diff options
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java | 2 | ||||
-rw-r--r-- | auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java | 2 | ||||
-rw-r--r-- | auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java | 4 | ||||
-rw-r--r-- | auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java | 2 | ||||
-rw-r--r-- | auth/sample/local/org.osaaf.aaf.p12 | bin | 3920 -> 4140 bytes | |||
-rw-r--r-- | auth/sample/local/org.osaaf.aaf.props | 4 | ||||
-rw-r--r-- | cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/cert/test/JU_AAFListedCertIdentity.java | 178 | ||||
-rw-r--r-- | cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java | 4 | ||||
-rw-r--r-- | conf/CA/manual.sh | 36 | ||||
-rw-r--r-- | conf/CA/san.conf | 15 | ||||
-rw-r--r-- | misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java | 2 | ||||
-rw-r--r-- | misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java | 2 | ||||
-rw-r--r-- | misc/rosetta/src/test/java/org/onap/aaf/misc/rosetta/test/JU_JSON.java | 4 |
14 files changed, 238 insertions, 18 deletions
@@ -3,3 +3,4 @@ /target/ /temp/ .metadata/ +/cadisample/ diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java index 24416c92..46a6393a 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java @@ -33,7 +33,7 @@ import org.onap.aaf.cadi.cm.Factory; * Have to put the Cert and resulting Trust Chain together. * Treating them separately has caused issues * - * @author jg1555 + * @author JonathanGathman * */ public class X509andChain { diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java index 4fdac6a6..7f4590f3 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java @@ -48,7 +48,7 @@ import org.onap.aaf.misc.env.Trans; * Additional Factory mechanisms for CSRs, and BouncyCastle. The main Factory * utilizes only Java abstractions, and is useful in Client code. * - * @author jg1555 + * @author JonathanGathman * */ public class BCFactory extends Factory { diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java index 3faa5bbf..7d3f25ca 100644 --- a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java +++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java @@ -120,8 +120,8 @@ public class CertmanTest { // @Override // public Void code(Rcli<?> client) throws APIException, CadiException { // CertificateRequest cr = new CertificateRequest(); -// cr.setMechid("m12345@aaf.att.com"); -// cr.setSponsor("jg1555"); +// cr.setMechid("a12345@org.osaaf.org"); +// cr.setSponsor("something"); // cr.getFqdns().add("mithrilcsp.sbc.com"); // cr.getFqdns().add("zld01907.vci.att.com"); // cr.getFqdns().add("aaftest.test.att.com"); diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java index 896cbb30..7f41650d 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java @@ -228,7 +228,7 @@ public abstract class Cmd { } else if(desc.startsWith("{")) { StringReader sr = new StringReader(desc); try { - // Note: 11-18-2013, JG1555. This rather convoluted Message Structure required by TSS Restful Specs, reflecting "Northbound" practices. + // Note: 11-18-2013, JonathanGathman. This rather convoluted Message Structure required by TSS Restful Specs, reflecting "Northbound" practices. Error err = getDF(Error.class).newData().in(TYPE.JSON).load(sr).asObject(); sb.append(" ["); sb.append(err.getMessageId()); diff --git a/auth/sample/local/org.osaaf.aaf.p12 b/auth/sample/local/org.osaaf.aaf.p12 Binary files differindex e4d33924..f40a7556 100644 --- a/auth/sample/local/org.osaaf.aaf.p12 +++ b/auth/sample/local/org.osaaf.aaf.p12 diff --git a/auth/sample/local/org.osaaf.aaf.props b/auth/sample/local/org.osaaf.aaf.props index f5970b01..975f80cc 100644 --- a/auth/sample/local/org.osaaf.aaf.props +++ b/auth/sample/local/org.osaaf.aaf.props @@ -10,8 +10,8 @@ aaf_env=DEV cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US cadi_keyfile=/opt/app/osaaf/local/org.osaaf.aaf.keyfile cadi_keystore=/opt/app/osaaf/local/org.osaaf.aaf.p12 -cadi_keystore_password=enc:4L1xY_7mYTuk57SPWZetza5WlgBUYBe8pbT1-AWKO1-5PAbSTynQEc5TU7ZeomfN +cadi_keystore_password=enc:3O7HDzEzdYatFYb83-jV69MNzN8qIW975SS70qCs7xri0b1n4r5viHo1lrM6K8om #cadi_key_password=enc:<KEY PASSWORD (optional if the same as KEYSTORE PASSWORD)> -cadi_alias=aaf@aaf.osaaf.org +cadi_alias=aaf-authz@aaf.osaaf.org cadi_truststore=/opt/app/osaaf/local/org.osaaf.aaf.trust.p12 cadi_truststore_password=enc:5nzj6v3Rb0oZPV1zCxg8EJFfkFvWFGJflLB0i_FN0Np diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/cert/test/JU_AAFListedCertIdentity.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/cert/test/JU_AAFListedCertIdentity.java new file mode 100644 index 00000000..3698b36a --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/cert/test/JU_AAFListedCertIdentity.java @@ -0,0 +1,178 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.cert.test; + +import static org.mockito.Mockito.*; +import static org.hamcrest.CoreMatchers.*; +import static org.junit.Assert.*; + +import org.junit.*; +import org.mockito.*; + +import java.io.ByteArrayOutputStream; +import java.io.PrintStream; +import java.lang.reflect.Field; +import java.lang.reflect.Modifier; +import java.net.HttpURLConnection; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Date; +import java.util.List; +import java.util.Set; + +import javax.servlet.http.HttpServletRequest; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.aaf.cert.AAFListedCertIdentity; +import org.onap.aaf.cadi.aaf.v2_0.AAFCon; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Chrono; +import org.onap.aaf.misc.rosetta.env.RosettaDF; + +import aaf.v2_0.Certs; +import aaf.v2_0.Certs.Cert; +import aaf.v2_0.Users; +import aaf.v2_0.Users.User; + +public class JU_AAFListedCertIdentity { + + @Mock private AAFCon<?> conMock; + @Mock private Rcli<Object> rcliMock; + @Mock private RosettaDF<Users> userDFMock; + @Mock private RosettaDF<Certs> certDFMock; + @Mock private Future<Users> futureUsersMock; + @Mock private Future<Certs> futureCertsMock; + + @Mock private Users usersMock; + @Mock private User userMock1; + @Mock private User userMock2; + @Mock private User userMock3; + + @Mock private Certs certsMock; + @Mock private Cert certMock1; + @Mock private Cert certMock2; + @Mock private Cert certMock3; + + @Mock private HttpServletRequest reqMock; + @Mock private X509Certificate x509Mock; + + private List<User> usersList; + private List<Cert> certsList; + + private PropAccess access; + + private ByteArrayOutputStream outStream; + + private static final String USERS = "user1,user2,user3"; + private static final String ID = "id"; + private static final String FINGERPRINT = "fingerprint"; + + private static final byte[] certBytes = "certificate".getBytes(); + + @Before + public void setup() throws IllegalArgumentException, IllegalAccessException, NoSuchFieldException, SecurityException { + MockitoAnnotations.initMocks(this); + + certsList = new ArrayList<>(); + certsList.add(certMock1); + certsList.add(certMock2); + certsList.add(certMock3); + + usersList = new ArrayList<>(); + usersList.add(userMock1); + usersList.add(userMock2); + usersList.add(userMock3); + + outStream = new ByteArrayOutputStream(); + access = new PropAccess(new PrintStream(outStream), new String[0]); + outStream.reset(); + access.setProperty(Config.AAF_CERT_IDS, USERS); + setFinal(conMock, conMock.getClass().getField("usersDF"), userDFMock); + setFinal(conMock, conMock.getClass().getField("certsDF"), certDFMock); + setFinal(conMock, conMock.getClass().getField("access"), access); + } + + @Test + public void test() throws APIException, CadiException, CertificateException { + doReturn(rcliMock).when(conMock).client(Config.AAF_DEFAULT_VERSION); + when(rcliMock.read("/authz/users/perm/com.att.aaf.trust/tguard/authenticate", Users.class, userDFMock)).thenReturn(futureUsersMock); + when(rcliMock.read("/authz/users/perm/com.att.aaf.trust/basicAuth/authenticate", Users.class, userDFMock)).thenReturn(futureUsersMock); + when(rcliMock.read("/authz/users/perm/com.att.aaf.trust/csp/authenticate", Users.class, userDFMock)).thenReturn(futureUsersMock); + + when(futureUsersMock.get(5000)).thenReturn(true); + futureUsersMock.value = usersMock; + when(usersMock.getUser()).thenReturn(usersList); + + when(rcliMock.read("/authn/cert/id/user1", Certs.class, conMock.certsDF)).thenReturn(futureCertsMock); + when(rcliMock.read("/authn/cert/id/user2", Certs.class, conMock.certsDF)).thenReturn(futureCertsMock); + when(rcliMock.read("/authn/cert/id/user3", Certs.class, conMock.certsDF)).thenReturn(futureCertsMock); + + when(futureCertsMock.get(5000)).thenReturn(true); + futureCertsMock.value = certsMock; + when(certsMock.getCert()).thenReturn(certsList); + + when(userMock1.getId()).thenReturn("user1"); + when(userMock2.getId()).thenReturn("user2"); + when(userMock3.getId()).thenReturn("user3"); + + prepareCert(certMock1); + prepareCert(certMock2); + prepareCert(certMock3); + + AAFListedCertIdentity certID = new AAFListedCertIdentity(access, conMock); + + when(x509Mock.getEncoded()).thenReturn(certBytes); + certID.identity(reqMock, null, null); + certID.identity(reqMock, null, certBytes); + certID.identity(reqMock, x509Mock, null); + certID.identity(reqMock, x509Mock, certBytes); + + Set<String> hashSetOfUsers = AAFListedCertIdentity.trusted("basicAuth"); + assertThat(hashSetOfUsers.contains("user1"), is(true)); + assertThat(hashSetOfUsers.contains("user2"), is(true)); + assertThat(hashSetOfUsers.contains("user3"), is(true)); + + } + + private void setFinal(Object object, Field field, Object newValue) throws IllegalArgumentException, IllegalAccessException, NoSuchFieldException, SecurityException { + field.setAccessible(true); + + Field modifiersField = Field.class.getDeclaredField("modifiers"); + modifiersField.setAccessible(true); + modifiersField.setInt(field, field.getModifiers() & Modifier.FINAL); + + field.set(object, newValue); + } + + private void prepareCert(Cert cert) { + Date date = new Date(); + when(cert.getExpires()).thenReturn(Chrono.timeStamp(new Date(date.getTime() + (60 * 60 * 24)))); + when(cert.getId()).thenReturn(ID); + when(cert.getFingerprint()).thenReturn(FINGERPRINT.getBytes()); + } + +} diff --git a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java index 90935900..bfdc6bf1 100644 --- a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java +++ b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java @@ -31,9 +31,9 @@ import org.onap.aaf.cadi.Access; import org.onap.aaf.cadi.Access.Level; /** - * We treate "roles" and "permissions" in a similar way for first pass. + * We treat "roles" and "permissions" in a similar way for first pass. * - * @author jg1555 + * @author JonathanGathman * */ public class AAFAuthorizationInfo implements AuthorizationInfo { diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh index 7b75fbc9..00a23ec8 100644 --- a/conf/CA/manual.sh +++ b/conf/CA/manual.sh @@ -13,10 +13,30 @@ else FQDN=$1 NAME=$FQDN shift + + echo "Enter any SANS, delimited by spaces: " + read SANS +fi + +# Do SANs +if [ "$SANS" = "" ]; then + echo no SANS + if [ -e $NAME.san ]; then + rm $NAME.san + fi + else + echo some SANS + cp ../san.conf $NAME.san + NUM=1 + for D in $SANS; do + echo "DNS.$NUM = $D" >> $NAME.san + NUM=$((NUM+1)) + done fi + echo $SUBJECT -if [ -e $FQI.csr ]; then +if [ -e $NAME.csr ]; then SIGN_IT=true else if [ "$1" = "-local" ]; then @@ -46,13 +66,19 @@ fi if [ "$SIGN_IT" = "true" ]; then # Sign it - openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \ + if [ -e $NAME.san ]; then + openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \ -cert certs/ca.crt -keyfile private/ca.key \ -policy policy_loose \ -days 360 \ + -extfile $NAME.san \ -infiles $NAME.csr + else + openssl ca -config ../openssl.conf -extensions server_cert -out $NAME.crt \ + -cert certs/ca.crt -keyfile private/ca.key \ + -policy policy_loose \ + -days 360 \ + -infiles $NAME.csr + fi fi - - - diff --git a/conf/CA/san.conf b/conf/CA/san.conf new file mode 100644 index 00000000..de9f62f9 --- /dev/null +++ b/conf/CA/san.conf @@ -0,0 +1,15 @@ +# SAN Extension +# Copy, then add DNS.1 = name, etc +# +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server, client +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation +extendedKeyUsage = serverAuth, clientAuth +subjectAltName = @alt_names + +[ alt_names ] diff --git a/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java b/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java index cca3e68c..127eb154 100644 --- a/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java +++ b/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java @@ -25,7 +25,7 @@ * Created on: Apr 10, 2009
* Created by: Jonathan
*
- * Revamped to do away with ThreadLocal 5/27/2011, JG1555
+ * Revamped to do away with ThreadLocal 5/27/2011, JonathanGathman
*
* (c) 2009 SBC Knowledge Ventures, L.P. All rights reserved.
*******************************************************************
diff --git a/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java b/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java index 94e9ba80..74072aaf 100644 --- a/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java +++ b/misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java @@ -25,7 +25,7 @@ * Created on: Apr 10, 2009
* Created by: Jonathan
*
- * Revamped to do away with ThreadLocal 5/27/2011, JG1555
+ * Revamped to do away with ThreadLocal 5/27/2011, JonathanGathman
*
* (c) 2009 SBC Knowledge Ventures, L.P. All rights reserved.
*******************************************************************
diff --git a/misc/rosetta/src/test/java/org/onap/aaf/misc/rosetta/test/JU_JSON.java b/misc/rosetta/src/test/java/org/onap/aaf/misc/rosetta/test/JU_JSON.java index 2a48edc4..080fc973 100644 --- a/misc/rosetta/src/test/java/org/onap/aaf/misc/rosetta/test/JU_JSON.java +++ b/misc/rosetta/src/test/java/org/onap/aaf/misc/rosetta/test/JU_JSON.java @@ -58,9 +58,9 @@ public class JU_JSON { go(jin, jout, "{\"id\":\"Me,[}[eg[)(:x,\\\" Myself\",\"date\":1353094689100}"); // TODO: Clean out AT&T specific data - go(jin,jout, "{\"userid\":\"jg1555\",\"timestamp\":1353097388531,\"item\":[{\"tag\":\"color\",\"value\":\"Mauve\"},{\"tag\":\"shirtsize\",\"value\":\"Xtra Large\"}]}"); + go(jin,jout, "{\"userid\":\"xk3233\",\"timestamp\":1353097388531,\"item\":[{\"tag\":\"color\",\"value\":\"Mauve\"},{\"tag\":\"shirtsize\",\"value\":\"Xtra Large\"}]}"); //go() - //"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><vote xmlns=\"urn:poll.att.com\"><userid>jg1555</userid><timestamp>1353082669667</timestamp></vote>"); + //"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><vote xmlns=\"urn:poll.att.com\"><userid>xk3233</userid><timestamp>1353082669667</timestamp></vote>"); // 3/11/2015 Jonathan found a case with missing comma go(jin,jout, "{\"start\":\"2015-03-11T18:18:05.580-05:00\",\"end\":\"2015-09-11-05:00\",\"force\":\"false\",\"perm\":{\"type\":\"org.osaaf.myns.mytype\",\"instance\":\"myInstance\",\"action\":\"myAction\"}" |