29 files changed, 280 insertions, 82 deletions
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Perm.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Perm.java
index 469284a2..acfb3390 100644
--- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Perm.java
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Perm.java
@@ -106,7 +106,9 @@ public class Perm implements Comparable<Perm> {
 try {
 while(iter.hasNext()) {
 row = iter.next();
- Perm pk = new Perm(row.getString(0),row.getString(1),row.getString(2),row.getString(3), row.getString(4), row.getSet(5,String.class));
+ Perm pk = new Perm(
+ row.getString(0),row.getString(1),row.getString(2),
+ row.getString(3), row.getString(4), row.getSet(5,String.class));
 keys.put(pk.encode(), pk);
 data.put(pk,pk.roles);
 }
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
index bc563f39..96349aed 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
@@ -37,7 +37,6 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Comparator;
-import java.util.Date;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -553,10 +552,10 @@ public class CachingFileAccess<TRANS extends Trans> extends HttpCode<TRANS, Void
 content.remove(entry.getKey());
 //System.out.println("removed Cache Item " + entry.getKey() + "/" + new Date(entry.getValue().access).toString());
 }
- for(int i=end;i<size;++i) {
- Entry<String, Content> entry = scont.get(i).entry;
- //System.out.println("remaining Cache Item " + entry.getKey() + "/" + new Date(entry.getValue().access).toString());
- }
+// for(int i=end;i<size;++i) {
+// Entry<String, Content> entry = scont.get(i).entry;
+// //System.out.println("remaining Cache Item " + entry.getKey() + "/" + new Date(entry.getValue().access).toString());
+// }
 }
 }
 }
diff --git a/auth/auth-fs/src/test/java/org/onap/aaf/auth/fs/test/JU_AAF_FS.java b/auth/auth-fs/src/test/java/org/onap/aaf/auth/fs/test/JU_AAF_FS.java
index 27f771c1..3c68f61d 100644
--- a/auth/auth-fs/src/test/java/org/onap/aaf/auth/fs/test/JU_AAF_FS.java
+++ b/auth/auth-fs/src/test/java/org/onap/aaf/auth/fs/test/JU_AAF_FS.java
@@ -48,8 +48,6 @@ import java.io.File;
 import java.io.IOException;
 import java.io.PrintStream;
 
-import org.junit.Test;
-
 public class JU_AAF_FS {
 AuthzEnv aEnv;
 AAF_FS aafFs;
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java
index 23d87e3e..6adb4641 100644
--- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java
+++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java
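Review bot: The `for(int i=end;i<size;++i)` loop is kept as four `//`-prefixed lines rather than deleted; its body only declared an unused `entry` and a println that was already commented out, and the companion hunk removes the `java.util.Date` import it referenced, so nothing is left to revive. Delete the four lines outright; if a record of the cache items retained after eviction is still wanted, a single `// TODO: report retained cache items through the access log` keeps the intent without dead code. The enclosing method starts outside the hunk.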
@@ -32,19 +32,20 @@ import org.onap.aaf.cadi.taf.AbsTafResp;
 import org.onap.aaf.cadi.taf.TafResp;
 
 public class OAuth2FormHttpTafResp extends AbsTafResp implements TafResp {
+ private static final String tafName = DirectOAuthTAF.class.getSimpleName();
 private HttpServletResponse httpResp;
 private RESP status;
 private final boolean wasFailed;
 
 public OAuth2FormHttpTafResp(Access access, OAuth2FormPrincipal principal, String desc, RESP status, HttpServletResponse resp, boolean wasFailed) {
- super(access,principal, desc);
+ super(access,tafName,principal, desc);
 httpResp = resp;
 this.status = status;
 this.wasFailed = wasFailed;
 }
 
 public OAuth2FormHttpTafResp(Access access, TrustPrincipal principal, String desc, RESP status,HttpServletResponse resp) {
- super(access,principal, desc);
+ super(access,tafName,principal, desc);
 httpResp = resp;
 this.status = status;
 wasFailed = true; // if Trust Principal added, must be good
@@ -62,4 +63,5 @@ public class OAuth2FormHttpTafResp extends AbsTafResp implements TafResp {
 public boolean isFailedAttempt() {
 return wasFailed;
 }
+
 }
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
index a5ef6d14..682540ea 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
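Review bot: `private static final String tafName` is a compile-time constant and should follow the constant convention, `private static final String TAF_NAME = DirectOAuthTAF.class.getSimpleName();`, with both `super(...)` calls updated to match; the same lower-camel constant is introduced in OAuth2HttpTafResp.java, BasicHttpTafResp.java, X509HttpTafResp.java and DenialOfServiceTafResp.java in this commit. This class also names `DirectOAuthTAF` rather than a class of its own name, which a reader cannot verify from this file; a one-line comment such as `// reported by taf(); must name the TAF class that produces this response` would record the intent.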
@@ -30,18 +30,20 @@ import java.util.Map;
 
 import org.onap.aaf.cadi.AbsUserCache;
 import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.Lur;
 import org.onap.aaf.cadi.Permission;
 import org.onap.aaf.cadi.User;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
 import org.onap.aaf.cadi.aaf.AAFPermission;
 import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Holder;
 import org.onap.aaf.cadi.client.Rcli;
 import org.onap.aaf.cadi.client.Retryable;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.lur.LocalPermission;
+import org.onap.aaf.cadi.util.Timing;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.util.Split;
 
@@ -107,15 +109,16 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> {
 protected User<AAFPermission> loadUser(final Principal principal) {
 final String name = principal.getName();
-// TODO Create a dynamic way to declare domains supported.
 final long start = System.nanoTime();
+ final Holder<Float> remote = new Holder<Float>(0f);
+ final boolean[] success = new boolean[]{false};
-// new Exception("loadUser").printStackTrace();
 try {
 return aaf.best(new Retryable<User<AAFPermission>>() {
 @Override
 public User<AAFPermission> code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+ final long remoteStart = System.nanoTime();
 Future<Perms> fp = client.read("/authz/perms/user/"+name,aaf.permsDF);
 
 // In the meantime, lookup User, create if necessary
@@ -137,7 +140,9 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> {
 }
 
 // OK, done all we can, now get content
- if(fp.get(aaf.timeout)) {
+ boolean ok = fp.get(aaf.timeout);
+ remote.set(Timing.millis(remoteStart));
+ if(ok) {
 success[0]=true;
 Map<String, Permission> newMap = user.newMap();
 boolean willLog = aaf.access.willLog(Level.DEBUG);
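Review bot: `remote.set(Timing.millis(remoteStart))` only runs once `fp.get(aaf.timeout)` has returned, so when `client.read` or `fp.get` throws, the `finally` in the following hunk reports `remote=0.000000`, which reads as an instantaneous call rather than an unmeasured one. Either set `remote` from a `finally` inside `code(...)` or start it at a sentinel, `final Holder<Float> remote = new Holder<Float>(-1f);`, so the log separates "not measured" from "fast". This method also carries state out of the anonymous `Retryable` with a `boolean[] success` while the rewritten `reload` uses `Holder<Boolean>`; one idiom for both would be easier to read. `loadUser` continues past the hunk.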
@@ -170,51 +175,61 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> {
 success[0]=false;
 return null;
 } finally {
- float time = (System.nanoTime()-start)/1000000f;
- aaf.access.log(Level.INFO, success[0]?"Loaded":"Load Failure",name,"from AAF in",time,"ms");
+ aaf.access.printf(Level.INFO, "AAFLurPerm: %s %s perms from AAF in %f ms, remote=%f",
+ (success[0]?"Loaded":"Load Failure"),name,Timing.millis(start),remote.get());
 }
 }
 
- public Resp reload(User<AAFPermission> user) {
+ public Resp reload(final User<AAFPermission> user) {
 final String name = user.name;
 long start = System.nanoTime();
- boolean success = false;
+ final Holder<Float> remote = new Holder<Float>(0f);
+ final Holder<Boolean> success = new Holder<Boolean>(false);
 try {
- Future<Perms> fp = aaf.client(Config.AAF_DEFAULT_VERSION).read(
- "/authz/perms/user/"+name,
- aaf.permsDF
- );
-
- // OK, done all we can, now get content
- if(fp.get(aaf.timeout)) {
- success = true;
- Map<String,Permission> newMap = user.newMap();
- boolean willLog = aaf.access.willLog(Level.DEBUG);
- for(Perm perm : fp.value.getPerm()) {
- user.add(newMap, new AAFPermission(perm.getNs(),perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles()));
- if(willLog) {
- aaf.access.log(Level.DEBUG, name,"has",perm.getType(),perm.getInstance(),perm.getAction());
+ Resp rv = aaf.best(new Retryable<Resp>() {
+ @Override
+ public Resp code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+ final long remoteStart = System.nanoTime();
+ Future<Perms> fp = aaf.client(Config.AAF_DEFAULT_VERSION).read(
+ "/authz/perms/user/"+name,
+ aaf.permsDF
+ );
+
+ // OK, done all we can, now get content
+ boolean ok = fp.get(aaf.timeout);
+ remote.set(Timing.millis(remoteStart));
+ if(ok) {
+ success.set(true);
+ Map<String,Permission> newMap = user.newMap();
+ boolean willLog = aaf.access.willLog(Level.DEBUG);
+ for(Perm perm : fp.value.getPerm()) {
+ user.add(newMap, new AAFPermission(perm.getNs(),perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles()));
+ if(willLog) {
+ aaf.access.log(Level.DEBUG, name,"has",perm.getType(),perm.getInstance(),perm.getAction());
+ }
+ }
+ user.renewPerm();
+ return Resp.REVALIDATED;
+ } else {
+ int code;
+ switch(code=fp.code()) {
+ case 401:
+ aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls");
+ break;
+ default:
+ aaf.access.log(Access.Level.ERROR, code, fp.body());
+ }
+ return Resp.UNVALIDATED;
 }
 }
- user.renewPerm();
- return Resp.REVALIDATED;
- } else {
- int code;
- switch(code=fp.code()) {
- case 401:
- aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls");
- break;
- default:
- aaf.access.log(Access.Level.ERROR, code, fp.body());
- }
- return Resp.UNVALIDATED;
- }
+ });
+ return rv;
 } catch (Exception e) {
 aaf.access.log(e,"Calling","/authz/perms/user/"+name);
 return Resp.INACCESSIBLE;
 } finally {
- float time = (System.nanoTime()-start)/1000000f;
- aaf.access.log(Level.AUDIT, success?"Reloaded":"Reload Failure",name,"from AAF in",time,"ms");
+ aaf.access.printf(Level.INFO, "AAFLurPerm: %s %s perms from AAF in %f ms (remote=%f)",
+ (success.get()?"Reloaded":"Reload Failure"),name,Timing.millis(start),remote.get());
 }
 }
 
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTafResp.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTafResp.java
index 7e1028a5..9292e75e 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTafResp.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTafResp.java
@@ -31,19 +31,20 @@ import org.onap.aaf.cadi.taf.AbsTafResp;
 import org.onap.aaf.cadi.taf.TafResp;
 
 public class OAuth2HttpTafResp extends AbsTafResp implements TafResp {
+ private static final String tafName = OAuth2HttpTaf.class.getSimpleName();
 private HttpServletResponse httpResp;
 private RESP status;
 private final boolean wasFailed;
 
 public OAuth2HttpTafResp(Access access, OAuth2Principal principal, String desc, RESP status, HttpServletResponse resp, boolean wasFailed) {
- super(access,principal, desc);
+ super(access,tafName, principal, desc);
 httpResp = resp;
 this.status = status;
 this.wasFailed = wasFailed;
 }
 
 public OAuth2HttpTafResp(Access access, TrustPrincipal principal, String desc, RESP status,HttpServletResponse resp) {
- super(access,principal, desc);
+ super(access,tafName, principal, desc);
 httpResp = resp;
 this.status = status;
 wasFailed = true; // if Trust Principal added, must be good
@@ -62,5 +63,4 @@ public class OAuth2HttpTafResp extends AbsTafResp implements TafResp {
 return wasFailed;
 }
 
-
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
index a2dfba37..6f4d5cc7 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
@@ -34,6 +34,7 @@ import org.onap.aaf.cadi.filter.PermConverter;
 import org.onap.aaf.cadi.lur.EpiLur;
 import org.onap.aaf.cadi.principal.TaggedPrincipal;
 import org.onap.aaf.cadi.taf.TafResp;
+import org.onap.aaf.cadi.util.Timing;
@@ -113,7 +114,7 @@ public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRe
 */
 @Override
 public boolean isUserInRole(String perm) {
- return perm==null?false:checkPerm(access,"(HttpRequest)",principal,pconv,lur,perm);
+ return perm==null?false:checkPerm(access,"isUserInRole",principal,pconv,lur,perm);
 }
 
 public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) {
@@ -121,12 +122,13 @@ public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRe
 access.log(Level.AUDIT,caller, "No Principal in Transaction");
 return false;
 } else {
+ final long start = System.nanoTime();
 perm = pconv.convert(perm);
 if(lur.fish(principal,lur.createPerm(perm))) {
- access.log(Level.DEBUG,caller, principal.getName(), "has", perm);
+ access.printf(Level.DEBUG,"%s: %s has %s, %f ms", caller, principal.getName(), perm, Timing.millis(start));
 return true;
 } else {
- access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm);
+ access.printf(Level.DEBUG,"%s: %s does not have %s, %f ms", caller, principal.getName(), perm, Timing.millis(start));
 return false;
 }
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
index 237aa28d..29234ed7 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
@@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.CadiWrap;
 import org.onap.aaf.cadi.LocatorException;
@@ -43,11 +44,11 @@ import org.onap.aaf.cadi.Lur;
 import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.ServletContextAccess;
 import org.onap.aaf.cadi.TrustChecker;
-import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.config.Get;
 import org.onap.aaf.cadi.taf.TafResp;
 import org.onap.aaf.cadi.taf.TafResp.RESP;
+import org.onap.aaf.cadi.util.Timing;
 
 /**
 * CadiFilter
@@ -264,22 +265,39 @@ public class CadiFilter implements Filter {
 */
 //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ final long startAll = System.nanoTime();
+ long startCode, startValidate;
+ float code=0f, validate=0f;
+ String user = "n/a";
+ String tag = "";
 try {
 HttpServletRequest hreq = (HttpServletRequest)request;
 if(noAuthn(hreq)) {
+ startCode=System.nanoTime();
 chain.doFilter(request, response);
+ code = Timing.millis(startCode);
 } else {
 HttpServletResponse hresp = (HttpServletResponse)response;
+ startValidate=System.nanoTime();
 TafResp tresp = httpChecker.validate(hreq, hresp, hreq);
+ validate = Timing.millis(startValidate);
 if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) {
+ user = tresp.getPrincipal().personalName();
+ tag = tresp.getPrincipal().tag();
 CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq));
 if(httpChecker.notCadi(cw, hresp)) {
+ startCode=System.nanoTime();
 oauthFilter.doFilter(cw,response,chain);
+ code = Timing.millis(startCode);
 }
- }
+ }
 }
 } catch (ClassCastException e) {
 throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e);
+ } finally {
+ access.printf(Level.WARN, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f",
+ user,tag,request.getRemoteAddr(),
+ Timing.millis(startAll),validate,code);
 }
 }
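Review bot: The new `finally` writes `access.printf(Level.WARN, "Trans: user=%s[%s],ip=%s,...")` for every request, including the `noAuthn` path, so routine traffic is logged at WARN and real warnings become hard to pick out of timing telemetry; a per-transaction timing line belongs at INFO or DEBUG: `access.printf(Level.INFO, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f",`. The line records `personalName()` and `request.getRemoteAddr()`, while the audit entries elsewhere in this commit (CadiWrap.checkPerm) use `principal.getName()`; a short comment stating that this is operational timing and that `getRemoteAddr()` is the immediate peer (the proxy, if one is in front) would help whoever later correlates the two. `tresp.getPrincipal()` is dereferenced without a null check on the `IS_AUTHENTICATED` path; presumably that state guarantees a principal, and a comment saying so would make the assumption explicit.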
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
index c216fb57..fb54abdb 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
@@ -23,6 +23,7 @@ package org.onap.aaf.cadi.taf;
 
 import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.cadi.util.Timing;
 
 /**
 * AbsTafResp
@@ -34,9 +35,11 @@ import org.onap.aaf.cadi.principal.TaggedPrincipal;
 */
 public abstract class AbsTafResp implements TafResp {
- protected final String desc;
- protected final TaggedPrincipal principal;
 protected final Access access;
+ protected final String tafName;
+ protected final TaggedPrincipal principal;
+ protected final String desc;
+ private float timing;
 
 /**
 * AbsTafResp
@@ -47,11 +50,13 @@ public abstract class AbsTafResp implements TafResp {
 * Access (for access to underlying container, i.e. for Logging, auditing, ClassLoaders, etc)
 *
 * @param access
+ * @param tafname
 * @param principal
 * @param description
 */
- public AbsTafResp(Access access, TaggedPrincipal principal, String description) {
+ public AbsTafResp(Access access, String tafname, TaggedPrincipal principal, String description) {
 this.access = access;
+ this.tafName = tafname;
 this.principal = principal;
 this.desc = description;
 }
@@ -113,4 +118,19 @@ public abstract class AbsTafResp implements TafResp {
 return false;
 }
 
+ @Override
+ public float timing() {
+ return timing;
+ }
+
+ @Override
+ public void timing(final long start) {
+ timing = Timing.millis(start);
+ }
+
+ @Override
+ public String taf() {
+ return tafName;
+ }
+
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
index 5b51c111..1d7967e3 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
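Review bot: The constructor's new `@param tafname` has no description, and the parameter is spelled `tafname` while the field it initialises is `tafName`. Suggest `@param tafname simple name of the Taf that produced this response, returned by {@link #taf()}`, and a Javadoc on `timing(final long start)` stating that `start` is a `System.nanoTime()` reading, since `Timing.millis` subtracts it from `System.nanoTime()` and a wall-clock value would silently yield a meaningless duration. A one-line comment on `private float timing;` noting that it is written by `timing(long)` and read by `timing()` would also explain why it is the only non-final field in an otherwise immutable response.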
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
@@ -101,8 +101,9 @@ public class HttpEpiTaf implements HttpTaf {
 }
 try {
 for (HttpTaf taf : tafs) {
+ final long start = System.nanoTime();
 tresp = taf.validate(reading, req, resp);
- addToLog(log, tresp);
+ addToLog(log, tresp, start);
 switch(tresp.isAuthenticated()) {
 case TRY_ANOTHER_TAF:
 break; // and loop
@@ -181,10 +182,11 @@ public class HttpEpiTaf implements HttpTaf {
 return Resp.NOT_MINE;
 }
 
- private void addToLog(List<TafResp> log, TafResp tresp) {
+ private void addToLog(List<TafResp> log, final TafResp tresp, final long start) {
 if (log == null) {
 return;
 }
+ tresp.timing(start);
 log.add(tresp);
 }
 
@@ -193,7 +195,7 @@ public class HttpEpiTaf implements HttpTaf {
 return;
 }
 for (TafResp tresp : log) {
- access.log(Level.DEBUG, tresp.desc());
+ access.printf(Level.DEBUG, "%s: %s, ms=%f", tresp.taf(), tresp.desc(), tresp.timing());
 }
 }
 
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
index 3f80170e..c8abec0a 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
@@ -37,7 +37,7 @@ public class LoginPageTafResp extends AbsTafResp {
 private final String loginPageURL;
 
 private LoginPageTafResp(Access access, final HttpServletResponse resp, String loginPageURL) {
- super(access, null, "Multiple Possible HTTP Logins available. Redirecting to Login Choice Page");
+ super(access, "LoginPage", null, "Multiple Possible HTTP Logins available. Redirecting to Login Choice Page");
 httpResp = resp;
 this.loginPageURL = loginPageURL;
 }
@@ -91,4 +91,10 @@ public class LoginPageTafResp extends AbsTafResp {
 return NullTafResp.singleton();
 }
 
+
+ @Override
+ public String taf() {
+ return "LoginPage";
+ }
+
 }
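Review bot: In `addToLog`, `tresp.timing(start)` sits after the `if (log == null) { return; }` guard, so whenever no per-request log list is in use the response's `timing()` stays at 0 even though the loop measured it; if the duration is meant to be a property of the TafResp rather than of the log, record it before the guard: `tresp.timing(start);` as the first statement, then `if (log == null) {`. The `validate` method whose loop appears in the first hunk starts outside the hunk.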
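Review bot: `LoginPageTafResp` both passes `"LoginPage"` to the new `AbsTafResp` constructor and overrides `taf()` to return the same literal, so one of the two is redundant; dropping the override and letting `AbsTafResp.taf()` return the stored `tafName` keeps a single source of truth. `DenialOfServiceTafResp` (DenialOfServiceTafResp.java hunk in this commit) does the same with divergent strings, passing `DenialOfServiceTaf.class.getSimpleName()` to `super` while its `taf()` returns `"DOS"`, so the same TAF is reported under two names depending on which response it produced; the updated JU_DenialOfServiceTaf expects `"DenialOfServiceTaf"` for the punt case, so aligning on the class name is the consistent choice.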
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
index 20fc944a..af6ef9cc 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
@@ -70,4 +70,19 @@ class NullTafResp implements TafResp {
 public boolean isFailedAttempt() {
 return true;
 }
+
+ @Override
+ public float timing() {
+ return 0;
+ }
+
+ @Override
+ public void timing(long start) {
+ }
+
+ @Override
+ public String taf() {
+ return "NULL";
+ }
+
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
index f496581b..a38c8532 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
@@ -25,6 +25,7 @@ import java.io.IOException;
 
 import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.cadi.util.Timing;
 
 /**
 * A Punt Resp to make it fast and easy for a Taf to respond that it cannot handle a particular kind of
@@ -33,10 +34,13 @@ import org.onap.aaf.cadi.principal.TaggedPrincipal;
 *
 */
 public class PuntTafResp implements TafResp {
+ private final String name;
 private final String desc;
+ private float timing;
 
 public PuntTafResp(String name, String explanation) {
- desc = name + " is not processing this transaction: " + explanation;
+ this.name = name;
+ desc = "Not processing this transaction: " + explanation;
 }
 
 public boolean isValid() {
@@ -66,4 +70,20 @@ public class PuntTafResp implements TafResp {
 public boolean isFailedAttempt() {
 return false;
 }
+
+ @Override
+ public float timing() {
+ return timing;
+ }
+
+ @Override
+ public void timing(long start) {
+ timing = Timing.millis(start);
+ }
+
+ @Override
+ public String taf() {
+ return name;
+ }
+
 }
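Review bot: `NullTafResp.timing(long start)` is an empty method and `timing()` returns 0, which is the right choice because the instance is handed out through `NullTafResp.singleton()` (as LoginPageTafResp does in this commit) and storing per-request timing on a shared object would race across threads, but nothing in the code says so; add `// shared singleton: must not hold per-request state, so timing is deliberately not recorded` above the empty body. In `PuntTafResp` the TAF name has moved out of `desc` into `taf()`, so any caller that logs only `desc()` loses the attribution it had before; `HttpEpiTaf` in this commit prints both, but other consumers of `desc()` are not visible here.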
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
index a679d994..acade37a 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
@@ -91,4 +91,21 @@ public interface TafResp {
 * Be able to check if part of a Failed attempt
 */
 public boolean isFailedAttempt();
+
+ /**
+ * report how long this took
+ * @return
+ */
+ public float timing();
+
+ /**
+ * Set end of timing in Millis, given Nanos
+ * @param start
+ */
+ void timing(long start);
+
+ /**
+ * Support Taf Name
+ */
+ String taf();
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
index 24a79cf3..98ead3ca 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
@@ -25,10 +25,12 @@ import java.io.IOException;
 
 import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.cadi.util.Timing;
 
 public class TrustNotTafResp implements TafResp {
 private final TafResp delegate;
 private final String desc;
+ private float timing;
 
 public TrustNotTafResp(final TafResp delegate, final String desc) {
 this.delegate = delegate;
@@ -69,8 +71,24 @@ public class TrustNotTafResp implements TafResp {
 public boolean isFailedAttempt() {
 return true;
 }
+ @Override
+ public float timing() {
+ return timing;
+ }
+
+ @Override
+ public void timing(long start) {
+ timing = Timing.millis(start);
+ }
+
 @Override
 public String toString() {
 return desc();
 }
+
+ @Override
+ public String taf() {
+ return "TrustNot";
+ }
+
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
index bc5e8db6..9d3b28ca 100644
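Review bot: The new interface Javadoc leaves `@return` on `timing()` and `@param start` on `timing(long)` empty, and the three additions mix `public float timing()` with `void timing(long start)` and `String taf()`, the redundant `public` being the odd one out in an interface. Suggest `@return elapsed time in milliseconds recorded by {@link #timing(long)}, or 0 if it was never recorded` and `@param start a {@link System#nanoTime()} reading taken before the TAF ran`; every implementation in this commit (AbsTafResp, PuntTafResp, TrustTafResp, TrustNotTafResp) computes the value through `Timing.millis`, which assumes exactly that unit, so the contract should say it.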
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
@@ -25,11 +25,13 @@ import java.io.IOException;
 
 import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.cadi.util.Timing;
 
 public class TrustTafResp implements TafResp {
 private final TafResp delegate;
 private final TaggedPrincipal principal;
 private final String desc;
+ private float timing;
 
 public TrustTafResp(final TafResp delegate, final TaggedPrincipal principal, final String desc) {
 this.delegate = delegate;
@@ -71,8 +73,23 @@ public class TrustTafResp implements TafResp {
 public boolean isFailedAttempt() {
 return delegate.isFailedAttempt();
 }
+ @Override
+ public float timing() {
+ return timing;
+ }
+
+ @Override
+ public void timing(long start) {
+ timing = Timing.millis(start);
+ }
 
 public String toString() {
 return principal.getName() + " by trust of " + desc();
 }
+
+ @Override
+ public String taf() {
+ return "Trust";
+ }
+
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
index c17797b8..643cf29e 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
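Review bot: `TrustTafResp.taf()` returns the fixed string `"Trust"` and its `timing` is a fresh field rather than the delegate's, so the `"%s: %s, ms=%f"` line that `HttpEpiTaf` now emits no longer shows which delegate TAF actually authenticated the caller once the response has been wrapped; consider `return "Trust:" + delegate.taf();` here and the equivalent in `TrustNotTafResp` (which returns `"TrustNot"`) so attribution survives wrapping. `toString()` in this class is also missing `@Override`, unlike its sibling in `TrustNotTafResp`.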
@@ -31,13 +31,14 @@ import org.onap.aaf.cadi.taf.AbsTafResp;
 import org.onap.aaf.cadi.taf.TafResp;
 
 public class BasicHttpTafResp extends AbsTafResp implements TafResp {
+ private static final String tafName = BasicHttpTaf.class.getSimpleName();
 private HttpServletResponse httpResp;
 private String realm;
 private RESP status;
 private final boolean wasFailed;
 
 public BasicHttpTafResp(Access access, TaggedPrincipal principal, String description, RESP status, HttpServletResponse resp, String realm, boolean wasFailed) {
- super(access,principal, description);
+ super(access, tafName, principal, description);
 httpResp = resp;
 this.realm = realm;
 this.status = status;
@@ -57,6 +58,4 @@ public class BasicHttpTafResp extends AbsTafResp implements TafResp {
 public boolean isFailedAttempt() {
 return wasFailed;
 }
-
-
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
index b7f63b8e..c18f9036 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
@@ -29,10 +29,12 @@ import org.onap.aaf.cadi.taf.AbsTafResp;
 import org.onap.aaf.cadi.taf.TafResp;
 
 public class X509HttpTafResp extends AbsTafResp implements TafResp {
+ private static final String tafName = X509Taf.class.getSimpleName();
+
 private RESP status;
 
 public X509HttpTafResp(Access access, TaggedPrincipal principal, String description, RESP status) {
- super(access, principal, description);
+ super(access, tafName, principal, description);
 this.status = status;
 }
 
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
index 7b7f2db0..77efa956 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
@@ -56,7 +56,6 @@ import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
 import org.onap.aaf.cadi.util.Split;
 
 public class X509Taf implements HttpTaf {
- private static final String CERTIFICATE_NOT_VALID_FOR_AUTHENTICATION = "Certificate NOT valid for Authentication";
 public static final CertificateFactory certFactory;
 public static final MessageDigest messageDigest;
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
index b156392d..e5a336f7 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
@@ -27,10 +27,12 @@ import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.taf.AbsTafResp;
 
 public class DenialOfServiceTafResp extends AbsTafResp {
+ private static final String tafName = DenialOfServiceTaf.class.getSimpleName();
+
 private RESP ect; // Homage to Arethra Franklin
 
 public DenialOfServiceTafResp(Access access, RESP resp, String description ) {
- super(access, null, description);
+ super(access, tafName, null, description);
 ect = resp;
 }
 
@@ -44,4 +46,10 @@ public class DenialOfServiceTafResp extends AbsTafResp {
 public RESP authenticate() throws IOException {
 return ect;
 }
+
+ @Override
+ public String taf() {
+ return "DOS";
+ }
+
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Timing.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Timing.java
new file mode 100644
index 00000000..82bd389a
--- /dev/null
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Timing.java
@@ -0,0 +1,27 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.util;
+
+public class Timing {
+ public static float millis(final long start) {
+ return (System.nanoTime() - start) / 1000000f;
+ }
+}
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_LocalLur.java b/cadi/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_LocalLur.java
index 722ac14f..f35f81c1 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_LocalLur.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_LocalLur.java
@@ -37,10 +37,10 @@ import org.junit.Before;
 import org.junit.Test;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
-import org.onap.aaf.cadi.Permission;
-import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.AbsUserCache;
 import org.onap.aaf.cadi.CredVal.Type;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.lur.ConfigPrincipal;
 import org.onap.aaf.cadi.lur.LocalLur;
 import org.onap.aaf.cadi.lur.LocalPermission;
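Review bot: `Timing` is a stateless helper but ships with an implicit public constructor and no statement of its contract, and every caller in this commit depends on the unit it assumes. Make it `public final class Timing` with `private Timing() {}`, document `millis` as `/** Elapsed milliseconds since {@code start}, which must be a {@link System#nanoTime()} reading, not a wall-clock time. */`, and give the divisor a name, `private static final float NANOS_PER_MILLI = 1000000f;`, so the conversion is stated rather than implied by a bare literal.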
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/dos/test/JU_DenialOfServiceTaf.java b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/dos/test/JU_DenialOfServiceTaf.java
index ce49654b..997ebced 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/dos/test/JU_DenialOfServiceTaf.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/dos/test/JU_DenialOfServiceTaf.java
@@ -131,7 +131,8 @@ public class JU_DenialOfServiceTaf {
 
 dost = new DenialOfServiceTaf(accessMock);
 tafResp = dost.validate(LifeForm.SBLF, reqMock1, respMock);
- assertThat(tafResp.desc(), is("DenialOfServiceTaf is not processing this transaction: This Transaction is not denied"));
+ assertThat(tafResp.desc(), is("Not processing this transaction: This Transaction is not denied"));
+ assertThat(tafResp.taf(), is("DenialOfServiceTaf"));
 
 assertThat(DenialOfServiceTaf.denyIP(ip1), is(true));
 
@@ -139,7 +140,8 @@ public class JU_DenialOfServiceTaf {
 assertThat(tafResp.desc(), is(ip1 + " is on the IP Denial list"));
 
 tafResp = dost.validate(LifeForm.SBLF, reqMock2, respMock);
- assertThat(tafResp.desc(), is("DenialOfServiceTaf is not processing this transaction: This Transaction is not denied"));
+ assertThat(tafResp.desc(), is("Not processing this transaction: This Transaction is not denied"));
+ assertThat(tafResp.taf(), is("DenialOfServiceTaf"));
 }
 
 @Test
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_AbsTafResp.java b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_AbsTafResp.java
index 6d0c04b7..e4469d30 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_AbsTafResp.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_AbsTafResp.java
@@ -40,6 +40,7 @@ import org.onap.aaf.cadi.taf.TafResp.RESP;
 
 public class JU_AbsTafResp {
 
+ private static final String JUNIT = "Junit";
 private static final String name = "name";
 private static final String tag = "tag";
 private static final String description = "description";
@@ -58,7 +59,7 @@ public class JU_AbsTafResp {
 
 @Test
 public void test() {
- AbsTafResp tafResp = new AbsTafResp(access, taggedPrinc, description) {
+ AbsTafResp tafResp = new AbsTafResp(access, JUNIT, taggedPrinc, description) {
 @Override
 public RESP authenticate() throws IOException { return null; }
 
@@ -66,12 +67,13 @@ public class JU_AbsTafResp {
 
 assertThat(tafResp.isValid(), is(true));
 assertThat(tafResp.desc(), is(description));
+ assertThat(tafResp.taf(), is(JUNIT));
 assertThat(tafResp.isAuthenticated(), is(RESP.IS_AUTHENTICATED));
 assertThat(tafResp.getPrincipal(), is(taggedPrinc));
 assertThat(tafResp.getAccess(), is(access));
 assertThat(tafResp.isFailedAttempt(), is(false));
 
- tafResp = new AbsTafResp(null, null, null) {
+ tafResp = new AbsTafResp(null, JUNIT, null, null) {
 @Override
 public RESP authenticate() throws IOException { return null; }
 
@@ -81,6 +83,7 @@ public class JU_AbsTafResp {
 assertThat(tafResp.isAuthenticated(), is(RESP.TRY_ANOTHER_TAF));
 assertThat(tafResp.getPrincipal(), is(nullValue()));
 assertThat(tafResp.getAccess(), is(nullValue()));
+ assertThat(tafResp.taf(), is(JUNIT));
 assertThat(tafResp.isFailedAttempt(), is(false));
 }
 
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_EpiTaf.java b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_EpiTaf.java
index a1190590..f8e20cbf 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_EpiTaf.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_EpiTaf.java
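Review bot: The updated test pins the new `taf()` accessor but neither of the other two methods this commit adds to the `TafResp` contract, so `AbsTafResp.timing(long)` and `timing()` have no coverage at all. A minimal pair after the existing assertions, `tafResp.timing(System.nanoTime());` followed by `assertThat(tafResp.timing() >= 0f, is(true));`, would at least establish that a recorded value is non-negative and that the default before recording is 0.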
@@ -76,7 +76,10 @@ public class JU_EpiTaf { @Override public RESP authenticate() throws IOException { return null; } @Override public TaggedPrincipal getPrincipal() { return null; } @Override public Access getAccess() { return null; } - @Override public boolean isFailedAttempt() { return false; } + @Override public boolean isFailedAttempt() { return false; } + @Override public float timing() { return 0; } + @Override public void timing(long start) {} + @Override public String taf() {return "JUnit";} } class TryAnotherTaf implements Taf { @@ -91,6 +94,9 @@ public class JU_EpiTaf { @Override public TaggedPrincipal getPrincipal() { return null; } @Override public Access getAccess() { return null; } @Override public boolean isFailedAttempt() { return false; } + @Override public float timing() { return 0; } + @Override public void timing(long start) {} + @Override public String taf() {return "JUnit";} } class TryAuthenticatingTaf implements Taf { diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_PuntTafResp.java b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_PuntTafResp.java index 516f4044..aacce522 100644 --- a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_PuntTafResp.java +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_PuntTafResp.java @@ -44,7 +44,8 @@ public class JU_PuntTafResp { assertFalse(punt.isValid()); assertThat(punt.isAuthenticated(), is(RESP.TRY_ANOTHER_TAF)); - assertThat(punt.desc(), is(name + " is not processing this transaction: " + explanation)); + assertThat(punt.desc(), is("Not processing this transaction: " + explanation)); + assertThat(punt.taf(), is(name)); assertThat(punt.authenticate(), is(RESP.TRY_ANOTHER_TAF)); assertThat(punt.getPrincipal(), is(nullValue())); assertThat(punt.getAccess(), is(Access.NULL)); diff --git a/docs/sections/architecture/security.rst b/docs/sections/architecture/security.rst index 93247899..d1809935 100644 --- a/docs/sections/architecture/security.rst 
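Review bot: In the first JU_EpiTaf hunk the `-`/`+` pair for `isFailedAttempt()` carries the same code on both sides; as rendered here the difference can only be whitespace, so that line is diff noise that should be reverted rather than shipped with the functional change. The new `taf()` stubs hard-code `"JUnit"` in both stub response classes; hoisting it to `private static final String JUNIT = "JUnit";` on the enclosing test class keeps the two stubs and any future `assertThat(resp.taf(), is(JUNIT))` in step. The `timing()`/`timing(long)` stubs return zero and discard the start time, which is fine if timing plays no part in these tests, but a one-line comment such as `// timing not exercised here; stubs report zero` would stop it being read as an expected value. Both stub classes begin before the hunk.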
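Review bot: Attribution of a punt is now carried only by `taf()`, so any audit or debug log that prints `desc()` alone loses which TAF declined the request; the assertion pair in this JU_PuntTafResp hunk cannot catch that, and the consumers of `desc()` are outside this diff, so confirm the logging path emits `taf()` as well. The two assertions themselves are right for the new contract. A one-line comment above them, `// TAF name is reported via taf(), not embedded in desc()`, would document the split for the next reader. The enclosing test method starts outside the hunk.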
+++ b/docs/sections/architecture/security.rst @@ -12,7 +12,7 @@ The service side is always compute process, but the client can be of two types: * People (via browser, or perhaps command line tool) * Compute process talking to another computer process. -In larger systems, it is atypical to have just one connection, but will the call initiated by the initial actor will cause additional calls after it. Thus, we demonstrate both a client call, and a subsequent call in the following: +In larger systems, it is a typical to have just one connection, but will the call initiated by the initial actor will cause additional calls after it. Thus, we demonstrate both a client call, and a subsequent call in the following: Thus, the essential building blocks of any networked system is made up of a caller and any subsquent calls. @@ -126,7 +126,7 @@ The AAF Suite provides the following elements: The Organization ---------------- -AAF is only a tool to reflect the Organization it is setup for. AAF does not, for instance, know what IDs are acceptable to a particular company. Every Organization (or Company) will also likely have its own Certificate Authority and DNS. Most importantly, each Organzation will have a hierarchy of who is responsible for any give person or application. +AAF is only a tool to reflect the Organization it is setup for. AAF does not, for instance, know what IDs are acceptable to a particular company. Every Organization (or Company) will also likely have its own Certificate Authority and DNS. Most importantly, each Organization will have a hierarchy of who is responsible for any give person or application. * AAF's Certman connects to the Organization's CA via SCEP protocol (Others can be created as well) * AAF ties into the Organizational hierarchy. Currently, this is through a feed of IDs and relationships. 
diff --git a/docs/sections/installation/Bootstrapping-AAF-Components.rst b/docs/sections/installation/Bootstrapping-AAF-Components.rst index 2bb329d6..79b2fffc 100644 --- a/docs/sections/installation/Bootstrapping-AAF-Components.rst +++ b/docs/sections/installation/Bootstrapping-AAF-Components.rst @@ -145,7 +145,7 @@ $ cd /opt/app/osaaf/CA view README.txt for last minute info -view an/or change "subject.aaf" for your needs. This format will be used on all generated certs from the CA. +view and/or change "subject.aaf" for your needs. This format will be used on all generated certs from the CA. $ cat subject.aaf diff --git a/docs/sections/installation/client_vol.rst b/docs/sections/installation/client_vol.rst index fc33e1bb..059c1d23 100644 --- a/docs/sections/installation/client_vol.rst +++ b/docs/sections/installation/client_vol.rst @@ -62,7 +62,7 @@ Query Tag Description =================== =============== ============ CADI Version VERSION Defaults to CADI version of this AAF's FQDN AAF_FQDN PUBLIC Name for AAF. For ONAP Test, it is 'aaf-onap-test.osaaf.org' -Deployer's FQI DEPLOY_FQI deployer@people.osaaf.org. In a REAL system, this would be a person or process +Deployer's FQI DEPLOY_FQI In a REAL system, this would be a person or process. For ONAP Testing, the id is deploy@people.osaaf.org, password (see Dynamic Properties) is 'demo123456!' App's Root FQDN APP_FQDN This will show up in the Cert Subject, and should be the name given by Docker. i.e. clamp.onap App's FQI APP_FQI Fully Qualified ID given by Organization and with AAF NS/domain. ex: clamp@clamp.onap.org App's Volume VOLUME Volume to put the data, see above. ex: clamp_aaf |