/*");
+ a.getNs()+"|certman|"+a.getCa()+"|showpass","*/*");
if(pf.get(TIMEOUT)) {
allowed = true;
} else {
@@ -1017,13 +1017,13 @@ public class Agent {
String prop;
File f;
- if((prop=props.getProperty(Config.CADI_KEYFILE))==null ||
+ if((prop=trans.getProperty(Config.CADI_KEYFILE))==null ||
!(f=new File(prop)).exists()) {
trans.error().printf("Keyfile must exist to check Certificates for %s on %s",
a.getMechid(), a.getMachine());
} else {
- String ksf = props.getProperty(Config.CADI_KEYSTORE);
- String ksps = props.getProperty(Config.CADI_KEYSTORE_PASSWORD);
+ String ksf = trans.getProperty(Config.CADI_KEYSTORE);
+ String ksps = trans.getProperty(Config.CADI_KEYSTORE_PASSWORD);
if(ksf==null || ksps == null) {
trans.error().printf("Properties %s and %s must exist to check Certificates for %s on %s",
Config.CADI_KEYSTORE, Config.CADI_KEYSTORE_PASSWORD,a.getMechid(), a.getMachine());
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
index 3123b89e..c5413919 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
@@ -28,7 +28,6 @@ import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
-import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
@@ -51,7 +50,7 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
@Override
public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
- File fks = new File(dir,arti.getNs()+'.'+(kst=="pkcs12"?"p12":kst));
+ File fks = new File(dir,arti.getNs()+'.'+(kst==Agent.PKCS12?"p12":kst));
try {
KeyStore jks = KeyStore.getInstance(kst);
if(fks.exists()) {
@@ -125,7 +124,7 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
fks.renameTo(backup);
}
- jks = KeyStore.getInstance("jks");
+ jks = KeyStore.getInstance(Agent.JKS);
// Set Truststore Password
addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java
index ecadb6ed..d50b87a2 100644
--- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java
+++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java
@@ -42,6 +42,7 @@ import org.junit.Test;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.configure.Agent;
import org.onap.aaf.cadi.configure.ArtifactDir;
import org.onap.aaf.cadi.util.Chmod;
import org.onap.aaf.misc.env.Trans;
@@ -112,7 +113,7 @@ public class JU_ArtifactDir {
} catch(NullPointerException e) {
}
- KeyStore ks = KeyStore.getInstance("pkcs12");
+ KeyStore ks = KeyStore.getInstance(Agent.PKCS12);
try {
ArtifactDir.write(writableFile, Chmod.to755, ks, luggagePassword.toCharArray());
fail("Should've thrown an exception");
diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java
index 0b086f11..d61ac499 100644
--- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java
+++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java
@@ -21,9 +21,11 @@
package org.onap.aaf.cadi.cm.test;
-import static org.junit.Assert.*;
-import static org.hamcrest.CoreMatchers.*;
-import static org.mockito.Mockito.*;
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
@@ -31,14 +33,17 @@ import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
+import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.List;
-import java.security.cert.CertificateException;
-
-import org.junit.*;
-import org.mockito.*;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.configure.Agent;
import org.onap.aaf.cadi.configure.PlaceArtifactInKeystore;
import org.onap.aaf.misc.env.Env;
import org.onap.aaf.misc.env.TimeTaken;
@@ -97,12 +102,12 @@ public class JU_PlaceArtifactInKeystore {
@Test
public void test() throws CadiException {
// Note: PKCS12 can't be tested in JDK 7 and earlier. Can't handle Trusting Certificates.
- PlaceArtifactInKeystore placer = new PlaceArtifactInKeystore("jks");
+ PlaceArtifactInKeystore placer = new PlaceArtifactInKeystore(Agent.JKS);
certs.add(x509String);
certs.add(x509Chain);
assertThat(placer.place(transMock, certInfoMock, artiMock, "machine"), is(true));
- for (String ext : new String[] {"chal", "keyfile", "jks", "trust.jks", "cred.props"}) {
+ for (String ext : new String[] {"chal", "keyfile", Agent.JKS, "trust.jks", "cred.props"}) {
File f = new File(dirName + '/' + nsName + '.' + ext);
assertThat(f.exists(), is(true));
}