diff options
15 files changed, 95 insertions, 32 deletions
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/helpers/BatchDataView.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/helpers/BatchDataView.java index d3209a02..b5d25a43 100644 --- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/helpers/BatchDataView.java +++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/helpers/BatchDataView.java @@ -20,7 +20,6 @@ */ package org.onap.aaf.auth.batch.helpers; -import java.io.IOException; import java.util.ArrayList; import java.util.List; @@ -34,7 +33,6 @@ import org.onap.aaf.auth.dao.cass.UserRoleDAO.Data; import org.onap.aaf.auth.env.AuthzTrans; import org.onap.aaf.auth.layer.Result; import org.onap.aaf.cadi.Hash; -import org.onap.aaf.misc.env.APIException; import org.onap.aaf.misc.env.TimeTaken; import org.onap.aaf.misc.env.Trans; import org.onap.aaf.misc.env.util.Chrono; diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/helpers/Visitor.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/helpers/Visitor.java index 3e7b30b2..38a76477 100644 --- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/helpers/Visitor.java +++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/helpers/Visitor.java @@ -3,7 +3,6 @@ * org.onap.aaf * =========================================================================== * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. - * Modifications Copyright (C) 2019 IBM. * =========================================================================== * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,7 +20,6 @@ package org.onap.aaf.auth.batch.helpers; -@FunctionalInterface public interface Visitor<T> { void visit(T t); diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java index ea196b1f..b2fd8a9a 100644 --- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java +++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java @@ -3,7 +3,6 @@ * org.onap.aaf * =========================================================================== * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. - * Modifications Copyright (C) 2019 IBM. * =========================================================================== * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -64,6 +63,13 @@ public class ApprovedRpt extends Batch { TimeTaken tt0 = trans.start("Cassandra Initialization", Env.SUB); try { +// TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE); +// try { +// session = cluster.connect(); +// } finally { +// tt.done(); +// } + now = new Date(); String sdate = Chrono.dateOnlyStamp(now); File file = new File(logDir(),APPR_RPT + sdate +CSV); @@ -84,6 +90,29 @@ public class ApprovedRpt extends Batch { Map<String,Boolean> checked = new TreeMap<String, Boolean>(); final AuthzTrans transNoAvg = trans.env().newTransNoAvg(); +// ResultSet results; +// Statement stmt = new SimpleStatement( "select dateof(id), approver, status, user, type, memo from authz.approved;" ); +// results = session.execute(stmt); +// Iterator<Row> iter = results.iterator(); +// Row row; + /* + * while (iter.hasNext()) { + ++totalLoaded; + row = iter.next(); + d = row.getTimestamp(0); + if(d.after(begin)) { + approvedW.row("aprvd", + Chrono.dateOnlyStamp(d), + row.getString(1), + row.getString(2), + row.getString(3), + row.getString(4), + row.getString(5) + ); + } + } + + */ int totalLoaded = 0; Date d; GregorianCalendar gc = new GregorianCalendar(); diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/NotifyCredBody.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/NotifyCredBody.java index 8eaf6a86..7001c024 100644 --- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/NotifyCredBody.java +++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/NotifyCredBody.java @@ -22,7 +22,7 @@ */ package org.onap.aaf.auth.batch.reports.bodies; - +import java.io.IOException; import java.util.GregorianCalendar; import java.util.List; diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneMonthNotifyCredBody.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneMonthNotifyCredBody.java index 417d4be4..8747ebf8 100644 --- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneMonthNotifyCredBody.java +++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneMonthNotifyCredBody.java @@ -26,7 +26,7 @@ import org.onap.aaf.auth.batch.helpers.ExpireRange; import org.onap.aaf.cadi.Access; public class OneMonthNotifyCredBody extends NotifyCredBody { - public OneMonthNotifyCredBody(Access access){ + public OneMonthNotifyCredBody(Access access) throws IOException { super(access, ExpireRange.ONE_MONTH); } diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneWeekNotifyCredBody.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneWeekNotifyCredBody.java index dae48d85..a1277d55 100644 --- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneWeekNotifyCredBody.java +++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneWeekNotifyCredBody.java @@ -26,7 +26,7 @@ import org.onap.aaf.auth.batch.helpers.ExpireRange; import org.onap.aaf.cadi.Access; public class OneWeekNotifyCredBody extends NotifyCredBody { - public OneWeekNotifyCredBody(Access access){ + public OneWeekNotifyCredBody(Access access) throws IOException { super(access, ExpireRange.ONE_WEEK); } diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index 1b20b900..c7ee5938 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java @@ -26,12 +26,13 @@ import java.nio.ByteBuffer; import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.ArrayList; -import java.util.Collections; +import java.util.Collection; import java.util.Date; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; +import java.util.TreeMap; import java.util.TreeSet; import org.onap.aaf.auth.common.Define; @@ -496,6 +497,7 @@ public class Question { Result<List<NsDAO.Data>> rld = nsDAO.read(trans, lookup); if (rld.isOKhasData()) { nsd=rld.value.get(0); + lookup = nsd.parent; if (type.type == nsd.type) { return Result.ok(nsd); } else { @@ -898,18 +900,28 @@ public class Question { } } else { Date now = new Date(); - // Bug noticed 6/22. Sorting on the result can cause Concurrency Issues. - List<CredDAO.Data> cddl; + // Bug noticed 6/22. Sorting on the result can cause Concurrency Issues. + // 9/14/2019. Use TreeSet for sorting, and using only the LAST of a Tagged entry + Collection<CredDAO.Data> cddl; if (result.value.size() > 1) { - cddl = new ArrayList<>(result.value.size()); - for (CredDAO.Data old : result.value) { - if (old.type==CredDAO.BASIC_AUTH || old.type==CredDAO.BASIC_AUTH_SHA256) { - cddl.add(old); + Map<String,CredDAO.Data> mcdd = new TreeMap<>(); + CredDAO.Data cdd; + String tag; + int pseudoTag = 0; + for (CredDAO.Data rcdd : result.value) { + if (rcdd.type==CredDAO.BASIC_AUTH || rcdd.type==CredDAO.BASIC_AUTH_SHA256) { + if(rcdd.tag==null) { + mcdd.put(Integer.toString(++pseudoTag),rcdd); + } else { + tag = rcdd.tag; + cdd = mcdd.get(tag); + if(cdd==null || cdd.expires.before(rcdd.expires)) { + mcdd.put(tag,rcdd); + } + } } } - if (cddl.size()>1) { - Collections.sort(cddl, (a, b) -> b.expires.compareTo(a.expires)); - } + cddl = mcdd.values(); } else { cddl = result.value; } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index 4788ee45..aa145f1c 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java @@ -367,7 +367,7 @@ public class CMService { for(Iterator<? extends Certificate> iter = certs.iterator(); iter.hasNext();) { X509Certificate x509 = (X509Certificate)iter.next(); if(x509.getNotAfter().after(now) && x509.getSubjectDN().getName().contains(cn)) { - if(++count>MAX_X509s) { + if(++count>max_509s) { break; } } diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransFilter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransFilter.java index e4420ab1..bd9f8875 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransFilter.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransFilter.java @@ -167,6 +167,8 @@ public class AuthzTransFilter extends TransFilter<AuthzTrans> { // } sb.append(",ms="); sb.append(m.total); + sb.append(",status="); + sb.append(trans.hresp().getStatus()); sb.append(",meth="); sb.append(trans.meth()); sb.append(",path="); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java index f7c38681..fbc1baa2 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java @@ -143,14 +143,16 @@ public class API_Creds { AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - + // will be a valid Entity. Do we need to add permission + //if(trans.fish("ns","password","request")) or the like Result<Date> r = context.doesCredentialMatch(trans, req, resp); if (r.isOK()) { resp.setStatus(HttpStatus.OK_200); } else { // For Security, we don't give any info out on why failed, other than forbidden // Can't do "401", because that is on the call itself - resp.setStatus(HttpStatus.FORBIDDEN_403); + // 403 Implies you MAY NOT Ask. + resp.setStatus(HttpStatus.NOT_ACCEPTABLE_406); } } }); diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java index ec0875c1..216468c2 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java @@ -29,9 +29,10 @@ import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.User; import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.aaf.cadi.client.Future; -import org.onap.aaf.cadi.client.Rcli; import org.onap.aaf.cadi.lur.ConfigPrincipal; +import aaf.v2_0.CredRequest; + public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> { private AAFCon<CLIENT> con; private String realm; @@ -139,12 +140,16 @@ public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> { try { Miss missed = missed(getName(),getCred()); if (missed==null || missed.mayContinue()) { - Rcli<CLIENT> client = con.client().forUser(con.basicAuth(getName(), new String(getCred()))); - Future<String> fp = client.read( - "/authn/basicAuth", - "text/plain" - ); - if (fp.get(con.timeout)) { + CredRequest cr = new CredRequest(); + cr.setId(getName()); + cr.setPassword(new String(getCred())); + Future<String> fp = con.client().readPost("/authn/validate", con.credReqDF, cr); + //Rcli<CLIENT> client = con.client().forUser(con.basicAuth(getName(), new String(getCred()))); + //Future<String> fp = client.read( + // "/authn/basicAuth", + // "text/plain" + // ); + if (fp.get(con.timeout)) { expires = System.currentTimeMillis() + timeToLive; addUser(new User<AAFPermission>(this, expires)); return Resp.REVALIDATED; diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java index 40684057..3b97883b 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java @@ -28,6 +28,7 @@ import java.util.concurrent.ConcurrentHashMap; import org.onap.aaf.cadi.AbsUserCache; import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.CadiWrap; import org.onap.aaf.cadi.Connector; @@ -36,7 +37,6 @@ import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.Lur; import org.onap.aaf.cadi.PropAccess; import org.onap.aaf.cadi.SecuritySetter; -import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.aaf.cadi.aaf.marshal.CertsMarshal; import org.onap.aaf.cadi.client.Future; @@ -56,6 +56,7 @@ import org.onap.aaf.misc.rosetta.env.RosettaDF; import org.onap.aaf.misc.rosetta.env.RosettaEnv; import aaf.v2_0.Certs; +import aaf.v2_0.CredRequest; import aaf.v2_0.Error; import aaf.v2_0.Perms; import aaf.v2_0.Users; @@ -69,6 +70,7 @@ public abstract class AAFCon<CLIENT> implements Connector { final public RosettaDF<Perms> permsDF; final public RosettaDF<Certs> certsDF; final public RosettaDF<Users> usersDF; + final public RosettaDF<CredRequest> credReqDF; final public RosettaDF<Error> errDF; private String realm; public final String app; @@ -90,6 +92,7 @@ public abstract class AAFCon<CLIENT> implements Connector { permsDF = copy.permsDF; certsDF = copy.certsDF; usersDF = copy.usersDF; + credReqDF = copy.credReqDF; errDF = copy.errDF; app = copy.app; si = copy.si; @@ -186,6 +189,7 @@ public abstract class AAFCon<CLIENT> implements Connector { usersDF = env.newDataFactory(Users.class); certsDF = env.newDataFactory(Certs.class); certsDF.rootMarshal(new CertsMarshal()); // Speedier Marshaling + credReqDF = env.newDataFactory(CredRequest.class); errDF = env.newDataFactory(Error.class); } catch (APIException e) { throw new CadiException("AAFCon cannot be configured",e); diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java index 5ef25bcd..a654e6f6 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java @@ -236,7 +236,10 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI> @Override public Item best() throws LocatorException { if (!hasItems()) { - throw new LocatorException("No Entries found for '" + aaf_locator_uri.toString() + '/' + name + ':' + version + '\''); + throw new LocatorException(String.format("No Entries found for '%s/%s:%s'", + (aaf_locator_uri==null?aaf_locator_host:aaf_locator_uri.toString()), + name, + version)); } List<EP> lep = new ArrayList<>(); EP first = null; diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/User.java b/cadi/core/src/main/java/org/onap/aaf/cadi/User.java index 4848e504..cb3b4e8f 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/User.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/User.java @@ -40,7 +40,7 @@ public final class User<PERM extends Permission> { public String name; private byte[] cred; public Principal principal; - Map<String, Permission> perms ; + Map<String, Permission> perms; long permExpires; private final long interval; int count; diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/CSV.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/CSV.java index fbaa4a5a..2c9bb8c4 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/util/CSV.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/CSV.java @@ -45,17 +45,20 @@ public class CSV { private Access access; private boolean processAll; private char delimiter = ','; + private boolean go; public CSV(Access access, File file) { this.access = access; csv = file; processAll = false; + go = true; } public CSV(Access access, String csvFilename) { this.access = access; csv = new File(csvFilename); processAll = false; + go = true; } public CSV setDelimiter(char delimiter) { @@ -88,7 +91,7 @@ public class CSV { try { String line; StringBuilder sb = new StringBuilder(); - while((line = br.readLine())!=null) { + while(go && (line = br.readLine())!=null) { line=line.trim(); if(!line.startsWith("#") && line.length()>0) { // System.out.println(line); uncomment to debug @@ -268,6 +271,13 @@ public class CSV { return csv.getAbsolutePath(); } } + + /** + * Provides a way to stop processing records from inside a Visit + */ + public void stop() { + go = false; + } public void delete() { csv.delete(); |