7 files changed, 115 insertions, 39 deletions
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java
index 60902f1e..a49fc943 100644
--- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java
@@ -207,8 +207,19 @@ public class Analyze extends Batch {
 deleteCW.comment("Approval is Orphaned");
 Approval.row(deleteCW, appr);
 } else {
- ticket.approvals.add(appr); // add to found Ticket
- approvers.add(appr.getApprover());
+ // for users and approvers still valid
+ String user = appr.getUser();
+
+ if(org.isRevoked(trans, appr.getApprover())) {
+ deleteCW.comment("Approver ID is revoked");
+ Approval.row(deleteCW, appr);
+ } else if(user!=null && !user.isEmpty() && org.isRevoked(trans, user)) {
+ deleteCW.comment("USER ID is revoked");
+ Approval.row(deleteCW, appr);
+ } else {
+ ticket.approvals.add(appr); // add to found Ticket
+ approvers.add(appr.getApprover());
+ }
 }
 }
 } finally {
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/NotInOrg.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/NotInOrg.java
index 9cd0baee..fb562b24 100644
--- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/NotInOrg.java
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/NotInOrg.java
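Review bot: `org.isRevoked(trans, appr.getApprover())` is called without the null/empty guard that the next branch applies to `user`; if `getApprover()` can ever return null, the DefaultOrg implementation reaches `key.indexOf(domain)` and throws a NullPointerException that aborts the whole approval pass instead of marking a single row. Mirror the guard: `String approver = appr.getApprover();` and `if(approver!=null && !approver.isEmpty() && org.isRevoked(trans, approver)) {`. Note also that DefaultOrg's implementation opens and closes the revoked file on every call, so two lookups per approval inside this loop may be expensive on large batches; a per-run memo of already-checked IDs (as NotInOrg does with its writer map) would avoid it. The enclosing method begins and ends outside the hunk.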
@@ -125,27 +125,6 @@ public class NotInOrg extends Batch {
 }
 }
- /*
- * Do we delete now? Or work on Revocation semantics
- *
- trans.info().log("Checking for X509s without IDs");
- X509.load(trans, session, new Visitor<X509>() {
- @Override
- public void visit(X509 x509) {
- try {
- for(Certificate cert : Factory.toX509Certificate(x509.x509)) {
- X509Certificate xc = (X509Certificate)cert;
- xc.getSubjectDN();
- if(!check(transNoAvg,checked, (X))) {
- x509.row(notInOrgW,);
- }
- }
- } catch (CertificateException | IOException e) {
- trans.error().log(e, "Error Decrypting X509");
- }
- }
- });
- */
 } catch (OrganizationException e) {
 trans.info().log(e);
 }
@@ -155,7 +134,7 @@ public class NotInOrg extends Batch {
 private Writer whichWriter(AuthzTrans transNoAvg, String id) {
 Writer w = whichWriter.get(id);
 if(w==null) {
- w = org.mayAutoDelete(transNoAvg, id)?
+ w = org.isRevoked(transNoAvg, id)?
 notInOrgDeleteW: notInOrgW;
 whichWriter.put(id,w);
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneWeekNotifyCredBody.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneWeekNotifyCredBody.java
new file mode 100644
index 00000000..e28388d5
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneWeekNotifyCredBody.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.batch.reports.bodies;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.batch.helpers.ExpireRange;
+import org.onap.aaf.cadi.Access;
+
+public class OneWeekNotifyCredBody extends NotifyCredBody {
+ public OneWeekNotifyCredBody(Access access) throws IOException {
+ super(access, ExpireRange.ONE_WEEK);
+ }
+
+ @Override
+ public String subject() {
+ return String.format("AAF Final Week Credential Notification (ENV: %s)",env);
+ }
+
+ /* (non-Javadoc)
+ * @see org.onap.aaf.auth.batch.reports.bodies.NotifyCredBody#dynamic()
+ */
+ @Override
+ protected String dynamic() {
+ return "Failure for your App is <b><i>IMMINENT</i></b>. This email is escalated to your superior and General Manager. " + super.dynamic();
+ }
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
index 597f2696..539b9369 100644
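Review bot: The new class has no Javadoc, and the `/* (non-Javadoc) */` marker on `dynamic()` says nothing about why this subclass exists or how its wording differs from the base body. A class comment such as `/** Credential-expiry notice sent during the final week before expiry ({@link ExpireRange#ONE_WEEK}); sharpens the wording of {@link NotifyCredBody#dynamic()} and states that the notice is escalated to management. */` would make the escalation intent explicit, and the `(non-Javadoc)` block can then give way to `/** {@inheritDoc} Prefixes the base text with the escalation warning. */`. The `env` read in `subject()` is presumably a field inherited from NotifyCredBody; worth confirming it is populated by the superclass constructor, since nothing in this file sets it.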
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
@@ -106,18 +106,16 @@ public interface Organization {
 public Identity getIdentity(AuthzTrans trans, String id) throws OrganizationException;
 /**
- * May AutoDelete
+ * Is Revoked
 *
 * Deletion of an Identity that has been removed from an Organization can be dangerous. Mistakes may have been made
 * in the Organization side, a Feed might be corrupted, an API might not be quite right.
 *
- * The implementation of this method can use a double check of some sort, such as comparsion of missing ID in Organization
+ * The implementation of this method can use a double check of some sort, such as comparison of missing ID in Organization
 * feed with a "Deleted ID" feed.
 *
- * The failure to be in Organization will still be reported, if returned "false", but if true, it is taken as an
- * ok to proceed with deletion.
 */
- public boolean mayAutoDelete(AuthzTrans trans, String id);
+ public boolean isRevoked(AuthzTrans trans, String id);
 /**
@@ -562,7 +560,7 @@ public interface Organization {
 }
 @Override
- public boolean mayAutoDelete(AuthzTrans trans, String id) {
+ public boolean isRevoked(AuthzTrans trans, String id) {
 // provide a corresponding feed that indicates that an ID has been intentionally removed from identities.dat table.
 return false;
 }
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java
index ee92540b..b3e2883d 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java
@@ -148,7 +148,7 @@ public abstract class AbsServiceStarter<ENV extends RosettaEnv, TRANS extends Tr
 }
 status = new File(status, fname);
 if(status.exists()) {
- status.delete();
+ deleted=status.delete();
 }
 }
 if(deleted) {
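Review bot: With the two sentences that defined the return value removed, the Javadoc on `isRevoked` no longer says what `true` means, while both callers in this commit (Analyze writes the approval to the delete writer, NotInOrg routes the ID to `notInOrgDeleteW`) treat `true` as authorisation to delete. Add a return contract to the remaining comment, e.g. `* @return {@code true} only when the Organization positively reports the ID as revoked; an absent or unreadable revocation feed must yield {@code false}, because callers act on {@code true} by deleting.` The default implementation in the second hunk of this file returns `false` unconditionally; its comment should state that, rather than only asking for a feed to be provided.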
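Review bot: `deleted=status.delete();` now records the outcome, but a failed delete of an existing file is still silent: `File.delete()` returns `false` without a reason, and the only visible consequence is that the `if(deleted)` branch below is skipped. Report the failure with `status.getAbsolutePath()` through the logger this class already uses, or switch to `Files.delete(status.toPath())`, whose IOException carries the cause. If `deleted` held the result of an earlier delete, this assignment now overwrites it; the enclosing method starts before the hunk, so that cannot be confirmed here.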
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
index 92db4694..50b65ffe 100644
--- a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
@@ -32,6 +32,7 @@ import java.util.Set;
 import java.util.regex.Pattern;
 import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.local.AbsData.Reuse;
 import org.onap.aaf.auth.org.EmailWarnings;
 import org.onap.aaf.auth.org.Executor;
 import org.onap.aaf.auth.org.Mailer;
@@ -83,6 +84,7 @@ public class DefaultOrg implements Organization {
 }
 fIdentities.createNewFile();
 }
+ }
 } else {
 fIdentities = new File(temp);
@@ -103,6 +105,24 @@ public class DefaultOrg implements Organization {
 throw new OrganizationException(fIdentities.getCanonicalPath() + " does not exist.");
 }
 }
+
+ File fRevoked=null;
+ temp=env.getProperty(getClass().getName()+".file.revoked");
+ if(temp==null) {
+ temp = env.getProperty(AAF_DATA_DIR);
+ if (temp!=null) {
+ File dir = new File(temp);
+ fRevoked=new File(dir,"revoked.dat");
+ }
+ } else {
+ fRevoked = new File(temp);
+ }
+ if (fRevoked!=null && fRevoked.exists()) {
+ revoked = new Identities(fRevoked);
+ } else {
+ revoked = null;
+ }
+
 } catch (IOException e) {
 throw new OrganizationException(e);
 }
@@ -112,6 +132,7 @@ public class DefaultOrg implements Organization {
 static final List<String> NULL_DELEGATES = new ArrayList<>();
 public Identities identities;
+ public Identities revoked;
 private boolean dryRun;
 private Mailer mailer;
 public enum Types {Employee, Contractor, Application, NotActive};
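Review bot: In the third hunk a missing revocation feed is silently ignored: when `fRevoked` does not exist, `revoked` is set to null and every later `isRevoked` call returns `false`, so revocations stop being enforced with nothing in the log, whereas the identities file a few lines above is treated as fatal (`throw new OrganizationException(... " does not exist.")`). At minimum log the resolved path and that no revoked feed was loaded; when `.file.revoked` was explicitly configured and the file is absent, throwing `OrganizationException` as the identities branch does would be consistent. The fourth hunk also declares `revoked` as a `public` mutable field; `private` (and `final`, if this block is its only assignment) keeps other code from nulling the feed. The method this block sits in, presumably the constructor, starts and ends outside the hunks.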
@@ -147,7 +168,35 @@ public class DefaultOrg implements Organization {
 return new DefaultOrgIdentity(trans,at<0?id:id.substring(0, at),this);
 }
- /* (non-Javadoc)
+ /**
+ * If the ID isn't in the revoked file, if it exists, it is revoked.
+ */
+ @Override
+ public boolean isRevoked(AuthzTrans trans, String key) {
+ if(revoked!=null) {
+ try {
+ revoked.open(trans, DefaultOrgIdentity.TIMEOUT);
+ try {
+ Reuse r = revoked.reuse();
+ int at = key.indexOf(domain);
+ String search;
+ if (at>=0) {
+ search = key.substring(0,at);
+ } else {
+ search = key;
+ }
+ return revoked.find(search, r)!=null;
+ } finally {
+ revoked.close(trans);
+ }
+ } catch (IOException e) {
+ trans.error().log(e);
+ }
+ }
+ return false;
+ }
+
+ /* (non-Javadoc)
 * @see org.onap.aaf.auth.org.Organization#getEsclaations(org.onap.aaf.auth.env.AuthzTrans, java.lang.String, int)
 */
 @Override
@@ -632,10 +681,4 @@ public class DefaultOrg implements Organization {
 return 0;
 }
 }
-
- @Override
- public boolean mayAutoDelete(AuthzTrans trans, String user) {
- // provide a corresponding feed that indicates that an ID has been intentionally removed from identities.dat table.
- return false;
- }
 }
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
index ba616ade..f2b9d8c9 100644
--- a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
@@ -45,7 +45,7 @@ public class DefaultOrgIdentity implements Identity {
 private static final String APPLICATION = "a";
 private static final String NON_ACTIVE = "n";
- private final static int TIMEOUT = Integer.parseInt(Config.AAF_CONN_TIMEOUT_DEF);
+ final static int TIMEOUT = Integer.parseInt(Config.AAF_CONN_TIMEOUT_DEF);
 private DefaultOrg org; //package on purpose |
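Review bot: The new Javadoc on `isRevoked` states the opposite of the code: the method returns `true` when `revoked.find(search, r)!=null`, i.e. when the ID is present in the revoked file, not when it is absent. Replace it with `/** Reports whether {@code key} (with the {@code domain} suffix stripped, as {@link #getIdentity} does) appears in the revoked feed; returns {@code false} when no feed is loaded or it cannot be read, the safe default for callers that delete on {@code true}. */`. Two smaller points: `key.indexOf(domain)` throws NullPointerException for a null key, so either document `key` as non-null or return `false` early; and the feed is opened and closed on every call, which the batch reports invoke once per approval or per ID, so a comment on that cost or caching across calls would help.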