authorInstrumental <jonathan.gathman@att.com>2019-06-26 07:05:51 -0500
committerInstrumental <jonathan.gathman@att.com>2019-06-26 07:05:59 -0500
commitba989d05eca8d2a98c51ed9d38c4c3345db23349 (patch)
treeef269eb99c9578559e9b7811c9540c4b04713fef /auth
parente84b431dab21d38cd39119970b7d1fd82efa99f2 (diff)
Changes from Onsite Tests
Issue-ID: AAF-857 Change-Id: I3fbed32ff5b2bb8f05f4f932c8dc2f4012c8b429 Signed-off-by: Instrumental <jonathan.gathman@att.com>
Diffstat (limited to 'auth')
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java35
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java43
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java8
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java1
-rw-r--r--auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java3
-rw-r--r--auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java6
-rw-r--r--auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java35
-rw-r--r--auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Page.java2
-rw-r--r--auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiDocs.java3
-rw-r--r--auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermDetail.java2
-rw-r--r--auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetail.java6
-rw-r--r--auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java45
-rw-r--r--auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java12
13 files changed, 153 insertions, 48 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java
index e31e1e6a..a5fa7a77 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java
@@ -110,6 +110,7 @@ public class RoleDAO extends CassDAOImpl<AuthzTrans,RoleDAO.Data> {
if(ns==null) {
sb.append('.');
} else {
+ sb.append(ns);
sb.append(ns.indexOf('@')<0?'.':':');
}
sb.append(name);
@@ -129,19 +130,29 @@ public class RoleDAO extends CassDAOImpl<AuthzTrans,RoleDAO.Data> {
* @return
*/
public static Result<Data> decode(AuthzTrans trans, Question q, String r) {
- String[] ss = Split.splitTrim('|', r,2);
Data data = new Data();
- if (ss[1]==null) { // older 1 part encoding must be evaluated for NS
- Result<NsSplit> nss = q.deriveNsSplit(trans, ss[0]);
- if (nss.notOK()) {
- return Result.err(nss);
- }
- data.ns=nss.value.ns;
- data.name=nss.value.name;
- } else { // new 4 part encoding
- data.ns=ss[0];
- data.name=ss[1];
- }
+ if(r.indexOf('@')>=0) {
+ int colon = r.indexOf(':');
+ if(colon<0) {
+ return Result.err(Result.ERR_BadData, "%s is not a valid Role",r);
+ } else {
+ data.ns=r.substring(0, colon);
+ data.name=r.substring(++colon);
+ }
+ } else {
+ String[] ss = Split.splitTrim('|', r,2);
+ if (ss[1]==null) { // older 1 part encoding must be evaluated for NS
+ Result<NsSplit> nss = q.deriveNsSplit(trans, ss[0]);
+ if (nss.notOK()) {
+ return Result.err(nss);
+ }
+ data.ns=nss.value.ns;
+ data.name=nss.value.name;
+ } else { // new 4 part encoding
+ data.ns=ss[0];
+ data.name=ss[1];
+ }
+ }
return Result.ok(data);
}
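Review bot: The new '@' branch accepts a colon at index 0 or at the end of `r`, so a value shaped like `user@domain:` (constructed example) decodes to an empty name and `:x` to an empty ns instead of ERR_BadData; tighten the guard to `if (colon <= 0 || colon == r.length() - 1) {`. The line `data.name=r.substring(++colon);` mutates `colon` through a pre-increment for no benefit; `data.name = r.substring(colon + 1);` reads clearly and matches the form used in getPermsByName in Question.java. The same empty-ns/empty-name gap exists in the '@' branch of getPermsByName in this commit. The Javadoc above (its `@return` line is empty) should state that a role containing '@' is decoded as `<ns>:<name>` on the first colon while all other roles go through the `|` split and namespace derivation.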
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
index d40c2ea0..ae6f371b 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
@@ -325,13 +325,22 @@ public class Question {
return permDAO.readByType(trans, nss.value.ns, nss.value.name);
}
- public Result<List<PermDAO.Data>> getPermsByName(AuthzTrans trans,
- String type, String instance, String action) {
- Result<NsSplit> nss = deriveNsSplit(trans, type);
- if (nss.notOK()) {
- return Result.err(nss);
- }
- return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action);
+ public Result<List<PermDAO.Data>> getPermsByName(AuthzTrans trans, String type, String instance, String action) {
+ if(type.indexOf('@') >= 0) {
+ int colon = type.indexOf(':');
+ if(colon>=0) {
+ return permDAO.read(trans, type.substring(0, colon),type.substring(colon+1), instance,action);
+ } else {
+ return Result.err(Result.ERR_BadData, "%s is malformed",type);
+ }
+ } else {
+ Result<NsSplit> nss = deriveNsSplit(trans, type);
+ if (nss.notOK()) {
+ return Result.err(nss);
+ }
+
+ return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action);
+ }
}
public Result<List<PermDAO.Data>> getPermsByRole(AuthzTrans trans, String role, boolean lookup) {
@@ -377,8 +386,14 @@ public class Question {
return Result.ok(perms);
}
- public Result<List<RoleDAO.Data>> getRolesByName(AuthzTrans trans,
- String role) {
+ public Result<List<RoleDAO.Data>> getRolesByName(AuthzTrans trans, String role) {
+ if(role.startsWith(trans.user()) ) {
+ if(role.endsWith(":user")) {
+ return roleDAO.read(trans,trans.user(), "user");
+ } else {
+ return Result.err(Result.ERR_BadData,"%s is a badly formatted role",role);
+ }
+ }
Result<NsSplit> nss = deriveNsSplit(trans, role);
if (nss.notOK()) {
return Result.err(nss);
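Review bot: `role.startsWith(trans.user())` is a loose prefix test: a role such as the caller's id followed by extra characters and `:user` (constructed example) starts with the id and ends with `:user`, so it is answered with the caller's own role instead of being rejected. The Validator.role(user, role) overload added in this commit accepts only `user + ":user"`, so the shortcut should use the same bound: `if (role.startsWith(trans.user() + ':')) {` for the branch and `if (role.equals(trans.user() + ":user")) {` for the read. The same bare startsWith test on the user id appears in mayChange, the ns derivation and the perm-history lookup in AuthzCassServiceImpl, in ServiceValidator.user_role and in RoleDetail.prefix.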
@@ -415,12 +430,7 @@ public class Question {
if (r.isOKhasData()) {
return Result.ok(r.value.get(0));
} else {
- int dot;
- if (child==null) {
- return Result.err(Status.ERR_NsNotFound, "No Namespace");
- } else {
- dot = child.lastIndexOf('.');
- }
+ int dot = child.lastIndexOf('.');
if (dot < 0) {
return Result.err(Status.ERR_NsNotFound, "No Namespace for [%s]", child);
} else {
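Review bot: Dropping the `child == null` guard means a null child now throws a NullPointerException at `int dot = child.lastIndexOf('.');` where the method previously returned ERR_NsNotFound. The start of the enclosing method is outside the hunk, so unless a caller-side null check was introduced that the diff does not show, keep `if (child == null) { return Result.err(Status.ERR_NsNotFound, "No Namespace"); }` ahead of the new line.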
@@ -561,6 +571,9 @@ public class Question {
}
public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user, RoleDAO.Data rdd, Access access) {
+ if(trans.user().equals(rdd.ns)) {
+ return Result.ok((NsDAO.Data)null);
+ }
Result<NsDAO.Data> rnsd = deriveNs(trans, rdd.ns);
if (rnsd.isOK()) {
return mayUser(trans, user, rnsd.value, rdd, access);
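Review bot: The new shortcut grants every `access` level to any role whose ns equals the caller's id, whereas getRolesByName and Validator.role in this same commit only recognise the single `:user` role under a user's id; restrict it to that role, `if (trans.user().equals(rdd.ns) && "user".equals(rdd.name)) {`. It also compares against `trans.user()` while ignoring the `user` parameter, so a caller passing a different user would presumably still be short-circuited on the transaction identity — confirm that is intended. Callers of this method now have to tolerate `Result.ok((NsDAO.Data)null)`; a comment such as `// self-owned role: no namespace to check, value is intentionally null` would make that contract explicit.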
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
index 881c9bea..10da10d9 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
@@ -47,6 +47,7 @@ public abstract class CA {
public static final String ISSUING_CA = "Issuing CA";
public static final String CM_CA_PREFIX = "cm_ca.";
public static final String CM_CA_BASE_SUBJECT = ".baseSubject";
+ public static final String CM_CA_ENV_TAG = ".env_tag";
protected static final String CM_PUBLIC_DIR = "cm_public_dir";
private static final String CM_TRUST_CAS = "cm_trust_cas";
protected static final String CM_BACKUP_CAS = "cm_backup_cas";
@@ -63,12 +64,15 @@ public abstract class CA {
private String[] trustedCAs;
private String[] caIssuerDNs;
private List<RDN> rdns;
+ private final boolean env_tag;
protected CA(Access access, String caName, String env) throws IOException, CertException {
trustedCAs = new String[4]; // starting array
this.name = caName;
this.env = env;
+ this.env_tag = env==null || env.isEmpty()?false:
+ Boolean.parseBoolean(access.getProperty(CM_CA_ENV_TAG, Boolean.FALSE.toString()));
permNS = CM_CA_PREFIX + name;
permType = access.getProperty(permNS + ".perm_type",null);
if (permType==null) {
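Review bot: The env_tag lookup passes the bare suffix `CM_CA_ENV_TAG` (".env_tag") as the property key, while the sibling lookup two lines below uses `permNS + ".perm_type"`, i.e. a `cm_ca.<name>` prefix; if the tag is meant to be configured per CA the key should be `CM_CA_PREFIX + caName + CM_CA_ENV_TAG` — confirm against the deployment properties. The ternary with `||` on its condition is also hard to read, and `env_tag` departs from the camelCase used by the other fields; `this.env_tag = env != null && !env.isEmpty() && Boolean.parseBoolean(access.getProperty(CM_CA_PREFIX + caName + CM_CA_ENV_TAG, Boolean.FALSE.toString()));` is equivalent in logic and self-explanatory.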
@@ -189,6 +193,10 @@ public abstract class CA {
return trustedCAs;
}
+ public boolean shouldAddEnvTag() {
+ return env_tag;
+ }
+
public String getEnv() {
return env;
}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 1f2ee645..1f2b0880 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -297,6 +297,7 @@ public class CMService {
CSRMeta csrMeta;
try {
csrMeta = BCFactory.createCSRMeta(ca, req.value.mechid, email, fqdns);
+ csrMeta.environment(ca.getEnv());
X509andChain x509ac = ca.sign(trans, csrMeta);
if (x509ac == null) {
return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");
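Review bot: `csrMeta.environment(ca.getEnv())` is applied unconditionally, yet the same commit adds `CA.shouldAddEnvTag()` backed by the new `.env_tag` property and nothing in this diff reads it; if the environment tag is meant to be opt-in per CA, gate the call: `if (ca.shouldAddEnvTag()) { csrMeta.environment(ca.getEnv()); }`. The enclosing method continues outside the hunk.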
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java
index 9393e143..6a8ccf1e 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java
@@ -31,7 +31,6 @@ import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.ConcurrentHashMap;
-import java.util.logging.Level;
import org.onap.aaf.misc.env.Env;
import org.onap.aaf.misc.env.Trans;
@@ -153,7 +152,7 @@ public class Cache<TRANS extends Trans, DATA> {
}
if (count>0) {
- env.info().log(Level.INFO, "Cache removed",count,"expired Cached Elements out of", total);
+ env.debug().log("Cache removed",count,"expired Cached Elements out of", total);
}
// If High (total) is reached during this period, increase the number of expired services removed for next time.
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
index a269f24b..37f3b088 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
@@ -131,6 +131,12 @@ public class CachingFileAccess<TRANS extends Trans> extends HttpCode<TRANS, Void
typeMap.put("props", "text/plain");
typeMap.put("jks", "application/octet-stream");
+ // Fonts
+ typeMap.put("ttf","font/ttf");
+ typeMap.put("woff","font/woff");
+ typeMap.put("woff2","font/woff2");
+
+
timer = new Timer("Caching Cleanup",true);
timer.schedule(new Cleanup(content,500),60000,60000);
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java
index 7e861eda..c0f2f530 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java
@@ -143,6 +143,21 @@ public class Validator {
return this;
}
+ public final Validator permTypeWithUser(String user, String type) {
+ if (type==null) {
+ msg("Perm Type is null");
+ } else if (user==null) {
+ msg("User is null");
+ } else {
+ if(!(type.startsWith(user) && type.endsWith(":id"))) {
+ if(nob(type,NAME_CHARS)) {
+ msg("Perm Type [" + type + "] is invalid.");
+ }
+ }
+ }
+ return this;
+ }
+
public final Validator permType(String type, String ns) {
if (type==null) {
msg("Perm Type is null");
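Review bot: The self-owned shortcut skips NAME_CHARS validation for any type that merely starts with `user` and ends with `:id`, so a value with arbitrary characters between the two passes unvalidated; the role(user, role) overload added in the next hunk closes the same gap with a length check and this one should too: `if (!(type.startsWith(user) && type.endsWith(":id") && type.length() == user.length() + 3)) {`. A Javadoc line saying that the only accepted self-owned type is `user + ":id"` and that everything else is checked against NAME_CHARS would help callers such as PermDetail.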
@@ -169,6 +184,26 @@ public class Validator {
return this;
}
+ public final Validator role(String user, String role) {
+ if(role==null) {
+ msg("Role is null");
+ }
+ if(user==null) {
+ msg("User is null");
+ }
+ if(!err()) {
+ if(role.startsWith(user) && role.endsWith(":user")) {
+ if(!(role.length() == user.length() + 5)) {
+ msg("Role [" + role + "] is invalid.");
+ }
+ } else if (nob(role, NAME_CHARS)) {
+ msg("Role [" + role + "] is invalid.");
+ }
+ }
+ return this;
+ }
+
+
public final Validator role(String role) {
if (nob(role, NAME_CHARS)) {
msg("Role [" + role + "] is invalid.");
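Review bot: The length test `if(!(role.length() == user.length() + 5))` expresses the intent indirectly; given the enclosing `startsWith(user) && endsWith(":user")`, it is exactly equivalent to `if (!role.equals(user + ":user")) {`, which says what is being enforced without the magic number. The two null checks above should also return early, since otherwise `!err()` is the only thing preventing the null dereference below — worth a comment, e.g. `// both messages recorded; err() short-circuits the format checks`.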
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Page.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Page.java
index 18ec9f68..243e66b8 100644
--- a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Page.java
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Page.java
@@ -435,7 +435,7 @@ public class Page extends HTMLCacheGen {
selected = false;
}
xgen.incr(HTMLGen.LI,selected?"class=selected":"")
- .incr(HTMLGen.A, "href="+mi[0])
+ .incr(HTMLGen.A, "href="+mi[2])
.text(mi[1])
.end(2);
}
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiDocs.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiDocs.java
index 969505bb..106c3889 100644
--- a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiDocs.java
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiDocs.java
@@ -43,6 +43,7 @@ import org.onap.aaf.cadi.Symm;
import org.onap.aaf.cadi.client.Future;
import org.onap.aaf.cadi.client.Rcli;
import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.misc.env.APIException;
import org.onap.aaf.misc.env.Env;
import org.onap.aaf.misc.env.TimeTaken;
@@ -82,7 +83,7 @@ public class ApiDocs extends Page {
public Preamble(AAF_GUI gui) {
super(false, "preamble");
- fsUrl = gui.access.getProperty("fs_url", "");
+ fsUrl = gui.access.getProperty(Config.AAF_URL_FS, "/theme");
}
@Override
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermDetail.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermDetail.java
index 7bf6447d..4a5a940a 100644
--- a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermDetail.java
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermDetail.java
@@ -88,7 +88,7 @@ public class PermDetail extends Page {
final String pInstance = trans.get(instance, null);
final String pAction = trans.get(action, null);
Validator v = new Validator();
- v.permType(pType)
+ v.permTypeWithUser(trans.user(),pType)
.permInstance(pInstance)
.permAction(pAction);
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetail.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetail.java
index f69f4871..6588de54 100644
--- a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetail.java
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetail.java
@@ -106,7 +106,11 @@ public class RoleDetail extends Page {
public void prefix(final AAF_GUI gui, final AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) {
final String pRole = trans.get(sRoleName, null);
Validator v = new Validator();
- v.role(pRole);
+ if(!v.isNull("Role",pRole).err()) {
+ if(!pRole.startsWith(trans.user())) {
+ v.role(pRole);
+ }
+ }
if (v.err()) {
trans.warn().printf("Error in PermDetail Request: %s", v.errs());
return;
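Review bot: When pRole starts with the caller's id the page now skips validation entirely instead of using the `role(user, role)` overload this commit adds to Validator, which is the one that checks the `:user` suffix and length; replace the inner branch with `v.role(trans.user(), pRole);` so the same rule applies here as in the service. The `isNull` guard can stay as the null check.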
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
index 1d201f9a..8fc2ad52 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
@@ -826,7 +826,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
rdd.ns = pdd.ns;
rdd.name = "user";
- pdd.roles(true).add(rdd.encode());
+ pdd.roles(true).add(rdd.fullName());
Result<PermDAO.Data> rpdd = permDAO.create(trans, pdd);
if(rpdd.notOK()) {
return Result.err(rpdd);
@@ -3087,7 +3087,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
final UserRoleDAO.Data userRole = urr.value;
final ServiceValidator v = new ServiceValidator();
- if (v.user_role(userRole).err() ||
+ if (v.user_role(trans.user(),userRole).err() ||
v.user(trans.org(), userRole.user).err()) {
return Result.err(Status.ERR_BadData,v.errs());
}
@@ -3103,6 +3103,9 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
private Result<NsDAO.Data> nsd;
@Override
public Result<?> mayChange() {
+ if(urr.value.role.startsWith(urr.value.user)) {
+ return Result.ok((NsDAO.Data)null);
+ }
if (nsd==null) {
RoleDAO.Data r = RoleDAO.Data.decode(userRole);
nsd = ques.mayUser(trans, trans.user(), r, Access.write);
@@ -3110,15 +3113,24 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
return nsd;
}
});
- Result<NsDAO.Data> nsr = ques.deriveNs(trans, userRole.role);
- if (nsr.notOKorIsEmpty()) {
- return Result.err(nsr);
+
+ NsDAO.Data ndd;
+ if(userRole.role.startsWith(userRole.user)) {
+ userRole.ns=userRole.user;
+ userRole.rname="user";
+ ndd = null;
+ } else {
+ Result<NsDAO.Data> nsr = ques.deriveNs(trans, userRole.role);
+ if (nsr.notOK()) {
+ return Result.err(nsr);
+ }
+ ndd = nsr.value;
}
switch(fd.status) {
case OK:
Result<String> rfc = func.createFuture(trans, fd.value, userRole.user+'|'+userRole.ns + '.' + userRole.rname,
- userRole.user, nsr.value, FUTURE_OP.C);
+ userRole.user, ndd, FUTURE_OP.C);
if (rfc.isOK()) {
return Result.err(Status.ACC_Future, "UserRole [%s - %s.%s] is saved for future processing",
userRole.user,
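Review bot: `nsr.notOKorIsEmpty()` was relaxed to `nsr.notOK()`, so an OK-but-empty result from deriveNs now yields a null `ndd` exactly like the self-owned branch, and createFuture receives it; whether that method accepts a null namespace is not visible here. If the relaxation is deliberate, say so on the `ndd = null;` line, e.g. `// null ns: self-owned ':user' role, createFuture needs no namespace`; otherwise keep the notOKorIsEmpty guard for the derived case. Note also that `userRole.ns` and `userRole.rname` are overwritten in place on the caller-supplied data, which deserves a comment.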
@@ -3658,16 +3670,21 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
}
// May user see Namespace of Permission (since it's only one piece... we can't check for "is permission part of")
- Result<NsDAO.Data> rnd = ques.deriveNs(trans,type);
- if (rnd.notOK()) {
- return Result.err(rnd);
+ Result<List<HistoryDAO.Data>> resp;
+ if(type.startsWith(trans.user())) {
+ resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm);
+ } else {
+ Result<NsDAO.Data> rnd = ques.deriveNs(trans,type);
+ if (rnd.notOK()) {
+ return Result.err(rnd);
+ }
+ rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
+ if (rnd.notOK()) {
+ return Result.err(rnd);
+ }
+ resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm);
}
- rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
- if (rnd.notOK()) {
- return Result.err(rnd);
- }
- Result<List<HistoryDAO.Data>> resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm);
if (resp.notOK()) {
return Result.err(resp);
}
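Review bot: The `readBySubject` call is duplicated in both branches and only the authorization steps differ; invert the condition to `if (!type.startsWith(trans.user())) {`, keep the deriveNs/mayUser checks inside it, and declare `Result<List<HistoryDAO.Data>> resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm);` once after the block. The self-owned path also deserves a comment explaining why `mayUser` is not consulted, e.g. `// perm types under the caller's own id need no namespace check`. As noted on getRolesByName, the bare prefix test accepts any type beginning with the user id, not only `user + ":id"`.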
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java
index fb7556ed..df8bde8b 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java
@@ -86,7 +86,7 @@ public class ServiceValidator extends Validator {
}
return this;
}
-
+
public ServiceValidator role(RoleDAO.Data pd) {
if (pd==null) {
msg("Role Data is null.");
@@ -219,6 +219,16 @@ public class ServiceValidator extends Validator {
return this;
}
+ public ServiceValidator user_role(String user, UserRoleDAO.Data urdd) {
+ role(user,urdd.role);
+ if(!urdd.role.startsWith(user)) {
+ nullOrBlank("UserRole.ns",urdd.ns);
+ nullOrBlank("UserRole.rname",urdd.rname);
+ }
+ return this;
+ }
+
+
public ServiceValidator user_role(UserRoleDAO.Data urdd) {
if (urdd==null) {
msg("UserRole is null");