summaryrefslogtreecommitdiffstats
path: root/auth/auth-cass
diff options
context:
space:
mode:
Diffstat (limited to 'auth/auth-cass')
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsDAO.java1
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/PermDAO.java28
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java9
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java39
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFUserPass.java15
-rw-r--r--auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/cass/JU_RoleDAO.java2
-rw-r--r--auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLur.java4
-rw-r--r--auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFUserPass.java2
8 files changed, 82 insertions, 18 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsDAO.java
index f769e38c..10e7844c 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsDAO.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsDAO.java
@@ -64,6 +64,7 @@ public class NsDAO extends CassDAOImpl<AuthzTrans,NsDAO.Data> {
public static final String TABLE = "ns";
public static final String TABLE_ATTRIB = "ns_attrib";
public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F
+ public static final int USER = 0;
public static final int ROOT = 1;
public static final int COMPANY=2;
public static final int APP = 3;
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/PermDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/PermDAO.java
index 6e1057b8..3b77a577 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/PermDAO.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/PermDAO.java
@@ -93,11 +93,26 @@ public class PermDAO extends CassDAOImpl<AuthzTrans,PermDAO.Data> {
}
public String fullType() {
- return ns + '.' + type;
+ StringBuilder sb = new StringBuilder();
+ if(ns==null) {
+ sb.append('.');
+ } else {
+ sb.append(ns);
+ sb.append(ns.indexOf('@')<0?'.':':');
+ }
+ sb.append(type);
+ return sb.toString();
}
public String fullPerm() {
- return ns + '.' + type + '|' + instance + '|' + action;
+ StringBuilder sb = new StringBuilder(ns);
+ sb.append(ns.indexOf('@')<0?'.':':');
+ sb.append(type);
+ sb.append('|');
+ sb.append(instance);
+ sb.append('|');
+ sb.append(action);
+ return sb.toString();
}
public String encode() {
@@ -193,17 +208,26 @@ public class PermDAO extends CassDAOImpl<AuthzTrans,PermDAO.Data> {
Data rv = new PermDAO.Data();
if (rdns.isOKhasData()) {
switch(s.length) {
+ case 4:
+ rv.ns=s[0];
+ rv.type=s[1];
+ rv.instance=s[2];
+ rv.action=s[3];
+ break;
case 3:
+ rv.ns=s[0];
rv.type=s[1];
rv.instance=s[2];
rv.action=s[3];
break;
case 2:
+ rv.ns=s[0];
rv.type=s[1];
rv.instance=s[2];
rv.action=STAR;
break;
default:
+ rv.ns=s[0];
rv.type=s[1];
rv.instance = STAR;
rv.action = STAR;
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java
index 127dd4e2..e31e1e6a 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java
@@ -106,7 +106,14 @@ public class RoleDAO extends CassDAOImpl<AuthzTrans,RoleDAO.Data> {
}
public String fullName() {
- return ns + '.' + name;
+ StringBuilder sb = new StringBuilder();
+ if(ns==null) {
+ sb.append('.');
+ } else {
+ sb.append(ns.indexOf('@')<0?'.':':');
+ }
+ sb.append(name);
+ return sb.toString();
}
public String encode() {
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
index 2c98a9bc..7160edec 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
@@ -187,6 +187,7 @@ public class Question {
private final CacheInfoDAO cacheInfoDAO;
private final int cldays;
+ private final boolean alwaysSpecial;
public Question(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
PERMS = trans.slot("USER_PERMS");
@@ -220,6 +221,8 @@ public class Question {
AbsCassDAO.primePSIs(trans);
cldays = Integer.parseInt(trans.getProperty(Config.AAF_CRED_WARN_DAYS, Config.AAF_CRED_WARN_DAYS_DFT));
+
+ alwaysSpecial = Boolean.parseBoolean(trans.getProperty("aaf_always_special", Boolean.FALSE.toString()));
}
public void startTimers(AuthzEnv env) {
@@ -612,6 +615,17 @@ public class Question {
}
public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user,PermDAO.Data pdd, Access access) {
+ if(pdd.ns.indexOf('@')>-1) {
+ if(user.equals(pdd.ns)) {
+ NsDAO.Data ndd = new NsDAO.Data();
+ ndd.name = user;
+ ndd.type = NsDAO.USER;
+ ndd.parent = "";
+ return Result.ok(ndd);
+ } else {
+ return Result.err(Result.ERR_Security,"Only a User may modify User");
+ }
+ }
Result<NsDAO.Data> rnsd = deriveNs(trans, pdd.ns);
if (rnsd.isOK()) {
return mayUser(trans, user, rnsd.value, pdd, access);
@@ -831,6 +845,7 @@ public class Question {
byte[] md5=Hash.hashMD5(cred);
if (Hash.compareTo(md5,dbcred)==0) {
checkLessThanDays(trans,cldays,now,cdd);
+ trans.setTag(cdd.tag);
return Result.ok(cdd.expires);
} else if (debug!=null) {
load(debug, cdd);
@@ -844,6 +859,7 @@ public class Question {
if (Hash.compareTo(hash,dbcred)==0) {
checkLessThanDays(trans,cldays,now,cdd);
+ trans.setTag(cdd.tag);
return Result.ok(cdd.expires);
} else if (debug!=null) {
load(debug, cdd);
@@ -858,34 +874,41 @@ public class Question {
} else {
if (expired==null || expired.before(cdd.expires)) {
expired = cdd.expires;
+ trans.setTag(cdd.tag);
}
}
} // end for each
- if (debug==null) {
- trans.audit().printf("No cred matches ip=%s, user=%s\n",trans.ip(),user);
- } else {
- trans.audit().printf("No cred matches ip=%s, user=%s %s\n",trans.ip(),user,debug.toString());
- }
+
if (expired!=null) {
// Note: this is only returned if there are no good Credentials
rv = Result.err(Status.ERR_Security,
- "Credentials %s from %s expired %s",trans.user(), trans.ip(), Chrono.dateTime(expired));
+ "Credentials expired %s",Chrono.utcStamp(expired));
+ } else {
+ if (debug==null && alwaysSpecial) {
+ debug = new StringBuilder();
+ }
+ if (debug!=null) {
+ debug.append(trans.env().encryptor().encrypt(new String(cred)));
+ rv = Result.err(Status.ERR_Security,String.format("invalid password - %s",debug.toString()));
+ }
}
}
} else {
return Result.err(result);
}
- return rv == null ? Result.create((Date) null, Status.ERR_Security, "Wrong credential") : rv;
+ return rv == null ? Result.err(Status.ERR_Security, "Wrong credential") : rv;
}
private void load(StringBuilder debug, Data cdd) {
- debug.append("DB Entry: user=");
+ debug.append("\nDB Entry: user=");
debug.append(cdd.id);
debug.append(",type=");
debug.append(cdd.type);
debug.append(",expires=");
debug.append(Chrono.dateTime(cdd.expires));
+ debug.append(",tag=");
+ debug.append(cdd.tag);
debug.append('\n');
}
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFUserPass.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFUserPass.java
index 3ef532b4..62e1592f 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFUserPass.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFUserPass.java
@@ -52,8 +52,13 @@ public class DirectAAFUserPass implements CredVal {
@Override
public boolean validate(String user, Type type, byte[] pass, Object state) {
+ if(user==null || type==null || pass==null) {
+ return false;
+ }
+
try {
AuthzTrans trans;
+ boolean transfer = false;
if (state !=null) {
if (state instanceof AuthzTrans) {
trans = (AuthzTrans)state;
@@ -61,19 +66,23 @@ public class DirectAAFUserPass implements CredVal {
trans = env.newTransNoAvg();
if (state instanceof HttpServletRequest) {
trans.set((HttpServletRequest)state);
+ transfer=true;
}
}
} else {
trans = env.newTransNoAvg();
}
Result<Date> result = question.doesUserCredMatch(trans, user, pass);
- trans.logAuditTrail(env.info());
+ if(transfer) {
+ ((HttpServletRequest)state).setAttribute("CRED_TAG", trans.getTag());
+ }
+ trans.logAuditTrail(env.debug());
switch(result.status) {
case OK:
return true;
default:
- String ip = trans.ip()==null?"":(", ip="+trans.ip());
- env.warn().log(user, "failed password validation" + ip + ':',result.errorString());
+ String ip = trans.ip()==null?"":trans.ip();
+ env.audit().printf("user=%s,tag=%s,ip=%s,msg=\"failed password validation: %s\"",user,trans.getTag(),ip,result.errorString());
}
} catch (DAOException e) {
env.error().log(e,"Cannot validate user/pass from cassandra");
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/cass/JU_RoleDAO.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/cass/JU_RoleDAO.java
index 16f05aa3..fa023af3 100644
--- a/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/cass/JU_RoleDAO.java
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/cass/JU_RoleDAO.java
@@ -430,7 +430,7 @@ public class JU_RoleDAO {
}
@Test
- public void testWasMOdified() {
+ public void testWasModified() {
TimeTaken tt = Mockito.mock(TimeTaken.class);
Mockito.doReturn(tt).when(trans).start("RoleDAO CREATE", Env.REMOTE);
Mockito.doReturn(tt).when(trans).start("Clear Reset Deque", Env.SUB);
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLur.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLur.java
index 05077438..f0f3c5d0 100644
--- a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLur.java
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLur.java
@@ -237,7 +237,7 @@ public class JU_DirectAAFLur {
assertFalse(pp.match(null));
- pond = new AAFPermission("null.test", "name", "instance", "action");
- pp.match(pond);
+ pond = new AAFPermission("test.test", "test", "test", "test");
+ assertTrue(pp.match(pond));
}
}
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFUserPass.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFUserPass.java
index ca0a8917..c767aeb5 100644
--- a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFUserPass.java
+++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFUserPass.java
@@ -125,7 +125,7 @@ public class JU_DirectAAFUserPass {
}
boolean retVal = aafLocatorObj.validate(null, null, null, null);
- assertTrue(retVal);
+ assertFalse(retVal);
}
@Test