Diffstat (limited to 'auth/auth-batch/src/main/java/org/onap/aaf/auth/reports/Expiring.java')
-rw-r--r--auth/auth-batch/src/main/java/org/onap/aaf/auth/reports/Expiring.java299
1 files changed, 299 insertions, 0 deletions
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/reports/Expiring.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/reports/Expiring.java
new file mode 100644
index 00000000..6974a5db
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/reports/Expiring.java
@@ -0,0 +1,299 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.reports;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeMap;
+
+import org.onap.aaf.auth.Batch;
+import org.onap.aaf.auth.dao.cass.CredDAO;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.helpers.Cred;
+import org.onap.aaf.auth.helpers.Cred.Instance;
+import org.onap.aaf.auth.helpers.UserRole;
+import org.onap.aaf.auth.helpers.Visitor;
+import org.onap.aaf.auth.helpers.X509;
+import org.onap.aaf.auth.org.ExpireRange;
+import org.onap.aaf.auth.org.ExpireRange.Range;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.cadi.configure.Factory;
+import org.onap.aaf.cadi.util.CSV;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.misc.env.util.Chrono;
+
+
+public class Expiring extends Batch {
+
+ private static final String CSV = ".csv";
+ private static final String INFO = "info";
+ private static final String EXPIRED_OWNERS = "ExpiredOwners";
+ private int minOwners;
+ private Map<String, CSV.Writer> writerList;
+ private File logDir;
+ private ExpireRange expireRange;
+ private Date deleteDate;
+
+ public Expiring(AuthzTrans trans) throws APIException, IOException, OrganizationException {
+ super(trans.env());
+ trans.info().log("Starting Connection Process");
+
+ TimeTaken tt0 = trans.start("Cassandra Initialization", Env.SUB);
+ try {
+ TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE);
+ try {
+ session = cluster.connect();
+ } finally {
+ tt.done();
+ }
+
+ // Load Cred. We don't follow Visitor, because we have to gather up everything into Identity Anyway
+ Cred.load(trans, session);
+ UserRole.load(trans, session, UserRole.v2_0_11, new UserRole.DataLoadVisitor());
+
+ minOwners=1;
+
+ // Create Intermediate Output
+ writerList = new HashMap<>();
+ logDir = new File(logDir());
+ logDir.mkdirs();
+
+ expireRange = new ExpireRange(trans.env().access());
+ String sdate = Chrono.dateOnlyStamp(expireRange.now);
+ for( List<Range> lr : expireRange.ranges.values()) {
+ for(Range r : lr ) {
+ if(writerList.get(r.name())==null) {
+ File file = new File(logDir,r.name() + sdate +CSV);
+ CSV csv = new CSV(file);
+ CSV.Writer cw = csv.writer(false);
+ cw.row(INFO,r.name(),Chrono.dateOnlyStamp(expireRange.now),r.reportingLevel());
+ writerList.put(r.name(),cw);
+ if("Delete".equals(r.name())) {
+ deleteDate = r.getStart();
+ }
+ }
+ }
+ }
+
+ } finally {
+ tt0.done();
+ }
+ }
+
+ @Override
+ protected void run(AuthzTrans trans) {
+ try {
+ File file = new File(logDir, EXPIRED_OWNERS + Chrono.dateOnlyStamp(expireRange.now) + CSV);
+ final CSV ownerCSV = new CSV(file);
+
+ Map<String, Set<UserRole>> owners = new TreeMap<String, Set<UserRole>>();
+ trans.info().log("Process UserRoles");
+ UserRole.load(trans, session, UserRole.v2_0_11, new Visitor<UserRole>() {
+ @Override
+ public void visit(UserRole ur) {
+ // Cannot just delete owners, unless there is at least one left. Process later
+ if ("owner".equals(ur.rname())) {
+ Set<UserRole> urs = owners.get(ur.role());
+ if (urs == null) {
+ urs = new HashSet<UserRole>();
+ owners.put(ur.role(), urs);
+ }
+ urs.add(ur);
+ } else {
+ writeAnalysis(trans,ur);
+ }
+ }
+ });
+
+ // Now Process Owners, one owner Role at a time, ensuring one is left,
+ // preferably
+ // a good one. If so, process the others as normal. Otherwise, write
+ // ExpiredOwners
+ // report
+ if (!owners.values().isEmpty()) {
+ // Lazy Create file
+ CSV.Writer expOwner = null;
+ try {
+ for (Set<UserRole> sur : owners.values()) {
+ int goodOwners = 0;
+ for (UserRole ur : sur) {
+ if (ur.expires().after(expireRange.now)) {
+ ++goodOwners;
+ }
+ }
+
+ for (UserRole ur : sur) {
+ if (goodOwners >= minOwners) {
+ writeAnalysis(trans, ur);
+ } else {
+ if (expOwner == null) {
+ expOwner = ownerCSV.writer();
+ expOwner.row(INFO,EXPIRED_OWNERS,Chrono.dateOnlyStamp(expireRange.now),2);
+ }
+ expOwner.row("owner",ur.role(), ur.user(), Chrono.dateOnlyStamp(ur.expires()));
+ }
+ }
+ }
+ } finally {
+ expOwner.close();
+ }
+ }
+
+ trans.info().log("Checking for Expired Credentials");
+
+ for (Cred cred : Cred.data.values()) {
+ List<Instance> linst = cred.instances;
+ if(linst!=null) {
+ Instance lastBath = null;
+ for(Instance inst : linst) {
+ // Special Behavior: only eval the LAST Instance
+ if (inst.type == CredDAO.BASIC_AUTH || inst.type == CredDAO.BASIC_AUTH_SHA256) {
+ if(deleteDate!=null && inst.expires.before(deleteDate)) {
+ writeAnalysis(trans, cred, inst); // will go to Delete
+ } else if(lastBath==null || lastBath.expires.before(inst.expires)) {
+ lastBath = inst;
+ }
+ } else {
+ writeAnalysis(trans, cred, inst);
+ }
+ }
+ if(lastBath!=null) {
+ writeAnalysis(trans, cred, lastBath);
+ }
+ }
+ }
+
+ trans.info().log("Checking for Expired X509s");
+ X509.load(trans, session, new Visitor<X509>() {
+ @Override
+ public void visit(X509 x509) {
+ try {
+ for(Certificate cert : Factory.toX509Certificate(x509.x509)) {
+ writeAnalysis(trans, x509, (X509Certificate)cert);
+ }
+ } catch (CertificateException | IOException e) {
+ trans.error().log(e, "Error Decrypting X509");
+ }
+
+ }
+ });
+ } catch (FileNotFoundException e) {
+ trans.info().log(e);
+ }
+ }
+
+
+ private void writeAnalysis(AuthzTrans trans, UserRole ur) {
+ Range r = expireRange.getRange("ur", ur.expires());
+ if(r!=null) {
+ CSV.Writer cw = writerList.get(r.name());
+ if(cw!=null) {
+ ur.row(cw);
+ }
+ }
+ }
+
+ private void writeAnalysis(AuthzTrans trans, Cred cred, Instance inst) {
+ if(cred!=null && inst!=null) {
+ Range r = expireRange.getRange("cred", inst.expires);
+ if(r!=null) {
+ CSV.Writer cw = writerList.get(r.name());
+ if(cw!=null) {
+ cred.row(cw,inst);
+ }
+ }
+ }
+ }
+
+ private void writeAnalysis(AuthzTrans trans, X509 x509, X509Certificate x509Cert) throws IOException {
+ Range r = expireRange.getRange("x509", x509Cert.getNotAfter());
+ if(r!=null) {
+ CSV.Writer cw = writerList.get(r.name());
+ if(cw!=null) {
+ x509.row(cw,x509Cert);
+ }
+ }
+ }
+
+ /*
+ private String[] contacts(final AuthzTrans trans, final String ns, final int levels) {
+ List<UserRole> owners = UserRole.getByRole().get(ns+".owner");
+ List<UserRole> current = new ArrayList<>();
+ for(UserRole ur : owners) {
+ if(expireRange.now.before(ur.expires())) {
+ current.add(ur);
+ }
+ }
+ if(current.isEmpty()) {
+ trans.warn().log(ns,"has no current owners");
+ current = owners;
+ }
+
+ List<String> email = new ArrayList<>();
+ for(UserRole ur : current) {
+ Identity id;
+ int i=0;
+ boolean go = true;
+ try {
+ id = org.getIdentity(trans, ur.user());
+ do {
+ if(id!=null) {
+ email.add(id.email());
+ if(i<levels) {
+ id = id.responsibleTo();
+ } else {
+ go = false;
+ }
+ } else {
+ go = false;
+ }
+ } while(go);
+ } catch (OrganizationException e) {
+ trans.error().log(e);
+ }
+ }
+
+ return email.toArray(new String[email.size()]);
+ }
+*/
+
+ @Override
+ protected void _close(AuthzTrans trans) {
+ session.close();
+ for(CSV.Writer cw : writerList.values()) {
+ cw.close();
+ }
+ }
+
+}
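Review bot: The `finally` block at the end of the owner-processing section calls `expOwner.close()` unconditionally, but `expOwner` is lazily created and stays `null` whenever every owner role still has at least `minOwners` unexpired holders — the healthy case — so `run()` throws a NullPointerException there and never reaches the "Checking for Expired Credentials" and X509 passes, leaving the expiry report silently incomplete. Guard it: `if (expOwner != null) { expOwner.close(); }`. Relatedly, the outer `catch (FileNotFoundException e)` logs at `info` level, which hides a failure to produce an audit report of expiring credentials; for a report operators rely on to catch expired owners and credentials this should be `trans.error().log(e, "Unable to write expiring report")` or rethrown. The message `"Error Decrypting X509"` is also misleading since `Factory.toX509Certificate` is decoding a stored certificate, not decrypting it; `"Error Decoding X509"` would be accurate.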