diff options
author | Instrumental <jgonap@stl.gathman.org> | 2020-01-24 14:47:48 -0600 |
---|---|---|
committer | Instrumental <jgonap@stl.gathman.org> | 2020-01-24 14:47:54 -0600 |
commit | be1edcb6830745015f5de72e820f40f36dd571ad (patch) | |
tree | 65d10e1d54042c072d958cbb00b048553a60f893 /auth | |
parent | 165e298554f06ecd0545df604e11736ebf71566d (diff) |
Fix Agent and CM Issues
Issue-ID: AAF-1067
Signed-off-by: Instrumental <jgonap@stl.gathman.org>
Change-Id: I5508edec3d63b4831d0caddd8303126956bd05a0
Diffstat (limited to 'auth')
-rw-r--r-- | auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java | 6 | ||||
-rw-r--r-- | auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java | 5 | ||||
-rw-r--r-- | auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java | 9 | ||||
-rw-r--r-- | auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java | 3 | ||||
-rw-r--r-- | auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java | 49 | ||||
-rw-r--r-- | auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/LocalCAImpl.java (renamed from auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/LocalCAImpl.java) | 0 | ||||
-rw-r--r-- | auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java | 10 | ||||
-rw-r--r-- | auth/docker/Dockerfile.base | 3 |
8 files changed, 54 insertions, 31 deletions
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java index 8bb0441b..024d9f96 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java @@ -154,7 +154,11 @@ public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> { CA ca = cons.newInstance(pinst); certAuths.put(ca.getName(),ca); } catch (InvocationTargetException e) { - access.log(e, "Loading", segs[0]); + if(e.getLocalizedMessage()==null) { + access.log((Exception)e.getTargetException(), "Loading", segs[0]); + } else { + access.log(e, "Loading", segs[0]); + } } } } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java index 13876b14..275ad549 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java @@ -30,6 +30,7 @@ import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Set; +import java.util.regex.Pattern; import org.bouncycastle.asn1.x500.style.BCStyle; import org.onap.aaf.auth.cm.cert.CSRMeta; @@ -42,6 +43,10 @@ import org.onap.aaf.misc.env.Trans; import org.onap.aaf.misc.env.util.Split; public abstract class CA { + public static final Pattern IPV4_PATTERN = Pattern.compile("\\A(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z"); + public static final Pattern IPV6_PATTERN = Pattern.compile("\\A(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\\z"); + + private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for "; //TODO figuring out what is an Issuing CA is a matter of convention. Consider SubClassing for Open Source public static final String ISSUING_CA = "Issuing CA"; diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java index c2d6701a..f7de90ea 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java @@ -72,7 +72,6 @@ import org.onap.aaf.misc.env.TimeTaken; import org.onap.aaf.misc.env.Trans; public class LocalCA extends CA { - private final static BigInteger ONE = new BigInteger("1"); // Extensions private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] { @@ -226,8 +225,14 @@ public class LocalCA extends CA { // new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded())) ); List<GeneralName> lsan = new ArrayList<>(); + // Email + lsan.add(new GeneralName(GeneralName.rfc822Name,csrmeta.email())); for (String s : csrmeta.sans()) { - lsan.add(new GeneralName(GeneralName.dNSName,s)); + if(IPV4_PATTERN.matcher(s).matches() || IPV6_PATTERN.matcher(s).matches()) { + lsan.add(new GeneralName(GeneralName.iPAddress,s)); + } else { + lsan.add(new GeneralName(GeneralName.dNSName,s)); + } } GeneralName[] sans = new GeneralName[lsan.size()]; lsan.toArray(sans); diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java index 04ba0b89..e0ee0365 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java @@ -75,7 +75,8 @@ public class CSRMeta { if (name==null) { X500NameBuilder xnb = new X500NameBuilder(); xnb.addRDN(BCStyle.CN,cn); - xnb.addRDN(BCStyle.E,email); + // Add as Subject Alternate Name, email + // xnb.addRDN(BCStyle.E,email); if (mechID!=null) { if (environment==null) { xnb.addRDN(BCStyle.OU,mechID); diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index 3130e5b2..900df8a7 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java @@ -93,6 +93,8 @@ public class CMService { private static final String[] NO_NOTES = new String[0]; private final Permission root_read_permission; + private final String aaf_ns; + private final CertDAO certDAO; private final CredDAO credDAO; private final ArtiDAO artiDAO; @@ -114,8 +116,9 @@ public class CMService { this.certManager = certman; + aaf_ns = trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF); root_read_permission=new AAFPermission( - trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF), + aaf_ns, ACCESS, "*", "read" @@ -149,11 +152,15 @@ public class CMService { List<String> notes = null; List<String> fqdns; + boolean dynamic_sans = trans.fish(new AAFPermission(null, ca.getPermType(), ca.getName(),DYNAMIC_SANS)); + boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS)); boolean domain_based = false; - boolean dynamic_sans = false; + // Note: Many Cert Impls require FQDN in "CN=" to be in the SANS as well. Therefore, the "fqdn" variable + // includes main ID plus ADDITIONAL SANS at all times. if(req.value.fqdns.isEmpty()) { fqdns = new ArrayList<>(); + fqdns.add(key); } else { // Only Template or Dynamic permitted to pass in FQDNs if (req.value.fqdns.get(0).startsWith("*")) { // Domain set @@ -163,13 +170,6 @@ public class CMService { return Result.err(Result.ERR_Denied, "Domain based Authorizations (" + req.value.fqdns.get(0) + ") requires Exception"); } - } else { - if(trans.fish(new AAFPermission(null, ca.getPermType(), ca.getName(),DYNAMIC_SANS))) { - dynamic_sans = true; - } else { - return Result.err(Result.ERR_Denied, - "Dynamic SANs for (" + req.value.mechid + ") requires Permission"); - } } fqdns = new ArrayList<>(req.value.fqdns); } @@ -178,15 +178,6 @@ public class CMService { try { Organization org = trans.org(); - - boolean ignoreIPs; - if(allowIgnoreIPs) { - ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS)); - } else { - ignoreIPs = false; - } - - InetAddress primary = null; // Organize incoming information to get to appropriate Artifact if (!fqdns.isEmpty()) { // Passed in FQDNS, validated above @@ -220,7 +211,8 @@ public class CMService { Set<String> potentialSanNames = new HashSet<>(); for (InetAddress ia1 : ias) { InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress()); - if (primary == null && ias.length == 1 && trans.ip().equals(ia1.getHostAddress())) { + String ip = trans.ip(); + if (primary == null && ip.equals(ia1.getHostAddress())) { primary = ia1; } else if (!cn.equals(ia1.getHostName()) && !ia2.getHostName().equals(ia2.getHostAddress())) { @@ -296,16 +288,16 @@ public class CMService { // Policy 3: MechID must be current Identity muser = org.getIdentity(trans, add.mechid); - if (muser == null) { - return Result.err(Result.ERR_Policy, "MechID must exist in %s", org.getName()); + if (muser == null || !muser.isFound()) { + return Result.err(Result.ERR_Policy, "AppID '%s' must exist in %s",add.mechid,org.getName()); } // Policy 4: Sponsor must be current Identity ouser = muser.responsibleTo(); - if (ouser == null) { + if (ouser == null || !ouser.isFound()) { return Result.err(Result.ERR_Policy, "%s does not have a current sponsor at %s", add.mechid, org.getName()); - } else if (!ouser.isFound() || ouser.mayOwn() != null) { + } else if (ouser.mayOwn() != null) { return Result.err(Result.ERR_Policy, "%s reports that %s cannot be responsible for %s", org.getName(), trans.user()); } @@ -327,7 +319,18 @@ public class CMService { trans.user(), mechNS); } + // Policy 8: IP Addresses allowed in Certs only by Permission + if(!trans.fish(new AAFPermission(aaf_ns,CERTMAN, ca.getName(), "ip"))) { + for(String fqdn : fqdns) { + if(CA.IPV4_PATTERN.matcher(fqdn).matches() || CA.IPV6_PATTERN.matcher(fqdn).matches()) { + return Result.err(Status.ERR_Denied, + "Machines include a IP Address. IP Addresses are not allowed except by Permission"); + } + } + } + // Make sure Primary is the first in fqdns + if (fqdns.size() > 1) { for (int i = 0; i < fqdns.size(); ++i) { if (primary==null && !ignoreIPs) { diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/LocalCAImpl.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/LocalCAImpl.java index dbc63ad1..dbc63ad1 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/LocalCAImpl.java +++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/LocalCAImpl.java diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java index f1576c4f..eaa44830 100644 --- a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java +++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java @@ -120,10 +120,14 @@ public class DefaultOrgIdentity implements Identity { @Override public Identity responsibleTo() throws OrganizationException { - if ("".equals(identity.responsibleTo) && isFound()) { // cover the situation of Top Dog... reports to no-one. - return this; + if(isFound()) { + if ("".equals(identity.responsibleTo)) { // cover the situation of Top Dog... reports to no-one. + return this; + } else { + return org.getIdentity(trans, identity.responsibleTo); + } } else { - return org.getIdentity(trans, identity.responsibleTo); + throw new OrganizationException("Identity doesn't exist"); } } diff --git a/auth/docker/Dockerfile.base b/auth/docker/Dockerfile.base index 4874f1aa..4ba4dfab 100644 --- a/auth/docker/Dockerfile.base +++ b/auth/docker/Dockerfile.base @@ -18,7 +18,8 @@ # ============LICENSE_END==================================================== # # Use dbuild.sh input parameter to set registry -FROM ${REGISTRY}/openjdk:8-jre-alpine +#FROM ${REGISTRY}/openjdk:11.0.5-jre-slim +FROM ${REGISTRY}/openjdk:8-jdk-alpine #FROM openjdk:12-jdk-alpine #FROM openjdk:13-jdk-alpine |