diff options
Diffstat (limited to 'auth/auth-cass')
6 files changed, 307 insertions, 73 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java index 1888b3ac..a31e7b5b 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Cached.java @@ -99,7 +99,7 @@ public class Cached<TRANS extends Trans, DATA extends Cacheable> extends Cache<T return Result.ok(); } - protected interface Getter<D> { + public interface Getter<D> { public abstract Result<List<D>> get(); }; diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassAccess.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassAccess.java index cde26117..c5ad4599 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassAccess.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassAccess.java @@ -34,6 +34,7 @@ import org.onap.aaf.misc.env.util.Split; import com.datastax.driver.core.Cluster; import com.datastax.driver.core.Cluster.Builder; +import com.datastax.driver.core.SocketOptions; import com.datastax.driver.core.policies.DCAwareRoundRobinPolicy; import com.datastax.driver.core.policies.TokenAwarePolicy; @@ -162,6 +163,7 @@ public class CassAccess { env.init().printf("Cassandra is using Default Policy, which is not DC aware"); } } + cb.withSocketOptions(new SocketOptions().setReadTimeoutMillis(6500000)); return cb.build(); } diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java index 106999d3..6bdc22bc 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedCredDAO.java @@ -26,13 +26,61 @@ import java.util.List; import org.onap.aaf.auth.dao.CIDAO; import org.onap.aaf.auth.dao.CachedDAO; import org.onap.aaf.auth.dao.cass.CredDAO; +import org.onap.aaf.auth.dao.cass.CredDAO.Data; import org.onap.aaf.auth.dao.cass.Status; import org.onap.aaf.auth.env.AuthzTrans; import org.onap.aaf.auth.layer.Result; public class CachedCredDAO extends CachedDAO<AuthzTrans, CredDAO, CredDAO.Data> { + private final ReadID readID; + private final ReadID readIDBath; + public CachedCredDAO(CredDAO dao, CIDAO<AuthzTrans> info, long expiresIn) { super(dao, info, CredDAO.CACHE_SEG, expiresIn); + if(FileGetter.isLoaded) { + readID = new ReadID() { + @Override + public Result<List<Data>> read(AuthzTrans trans, final String id) { + return FileGetter.singleton(null).getter(id).get(); + } + }; + // Both are the same... File read in only does BAth + readIDBath = readID; + } else { + readID = new ReadID() { + @Override + public Result<List<Data>> read(AuthzTrans trans, final String id) { + DAOGetter getter = new DAOGetter(trans,dao()) { + public Result<List<CredDAO.Data>> call() { + return dao().readID(trans, id); + } + }; + + Result<List<CredDAO.Data>> lurd = get(trans, id, getter); + if (lurd.isOK() && lurd.isEmpty()) { + return Result.err(Status.ERR_UserNotFound,"No User Cred found"); + } + return lurd; + } + }; + + readIDBath = new ReadID() { + @Override + public Result<List<Data>> read(AuthzTrans trans, final String id) { + DAOGetter getter = new DAOGetter(trans,dao()) { + public Result<List<CredDAO.Data>> call() { + return dao().readIDBAth(trans, id); + } + }; + + Result<List<CredDAO.Data>> lurd = get(trans, id, getter); + if (lurd.isOK() && lurd.isEmpty()) { + return Result.err(Status.ERR_UserNotFound,"No User Cred found"); + } + return lurd; + } + }; + } } /** @@ -48,19 +96,16 @@ public class CachedCredDAO extends CachedDAO<AuthzTrans, CredDAO, CredDAO.Data> return dao().readNS(trans, ns); } - + public Result<List<CredDAO.Data>> readID(AuthzTrans trans, final String id) { - DAOGetter getter = new DAOGetter(trans,dao()) { - public Result<List<CredDAO.Data>> call() { - return dao().readID(trans, id); - } - }; - - Result<List<CredDAO.Data>> lurd = get(trans, id, getter); - if (lurd.isOK() && lurd.isEmpty()) { - return Result.err(Status.ERR_UserNotFound,"No User Cred found"); - } - return lurd; + return readID.read(trans, id); + } + + public Result<List<Data>> readIDBAth(AuthzTrans trans, String id) { + return readIDBath.read(trans,id); } + private interface ReadID { + public Result<List<CredDAO.Data>> read(final AuthzTrans trans, final String id); + } } diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/FileGetter.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/FileGetter.java new file mode 100644 index 00000000..b7a6c59d --- /dev/null +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/FileGetter.java @@ -0,0 +1,149 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.auth.dao.cached; + +import java.io.IOException; +import java.nio.ByteBuffer; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.TreeMap; + +import org.onap.aaf.auth.dao.Cached.Getter; +import org.onap.aaf.auth.dao.cass.CredDAO; +import org.onap.aaf.auth.dao.cass.CredDAO.Data; +import org.onap.aaf.auth.layer.Result; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Hash; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.util.CSV; + +public class FileGetter { + private static final String AAF_FILEGETTER = "aaf_filegetter"; + public static boolean isLoaded = false; + private static FileGetter singleton; + + private Map<String,List<CredDAO.Data>> data; + private SimpleDateFormat sdf; + private FileGetter(Access access) { + if(access!=null) { + String filename = access.getProperty(AAF_FILEGETTER,null); + if(filename!=null) { + if(!isLoaded) { + data = new TreeMap<>(); + sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss+SSSS"); + CSV csv = new CSV(access, filename).setDelimiter('|'); + try { + access.log(Level.INIT, "Loading Filebased Cred from",filename); + csv.visit(row -> { + if(row.size()<1) { + access.log(Level.INIT, "Bad Row"); + } + int type; + try { + type =Integer.parseInt(row.get(1)); + } catch(Exception e) { + access.log(Level.INIT, e, "skipping ", row.get(0)); + return; + } + if(CredDAO.CERT_SHA256_RSA == type) { + return; + } + CredDAO.Data cdd = new CredDAO.Data(); + cdd.id=row.get(0); + cdd.type = type; + try { + cdd.expires = sdf.parse(row.get(2)); + cdd.cred = ByteBuffer.wrap(Hash.fromHex(row.get(3))); + cdd.notes= row.get(4); + cdd.ns = row.get(5); + cdd.other = Integer.parseInt(row.get(6)); + if(row.size()>8) { + cdd.tag = row.get(8); + } else { + cdd.tag = ""; + } + List<CredDAO.Data> lcdd = data.get(cdd.id); + if(lcdd == null) { + lcdd = new ArrayList<>(); + data.put(cdd.id, lcdd); + } + lcdd.add(cdd); + + } catch (ParseException e) { + access.log(Level.INIT, e); + } + + }); + access.printf(Level.INIT, "Filebased Cred finished..."); + isLoaded = true; + } catch( CadiException | IOException e) { + access.log(Level.ERROR, e); + } + } + } + } + } + + public static synchronized FileGetter singleton(Access access) { + if(singleton==null) { + singleton = new FileGetter(access); + } + return singleton; + + } + public Getter<CredDAO.Data> getter(String id) { + return new FGetter(id); + } + private static List<CredDAO.Data> EMPTY = new ArrayList<>(); + public class FGetter implements Getter<CredDAO.Data> { + private final List<CredDAO.Data> lcdd; + public FGetter(final String id) { + lcdd = data.get(id); + } + @Override + public Result<List<Data>> get() { + return Result.ok(lcdd==null?EMPTY:lcdd); + } + } + + public static void main(String[] args) { + PropAccess access = new PropAccess(args); + access.setProperty(AAF_FILEGETTER,"/Users/jg1555/cred.dat"); + FileGetter fg = FileGetter.singleton(access); + + for(String id : new String[] {"m01891@aaf.att.com","bogus"}) { + Getter<CredDAO.Data> g = fg.getter(id); + Result<List<CredDAO.Data>> r = g.get(); + if(r.isOKhasData()) { + for(CredDAO.Data cdd : r.value) { + System.out.println(cdd); + } + } + } + } +} + diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java index 9a2511d2..71401882 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java @@ -64,6 +64,7 @@ public class CredDAO extends CassDAOImpl<AuthzTrans,CredDAO.Data> { private CIDAO<AuthzTrans> infoDAO; private PSInfo psNS; private PSInfo psID; + private PSInfo psIDBath; public CredDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException { super(trans, CredDAO.class.getSimpleName(),cluster, keyspace, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE)); @@ -219,6 +220,15 @@ public class CredDAO extends CassDAOImpl<AuthzTrans,CredDAO.Data> { psID = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE + " WHERE id = ?", CredLoader.deflt,readConsistency); + + // NOTE: (type) in ((1),(2)) is valid for Cass 2.1.14. After 2.1.14, more obvious + // syntax of type in (1,2) is available + // ALSO, 1 & 2 STAND FOR BASIC_AUTH (MD5) AND BASIC_AUTH_SHA256(with salt). + // If more Basic Auth Protocols become available, add here but do NOT + // add X509, and there can be man Certs, and we don't need to read them every time, or + // as discovered, or provide CASS Outage due to too many Certs to read. + psIDBath = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE + + " WHERE id = ? and (type) in ((1),(2))", CredLoader.deflt,readConsistency); } /* (non-Javadoc) @@ -245,6 +255,10 @@ public class CredDAO extends CassDAOImpl<AuthzTrans,CredDAO.Data> { return psID.read(trans, R_TEXT, new Object[]{id}); } + public Result<List<Data>> readIDBAth(AuthzTrans trans, String id) { + return psIDBath.read(trans, R_TEXT, new Object[] {id}); + } + /** * Log Modification statements to History * diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index b797ca05..dddf3b51 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java @@ -31,7 +31,6 @@ import java.util.Date; import java.util.HashSet; import java.util.List; import java.util.Map; -import java.util.Random; import java.util.Set; import java.util.TreeSet; @@ -45,6 +44,7 @@ import org.onap.aaf.auth.dao.cached.CachedNSDAO; import org.onap.aaf.auth.dao.cached.CachedPermDAO; import org.onap.aaf.auth.dao.cached.CachedRoleDAO; import org.onap.aaf.auth.dao.cached.CachedUserRoleDAO; +import org.onap.aaf.auth.dao.cached.FileGetter; import org.onap.aaf.auth.dao.cass.ApprovalDAO; import org.onap.aaf.auth.dao.cass.CacheInfoDAO; import org.onap.aaf.auth.dao.cass.CertDAO; @@ -124,7 +124,7 @@ public class Question { static Slot PERMS; private static Set<String> specialLog = null; - public static final Random random = new SecureRandom(); + public static final SecureRandom random = new SecureRandom(); private static long traceID = random.nextLong(); private static Slot specialLogSlot = null; private static Slot transIDSlot = null; @@ -202,6 +202,8 @@ public class Question { permDAO = new CachedPermDAO(new PermDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn); roleDAO = new CachedRoleDAO(new RoleDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn); userRoleDAO = new CachedUserRoleDAO(new UserRoleDAO(trans, historyDAO,cacheInfoDAO), cacheInfoDAO, expiresIn); + // Create if aaf_file_cred exists with file + FileGetter.singleton(trans.env().access()); credDAO = new CachedCredDAO(new CredDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn); certDAO = new CachedCertDAO(new CertDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn); @@ -595,27 +597,35 @@ public class Question { public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user,NsDAO.Data ndd, Access access) { // <ns>.access|:role:<role name>|<read|write> String ns = ndd.name; + boolean isRoot = ns.startsWith(Define.ROOT_NS()); int last; do { if (isGranted(trans, user, ns, ACCESS, ":ns", access.name())) { return Result.ok(ndd); } + if(isRoot) { + break; + } if ((last = ns.lastIndexOf('.')) >= 0) { ns = ns.substring(0, last); } } while (last >= 0); - // com.att.aaf.ns|:<client ns>:ns|<access> - // AAF-724 - Make consistent response for May User", and not take the - // last check... too confusing. - Result<NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, ":" + ndd.name + ":ns", access.name()); - if (rv.isOK()) { - return rv; - } else if (rv.status==Result.ERR_Backend) { - return Result.err(rv); - } else { - return Result.err(Status.ERR_Denied, "[%s] may not %s in NS [%s]", - user, access.name(), ndd.name); - } + + // SAFETY - Do not allow these when NS is Root + if(!isRoot) { + // com.att.aaf.ns|:<client ns>:ns|<access> + // AAF-724 - Make consistent response for May User", and not take the + // last check... too confusing. + Result<NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, ":" + ndd.name + ":ns", access.name()); + if (rv.isOK()) { + return rv; + } else if (rv.status==Result.ERR_Backend) { + return Result.err(rv); + } + } + return Result.err(Status.ERR_Denied, "[%s] may not %s in NS [%s]", + user, access.name(), ndd.name); + } public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user, RoleDAO.Data rdd, Access access) { @@ -630,49 +640,56 @@ public class Question { } public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user, NsDAO.Data ndd, RoleDAO.Data rdd, Access access) { - // 1) Is User in the Role? - Result<List<UserRoleDAO.Data>> rurd = userRoleDAO.readUserInRole(trans, user, rdd.fullName()); - if (rurd.isOKhasData()) { - return Result.ok(ndd); + // 1) For "read", Is User in the Role is enough + if(Access.read.equals(access)) { + Result<List<UserRoleDAO.Data>> rurd = userRoleDAO.readUserInRole(trans, user, rdd.fullName()); + if (rurd.isOKhasData()) { + return Result.ok(ndd); + } } String roleInst = ":role:" + rdd.name; // <ns>.access|:role:<role name>|<read|write> String ns = rdd.ns; + boolean isRoot = ns.startsWith(Define.ROOT_NS()); int last; do { if (isGranted(trans, user, ns,ACCESS, roleInst, access.name())) { return Result.ok(ndd); } + if(isRoot) { + break; + } if ((last = ns.lastIndexOf('.')) >= 0) { ns = ns.substring(0, last); } } while (last >= 0); - // Check if Access by Global Role perm - // com.att.aaf.ns|:<client ns>:role:name|<access> - Result<NsDAO.Data> rnsd = mayUserVirtueOfNS(trans, user, ndd, ":" - + rdd.ns + roleInst, access.name()); - if (rnsd.isOK()) { - return rnsd; - } else if (rnsd.status==Result.ERR_Backend) { - return Result.err(rnsd); - } + // SAFETY - Do not allow these when NS is Root + if(!isRoot) { + // Check if Access by Global Role perm + // com.att.aaf.ns|:<client ns>:role:name|<access> + Result<NsDAO.Data> rnsd = mayUserVirtueOfNS(trans, user, ndd, ":" + + rdd.ns + roleInst, access.name()); + if (rnsd.isOK()) { + return rnsd; + } else if (rnsd.status==Result.ERR_Backend) { + return Result.err(rnsd); + } - // Check if Access to Whole NS - // AAF-724 - Make consistent response for May User", and not take the - // last check... too confusing. - Result<org.onap.aaf.auth.dao.cass.NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, - ":" + rdd.ns + ":ns", access.name()); - if (rv.isOK()) { - return rv; - } else if (rnsd.status==Result.ERR_Backend) { - return Result.err(rnsd); - } else { - return Result.err(Status.ERR_Denied, "[%s] may not %s Role [%s]", - user, access.name(), rdd.fullName()); + // Check if Access to Whole NS + // AAF-724 - Make consistent response for May User", and not take the + // last check... too confusing. + Result<org.onap.aaf.auth.dao.cass.NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, + ":" + rdd.ns + ":ns", access.name()); + if (rv.isOK()) { + return rv; + } else if (rnsd.status==Result.ERR_Backend) { + return Result.err(rnsd); + } } - + return Result.err(Status.ERR_Denied, "[%s] may not %s Role [%s]", + user, access.name(), rdd.fullName()); } public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user,PermDAO.Data pdd, Access access) { @@ -695,43 +712,50 @@ public class Question { } public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user,NsDAO.Data ndd, PermDAO.Data pdd, Access access) { + // Most common occurrence... if granted Permission if (isGranted(trans, user, pdd.ns, pdd.type, pdd.instance, pdd.action)) { return Result.ok(ndd); } + String permInst = ":perm:" + pdd.type + ':' + pdd.instance + ':' + pdd.action; // <ns>.access|:role:<role name>|<read|write> String ns = ndd.name; + boolean isRoot = ns.startsWith(Define.ROOT_NS()); int last; do { if (isGranted(trans, user, ns, ACCESS, permInst, access.name())) { return Result.ok(ndd); } + if(isRoot) { + break; + } if ((last = ns.lastIndexOf('.')) >= 0) { ns = ns.substring(0, last); } } while (last >= 0); - // Check if Access by NS perm - // com.att.aaf.ns|:<client ns>:role:name|<access> - Result<NsDAO.Data> rnsd = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + permInst, access.name()); - if (rnsd.isOK()) { - return rnsd; - } else if (rnsd.status==Result.ERR_Backend) { - return Result.err(rnsd); - } + // SAFETY - Do not allow these when NS is Root + if(!isRoot) { + // Check if Access by NS perm + // com.att.aaf.ns|:<client ns>:role:name|<access> + Result<NsDAO.Data> rnsd = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + permInst, access.name()); + if (rnsd.isOK()) { + return rnsd; + } else if (rnsd.status==Result.ERR_Backend) { + return Result.err(rnsd); + } - // Check if Access to Whole NS - // AAF-724 - Make consistent response for May User", and not take the - // last check... too confusing. - Result<NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + ":ns", access.name()); - if (rv.isOK()) { - return rv; - } else { - return Result.err(Status.ERR_Denied, - "[%s] may not %s Perm [%s|%s|%s]", user, access.name(), - pdd.fullType(), pdd.instance, pdd.action); + // Check if Access to Whole NS + // AAF-724 - Make consistent response for May User", and not take the + // last check... too confusing. + Result<NsDAO.Data> rv = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + ":ns", access.name()); + if (rv.isOK()) { + return rv; + } } - + return Result.err(Status.ERR_Denied, + "[%s] may not %s Perm [%s|%s|%s]", user, access.name(), + pdd.fullType(), pdd.instance, pdd.action); } public Result<Void> mayUser(AuthzTrans trans, DelegateDAO.Data dd, Access access) { @@ -861,7 +885,7 @@ public class Question { Result<List<CredDAO.Data>> result; TimeTaken tt = trans.start("Read DB Cred", Env.REMOTE); try { - result = credDAO.readID(trans, user); + result = credDAO.readIDBAth(trans, user); } finally { tt.done(); } |