diff options
| author |   Instrumental <jonathan.gathman@att.com> | 2018-07-02 21:41:55 -0500 |
|---|---|---|
| committer | Instrumental <jonathan.gathman@att.com> | 2018-07-02 21:42:28 -0500 |
| commit | ca76fbda94492f1b0c895ff0f4070381f17472f0 (patch) | |
| tree | 8180941d2fdc474c282ac5272e014c2f45b7da48 /auth | |
| parent | c060284812fbbc18fcf22eb628c47c251505fe50 (diff) | |
Add ability for BAuth by domain
Issue-ID: AAF-361
Change-Id: I6f437ffcfef5555f44acfb32fd6020f86f8cf403
Signed-off-by: Instrumental <jonathan.gathman@att.com>
Diffstat (limited to 'auth')
6 files changed, 54 insertions, 32 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java index b5fcd690..2c0c054b 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java @@ -66,7 +66,7 @@ public class DirectCertIdentity implements CertIdentity { Result<List<Data>> cresp = certDAO.read(trans, ByteBuffer.wrap(fingerprint)); if(cresp.isOKhasData()) { Data cdata = cresp.value.get(0); - return new X509Principal(cdata.id,cert,certBytes); + return new X509Principal(cdata.id,cert,certBytes,null); } return null; } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index 8d39f540..ea65659a 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java @@ -426,17 +426,24 @@ public class CMService { } // Policy 2: MechID must have valid Organization Owner - Identity ouser = muser.responsibleTo(); - if(ouser == null) { - return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s", - trans.user(),add.mechid,trans.org().getName()); + Identity emailUser; + if(muser.isPerson()) { + emailUser = muser; + } else { + Identity ouser = muser.responsibleTo(); + if(ouser == null) { + return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s", + trans.user(),add.mechid,trans.org().getName()); + } + + // Policy 3: Calling ID must be MechID Owner + if(!trans.user().equals(ouser.fullID())) { + return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s", + trans.user(),add.mechid,trans.org().getName()); + } + emailUser = ouser; } - // Policy 3: Calling ID must be MechID Owner - if(!trans.user().equals(ouser.fullID())) { - return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s", - trans.user(),add.mechid,trans.org().getName()); - } // Policy 4: Renewal Days are between 10 and 60 (constants, may be parameterized) if(add.renewDays<MIN_RENEWAL) { @@ -447,7 +454,7 @@ public class CMService { // Policy 5: If Notify is blank, set to Owner's Email if(add.notify==null || add.notify.length()==0) { - add.notify = "mailto:"+ouser.email(); + add.notify = "mailto:"+emailUser.email(); } // Policy 6: Only do Domain by Exception @@ -462,7 +469,7 @@ public class CMService { } // Set Sponsor from Golden Source - add.sponsor = ouser.fullID(); + add.sponsor = emailUser.fullID(); } catch (OrganizationException e) { diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java index af6c88dc..0c28c7ca 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java @@ -186,4 +186,5 @@ public abstract class AbsService<ENV extends BasicEnv, TRANS extends Trans> exte } return def; } + } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java index 3ae2fbfb..40640007 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java @@ -163,9 +163,9 @@ public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> { try { Object[] atl=new Object[additionalTafLurs.length+2]; atl[0]=new DirectAAFLur(env,question); // Note, this will be assigned by AuthzTransFilter to TrustChecker - atl[1]=new BasicHttpTaf(env, directAAFUserPass, - domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)), - false); + atl[1]= new BasicHttpTaf(env, directAAFUserPass, + domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)), + false); if(additionalTafLurs.length>0) { System.arraycopy(additionalTafLurs, 0, atl, 2, additionalTafLurs.length); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 519721ce..f3207798 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -532,7 +532,6 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS NSS nss = mapper.newInstance(API.NSS); // Note: "loadNamespace" already validates view of Namespace return mapper.nss(trans, rn.value, nss); - } @ApiDoc( diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java index d31c9d01..390c3089 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java @@ -42,9 +42,11 @@ import org.onap.aaf.auth.service.Code; import org.onap.aaf.auth.service.facade.AuthzFacade; import org.onap.aaf.auth.service.mapper.Mapper.API; import org.onap.aaf.cadi.CredVal; +import org.onap.aaf.cadi.CredVal.Type; import org.onap.aaf.cadi.Symm; import org.onap.aaf.cadi.principal.BasicPrincipal; import org.onap.aaf.cadi.principal.X509Principal; +import org.onap.aaf.cadi.taf.basic.BasicHttpTaf; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; @@ -90,23 +92,36 @@ public class API_Creds { // have to check Basic Auth here, because it might be CSP. String authz = req.getHeader("Authorization"); if(authz.startsWith("Basic ")) { - String decoded = Symm.base64noSplit.decode(authz.substring(6)); - int colon = decoded.indexOf(':'); - TimeTaken tt = trans.start("Direct Validation", Env.REMOTE); - try { - if(directAAFUserPass.validate( - decoded.substring(0,colon), - CredVal.Type.PASSWORD , - decoded.substring(colon+1).getBytes(),trans)) { - - resp.setStatus(HttpStatus.OK_200); - } else { - // DME2 at this version crashes without some sort of response - resp.getOutputStream().print(""); - resp.setStatus(HttpStatus.FORBIDDEN_403); + BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf(); + if(bht!=null) { + BasicPrincipal bp = new BasicPrincipal(authz,""); + CredVal cv = bht.getCredVal(bp.getDomain()); + if(cv!=null) { + if(cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) { + resp.setStatus(HttpStatus.OK_200); + } else { + resp.setStatus(HttpStatus.FORBIDDEN_403); + } + } + } else { + String decoded = Symm.base64noSplit.decode(authz.substring(6)); + int colon = decoded.indexOf(':'); + TimeTaken tt = trans.start("Direct Validation", Env.REMOTE); + try { + if(directAAFUserPass.validate( + decoded.substring(0,colon), + CredVal.Type.PASSWORD , + decoded.substring(colon+1).getBytes(),trans)) { + + resp.setStatus(HttpStatus.OK_200); + } else { + // DME2 at this version crashes without some sort of response + resp.getOutputStream().print(""); + resp.setStatus(HttpStatus.FORBIDDEN_403); + } + } finally { + tt.done(); } - } finally { - tt.done(); } } } else if(p == null) { |