authorInstrumental <jonathan.gathman@att.com>2019-11-27 15:57:10 -0600
committerInstrumental <jonathan.gathman@att.com>2019-11-27 15:57:14 -0600
commitd131f7ed38fd65d7f04b7d71368ba03e9000665c (patch)
treeb7e9d1fa5662251f1f20c0ca79d9c94c8f5b1f54 /auth
parentdb3e010fec901487ca23199566ff205a523f7b45 (diff)
Fixes from Regression Tests
Issue-ID: AAF-1058 Change-Id: I7d3ace9cef69a163c2ec0c9a48583fdfa9ca20af Signed-off-by: Instrumental <jonathan.gathman@att.com>
Diffstat (limited to 'auth')
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java12
-rw-r--r--auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java13
-rw-r--r--auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java16
-rw-r--r--auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java19
-rw-r--r--auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java18
5 files changed, 68 insertions, 10 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
index 1809686a..39578f83 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
@@ -786,11 +786,17 @@ public class Question {
return Result.err(Status.ERR_BadData,
"[%s] cannot be a delegate for self", dd.user);
}
- if (!isUser && !isGranted(trans, trans.user(), ROOT_NS,DELG,
- org.getDomain(), Question.CREATE)) {
- return Result.err(Status.ERR_Denied,
+ if (!isUser) {
+ String supportedDomain = org.supportedDomain(dd.user);
+ if(supportedDomain==null) {
+ return Result.err(Status.ERR_Denied,
+ "[%s] may not create a delegate for the domain for [%s]",
+ trans.user(), dd.user);
+ } else if(!isGranted(trans, trans.user(), ROOT_NS,DELG,supportedDomain,Question.CREATE)) {
+ return Result.err(Status.ERR_Denied,
"[%s] may not create a delegate for [%s]",
trans.user(), dd.user);
+ }
}
break;
case read:
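Review bot: The denial at the new `supportedDomain==null` branch now depends entirely on the Organization's implementation of `supportedDomain`, and the fallback implementation added in Organization.java in this same commit returns `null` for every user, so deployments running that fallback will refuse every non-self delegate creation here; confirm that fail-closed outcome is intended rather than a regression. A short comment above the branch would make the contract explicit for the next reader, e.g. `// null means the Organization does not support the target's domain; deny rather than fall back to org.getDomain()`. The two denial messages differ only in wording while both return ERR_Denied, which is fine for callers but worth keeping consistent with the ERR_BadData self-delegate message just above. The enclosing switch and method start and end outside this hunk.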
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java
index 1a410088..9ef4c00a 100644
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java
@@ -132,11 +132,22 @@ public class Cred extends Cmd {
// IMPORTANT! We do this backward, because it is looking for string
// %1 or %13. If we replace %1 first, that messes up %13
+ String var;
for(int i=vars.size()-1;i>0;--i) {
- text = text.replace("%"+(i+1), (i<10?" ":"") + i+") " + vars.get(i));
+ var = vars.get(i);
+ if(aafcli.isTest()) {
+ int type = var.indexOf("U/P");
+ if(type>0) {
+ var = var.substring(0,type+4) + " XXXX/XX/XX XX:XX UTC XXXXXXXXXXXXXXXXXX";
+ }
+ }
+ text = text.replace("%"+(i+1), (i<10?" ":"") + i+") " + var);
}
text = text.replace("%1",vars.get(0));
+ if(aafcli.isTest()) {
+
+ }
pw().println(text);
} else if (fp.code()==406 && option==1) {
pw().println("You cannot delete this Credential");
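Review bot: The new `if(aafcli.isTest()) { }` block after the `%1` replacement is empty and should be removed; an empty conditional reads as unfinished work and, if masking of `vars.get(0)` was intended there, that is still missing. In the loop, `if(type>0)` skips a `U/P` marker that sits at index 0 because `indexOf` returns 0 in that case; if a leading match is possible the test should be `if(type>=0)`. Naming the local `var` is legal but collides with the reserved type name in Java 10+ and is easy to misread; something like `entry` would be clearer. The enclosing method begins outside this hunk.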
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
index 288d79d3..73093099 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
@@ -95,7 +95,16 @@ public interface Organization {
public void addSupportedRealm(String r);
- public String getDomain();
+ /**
+ * If Supported, returns Realm, ex: org.onap
+ * ELSE returns null
+ *
+ * @param user
+ * @return
+ */
+ public String supportedDomain(String user);
+
+ public String getDomain();
/**
* Get Identity information based on userID
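Review bot: The Javadoc on the new `supportedDomain` method leaves `@param user` and `@return` empty, and the callers added in this commit treat a `null` return as an authorization denial, so that contract deserves to be spelled out. I would write `@param user the identity whose domain is checked, expected in id@domain form` and `@return the supported domain for {@code user} (for example {@code org.onap}), or {@code null} when the Organization does not support that domain; callers treat null as deny`. The same applies to the no-op implementation in the second hunk of this file, which should state that it always returns `null` and therefore denies every domain-scoped check built on it. "If Supported" and "ELSE" in the summary line should also be lower-cased to match the surrounding Javadoc style.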
@@ -420,6 +429,11 @@ public interface Organization {
@Override
public void addSupportedRealm(String r) {
}
+
+ @Override
+ public String supportedDomain(String r) {
+ return null;
+ }
@Override
public String getDomain() {
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
index 46d3db9b..70b3324a 100644
--- a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
@@ -637,6 +637,25 @@ public class DefaultOrg implements Organization {
}
return false;
}
+
+ @Override
+ public String supportedDomain(String user) {
+ if(user!=null) {
+ int after_at = user.indexOf('@')+1;
+ if(after_at<user.length()) {
+ String ud = FQI.reverseDomain(user);
+ if(ud.startsWith(getDomain())) {
+ return getDomain();
+ }
+ for(String s : supportedRealms) {
+ if(ud.startsWith(s)) {
+ return FQI.reverseDomain(s);
+ }
+ }
+ }
+ }
+ return null;
+ }
@Override
public synchronized void addSupportedRealm(final String r) {
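Review bot: The guard `after_at<user.length()` does not actually require an `@`: when the character is absent `indexOf` returns -1, so `after_at` is 0 and any non-empty string passes into the domain match. The `startsWith` comparisons are also plain prefix tests, so a reversed domain such as `org.onapx` satisfies a configured `org.onap`, which widens the set of identities that `supportedDomain` vouches for to callers using it for authorization; a boundary check (`equals` or prefix plus `.`) closes that. Finally the two branches appear to return different forms, `getDomain()` as compared against `ud` versus `FQI.reverseDomain(s)` for a realm that was compared against `ud` in the same form; if `supportedRealms` entries are stored in reversed form, the second branch should return `s` unchanged, so confirm which form the callers expect.
```java
@Override
public String supportedDomain(String user) {
    if(user!=null) {
        int at = user.indexOf('@');
        // require an '@' with a domain after it; indexOf('@')+1 is 0 when absent
        if(at>=0 && at+1<user.length()) {
            String ud = FQI.reverseDomain(user);
            String d = getDomain();
            // boundary-aware match so "org.onapx" does not satisfy "org.onap"
            if(ud.equals(d) || ud.startsWith(d + ".")) {
                return d;
            }
            for(String s : supportedRealms) {
                if(ud.equals(s) || ud.startsWith(s + ".")) {
                    return FQI.reverseDomain(s); // TODO confirm: should agree in form with the getDomain() branch
                }
            }
        }
    }
    return null;
}
```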
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
index 2431e0eb..67410305 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
@@ -2346,10 +2346,11 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
}
switch(action) {
case DELETE:
+ String why;
if(ques.isOwner(trans, user,ns) ||
- ques.isAdmin(trans, user,ns) ||
- ques.isGranted(trans, user, ROOT_NS,"password",company,DELETE)) {
- return Result.ok();
+ ques.isAdmin(trans, user,ns) ||
+ ques.isGranted(trans, user, ROOT_NS,"password",company,DELETE)) {
+ return Result.ok();
}
break;
case RESET:
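Review bot: `String why;` is declared under `case DELETE:` but never assigned or read within the hunk, and because switch cases share one scope it is visible to the `RESET` and later cases as well. If it is used further down in this switch, move the declaration next to that use or brace the case; if not, drop it, since the rest of the hunk is only re-indentation. The enclosing switch continues outside this hunk.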
@@ -2509,13 +2510,16 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
try {
if (firstID) {
// OK, it's a first ID, and not by NS Owner
- if(!ques.isOwner(trans,trans.user(),cdd.ns)) {
+ String user = trans.user();
+ if(!ques.isOwner(trans,user,cdd.ns)) {
// Admins are not allowed to set first Cred, but Org has already
// said entity MAY create, typically by Permission
// We can't know which reason they are allowed here, so we
// have to assume that any with Special Permission would not be
// an Admin.
- if(ques.isAdmin(trans, trans.user(), cdd.ns)) {
+ String domain = org.supportedDomain(user);
+ if((domain!=null && !ques.isGranted(trans, user, ROOT_NS, "mechid", domain, Question.CREATE)) &&
+ ques.isAdmin(trans, user, cdd.ns)) {
return Result.err(Result.ERR_Denied,
"Only Owners may create first passwords in their Namespace. Admins may modify after one exists" );
} else {
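Review bot: The new condition `(domain!=null && !isGranted(...)) && isAdmin(...)` evaluates to false whenever `domain` is null, which sends a non-Owner Admin into the `else` branch and lets them create the first credential, the opposite of what the comment above it states; with an Organization whose `supportedDomain` returns null (the fallback in this commit does), the Admin restriction is bypassed entirely. If the intent is that an Admin is denied unless they hold the `mechid` create permission for a supported domain, the test should be `if(ques.isAdmin(trans, user, cdd.ns) &&` / `(domain==null || !ques.isGranted(trans, user, ROOT_NS, "mechid", domain, Question.CREATE))) {`. The enclosing method starts and ends outside this hunk.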
@@ -3900,6 +3904,10 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
}
final DelegateDAO.Data dd = rd.value;
+
+ if(dd.user.contentEquals(dd.delegate) && !trans.requested(force)) {
+ return Result.err(Status.ERR_InvalidDelegate,dd.user + " cannot delegate to self");
+ }
Result<List<DelegateDAO.Data>> ddr = ques.delegateDAO().read(trans, dd);
if (access==Access.create && ddr.isOKhasData()) {
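Review bot: `dd.user.contentEquals(dd.delegate)` throws a NullPointerException if either field is unset in the incoming data, and this runs before any other validation of `dd`; `Objects.equals(dd.user, dd.delegate)` keeps the same comparison without the crash (if `DelegateDAO.Data` guarantees both non-null, a comment saying so would do). The `!trans.requested(force)` escape also lets a forced request pass here, while the Question.java hunk in this same commit rejects a self-delegate unconditionally with ERR_BadData, so the force flag either has no effect or the two checks disagree; confirm which one is authoritative. The enclosing method starts and ends outside this hunk.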