path: root/auth
authorInstrumental <jgonap@stl.gathman.org>2020-01-24 14:47:48 -0600
committerInstrumental <jgonap@stl.gathman.org>2020-01-24 14:47:54 -0600
commitbe1edcb6830745015f5de72e820f40f36dd571ad (patch)
tree65d10e1d54042c072d958cbb00b048553a60f893 /auth
parent165e298554f06ecd0545df604e11736ebf71566d (diff)
Fix Agent and CM Issues
Issue-ID: AAF-1067 Signed-off-by: Instrumental <jgonap@stl.gathman.org> Change-Id: I5508edec3d63b4831d0caddd8303126956bd05a0
Diffstat (limited to 'auth')
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java6
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java5
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java9
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java3
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java49
-rw-r--r--auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/LocalCAImpl.java (renamed from auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/LocalCAImpl.java)0
-rw-r--r--auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java10
-rw-r--r--auth/docker/Dockerfile.base3
8 files changed, 54 insertions, 31 deletions
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
index 8bb0441b..024d9f96 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
@@ -154,7 +154,11 @@ public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
CA ca = cons.newInstance(pinst);
certAuths.put(ca.getName(),ca);
} catch (InvocationTargetException e) {
- access.log(e, "Loading", segs[0]);
+ if(e.getLocalizedMessage()==null) {
+ access.log((Exception)e.getTargetException(), "Loading", segs[0]);
+ } else {
+ access.log(e, "Loading", segs[0]);
+ }
}
}
}
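Review bot: The cast `(Exception)e.getTargetException()` on the new line throws ClassCastException when the reflectively invoked CA constructor failed with an Error (a linkage or static-initializer failure is plausible when loading CA classes by name), and that exception escapes the catch block and aborts loading of every remaining CA. The wrapper's cause is also discarded whenever `getLocalizedMessage()` is non-null. Safer: `Throwable cause = e.getCause(); access.log(cause instanceof Exception ? (Exception)cause : e, "Loading", segs[0]);` so an Error still falls back to logging the wrapper instead of crashing. The enclosing method begins outside the hunk.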
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
index 13876b14..275ad549 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
@@ -30,6 +30,7 @@ import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
+import java.util.regex.Pattern;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.onap.aaf.auth.cm.cert.CSRMeta;
@@ -42,6 +43,10 @@ import org.onap.aaf.misc.env.Trans;
import org.onap.aaf.misc.env.util.Split;
public abstract class CA {
+ public static final Pattern IPV4_PATTERN = Pattern.compile("\\A(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z");
+ public static final Pattern IPV6_PATTERN = Pattern.compile("\\A(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\\z");
+
+
private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for ";
//TODO figuring out what is an Issuing CA is a matter of convention. Consider SubClassing for Open Source
public static final String ISSUING_CA = "Issuing CA";
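Review bot: `IPV6_PATTERN` accepts only the fully expanded eight-group form, so compressed literals such as `::1`, `fe80::1` or `2001:db8::` do not match; both the SAN typing in LocalCA and the Policy 8 denial in CMService key off this constant, so such an address would be emitted as a dNSName and would slip past the "IP Addresses are not allowed except by Permission" check. Since a DNS name can never contain a colon, `s.indexOf(':') >= 0` is a complete discriminator for the IPv6 case; alternatively use a pattern that covers `::` compression, zone ids and embedded IPv4. Document the intent on the constant, e.g. `/** Matches any IPv6 literal; anything with a colon is not a DNS name. */`.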
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
index c2d6701a..f7de90ea 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
@@ -72,7 +72,6 @@ import org.onap.aaf.misc.env.TimeTaken;
import org.onap.aaf.misc.env.Trans;
public class LocalCA extends CA {
-
private final static BigInteger ONE = new BigInteger("1");
// Extensions
private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] {
@@ -226,8 +225,14 @@ public class LocalCA extends CA {
// new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded()))
);
List<GeneralName> lsan = new ArrayList<>();
+ // Email
+ lsan.add(new GeneralName(GeneralName.rfc822Name,csrmeta.email()));
for (String s : csrmeta.sans()) {
- lsan.add(new GeneralName(GeneralName.dNSName,s));
+ if(IPV4_PATTERN.matcher(s).matches() || IPV6_PATTERN.matcher(s).matches()) {
+ lsan.add(new GeneralName(GeneralName.iPAddress,s));
+ } else {
+ lsan.add(new GeneralName(GeneralName.dNSName,s));
+ }
}
GeneralName[] sans = new GeneralName[lsan.size()];
lsan.toArray(sans);
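Review bot: `lsan.add(new GeneralName(GeneralName.rfc822Name,csrmeta.email()))` is unconditional; nothing in the hunk establishes that `email()` is non-null and non-empty, and BouncyCastle rejects a null IA5String while an empty rfc822Name yields a malformed SAN. Guard it: `String email = csrmeta.email(); if (email != null && !email.isEmpty()) { lsan.add(new GeneralName(GeneralName.rfc822Name, email)); }`. The new branch also inherits the narrow `IPV6_PATTERN`, so a compressed IPv6 literal falls into the dNSName branch and produces a certificate with a bogus DNS SAN; BouncyCastle's `iPAddress` constructor itself understands compressed form, so widening the test (e.g. `s.indexOf(':') >= 0`) is safe. The enclosing method starts before the hunk.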
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
index 04ba0b89..e0ee0365 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
@@ -75,7 +75,8 @@ public class CSRMeta {
if (name==null) {
X500NameBuilder xnb = new X500NameBuilder();
xnb.addRDN(BCStyle.CN,cn);
- xnb.addRDN(BCStyle.E,email);
+ // Add as Subject Alternate Name, email
+ // xnb.addRDN(BCStyle.E,email);
if (mechID!=null) {
if (environment==null) {
xnb.addRDN(BCStyle.OU,mechID);
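Review bot: The commented-out `// xnb.addRDN(BCStyle.E,email);` should be deleted rather than kept; dead code in a Subject builder invites someone to re-enable it, and the intent is better recorded as a why-comment, e.g. `// Email is carried as an rfc822Name SAN (see LocalCA), not as a Subject E= RDN`. Note that this changes the issued Subject DN for every CSR, which matters to any relying party or ACL that matched on `E=`; that deserves a sentence in the commit message or release notes. The enclosing method begins outside the hunk.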
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 3130e5b2..900df8a7 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -93,6 +93,8 @@ public class CMService {
private static final String[] NO_NOTES = new String[0];
private final Permission root_read_permission;
+ private final String aaf_ns;
+
private final CertDAO certDAO;
private final CredDAO credDAO;
private final ArtiDAO artiDAO;
@@ -114,8 +116,9 @@ public class CMService {
this.certManager = certman;
+ aaf_ns = trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF);
root_read_permission=new AAFPermission(
- trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF),
+ aaf_ns,
ACCESS,
"*",
"read"
@@ -149,11 +152,15 @@ public class CMService {
List<String> notes = null;
List<String> fqdns;
+ boolean dynamic_sans = trans.fish(new AAFPermission(null, ca.getPermType(), ca.getName(),DYNAMIC_SANS));
+ boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
boolean domain_based = false;
- boolean dynamic_sans = false;
+ // Note: Many Cert Impls require FQDN in "CN=" to be in the SANS as well. Therefore, the "fqdn" variable
+ // includes main ID plus ADDITIONAL SANS at all times.
if(req.value.fqdns.isEmpty()) {
fqdns = new ArrayList<>();
+ fqdns.add(key);
} else {
// Only Template or Dynamic permitted to pass in FQDNs
if (req.value.fqdns.get(0).startsWith("*")) { // Domain set
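Review bot: `ignoreIPs` is now granted solely by the IGNORE_IPS permission; the `allowIgnoreIPs` configuration gate that previously also had to be true is deleted later in this diff, so a deployment that disabled the feature by configuration now relies on permission hygiene alone. If that is intended, the field should be removed and the behavior documented; otherwise restore the conjunction: `boolean ignoreIPs = allowIgnoreIPs && trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));`. The comment "Only Template or Dynamic permitted to pass in FQDNs" also no longer describes the code once the dynamic-SAN denial below is gone. The enclosing method starts outside the hunk.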
@@ -163,13 +170,6 @@ public class CMService {
return Result.err(Result.ERR_Denied,
"Domain based Authorizations (" + req.value.fqdns.get(0) + ") requires Exception");
}
- } else {
- if(trans.fish(new AAFPermission(null, ca.getPermType(), ca.getName(),DYNAMIC_SANS))) {
- dynamic_sans = true;
- } else {
- return Result.err(Result.ERR_Denied,
- "Dynamic SANs for (" + req.value.mechid + ") requires Permission");
- }
}
fqdns = new ArrayList<>(req.value.fqdns);
}
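Review bot: The removed else-branch was the only visible place where a request carrying explicit, non-wildcard `fqdns` was denied without the DYNAMIC_SANS permission; after this hunk `fqdns = new ArrayList<>(req.value.fqdns)` runs for any caller and `dynamic_sans` is merely recorded. Unless the flag is enforced further down (outside the hunk), this is an authorization weakening: any mechid could request SANs for arbitrary hosts. If artifact ownership and Policy 8 are meant to be the gate, say so in a comment where the flag is computed; otherwise restore the denial, e.g. `if (!dynamic_sans) { return Result.err(Result.ERR_Denied, "Dynamic SANs for (" + req.value.mechid + ") requires Permission"); }`. The enclosing method starts outside the hunk.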
@@ -178,15 +178,6 @@ public class CMService {
try {
Organization org = trans.org();
-
- boolean ignoreIPs;
- if(allowIgnoreIPs) {
- ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
- } else {
- ignoreIPs = false;
- }
-
-
InetAddress primary = null;
// Organize incoming information to get to appropriate Artifact
if (!fqdns.isEmpty()) { // Passed in FQDNS, validated above
@@ -220,7 +211,8 @@ public class CMService {
Set<String> potentialSanNames = new HashSet<>();
for (InetAddress ia1 : ias) {
InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress());
- if (primary == null && ias.length == 1 && trans.ip().equals(ia1.getHostAddress())) {
+ String ip = trans.ip();
+ if (primary == null && ip.equals(ia1.getHostAddress())) {
primary = ia1;
} else if (!cn.equals(ia1.getHostName())
&& !ia2.getHostName().equals(ia2.getHostAddress())) {
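Review bot: `String ip = trans.ip();` is loop-invariant and is recomputed for every address; hoist it above the `for` and guard against a null return before `ip.equals(...)`. Comparing textual forms is also fragile for IPv6: the transport address may be `::ffff:a.b.c.d` or carry a zone id while `getHostAddress()` is canonical, so `InetAddress.getByName(ip).equals(ia1)` (a literal, hence no DNS lookup) is the more reliable comparison. Dropping `ias.length == 1` means the caller's own address now wins as primary among multi-homed results, which looks intended but deserves a one-line comment. The enclosing method starts outside the hunk.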
@@ -296,16 +288,16 @@ public class CMService {
// Policy 3: MechID must be current
Identity muser = org.getIdentity(trans, add.mechid);
- if (muser == null) {
- return Result.err(Result.ERR_Policy, "MechID must exist in %s", org.getName());
+ if (muser == null || !muser.isFound()) {
+ return Result.err(Result.ERR_Policy, "AppID '%s' must exist in %s",add.mechid,org.getName());
}
// Policy 4: Sponsor must be current
Identity ouser = muser.responsibleTo();
- if (ouser == null) {
+ if (ouser == null || !ouser.isFound()) {
return Result.err(Result.ERR_Policy, "%s does not have a current sponsor at %s", add.mechid,
org.getName());
- } else if (!ouser.isFound() || ouser.mayOwn() != null) {
+ } else if (ouser.mayOwn() != null) {
return Result.err(Result.ERR_Policy, "%s reports that %s cannot be responsible for %s",
org.getName(), trans.user());
}
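Review bot: The context line `"%s reports that %s cannot be responsible for %s"` at the end of the hunk has three placeholders but only two arguments (`org.getName(), trans.user()`), and `trans.user()` is the requester rather than the sponsor the policy is about; if `Result.err` formats with `String.format` this throws MissingFormatArgumentException, otherwise it emits a truncated message. The defect is pre-existing but sits in the Policy 4 branch this commit rewrites, so fix it here: `org.getName(), ouser.id(), add.mechid` (or whichever accessor names the sponsor; not visible in the hunk). The enclosing method starts outside the hunk.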
@@ -327,7 +319,18 @@ public class CMService {
trans.user(), mechNS);
}
+ // Policy 8: IP Addresses allowed in Certs only by Permission
+ if(!trans.fish(new AAFPermission(aaf_ns,CERTMAN, ca.getName(), "ip"))) {
+ for(String fqdn : fqdns) {
+ if(CA.IPV4_PATTERN.matcher(fqdn).matches() || CA.IPV6_PATTERN.matcher(fqdn).matches()) {
+ return Result.err(Status.ERR_Denied,
+ "Machines include a IP Address. IP Addresses are not allowed except by Permission");
+ }
+ }
+ }
+
// Make sure Primary is the first in fqdns
+
if (fqdns.size() > 1) {
for (int i = 0; i < fqdns.size(); ++i) {
if (primary==null && !ignoreIPs) {
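Review bot: Policy 8 uses the bare literal `"ip"` as the permission action while the neighbouring checks use named constants (`DYNAMIC_SANS`, `IGNORE_IPS`); declare `private static final String IP = "ip";` so the action name appears once and is grep-able alongside the others. The denial returns `Status.ERR_Denied` whereas the other denials in this method return `Result.ERR_Denied`; use one form. The check also inherits `CA.IPV6_PATTERN`'s expanded-form-only matching, so a compressed IPv6 literal such as `2001:db8::1` passes Policy 8 without the permission; fix the pattern or additionally test `fqdn.indexOf(':') >= 0`. Minor: "a IP Address" should read "an IP address", and the blank line added after `// Make sure Primary is the first in fqdns` separates the comment from the code it describes. The enclosing method starts outside the hunk.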
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/LocalCAImpl.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/LocalCAImpl.java
index dbc63ad1..dbc63ad1 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/LocalCAImpl.java
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/LocalCAImpl.java
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
index f1576c4f..eaa44830 100644
--- a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
@@ -120,10 +120,14 @@ public class DefaultOrgIdentity implements Identity {
@Override
public Identity responsibleTo() throws OrganizationException {
- if ("".equals(identity.responsibleTo) && isFound()) { // cover the situation of Top Dog... reports to no-one.
- return this;
+ if(isFound()) {
+ if ("".equals(identity.responsibleTo)) { // cover the situation of Top Dog... reports to no-one.
+ return this;
+ } else {
+ return org.getIdentity(trans, identity.responsibleTo);
+ }
} else {
- return org.getIdentity(trans, identity.responsibleTo);
+ throw new OrganizationException("Identity doesn't exist");
}
}
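Review bot: The new `throw new OrganizationException("Identity doesn't exist")` carries no identifier, so a caller walking a sponsor chain cannot tell which identity was missing; include the id this object wraps, e.g. `throw new OrganizationException("Identity '" + id() + "' doesn't exist");` using whatever accessor `DefaultOrgIdentity` exposes (not visible here). Callers that previously received a not-found Identity now get an exception; CMService's Policy 4 guards with `isFound()` first, but every other caller of `responsibleTo()` should be checked for this behavior change. Add a Javadoc line to the method: `@throws OrganizationException if this identity is not found in the organization`.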
diff --git a/auth/docker/Dockerfile.base b/auth/docker/Dockerfile.base
index 4874f1aa..4ba4dfab 100644
--- a/auth/docker/Dockerfile.base
+++ b/auth/docker/Dockerfile.base
@@ -18,7 +18,8 @@
# ============LICENSE_END====================================================
#
# Use dbuild.sh input parameter to set registry
-FROM ${REGISTRY}/openjdk:8-jre-alpine
+#FROM ${REGISTRY}/openjdk:11.0.5-jre-slim
+FROM ${REGISTRY}/openjdk:8-jdk-alpine
#FROM openjdk:12-jdk-alpine
#FROM openjdk:13-jdk-alpine
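Review bot: Switching the runtime base from `8-jre-alpine` to `8-jdk-alpine` ships the compiler and JDK tooling into a production auth container, enlarging the image and its CVE surface; if a JDK-only tool is required at runtime, name it in a comment (`# jdk needed for <tool>`), otherwise stay on a JRE image. The `openjdk:*-alpine` tags were not maintained upstream for long after this date (verify against the registry), so pinning by digest (`openjdk:8-jre-alpine@sha256:...`) and tracking a supported image is advisable. Delete the commented-out `FROM` alternatives instead of accumulating them.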