summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.gitignore1
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java2
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java2
-rw-r--r--auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java4
-rw-r--r--auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java2
-rw-r--r--auth/sample/local/org.osaaf.aaf.p12bin3920 -> 4140 bytes
-rw-r--r--auth/sample/local/org.osaaf.aaf.props4
-rw-r--r--cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/cert/test/JU_AAFListedCertIdentity.java178
-rw-r--r--cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java4
-rw-r--r--conf/CA/manual.sh36
-rw-r--r--conf/CA/san.conf15
-rw-r--r--misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java2
-rw-r--r--misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java2
-rw-r--r--misc/rosetta/src/test/java/org/onap/aaf/misc/rosetta/test/JU_JSON.java4
14 files changed, 238 insertions, 18 deletions
diff --git a/.gitignore b/.gitignore
index f0ac2df4..5ca6890c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
/target/
/temp/
.metadata/
+/cadisample/
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
index 24416c92..46a6393a 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
@@ -33,7 +33,7 @@ import org.onap.aaf.cadi.cm.Factory;
* Have to put the Cert and resulting Trust Chain together.
* Treating them separately has caused issues
*
- * @author jg1555
+ * @author JonathanGathman
*
*/
public class X509andChain {
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java
index 4fdac6a6..7f4590f3 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java
@@ -48,7 +48,7 @@ import org.onap.aaf.misc.env.Trans;
* Additional Factory mechanisms for CSRs, and BouncyCastle. The main Factory
* utilizes only Java abstractions, and is useful in Client code.
*
- * @author jg1555
+ * @author JonathanGathman
*
*/
public class BCFactory extends Factory {
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java
index 3faa5bbf..7d3f25ca 100644
--- a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java
@@ -120,8 +120,8 @@ public class CertmanTest {
// @Override
// public Void code(Rcli<?> client) throws APIException, CadiException {
// CertificateRequest cr = new CertificateRequest();
-// cr.setMechid("m12345@aaf.att.com");
-// cr.setSponsor("jg1555");
+// cr.setMechid("a12345@org.osaaf.org");
+// cr.setSponsor("something");
// cr.getFqdns().add("mithrilcsp.sbc.com");
// cr.getFqdns().add("zld01907.vci.att.com");
// cr.getFqdns().add("aaftest.test.att.com");
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
index 896cbb30..7f41650d 100644
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
@@ -228,7 +228,7 @@ public abstract class Cmd {
} else if(desc.startsWith("{")) {
StringReader sr = new StringReader(desc);
try {
- // Note: 11-18-2013, JG1555. This rather convoluted Message Structure required by TSS Restful Specs, reflecting "Northbound" practices.
+ // Note: 11-18-2013, JonathanGathman. This rather convoluted Message Structure required by TSS Restful Specs, reflecting "Northbound" practices.
Error err = getDF(Error.class).newData().in(TYPE.JSON).load(sr).asObject();
sb.append(" [");
sb.append(err.getMessageId());
diff --git a/auth/sample/local/org.osaaf.aaf.p12 b/auth/sample/local/org.osaaf.aaf.p12
index e4d33924..f40a7556 100644
--- a/auth/sample/local/org.osaaf.aaf.p12
+++ b/auth/sample/local/org.osaaf.aaf.p12
Binary files differ
diff --git a/auth/sample/local/org.osaaf.aaf.props b/auth/sample/local/org.osaaf.aaf.props
index f5970b01..975f80cc 100644
--- a/auth/sample/local/org.osaaf.aaf.props
+++ b/auth/sample/local/org.osaaf.aaf.props
@@ -10,8 +10,8 @@ aaf_env=DEV
cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US
cadi_keyfile=/opt/app/osaaf/local/org.osaaf.aaf.keyfile
cadi_keystore=/opt/app/osaaf/local/org.osaaf.aaf.p12
-cadi_keystore_password=enc:4L1xY_7mYTuk57SPWZetza5WlgBUYBe8pbT1-AWKO1-5PAbSTynQEc5TU7ZeomfN
+cadi_keystore_password=enc:3O7HDzEzdYatFYb83-jV69MNzN8qIW975SS70qCs7xri0b1n4r5viHo1lrM6K8om
#cadi_key_password=enc:<KEY PASSWORD (optional if the same as KEYSTORE PASSWORD)>
-cadi_alias=aaf@aaf.osaaf.org
+cadi_alias=aaf-authz@aaf.osaaf.org
cadi_truststore=/opt/app/osaaf/local/org.osaaf.aaf.trust.p12
cadi_truststore_password=enc:5nzj6v3Rb0oZPV1zCxg8EJFfkFvWFGJflLB0i_FN0Np
diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/cert/test/JU_AAFListedCertIdentity.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/cert/test/JU_AAFListedCertIdentity.java
new file mode 100644
index 00000000..3698b36a
--- /dev/null
+++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/cert/test/JU_AAFListedCertIdentity.java
@@ -0,0 +1,178 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.cadi.aaf.cert.test;
+
+import static org.mockito.Mockito.*;
+import static org.hamcrest.CoreMatchers.*;
+import static org.junit.Assert.*;
+
+import org.junit.*;
+import org.mockito.*;
+
+import java.io.ByteArrayOutputStream;
+import java.io.PrintStream;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
+import java.net.HttpURLConnection;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.cert.AAFListedCertIdentity;
+import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+
+import aaf.v2_0.Certs;
+import aaf.v2_0.Certs.Cert;
+import aaf.v2_0.Users;
+import aaf.v2_0.Users.User;
+
+public class JU_AAFListedCertIdentity {
+
+ @Mock private AAFCon<?> conMock;
+ @Mock private Rcli<Object> rcliMock;
+ @Mock private RosettaDF<Users> userDFMock;
+ @Mock private RosettaDF<Certs> certDFMock;
+ @Mock private Future<Users> futureUsersMock;
+ @Mock private Future<Certs> futureCertsMock;
+
+ @Mock private Users usersMock;
+ @Mock private User userMock1;
+ @Mock private User userMock2;
+ @Mock private User userMock3;
+
+ @Mock private Certs certsMock;
+ @Mock private Cert certMock1;
+ @Mock private Cert certMock2;
+ @Mock private Cert certMock3;
+
+ @Mock private HttpServletRequest reqMock;
+ @Mock private X509Certificate x509Mock;
+
+ private List<User> usersList;
+ private List<Cert> certsList;
+
+ private PropAccess access;
+
+ private ByteArrayOutputStream outStream;
+
+ private static final String USERS = "user1,user2,user3";
+ private static final String ID = "id";
+ private static final String FINGERPRINT = "fingerprint";
+
+ private static final byte[] certBytes = "certificate".getBytes();
+
+ @Before
+ public void setup() throws IllegalArgumentException, IllegalAccessException, NoSuchFieldException, SecurityException {
+ MockitoAnnotations.initMocks(this);
+
+ certsList = new ArrayList<>();
+ certsList.add(certMock1);
+ certsList.add(certMock2);
+ certsList.add(certMock3);
+
+ usersList = new ArrayList<>();
+ usersList.add(userMock1);
+ usersList.add(userMock2);
+ usersList.add(userMock3);
+
+ outStream = new ByteArrayOutputStream();
+ access = new PropAccess(new PrintStream(outStream), new String[0]);
+ outStream.reset();
+ access.setProperty(Config.AAF_CERT_IDS, USERS);
+ setFinal(conMock, conMock.getClass().getField("usersDF"), userDFMock);
+ setFinal(conMock, conMock.getClass().getField("certsDF"), certDFMock);
+ setFinal(conMock, conMock.getClass().getField("access"), access);
+ }
+
+ @Test
+ public void test() throws APIException, CadiException, CertificateException {
+ doReturn(rcliMock).when(conMock).client(Config.AAF_DEFAULT_VERSION);
+ when(rcliMock.read("/authz/users/perm/com.att.aaf.trust/tguard/authenticate", Users.class, userDFMock)).thenReturn(futureUsersMock);
+ when(rcliMock.read("/authz/users/perm/com.att.aaf.trust/basicAuth/authenticate", Users.class, userDFMock)).thenReturn(futureUsersMock);
+ when(rcliMock.read("/authz/users/perm/com.att.aaf.trust/csp/authenticate", Users.class, userDFMock)).thenReturn(futureUsersMock);
+
+ when(futureUsersMock.get(5000)).thenReturn(true);
+ futureUsersMock.value = usersMock;
+ when(usersMock.getUser()).thenReturn(usersList);
+
+ when(rcliMock.read("/authn/cert/id/user1", Certs.class, conMock.certsDF)).thenReturn(futureCertsMock);
+ when(rcliMock.read("/authn/cert/id/user2", Certs.class, conMock.certsDF)).thenReturn(futureCertsMock);
+ when(rcliMock.read("/authn/cert/id/user3", Certs.class, conMock.certsDF)).thenReturn(futureCertsMock);
+
+ when(futureCertsMock.get(5000)).thenReturn(true);
+ futureCertsMock.value = certsMock;
+ when(certsMock.getCert()).thenReturn(certsList);
+
+ when(userMock1.getId()).thenReturn("user1");
+ when(userMock2.getId()).thenReturn("user2");
+ when(userMock3.getId()).thenReturn("user3");
+
+ prepareCert(certMock1);
+ prepareCert(certMock2);
+ prepareCert(certMock3);
+
+ AAFListedCertIdentity certID = new AAFListedCertIdentity(access, conMock);
+
+ when(x509Mock.getEncoded()).thenReturn(certBytes);
+ certID.identity(reqMock, null, null);
+ certID.identity(reqMock, null, certBytes);
+ certID.identity(reqMock, x509Mock, null);
+ certID.identity(reqMock, x509Mock, certBytes);
+
+ Set<String> hashSetOfUsers = AAFListedCertIdentity.trusted("basicAuth");
+ assertThat(hashSetOfUsers.contains("user1"), is(true));
+ assertThat(hashSetOfUsers.contains("user2"), is(true));
+ assertThat(hashSetOfUsers.contains("user3"), is(true));
+
+ }
+
+ private void setFinal(Object object, Field field, Object newValue) throws IllegalArgumentException, IllegalAccessException, NoSuchFieldException, SecurityException {
+ field.setAccessible(true);
+
+ Field modifiersField = Field.class.getDeclaredField("modifiers");
+ modifiersField.setAccessible(true);
+ modifiersField.setInt(field, field.getModifiers() & Modifier.FINAL);
+
+ field.set(object, newValue);
+ }
+
+ private void prepareCert(Cert cert) {
+ Date date = new Date();
+ when(cert.getExpires()).thenReturn(Chrono.timeStamp(new Date(date.getTime() + (60 * 60 * 24))));
+ when(cert.getId()).thenReturn(ID);
+ when(cert.getFingerprint()).thenReturn(FINGERPRINT.getBytes());
+ }
+
+}
diff --git a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java
index 90935900..bfdc6bf1 100644
--- a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java
+++ b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java
@@ -31,9 +31,9 @@ import org.onap.aaf.cadi.Access;
import org.onap.aaf.cadi.Access.Level;
/**
- * We treate "roles" and "permissions" in a similar way for first pass.
+ * We treat "roles" and "permissions" in a similar way for first pass.
*
- * @author jg1555
+ * @author JonathanGathman
*
*/
public class AAFAuthorizationInfo implements AuthorizationInfo {
diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
index 7b75fbc9..00a23ec8 100644
--- a/conf/CA/manual.sh
+++ b/conf/CA/manual.sh
@@ -13,10 +13,30 @@ else
FQDN=$1
NAME=$FQDN
shift
+
+ echo "Enter any SANS, delimited by spaces: "
+ read SANS
+fi
+
+# Do SANs
+if [ "$SANS" = "" ]; then
+ echo no SANS
+ if [ -e $NAME.san ]; then
+ rm $NAME.san
+ fi
+ else
+ echo some SANS
+ cp ../san.conf $NAME.san
+ NUM=1
+ for D in $SANS; do
+ echo "DNS.$NUM = $D" >> $NAME.san
+ NUM=$((NUM+1))
+ done
fi
+
echo $SUBJECT
-if [ -e $FQI.csr ]; then
+if [ -e $NAME.csr ]; then
SIGN_IT=true
else
if [ "$1" = "-local" ]; then
@@ -46,13 +66,19 @@ fi
if [ "$SIGN_IT" = "true" ]; then
# Sign it
- openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+ if [ -e $NAME.san ]; then
+ openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
-cert certs/ca.crt -keyfile private/ca.key \
-policy policy_loose \
-days 360 \
+ -extfile $NAME.san \
-infiles $NAME.csr
+ else
+ openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \
+ -cert certs/ca.crt -keyfile private/ca.key \
+ -policy policy_loose \
+ -days 360 \
+ -infiles $NAME.csr
+ fi
fi
-
-
-
diff --git a/conf/CA/san.conf b/conf/CA/san.conf
new file mode 100644
index 00000000..de9f62f9
--- /dev/null
+++ b/conf/CA/san.conf
@@ -0,0 +1,15 @@
+# SAN Extension
+# Copy, then add DNS.1 = name, etc
+#
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server, client
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[ alt_names ]
diff --git a/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java b/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java
index cca3e68c..127eb154 100644
--- a/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java
+++ b/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java
@@ -25,7 +25,7 @@
* Created on: Apr 10, 2009
* Created by: Jonathan
*
- * Revamped to do away with ThreadLocal 5/27/2011, JG1555
+ * Revamped to do away with ThreadLocal 5/27/2011, JonathanGathman
*
* (c) 2009 SBC Knowledge Ventures, L.P. All rights reserved.
*******************************************************************
diff --git a/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java b/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java
index 94e9ba80..74072aaf 100644
--- a/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java
+++ b/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java
@@ -25,7 +25,7 @@
* Created on: Apr 10, 2009
* Created by: Jonathan
*
- * Revamped to do away with ThreadLocal 5/27/2011, JG1555
+ * Revamped to do away with ThreadLocal 5/27/2011, JonathanGathman
*
* (c) 2009 SBC Knowledge Ventures, L.P. All rights reserved.
*******************************************************************
diff --git a/misc/rosetta/src/test/java/org/onap/aaf/misc/rosetta/test/JU_JSON.java b/misc/rosetta/src/test/java/org/onap/aaf/misc/rosetta/test/JU_JSON.java
index 2a48edc4..080fc973 100644
--- a/misc/rosetta/src/test/java/org/onap/aaf/misc/rosetta/test/JU_JSON.java
+++ b/misc/rosetta/src/test/java/org/onap/aaf/misc/rosetta/test/JU_JSON.java
@@ -58,9 +58,9 @@ public class JU_JSON {
go(jin, jout, "{\"id\":\"Me,[}[eg[)(:x,\\\" Myself\",\"date\":1353094689100}");
// TODO: Clean out AT&T specific data
- go(jin,jout, "{\"userid\":\"jg1555\",\"timestamp\":1353097388531,\"item\":[{\"tag\":\"color\",\"value\":\"Mauve\"},{\"tag\":\"shirtsize\",\"value\":\"Xtra Large\"}]}");
+ go(jin,jout, "{\"userid\":\"xk3233\",\"timestamp\":1353097388531,\"item\":[{\"tag\":\"color\",\"value\":\"Mauve\"},{\"tag\":\"shirtsize\",\"value\":\"Xtra Large\"}]}");
//go()
- //"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><vote xmlns=\"urn:poll.att.com\"><userid>jg1555</userid><timestamp>1353082669667</timestamp></vote>");
+ //"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><vote xmlns=\"urn:poll.att.com\"><userid>xk3233</userid><timestamp>1353082669667</timestamp></vote>");
// 3/11/2015 Jonathan found a case with missing comma
go(jin,jout, "{\"start\":\"2015-03-11T18:18:05.580-05:00\",\"end\":\"2015-09-11-05:00\",\"force\":\"false\",\"perm\":{\"type\":\"org.osaaf.myns.mytype\",\"instance\":\"myInstance\",\"action\":\"myAction\"}"