summaryrefslogtreecommitdiffstats
path: root/auth
diff options
context:
space:
mode:
authorInstrumental <jonathan.gathman@att.com>2018-07-02 21:41:55 -0500
committerInstrumental <jonathan.gathman@att.com>2018-07-02 21:42:28 -0500
commitca76fbda94492f1b0c895ff0f4070381f17472f0 (patch)
tree8180941d2fdc474c282ac5272e014c2f45b7da48 /auth
parentc060284812fbbc18fcf22eb628c47c251505fe50 (diff)
Add ability for BAuth by domain
Issue-ID: AAF-361 Change-Id: I6f437ffcfef5555f44acfb32fd6020f86f8cf403 Signed-off-by: Instrumental <jonathan.gathman@att.com>
Diffstat (limited to 'auth')
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java2
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java29
-rw-r--r--auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java1
-rw-r--r--auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java6
-rw-r--r--auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java1
-rw-r--r--auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java47
6 files changed, 54 insertions, 32 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
index b5fcd690..2c0c054b 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
@@ -66,7 +66,7 @@ public class DirectCertIdentity implements CertIdentity {
Result<List<Data>> cresp = certDAO.read(trans, ByteBuffer.wrap(fingerprint));
if(cresp.isOKhasData()) {
Data cdata = cresp.value.get(0);
- return new X509Principal(cdata.id,cert,certBytes);
+ return new X509Principal(cdata.id,cert,certBytes,null);
}
return null;
}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 8d39f540..ea65659a 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -426,17 +426,24 @@ public class CMService {
}
// Policy 2: MechID must have valid Organization Owner
- Identity ouser = muser.responsibleTo();
- if(ouser == null) {
- return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
- trans.user(),add.mechid,trans.org().getName());
+ Identity emailUser;
+ if(muser.isPerson()) {
+ emailUser = muser;
+ } else {
+ Identity ouser = muser.responsibleTo();
+ if(ouser == null) {
+ return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
+ trans.user(),add.mechid,trans.org().getName());
+ }
+
+ // Policy 3: Calling ID must be MechID Owner
+ if(!trans.user().equals(ouser.fullID())) {
+ return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
+ trans.user(),add.mechid,trans.org().getName());
+ }
+ emailUser = ouser;
}
- // Policy 3: Calling ID must be MechID Owner
- if(!trans.user().equals(ouser.fullID())) {
- return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
- trans.user(),add.mechid,trans.org().getName());
- }
// Policy 4: Renewal Days are between 10 and 60 (constants, may be parameterized)
if(add.renewDays<MIN_RENEWAL) {
@@ -447,7 +454,7 @@ public class CMService {
// Policy 5: If Notify is blank, set to Owner's Email
if(add.notify==null || add.notify.length()==0) {
- add.notify = "mailto:"+ouser.email();
+ add.notify = "mailto:"+emailUser.email();
}
// Policy 6: Only do Domain by Exception
@@ -462,7 +469,7 @@ public class CMService {
}
// Set Sponsor from Golden Source
- add.sponsor = ouser.fullID();
+ add.sponsor = emailUser.fullID();
} catch (OrganizationException e) {
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
index af6c88dc..0c28c7ca 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
@@ -186,4 +186,5 @@ public abstract class AbsService<ENV extends BasicEnv, TRANS extends Trans> exte
}
return def;
}
+
}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
index 3ae2fbfb..40640007 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
@@ -163,9 +163,9 @@ public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> {
try {
Object[] atl=new Object[additionalTafLurs.length+2];
atl[0]=new DirectAAFLur(env,question); // Note, this will be assigned by AuthzTransFilter to TrustChecker
- atl[1]=new BasicHttpTaf(env, directAAFUserPass,
- domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
- false);
+ atl[1]= new BasicHttpTaf(env, directAAFUserPass,
+ domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
+ false);
if(additionalTafLurs.length>0) {
System.arraycopy(additionalTafLurs, 0, atl, 2, additionalTafLurs.length);
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
index 519721ce..f3207798 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
@@ -532,7 +532,6 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
NSS nss = mapper.newInstance(API.NSS);
// Note: "loadNamespace" already validates view of Namespace
return mapper.nss(trans, rn.value, nss);
-
}
@ApiDoc(
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
index d31c9d01..390c3089 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
@@ -42,9 +42,11 @@ import org.onap.aaf.auth.service.Code;
import org.onap.aaf.auth.service.facade.AuthzFacade;
import org.onap.aaf.auth.service.mapper.Mapper.API;
import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.CredVal.Type;
import org.onap.aaf.cadi.Symm;
import org.onap.aaf.cadi.principal.BasicPrincipal;
import org.onap.aaf.cadi.principal.X509Principal;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
import org.onap.aaf.misc.env.Env;
import org.onap.aaf.misc.env.TimeTaken;
@@ -90,23 +92,36 @@ public class API_Creds {
// have to check Basic Auth here, because it might be CSP.
String authz = req.getHeader("Authorization");
if(authz.startsWith("Basic ")) {
- String decoded = Symm.base64noSplit.decode(authz.substring(6));
- int colon = decoded.indexOf(':');
- TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
- try {
- if(directAAFUserPass.validate(
- decoded.substring(0,colon),
- CredVal.Type.PASSWORD ,
- decoded.substring(colon+1).getBytes(),trans)) {
-
- resp.setStatus(HttpStatus.OK_200);
- } else {
- // DME2 at this version crashes without some sort of response
- resp.getOutputStream().print("");
- resp.setStatus(HttpStatus.FORBIDDEN_403);
+ BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf();
+ if(bht!=null) {
+ BasicPrincipal bp = new BasicPrincipal(authz,"");
+ CredVal cv = bht.getCredVal(bp.getDomain());
+ if(cv!=null) {
+ if(cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ resp.setStatus(HttpStatus.FORBIDDEN_403);
+ }
+ }
+ } else {
+ String decoded = Symm.base64noSplit.decode(authz.substring(6));
+ int colon = decoded.indexOf(':');
+ TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
+ try {
+ if(directAAFUserPass.validate(
+ decoded.substring(0,colon),
+ CredVal.Type.PASSWORD ,
+ decoded.substring(colon+1).getBytes(),trans)) {
+
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ // DME2 at this version crashes without some sort of response
+ resp.getOutputStream().print("");
+ resp.setStatus(HttpStatus.FORBIDDEN_403);
+ }
+ } finally {
+ tt.done();
}
- } finally {
- tt.done();
}
}
} else if(p == null) {