diff options
15 files changed, 189 insertions, 70 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java index b5fcd690..2c0c054b 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java @@ -66,7 +66,7 @@ public class DirectCertIdentity implements CertIdentity { Result<List<Data>> cresp = certDAO.read(trans, ByteBuffer.wrap(fingerprint)); if(cresp.isOKhasData()) { Data cdata = cresp.value.get(0); - return new X509Principal(cdata.id,cert,certBytes); + return new X509Principal(cdata.id,cert,certBytes,null); } return null; } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index 8d39f540..ea65659a 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java @@ -426,17 +426,24 @@ public class CMService { } // Policy 2: MechID must have valid Organization Owner - Identity ouser = muser.responsibleTo(); - if(ouser == null) { - return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s", - trans.user(),add.mechid,trans.org().getName()); + Identity emailUser; + if(muser.isPerson()) { + emailUser = muser; + } else { + Identity ouser = muser.responsibleTo(); + if(ouser == null) { + return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s", + trans.user(),add.mechid,trans.org().getName()); + } + + // Policy 3: Calling ID must be MechID Owner + if(!trans.user().equals(ouser.fullID())) { + return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s", + trans.user(),add.mechid,trans.org().getName()); + } + emailUser = ouser; } - // Policy 3: Calling ID must be MechID Owner - if(!trans.user().equals(ouser.fullID())) { - return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s", - trans.user(),add.mechid,trans.org().getName()); - } // Policy 4: Renewal Days are between 10 and 60 (constants, may be parameterized) if(add.renewDays<MIN_RENEWAL) { @@ -447,7 +454,7 @@ public class CMService { // Policy 5: If Notify is blank, set to Owner's Email if(add.notify==null || add.notify.length()==0) { - add.notify = "mailto:"+ouser.email(); + add.notify = "mailto:"+emailUser.email(); } // Policy 6: Only do Domain by Exception @@ -462,7 +469,7 @@ public class CMService { } // Set Sponsor from Golden Source - add.sponsor = ouser.fullID(); + add.sponsor = emailUser.fullID(); } catch (OrganizationException e) { diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java index af6c88dc..0c28c7ca 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java @@ -186,4 +186,5 @@ public abstract class AbsService<ENV extends BasicEnv, TRANS extends Trans> exte } return def; } + } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java index 3ae2fbfb..40640007 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java @@ -163,9 +163,9 @@ public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> { try { Object[] atl=new Object[additionalTafLurs.length+2]; atl[0]=new DirectAAFLur(env,question); // Note, this will be assigned by AuthzTransFilter to TrustChecker - atl[1]=new BasicHttpTaf(env, directAAFUserPass, - domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)), - false); + atl[1]= new BasicHttpTaf(env, directAAFUserPass, + domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)), + false); if(additionalTafLurs.length>0) { System.arraycopy(additionalTafLurs, 0, atl, 2, additionalTafLurs.length); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 519721ce..f3207798 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -532,7 +532,6 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS NSS nss = mapper.newInstance(API.NSS); // Note: "loadNamespace" already validates view of Namespace return mapper.nss(trans, rn.value, nss); - } @ApiDoc( diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java index d31c9d01..390c3089 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java @@ -42,9 +42,11 @@ import org.onap.aaf.auth.service.Code; import org.onap.aaf.auth.service.facade.AuthzFacade; import org.onap.aaf.auth.service.mapper.Mapper.API; import org.onap.aaf.cadi.CredVal; +import org.onap.aaf.cadi.CredVal.Type; import org.onap.aaf.cadi.Symm; import org.onap.aaf.cadi.principal.BasicPrincipal; import org.onap.aaf.cadi.principal.X509Principal; +import org.onap.aaf.cadi.taf.basic.BasicHttpTaf; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; @@ -90,23 +92,36 @@ public class API_Creds { // have to check Basic Auth here, because it might be CSP. String authz = req.getHeader("Authorization"); if(authz.startsWith("Basic ")) { - String decoded = Symm.base64noSplit.decode(authz.substring(6)); - int colon = decoded.indexOf(':'); - TimeTaken tt = trans.start("Direct Validation", Env.REMOTE); - try { - if(directAAFUserPass.validate( - decoded.substring(0,colon), - CredVal.Type.PASSWORD , - decoded.substring(colon+1).getBytes(),trans)) { - - resp.setStatus(HttpStatus.OK_200); - } else { - // DME2 at this version crashes without some sort of response - resp.getOutputStream().print(""); - resp.setStatus(HttpStatus.FORBIDDEN_403); + BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf(); + if(bht!=null) { + BasicPrincipal bp = new BasicPrincipal(authz,""); + CredVal cv = bht.getCredVal(bp.getDomain()); + if(cv!=null) { + if(cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) { + resp.setStatus(HttpStatus.OK_200); + } else { + resp.setStatus(HttpStatus.FORBIDDEN_403); + } + } + } else { + String decoded = Symm.base64noSplit.decode(authz.substring(6)); + int colon = decoded.indexOf(':'); + TimeTaken tt = trans.start("Direct Validation", Env.REMOTE); + try { + if(directAAFUserPass.validate( + decoded.substring(0,colon), + CredVal.Type.PASSWORD , + decoded.substring(colon+1).getBytes(),trans)) { + + resp.setStatus(HttpStatus.OK_200); + } else { + // DME2 at this version crashes without some sort of response + resp.getOutputStream().print(""); + resp.setStatus(HttpStatus.FORBIDDEN_403); + } + } finally { + tt.done(); } - } finally { - tt.done(); } } } else if(p == null) { diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java index e336042a..bc1f94d9 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java @@ -93,7 +93,7 @@ public class AAFListedCertIdentity implements CertIdentity { byte[] fingerprint = X509Taf.getFingerPrint(certBytes); String id = certs.get(new ByteArrayHolder(fingerprint)); if(id!=null) { // Caller is Validated - return new X509Principal(id,cert,certBytes); + return new X509Principal(id,cert,certBytes,null); } return null; } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java index c197be26..f2fb7057 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java @@ -186,6 +186,7 @@ public class AAFSSO { char[] password = cons.readPassword("Password for %s: ", appID); String app_pass = access.encrypt(new String(password)); access.setProperty(Config.AAF_APPPASS,app_pass); + diskprops.setProperty(Config.AAF_APPPASS, app_pass); } String keystore=access.getProperty(Config.CADI_KEYSTORE); diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java new file mode 100644 index 00000000..e8a5c54b --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java @@ -0,0 +1,25 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi; + +public interface CredValDomain extends CredVal { + public String domain(); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java index 9a0a53cf..b74ccb36 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java @@ -42,6 +42,7 @@ import org.onap.aaf.cadi.CachingLur; import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.Connector; import org.onap.aaf.cadi.CredVal; +import org.onap.aaf.cadi.CredValDomain; import org.onap.aaf.cadi.Locator; import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.Lur; @@ -111,13 +112,6 @@ public class Config { public static final String CADI_OAUTH2_URL="cadi_oauth2_url"; public static final String CADI_TOKEN_DIR = "cadi_token_dir"; - public static final String CSP_DOMAIN = "csp_domain"; - public static final String CSP_HOSTNAME = "csp_hostname"; - public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost"; - public static final String CSP_USER_HEADER = "CSP_USER"; - public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf"; - public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file"; - public static final String HTTPS_PROTOCOLS = "https.protocols"; public static final String HTTPS_CIPHER_SUITES = "https.cipherSuites"; public static final String HTTPS_CLIENT_PROTOCOLS="jdk.tls.client.protocols"; @@ -277,7 +271,7 @@ public class Config { ///////////////////////////////////////////////////// // Configure Client Cert TAF ///////////////////////////////////////////////////// - + X509Taf x509TAF = null; String truststore = logProp(access, CADI_TRUSTSTORE,null); if(truststore!=null) { String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD,null); @@ -290,7 +284,7 @@ public class Config { } } try { - htlist.add(new X509Taf(access,lur)); + htlist.add(x509TAF=new X509Taf(access,lur)); access.log(Level.INIT,"Certificate Authorization enabled"); } catch (SecurityException e) { access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e); @@ -339,7 +333,16 @@ public class Config { if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.", " There will be no additional warning if Basic Auth is used on an insecure channel" ); - htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn)); + BasicHttpTaf bht = new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn); + for(Object o : additionalTafLurs) { + if(o instanceof CredValDomain) { + bht.add((CredValDomain)o); + } + } + if(x509TAF!=null) { + x509TAF.add(bht); + } + htlist.add(bht); access.log(Level.INIT,"Basic Authorization is enabled"); } } else { @@ -443,8 +446,18 @@ public class Config { ///////////////////////////////////////////////////// if(additionalTafLurs!=null) { for(Object additional : additionalTafLurs) { - if(additional instanceof HttpTaf) { - htlist.add((HttpTaf)additional); + if(additional instanceof BasicHttpTaf) { + BasicHttpTaf ht = (BasicHttpTaf)additional; + for(Object cv : additionalTafLurs) { + if(cv instanceof CredValDomain) { + ht.add((CredValDomain)cv); + access.printf(Level.INIT,"%s Authentication is enabled",cv); + } + } + htlist.add(ht); + } else if(additional instanceof HttpTaf) { + HttpTaf ht = (HttpTaf)additional; + htlist.add(ht); access.printf(Level.INIT,"%s Authentication is enabled",additional.getClass().getSimpleName()); } else if(hasOAuthDirectTAF) { Class<?> daupCls; diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java index 22ba702c..a235f1d4 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java @@ -36,11 +36,12 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred { private String name = null; private String shortName = null; + private String domain; private byte[] cred = null; - private long created; - public BasicPrincipal(String content,String domain) throws IOException { + + public BasicPrincipal(String content,String defaultDomain) throws IOException { created = System.currentTimeMillis(); ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes()); // Read past "Basic ", ensuring it starts with it. @@ -61,13 +62,15 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred { shortName=name.substring(0, at); } else { shortName = name; - name = name + '@' + domain; + domain=defaultDomain; + name = name + '@' + defaultDomain; } } public BasicPrincipal(BasicCred bc, String domain) { name = bc.getUser(); cred = bc.getCred(); + this.domain = domain; } private class BasicOS extends OutputStream { @@ -102,6 +105,10 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred { return shortName; } + public String getDomain() { + return domain; + } + public byte[] getCred() { return cred; } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java index 16f62171..200b8174 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java @@ -26,31 +26,30 @@ import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.util.regex.Pattern; -import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.GetCred; +import org.onap.aaf.cadi.taf.basic.BasicHttpTaf; public class X509Principal extends BearerPrincipal implements GetCred { private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*"); private final X509Certificate cert; private final String name; - private TagLookup tagLookup; - private byte[] content; + private byte[] content; + private BasicHttpTaf bht; public X509Principal(String identity, X509Certificate cert) { name = identity; content = null; this.cert = cert; - tagLookup = null; } - public X509Principal(String identity, X509Certificate cert, byte[] content) { + public X509Principal(String identity, X509Certificate cert, byte[] content, BasicHttpTaf bht) { name = identity; this.content = content; this.cert = cert; - tagLookup = null; + this.bht = bht; } - public X509Principal(X509Certificate cert, byte[] content) throws IOException { + public X509Principal(X509Certificate cert, byte[] content, BasicHttpTaf bht) throws IOException { this.content=content; this.cert = cert; String _name = null; @@ -70,7 +69,7 @@ public class X509Principal extends BearerPrincipal implements GetCred { throw new IOException("X509 does not have Identity as CN"); } name = _name; - tagLookup = null; + this.bht = bht; } public String getAsHeader() throws IOException { @@ -106,4 +105,8 @@ public class X509Principal extends BearerPrincipal implements GetCred { return "x509"; } + public BasicHttpTaf getBasicHttpTaf() { + return bht; + } + } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java index 6d516f00..ac824d0a 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java @@ -23,18 +23,21 @@ package org.onap.aaf.cadi.taf.basic; import java.io.IOException; import java.security.Principal; +import java.util.Map; +import java.util.TreeMap; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.BasicCred; import org.onap.aaf.cadi.CachedPrincipal; -import org.onap.aaf.cadi.CredVal; -import org.onap.aaf.cadi.Taf; -import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.CredVal; import org.onap.aaf.cadi.CredVal.Type; +import org.onap.aaf.cadi.CredValDomain; +import org.onap.aaf.cadi.Taf; import org.onap.aaf.cadi.principal.BasicPrincipal; import org.onap.aaf.cadi.principal.CachedBasicPrincipal; import org.onap.aaf.cadi.taf.HttpTaf; @@ -60,6 +63,7 @@ public class BasicHttpTaf implements HttpTaf { private Access access; private String realm; private CredVal rbac; + private Map<String,CredVal> rbacs = new TreeMap<>(); private boolean warn; private long timeToLive; @@ -71,6 +75,10 @@ public class BasicHttpTaf implements HttpTaf { this.timeToLive = timeToLive; } + public void add(final CredValDomain cvd) { + rbacs.put(cvd.domain(), cvd); + } + /** * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms. * @see Taf @@ -84,10 +92,16 @@ public class BasicHttpTaf implements HttpTaf { return DenialOfServiceTaf.respDenyID(access,bc.getUser()); } CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive); + + // Be able to do Organizational specific lookups by Domain + CredVal cv = rbacs.get(bp.getDomain()); + if(cv==null) { + cv = rbac; + } + // ONLY FOR Last Ditch DEBUGGING... // access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred())); - - if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) { + if(cv.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) { return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false); } else { //TODO may need timed retries in a given time period @@ -107,10 +121,16 @@ public class BasicHttpTaf implements HttpTaf { if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) { return DenialOfServiceTaf.respDenyID(access,ba.getName()); } + + final int at = ba.getName().indexOf('@'); + CredVal cv = rbacs.get(ba.getName().substring(at+1)); + if(cv==null) { + cv = rbac; // default + } // ONLY FOR Last Ditch DEBUGGING... // access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred())); - if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) { + if(cv.validate(ba.getShortName(), Type.PASSWORD, ba.getCred(), req)) { return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false); } else { //TODO may need timed retries in a given time period @@ -146,7 +166,19 @@ public class BasicHttpTaf implements HttpTaf { } return sb.toString(); } + + public void addCredVal(final String realm, final CredVal cv) { + rbacs.put(realm, cv); + } + public CredVal getCredVal(String key) { + CredVal cv = rbacs.get(key); + if(cv==null) { + cv = rbac; + } + return cv; + } + @Override public Resp revalidate(CachedPrincipal prin, Object state) { if(prin instanceof BasicPrincipal) { @@ -162,4 +194,5 @@ public class BasicHttpTaf implements HttpTaf { public String toString() { return "Basic Auth enabled on realm: " + realm; } + } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java index 66683dcd..dc07bb90 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java @@ -36,12 +36,13 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CachedPrincipal.Resp; import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.CredVal; import org.onap.aaf.cadi.Lur; import org.onap.aaf.cadi.Symm; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.CachedPrincipal.Resp; import org.onap.aaf.cadi.Taf.LifeForm; import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.config.SecurityInfo; @@ -51,6 +52,7 @@ import org.onap.aaf.cadi.principal.X509Principal; import org.onap.aaf.cadi.taf.HttpTaf; import org.onap.aaf.cadi.taf.TafResp; import org.onap.aaf.cadi.taf.TafResp.RESP; +import org.onap.aaf.cadi.taf.basic.BasicHttpTaf; import org.onap.aaf.cadi.util.Split; public class X509Taf implements HttpTaf { @@ -65,6 +67,7 @@ public class X509Taf implements HttpTaf { private ArrayList<String> cadiIssuers; private String env; private SecurityInfo si; + private BasicHttpTaf bht; static { try { @@ -150,7 +153,7 @@ public class X509Taf implements HttpTaf { String[] sa = Split.splitTrim(':', subject, temp+3,end); if(sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment return new X509HttpTafResp(access, - new X509Principal(sa[0], certarr[0],(byte[])null), + new X509Principal(sa[0], certarr[0],(byte[])null,bht), "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED); } } @@ -259,4 +262,16 @@ public class X509Taf implements HttpTaf { return null; } + public void add(BasicHttpTaf bht) { + this.bht = bht; + } + + public CredVal getCredVal(final String key) { + if(bht==null) { + return null; + } else { + return bht.getCredVal(key); + } + } + } diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java index e62dda4f..0857a870 100644 --- a/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java @@ -67,7 +67,7 @@ public class JU_X509Principal { @Test public void constructor2Test() throws IOException { - X509Principal x509 = new X509Principal(name, cert, cred); + X509Principal x509 = new X509Principal(name, cert, cred,null); // Call twice to hit both branches assertThat(x509.getAsHeader(), is("X509 " + cred)); assertThat(x509.toString(), is("X509 Authentication for " + name)); @@ -81,7 +81,7 @@ public class JU_X509Principal { final String longName = "name@domain"; when(subject.getName()).thenReturn("OU=" + longName + ",extra"); when(cert.getSubjectDN()).thenReturn(subject); - X509Principal x509 = new X509Principal(cert, cred); + X509Principal x509 = new X509Principal(cert, cred,null); // Call twice to hit both branches assertThat(x509.getAsHeader(), is("X509 " + cred)); assertThat(x509.toString(), is("X509 Authentication for " + longName)); @@ -91,7 +91,7 @@ public class JU_X509Principal { when(subject.getName()).thenReturn(longName + ",extra"); when(cert.getSubjectDN()).thenReturn(subject); try { - x509 = new X509Principal(cert, cred); + x509 = new X509Principal(cert, cred, null); fail("Should have thrown an Exception"); } catch(IOException e) { assertThat(e.getMessage(), is("X509 does not have Identity as CN")); @@ -100,7 +100,7 @@ public class JU_X509Principal { when(subject.getName()).thenReturn("OU=" + longName); when(cert.getSubjectDN()).thenReturn(subject); try { - x509 = new X509Principal(cert, cred); + x509 = new X509Principal(cert, cred, null); fail("Should have thrown an Exception"); } catch(IOException e) { assertThat(e.getMessage(), is("X509 does not have Identity as CN")); @@ -109,7 +109,7 @@ public class JU_X509Principal { when(subject.getName()).thenReturn("OU=" + name + ",exta"); when(cert.getSubjectDN()).thenReturn(subject); try { - x509 = new X509Principal(cert, cred); + x509 = new X509Principal(cert, cred, null); fail("Should have thrown an Exception"); } catch(IOException e) { assertThat(e.getMessage(), is("X509 does not have Identity as CN")); |