diff options
| author |   Instrumental <jonathan.gathman@att.com> | 2019-06-06 19:33:19 -0500 |
|---|---|---|
| committer | Instrumental <jonathan.gathman@att.com> | 2019-06-08 09:24:31 -0500 |
| commit | 355b886d817295d2bca5af28f01576bf4a3ded18 (patch) | |
| tree | 354ac6cb61ebc5f5eba23d2e1720c45771968caa | |
| parent | fbcac9be97567ca19b1018861d1ab37d2dea769f (diff) | |
Agent correctly sort Cert Chain/Truststore
GUI fix
Issue-ID: AAF-852
Change-Id: Ie703b7aee0a77074fac5c1aab3bdf402862243ac
Signed-off-by: Instrumental <jonathan.gathman@att.com>
23 files changed, 255 insertions, 124 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectRegistrar.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectRegistrar.java index ec5449df..99421097 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectRegistrar.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectRegistrar.java @@ -49,7 +49,7 @@ public class DirectRegistrar implements Registrant<AuthzEnv> { ldd.add(convert(me)); } } - + private LocateDAO.Data convert(MgmtEndpoint me) { LocateDAO.Data out = new LocateDAO.Data(); out.name=me.getName(); diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java index 6d993284..7daa51fb 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java @@ -62,14 +62,12 @@ public class List extends BaseCmd<User> { if (!aafcli.isTest()) { date = Chrono.dateOnlyStamp(user.getExpires()); } - String tag=null; - if(user.getType()<200) { - tag = user.getTag(); - } else { - tag = "\n\tfingerprint: " + user.getTag(); - } + String tag=user.getTag(); + Integer type = user.getType(); if(tag==null) { tag=""; + } else if(type!=null && type>=200) { + tag = "\n\tfingerprint: " + tag; } pw().format(format, count? (Integer.valueOf(++idx) + ") " + user.getId()): user.getId(), diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForRoles.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForRoles.java index b534240b..4e539ac2 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForRoles.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ListForRoles.java @@ -21,9 +21,6 @@ package org.onap.aaf.auth.cmd.user; -import java.util.Collections; -import java.util.Comparator; - import org.onap.aaf.auth.cmd.AAFcli; import org.onap.aaf.auth.cmd.Cmd; import org.onap.aaf.auth.cmd.Param; @@ -36,7 +33,6 @@ import org.onap.aaf.cadi.client.Retryable; import org.onap.aaf.misc.env.APIException; import aaf.v2_0.Users; -import aaf.v2_0.Users.User; /** * p @@ -61,13 +57,6 @@ public class ListForRoles extends Cmd { getDF(Users.class) ); if (fp.get(AAFcli.timeout())) { - if (aafcli.isTest()) - Collections.sort(fp.value.getUser(), new Comparator<User>() { - @Override - public int compare(User u1, User u2) { - return u1.getId().compareTo(u2.getId()); - } - }); ((org.onap.aaf.auth.cmd.user.List)parent).report(fp.value,false, HEADER,role); if (fp.code()==404)return 200; } else { diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java index 02d93512..5fbb951b 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java @@ -76,7 +76,7 @@ public abstract class AbsService<ENV extends BasicEnv, TRANS extends Trans> exte str = Defaults.AAF_VERSION; env.setProperty(Config.AAF_LOCATOR_VERSION, str); } - app_version = str; + app_version = access.getProperty(Config.AAF_DEPLOYED_VERSION, str); // Print Cipher Suites Available if (access.willLog(Level.DEBUG)) { diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java index 0e8cb78d..56eea435 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java @@ -56,7 +56,6 @@ public abstract class AbsServiceStarter<ENV extends RosettaEnv, TRANS extends Tr // do_register - this is used for specialty Debug Situations. Developer can create an Instance for a remote system // for Debugging purposes without fear that real clients will start to call your debug instance do_register = !"TRUE".equalsIgnoreCase(access().getProperty("aaf_locate_no_register",null)); - _propertyAdjustment(); hostname = access().getProperty(Config.HOSTNAME, null); if (hostname==null) { try { @@ -65,6 +64,7 @@ public abstract class AbsServiceStarter<ENV extends RosettaEnv, TRANS extends Tr hostname= "cannotBeDetermined"; } } + _propertyAdjustment(); } diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java index f8aeb11b..c33f3d69 100644 --- a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java +++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java @@ -128,7 +128,7 @@ public class AAF_GUI extends AbsService<AuthzEnv, AuthzTrans> implements State<E } slot_httpServletRequest = env.slot(HTTP_SERVLET_REQUEST); - deployedVersion = access.getProperty(Config.AAF_RELEASE, "N/A:2.x"); + deployedVersion = app_version; // Certificate Manager String aaf_url_cm = env.getProperty(Config.AAF_URL_CM,Config.AAF_URL_CM_DEF); diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateServiceImpl.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateServiceImpl.java index 6d96ded3..b6e4dfa8 100644 --- a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateServiceImpl.java +++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateServiceImpl.java @@ -128,6 +128,8 @@ public class LocateServiceImpl<IN,OUT,ERROR> ///// ADDED v1_1 /* (non-Javadoc) * @see org.onap.aaf.auth.locate.service.LocateService#getConfig(org.onap.aaf.auth.env.AuthzTrans, java.lang.String, java.lang.String) + * + * Note: "id" is put in, in case we need to filter, or direct data change in the future by Permission */ @Override public Result<Configuration> getConfig(AuthzTrans trans, String id, String type) { @@ -145,7 +147,6 @@ public class LocateServiceImpl<IN,OUT,ERROR> } } return Result.ok(c); - //return Result.err(Result.ERR_NotImplemented,"not done yet"); } diff --git a/auth/docker/dbash.sh b/auth/docker/dbash.sh index a9c90f99..81e96b4d 100644 --- a/auth/docker/dbash.sh +++ b/auth/docker/dbash.sh @@ -20,4 +20,4 @@ # . ./d.props -${DOCKER:=docker} exec -it aaf-$1 bash -c "cd /opt/app/osaaf/logs && exec bash" +${DOCKER:=docker} exec -it aaf-$1 bash -c "cd /opt/app && exec bash" diff --git a/auth/docker/dinstall.sh b/auth/docker/dinstall.sh new file mode 100644 index 00000000..22ea4c91 --- /dev/null +++ b/auth/docker/dinstall.sh @@ -0,0 +1,29 @@ +#!/bin/bash +######### +# ============LICENSE_START==================================================== +# org.onap.aaf +# =========================================================================== +# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. +# =========================================================================== +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END==================================================== +# +# This is only called from HEAT, as it needs a single check and wait for Cassandra to be ready +# +cd ../auth-cass/docker +. dinstall.sh $@ +cd - +if [ "$1" = "publish" ]; then + shift +fi +. drun.sh diff --git a/auth/docker/drun.sh b/auth/docker/drun.sh index 648c497a..1910f4a2 100644 --- a/auth/docker/drun.sh +++ b/auth/docker/drun.sh @@ -106,6 +106,7 @@ for AAF_COMPONENT in ${AAF_COMPONENTS}; do --env aaf_locator_container_ns=${NAMESPACE} \ --env aaf_locator_fqdn=${HOSTNAME} \ --env aaf_locator_public_fqdn=${HOSTNAME} \ + --env aaf_deployed_version=${VERSION} \ --env LATITUDE=${LATITUDE} \ --env LONGITUDE=${LONGITUDE} \ --env CASSANDRA_CLUSTER=${CASSANDRA_CLUSTER} \ diff --git a/auth/helm/aaf/Chart.yaml b/auth/helm/aaf/Chart.yaml index 0f0f2761..d0a1d286 100644 --- a/auth/helm/aaf/Chart.yaml +++ b/auth/helm/aaf/Chart.yaml @@ -22,4 +22,4 @@ apiVersion: v1 appVersion: "1.0" description: AAF Helm Chart name: aaf -version: 2.1.12-SNAPSHOT +version: 2.1.14-SNAPSHOT diff --git a/auth/helm/aaf/templates/aaf-gui.yaml b/auth/helm/aaf/templates/aaf-gui.yaml index c31496fc..4c540778 100644 --- a/auth/helm/aaf/templates/aaf-gui.yaml +++ b/auth/helm/aaf/templates/aaf-gui.yaml @@ -90,6 +90,8 @@ spec: value: "{{.Values.services.aaf_locator_name}}" - name: aaf_locator_name_helm value: "{{.Values.services.aaf_locator_name_helm}}" + - name: aaf_deployed_version + value: "{{ .Values.image.version }}" - name: CASSANDRA_CLUSTER value: "{{.Values.services.cass.fqdn}}.{{.Values.services.ns}}" # - name: CASSANDRA_USER diff --git a/auth/sample/bin/service.sh b/auth/sample/bin/service.sh index 29d9f967..c14754ae 100644 --- a/auth/sample/bin/service.sh +++ b/auth/sample/bin/service.sh @@ -33,7 +33,7 @@ echo "# Properties passed in" # Set from CAP Based PROPS, if necessary aaf_env=${aaf_env:-"${AAF_ENV}"} -aaf_release=${aaf_release:-"${VERSION}"} +aaf_deployed_version=${aaf_deployed_version:-"${VERSION}"} cadi_latitude=${cadi_latitude:-"${LATITUDE}"} cadi_longitude=${cadi_longitude:-"${LONGITUDE}"} cadi_x509_issuers=${cadi_x509_issuers:-"${CADI_X509_ISSUERS}"} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java index 606638a4..ec0875c1 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java @@ -117,7 +117,7 @@ public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> { return "AAF Inaccessible"; case UNVALIDATED: addUser(new User<AAFPermission>(user,bytes,con.timeout)); - return "User/Pass combo invalid for " + user; + return "user/pass combo invalid for " + user; case DENIED: return "AAF denies API for " + user; default: diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java index ac8168b9..3941b155 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java @@ -234,7 +234,7 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI> @Override public Item best() throws LocatorException { if (!hasItems()) { - throw new LocatorException("No Entries found for '" + aaf_locator_uri.toString() + "/locate/" + name + ':' + version + '\''); + throw new LocatorException("No Entries found for '" + aaf_locator_uri.toString() + '/' + name + ':' + version + '\''); } List<EP> lep = new ArrayList<>(); EP first = null; diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java index e50b52d8..4dd86fe0 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java @@ -28,12 +28,14 @@ import java.io.IOException; import java.net.ConnectException; import java.net.HttpURLConnection; import java.net.InetAddress; +import java.net.URISyntaxException; import java.net.UnknownHostException; import java.nio.file.Files; import java.security.KeyPair; import java.security.KeyStore; import java.security.cert.X509Certificate; import java.util.ArrayDeque; +import java.util.ArrayList; import java.util.Arrays; import java.util.Deque; import java.util.GregorianCalendar; @@ -233,8 +235,7 @@ public class Agent { aafsso.setLogDefault(); aafsso.setStdErrDefault(); - Map<String, String> aaf_urls = loadURLs(access); - aafsso.addProp(Config.AAF_URL_CM, aaf_urls.get(Config.AAF_URL_CM)); + /*urls=*/loadURLs(access); aafsso.writeFiles(); } @@ -311,28 +312,38 @@ public class Agent { dot_le=dot_le==null?"":'.'+dot_le; String version = access.getProperty(Config.AAF_API_VERSION,Config.AAF_DEFAULT_API_VERSION); for(String u : new String[] {"aaf","locate","oauth","cm","gui","fs","hello","token","introspect"}) { - String proto = "fs".equals(u)?"http://":"https://"; - String lhost; - if("locate".equals(u)) { - lhost=rph.default_fqdn; - } else { - lhost=Config.AAF_LOCATE_URL_TAG; - } - String value = rph.replacements("Agent:loadURLs", - proto + lhost + "/%CNS.%AAF_NS." + ("aaf".equals(u)?"service":u) + ':' + version, - null,dot_le); + String tag; + String append=null; switch(u) { - case "aaf": rv.put(Config.AAF_URL, value); break; - case "locate": rv.put(Config.getAAFLocateUrl(access), value); break; - case "token": rv.put(Config.AAF_OAUTH2_TOKEN_URL, value); break; - case "introspect": rv.put(Config.AAF_OAUTH2_INTROSPECT_URL, value); break; - case "cm": rv.put(Config.AAF_URL_CM, value); break; - case "gui": rv.put(Config.AAF_URL_GUI, value); break; - case "fs": rv.put(Config.AAF_URL_FS, value); break; - case "hello": rv.put(Config.AAF_URL_HELLO, value); break; + case "aaf": tag = Config.AAF_URL; break; + case "locate":tag = Config.AAF_LOCATE_URL; break; + case "oauth": tag = Config.AAF_URL_OAUTH; break; + case "token": tag = Config.AAF_OAUTH2_TOKEN_URL; append="/token"; break; + case "introspect": tag = Config.AAF_OAUTH2_INTROSPECT_URL; append="/introspect"; break; + case "cm": tag = Config.AAF_URL_CM; break; + case "gui": tag = Config.AAF_URL_GUI; break; + case "fs": tag = Config.AAF_URL_FS; break; + case "hello": tag = Config.AAF_URL_HELLO; break; default: - rv.put("aaf_url_" + u, value); + tag = "aaf_url_" + u; + } + String value; + if((value=access.getProperty(tag,null))==null) { + String proto = "fs".equals(u)?"http://":"https://"; + String lhost; + if("locate".equals(u)) { + lhost=rph.default_fqdn; + } else { + lhost=Config.AAF_LOCATE_URL_TAG; + } + value = rph.replacements("Agent:loadURLs", + proto + lhost + "/%CNS.%AAF_NS." + ("aaf".equals(u)?"service":u) + ':' + version, + null,dot_le); + if(append!=null) { + value+=append; + } } + rv.put(tag, value); }; aaf_urls = rv; } @@ -825,9 +836,12 @@ public class Agent { app.add(Config.AAF_LOCATE_URL, Config.getAAFLocateUrl(propAccess)); app.add(Config.AAF_ENV,propAccess, "DEV"); - String release = propAccess.getProperty(Config.AAF_RELEASE); + String release = propAccess.getProperty(Config.AAF_DEPLOYED_VERSION); + if(release==null) { + release = System.getProperty(Config.AAF_DEPLOYED_VERSION,null); + } if(release!=null) { - app.add(Config.AAF_RELEASE, release); + app.add(Config.AAF_DEPLOYED_VERSION, release); } for(Entry<Object, Object> aaf_loc_prop : propAccess.getProperties().entrySet()) { String key = aaf_loc_prop.getKey().toString(); @@ -910,26 +924,15 @@ public class Agent { } else { aafcon = aafcon(propAccess); if (aafcon!=null) { // get Properties from Remote AAF - final String locator = getProperty(propAccess,aafcon.env,false,Config.AAF_LOCATE_URL,"AAF Locator URL: "); - - Future<Configuration> acf = aafcon.client(new SingleEndpointLocator(locator)) - .read("/configure/"+fqi+"/aaf", configDF); - if (acf.get(TIMEOUT)) { - for (Props props : acf.value.getProps()) { - PropHolder ph = CRED_TAGS.contains(props.getTag())?cred:app; - if(props.getTag().endsWith("_password")) { - ph.addEnc(props.getTag(), props.getValue()); - } else { - ph.add(props.getTag(), props.getValue()); - } - } - } else if (acf.code()==401){ - trans.error().log("Bad Password sent to AAF"); - } else if (acf.code()==404){ - trans.error().log("This version of AAF does not support remote Properties"); - } else { - trans.error().log(errMsg.toMsg(acf)); + for (Props props : aafProps(trans,aafcon,getProperty(propAccess,aafcon.env,false,Config.AAF_LOCATE_URL,"AAF Locator URL: "),fqi)) { + PropHolder ph = CRED_TAGS.contains(props.getTag())?cred:app; + if(props.getTag().endsWith("_password")) { + ph.addEnc(props.getTag(), props.getValue()); + } else { + ph.add(props.getTag(), props.getValue()); + } } + } } } @@ -940,6 +943,20 @@ public class Agent { } } + public static List<Props> aafProps(Trans trans, AAFCon<?> aafcon, String locator, String fqi) throws CadiException, APIException, URISyntaxException { + Future<Configuration> acf = aafcon.client(new SingleEndpointLocator(locator)) + .read("/configure/"+fqi+"/aaf", configDF); + if (acf.get(TIMEOUT)) { + return acf.value.getProps(); + } else if (acf.code()==401){ + trans.error().log("Bad Password sent to AAF"); + } else if (acf.code()==404){ + trans.error().log("This version of AAF does not support remote Properties"); + } else { + trans.error().log(errMsg.toMsg(acf)); + } + return new ArrayList<>(); + } private static void validate(final PropAccess pa) throws LocatorException, CadiException, APIException { System.out.println("Validating Configuration..."); diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java index 7256af40..67b3df09 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java @@ -66,17 +66,26 @@ public class PlaceArtifactInKeystore extends ArtifactDir { X509Certificate x509; List<X509Certificate> chainList = new ArrayList<>(); Set<X509Certificate> caSet = new HashSet<>(); + X509Certificate curr = null; for (Certificate c : certColl) { x509 = (X509Certificate)c; // Is a Root (self-signed, anyway) if (x509.getSubjectDN().equals(x509.getIssuerDN())) { caSet.add(x509); } else { - chainList.add(x509); + // Expect Certs in Trust Chain Order. + if(curr==null) { + chainList.add(x509); + curr=x509; + } else { + // Only Add Cert next on the list + if(curr.getIssuerDN().equals(x509.getSubjectDN())) { + chainList.add(x509); + curr=x509; + } + } } } -// chainList.addAll(caSet); - //Collections.reverse(chainList); // Properties, etc // Add CADI Keyfile Entry to Properties diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java index 772040c3..b3cf266e 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java @@ -29,6 +29,8 @@ import java.nio.file.Path; import java.security.GeneralSecurityException; import java.security.NoSuchAlgorithmException; import java.util.Map; +import java.util.Set; +import java.util.TreeSet; import java.util.concurrent.ConcurrentHashMap; import java.util.regex.Pattern; @@ -55,6 +57,7 @@ import aafoauth.v2_0.Token; public class TokenClientFactory extends Persist<Token,TimedToken> { private static TokenClientFactory instance; + private final Set<String> alts; private Map<String,AAFConHttp> aafcons = new ConcurrentHashMap<>(); private SecurityInfoC<HttpURLConnection> hsi; // Package on purpose @@ -62,14 +65,26 @@ public class TokenClientFactory extends Persist<Token,TimedToken> { private TokenClientFactory(Access pa) throws APIException, GeneralSecurityException, IOException, CadiException { super(pa, new RosettaEnv(pa.getProperties()),Token.class,"outgoing"); + Map<String, String> aaf_urls = Agent.loadURLs(pa); + alts = new TreeSet<>(); + if (access.getProperty(Config.AAF_OAUTH2_TOKEN_URL,null)==null) { access.getProperties().put(Config.AAF_OAUTH2_TOKEN_URL, aaf_urls.get(Config.AAF_OAUTH2_TOKEN_URL)); // Default to AAF } + if (access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL,null)==null) { access.getProperties().put(Config.AAF_OAUTH2_INTROSPECT_URL, aaf_urls.get(Config.AAF_OAUTH2_INTROSPECT_URL)); // Default to AAF); } - + + for(String tag : new String[] {Config.AAF_ALT_OAUTH2_TOKEN_URL, Config.AAF_ALT_OAUTH2_INTROSPECT_URL}) { + String value = access.getProperty(tag, null); + if(value!=null) { + alts.add(tag); + alts.add(value); + } + } + symm = Symm.encrypt.obtain(); hsi = SecurityInfoC.instance(access, HttpURLConnection.class); } @@ -105,15 +120,11 @@ public class TokenClientFactory extends Persist<Token,TimedToken> { } } char okind; - if ( Config.AAF_OAUTH2_TOKEN_URL.equals(tagOrURL) || - Config.AAF_OAUTH2_INTROSPECT_URL.equals(tagOrURL) || - tagOrURL.equals(access.getProperty(Config.AAF_OAUTH2_TOKEN_URL, null)) || - tagOrURL.equals(access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL, null)) - ) { - okind = Kind.AAF_OAUTH; - } else { - okind = Kind.OAUTH; - } + if (alts.contains(tagOrURL)) { + okind = Kind.OAUTH; + } else { + okind = Kind.AAF_OAUTH; + } TokenClient tci = new TokenClient( okind, this, diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java index 10acc887..de31e661 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java @@ -29,6 +29,7 @@ import java.io.InputStream; import java.io.PrintStream; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; +import java.net.URISyntaxException; import java.util.ArrayList; import java.util.List; import java.util.Map.Entry; @@ -36,14 +37,24 @@ import java.util.Properties; import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.PropAccess; import org.onap.aaf.cadi.Symm; import org.onap.aaf.cadi.aaf.Defaults; +import org.onap.aaf.cadi.aaf.v2_0.AAFCon; +import org.onap.aaf.cadi.client.Future; import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.configure.ArtifactDir; +import org.onap.aaf.cadi.locator.SingleEndpointLocator; import org.onap.aaf.cadi.util.MyConsole; import org.onap.aaf.cadi.util.SubStandardConsole; import org.onap.aaf.cadi.util.TheConsole; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.rosetta.env.RosettaDF; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +import locate.v1_1.Configuration; +import locate.v1_1.Configuration.Props; public class AAFSSO { public static final MyConsole cons = TheConsole.implemented() ? new TheConsole() : new SubStandardConsole(); @@ -179,16 +190,20 @@ public class AAFSSO { appID=null; } + String aaf_container_ns = ""; if (appID!=null) { - diskprops.setProperty(Config.AAF_APPID,appID); if( access.getProperty(Config.AAF_APPPASS)==null) { - char[] password = cons.readPassword("Password for %s: ", appID); + appID = user = cons.readLine("Deployer ID [%s]: ", user); + access.setProperty(Config.AAF_APPID,appID); + char[] password = cons.readPassword("Password for %s: ", user); if(password.length>0) { String app_pass = access.encrypt(new String(password)); access.setProperty(Config.AAF_APPPASS,app_pass); diskprops.setProperty(Config.AAF_APPPASS,app_pass); } + aaf_container_ns = cons.readLine("Container Namespace (blank if none)? [\"\"]: ", aaf_container_ns); } + diskprops.setProperty(Config.AAF_APPID,appID); } String keystore=access.getProperty(Config.CADI_KEYSTORE); @@ -298,36 +313,6 @@ public class AAFSSO { err.append("-D" + Config.AAF_APPPASS + "=<passwd> "); } - String locateUrl = Config.getAAFLocateUrl(access); - if (locateUrl==null) { - locateUrl=AAFSSO.cons.readLine("AAF Locator URL=https://"); - if (locateUrl==null || locateUrl.length()==0) { - err = new StringBuilder(Config.AAF_LOCATE_URL); - err.append(" is required."); - ok = false; - return; - } else { - locateUrl="https://"+locateUrl; - } - access.setProperty(Config.AAF_LOCATE_URL, locateUrl); - addProp(Config.AAF_LOCATE_URL, locateUrl); - } - - final String apiVersion = access.getProperty(Config.AAF_API_VERSION, Config.AAF_DEFAULT_API_VERSION); - final String aaf_root_ns = access.getProperty(Config.AAF_ROOT_NS); - String locateRoot; - if(aaf_root_ns==null) { - locateRoot=Defaults.AAF_ROOT; - } else { - locateRoot = Defaults.AAF_LOCATE_CONST + "/%CNS." + aaf_root_ns; - } - if(access.getProperty(Config.AAF_URL)==null) { - - access.setProperty(Config.AAF_URL, locateRoot+".service:"+apiVersion); - } - if(access.getProperty(Config.AAF_URL_CM)==null) { - access.setProperty(Config.AAF_URL_CM, locateRoot+".cm:"+apiVersion); - } String cadiLatitude = access.getProperty(Config.CADI_LATITUDE); if (cadiLatitude==null) { System.out.println("# If you do not know your Global Coordinates, we suggest bing.com/maps"); @@ -381,6 +366,55 @@ public class AAFSSO { } ok = err==null; } + String locateUrl = Config.getAAFLocateUrl(access); + if (locateUrl==null) { + locateUrl=AAFSSO.cons.readLine("AAF Locator URL=https://"); + if (locateUrl==null || locateUrl.length()==0) { + err = new StringBuilder(Config.AAF_LOCATE_URL); + err.append(" is required."); + ok = false; + return; + } else { + locateUrl="https://"+locateUrl; + } + access.setProperty(Config.AAF_LOCATE_URL, locateUrl); + addProp(Config.AAF_LOCATE_URL, locateUrl); + try { + if(access.getProperty(Config.AAF_URL)==null) { + access.setProperty(Config.AAF_URL, "https://AAF_LOCATE/AAF_NS.service:2.1"); + } + AAFCon<?> aafCon = AAFCon.newInstance(access); + Future<Configuration> acf; + RosettaDF<Configuration> configDF = new RosettaEnv().newDataFactory(Configuration.class); + acf = aafCon.client(new SingleEndpointLocator(locateUrl)) + .read("/configure/"+user+"/aaf", configDF); + if (acf.get(aafCon.connTimeout)) { + for(Props p : acf.value.getProps()) { + addProp(p.getTag(),p.getValue()); + if(access.getProperty(p.getTag())==null) { + access.setProperty(p.getTag(), p.getValue()); + } + } + } else { + access.log(Level.INFO,acf.body()); + } + } catch (LocatorException | APIException | URISyntaxException e) { + access.log(e); + } + } + + final String apiVersion = access.getProperty(Config.AAF_API_VERSION, Config.AAF_DEFAULT_API_VERSION); + final String aaf_root_ns = access.getProperty(Config.AAF_ROOT_NS); + String locateRoot; + if(aaf_root_ns==null) { + locateRoot=Defaults.AAF_ROOT; + } else { + locateRoot = Defaults.AAF_LOCATE_CONST + "/%CNS." + aaf_root_ns; + } + if(access.getProperty(Config.AAF_URL)==null) { + access.setProperty(Config.AAF_URL, locateRoot+".service:"+apiVersion); + } + writeFiles(); } diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/v2_0/JU_AAFAuthn.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/v2_0/JU_AAFAuthn.java index 41b519b1..962397cc 100644 --- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/v2_0/JU_AAFAuthn.java +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/v2_0/JU_AAFAuthn.java @@ -87,7 +87,7 @@ public class JU_AAFAuthn { Future<String> futureObj = Mockito.mock(Future.class); Mockito.doReturn(futureObj).when(rcliObj).read( "/authn/basicAuth","text/plain"); realm = authnObj.validate("test", "test","test"); - assertTrue(realm.contains("User/Pass combo invalid")); + assertTrue(realm.contains("user/pass combo invalid")); } catch (Exception e) { // TODO Auto-generated catch block e.printStackTrace(); diff --git a/cadi/aaf/src/test/resources/cadi.properties b/cadi/aaf/src/test/resources/cadi.properties index ee0b719f..d0862909 100644 --- a/cadi/aaf/src/test/resources/cadi.properties +++ b/cadi/aaf/src/test/resources/cadi.properties @@ -23,7 +23,7 @@ AFT_LATITUDE=32.780140 AFT_LONGITUDE=-96.800451 AFT_ENVIRONMENT=AFTUAT -DEPLOYED_VERSION=2.0.MITHRIL +aaf_deployed_version=2.0.MITHRIL cadi_prop_files=/opt/app/aaf/common/com.att.aaf.props #cadi_keystore=/Volumes/Data/src/authz/common/cadiaaf.jks diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java index 66fbe847..38afa629 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java @@ -157,6 +157,7 @@ public class Config { public static final String AAF_LOCATE_URL = "aaf_locate_url"; //URL for AAF locator public static final String AAF_LOCATE_URL_TAG = "AAF_LOCATE_URL"; // Name of Above for use in Config Variables. public static final String AAF_DEFAULT_API_VERSION = "2.1"; + public static final String AAF_DEPLOYED_VERSION="aaf_deployed_version"; public static final String AAF_API_VERSION = "aaf_api_version"; public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration public static final String AAF_LOCATOR_CLASS = "aaf_locator_class"; @@ -219,8 +220,8 @@ public class Config { public static final String AAF_CERT_IDS = "aaf_cert_ids"; public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited public static final String AAF_DATA_DIR = "aaf_data_dir"; // AAF processes and Components only. - public static final String AAF_RELEASE = "aaf_release"; + public static final String AAF_URL_OAUTH = "aaf_url_oauth"; public static final String AAF_URL_GUI="aaf_url_gui"; public static final String AAF_URL_FS="aaf_url_fs"; public static final String AAF_URL_CM = "aaf_url_cm"; diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java index 285c45ec..5d1d23fa 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java @@ -91,12 +91,6 @@ public class SecurityInfo { this.access = access; // reuse DME2 Properties for convenience if specific Properties don't exist - msgHelp = String.format(INITIALIZING_ERR_FMT,"Keystore", access.getProperty(Config.CADI_KEYSTORE, "")); - initializeKeyManager(); - - msgHelp = String.format(INITIALIZING_ERR_FMT,"Truststore", access.getProperty(Config.CADI_TRUSTSTORE, "")); - initializeTrustManager(); - String str = access.getProperty(Config.CADI_ALIAS, null); if(str==null || str.isEmpty()) { defaultAlias = null; @@ -113,7 +107,14 @@ public class SecurityInfo { } else { defaultClientAlias = str; } + + msgHelp = String.format(INITIALIZING_ERR_FMT,"Keystore", access.getProperty(Config.CADI_KEYSTORE, "")); + initializeKeyManager(); + msgHelp = String.format(INITIALIZING_ERR_FMT,"Truststore", access.getProperty(Config.CADI_TRUSTSTORE, "")); + initializeTrustManager(); + + msgHelp = String.format(INITIALIZING_ERR_FMT,"Trustmasks", access.getProperty(Config.CADI_TRUST_MASKS, "")); initializeTrustMasks(); @@ -239,13 +240,51 @@ public class SecurityInfo { } } } + + StringBuilder sb = null; for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) { if (keyManager instanceof X509KeyManager) { - keyManagers.add((X509KeyManager)keyManager); + X509KeyManager xkm = (X509KeyManager)keyManager; + keyManagers.add(xkm); + if(defaultAlias!=null) { + sb=new StringBuilder("X509 Chain\n"); + x509Info(sb,xkm.getCertificateChain(defaultAlias)); + } + if(defaultClientAlias!=null && !defaultClientAlias.equals(defaultAlias)) { + if(sb==null) { + sb = new StringBuilder(); + } else { + sb.append('\n'); + } + sb.append("X509 Client Chain\n"); + x509Info(sb,xkm.getCertificateChain(defaultAlias)); + } } } x509KeyManager = new X509KeyManager[keyManagers.size()]; keyManagers.toArray(x509KeyManager); + + if(sb!=null) { + access.log(Level.INIT, sb); + } + } + + private void x509Info(StringBuilder sb, X509Certificate[] chain) { + if(chain!=null) { + int i=0; + for(X509Certificate x : chain) { + sb.append(" "); + sb.append(i++); + sb.append(')'); + sb.append("\n Subject: "); + sb.append(x.getSubjectDN()); + sb.append("\n Issuer : "); + sb.append(x.getIssuerDN()); + sb.append("\n Expires: "); + sb.append(x.getNotAfter()); + sb.append('\n'); + } + } } protected void initializeTrustManager() throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException, CadiException { |