diff options
18 files changed, 299 insertions, 165 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java index 37501967..d64cff29 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java @@ -265,6 +265,16 @@ public class CredDAO extends CassDAOImpl<AuthzTrans,CredDAO.Data> { hd.memo = memo ? String.format("%s by %s", override[0], hd.user) : (modified.name() + "d credential for " + data.id); + String spacer = ": "; + if(data.notes!=null) { + hd.memo+=spacer + data.notes; + spacer = ", "; + } + + if(data.tag!=null) { + hd.memo+=spacer + data.tag; + } + // Detail? if (modified==CRUD.delete) { try { diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index 3abad1a5..22b14cb4 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java @@ -1178,9 +1178,9 @@ public class Question { } public boolean isAdmin(AuthzTrans trans, String user, String ns) { - Date now = new Date(); Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_ADMIN); if (rur.isOKhasData()) { + Date now = new Date(); for (UserRoleDAO.Data urdd : rur.value){ if (urdd.expires.after(now)) { return true; @@ -1192,8 +1192,8 @@ public class Question { public boolean isOwner(AuthzTrans trans, String user, String ns) { Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_OWNER); - Date now = new Date(); if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){ + Date now = new Date(); if (urdd.expires.after(now)) { return true; } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index 1f2b0880..85424de1 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java @@ -60,6 +60,7 @@ import org.onap.aaf.auth.org.Organization.Identity; import org.onap.aaf.auth.org.OrganizationException; import org.onap.aaf.cadi.Hash; import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.configure.Factory; @@ -88,6 +89,7 @@ public class CMService { private final CredDAO credDAO; private final ArtiDAO artiDAO; private AAF_CM certManager; + private Boolean allowIgnoreIPs; // @SuppressWarnings("unchecked") public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException { @@ -108,6 +110,10 @@ public class CMService { "*", "read" ); + allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false")); + if(allowIgnoreIPs) { + trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS); + } } public Result<CertResp> requestCert(final AuthzTrans trans, final Result<CertReq> req, final CA ca) { @@ -133,7 +139,13 @@ public class CMService { try { Organization org = trans.org(); - boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS)); + boolean ignoreIPs; + if(allowIgnoreIPs) { + ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS)); + } else { + ignoreIPs = false; + } + InetAddress primary = null; // Organize incoming information to get to appropriate Artifact @@ -164,8 +176,8 @@ public class CMService { } } else { - for (String cn : req.value.fqdns) { - if (!ignoreIPs) { + if (!ignoreIPs) { + for (String cn : req.value.fqdns) { try { InetAddress[] ias = InetAddress.getAllByName(cn); Set<String> potentialSanNames = new HashSet<>(); diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java index 8fcea294..01d001fd 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java @@ -94,10 +94,6 @@ public class AAFcli { this(access,new AuthzEnv(access.getProperties()),wtr,hman, si,ss); } - public AuthzEnv env() { - return env; - } - public AAFcli(Access access, AuthzEnv env, Writer wtr, HMangr hman, SecurityInfoC<HttpURLConnection> si, SecuritySetter<HttpURLConnection> ss) throws APIException { this.env = env; this.access = access; @@ -127,7 +123,11 @@ public class AAFcli { cmds.add(new Mgmt(this)); } - public static int timeout() { + public AuthzEnv env() { + return env; + } + + public static int timeout() { return TIMEOUT; } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java index add5aed8..e1252d87 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java @@ -26,6 +26,7 @@ import java.util.Comparator; import org.onap.aaf.auth.cmd.BaseCmd; import org.onap.aaf.auth.cmd.DeprecatedCMD; +import org.onap.aaf.auth.common.Define; import org.onap.aaf.cadi.client.Future; import org.onap.aaf.misc.env.util.Chrono; @@ -162,15 +163,8 @@ public class List extends BaseCmd<NS> { if ((type=u.getType())==null) { type = 9999; } - switch(type) { - case 0: return "NoCrd"; - case 1: return "U/P"; - case 2: return "U/P2"; - case 10: return "FQI"; - case 200: return "x509"; - default: - return "n/a"; - } + return Define.getCredType(type); } + } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java index 1dfcc17f..2d626d4e 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java @@ -122,7 +122,7 @@ public class Cred extends Cmd { pw().println(']'); } else if (fp.code()==202) { pw().println("Credential Action Accepted, but requires Approvals before actualizing"); - } else if (fp.code()==300) { + } else if (fp.code()==300 || fp.code()==406) { Error err = em.getError(fp); String text = err.getText(); List<String> vars = err.getVariables(); diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java index 46d5d052..71d61f79 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java @@ -35,7 +35,6 @@ import org.onap.aaf.misc.env.APIException; import aaf.v2_0.CredRequest; public class ID extends Cmd { - public static final String ATTEMPT_FAILED_SPECIFICS_WITHELD = "Attempt Failed. Specifics witheld."; private static final String CRED_PATH = "/authn/cred"; private static final String[] options = {"add","del"}; public ID(User parent) { @@ -98,7 +97,7 @@ public class ID extends Cmd { } else if (fp.code()==406 && option==1) { pw().println("FQI does not exist"); } else { - pw().println(ATTEMPT_FAILED_SPECIFICS_WITHELD); + pw().println(Cred.ATTEMPT_FAILED_SPECIFICS_WITHELD); } return fp.code(); } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java index 7daa51fb..444a82ab 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java @@ -48,7 +48,6 @@ public class List extends BaseCmd<User> { void report(Users users, boolean count, String ... str) { reportHead(str); - int idx = 0; java.util.List<aaf.v2_0.Users.User> sorted = users.getUser(); Collections.sort(sorted, (Comparator<aaf.v2_0.Users.User>) (u1, u2) -> { if (u1==null || u2 == null) { @@ -56,11 +55,11 @@ public class List extends BaseCmd<User> { } return u1.getId().compareTo(u2.getId()); }); - String format = reportColHead("%-48s %-5s %-11s %-16s\n","User","Type","Expires","Tag"); + String format = reportColHead("%-36s %-5s %-20s %-16s\n","User","Type","Expires","Tag"); String date = "XXXX-XX-XX"; for (aaf.v2_0.Users.User user : sorted) { if (!aafcli.isTest()) { - date = Chrono.dateOnlyStamp(user.getExpires()); + date = Chrono.niceUTCStamp(user.getExpires()); } String tag=user.getTag(); Integer type = user.getType(); @@ -70,7 +69,7 @@ public class List extends BaseCmd<User> { tag = "\n\tfingerprint: " + tag; } pw().format(format, - count? (Integer.valueOf(++idx) + ") " + user.getId()): user.getId(), + user.getId(), org.onap.aaf.auth.cmd.ns.List.getType(user), date, tag); diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java index e9c36017..800a8472 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java @@ -24,8 +24,8 @@ package org.onap.aaf.auth.common; import java.util.Map.Entry; import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.config.Config; public class Define { @@ -91,4 +91,16 @@ public class Define { return initialized; } + public static String getCredType(int type) { + switch(type) { + case 0: return "NoCrd"; + case 1: return "U/P"; + case 2: return "U/P2"; + case 10: return "FQI"; + case 200: return "x509"; + default: + return "n/a"; + } + } + } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 9a6ef7e3..295db4ac 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -2821,7 +2821,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE //Need to do the "Pick Entry" mechanism // Note, this sorts - Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, lcdd, "extend"); + Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, lcdd, MayChangeCred.EXTEND); if (ri.notOK()) { return Result.err(ri); } @@ -2835,8 +2835,11 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE cd.type = found.type; cd.ns = found.ns; cd.notes = "Extended"; - cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime(); cd.tag = found.tag; + cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime(); + if(cd.expires.before(found.expires)) { + return Result.err(Result.ERR_BadData,String.format("Credential's expiration date is more than %s days in the future",days)); + } cred = ques.credDAO().create(trans, cd); if (cred.isOK()) { @@ -2887,63 +2890,72 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } boolean isLastCred = rlcd.value.size()==1; - int entry = -1; - int fentry = entry; - if(cred.value.type==CredDAO.FQI) { - entry = -1; - for(CredDAO.Data cdd : rlcd.value) { - ++fentry; - if(cdd.type == CredDAO.FQI) { - entry = fentry; - break; - } + int entry; + CredRequest cr = (CredRequest)from; + if(isLastCred) { + if(cr.getEntry()==null || "1".equals(cr.getEntry())) { + entry = 0; + } else { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); } } else { - if (!doForce) { - if (rlcd.value.size() > 1) { - CredRequest cr = (CredRequest)from; - String inputOption = cr.getEntry(); - if (inputOption == null) { - List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); - String message = selectCredFromList(list, MayChangeCred.DELETE); - Object[] variables = buildVariables(list); - return Result.err(Status.ERR_ChoiceNeeded, message, variables); - } else { - try { - if (inputOption.length()>5) { // should be a date - Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); - for (CredDAO.Data cd : rlcd.value) { - ++fentry; - if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { - entry = fentry; - break; - } - } - } else { - entry = Integer.parseInt(inputOption) - 1; - int count = 0; - for (CredDAO.Data cd : rlcd.value) { - if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { - ++entry; - } - if(++count>entry) { - break; - } - } - } - } catch (NullPointerException e) { - return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); - } catch (NumberFormatException e) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - isLastCred = (entry==-1)?true:false; - } else { - isLastCred = true; - } - if (entry < -1 || entry >= rlcd.value.size()) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } + entry = -1; + int fentry = entry; + if(cred.value.type==CredDAO.FQI) { + entry = -1; + for(CredDAO.Data cdd : rlcd.value) { + ++fentry; + if(cdd.type == CredDAO.FQI) { + entry = fentry; + break; + } + } + } else { + if (!doForce) { + if (rlcd.value.size() > 1) { + String inputOption = cr.getEntry(); + if (inputOption == null) { + List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); + String message = selectCredFromList(list, MayChangeCred.DELETE); + Object[] variables = buildVariables(list); + return Result.err(Status.ERR_ChoiceNeeded, message, variables); + } else { + try { + if (inputOption.length()>5) { // should be a date + Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); + for (CredDAO.Data cd : rlcd.value) { + ++fentry; + if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { + entry = fentry; + break; + } + } + } else { + entry = Integer.parseInt(inputOption) - 1; + int count = 0; + for (CredDAO.Data cd : rlcd.value) { + if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { + ++entry; + } + if(++count>entry) { + break; + } + } + } + } catch (NullPointerException e) { + return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); + } catch (NumberFormatException e) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } + isLastCred = (entry==-1)?true:false; + } else { + isLastCred = true; + } + if (entry < -1 || entry >= rlcd.value.size()) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } } } @@ -3020,6 +3032,32 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE Object[] variables = buildVariables(lcd); return Result.err(Status.ERR_ChoiceNeeded, message, variables); } else { + if(MayChangeCred.EXTEND.equals(action)) { + // might be Tag + if(inputOption.length()>4) { //Tag is at least 12 + int e = 0; + CredDAO.Data last = null; + int lastIdx = -1; + for(CredDAO.Data cdd : lcd) { + if(inputOption.equals(cdd.tag)) { + if(last==null) { + last = cdd; + lastIdx = e; + } else { + if(last.expires.before(cdd.expires)) { + last = cdd; + lastIdx = e; + } + } + } + ++e; + } + if(last!=null) { + return Result.ok(lastIdx); + } + return Result.err(Status.ERR_BadData, "User chose unknown Tag"); + } + } entry = Integer.parseInt(inputOption) - 1; } if (entry < 0 || entry >= lcd.size()) { @@ -3040,20 +3078,23 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } } } + Collections.sort(rv, (o1,o2) -> { + if(o1.type==o2.type) { + return o1.expires.compareTo(o2.expires); + } else { + return o1.type.compareTo(o2.type); + } + }); return rv; } private String[] buildVariables(List<CredDAO.Data> value) { - // ensure credentials are sorted so we can fully automate Cred regression test - Collections.sort(value, (cred1, cred2) -> - cred1.type==cred2.type?cred2.expires.compareTo(cred1.expires): - cred1.type<cred2.type?-1:1); String [] vars = new String[value.size()]; CredDAO.Data cdd; for (int i = 0; i < value.size(); i++) { cdd = value.get(i); - vars[i] = cdd.id + TWO_SPACE + cdd.type + TWO_SPACE + (cdd.type<10?TWO_SPACE:"")+ cdd.expires + TWO_SPACE + cdd.tag; + vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag; } return vars; } @@ -3070,12 +3111,15 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE for (int i = 0; i < numSpaces; i++) { errMessage.append(' '); } - errMessage.append(" Type Expires Tag " + '\n'); + errMessage.append(" Type Expires Tag " + '\n'); for (int i=0;i<value.size();++i) { errMessage.append(" %s\n"); } - errMessage.append("Run same command again with chosen entry as last parameter"); - + if(MayChangeCred.EXTEND.equals(action)) { + errMessage.append("Run same command again with chosen entry or Tag as last parameter"); + } else { + errMessage.append("Run same command again with chosen entry as last parameter"); + } return errMessage.toString(); } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java index 9e21f6cd..e40743da 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java @@ -126,43 +126,47 @@ public abstract class AAFCon<CLIENT> implements Connector { if (mechid==null) { mechid=access.getProperty(Config.OAUTH_CLIENT_ID,null); } - String encpass = access.getProperty(Config.AAF_APPPASS, null); - if (encpass==null) { - encpass = access.getProperty(Config.OAUTH_CLIENT_SECRET,null); - } - if (encpass==null) { - String alias = access.getProperty(Config.CADI_ALIAS, mechid); - if (alias==null) { - access.printf(Access.Level.WARN,"%s, %s or %s required before use.", Config.CADI_ALIAS, Config.AAF_APPID, Config.OAUTH_CLIENT_ID); - set(si.defSS); - } else { - si.defSS=x509Alias(alias); - set(si.defSS); - } + String alias = access.getProperty(Config.CADI_ALIAS, null); + if(alias != null) { + si.defSS=x509Alias(alias); + set(si.defSS); } else { - if (mechid!=null) { - si.defSS=basicAuth(mechid, encpass); - set(si.defSS); - } else { - si.defSS=new SecuritySetter<CLIENT>() { - - @Override - public String getID() { - return ""; - } - - @Override - public void setSecurity(CLIENT client) throws CadiException { - throw new CadiException("AAFCon has not been initialized with Credentials (SecuritySetter)"); - } - @Override - public int setLastResponse(int respCode) { - return 0; - } - }; - set(si.defSS); - } + String encpass = access.getProperty(Config.AAF_APPPASS, null); + if (encpass==null) { + encpass = access.getProperty(Config.OAUTH_CLIENT_SECRET,null); + } + + if (encpass==null) { + if (alias==null) { + access.printf(Access.Level.WARN,"%s, %s or %s required before use.", Config.CADI_ALIAS, Config.AAF_APPID, Config.OAUTH_CLIENT_ID); + set(si.defSS); + } + } else { + if (mechid!=null) { + si.defSS=basicAuth(mechid, encpass); + set(si.defSS); + } else { + si.defSS=new SecuritySetter<CLIENT>() { + + @Override + public String getID() { + return ""; + } + + @Override + public void setSecurity(CLIENT client) throws CadiException { + throw new CadiException("AAFCon has not been initialized with Credentials (SecuritySetter)"); + } + + @Override + public int setLastResponse(int respCode) { + return 0; + } + }; + set(si.defSS); + } + } } } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java index d39fc1d6..e60b5d8a 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java @@ -60,31 +60,26 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> { public AAFConHttp(Access access, String tag) throws CadiException, LocatorException { super(access,tag,SecurityInfoC.instance(access, HttpURLConnection.class)); - bestSS(si); hman = new HMangr(access,Config.loadLocator(si, access.getProperty(tag,tag/*try the content itself*/))); } public AAFConHttp(Access access, String urlTag, SecurityInfoC<HttpURLConnection> si) throws CadiException, LocatorException { super(access,urlTag,si); - bestSS(si); hman = new HMangr(access,Config.loadLocator(si, access.getProperty(urlTag,null))); } public AAFConHttp(Access access, Locator<URI> locator) throws CadiException, LocatorException { super(access,Config.AAF_URL,SecurityInfoC.instance(access, HttpURLConnection.class)); - bestSS(si); hman = new HMangr(access,locator); } public AAFConHttp(Access access, Locator<URI> locator, SecurityInfoC<HttpURLConnection> si) throws CadiException, LocatorException, APIException { super(access,Config.AAF_URL,si); - bestSS(si); hman = new HMangr(access,locator); } public AAFConHttp(Access access, Locator<URI> locator, SecurityInfoC<HttpURLConnection> si, String tag) throws CadiException, LocatorException, APIException { super(access,tag,si); - bestSS(si); hman = new HMangr(access, locator); } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java index 98abfbf9..aa9bf138 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java @@ -140,28 +140,75 @@ public class Agent { } else { try { AAFSSO aafsso=null; - PropAccess access; + PropAccess access=null; - if (args.length>1 && args[0].equals("validate") ) { - int idx = args[1].indexOf('='); - aafsso = null; - access = new PropAccess( - (idx<0?Config.CADI_PROP_FILES:args[1].substring(0, idx))+ - '='+ - (idx<0?args[1]:args[1].substring(idx+1))); - } else { - aafsso= new AAFSSO(args, new AAFSSO.ProcessArgs() { - @Override - public Properties process(String[] args, Properties props) { - if (args.length>1) { - if (!args[0].equals("keypairgen")) { - props.put(Config.AAF_APPID, args[1]); - } - } - return props; - } - }); - access = aafsso.access(); + String hasEtc = null; + for(String a : args) { + if(a.startsWith(Config.CADI_PROP_FILES)) { + access = new PropAccess(args); + break; + } else if(a.startsWith(Config.CADI_ETCDIR)) { + int idx = a.indexOf('='); + if(idx>=0 && idx<a.length()) { + hasEtc = a.substring(idx+1); + } + } + } + + if(access==null) { + if(args.length>1 && args[1].contains("@")) { + String domain = FQI.reverseDomain(args[1]); + if(domain!=null) { + if(hasEtc==null) { + hasEtc = "."; + } + File etc = new File(hasEtc); + if(etc.exists()) { + File nsprops = new File(etc,domain+".props"); + if(nsprops.exists()) { + access = new PropAccess(new String[] {Config.CADI_PROP_FILES+'='+nsprops.getAbsolutePath()}); + } + } + } + } + } + + if(access==null) { + for(Entry<Object, Object> es : System.getProperties().entrySet()) { + if(Config.CADI_PROP_FILES.equals(es.getKey())) { + access = new PropAccess(); + } + } + } + + // When using Config file, check if Cred Exists, and if not, work with Deployer. + if(access!=null && !"config".equals(args[0]) && access.getProperty(Config.AAF_APPPASS)==null && access.getProperty(Config.CADI_ALIAS)==null) { + // not enough credentials to use Props. Use AAFSSO + access = null; + } + + if(access==null) { + if (args.length>1 && args[0].equals("validate") ) { + int idx = args[1].indexOf('='); + aafsso = null; + access = new PropAccess( + (idx<0?Config.CADI_PROP_FILES:args[1].substring(0, idx))+ + '='+ + (idx<0?args[1]:args[1].substring(idx+1))); + } else { + aafsso= new AAFSSO(args, new AAFSSO.ProcessArgs() { + @Override + public Properties process(String[] args, Properties props) { + if (args.length>1) { + if (!args[0].equals("keypairgen")) { + props.put(Config.AAF_APPID, args[1]); + } + } + return props; + } + }); + access = aafsso.access(); + } } if (aafsso!=null && aafsso.loginOnly()) { @@ -805,7 +852,7 @@ public class Agent { try { final String fqi = fqi(cmds); Artifact arti = new Artifact(); - arti.setDir(propAccess.getProperty(Config.CADI_ETCDIR, ".")); + arti.setDir(propAccess.getProperty(Config.CADI_ETCDIR, System.getProperty("user.dir"))); arti.setNs(FQI.reverseDomain(fqi)); PropHolder loc = PropHolder.get(arti, "location.props"); PropHolder cred = PropHolder.get(arti,"cred.props"); @@ -822,13 +869,20 @@ public class Agent { loc.add(tag, getProperty(propAccess, trans, false, tag, "%s: ",tag)); } + String keyfile = cred.getKeyPath(); + if(keyfile!=null) { + File fkeyfile = new File(keyfile); + if(!fkeyfile.exists()) { + ArtifactDir.write(fkeyfile,Chmod.to400,Symm.keygen()); + } + } cred.add(Config.CADI_KEYFILE, cred.getKeyPath()); final String ssoAppID = propAccess.getProperty(Config.AAF_APPID); if(fqi!=null && fqi.equals(ssoAppID)) { cred.addEnc(Config.AAF_APPPASS, propAccess, null); // only Ask for Password when starting scratch } else if(propAccess.getProperty(Config.CADI_PROP_FILES)==null) { - char[] pwd = AAFSSO.cons.readPassword("Password for %s: ", fqi); + char[] pwd = AAFSSO.cons.readPassword("Password for %s (leave blank for NO password): ", fqi); if(pwd.length>0) { cred.addEnc(Config.AAF_APPPASS, new String(pwd)); } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactScripts.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactScripts.java index 5ee1abe2..123bb9df 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactScripts.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactScripts.java @@ -24,6 +24,8 @@ package org.onap.aaf.cadi.configure; import java.io.File; import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.aaf.Defaults; +import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.util.Chmod; import org.onap.aaf.misc.env.Trans; import org.onap.aaf.misc.env.util.Chrono; @@ -55,7 +57,7 @@ public class PlaceArtifactScripts extends ArtifactDir { classpath.append(File.pathSeparatorChar); } File f = new File(pth); - classpath.append(f.getCanonicalPath().replaceAll("[0-9]+\\.[0-9]+\\.[0-9]+","*")); + classpath.append(f.getCanonicalPath().replaceAll("[0-9]+\\.[0-9]+\\.[0-9]+",Defaults.AAF_VERSION+".*")); } write(f1,Chmod.to644, @@ -63,10 +65,15 @@ public class PlaceArtifactScripts extends ArtifactDir { "# Certificate Manager Check Script\n", "# Check on Certificate, and renew if needed.\n", "# Generated by Certificate Manager " + Chrono.timeStamp()+'\n', + "# by Deployer " + trans.getProperty(Config.AAF_APPID,"") + '\n', + "#\n", "DIR="+arti.getDir()+'\n', + "APP_ID=" + arti.getMechid() + '\n', + "FQDN=" + arti.getMachine()+ '\n', "APP="+arti.getNs()+'\n', - "EMAIL="+email, - "CP=\""+classpath.toString()+"\"\n", + "EMAIL="+email+ '\n', + "JAR=\""+classpath.toString()+"\"\n", + "JAVA=\""+javaHome() + "/bin/" +"java\"\n", checkScript ); @@ -100,7 +107,6 @@ public class PlaceArtifactScripts extends ArtifactDir { return rc==null?System.getProperty("java.home"):rc; } private final static String checkScript = - "> $DIR/$APP.msg\n\n" + "function mailit {\n" + " if [ -e /bin/mail ]; then\n" + " MAILER=/bin/mail\n" + @@ -115,9 +121,8 @@ public class PlaceArtifactScripts extends ArtifactDir { " printf \"$*\" | $MAILER -s \"AAF Certman Notification for `uname -n`\" $EMAIL\n"+ " fi\n" + "}\n\n" + - javaHome() + "/bin/" +"java -cp $CP " + - Agent.class.getName() + - " cadi_prop_files=$DIR/$APP.props check 2> $DIR/$APP.STDERR > $DIR/$APP.STDOUT\n" + + "> $DIR/$APP.msg\n\n" + + "$JAVA -jar $JAR check $APP_ID $FQDN cadi_prop_files=$DIR/$APP.props 2> $DIR/$APP.STDERR > $DIR/$APP.STDOUT\n" + "case \"$?\" in\n" + " 0)\n" + " # Note: Validation will be mailed only the first day after any modification\n" + diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java index de31e661..c0ac43e9 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java @@ -381,7 +381,7 @@ public class AAFSSO { addProp(Config.AAF_LOCATE_URL, locateUrl); try { if(access.getProperty(Config.AAF_URL)==null) { - access.setProperty(Config.AAF_URL, "https://AAF_LOCATE/AAF_NS.service:2.1"); + access.setProperty(Config.AAF_URL, Defaults.AAF_ROOT+".service:"+Defaults.AAF_VERSION); } AAFCon<?> aafCon = AAFCon.newInstance(access); Future<Configuration> acf; diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java index 68a8db05..0a1f38db 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java @@ -113,7 +113,8 @@ public class CmdLine { // Jonathan. Oh, well, Deployment services need this behavior. I will put this code in, but leave it undocumented. // One still needs access to the keyfile to read. // July 2016 - thought of a tool "CMPass" to regurgitate from properties, but only if allowed. - } else if ("regurgitate".equalsIgnoreCase(args[0]) && args.length>2) { + } else if (("regurgitate".equalsIgnoreCase(args[0]) || "undigest".equalsIgnoreCase(args[0])) + && args.length>2) { try { Symm symm; FileInputStream fis = new FileInputStream(args[2]); @@ -188,7 +189,7 @@ public class CmdLine { System.out.flush(); return; } catch (IOException e) { - System.err.println("Cannot regurgitate password"); + System.err.println("Cannot undigest password"); System.err.println(" \""+ e.getMessage() + '"'); } } else if ("encode64".equalsIgnoreCase(args[0]) && args.length>1) { @@ -334,6 +335,7 @@ public class CmdLine { System.out.println(" digest [<passwd>|-i|] <keyfile> (Encrypts Password with \"keyfile\""); System.out.println(" if passwd = -i, will read StdIn"); System.out.println(" if passwd is blank, will ask securely)"); + System.out.println(" undigest <enc:...> <keyfile> (Decrypts Encoded with \"keyfile\")"); System.out.println(" passgen <digits> (Generate Password of given size)"); System.out.println(" urlgen <digits> (Generate URL field of given size)"); System.out.println(" encode64 <your text> (Encodes to Base64)"); diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java index 2655b4ce..48f5e2d1 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java @@ -228,6 +228,9 @@ public class Config { public static final String AAF_URL_CM_DEF = "https://AAF_LOCATE_URL/AAF_NS.cm:"+AAF_DEFAULT_API_VERSION; public static final String AAF_URL_HELLO = "aaf_url_hello"; public static final String CM_TRUSTED_CAS = "cm_trusted_cas"; + // let NS Owners choose with <ns>.certman aaf ignoreIPs" to ignoreIP Check for Configs + // Probably only want to allow in a DEV Env. + public static final String CM_ALLOW_IGNORE_IPS="cm_allow_ignore_ips"; public static final String PATHFILTER_URLPATTERN = "pathfilter_urlpattern"; public static final String PATHFILTER_STACK = "pathfilter_stack"; diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java index 967bf221..859f9a25 100644 --- a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java @@ -235,6 +235,7 @@ public class JU_CmdLine { " digest [<passwd>|-i|] <keyfile> (Encrypts Password with \"keyfile\"" + lineSeparator + " if passwd = -i, will read StdIn" + lineSeparator + " if passwd is blank, will ask securely)" + lineSeparator + + " undigest <enc:...> <keyfile> (Decrypts Encoded with \"keyfile\")" + lineSeparator + " passgen <digits> (Generate Password of given size)" + lineSeparator + " urlgen <digits> (Generate URL field of given size)" + lineSeparator + " encode64 <your text> (Encodes to Base64)" + lineSeparator + |