diff options
| author |   Instrumental <jonathan.gathman@att.com> | 2019-07-30 17:02:46 -0500 |
|---|---|---|
| committer | Instrumental <jonathan.gathman@att.com> | 2019-07-30 17:17:42 -0500 |
| commit | b3814beaec2b6f439ffb7af1594e70b5339a9e5f (patch) | |
| tree | ccdb09730f12cf029d6dc090721601ad4091b20f /auth/auth-service/src/main | |
| parent | 73fe8ba55543a74a249c9adc993ac78ccddbabd6 (diff) | |
Add new JUnit Structure
Issue-ID: AAF-902
Change-Id: I5d13132cedb6b0dae115c160c68c42f2d85277c3
Signed-off-by: Instrumental <jonathan.gathman@att.com>
Diffstat (limited to 'auth/auth-service/src/main')
| -rw-r--r-- | auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java | 32 |
1 files changed, 23 insertions, 9 deletions
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 295db4ac..b57b0708 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -42,6 +42,7 @@ import java.util.Map; import java.util.Set; import java.util.TreeMap; import java.util.UUID; +import java.util.concurrent.TimeUnit; import javax.servlet.http.HttpServletRequest; @@ -2442,8 +2443,14 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(rb); } else if (rb.value){ return Result.err(Status.ERR_Policy, "Credential content cannot be reused."); - } else if ((Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) && curr.type==rcred.value.type)) { - return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); + } else if(Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) + && curr.type==rcred.value.type + ) { + // Allow if expiring differential is greater than 1 day (for TEMP) + // Unless expiring in 1 day + if(System.currentTimeMillis() - rcred.value.expires.getTime() > TimeUnit.DAYS.toMillis(1)) { + return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); + } } } } @@ -2501,13 +2508,20 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE case Status.ACC_Now: try { if (firstID) { - // && !nsr.value.get(0).isAdmin(trans.getUserPrincipal().getName())) { - Result<List<String>> admins = func.getAdmins(trans, nsr.value.get(0).name, false); - // OK, it's a first ID, and not by NS Admin, so let's set TempPassword length - // Note, we only do this on First time, because of possibility of - // prematurely expiring a production id - if (admins.isOKhasData() && !admins.value.contains(trans.user())) { - rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime(); + // OK, it's a first ID, and not by NS Owner + if(!ques.isOwner(trans,trans.user(),cdd.ns)) { + // Admins are not allowed to set first Cred, but Org has already + // said entity MAY create, typically by Permission + // We can't know which reason they are allowed here, so we + // have to assume that any with Special Permission would not be + // an Admin. + if(ques.isAdmin(trans, trans.user(), cdd.ns)) { + return Result.err(Result.ERR_Denied, + "Only Owners may create first passwords in their Namespace. Admins may modify after one exists" ); + } else { + // Allow IDs that AREN'T part of NS with Org Onboarding Permission (see Org object) to create Temp Passwords. + rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime(); + } } } } catch (Exception e) { |