Diffstat (limited to 'auth/auth-certman/src')
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java9
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java7
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java72
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java4
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java21
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java14
-rw-r--r--auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java2
7 files changed, 83 insertions, 46 deletions
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
index 7dea9f07..aa5c1daf 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
@@ -40,6 +40,7 @@ import org.onap.aaf.auth.cm.facade.FacadeFactory;
import org.onap.aaf.auth.cm.mapper.Mapper.API;
import org.onap.aaf.auth.cm.service.CMService;
import org.onap.aaf.auth.cm.service.Code;
+import org.onap.aaf.auth.cm.validation.CertmanValidator;
import org.onap.aaf.auth.dao.CassAccess;
import org.onap.aaf.auth.dao.cass.LocateDAO;
import org.onap.aaf.auth.direct.DirectLocatorCreator;
@@ -72,6 +73,7 @@ import com.datastax.driver.core.Cluster;
public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
private static final String USER_PERMS = "userPerms";
+ private static final String CM_ALLOW_TMP = "cm_allow_tmp";
private static final Map<String,CA> certAuths = new TreeMap<>();
public static Facade1_0 facade1_0; // this is the default Facade
public static Facade1_0 facade1_0_XML; // this is the XML Facade
@@ -106,6 +108,13 @@ public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
if (aafEnv==null) {
throw new APIException("aaf_env needs to be set");
}
+
+ // Check for allowing /tmp in Properties
+ String allowTmp = env.getProperty(CM_ALLOW_TMP);
+ if("true".equalsIgnoreCase(allowTmp)) {
+ CertmanValidator.allowTmp();
+ }
+
// Initialize Facade for all uses
AuthzTrans trans = env.newTrans();
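Review bot: The new `cm_allow_tmp` switch disables the /tmp deployment check process-wide but leaves no trace in the startup log, whereas the comparable `Config.CM_ALWAYS_IGNORE_IPS` override in CMService announces itself at `Level.INIT`. Inside the new `if("true".equalsIgnoreCase(allowTmp))` block add `env.access().log(Level.INIT, "Allowing Certificate Artifacts in /tmp via " + CM_ALLOW_TMP);` (importing `Level` if this file does not already), so operators can tell from the log that validation has been relaxed. The property key is also defined as a private constant here while its sibling `CM_ALLOW_IGNORE_IPS` lives in `Config`; keeping them together would make the override set discoverable in one place. The enclosing method starts and ends outside the hunk.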
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
index 10da10d9..26b4e2aa 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
@@ -73,10 +73,11 @@ public abstract class CA {
this.env = env;
this.env_tag = env==null || env.isEmpty()?false:
Boolean.parseBoolean(access.getProperty(CM_CA_ENV_TAG, Boolean.FALSE.toString()));
- permNS = CM_CA_PREFIX + name;
- permType = access.getProperty(permNS + ".perm_type",null);
+ permNS=null;
+ String prefix = CM_CA_PREFIX + name;
+ permType = access.getProperty(prefix + ".perm_type",null);
if (permType==null) {
- throw new CertException(permNS + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
+ throw new CertException(prefix + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
}
caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null));
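Review bot: `permNS=null;` replaces the former `CM_CA_PREFIX + name` value, yet CMService still constructs the Domain permission as `new AAFPermission(ca.getPermNS(), ca.getPermType(), add.ca, DOMAIN)`; if `getPermNS()` simply returns this field, that check now runs with a null namespace. The constructor begins outside the hunk, so a later assignment to `permNS` is not visible here; if the null is intentional, say so at the assignment, e.g. `permNS=null; // namespace is supplied per-request by the caller, not derived from the CA name`, and otherwise restore a value before the field is read. While in CMService, `certManager.getCA(add.ca)` is dereferenced immediately in that same Domain check; a null return for an unknown CA would surface as an NPE rather than a denial, which may be worth a guard.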
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
index 663cee82..22243ae4 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
@@ -24,6 +24,7 @@ package org.onap.aaf.auth.cm.mapper;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
+import java.util.Set;
import org.onap.aaf.auth.cm.data.CertDrop;
import org.onap.aaf.auth.cm.data.CertRenew;
@@ -219,31 +220,31 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
List<ArtiDAO.Data> ladd = new ArrayList<>();
for (Artifact arti : artifacts.getArtifact()) {
ArtiDAO.Data data = new ArtiDAO.Data();
- data.mechid = arti.getMechid();
- data.machine = arti.getMachine();
- data.type(true).addAll(arti.getType());
- data.ca = arti.getCa();
- data.dir = arti.getDir();
- data.os_user = arti.getOsUser();
+ data.mechid = trim(arti.getMechid());
+ data.machine = trim(arti.getMachine());
+ if(arti.getType()!=null) {
+ Set<String> ss = data.type(true);
+ for(String t : arti.getType()) {
+ ss.add(trim(t));
+ }
+ }
+ data.ca = trim(arti.getCa());
+ data.dir = trim(arti.getDir());
+ data.os_user = trim(arti.getOsUser());
// Optional (on way in)
- data.ns = arti.getNs();
+ data.ns = trim(arti.getNs());
data.renewDays = arti.getRenewDays();
- data.notify = arti.getNotification();
+ data.notify = trim(arti.getNotification());
// Ignored on way in for create/update
- data.sponsor = arti.getSponsor();
- data.expires = null;
-
- // Derive Optional Data from Machine (Domain) if exists
- if (data.machine!=null) {
- if (data.ca==null && data.machine.endsWith(".att.com")) {
- data.ca = "aaf"; // default
- }
- if (data.ns==null ) {
- data.ns=FQI.reverseDomain(data.machine);
- }
+ data.sponsor = (arti.getSponsor());
+ if(arti.getSans()!=null) {
+ Set<String> ls = data.sans(true);
+ for(String t : arti.getSans()) {
+ ls.add(trim(t));
+ }
}
- data.sans(true).addAll(arti.getSans());
+ data.expires = null;
ladd.add(data);
}
return ladd;
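Review bot: `data.sponsor = (arti.getSponsor());` is the one string field in this mapping that is not passed through `trim(...)`, and the surrounding parentheses look like a leftover from an edit; Mapper2_0 trims sponsor in the same position. Use `data.sponsor = trim(arti.getSponsor());` so the whitespace handling is uniform across fields and across the two mapper versions. The method's signature and return type lie outside the hunk.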
@@ -258,17 +259,21 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
Artifacts artis = new Artifacts();
for (ArtiDAO.Data arti : lArtiDAO.value) {
Artifact a = new Artifact();
- a.setMechid(arti.mechid);
- a.setMachine(arti.machine);
- a.setSponsor(arti.sponsor);
- a.setNs(arti.ns);
- a.setCa(arti.ca);
- a.setDir(arti.dir);
- a.getType().addAll(arti.type(false));
- a.setOsUser(arti.os_user);
+ a.setMechid(trim(arti.mechid));
+ a.setMachine(trim(arti.machine));
+ a.setSponsor(trim(arti.sponsor));
+ a.setNs(trim(arti.ns));
+ a.setCa(trim(arti.ca));
+ a.setDir(trim(arti.dir));
+ for(String t : arti.type(false)) {
+ a.getType().add(trim(t));
+ }
+ a.setOsUser(trim(arti.os_user));
a.setRenewDays(arti.renewDays);
- a.setNotification(arti.notify);
- a.getSans().addAll(arti.sans(false));
+ a.setNotification(trim(arti.notify));
+ for(String t : arti.sans(false)) {
+ a.getSans().add(trim(t));
+ }
artis.getArtifact().add(a);
}
return Result.ok(artis);
@@ -279,4 +284,11 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
+ private String trim(String s) {
+ if(s==null) {
+ return s;
+ } else {
+ return s.trim();
+ }
+ }
} \ No newline at end of file
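Review bot: The new `trim` helper reads no instance state, so it should be `private static String trim(String s) { return s == null ? null : s.trim(); }`, which also reads more directly than the if/else. Mapper2_0 appears to carry its own `trim` helper (it is called there on the same fields), so the two copies could be pulled into a shared utility rather than duplicated per mapper version. The file is also missing its trailing newline, which most formatters and diff tools will keep flagging.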
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
index 2b9204c9..53388f67 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
@@ -210,8 +210,8 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
ArtiDAO.Data data = new ArtiDAO.Data();
data.mechid = trim(arti.getMechid());
data.machine = trim(arti.getMachine());
- Set<String> ss = data.type(true);
if(arti.getType()!=null) {
+ Set<String> ss = data.type(true);
for(String t : arti.getType()) {
ss.add(t.trim());
}
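Review bot: `ss.add(t.trim());` dereferences each element of `arti.getType()`, so a null entry in the list throws an NPE, whereas the equivalent loop in Mapper1_0 goes through the null-safe helper as `ss.add(trim(t));`. Since this class already uses `trim(...)` on the scalar fields two lines above, write `ss.add(trim(t));` here and `ss.add(trim(s));` in the sans loop of the next hunk for the same reason. Scoping the `Set` inside the `if` is a good tidy-up; the enclosing loop starts outside the hunk.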
@@ -228,8 +228,8 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
// Ignored on way in for create/update
data.sponsor = trim(arti.getSponsor());
data.expires = null;
- ss = data.sans(true);
if(arti.getSans()!=null) {
+ Set<String> ss = data.sans(true);
for(String s : arti.getSans()) {
ss.add(s.trim());
}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 893a6b17..26b3a22a 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -90,6 +90,7 @@ public class CMService {
private final ArtiDAO artiDAO;
private AAF_CM certManager;
private Boolean allowIgnoreIPs;
+ private Boolean alwaysIgnoreIPs;
// @SuppressWarnings("unchecked")
public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
@@ -110,9 +111,14 @@ public class CMService {
"*",
"read"
);
- allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false"));
- if(allowIgnoreIPs) {
- trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS);
+ alwaysIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALWAYS_IGNORE_IPS, "false"));
+ if(alwaysIgnoreIPs) {
+ trans.env().access().log(Level.INIT, "DNS Evaluation for Cert Creation is turned off with " + Config.CM_ALWAYS_IGNORE_IPS );
+ } else {
+ allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false"));
+ if(allowIgnoreIPs) {
+ trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS);
+ }
}
}
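Review bot: When `alwaysIgnoreIPs` is true the `Boolean allowIgnoreIPs` field is never assigned and stays null; the later `if(alwaysIgnoreIPs) ... else if(allowIgnoreIPs)` chain happens to short-circuit before unboxing it, but any other read would NPE. Assign it unconditionally, e.g. `allowIgnoreIPs = Boolean.FALSE;` in the always-ignore branch, or declare both fields as primitive `boolean` so the default is false without relying on evaluation order. It is also worth a short comment on the field that `CM_ALWAYS_IGNORE_IPS` bypasses the per-CA permission check entirely, since that is a wider relaxation than `CM_ALLOW_IGNORE_IPS`.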
@@ -140,7 +146,9 @@ public class CMService {
Organization org = trans.org();
boolean ignoreIPs;
- if(allowIgnoreIPs) {
+ if(alwaysIgnoreIPs) {
+ ignoreIPs=true;
+ } else if(allowIgnoreIPs) {
ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
} else {
ignoreIPs = false;
@@ -290,7 +298,7 @@ public class CMService {
trans.error().log("CMService var primary is null");
} else {
String fg = fqdns.get(i);
- if (fg!=null && fg.equals(primary.getHostName())) {
+ if (fg!=null && primary!=null && fg.equals(primary.getHostName())) {
if (i != 0) {
String tmp = fqdns.get(0);
fqdns.set(0, primary.getHostName());
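Review bot: The added `primary!=null` in `if (fg!=null && primary!=null && fg.equals(primary.getHostName()))` appears redundant: the visible lines show this branch is the `else` of the `"CMService var primary is null"` log, so `primary` is already known non-null there, and `primary.getHostName()` is called unguarded a few lines later anyway. If `primary` can be reassigned inside the loop, a comment saying so would justify the check; otherwise drop it so the condition does not suggest a null path that does not exist. The loop and the enclosing try begin outside the hunk, so this is inferred from the hunk context only.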
@@ -301,7 +309,7 @@ public class CMService {
}
}
} catch (Exception e) {
- trans.debug().log(e);
+ trans.error().log(e);
return Result.err(Status.ERR_Denied,
"AppID Sponsorship cannot be determined at this time. Try later.");
}
@@ -474,7 +482,6 @@ public class CMService {
// Policy 6: Only do Domain by Exception
if (add.machine.startsWith("*")) { // Domain set
CA ca = certManager.getCA(add.ca);
-
if (!trans.fish(new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN))) {
return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission",
add.machine);
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
index f85eb44e..5835b31f 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
@@ -22,6 +22,7 @@
package org.onap.aaf.auth.cm.validation;
import java.util.List;
+import java.util.regex.Pattern;
import org.onap.aaf.auth.dao.cass.ArtiDAO;
import org.onap.aaf.auth.dao.cass.ArtiDAO.Data;
@@ -47,7 +48,13 @@ public class CertmanValidator extends Validator{
private static final String MUST_HAVE_AT_LEAST = " must have at least ";
private static final String IS_NULL = " is null.";
private static final String ARTIFACTS_MUST_HAVE_AT_LEAST = "Artifacts must have at least ";
-
+ private static final Pattern ALPHA_NUM = Pattern.compile("[a-zA-Z0-9]*");
+
+ private static boolean disallowTmp = true;
+ public static void allowTmp() {
+ disallowTmp=false;
+ }
+
public CertmanValidator nullBlankMin(String name, List<String> list, int min) {
if (list==null) {
msg(name + IS_NULL);
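Review bot: `disallowTmp` is a mutable static written by `allowTmp()` during service start-up and read on whatever threads later run `artisRequired`; with no `volatile` or other happens-before, visibility of the flip to those threads is not guaranteed. Declare it `private static volatile boolean disallowTmp = true;` and document the contract on the setter, e.g. `/** Disables the /tmp deployment check for this JVM; intended to be called once at start-up via cm_allow_tmp. */`. A one-way static toggle with no reset also makes the validator's behaviour order-dependent in tests, which is worth noting in that Javadoc.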
@@ -72,7 +79,7 @@ public class CertmanValidator extends Validator{
} else {
for (ArtiDAO.Data a : list) {
allRequired(a);
- if(a.dir!=null && a.dir.startsWith("/tmp")) {
+ if(disallowTmp && a.dir!=null && a.dir.startsWith("/tmp")) {
msg("Certificates may not be deployed into /tmp directory (they will be removed at a random time by O/S)");
}
}
@@ -99,7 +106,8 @@ public class CertmanValidator extends Validator{
nullOrBlank(MACHINE, a.machine);
nullOrBlank("ca",a.ca);
nullOrBlank("dir",a.dir);
- nullOrBlank("os_user",a.os_user);
+ match("NS must be dot separated AlphaNumeric",a.ns,NAME_CHARS);
+ match("O/S User must be AlphaNumeric",a.os_user,ALPHA_NUM);
// Note: AppName, Notify & Sponsor are currently not required
}
return this;
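Review bot: `ALPHA_NUM` is `[a-zA-Z0-9]*`, which matches the empty string, so replacing `nullOrBlank("os_user",a.os_user)` with `match("O/S User must be AlphaNumeric",a.os_user,ALPHA_NUM)` only keeps rejecting a blank os_user if `match` itself treats null/blank as a failure; `Pattern.compile("[a-zA-Z0-9]+")` makes the non-empty requirement explicit regardless. The pattern also rejects `_`, `-` and `.`, which are common in OS account names; if that tightening is intended, the message should say so, and if not the character class needs widening. `NAME_CHARS` is defined outside the hunk, so the ns rule could not be checked here.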
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java
index 4aa3d6d3..6d090398 100644
--- a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java
@@ -80,7 +80,7 @@ public class JU_CertmanValidator {
public void artisRequired_shouldReportErrorWhenArtifactDoesNotHaveAllRequiredFields() {
certmanValidator.artisRequired(newArrayList(newArtifactData("id", "", "ca", "dir", "user")), 1);
- assertEquals("machine is blank.\n", certmanValidator.errs());
+ assertEquals("machine is blank.\n" + "NS must be dot separated AlphaNumeric\n", certmanValidator.errs());
}
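Review bot: The updated assertion covers the new ns message only; the new `ALPHA_NUM` rule on os_user and the `allowTmp()` switch have no test in this hunk. A case passing an os_user such as `"bad user"` and one passing a `/tmp` dir before and after `CertmanValidator.allowTmp()` would pin both behaviours; because `allowTmp()` flips a static with no reset, that second case should run last or in its own class so it does not leak into the other tests. The rest of the test class lies outside the hunk.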
@Test