22 files changed, 392 insertions, 80 deletions
@@ -3,9 +3,9 @@ project: 'aaf-authz' project_creation_date: '2017-07-12' lifecycle_state: 'Incubation' project_lead: &onap_releng_ptl - name: 'Ram Koya' - email: 'rk541m@att.com' - id: 'rampi_k' + name: 'Jonathan Gathman' + email: 'jonathan.gathman@us.att.com' + id: 'instrumental' company: 'ATT' timezone: 'America/Dallas' primary_contact: *onap_releng_ptl diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java index af2d2f6b..893e9f32 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java @@ -203,7 +203,7 @@ public class LocalCA extends CA { public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException { GregorianCalendar gc = new GregorianCalendar(); Date start = gc.getTime(); - gc.add(GregorianCalendar.MONTH, 2); + gc.add(GregorianCalendar.MONTH, 6); Date end = gc.getTime(); X509Certificate x509; TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB); diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index f9cd060b..744c3c3f 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java 
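Review bot: The certificate lifetime in `sign` is still a bare literal, `gc.add(GregorianCalendar.MONTH, 6)`, and tripling it from two to six months widens the period in which a leaked private key stays usable before renewal, so the value should come from configuration (with 6 as the default) and the reason for the longer lifetime recorded in a comment on that line. `Date start = gc.getTime()` also makes notBefore exactly the signing instant, so a relying party whose clock is slightly behind will reject a freshly issued cert; back-dating the start by a few minutes, e.g. `gc.add(GregorianCalendar.MINUTE, -5); Date start = gc.getTime(); gc.add(GregorianCalendar.MINUTE, 5);` before the month offset, is the usual mitigation. The body of `sign` continues past the hunk.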
@@ -164,22 +164,25 @@ public class CMService { } else { for (String cn : req.value.fqdns) { - try { - InetAddress[] ias = InetAddress.getAllByName(cn); - Set<String> potentialSanNames = new HashSet<>(); - for (InetAddress ia1 : ias) { - InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress()); - if (primary == null && ias.length == 1 && trans.ip().equals(ia1.getHostAddress())) { - primary = ia1; - } else if (!cn.equals(ia1.getHostName()) - && !ia2.getHostName().equals(ia2.getHostAddress())) { - potentialSanNames.add(ia1.getHostName()); + if(ignoreIPs) { + potentialSanNames.add(cn); + } else { + try { + InetAddress[] ias = InetAddress.getAllByName(cn); + Set<String> potentialSanNames = new HashSet<>(); + for (InetAddress ia1 : ias) { + InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress()); + if (primary == null && ias.length == 1 && trans.ip().equals(ia1.getHostAddress())) { + primary = ia1; + } else if (!cn.equals(ia1.getHostName()) + && !ia2.getHostName().equals(ia2.getHostAddress())) { + potentialSanNames.add(ia1.getHostName()); + } } + } catch (UnknownHostException e1) { + return Result.err(Result.ERR_BadData, "There is no DNS lookup for %s", cn); } - } catch (UnknownHostException e1) { - return Result.err(Result.ERR_BadData, "There is no DNS lookup for %s", cn); } - } } } diff --git a/auth/docker/.gitignore b/auth/docker/.gitignore index a03737d0..c058b043 100644 --- a/auth/docker/.gitignore +++ b/auth/docker/.gitignore @@ -1,2 +1,3 @@ local d.props +aaf.props diff --git a/auth/docker/Dockerfile.config b/auth/docker/Dockerfile.config index f3bd6bc9..60e82ad1 100644 --- a/auth/docker/Dockerfile.config +++ b/auth/docker/Dockerfile.config @@ -11,6 +11,7 @@ COPY local /opt/app/aaf_config/local COPY public /opt/app/aaf_config/public COPY logs /opt/app/aaf_config/logs COPY bin/service.sh /opt/app/aaf_config/bin/agent.sh +COPY bin/aaf-cadi-aaf-${VERSION}-full.jar /opt/app/aaf_config/bin/ ENTRYPOINT ["/bin/bash","/opt/app/aaf_config/bin/agent.sh"] CMD [] 
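Review bot: In the new `ignoreIPs` branch `potentialSanNames.add(cn)` writes to a different collection than the `Set<String> potentialSanNames = new HashSet<>()` declared inside the `try` a few lines below; that inner set is created per FQDN and nothing after the inner loop in this hunk reads it, so the names gathered by the DNS branch never reach whatever the outer `potentialSanNames` feeds. For this to compile the outer one must be a field, since a local of that name could not be redeclared inside the `try`; dropping the inner declaration so both branches add to the same set is presumably the intent. With `ignoreIPs` set every caller-supplied FQDN becomes a SAN candidate without the forward/reverse lookup check, so the caller's authorization for those names has to remain the gate elsewhere in this method; a comment at the branch such as `// ignoreIPs: FQDNs are accepted as SANs without DNS verification; the caller's namespace authorization is the only check` would make that dependency explicit. `ignoreIPs` and the enclosing method are defined outside the hunk.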
diff --git a/auth/docker/aaf.props b/auth/docker/aaf.props index 8d18f55d..5c654806 100644 --- a/auth/docker/aaf.props +++ b/auth/docker/aaf.props @@ -1,14 +1,11 @@ -FQI=clamp@clamp.onap.org -VOLUME=clamp_aaf -LONGITUDE=-92 -FQDN=meriadoc.mithril.sbc.com VERSION=2.1.2-SNAPSHOT -DRIVER=local -LATITUDE=38 -FQDN_IP=192.168.99.100 AAF_FQDN=meriadoc.mithril.sbc.com -AAF_AAF_FQDN_IP=192.168.99.100 DEPLOY_FQI=deployer@people.osaaf.org -DEPLOY_PASSWORD=demo123456! APP_FQDN=meriadoc.mithril.sbc.com APP_FQI=clamp@clamp.onap.org +VOLUME=clamp_aaf +DRIVER=local +LATITUDE=38.432899 +LONGITUDE=-90.43248 +AAF_AAF_FQDN_IP=192.168.99.100 +DEPLOY_PASSWORD=demo123456! diff --git a/auth/docker/d.props.init b/auth/docker/d.props.init index 8691591c..b0ba63d8 100644 --- a/auth/docker/d.props.init +++ b/auth/docker/d.props.init @@ -6,12 +6,12 @@ VERSION=2.1.2-SNAPSHOT CONF_ROOT_DIR=/opt/app/osaaf # Local Env info -HOSTNAME= +HOSTNAME=aaf.osaaf.org HOST_IP= -CASS_HOST=<cass FQDN>:<cass IP> +CASS_HOST=cass.aaf.osaaf.org:<Cass IP> # AAF Machine info -aaf_env=DEV -aaf_register_as=$HOSTNAME -cadi_latitude= -cadi_longitude= +AAF_ENV=DEV +AAF_REGISTER_AS=$HOSTNAME +LATITUDE= +LONGITUDE= diff --git a/auth/docker/dbounce.sh b/auth/docker/dbounce.sh index e6367957..82aedd0c 100644 --- a/auth/docker/dbounce.sh +++ b/auth/docker/dbounce.sh @@ -1,4 +1,4 @@ #!/bin/bash -sh ./dstop.sh "$@" -sh ./dstart.sh "$@" +bash ./dstop.sh "$@" +bash ./dstart.sh "$@" diff --git a/auth/docker/dbuild.sh b/auth/docker/dbuild.sh index 10ca9d95..da0b9b64 100755 --- a/auth/docker/dbuild.sh +++ b/auth/docker/dbuild.sh @@ -24,7 +24,6 @@ docker build -t ${ORG}/${PROJECT}/aaf_agent:${VERSION} sample # Clean up rm sample/Dockerfile sample/bin/aaf-cadi-aaf-${VERSION}-full.jar cd - - ######## # Second, build a core Docker Image echo Building aaf_$AAF_COMPONENT... diff --git a/auth/sample/bin/client.sh b/auth/sample/bin/client.sh index 2c736142..46c85be9 100644 --- a/auth/sample/bin/client.sh +++ b/auth/sample/bin/client.sh 
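Review bot: `auth/docker/aaf.props` is added to `.gitignore` in this same commit yet the file stays tracked and still carries `DEPLOY_PASSWORD=demo123456!` in clear text; ignoring an already-tracked file changes nothing, so it should be removed from the index (`git rm --cached auth/docker/aaf.props`) and replaced by a template without the password, the way `d.props.init` already serves `d.props`. Until then every clone of the repository ships a working deployer credential, and the reordering in this hunk does not change that.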
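Review bot: The keys are renamed from `aaf_env`, `aaf_register_as`, `cadi_latitude`, `cadi_longitude` to `AAF_ENV`, `AAF_REGISTER_AS`, `LATITUDE`, `LONGITUDE`, but the new `docs/sections/installation/install_from_source.rst` added by this commit still lists the lowercase names in its d.props table, so a reader following the docs will presumably fill in keys the scripts no longer read. The table rows should use the new names, and a short comment in `d.props.init` naming each key's consumer would prevent the next drift. The new default `CASS_HOST=cass.aaf.osaaf.org:<Cass IP>` also mixes a real-looking hostname with a placeholder; `<Cass FQDN>:<Cass IP>` is clearer unless that hostname is meant to resolve.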
@@ -87,9 +87,16 @@ if [ ! "$CMD" = "" ]; then rsync -uh --exclude=.gitignore /opt/app/aaf_config/$D/* /opt/app/osaaf/$D done ;; + showpass) + echo "## Show Passwords" + $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar showpass ${APP_FQI} ${APP_FQDN} + ;; + check) + $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar check ${APP_FQI} ${APP_FQDN} + ;; validate) echo "## validate requested" - $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate cadi_prop_files=/opt/app/osaaf/local/${NS}.props + $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate /opt/app/osaaf/local/${NS}.props ;; bash) if [ ! -e ~/.bash_aliases ]; then diff --git a/auth/sample/data/identities.dat b/auth/sample/data/identities.dat index 54c0a15d..7bf14d5b 100644 --- a/auth/sample/data/identities.dat +++ b/auth/sample/data/identities.dat @@ -41,7 +41,7 @@ clamp|ONAP CLAMP Application|CLAMP|Application|||a|aaf_admin aai|ONAP AAI Application|AAI|ONAP Application|||a|aaf_admin appc|ONAP APPC Application|APPC|ONAP Application|||a|aaf_admin dcae|ONAP DCAE Application|CLAMP|ONAP Application|||a|aaf_admin -dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||_admina|aaf +dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||a|aaf_admin dmaap-mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|||a|aaf_admin oof|ONAP OOF Application|OOF|ONAP Application|||a|aaf_admin sdnc|ONAP SDNC Application|SDNC|ONAP Application|||a|aaf_admin diff --git a/auth/sample/data/sample.identities.dat b/auth/sample/data/sample.identities.dat index 05ed0cc1..185e1604 100644 --- a/auth/sample/data/sample.identities.dat +++ b/auth/sample/data/sample.identities.dat 
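Review bot: The new `showpass` case writes decrypted passwords to stdout, which inside a container is captured by `docker logs` and any attached log shipper, so the `echo "## Show Passwords"` banner should carry a comment warning that the output is sensitive and the command is not meant to run under log collection. `showpass` also runs without the `-Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props` that the sibling `check` case passes, so unless the jar locates the properties another way the two cases resolve configuration differently; adding the same `-D` flag to the `showpass` line aligns them. `${APP_FQI} ${APP_FQDN}` are unquoted in both new cases. The enclosing `case` begins outside the hunk.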
@@ -27,12 +27,12 @@ iretired|Ira Lee M. Retired|Ira|Retired|314-123-1238|clarice.d.contractor@people # ONAP default Users aaf_admin|AAF Administrator|Mr AAF|AAF Admin|||e|mmanager deploy|Deployer|Deployer|Depoyer|||e|aaf_admin -demo|PORTAL DEMO|PORTAL|DEMO|||e|aaf -jh0003|PORTAL ADMIN|PORTAL|ADMIN|||e|aaf -cs0008|PORTAL DESIGNER|PORTAL|DESIGNER|||e|aaf -jm0007|PORTAL TESTER|PORTAL|TESTER|||e|aaf -op0001|PORTAL OPS|PORTAL|OPS|||e|aaf -gv0001|PORTAL GOVERNOR|PORTAL|GOVERNOR|||e|aaf +demo|PORTAL DEMO|PORTAL|DEMO|||e|aaf_admin +jh0003|PORTAL ADMIN|PORTAL|ADMIN|||e|aaf_admin +cs0008|PORTAL DESIGNER|PORTAL|DESIGNER|||e|aaf_admin +jm0007|PORTAL TESTER|PORTAL|TESTER|||e|aaf_admin +op0001|PORTAL OPS|PORTAL|OPS|||e|aaf_admin +gv0001|PORTAL GOVERNOR|PORTAL|GOVERNOR|||e|aaf_admin # ONAP App IDs aaf|AAF Application|AAF|Application|||a|aaf_admin aaf-sms|AAF SMS Application|AAF SMS|Application|||a|aaf_admin @@ -40,7 +40,7 @@ clamp|ONAP CLAMP Application|CLAMP|Application|||a|aaf_admin aai|ONAP AAI Application|AAI|ONAP Application|||a|aaf_admin appc|ONAP APPC Application|APPC|ONAP Application|||a|aaf_admin dcae|ONAP DCAE Application|CLAMP|ONAP Application|||a|aaf_admin -dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||_admina|aaf +dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||a|aaf_admin dmaap-mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|||a|aaf_admin oof|ONAP OOF Application|OOF|ONAP Application|||a|aaf_admin sdnc|ONAP SDNC Application|SDNC|ONAP Application|||a|aaf_admin diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java index 6b69f790..c4ca8082 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java 
@@ -50,7 +50,11 @@ public class AAFPermission implements Permission { type = name; this.instance = instance; this.action = action; - key = ns + '|' + type + '|' + instance + '|' + action; + if(ns==null) { + key = type + '|' + instance + '|' + action; + } else { + key = ns + '|' + type + '|' + instance + '|' + action; + } this.roles = NO_ROLES; } @@ -60,7 +64,11 @@ public class AAFPermission implements Permission { type = name; this.instance = instance; this.action = action; - key = ns + '|' + type + '|' + instance + '|' + action; + if(ns==null) { + key = type + '|' + instance + '|' + action; + } else { + key = ns + '|' + type + '|' + instance + '|' + action; + } this.roles = roles==null?NO_ROLES:roles; } @@ -117,7 +125,15 @@ public class AAFPermission implements Permission { } } boolean typeMatches; - if(aafNS.length() == ns.length()) { + if(aafNS==null) { + if(ns==null) { + typeMatches = aafType.equals(type); + } else { + typeMatches = aafType.equals(ns+'.'+type); + } + } else if(ns==null) { + typeMatches = type.equals(aafNS+'.'+aafType); + } else if(aafNS.length() == ns.length()) { typeMatches = aafNS.equals(ns) && aafType.equals(type); } else { // Allow for restructuring of NS/Perm structure typeMatches = (aafNS+'.'+aafType).equals(ns+'.'+type); diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java index 3e90087c..df2ad4f8 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java 
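Review bot: The null-`ns` key construction is duplicated verbatim in the two constructors at @@ -50 and @@ -60 and belongs in one private helper, e.g. `private static String key(String ns, String type, String instance, String action) { return (ns==null ? "" : ns + '|') + type + '|' + instance + '|' + action; }`, called from both. The change also makes `key` variable-width — three `|`-separated fields when `ns` is null, four otherwise — so anything that splits `key` on `'|'` expecting four fields will now misparse; a comment on the field documenting both shapes would help, and no test for the null case is part of this commit. Both constructors start before their hunks.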
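Review bot: `match` (its header is outside the @@ -117 hunk) now handles `aafNS==null` and `ns==null`, but an empty string is not treated like null: with `ns=""` and a non-null `aafNS` the code falls to `aafNS.length() == ns.length()`, fails it, and then compares `aafNS+'.'+aafType` against `"."+type`, whereas the null path compares `aafType` against `ns+'.'+type`. The constructors do not reject an empty namespace, so the two "no namespace" spellings match differently; either normalise empty to null in the constructors or document that null is the only no-namespace marker, e.g. `// ns==null means "no namespace"; an empty string is a literal, distinct namespace`. Unit tests for the four null/non-null combinations would pin this down and none are included here.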
@@ -55,7 +55,7 @@ public class TestConnectivity { System.out.println("Usage: ConnectivityTester <cadi_prop_files> [<AAF FQDN (i.e. aaf.dev.att.com)>]"); } else { print(true,"START OF CONNECTIVITY TESTS",new Date().toString(),System.getProperty("user.name"), - "Note: All API Calls are /authz/perms/user/<MechID/Alias of the caller>"); + "Note: All API Calls are /authz/perms/user/<AppID/Alias of the caller>"); if(!args[0].contains(Config.CADI_PROP_FILES+'=')) { args[0]=Config.CADI_PROP_FILES+'='+args[0]; diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java index b7cf62cd..a5ef6d14 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java @@ -62,7 +62,7 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> { private static final String ORG_OSAAF_CADI_OAUTH_O_AUTH2_LUR = "org.osaaf.cadi.oauth.OAuth2Lur"; /** - * Need to be able to transmutate a Principal into either ATTUID or MechID, which are the only ones accepted at this + * Need to be able to transmutate a Principal into either Person or AppID, which are the only ones accepted at this * point by AAF. There is no "domain", aka, no "@att.com" in "ab1234@att.com". * * The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid. 
@@ -107,12 +107,6 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> { protected User<AAFPermission> loadUser(final Principal principal) { final String name = principal.getName(); -// // Note: The rules for AAF is that it only stores permissions for ATTUID and MechIDs, which don't -// // have domains. We are going to make the Transitive Class (see this.transmutative) to convert -// final Principal tp = principal; //transmutate.mutate(principal); -// if(tp==null) { -// return null; // if not a valid Transmutated credential, don't bother calling... -// } // TODO Create a dynamic way to declare domains supported. final long start = System.nanoTime(); final boolean[] success = new boolean[]{false}; diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java index b3de9754..ef73adaa 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java @@ -89,8 +89,8 @@ public class Agent { private static final String HASHES = "################################################################"; private static final String PRINT = "print"; private static final String FILE = "file"; - private static final String PKCS12 = "pkcs12"; - private static final String JKS = "jks"; + public static final String PKCS12 = "pkcs12"; + public static final String JKS = "jks"; private static final String SCRIPT="script"; private static final String CM_VER = "1.0"; @@ -127,7 +127,7 @@ public class Agent { AAFSSO aafsso=null; PropAccess access; - if(args.length>1 && args[0].equals("validate")) { + if(args.length>1 && args[0].equals("validate") ) { int idx = args[1].indexOf('='); aafsso = null; access = new PropAccess( 
@@ -329,7 +329,7 @@ public class Agent { private static String fqi(Deque<String> cmds) { if(cmds.size()<1) { String alias = env.getProperty(Config.CADI_ALIAS); - return alias!=null?alias:AAFSSO.cons.readLine("MechID: "); + return alias!=null?alias:AAFSSO.cons.readLine("AppID: "); } return cmds.removeFirst(); } @@ -360,11 +360,11 @@ public class Agent { Artifacts artifacts = new Artifacts(); Artifact arti = new Artifact(); artifacts.getArtifact().add(arti); - arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("MechID: ")); + arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("AppID: ")); arti.setMachine(machine!=null?machine:AAFSSO.cons.readLine("Machine (%s): ",InetAddress.getLocalHost().getHostName())); arti.setCa(AAFSSO.cons.readLine("CA: (%s): ","aaf")); - String resp = AAFSSO.cons.readLine("Types [file,jks,script] (%s): ", "jks"); + String resp = AAFSSO.cons.readLine("Types [file,pkcs12,jks,script] (%s): ", PKCS12); for(String s : Split.splitTrim(',', resp)) { arti.getType().add(s); } @@ -419,7 +419,7 @@ public class Agent { if(future.get(TIMEOUT)) { boolean printed = false; for(Artifact a : future.value.getArtifact()) { - AAFSSO.cons.printf("MechID: %s\n",a.getMechid()); + AAFSSO.cons.printf("AppID: %s\n",a.getMechid()); AAFSSO.cons.printf(" Sponsor: %s\n",a.getSponsor()); AAFSSO.cons.printf("Machine: %s\n",a.getMachine()); AAFSSO.cons.printf("CA: %s\n",a.getCa()); @@ -650,7 +650,7 @@ public class Agent { // Have to wait for JDK 1.7 source... //switch(artifact.getType()) { if(acf.value.getArtifact()==null || acf.value.getArtifact().isEmpty()) { - AAFSSO.cons.printf("No Artifacts found for %s on %s", mechID, machine); + AAFSSO.cons.printf("No Artifacts found for %s on %s ", mechID, machine); } else { String id = aafcon.defID(); boolean allowed; 
@@ -660,7 +660,7 @@ public class Agent { && aafcon.securityInfo().defSS.getClass().isAssignableFrom(HBasicAuthSS.class))); if(!allowed) { Future<String> pf = aafcon.client(CM_VER).read("/cert/may/" + - a.getNs() + ".certman|"+a.getCa()+"|showpass","*/*"); + a.getNs()+"|certman|"+a.getCa()+"|showpass","*/*"); if(pf.get(TIMEOUT)) { allowed = true; } else { @@ -1017,13 +1017,13 @@ public class Agent { String prop; File f; - if((prop=props.getProperty(Config.CADI_KEYFILE))==null || + if((prop=trans.getProperty(Config.CADI_KEYFILE))==null || !(f=new File(prop)).exists()) { trans.error().printf("Keyfile must exist to check Certificates for %s on %s", a.getMechid(), a.getMachine()); } else { - String ksf = props.getProperty(Config.CADI_KEYSTORE); - String ksps = props.getProperty(Config.CADI_KEYSTORE_PASSWORD); + String ksf = trans.getProperty(Config.CADI_KEYSTORE); + String ksps = trans.getProperty(Config.CADI_KEYSTORE_PASSWORD); if(ksf==null || ksps == null) { trans.error().printf("Properties %s and %s must exist to check Certificates for %s on %s", Config.CADI_KEYSTORE, Config.CADI_KEYSTORE_PASSWORD,a.getMechid(), a.getMachine()); diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java index 3123b89e..c5413919 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java @@ -28,7 +28,6 @@ import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; -import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Set; 
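Review bot: The permission queried through `/cert/may/` is assembled ad hoc as `a.getNs()+"|certman|"+a.getCa()+"|showpass"`, and the fact that this hunk has to change the separator from `.certman|` to `|certman|` shows the format has already drifted from whatever the certman side presumably defines; a shared constant or a small `permKey(ns, ca, action)` helper would keep client and service in step. The check itself is fail-closed — `allowed` only becomes true when `pf.get(TIMEOUT)` succeeds — which is the right shape; the `else` branch continues outside the hunk. A one-line comment naming the server-side permission this string must mirror would make the next edit reviewable.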
@@ -51,7 +50,7 @@ public class PlaceArtifactInKeystore extends ArtifactDir { @Override public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException { - File fks = new File(dir,arti.getNs()+'.'+(kst=="pkcs12"?"p12":kst)); + File fks = new File(dir,arti.getNs()+'.'+(kst==Agent.PKCS12?"p12":kst)); try { KeyStore jks = KeyStore.getInstance(kst); if(fks.exists()) { @@ -125,7 +124,7 @@ public class PlaceArtifactInKeystore extends ArtifactDir { fks.renameTo(backup); } - jks = KeyStore.getInstance("jks"); + jks = KeyStore.getInstance(Agent.JKS); // Set Truststore Password addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath()); diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java index ecadb6ed..d50b87a2 100644 --- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java @@ -42,6 +42,7 @@ import org.junit.Test; import org.mockito.Mock; import org.mockito.MockitoAnnotations; import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.configure.Agent; import org.onap.aaf.cadi.configure.ArtifactDir; import org.onap.aaf.cadi.util.Chmod; import org.onap.aaf.misc.env.Trans; @@ -112,7 +113,7 @@ public class JU_ArtifactDir { } catch(NullPointerException e) { } - KeyStore ks = KeyStore.getInstance("pkcs12"); + KeyStore ks = KeyStore.getInstance(Agent.PKCS12); try { ArtifactDir.write(writableFile, Chmod.to755, ks, luggagePassword.toCharArray()); fail("Should've thrown an exception"); diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java index 0b086f11..d61ac499 100644 --- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java 
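Review bot: `kst==Agent.PKCS12` compares strings by reference, so the `.p12` extension is only chosen when `kst` is the very same interned constant; a `kst` that arrived from a property or from the `Split.splitTrim` of the console answer in `Agent` is a distinct `String` object and silently falls through to `kst` as the extension, giving `<ns>.pkcs12`. The previous `kst=="pkcs12"` had the same flaw, so the commit preserves rather than fixes it; use `Agent.PKCS12.equals(kst)` instead: `File fks = new File(dir,arti.getNs()+'.'+(Agent.PKCS12.equals(kst)?"p12":kst));`. `_place` continues past the hunk.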
@@ -21,9 +21,11 @@ package org.onap.aaf.cadi.cm.test; -import static org.junit.Assert.*; -import static org.hamcrest.CoreMatchers.*; -import static org.mockito.Mockito.*; +import static org.hamcrest.CoreMatchers.is; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.fail; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; import java.io.BufferedReader; import java.io.ByteArrayOutputStream; @@ -31,14 +33,17 @@ import java.io.File; import java.io.FileNotFoundException; import java.io.FileReader; import java.io.IOException; +import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; -import java.security.cert.CertificateException; - -import org.junit.*; -import org.mockito.*; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.configure.Agent; import org.onap.aaf.cadi.configure.PlaceArtifactInKeystore; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; @@ -97,12 +102,12 @@ public class JU_PlaceArtifactInKeystore { @Test public void test() throws CadiException { // Note: PKCS12 can't be tested in JDK 7 and earlier. Can't handle Trusting Certificates. - PlaceArtifactInKeystore placer = new PlaceArtifactInKeystore("jks"); + PlaceArtifactInKeystore placer = new PlaceArtifactInKeystore(Agent.JKS); certs.add(x509String); certs.add(x509Chain); assertThat(placer.place(transMock, certInfoMock, artiMock, "machine"), is(true)); - for (String ext : new String[] {"chal", "keyfile", "jks", "trust.jks", "cred.props"}) { + for (String ext : new String[] {"chal", "keyfile", Agent.JKS, "trust.jks", "cred.props"}) { File f = new File(dirName + '/' + nsName + '.' + ext); assertThat(f.exists(), is(true)); } 
diff --git a/docs/sections/installation/client_vol.rst b/docs/sections/installation/client_vol.rst new file mode 100644 index 00000000..ea98e5f2 --- /dev/null +++ b/docs/sections/installation/client_vol.rst 
@@ -0,0 +1,70 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright © 2017 AT&T Intellectual Property. All rights reserved. + +======================================== +Setting up Certs and CADI Configurations +======================================== + +*Note: this document assumes UNIX Bash Shell. Being Java, AAF works in Windows, but you will have to create your own script/instruction conversions.* + +------------------ +Strategy +------------------ + +ONAP is deployed in Docker Containers or Kubernetes managed Docker Containers. Therefore, this instruction utilizes a Docker Container as a standalone Utility... (This means that this container will stop as soon as it is done with its work... it is not a long running daemon) + +Given that all ONAP entities are also in Docker Containers, they all can access Persistent Volumes. + +This tool creates all the Configurations, including Certificates, onto a declared Volume on the directories starting with "/opt/app/osaaf" + +------------------ +Prerequisites +------------------ + * Docker + * Note: it does NOT have to be the SAME Docker that AAF is deployed on... + | but it DOES have be accessible to the AAF Instance. + * For ONAP, this means + + * Windriver VPN + * include "10.12.6.214 aaf-onap-test.osaaf.org" in your /etc/hosts or DNS + +----------------------- +Obtain the Agent Script +----------------------- +Choose the directory you wish to start in... 
+ +If you don't want to clone all of AAF, just get the "agent.sh" from a Browser: + + https://gerrit.onap.org/r/gitweb?p=aaf/authz.git;a=blob_plain;f=auth/docker/agent.sh;hb=HEAD + + Note: curl/wget get html, instead of text + | You might have to mv, and rename it to "agent.sh", but avoids full clone + +------------------------- +Run Script +------------------------- + +In your chosen directory :: + + $ bash agent.sh + +The Agent will look for "aaf.props", and if it doesn't exist, or is missing information, it will ask for it + + +--------------- --------------- +Tag Value +--------------- --------------- +CADI Version Defaults to CADI version of this +AAF's FQDN PUBLIC Name for AAF. For ONAP Test, it is 'aaf-onap-test.osaaf.org' +Deployer's FQI deployer@people.osaaf.org. In a REAL system, this would be a person or process +App's Root FQDN This will show up in the Cert Subject, and should be the name given by Docker. i.e. clamp.onap +App's FQI Fully Qualified ID given by Organization and with AAF NS/domain. ex: clamp@clamp.onap.org +App's Volume Volume to put the data, see above. ex: clamp_aaf +DRIVER Docker Volume type... See Docker Volume documentation +LATITUDE Global latitude coordinate of Node (best guess for Kubernetes) +LONGITUDE Global longitude coordinate of Node (best guess for Kubernetes) +--------------- --------------- + + + diff --git a/docs/sections/installation/install_from_source.rst b/docs/sections/installation/install_from_source.rst new file mode 100644 index 00000000..761069cb --- /dev/null +++ b/docs/sections/installation/install_from_source.rst 
@@ -0,0 +1,219 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright © 2017 AT&T Intellectual Property. All rights reserved. + +============================ +Installing from Source Code +============================ + +*Note: this document assumes UNIX Bash Shell. Being Java, AAF works in Windows, but you will have to create your own script/instruction conversions.* + +------------------ +Modes +------------------ + +AAF can be run in various ways + * Standalone (on your O/S) + * Docker (localized) + * Kubernetes + * ONAP Styles + * HEAT (Docker Container Based Initilization) + * OOM (a Helm Chart based Kubernetes Environment) + +------------------ +Prerequisites +------------------ + +You need the following tools to build and run AAF + * git + * maven + * Java (JDK 1.8+, openjdk is fine) + * Cassandra + * a separate installation is fine + * these instructions will start off with a Docker based Cassandra instance + * Machine - one of the following + * Standalone Java Processes - no additional running environments necessary + * docker - typically available via packages for O/S + * kubernetes - ditto + + +------------------ +Build from Source +------------------ +Choose the directory you wish to start in... This process will create an "authz" subdirectory:: + + $ mkdir -p ~/src + $ cd ~/src + +Use 'git' to 'clone' the master code:: + + $ git clone https://gerrit.onap.org/r/aaf/authz + +Change to that directory:: + + $ cd authz + +Use Maven to build:: + + << TODO, get ONAP Settings.xml>> + $ mvn install + +.. ----------------- +.. Standalone +.. ----------------- + +----------------- +Docker Mode +----------------- + +After you have successfully run maven, you will need a Cassandra. If you don't have one, here are instructions for a Docker Standalone Cassandra. For a *serious* endeavor, you need a multi-node Cassandra. 
+ +From "authz":: + + $ cd auth/auth-cass/src/main/cql + $ vi config.dat + +=================== +Existing Cassandra +=================== + +AAF Casablanca has added a table. If you have an existing AAF Cassandra, do the following:: + + ### If Container Cassandra, add these steps, otherwise, skip + $ docker container cp init2_1.cql aaf_cass:/tmp + $ docker exec -it aaf_cass bash + (docker) $ cd /tmp + ### + $ cqlsh -f 'init2_1.cql' + +===================== +New Docker Cassandra +===================== + +Assuming you are in your src/authz directory:: + + $ cd auth/auth-cass/docker + $ sh dinstall.sh + +--------------------- +AAF Itself +--------------------- + +Assuming you are in your src/authz directory:: + + $ cd auth/docker + ### If you have not done so before (don't overwrite your work!) + $ cp d.props.init d.props + +You will need to edit and fill out the information in your d.props file. Here is info to help + +**Local Env info** - These are used to load the /etc/hosts file in the Containers, so AAF is available internally and externally + + =============== ============= + Variable Explanation + =============== ============= + HOSTNAME This must be the EXTERNAL FQDN of your host. Must be in DNS or /etc/hosts + HOST_IP This must be the EXTERNAL IP of your host. Must be accessible from "anywhere" + CASS_HOST If Docker Cass, this is the INTERNAL FQDN/IP. If external Cass, then DNS|/etc/hosts entry + aaf_env This shows up in GUI and certs, to differentiate environments + aaf_register_as As pre-set, it is the same external hostname. 
+ cadi_latitude Use "https://bing.com/maps", if needed, to locate your current Global Coords + cadi_longitude ditto + =============== ============= + +============================== +"Bleeding Edge" Source install +============================== + +AAF can be built, and local Docker Images built with the following:: + + $ sh dbuild.sh + +Otherwise, just let it pull from Nexus + +============================== +Configure AAF Volume +============================== + +AAF uses a Persistent Volume to store data longer term, such as CADI configs, Organization info, etc, so that data is not lost when changing out a container. + +This volume is created automatically, as necessary, and linked into the container when starting. :: + + ## Be sure to have your 'd.props' file filled out before running. + $ sh aaf.sh + +============================== +Bootstrapping with Keystores +============================== + +Start the container in bash mode, so it stays up. :: + + $ bash aaf.sh bash + id@77777: + +In another shell, find out your Container name. 
:: + + $ docker container ls | grep aaf_config + +CD to directory with CA p12 files + + * org.osaaf.aaf.p12 + * org.osaaf.aaf.signer.p12 (if using Certman to sign certificates) + +Copy keystores for this AAF Env :: + + $ docker container cp -L org.osaaf.aaf.p12 aaf_agent_<Your ID>:/opt/app/osaaf/local + ### IF using local CA Signer + $ docker container cp -L org.osaaf.aaf.signer.p12 aaf_agent_<Your ID>:/opt/app/osaaf/local + +In Agent Window :: + + id@77777: agent encrypt cadi_keystore_password + ### IF using local CA Signer + id@77777: agent encrypt cm_ca.local + +Check to make sure all passwords are set :: + + id@77777: grep "enc:" *.props + +When good, exit from Container Shell and run AAF :: + + id@77777: exit + $ bash drun.sh + +Check the Container logs for correct Keystore passwords, other issues :: + + $ docker container logs aaf_<service> + +Watch logs :: + + $ sh aaf.sh taillog + +Notes: + +You can find an ONAP Root certificate, and pre-built trustores for ONAP Test systems at: + | authz/auth/sample/public/AAF_RootCA.cert + | authz/auth/sample/public/truststoreONAPall.jks + +Good Tests to run :: + + ## From "docker" dir + ## + ## assumes you have DNS or /etc/hosts entry for aaf-onap-test.osaaf.org + ## + $ curl --cacert ../sample/public/AAF_RootCA.cer -u demo@people.osaaf.org:demo123456! https://aaf-onap-test.osaaf.org:8100/authz/perms/user/demo@people.osaaf.org + $ openssl s_client -connect aaf-onap-test.osaaf.org:8100 + + + + + + + + + + + + + + diff --git a/docs/sections/installation/fromsource.rst b/docs/sections/installation/sample.rst index 19ac6221..19ac6221 100644 --- a/docs/sections/installation/fromsource.rst +++ b/docs/sections/installation/sample.rst |