diff options
| author |   Sai Gandham <sai.gandham@att.com> | 2019-07-12 22:26:30 +0000 |
|---|---|---|
| committer |   Gerrit Code Review <gerrit@onap.org> | 2019-07-12 22:26:30 +0000 |
| commit | f918e038f8f4eea2fb879edf704683877bc19849 (patch) | |
| tree | 6eb10de329001f74401e8d2cae1fa33a35079d19 /auth | |
| parent | 3c06c9887d6f88524f06b46f2593f6eef640826b (diff) | |
| parent | 1338680ef142f9a33ee32a00b07c7d2ae658cb3a (diff) | |
Merge "Adjust Agent for none K8s"
Diffstat (limited to 'auth')
10 files changed, 162 insertions, 92 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java index 37501967..d64cff29 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java @@ -265,6 +265,16 @@ public class CredDAO extends CassDAOImpl<AuthzTrans,CredDAO.Data> { hd.memo = memo ? String.format("%s by %s", override[0], hd.user) : (modified.name() + "d credential for " + data.id); + String spacer = ": "; + if(data.notes!=null) { + hd.memo+=spacer + data.notes; + spacer = ", "; + } + + if(data.tag!=null) { + hd.memo+=spacer + data.tag; + } + // Detail? if (modified==CRUD.delete) { try { diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index 3abad1a5..22b14cb4 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java @@ -1178,9 +1178,9 @@ public class Question { } public boolean isAdmin(AuthzTrans trans, String user, String ns) { - Date now = new Date(); Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_ADMIN); if (rur.isOKhasData()) { + Date now = new Date(); for (UserRoleDAO.Data urdd : rur.value){ if (urdd.expires.after(now)) { return true; @@ -1192,8 +1192,8 @@ public class Question { public boolean isOwner(AuthzTrans trans, String user, String ns) { Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_OWNER); - Date now = new Date(); if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){ + Date now = new Date(); if (urdd.expires.after(now)) { return true; } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index 1f2b0880..85424de1 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java @@ -60,6 +60,7 @@ import org.onap.aaf.auth.org.Organization.Identity; import org.onap.aaf.auth.org.OrganizationException; import org.onap.aaf.cadi.Hash; import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.configure.Factory; @@ -88,6 +89,7 @@ public class CMService { private final CredDAO credDAO; private final ArtiDAO artiDAO; private AAF_CM certManager; + private Boolean allowIgnoreIPs; // @SuppressWarnings("unchecked") public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException { @@ -108,6 +110,10 @@ public class CMService { "*", "read" ); + allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false")); + if(allowIgnoreIPs) { + trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS); + } } public Result<CertResp> requestCert(final AuthzTrans trans, final Result<CertReq> req, final CA ca) { @@ -133,7 +139,13 @@ public class CMService { try { Organization org = trans.org(); - boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS)); + boolean ignoreIPs; + if(allowIgnoreIPs) { + ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS)); + } else { + ignoreIPs = false; + } + InetAddress primary = null; // Organize incoming information to get to appropriate Artifact @@ -164,8 +176,8 @@ public class CMService { } } else { - for (String cn : req.value.fqdns) { - if (!ignoreIPs) { + if (!ignoreIPs) { + for (String cn : req.value.fqdns) { try { InetAddress[] ias = InetAddress.getAllByName(cn); Set<String> potentialSanNames = new HashSet<>(); diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java index 8fcea294..01d001fd 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java @@ -94,10 +94,6 @@ public class AAFcli { this(access,new AuthzEnv(access.getProperties()),wtr,hman, si,ss); } - public AuthzEnv env() { - return env; - } - public AAFcli(Access access, AuthzEnv env, Writer wtr, HMangr hman, SecurityInfoC<HttpURLConnection> si, SecuritySetter<HttpURLConnection> ss) throws APIException { this.env = env; this.access = access; @@ -127,7 +123,11 @@ public class AAFcli { cmds.add(new Mgmt(this)); } - public static int timeout() { + public AuthzEnv env() { + return env; + } + + public static int timeout() { return TIMEOUT; } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java index add5aed8..e1252d87 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java @@ -26,6 +26,7 @@ import java.util.Comparator; import org.onap.aaf.auth.cmd.BaseCmd; import org.onap.aaf.auth.cmd.DeprecatedCMD; +import org.onap.aaf.auth.common.Define; import org.onap.aaf.cadi.client.Future; import org.onap.aaf.misc.env.util.Chrono; @@ -162,15 +163,8 @@ public class List extends BaseCmd<NS> { if ((type=u.getType())==null) { type = 9999; } - switch(type) { - case 0: return "NoCrd"; - case 1: return "U/P"; - case 2: return "U/P2"; - case 10: return "FQI"; - case 200: return "x509"; - default: - return "n/a"; - } + return Define.getCredType(type); } + } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java index 1dfcc17f..2d626d4e 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java @@ -122,7 +122,7 @@ public class Cred extends Cmd { pw().println(']'); } else if (fp.code()==202) { pw().println("Credential Action Accepted, but requires Approvals before actualizing"); - } else if (fp.code()==300) { + } else if (fp.code()==300 || fp.code()==406) { Error err = em.getError(fp); String text = err.getText(); List<String> vars = err.getVariables(); diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java index 46d5d052..71d61f79 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java @@ -35,7 +35,6 @@ import org.onap.aaf.misc.env.APIException; import aaf.v2_0.CredRequest; public class ID extends Cmd { - public static final String ATTEMPT_FAILED_SPECIFICS_WITHELD = "Attempt Failed. Specifics witheld."; private static final String CRED_PATH = "/authn/cred"; private static final String[] options = {"add","del"}; public ID(User parent) { @@ -98,7 +97,7 @@ public class ID extends Cmd { } else if (fp.code()==406 && option==1) { pw().println("FQI does not exist"); } else { - pw().println(ATTEMPT_FAILED_SPECIFICS_WITHELD); + pw().println(Cred.ATTEMPT_FAILED_SPECIFICS_WITHELD); } return fp.code(); } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java index 7daa51fb..444a82ab 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java @@ -48,7 +48,6 @@ public class List extends BaseCmd<User> { void report(Users users, boolean count, String ... str) { reportHead(str); - int idx = 0; java.util.List<aaf.v2_0.Users.User> sorted = users.getUser(); Collections.sort(sorted, (Comparator<aaf.v2_0.Users.User>) (u1, u2) -> { if (u1==null || u2 == null) { @@ -56,11 +55,11 @@ public class List extends BaseCmd<User> { } return u1.getId().compareTo(u2.getId()); }); - String format = reportColHead("%-48s %-5s %-11s %-16s\n","User","Type","Expires","Tag"); + String format = reportColHead("%-36s %-5s %-20s %-16s\n","User","Type","Expires","Tag"); String date = "XXXX-XX-XX"; for (aaf.v2_0.Users.User user : sorted) { if (!aafcli.isTest()) { - date = Chrono.dateOnlyStamp(user.getExpires()); + date = Chrono.niceUTCStamp(user.getExpires()); } String tag=user.getTag(); Integer type = user.getType(); @@ -70,7 +69,7 @@ public class List extends BaseCmd<User> { tag = "\n\tfingerprint: " + tag; } pw().format(format, - count? (Integer.valueOf(++idx) + ") " + user.getId()): user.getId(), + user.getId(), org.onap.aaf.auth.cmd.ns.List.getType(user), date, tag); diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java index e9c36017..800a8472 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java @@ -24,8 +24,8 @@ package org.onap.aaf.auth.common; import java.util.Map.Entry; import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.config.Config; public class Define { @@ -91,4 +91,16 @@ public class Define { return initialized; } + public static String getCredType(int type) { + switch(type) { + case 0: return "NoCrd"; + case 1: return "U/P"; + case 2: return "U/P2"; + case 10: return "FQI"; + case 200: return "x509"; + default: + return "n/a"; + } + } + } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 9a6ef7e3..295db4ac 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -2821,7 +2821,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE //Need to do the "Pick Entry" mechanism // Note, this sorts - Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, lcdd, "extend"); + Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, lcdd, MayChangeCred.EXTEND); if (ri.notOK()) { return Result.err(ri); } @@ -2835,8 +2835,11 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE cd.type = found.type; cd.ns = found.ns; cd.notes = "Extended"; - cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime(); cd.tag = found.tag; + cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime(); + if(cd.expires.before(found.expires)) { + return Result.err(Result.ERR_BadData,String.format("Credential's expiration date is more than %s days in the future",days)); + } cred = ques.credDAO().create(trans, cd); if (cred.isOK()) { @@ -2887,63 +2890,72 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } boolean isLastCred = rlcd.value.size()==1; - int entry = -1; - int fentry = entry; - if(cred.value.type==CredDAO.FQI) { - entry = -1; - for(CredDAO.Data cdd : rlcd.value) { - ++fentry; - if(cdd.type == CredDAO.FQI) { - entry = fentry; - break; - } + int entry; + CredRequest cr = (CredRequest)from; + if(isLastCred) { + if(cr.getEntry()==null || "1".equals(cr.getEntry())) { + entry = 0; + } else { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); } } else { - if (!doForce) { - if (rlcd.value.size() > 1) { - CredRequest cr = (CredRequest)from; - String inputOption = cr.getEntry(); - if (inputOption == null) { - List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); - String message = selectCredFromList(list, MayChangeCred.DELETE); - Object[] variables = buildVariables(list); - return Result.err(Status.ERR_ChoiceNeeded, message, variables); - } else { - try { - if (inputOption.length()>5) { // should be a date - Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); - for (CredDAO.Data cd : rlcd.value) { - ++fentry; - if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { - entry = fentry; - break; - } - } - } else { - entry = Integer.parseInt(inputOption) - 1; - int count = 0; - for (CredDAO.Data cd : rlcd.value) { - if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { - ++entry; - } - if(++count>entry) { - break; - } - } - } - } catch (NullPointerException e) { - return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); - } catch (NumberFormatException e) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - isLastCred = (entry==-1)?true:false; - } else { - isLastCred = true; - } - if (entry < -1 || entry >= rlcd.value.size()) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } + entry = -1; + int fentry = entry; + if(cred.value.type==CredDAO.FQI) { + entry = -1; + for(CredDAO.Data cdd : rlcd.value) { + ++fentry; + if(cdd.type == CredDAO.FQI) { + entry = fentry; + break; + } + } + } else { + if (!doForce) { + if (rlcd.value.size() > 1) { + String inputOption = cr.getEntry(); + if (inputOption == null) { + List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); + String message = selectCredFromList(list, MayChangeCred.DELETE); + Object[] variables = buildVariables(list); + return Result.err(Status.ERR_ChoiceNeeded, message, variables); + } else { + try { + if (inputOption.length()>5) { // should be a date + Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); + for (CredDAO.Data cd : rlcd.value) { + ++fentry; + if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { + entry = fentry; + break; + } + } + } else { + entry = Integer.parseInt(inputOption) - 1; + int count = 0; + for (CredDAO.Data cd : rlcd.value) { + if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { + ++entry; + } + if(++count>entry) { + break; + } + } + } + } catch (NullPointerException e) { + return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); + } catch (NumberFormatException e) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } + isLastCred = (entry==-1)?true:false; + } else { + isLastCred = true; + } + if (entry < -1 || entry >= rlcd.value.size()) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } } } @@ -3020,6 +3032,32 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE Object[] variables = buildVariables(lcd); return Result.err(Status.ERR_ChoiceNeeded, message, variables); } else { + if(MayChangeCred.EXTEND.equals(action)) { + // might be Tag + if(inputOption.length()>4) { //Tag is at least 12 + int e = 0; + CredDAO.Data last = null; + int lastIdx = -1; + for(CredDAO.Data cdd : lcd) { + if(inputOption.equals(cdd.tag)) { + if(last==null) { + last = cdd; + lastIdx = e; + } else { + if(last.expires.before(cdd.expires)) { + last = cdd; + lastIdx = e; + } + } + } + ++e; + } + if(last!=null) { + return Result.ok(lastIdx); + } + return Result.err(Status.ERR_BadData, "User chose unknown Tag"); + } + } entry = Integer.parseInt(inputOption) - 1; } if (entry < 0 || entry >= lcd.size()) { @@ -3040,20 +3078,23 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } } } + Collections.sort(rv, (o1,o2) -> { + if(o1.type==o2.type) { + return o1.expires.compareTo(o2.expires); + } else { + return o1.type.compareTo(o2.type); + } + }); return rv; } private String[] buildVariables(List<CredDAO.Data> value) { - // ensure credentials are sorted so we can fully automate Cred regression test - Collections.sort(value, (cred1, cred2) -> - cred1.type==cred2.type?cred2.expires.compareTo(cred1.expires): - cred1.type<cred2.type?-1:1); String [] vars = new String[value.size()]; CredDAO.Data cdd; for (int i = 0; i < value.size(); i++) { cdd = value.get(i); - vars[i] = cdd.id + TWO_SPACE + cdd.type + TWO_SPACE + (cdd.type<10?TWO_SPACE:"")+ cdd.expires + TWO_SPACE + cdd.tag; + vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag; } return vars; } @@ -3070,12 +3111,15 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE for (int i = 0; i < numSpaces; i++) { errMessage.append(' '); } - errMessage.append(" Type Expires Tag " + '\n'); + errMessage.append(" Type Expires Tag " + '\n'); for (int i=0;i<value.size();++i) { errMessage.append(" %s\n"); } - errMessage.append("Run same command again with chosen entry as last parameter"); - + if(MayChangeCred.EXTEND.equals(action)) { + errMessage.append("Run same command again with chosen entry or Tag as last parameter"); + } else { + errMessage.append("Run same command again with chosen entry as last parameter"); + } return errMessage.toString(); } |