AT&T 2.0.19 Code drop, stage 3

Issue-ID: AAF-197
Change-Id: I8b02cb073ccba318ccaf6ea0276446bdce88fb82
Signed-off-by: Instrumental <jcgmisc@stl.gathman.org>

4 files changed, 1042 insertions, 0 deletions

diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
new file mode 100644
index 00000000..63e83901
--- /dev/null
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
@@ -0,0 +1,666 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+import javax.mail.Address;
+import javax.mail.Message;
+import javax.mail.MessagingException;
+import javax.mail.Session;
+import javax.mail.Transport;
+import javax.mail.internet.InternetAddress;
+import javax.mail.internet.MimeMessage;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.EmailWarnings;
+import org.onap.aaf.auth.org.Executor;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.misc.env.Env;
+
+public class DefaultOrg implements Organization {
+	private static final String AAF_DATA_DIR = "aaf_data_dir";
+	private static final String PROPERTY_IS_REQUIRED = " property is Required";
+	// Package on Purpose
+	final String domain;
+	final String atDomain;
+	final String realm;
+	
+	private final String NAME,mailHost,mailFrom;
+
+	public DefaultOrg(Env env, String realm) throws OrganizationException {
+		this.realm = realm;
+		domain=FQI.reverseDomain(realm);
+		atDomain = '@'+domain;
+		String s;
+		NAME=env.getProperty(realm + ".name","Default Organization");
+		mailHost = env.getProperty(s=(realm + ".mailHost"), null);
+		if(mailHost==null) {
+			throw new OrganizationException(s + PROPERTY_IS_REQUIRED);
+		}
+		mailFrom = env.getProperty(s=(realm + ".mailFrom"), null);
+		if(mailFrom==null) {
+			throw new OrganizationException(s + PROPERTY_IS_REQUIRED);
+		}
+		
+		System.getProperties().setProperty("mail.smtp.host",mailHost);
+		System.getProperties().setProperty("mail.user", mailFrom);
+		// Get the default Session object.
+		session = Session.getDefaultInstance(System.getProperties());
+
+		try {
+			String defFile;
+			String temp=env.getProperty(defFile = (getClass().getName()+".file"));
+			File fIdentities=null;
+			if(temp==null) {
+				temp = env.getProperty(AAF_DATA_DIR);
+				if(temp!=null) {
+					env.warn().log(defFile, "is not defined. Using default: ",temp+"/identities.dat");
+					File dir = new File(temp);
+					fIdentities=new File(dir,"identities.dat");
+					if(!fIdentities.exists()) {
+						env.warn().log("No",fIdentities.getCanonicalPath(),"exists.  Creating.");
+						if(!dir.exists()) {
+							dir.mkdirs();
+						}
+						fIdentities.createNewFile();
+					}
+				}
+			} else {
+				fIdentities = new File(temp);
+				if(!fIdentities.exists()) {
+					String dataDir = env.getProperty(AAF_DATA_DIR);
+					if(dataDir!=null) {
+						fIdentities = new File(dataDir,temp);
+					}
+				}
+			}
+			
+			if(fIdentities!=null && fIdentities.exists()) {
+				identities = new Identities(fIdentities);
+			} else {
+				throw new OrganizationException(fIdentities.getCanonicalPath() + " does not exist.");
+			}
+		} catch (IOException e) {
+			throw new OrganizationException(e);
+		}
+	}
+	
+	// Implement your own Delegation System
+	static final List<String> NULL_DELEGATES = new ArrayList<String>();
+
+	public Identities identities;
+	private boolean dryRun;
+	private Session session;
+	public enum Types {Employee, Contractor, Application, NotActive};
+	private final static Set<String> typeSet;
+	
+	static {
+		typeSet = new HashSet<String>();
+		for(Types t : Types.values()) {
+			typeSet.add(t.name());
+		}
+	}
+	
+	private static final EmailWarnings emailWarnings = new DefaultOrgWarnings();
+
+	@Override
+	public String getName() {
+		return NAME;
+	}
+
+	@Override
+	public String getRealm() {
+		return realm;
+	}
+
+	@Override
+	public String getDomain() {
+		return domain;
+	}
+
+	@Override
+	public DefaultOrgIdentity getIdentity(AuthzTrans trans, String id) throws OrganizationException {
+		int at = id.indexOf('@');
+		return new DefaultOrgIdentity(trans,at<0?id:id.substring(0, at),this);
+	}
+
+	// Note: Return a null if found; return a String Message explaining why not found. 
+	@Override
+	public String isValidID(final AuthzTrans trans, final String id) {
+		try {
+			DefaultOrgIdentity u = getIdentity(trans,id);
+			return (u==null||!u.isFound())?id + "is not an Identity in " + getName():null;
+		} catch (OrganizationException e) {
+			return getName() + " could not lookup " + id + ": " + e.getLocalizedMessage();
+		}
+	}
+	// Possible ID Pattern
+	//	private static final Pattern ID_PATTERN=Pattern.compile("([\\w.-]+@[\\w.-]+).{4-13}");
+	// Another one: ID_PATTERN = "(a-z[a-z0-9]{5-8}@.*).{4-13}";
+
+	@Override
+	public boolean isValidCred(final AuthzTrans trans, final String id) {
+		// have domain?
+		int at = id.indexOf('@');
+		String sid;
+		if(at > 0) {
+			// Use this to prevent passwords to any but THIS domain.
+//			if(!id.regionMatches(at+1, domain, 0, id.length()-at-1)) {
+//				return false;
+//			}
+			sid = id.substring(0,at); 
+		} else {
+			sid = id;
+		}
+		// We'll validate that it exists, rather than check patterns.
+		
+		return isValidID(trans, sid)==null;
+		// Check Pattern (if checking existing is too long)
+		//		if(id.endsWith(SUFFIX) && ID_PATTERN.matcher(id).matches()) {
+		//			return true;
+		//		}
+		//		return false; 
+	}
+
+	private static final String SPEC_CHARS = "!@#$%^*-+?/,:;.";
+	private static final Pattern PASS_PATTERN=Pattern.compile("((?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[" + SPEC_CHARS +"]).{6,20})");
+	/**
+	 *  Attribution: from mkyong.com
+	 *  (				# Start of group
+	 *  (?=.*\d)			#   must contains one digit from 0-9
+	 *  (?=.*[a-z])		#   must contains one lowercase characters
+	 *  (?=.*[A-Z])		#   must contains one uppercase characters
+	 *  (?=.*[@#$%])		#   must contains one special symbols in the list SPEC_CHARS
+	 *        	.		#     match anything with previous condition checking
+	 *          {6,20}	#        length at least 6 characters and maximum of 20
+	 *  )				# End of group
+	 */
+	@Override
+	public String isValidPassword(final AuthzTrans trans, final String user, final String password, final String... prev) {
+		for(String p : prev) {
+			if(password.contains(p)) { // A more sophisticated algorithm might be better.
+				return "Password too similar to previous passwords";
+			}
+		}
+		// If you have an Organization user/Password scheme, replace the following
+		if(PASS_PATTERN.matcher(password).matches()) {
+			return "";
+		}
+		return "Password does not match " + NAME + " Password Standards";
+	}
+
+	private static final String[] rules = new String[] {
+			"Passwords must contain one digit from 0-9",
+			"Passwords must contain one lowercase character",
+			"Passwords must contain one uppercase character",
+			"Passwords must contain one special symbols in the list \""+ SPEC_CHARS + '"',
+			"Passwords must be between 6 and 20 chars in length"
+	};
+
+	@Override
+	public String[] getPasswordRules() {
+		return rules;
+	}
+
+	@Override
+	public Set<String> getIdentityTypes() {
+		return typeSet;
+	}
+
+	@Override
+	public Response notify(AuthzTrans trans, Notify type, String url, String[] identities, String[] ccs, String summary, Boolean urgent) {
+		String system = trans.getProperty("CASS_ENV", "");
+
+		ArrayList<String> toList = new ArrayList<String>();
+		Identity identity;
+		if (identities != null) {
+			for (String user : identities) {
+				try {
+					identity = getIdentity(trans, user);
+					if (identity == null) {
+						trans.error().log(
+								"Failure to obtain User " + user + " for "
+										+ getName());
+					} else {
+						toList.add(identity.email());
+					}
+				} catch (Exception e) {
+					trans.error().log(
+							e,
+							"Failure to obtain User " + user + " for "
+									+ getName());
+				}
+			}
+		}
+
+		if (toList.isEmpty()) {
+			trans.error().log("No Users listed to email");
+			return Response.ERR_NotificationFailure;
+		}
+
+		ArrayList<String> ccList = new ArrayList<String>();
+
+		// If we're sending an urgent email, CC the user's supervisor
+		//
+		if (urgent) {
+			trans.info().log("urgent msg for: " + identities[0]);
+			try {
+				List<Identity> supervisors = getApprovers(trans, identities[0]);
+				for (Identity us : supervisors) {
+					trans.info().log("supervisor: " + us.email());
+					ccList.add(us.email());
+				}
+			} catch (Exception e) {
+				trans.error().log(e,
+						"Failed to find supervisor for  " + identities[0]);
+			}
+		}
+
+		if (ccs != null) {
+			for (String user : ccs) {
+				try {
+					identity = getIdentity(trans, user);
+					ccList.add(identity.email());
+				} catch (Exception e) {
+					trans.error().log(
+							e,
+							"Failure to obtain User " + user + " for "
+									+ getName());
+				}
+			}
+		}
+
+		if (summary == null) {
+			summary = "";
+		}
+
+		switch (type) {
+		case Approval:
+			try {
+				sendEmail(trans, toList, ccList,
+						"AAF Approval Notification "
+								+ (system.length() == 0 ? "" : "(ENV: "
+										+ system + ")"),
+						"AAF is the "
+						+ NAME
+						+ "System for Fine-Grained Authorizations.  You are being asked to Approve"
+								+ (system.length() == 0 ? "" : " in the "
+										+ system + " environment")
+								+ " before AAF Actions can be taken.\n\n"
+								+ "Please follow this link: \n\n\t" + url
+								+ "\n\n" + summary, urgent);
+			} catch (Exception e) {
+				trans.error().log(e, "Failure to send Email");
+				return Response.ERR_NotificationFailure;
+			}
+			break;
+		case PasswordExpiration:
+			try {
+				sendEmail(trans,
+						toList,
+						ccList,
+						"AAF Password Expiration Warning "
+								+ (system.length() == 0 ? "" : "(ENV: "
+										+ system + ")"),
+						"AAF is the "
+						+ NAME
+						+ " System for Authorizations.\n\nOne or more passwords will expire soon or have expired"
+								+ (system.length() == 0 ? "" : " in the "
+										+ system + " environment")
+								+ ".\n\nPasswords expired for more than 30 days without action are subject to deletion.\n\n"
+								+ "Please follow each link to add a New Password with Expiration Date. Either are valid until expiration. "
+								+ "Use this time to change the passwords on your system. If issues, reply to this email.\n\n"
+								+ summary, urgent);
+			} catch (Exception e) {
+				trans.error().log(e, "Failure to send Email");
+				return Response.ERR_NotificationFailure;
+			}
+			break;
+
+		case RoleExpiration:
+			try {
+				sendEmail(
+						trans,
+						toList,
+						ccList,
+						"AAF Role Expiration Warning "
+								+ (system.length() == 0 ? "" : "(ENV: "
+										+ system + ")"),
+						"AAF is the "
+						+ NAME
+						+ " System for Authorizations. One or more roles will expire soon"
+								+ (system.length() == 0 ? "" : " in the "
+										+ system + " environment")
+								+ ".\n\nRoles expired for more than 30 days are subject to deletion."
+								+ "Please follow this link the GUI Command line, and either 'extend' or 'del' the user in the role.\n"
+								+ "If issues, reply to this email.\n\n\t" + url
+								+ "\n\n" + summary, urgent);
+			} catch (Exception e) {
+				trans.error().log(e, "Failure to send Email");
+				return Response.ERR_NotificationFailure;
+			}
+			break;
+		default:
+			return Response.ERR_NotImplemented;
+		}
+		return Response.OK;
+	}
+
+	@Override
+	public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList, String subject, String body,
+			Boolean urgent) throws OrganizationException {
+		int status = 1;
+		
+		List<String> to = new ArrayList<String>();
+		for(String em : toList) {
+			if(em.indexOf('@')<0) {
+				to.add(new DefaultOrgIdentity(trans, em, this).email());
+			} else {
+				to.add(em);
+			}
+		}
+		
+		List<String> cc = new ArrayList<String>();
+		if(ccList!=null && !ccList.isEmpty()) {
+			for(String em : ccList) {
+				if(em.indexOf('@')<0) {
+					cc.add(new DefaultOrgIdentity(trans, em, this).email());
+				} else {
+					cc.add(em);
+				}
+			}
+		}
+		
+	
+		// for now, I want all emails so we can see what goes out. Remove later
+		if (!ccList.contains(mailFrom)) {
+			ccList.add(mailFrom);
+		}
+
+		try {
+			// Create a default MimeMessage object.
+			MimeMessage message = new MimeMessage(session);
+
+			// Set From: header field of the header.
+			message.setFrom(new InternetAddress(mailFrom));
+
+			if (!dryRun) {
+				// Set To: header field of the header. This is a required field
+				// and calling module should make sure that it is not null or
+				// blank
+				message.addRecipients(Message.RecipientType.TO,getAddresses(to));
+
+				// Set CC: header field of the header.
+				if ((ccList != null) && (ccList.size() > 0)) {
+					message.addRecipients(Message.RecipientType.CC,getAddresses(cc));
+				}
+
+				// Set Subject: header field
+				message.setSubject(subject);
+
+				if (urgent) {
+					message.addHeader("X-Priority", "1");
+				}
+
+				// Now set the actual message
+				message.setText(body);
+			} else {
+				// override recipients
+				message.addRecipients(Message.RecipientType.TO,
+						InternetAddress.parse(mailFrom));
+
+				// Set Subject: header field
+				message.setSubject("[TESTMODE] " + subject);
+
+				if (urgent) {
+					message.addHeader("X-Priority", "1");
+				}
+
+				ArrayList<String> newBody = new ArrayList<String>();
+
+				Address temp[] = getAddresses(to);
+				String headerString = "TO:\t" + InternetAddress.toString(temp) + "\n";
+
+				temp = getAddresses(cc);
+				headerString += "CC:\t" + InternetAddress.toString(temp) + "\n";
+
+				newBody.add(headerString);
+
+				newBody.add("Text: \n");
+
+				newBody.add(body);
+				String outString = "";
+				for (String s : newBody) {
+					outString += s + "\n";
+				}
+
+				message.setText(outString);
+			}
+			// Send message
+			Transport.send(message);
+			status = 0;
+
+		} catch (MessagingException mex) {
+			throw new OrganizationException("Exception send email message "
+					+ mex.getMessage());
+		}
+
+		return status;	
+	}
+
+	/**
+	 * Default Policy is to set to 6 Months for Notification Types.
+	 * add others/change as required
+	 */
+	@Override
+	public Date whenToValidate(Notify type, Date lastValidated) {
+		switch(type) {
+			case Approval:
+			case PasswordExpiration:
+				return null;
+			default:
+				GregorianCalendar gc = new GregorianCalendar();
+				gc.setTime(lastValidated);
+				gc.add(GregorianCalendar.MONTH, 6);  // 6 month policy
+				return gc.getTime();
+		}
+	}
+
+	@Override
+	public GregorianCalendar expiration(GregorianCalendar gc, Expiration exp, String... extra) {
+        GregorianCalendar now = new GregorianCalendar();
+        GregorianCalendar rv = gc==null?now:(GregorianCalendar)gc.clone();
+		switch (exp) {
+			case ExtendPassword:
+				// Extending Password give 5 extra days, max 8 days from now
+				rv.add(GregorianCalendar.DATE, 5);
+				now.add(GregorianCalendar.DATE, 8);
+				if(rv.after(now)) {
+					rv = now;
+				}
+				break;
+			case Future:
+				// Future requests last 15 days.
+				now.add(GregorianCalendar.DATE, 15);
+				rv = now;
+				break;
+			case Password:
+				// Passwords expire in 90 days
+				now.add(GregorianCalendar.DATE, 90);
+				rv = now;
+				break;
+			case TempPassword:
+				// Temporary Passwords last for 12 hours.
+				now.add(GregorianCalendar.DATE, 90);
+				rv = now;
+				break;
+			case UserDelegate:
+				// Delegations expire max in 2 months, renewable to 3
+				rv.add(GregorianCalendar.MONTH, 2);
+				now.add(GregorianCalendar.MONTH, 3);
+				if(rv.after(now)) {
+					rv = now;
+				}
+				break;
+			case UserInRole:
+				// Roles expire in 6 months
+				now.add(GregorianCalendar.MONTH, 6);
+				rv = now;
+				break;
+			default:
+				// Unless other wise set, 6 months is default
+				now.add(GregorianCalendar.MONTH, 6);
+				rv = now;
+				break;
+		}
+		return rv;
+	}
+
+	@Override
+	public EmailWarnings emailWarningPolicy() {
+		return emailWarnings;
+	}
+
+	/**
+	 * Assume the Supervisor is the Approver.
+	 */
+	@Override
+	public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException {
+		Identity orgIdentity = getIdentity(trans, user);
+		List<Identity> orgIdentitys = new ArrayList<Identity>();
+		if(orgIdentity!=null) {
+			Identity supervisor = orgIdentity.responsibleTo();
+			if(supervisor!=null) {
+				orgIdentitys.add(supervisor);
+			}
+		}
+		return orgIdentitys;	
+	}
+
+	@Override
+	public String getApproverType() {
+		return "supervisor";
+	}
+
+	@Override
+	public int startOfDay() {
+		// TODO Auto-generated method stub
+		return 0;
+	}
+
+	@Override
+	public boolean canHaveMultipleCreds(String id) {
+		// External entities are likely mono-password... if you change it, it is a global change.
+		// This is great for people, but horrible for Applications.  
+		//
+		// AAF's Password can have multiple Passwords, each with their own Expiration Date.
+		// For Default Org, we'll assume true for all, but when you add your external
+		// Identity stores, you need to return "false" if they cannot support multiple Passwords like AAF
+		return true;
+	}
+
+	@Override
+	public String validate(AuthzTrans trans, Policy policy, Executor executor, String... vars) throws OrganizationException {
+		switch(policy) {
+			case OWNS_MECHID:
+			case CREATE_MECHID:
+				if(vars.length>0) {
+					DefaultOrgIdentity thisID = getIdentity(trans,vars[0]);
+					if("a".equals(thisID.identity.status)) { // MechID
+						DefaultOrgIdentity requestor = getIdentity(trans, trans.user());
+						if(requestor!=null) {
+							Identity mechid = getIdentity(trans, vars[0]);
+							if(mechid!=null) {
+								Identity sponsor = mechid.responsibleTo();
+								if(sponsor!=null && requestor.equals(sponsor.fullID())) {
+									return null;
+								} else {
+									return trans.user() + " is not the Sponsor of MechID " + vars[0];
+								}
+							}
+						}
+					}
+				}
+				return null;
+				
+			case CREATE_MECHID_BY_PERM_ONLY:
+				return getName() + " only allows sponsors to create MechIDs";
+				
+			default:
+				return policy.name() + " is unsupported at " + getName();
+		}	
+	}
+
+	@Override
+	public boolean isTestEnv() {
+		return false;
+	}
+
+	@Override
+	public void setTestMode(boolean dryRun) {
+		this.dryRun = dryRun;
+	}
+
+	/**
+	 * Convert the delimiter String into Internet addresses with the default
+	 * delimiter of ";"
+	 * @param strAddress
+	 * @return
+	 */
+	private Address[] getAddresses(List<String> strAddress) throws OrganizationException {
+		return this.getAddresses(strAddress,";");
+	}
+	/**
+	 * Convert the delimiter String into Internet addresses with the 
+	 * delimiter of provided
+	 * @param strAddress
+	 * @param delimiter
+	 * @return
+	 */
+	private Address[] getAddresses(List<String> strAddresses, String delimiter) throws OrganizationException {
+		Address[] addressArray = new Address[strAddresses.size()];
+		int count = 0;
+		for (String addr : strAddresses)
+		{
+            try{
+            	addressArray[count] = new InternetAddress(addr);
+            	count++;
+            }catch(Exception e){
+            	throw new OrganizationException("Failed to parse the email address "+ addr +": "+e.getMessage());
+            }
+        }
+        return addressArray;
+	}
+
+			
+	}
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
new file mode 100644
index 00000000..6d9003fd
--- /dev/null
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
@@ -0,0 +1,170 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.local.AbsData.Reuse;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.auth.org.Organization.Identity;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.org.Identities.Data;
+
+/**
+ * Org Users are essential representations of Identities within the Org.  Since this is a highly individual 
+ * thing for most Orgs, i.e. some use LDAP, some need feed, some use something else, this object will allow
+ * the Organization to connect to their own Identity systems...
+ * 
+ *
+ */
+public class DefaultOrgIdentity implements Identity {
+	private static final String CONTRACTOR = "c";
+	private static final String EMPLOYEE = "e";
+	private static final String APPLICATION = "a";
+    private static final String NON_ACTIVE = "n";
+
+	private final static int TIMEOUT = Integer.parseInt(Config.AAF_CONN_TIMEOUT_DEF);
+	
+	private DefaultOrg org;
+	//package on purpose
+	Data identity;
+	private AuthzTrans trans;
+
+	public DefaultOrgIdentity(AuthzTrans trans, String key, DefaultOrg dorg) throws OrganizationException {
+		this.trans = trans;
+		org = dorg;
+		identity=null;
+		try {
+			org.identities.open(trans, TIMEOUT);
+			try {
+				Reuse r = org.identities.reuse();
+				int at = key.indexOf(dorg.atDomain);
+				String search;
+				if(at>=0) {
+					search = key.substring(0,at);
+				} else {
+					search = key;
+				}
+				identity = org.identities.find(search, r);
+				if(identity==null) {
+					identity = Identities.NO_DATA;
+				}
+			} finally {
+				org.identities.close(trans);
+			}
+		} catch (IOException e) {
+			throw new OrganizationException(e);
+		}
+	}
+	
+	@Override
+	public boolean equals(Object b) {
+		if(b instanceof DefaultOrgIdentity) {
+			return identity.id.equals(((DefaultOrgIdentity)b).identity.id);
+		}
+		return false;
+	}
+
+	@Override
+	public String id() {
+		return identity.id;
+	}
+
+	@Override
+	public String fullID() {
+		return identity.id+'@'+org.getDomain();
+	}
+
+	@Override
+	public String type() {
+		switch(identity.status) {
+			case EMPLOYEE: return DefaultOrg.Types.Employee.name();
+			case CONTRACTOR: return DefaultOrg.Types.Contractor.name();
+			case APPLICATION: return DefaultOrg.Types.Application.name();
+			case NON_ACTIVE: return DefaultOrg.Types.NotActive.name();
+			default:
+				return "Unknown";
+		}
+	}
+
+	@Override
+	public Identity responsibleTo() throws OrganizationException {
+		if("".equals(identity.responsibleTo) && isFound()) { // cover the situation of Top Dog... reports to no-one.
+			return this;
+		} else {
+			return org.getIdentity(trans, identity.responsibleTo);
+		}
+	}
+
+	@Override
+	public List<String> delegate() {
+		//NOTE:  implement Delegate system, if desired
+		return DefaultOrg.NULL_DELEGATES;
+	}
+
+	@Override
+	public String email() {
+		return identity.email;
+	}
+
+	@Override
+	public String fullName() {
+		return identity.name;
+	}
+
+	@Override
+	public String firstName() {
+		return identity.fname;
+	}
+
+	@Override
+	public String mayOwn() {
+		// Assume only Employees are responsible for Resources.
+		if(identity.status==null|| identity.status.length()==0) {
+			return "Identity must have valid status";
+		} else if(EMPLOYEE.equals(identity.status)) {
+			return null; // This is "Yes, is Responsible"
+		} else {
+			return "Reponsible Party must be an Employee";
+		}
+	}
+
+	@Override
+	public boolean isFound() {
+		return identity!=Identities.NO_DATA; // yes, object comparison intended
+	}
+
+	@Override
+	public boolean isPerson() {
+		return !identity.status.equals(APPLICATION);
+	}
+
+	@Override
+	public Organization org() {
+		return org;
+	}
+
+
+}
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgWarnings.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgWarnings.java
new file mode 100644
index 00000000..c04707ee
--- /dev/null
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgWarnings.java
@@ -0,0 +1,63 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org;
+
+import org.onap.aaf.auth.org.EmailWarnings;
+
+public class DefaultOrgWarnings implements EmailWarnings {
+
+	@Override
+    public long credEmailInterval()
+    {
+        return 604800000L; // 7 days in millis 1000 * 86400 * 7
+    }
+    
+	@Override
+    public long roleEmailInterval()
+    {
+        return 604800000L; // 7 days in millis 1000 * 86400 * 7
+    }
+	
+	@Override
+	public long apprEmailInterval() {
+        return 259200000L; // 3 days in millis 1000 * 86400 * 3
+	}
+    
+	@Override
+    public long  credExpirationWarning()
+    {
+        return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30  in milliseconds
+    }
+    
+	@Override
+    public long roleExpirationWarning()
+    {
+        return( 2592000000L ); // One month, in milliseconds 1000 * 86400 * 30  in milliseconds
+    }
+
+	@Override
+    public long emailUrgentWarning()
+    {
+        return( 1209600000L ); // Two weeks, in milliseconds 1000 * 86400 * 14  in milliseconds
+    }
+
+}
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/Identities.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/Identities.java
new file mode 100644
index 00000000..f3067fe6
--- /dev/null
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/Identities.java
@@ -0,0 +1,143 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org;
+
+import java.io.File;
+import java.io.IOException;
+
+import org.onap.aaf.auth.local.AbsData;
+import org.onap.aaf.auth.local.DataFile.Token.Field;
+
+/*
+ * Example User Data file, which can be modified for many different kinds of Data Feeds.
+ * 
+ * Note: This has shown to be extremely effective in AT&T, an acknowledged very large organizations, 
+ * 	     because there is no need to synchronize records.  AAF simply receives a Data Feed in Organization
+ * 		 defined intervals.  (You might want to check for validity, such as size, etc), then is copied into
+ * 		 Data Directory.  You will want to do so first creating a "lock" file.  Assuming the File name is "users.dat",
+ * 		 the Lock File is "users.lock".  
+ * 
+ * 		 After the movement of the Datafile into place, it is best to remove the Index File, then remove the lock file.
+ * 
+ * 		 Note, Any AAF Programs needing this data WILL wait on the Lock file, so you should get fresh Data files
+ *       in a "stage" directory, from WEB, or wherever, and then, after it is correct, do the following as fast as feasible.
+ *       
+ *       	a) lock
+ *          b) copy from stage
+ *          c) remove idx
+ *          d) unlock
+ * 
+ * 	     If the Index File is either non-existent or out of date from the Data File, it will be reindexed, which
+ * 		 has proven to be a very quick function, even with large numbers of entries.
+ * 
+ * This Sample Feed is set for a file with delimiter of "|".  512 is maximum expected line length. The "0" is the
+ *       field offset for the "key" to the record,  which, for user, should be the unique Organization Identity.
+ *       
+ */
+public class Identities extends AbsData {
+	public final static Data NO_DATA = new Data();
+	
+	public Identities(File users) {
+		super(users,'|',512,0);
+	}
+
+	/*
+	 * Example Field Layout.  note, in this example, Application IDs and People IDs are mixed.  You may want to split
+	 *   out AppIDs, choose your own status indicators, or whatever you use.
+	 * 0 - unique ID
+	 * 1 - full name
+	 * 2 - first name
+	 * 3 - last name
+	 * 4 - phone
+	 * 5 - official email
+	 * 6 - employment status e=employee, c=contractor, a=application, n=no longer with company
+	 * 7 - responsible to (i.e Supervisor for People, or AppOwner, if it's an App ID)
+	 */
+	public static class Data {
+		public final String id;
+		public final String name;
+		public final String fname;
+		public final String lname;
+		public final String phone;
+		public final String email;
+		public final String status;
+		public final String responsibleTo;
+		
+		private Data(Field f) {
+			f.reset();
+			id=f.next();
+			name=f.next();
+			fname=f.next();
+			lname=f.next();
+			phone=f.next();
+			email=f.next();
+			status=f.next();
+			responsibleTo =f.next();
+		}
+		
+		private Data() {
+			id = name = fname = lname =
+			phone = email = status = responsibleTo 
+			= "";
+		}
+
+		public String toString() {
+			return  id + '|' +
+					name + '|' +
+					lname + '|' +
+					fname + '|' +
+					phone + '|' +
+					email + '|' +
+					status + '|' +
+					responsibleTo;
+		}
+		
+		// Here, make up your own Methods which help you easily determine your Organization's structure
+		// in your Organization Object
+        public boolean hasStatus(String possible) {
+            return possible.contains(status);
+	    }
+
+	    public boolean isEmployee() {
+	            return "e".equals(status);
+	    }
+	
+	    public boolean isContractor() {
+	            return "c".equals(status);
+	    }
+	
+	    public boolean isApplication() {
+	            return "a".equals(status);
+	    }
+	}
+	
+    public Data find(Object key,Reuse r) throws IOException {
+        r.reset();
+        // These are new, to allow for Thread Safety
+        int rec = ti.find(key,r,0);
+        if(rec<0) {
+            return null;
+        }
+        r.pos(rec);
+		return new Data(r.getFieldData());
+    }
+}