9 files changed, 71 insertions, 42 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java index a31e7b5b..5605d653 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java @@ -3,6 +3,8 @@ * org.onap.aaf * =========================================================================== * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * + * Modification Copyright (c) 2019 IBM * =========================================================================== * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -37,7 +39,6 @@ import org.onap.aaf.misc.env.Trans; public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<TRANS,DATA> { // Java does not allow creation of Arrays with Generics in them... - // private Map<String,Dated> cache[]; protected final CIDAO<TRANS> info; private static Timer infoTimer; @@ -47,19 +48,8 @@ public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<T protected final String name; private final long expireIn; - - // Taken from String Hash, but coded, to ensure consistent across Java versions. Also covers negative case; - public int cacheIdx(String key) { - int h = 0; - for (int i = 0; i < key.length(); i++) { - h = 31*h + key.charAt(i); - } - if (h<0)h*=-1; - return h%segSize; - } - public Cached(CIDAO<TRANS> info, String name, int segSize, long expireIn) { this.name =name; this.segSize = segSize; 
@@ -71,6 +61,18 @@ public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<T cache[i]=obtain(name+i); } } + + // Taken from String Hash, but coded, to ensure consistent across Java versions. Also covers negative case; + public int cacheIdx(String key) { + int h = 0; + for (int i = 0; i < key.length(); i++) { + h = 31*h + key.charAt(i); + } + if (h<0) { + h*=-1; + } + return h%segSize; + } public void add(String key, List<DATA> data) { @SuppressWarnings("unchecked") @@ -83,14 +85,14 @@ public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<T int cacheIdx = cacheIdx(key); @SuppressWarnings("unchecked") Map<String,Dated> map = ((Map<String,Dated>)cache[cacheIdx]); -// if (map.remove(key)!=null) // Not seeming to remove all the time if (map!=null)map.clear(); -// System.err.println("Remove " + name + " " + key); return cacheIdx; } public Result<Void> invalidate(int segment) { - if (segment<0 || segment>=cache.length) return Result.err(Status.ERR_BadData,"Cache Segment %s is out of range",Integer.toString(segment)); + if (segment<0 || segment>=cache.length) { + return Result.err(Status.ERR_BadData,"Cache Segment %s is out of range",Integer.toString(segment)); + } @SuppressWarnings("unchecked") Map<String,Dated> map = ((Map<String,Dated>)cache[segment]); if (map!=null) { @@ -99,6 +101,7 @@ public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<T return Result.ok(); } + @FunctionalInterface public interface Getter<D> { public abstract Result<List<D>> get(); }; @@ -125,8 +128,6 @@ public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<T rld = getter.get(); if (rld.isOK()) { // only store valid lists map.put(key, new Dated(rld.value,expireIn)); // successful item found gets put in cache -// } else if (rld.status == Result.ERR_Backend){ -// map.remove(key); } } return rld; 
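Review bot: The sign fix in the re-added `cacheIdx` still breaks for a key whose hash lands on `Integer.MIN_VALUE`: in Java `Integer.MIN_VALUE * -1` is `Integer.MIN_VALUE`, so `h` stays negative after `h*=-1`, `h%segSize` is negative, and the callers visible later in this hunk index `cache[]` with the result, giving an ArrayIndexOutOfBoundsException instead of a cache miss. Since String hash collisions are trivial to construct, a caller-supplied key can trigger this on demand. Replace the `if (h<0) { h*=-1; }` / `return h%segSize;` pair with `return Math.floorMod(h, segSize);`, which is always in `[0, segSize)` for a positive `segSize` and otherwise behaves as before (a zero `segSize`, set by the constructor outside this hunk, still raises ArithmeticException).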
@@ -162,8 +163,8 @@ public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<T } } - private final static class Refresh extends TimerTask { - private static final int maxRefresh = 2*60*10000; // 20 mins + private static final class Refresh extends TimerTask { + private static final int MAXREFRESH = 2*60*10000; // 20 mins private AuthzEnv env; private CIDAO<AuthzTrans> cidao; private int minRefresh; @@ -173,7 +174,7 @@ public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<T this.env = env; this.cidao = cidao; this.minRefresh = minRefresh; - lastRun = System.currentTimeMillis()-maxRefresh-1000; + lastRun = System.currentTimeMillis()-MAXREFRESH-1000; } @Override @@ -182,7 +183,9 @@ public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<T long now = System.currentTimeMillis(); long interval = now-lastRun; - if (interval < minRefresh || interval < Math.min(env.transRate(),maxRefresh)) return; + if (interval < minRefresh || interval < Math.min(env.transRate(),MAXREFRESH)) { + return; + } lastRun = now; AuthzTrans trans = env.newTransNoAvg(); Result<Void> rv = cidao.check(trans); diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassDAOImpl.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassDAOImpl.java index 72444c99..68ec2e8b 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassDAOImpl.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassDAOImpl.java 
@@ -167,19 +167,27 @@ public class CassDAOImpl<TRANS extends TransStore,DATA> extends AbsCassDAO<TRANS public void replace(CRUD crud, PSInfo psInfo) { switch(crud) { - case create: createPS = psInfo; break; - case read: readPS = psInfo; break; - case update: updatePS = psInfo; break; - case delete: deletePS = psInfo; break; + case create: createPS = psInfo; + break; + case read: readPS = psInfo; + break; + case update: updatePS = psInfo; + break; + case delete: deletePS = psInfo; + break; } } public void disable(CRUD crud) { switch(crud) { - case create: createPS = null; break; - case read: readPS = null; break; - case update: updatePS = null; break; - case delete: deletePS = null; break; + case create: createPS = null; + break; + case read: readPS = null; + break; + case update: updatePS = null; + break; + case delete: deletePS = null; + break; } } diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java index 6bdc22bc..a8a3796a 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java @@ -3,6 +3,7 @@ * org.onap.aaf * =========================================================================== * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * Modifications Copyright (C) 2019 IBM. * =========================================================================== * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -51,6 +52,7 @@ public class CachedCredDAO extends CachedDAO<AuthzTrans, CredDAO, CredDAO.Data> @Override public Result<List<Data>> read(AuthzTrans trans, final String id) { DAOGetter getter = new DAOGetter(trans,dao()) { + @Override public Result<List<CredDAO.Data>> call() { return dao().readID(trans, id); } 
@@ -68,6 +70,7 @@ public class CachedCredDAO extends CachedDAO<AuthzTrans, CredDAO, CredDAO.Data> @Override public Result<List<Data>> read(AuthzTrans trans, final String id) { DAOGetter getter = new DAOGetter(trans,dao()) { + @Override public Result<List<CredDAO.Data>> call() { return dao().readIDBAth(trans, id); } @@ -105,6 +108,7 @@ public class CachedCredDAO extends CachedDAO<AuthzTrans, CredDAO, CredDAO.Data> return readIDBath.read(trans,id); } + @FunctionalInterface private interface ReadID { public Result<List<CredDAO.Data>> read(final AuthzTrans trans, final String id); } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java index 1c951961..bce7eccd 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java @@ -3,6 +3,7 @@ * org.onap.aaf * =========================================================================== * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * Modifications Copyright (C) 2019 IBM. * =========================================================================== * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -123,11 +124,9 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> { // Certs in keystore versus Truststore. Separate in Version 2_0 if (cin.trustCAs()!=null) { for (String c : cin.trustCAs()) { - if (c!=null) { - if (!cout.getCerts().contains(c)) { - cout.getCerts().add(c); - } - } + if ((c!=null)&&(!cout.getCerts().contains(c))) { + cout.getCerts().add(c); + } } } if (cin.notes()!=null) { diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java index 6ca37c33..bd8f1a52 100644 
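Review bot: The merged condition in Mapper1_0 evaluates `cout.getCerts()` twice per trusted CA and a third time on the `add`; hoisting `List<String> certs = cout.getCerts();` before the `for` loop reads more clearly and makes it obvious the contains/add pair works on the same collection. The dedup is an exact string compare via `contains`, so presumably two encodings of the same CA (e.g. differing line wrapping or trailing whitespace) are both kept — confirm that is intended for the truststore list. The enclosing mapper method starts and ends outside this hunk.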
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java @@ -4,7 +4,7 @@ * =========================================================================== * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. * - * Modifications Copyright (C) 2018 IBM. + * Modifications Copyright (C) 2019 IBM. * =========================================================================== * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -215,8 +215,7 @@ public class AAFcli { } } else if ("expect".equalsIgnoreCase(largs[idx])) { expect.clear(); - if (largs.length > idx++) { - if (!"nothing".equals(largs[idx])) { + if ((largs.length > idx++)&&(!"nothing".equals(largs[idx]))) { for (String str : largs[idx].split(",")) { try { if ("Exception".equalsIgnoreCase(str)) { @@ -229,8 +228,7 @@ public class AAFcli { } } ++idx; - } - } + } continue; // Sleep, typically for reports, to allow DB to update // Milliseconds @@ -376,7 +374,8 @@ public class AAFcli { char last = 0; for (int i = 0; i < line.length(); ++i) { char ch; - if (Character.isWhitespace(ch = line.charAt(i))) { + ch = line.charAt(i); + if (Character.isWhitespace(ch)) { if (start || last==',') { continue; // trim } else if (quote != 0) { diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/cui/CUI.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/cui/CUI.java index cb44ab09..20a28cab 100644 --- a/auth/auth-gui/src/main/java/org/onap/aaf/auth/cui/CUI.java +++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/cui/CUI.java 
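Review bot: The merged `expect` condition keeps the pre-existing bound check on the wrong index: `largs.length > idx++` compares the position of `expect` itself, after which `largs[idx]` reads the following slot, so `expect` given as the last token passes the check and throws ArrayIndexOutOfBoundsException. Because the increment happens whether or not the check succeeds, `if ((largs.length > ++idx)&&(!"nothing".equals(largs[idx]))) {` preserves the existing flow in every other case and only turns the overflow into a no-op. The argument loop and the `++idx`/`continue` that follow start and end outside this hunk, so the subsequent index handling is inferred.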
@@ -45,7 +45,7 @@ import org.onap.aaf.misc.env.TimeTaken; public class CUI extends HttpCode<AuthzTrans, Void> { private final AAF_GUI gui; - private final static Pattern userPerm = Pattern.compile("perm (create|delete).*@.*:id.*aaf.gui.*"); + private static final Pattern userPerm = Pattern.compile("perm (create|delete).*@.*:id.*aaf.gui.*"); public CUI(AAF_GUI gui) { @@ -90,6 +90,7 @@ public class CUI extends HttpCode<AuthzTrans, Void> { if(userPerm.matcher(cmdStr).matches()) { trans.clearCache(); Cookie cookie = new Cookie(Page.AAF_THEME,trans.getProperty(Page.AAF_THEME)); + cookie.setSecure(true); cookie.setMaxAge(-1); cookie.setComment("Remove AAF GUI Theme"); trans.hresp().addCookie(cookie); diff --git a/docs/sections/architecture/aaf_architecture.rst b/docs/sections/architecture/aaf_architecture.rst index 50d20eec..5513be8a 100644 --- a/docs/sections/architecture/aaf_architecture.rst +++ b/docs/sections/architecture/aaf_architecture.rst 
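Review bot: `cookie.setSecure(true)` is added but the theme cookie is still written without `HttpOnly`; unless page scripts need to read `AAF_THEME`, add `cookie.setHttpOnly(true);` (Servlet 3.0+) alongside it so the cookie is not readable by injected script. Note also that `setMaxAge(-1)` creates a session cookie rather than expiring one, so despite the "Remove AAF GUI Theme" comment this overwrites the theme with `trans.getProperty(Page.AAF_THEME)` for the current session; if actual removal is intended, `setMaxAge(0)` is the call. With `Secure` set, a browser ignores the cookie if the GUI is ever reached over plain HTTP, which matches the docs in this commit declaring the GUI HTTP/S only but is worth confirming for deployments that front the container with a TLS terminator. The enclosing handler method starts outside the hunk.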
@@ -64,6 +64,17 @@ Enjoy stretching your mind AAF can support models of either side. In the meantime, enjoy the use of your mind to comtemplate things beyond tickets and this will help drive what you need to ask for in terms of Identities for your Apps. +Components +========== + +The running components of AAF include the following: + - "service" - RESTful HTTP/S - The main API Service for Authentication, Authorization and Management + - "locate" - RESTful HTTP/S - Provides Scaleble, Cross-Deployment Global location, inside or outside a container, of Registered Components (at minimum, AAF Components). Locate also provide Configuration information for Generated Configurations. + - "oauth" - RESTful HTTP/S - OAuth 2 implementation. Provides "token" and "introspection" methods, where Authorization data is included. + - "gui" - Browser HTTP/S - Management GUI, where user interactions occur, including a Web-based CMD-Line interface, API Docs, Approval pages, etc. + - "cm" - RESTful HTTP/S - Certificate Manager API, see more details below. + - "fs" - HTTP ONLY - File Server. This Component MUST NOT be HTTP/S, because it Provides HTTP Accessed RCLs as part of the TLS process. Other public information may be presented as well (such as Certificates, which are by definition Public) + Certificate Manager =================== diff --git a/docs/sections/architecture/security.rst b/docs/sections/architecture/security.rst index d1809935..ebfd63ba 100644 --- a/docs/sections/architecture/security.rst +++ b/docs/sections/architecture/security.rst 
@@ -33,6 +33,10 @@ Whenever two processing entities exist that need to communicate securely, it is Encryption is provided by HTTP/S with the TLS 1.2+ protocol. Lesser protocols can also be added, but it is highly recommended that the protocol go no lower than TLS 1.1 +ALL components of AAF are accessible only by HTTP/S (service, locate, oauth, gui, certman), EXCEPT the component "FS". + +FS *must* be HTTP, because it is responsible for being accessible DURING the TLS process for recent RCLs. (Revocation lists). Since it is part of the TLS process, it cannot be TLS itself. + .. image:: images/SecurityArchBasic_TLS.svg :width: 70% :align: center diff --git a/docs/sections/release-notes.rst b/docs/sections/release-notes.rst index 72198931..ed91732c 100644 --- a/docs/sections/release-notes.rst +++ b/docs/sections/release-notes.rst @@ -5,7 +5,7 @@ Release Notes ============= -Version: 2.1.15 (El Alto, Early Drop, 5.0.0) +Version: 2.1.15 (El Alto, 5.0.1) --------------------------------------------- :Release Date: 2019-08-12 |