Diffstat (limited to 'auth/auth-certman/src')
7 files changed, 83 insertions, 46 deletions
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
index 7dea9f07..aa5c1daf 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
@@ -40,6 +40,7 @@ import org.onap.aaf.auth.cm.facade.FacadeFactory;
 import org.onap.aaf.auth.cm.mapper.Mapper.API;
 import org.onap.aaf.auth.cm.service.CMService;
 import org.onap.aaf.auth.cm.service.Code;
+import org.onap.aaf.auth.cm.validation.CertmanValidator;
 import org.onap.aaf.auth.dao.CassAccess;
 import org.onap.aaf.auth.dao.cass.LocateDAO;
 import org.onap.aaf.auth.direct.DirectLocatorCreator;
@@ -72,6 +73,7 @@ import com.datastax.driver.core.Cluster;
 public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
 private static final String USER_PERMS = "userPerms";
+ private static final String CM_ALLOW_TMP = "cm_allow_tmp";
 private static final Map<String,CA> certAuths = new TreeMap<>();
 public static Facade1_0 facade1_0; // this is the default Facade
 public static Facade1_0 facade1_0_XML; // this is the XML Facade
@@ -106,6 +108,13 @@ public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
 if (aafEnv==null) {
 throw new APIException("aaf_env needs to be set");
 }
+
+ // Check for allowing /tmp in Properties
+ String allowTmp = env.getProperty(CM_ALLOW_TMP);
+ if("true".equalsIgnoreCase(allowTmp)) {
+ CertmanValidator.allowTmp();
+ }
+
 // Initialize Facade for all uses
 AuthzTrans trans = env.newTrans();
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
index 10da10d9..26b4e2aa 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
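Review bot: The `cm_allow_tmp` switch in the hunk at line 106 flips a process-wide static in CertmanValidator silently, whereas the comparable CM_ALLOW_IGNORE_IPS switch in CMService logs at INIT that a safety check has been relaxed; this block should log the same way so the startup log shows that /tmp deployment is permitted. The property name is a string literal local to AAF_CM rather than a constant alongside Config.CM_ALLOW_IGNORE_IPS, which makes it easy to misspell in properties files and hard to discover. A comment on the block would record the intent, e.g. `// Relaxes CertmanValidator's /tmp rejection for the whole JVM; intended for non-production setups (confirm)`. The enclosing method starts and ends outside the hunk.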
@@ -73,10 +73,11 @@ public abstract class CA {
 this.env = env;
 this.env_tag = env==null || env.isEmpty()?false: Boolean.parseBoolean(access.getProperty(CM_CA_ENV_TAG, Boolean.FALSE.toString()));
- permNS = CM_CA_PREFIX + name;
- permType = access.getProperty(permNS + ".perm_type",null);
+ permNS=null;
+ String prefix = CM_CA_PREFIX + name;
+ permType = access.getProperty(prefix + ".perm_type",null);
 if (permType==null) {
- throw new CertException(permNS + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
+ throw new CertException(prefix + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
 }
 caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null));
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
index 663cee82..22243ae4 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
@@ -24,6 +24,7 @@ package org.onap.aaf.auth.cm.mapper;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 import org.onap.aaf.auth.cm.data.CertDrop;
 import org.onap.aaf.auth.cm.data.CertRenew;
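Review bot: `permNS=null;` leaves the field that `getPermNS()` presumably returns unset, yet CMService (hunk at line 474 further down in this diff) still builds the DOMAIN check as `new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN)`; whether a null namespace there means "derive from type", denies every wildcard-domain request, or matches a permission other than the intended one depends on AAFPermission and should be confirmed before merge, since that check is what gates domain artifacts. If the field is being retired, a comment such as `// permNS is no longer derived from CM_CA_PREFIX + name; the permission namespace now comes from permType alone` would record the intent, and the assignment could then go with the field. The constructor containing this hunk starts and ends outside it.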
@@ -219,31 +220,31 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 List<ArtiDAO.Data> ladd = new ArrayList<>();
 for (Artifact arti : artifacts.getArtifact()) {
 ArtiDAO.Data data = new ArtiDAO.Data();
- data.mechid = arti.getMechid();
- data.machine = arti.getMachine();
- data.type(true).addAll(arti.getType());
- data.ca = arti.getCa();
- data.dir = arti.getDir();
- data.os_user = arti.getOsUser();
+ data.mechid = trim(arti.getMechid());
+ data.machine = trim(arti.getMachine());
+ if(arti.getType()!=null) {
+ Set<String> ss = data.type(true);
+ for(String t : arti.getType()) {
+ ss.add(trim(t));
+ }
+ }
+ data.ca = trim(arti.getCa());
+ data.dir = trim(arti.getDir());
+ data.os_user = trim(arti.getOsUser());
 // Optional (on way in)
- data.ns = arti.getNs();
+ data.ns = trim(arti.getNs());
 data.renewDays = arti.getRenewDays();
- data.notify = arti.getNotification();
+ data.notify = trim(arti.getNotification());
 // Ignored on way in for create/update
- data.sponsor = arti.getSponsor();
- data.expires = null;
-
- // Derive Optional Data from Machine (Domain) if exists
- if (data.machine!=null) {
- if (data.ca==null && data.machine.endsWith(".att.com")) {
- data.ca = "aaf"; // default
- }
- if (data.ns==null ) {
- data.ns=FQI.reverseDomain(data.machine);
- }
+ data.sponsor = (arti.getSponsor());
+ if(arti.getSans()!=null) {
+ Set<String> ls = data.sans(true);
+ for(String t : arti.getSans()) {
+ ls.add(trim(t));
+ }
 }
- data.sans(true).addAll(arti.getSans());
+ data.expires = null;
 ladd.add(data);
 }
 return ladd;
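Review bot: `data.sponsor = (arti.getSponsor());` is the one incoming string in this loop not passed through `trim`, and the stray parentheses suggest it was meant to be `data.sponsor = trim(arti.getSponsor());` as in the outgoing mapper below and in Mapper2_0. The removal of the `.att.com` CA default and of `ns` derivation from the machine name deserves a comment, because together with the new `match("NS must be dot separated AlphaNumeric",a.ns,NAME_CHARS)` check in CertmanValidator a request that omits ns is now rejected where it used to be defaulted, e.g. `// ns and ca are no longer derived from machine; callers must supply them explicitly`. `data.expires = null;` has also drifted away from the `// Ignored on way in for create/update` comment it belongs with. The method starts outside the hunk.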
@@ -258,17 +259,21 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 Artifacts artis = new Artifacts();
 for (ArtiDAO.Data arti : lArtiDAO.value) {
 Artifact a = new Artifact();
- a.setMechid(arti.mechid);
- a.setMachine(arti.machine);
- a.setSponsor(arti.sponsor);
- a.setNs(arti.ns);
- a.setCa(arti.ca);
- a.setDir(arti.dir);
- a.getType().addAll(arti.type(false));
- a.setOsUser(arti.os_user);
+ a.setMechid(trim(arti.mechid));
+ a.setMachine(trim(arti.machine));
+ a.setSponsor(trim(arti.sponsor));
+ a.setNs(trim(arti.ns));
+ a.setCa(trim(arti.ca));
+ a.setDir(trim(arti.dir));
+ for(String t : arti.type(false)) {
+ a.getType().add(trim(t));
+ }
+ a.setOsUser(trim(arti.os_user));
 a.setRenewDays(arti.renewDays);
- a.setNotification(arti.notify);
- a.getSans().addAll(arti.sans(false));
+ a.setNotification(trim(arti.notify));
+ for(String t : arti.sans(false)) {
+ a.getSans().add(trim(t));
+ }
 artis.getArtifact().add(a);
 }
 return Result.ok(artis);
@@ -279,4 +284,11 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
+ private String trim(String s) {
+ if(s==null) {
+ return s;
+ } else {
+ return s.trim();
+ }
+ }
 }
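Review bot: The new `trim` helper in the hunk at line 279 duplicates the one Mapper2_0 already calls (its hunks appear further down in this diff), and it reads no instance state, so it can be static and a single expression: `private static String trim(String s) { return s == null ? null : s.trim(); }`; a shared static helper used by both mappers would avoid the copy. A one-line Javadoc stating the null contract is worth adding because callers rely on null passing through unchanged, e.g. `/** Returns {@code s} with surrounding whitespace removed, or {@code null} if {@code s} is null. */`.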
\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
index 2b9204c9..53388f67 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
@@ -210,8 +210,8 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 ArtiDAO.Data data = new ArtiDAO.Data();
 data.mechid = trim(arti.getMechid());
 data.machine = trim(arti.getMachine());
- Set<String> ss = data.type(true);
 if(arti.getType()!=null) {
+ Set<String> ss = data.type(true);
 for(String t : arti.getType()) {
 ss.add(t.trim());
 }
@@ -228,8 +228,8 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 // Ignored on way in for create/update
 data.sponsor = trim(arti.getSponsor());
 data.expires = null;
- ss = data.sans(true);
 if(arti.getSans()!=null) {
+ Set<String> ss = data.sans(true);
 for(String s : arti.getSans()) {
 ss.add(s.trim());
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 893a6b17..26b3a22a 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -90,6 +90,7 @@ public class CMService {
 private final ArtiDAO artiDAO;
 private AAF_CM certManager;
 private Boolean allowIgnoreIPs;
+ private Boolean alwaysIgnoreIPs;
 // @SuppressWarnings("unchecked")
 public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
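Review bot: Moving `Set<String> ss` inside each `if` in the Mapper2_0 hunks at lines 210 and 228 is a sound scoping fix, but the surrounding loops still call `t.trim()` and `s.trim()` on every element, whereas the parallel loops this commit adds to Mapper1_0 use the null-safe `trim(t)`; a null element in an incoming type or sans list throws NullPointerException here and is kept as a null entry there. Using `ss.add(trim(t));` and `ss.add(trim(s));` would make the two mappers behave alike (those lines are hunk context, and the enclosing method starts outside the hunk).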
@@ -110,9 +111,14 @@ public class CMService {
 "*",
 "read"
 );
- allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false"));
- if(allowIgnoreIPs) {
- trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS);
+ alwaysIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALWAYS_IGNORE_IPS, "false"));
+ if(alwaysIgnoreIPs) {
+ trans.env().access().log(Level.INIT, "DNS Evaluation for Cert Creation is turned off with " + Config.CM_ALWAYS_IGNORE_IPS );
+ } else {
+ allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false"));
+ if(allowIgnoreIPs) {
+ trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS);
+ }
 }
 }
@@ -140,7 +146,9 @@ public class CMService {
 Organization org = trans.org();
 boolean ignoreIPs;
- if(allowIgnoreIPs) {
+ if(alwaysIgnoreIPs) {
+ ignoreIPs=true;
+ } else if(allowIgnoreIPs) {
 ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
 } else {
 ignoreIPs = false;
@@ -290,7 +298,7 @@ public class CMService {
 trans.error().log("CMService var primary is null");
 } else {
 String fg = fqdns.get(i);
- if (fg!=null && fg.equals(primary.getHostName())) {
+ if (fg!=null && primary!=null && fg.equals(primary.getHostName())) {
 if (i != 0) {
 String tmp = fqdns.get(0);
 fqdns.set(0, primary.getHostName());
@@ -301,7 +309,7 @@ public class CMService {
 }
 }
 } catch (Exception e) {
- trans.debug().log(e);
+ trans.error().log(e);
 return Result.err(Status.ERR_Denied, "AppID Sponsorship cannot be determined at this time. Try later.");
 }
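Review bot: When `alwaysIgnoreIPs` is true the constructor never assigns `allowIgnoreIPs`, so as a boxed `Boolean` (field hunk at line 90) it stays null; the `else if(allowIgnoreIPs)` in the hunk at line 140 is shielded by the preceding `if(alwaysIgnoreIPs)`, but any other unboxing read of that field would throw NullPointerException. Declaring both as primitives, `private boolean allowIgnoreIPs;` and `private boolean alwaysIgnoreIPs;`, removes that failure mode and makes the default false explicit. `Config.CM_ALWAYS_IGNORE_IPS` is not in this diffstat, which is limited to auth/auth-certman/src, so presumably it is added to Config elsewhere in the same change; worth confirming. A comment on the new branch would help operators weigh the two switches, e.g. `// CM_ALWAYS_IGNORE_IPS turns DNS evaluation off for cert creation on every CA; CM_ALLOW_IGNORE_IPS only delegates that decision to a per-CA permission`.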
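Review bot: The added `primary!=null` in the hunk at line 290 looks redundant: the `} else {` it sits in is the branch that did not log `"CMService var primary is null"`, so primary should already be non-null there (inferred from the visible context; the `if` itself is outside the hunk). If a static-analysis warning prompted it, a comment such as `// primary is non-null here: checked by the enclosing if` documents that more honestly than a second test. The debug-to-error change in the hunk at line 301 is welcome, since the caller only receives the generic ERR_Denied message and the underlying exception would otherwise be invisible in production logs.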
@@ -474,7 +482,6 @@ public class CMService {
 // Policy 6: Only do Domain by Exception
 if (add.machine.startsWith("*")) { // Domain set
 CA ca = certManager.getCA(add.ca);
-
 if (!trans.fish(new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN))) {
 return Result.err(Result.ERR_Denied,
 "Domain Artifacts (%s) requires specific Permission", add.machine);
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
index f85eb44e..5835b31f 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
@@ -22,6 +22,7 @@ package org.onap.aaf.auth.cm.validation;
 import java.util.List;
+import java.util.regex.Pattern;
 import org.onap.aaf.auth.dao.cass.ArtiDAO;
 import org.onap.aaf.auth.dao.cass.ArtiDAO.Data;
@@ -47,7 +48,13 @@ public class CertmanValidator extends Validator{
 private static final String MUST_HAVE_AT_LEAST = " must have at least ";
 private static final String IS_NULL = " is null.";
 private static final String ARTIFACTS_MUST_HAVE_AT_LEAST = "Artifacts must have at least ";
-
+ private static final Pattern ALPHA_NUM = Pattern.compile("[a-zA-Z0-9]*");
+
+ private static boolean disallowTmp = true;
+ public static void allowTmp() {
+ disallowTmp=false;
+ }
+
 public CertmanValidator nullBlankMin(String name, List<String> list, int min) {
 if (list==null) {
 msg(name + IS_NULL);
@@ -72,7 +79,7 @@ public class CertmanValidator extends Validator{
 } else {
 for (ArtiDAO.Data a : list) {
 allRequired(a);
- if(a.dir!=null && a.dir.startsWith("/tmp")) {
+ if(disallowTmp && a.dir!=null && a.dir.startsWith("/tmp")) {
 msg("Certificates may not be deployed into /tmp directory (they will be removed at a random time by O/S)");
 }
 }
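Review bot: `ALPHA_NUM` is `[a-zA-Z0-9]*`, which matches the empty string, and the hunk at line 99 of this file swaps `nullOrBlank("os_user",a.os_user)` for `match("O/S User must be AlphaNumeric",a.os_user,ALPHA_NUM)`; unless `match` itself rejects null or empty input (not visible here), an artifact with no os_user now passes validation where it used to be reported. `Pattern.compile("[a-zA-Z0-9]+")` closes the empty case, and keeping the `nullOrBlank` call alongside `match` covers null. Whether O/S account names containing `_`, `-` or `.` (common for service accounts) must also be accepted should be decided explicitly and recorded on the constant, e.g. `// O/S user for deployment: letters and digits only, must be non-empty`. `disallowTmp` is a mutable static with no reset, so any test that calls `allowTmp()` affects every later test in the same JVM; a package-private reset or an instance-level setting would avoid that.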
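Review bot: The rule that `disallowTmp` now gates in the hunk at line 72 is a raw prefix test on the dir string, so `/tmp` is rejected but so is `/tmpdir`, while `/./tmp`, `//tmp` and `/var/tmp` are not caught at all; normalizing first and comparing path components, e.g. `Paths.get(a.dir).normalize().startsWith("/tmp")`, would make the check match its stated intent and needs only `java.nio.file.Paths`. A comment stating the scope would help the next reader, e.g. `// Rejects deployment under /tmp unless cm_allow_tmp is set; compares the raw dir prefix only`.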
@@ -99,7 +106,8 @@ public class CertmanValidator extends Validator{
 nullOrBlank(MACHINE, a.machine);
 nullOrBlank("ca",a.ca);
 nullOrBlank("dir",a.dir);
- nullOrBlank("os_user",a.os_user);
+ match("NS must be dot separated AlphaNumeric",a.ns,NAME_CHARS);
+ match("O/S User must be AlphaNumeric",a.os_user,ALPHA_NUM);
 // Note: AppName, Notify & Sponsor are currently not required
 }
 return this;
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java
index 4aa3d6d3..6d090398 100644
--- a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java
@@ -80,7 +80,7 @@ public class JU_CertmanValidator {
 public void artisRequired_shouldReportErrorWhenArtifactDoesNotHaveAllRequiredFields() {
 certmanValidator.artisRequired(newArrayList(newArtifactData("id", "", "ca", "dir", "user")), 1);
- assertEquals("machine is blank.\n", certmanValidator.errs());
+ assertEquals("machine is blank.\n" + "NS must be dot separated AlphaNumeric\n", certmanValidator.errs());
 }
 @Test
|
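Review bot: The updated assertion in the JU_CertmanValidator hunk pins the new ns check by its message text but leaves the rest of this commit's validation changes untested: nothing exercises `ALPHA_NUM` with a blank or non-alphanumeric os_user, and nothing covers the `/tmp` rule in either state of `allowTmp()`. A case such as `newArtifactData("id", "machine", "ca", "/tmp/x", "")` (constructed example; adjust to the helper's actual parameter order) would pin whether a blank os_user and a /tmp dir are still reported, and a case run after `CertmanValidator.allowTmp()` would show the gate working; because that flag is static with no reset, such a test needs its own cleanup or JVM to avoid affecting the remaining tests in the class.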