Diffstat (limited to 'auth/auth-certman')
8 files changed, 279 insertions, 252 deletions
diff --git a/auth/auth-certman/pom.xml b/auth/auth-certman/pom.xml index 8237b027..69465b7d 100644 --- a/auth/auth-certman/pom.xml +++ b/auth/auth-certman/pom.xml 
@@ -1,228 +1,218 @@ <?xml version="1.0" encoding="UTF-8"?> <!-- * ============LICENSE_START==================================================== - * org.onap.aaf - * =========================================================================== - * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. - * =========================================================================== - * Licensed under the Apache License, Version 2.0 (the "License"); * you may - not use this file except in compliance with the License. * You may obtain - a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software * distributed - under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES - OR CONDITIONS OF ANY KIND, either express or implied. * See the License for - the specific language governing permissions and * limitations under the License. - * ============LICENSE_END==================================================== - * --> - + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); * you may + not use this file except in compliance with the License. * You may obtain + a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * + * Unless required by applicable law or agreed to in writing, software * distributed + under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES + OR CONDITIONS OF ANY KIND, either express or implied. * See the License for + the specific language governing permissions and * limitations under the License. 
+ * ============LICENSE_END==================================================== + * --> + <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> - <modelVersion>4.0.0</modelVersion> - <parent> - <groupId>org.onap.aaf.authz</groupId> - <artifactId>authparent</artifactId> - <version>2.1.14-SNAPSHOT</version> - <relativePath>../pom.xml</relativePath> - </parent> + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.onap.aaf.authz</groupId> + <artifactId>authparent</artifactId> + <version>2.1.16-SNAPSHOT</version> + <relativePath>../pom.xml</relativePath> + </parent> - <artifactId>aaf-auth-certman</artifactId> - <name>AAF Auth Certificate Manager</name> - <description>Certificate Manager API</description> + <artifactId>aaf-auth-certman</artifactId> + <name>AAF Auth Certificate Manager</name> + <description>Certificate Manager API</description> - <properties> - <!-- SONAR --> - <!-- <sonar.skip>true</sonar.skip> --> - <jacoco.version>0.7.7.201606060606</jacoco.version> - <sonar-jacoco-listeners.version>3.2</sonar-jacoco-listeners.version> - <sonar.core.codeCoveragePlugin>jacoco</sonar.core.codeCoveragePlugin> - <!-- Default Sonar configuration --> - <sonar.jacoco.reportPaths>target/code-coverage/jacoco-ut.exec</sonar.jacoco.reportPaths> - <sonar.jacoco.itReportPaths>target/code-coverage/jacoco-it.exec</sonar.jacoco.itReportPaths> - <!-- Note: This list should match jacoco-maven-plugin's exclusion list - below --> - <sonar.exclusions>**/gen/**,**/generated-sources/**,**/yang-gen**,**/pax/**</sonar.exclusions> - <nexusproxy>https://nexus.onap.org</nexusproxy> - <snapshotNexusPath>/content/repositories/snapshots/</snapshotNexusPath> - <releaseNexusPath>/content/repositories/releases/</releaseNexusPath> - 
<stagingNexusPath>/content/repositories/staging/</stagingNexusPath> - <sitePath>/content/sites/site/org/onap/aaf/authz/${project.artifactId}/${project.version}</sitePath> - <project.bouncyCastleVersion>1.60</project.bouncyCastleVersion> - </properties> + <properties> + <!-- SONAR --> + <!-- <sonar.skip>true</sonar.skip> --> + <jacoco.version>0.7.7.201606060606</jacoco.version> + <sonar-jacoco-listeners.version>3.2</sonar-jacoco-listeners.version> + <sonar.core.codeCoveragePlugin>jacoco</sonar.core.codeCoveragePlugin> + <!-- Default Sonar configuration --> + <sonar.jacoco.reportPaths>target/code-coverage/jacoco-ut.exec</sonar.jacoco.reportPaths> + <sonar.jacoco.itReportPaths>target/code-coverage/jacoco-it.exec</sonar.jacoco.itReportPaths> + <!-- Note: This list should match jacoco-maven-plugin's exclusion list + below --> + <sonar.exclusions>**/gen/**,**/generated-sources/**,**/yang-gen**,**/pax/**</sonar.exclusions> + <nexusproxy>https://nexus.onap.org</nexusproxy> + <snapshotNexusPath>/content/repositories/snapshots/</snapshotNexusPath> + <releaseNexusPath>/content/repositories/releases/</releaseNexusPath> + <stagingNexusPath>/content/repositories/staging/</stagingNexusPath> + <sitePath>/content/sites/site/org/onap/aaf/authz/${project.artifactId}/${project.version}</sitePath> + <project.bouncyCastleVersion>1.60</project.bouncyCastleVersion> + </properties> - <dependencies> + <dependencies> <dependency> <groupId>org.powermock</groupId> <artifactId>powermock-module-junit4-rule-agent</artifactId> <version>1.6.4</version> <scope>test</scope> </dependency> - <dependency> - <groupId>org.onap.aaf.authz</groupId> - <artifactId>aaf-auth-core</artifactId> - </dependency> - - <dependency> - <groupId>org.onap.aaf.authz</groupId> - <artifactId>aaf-auth-cass</artifactId> - </dependency> + <dependency> + <groupId>org.onap.aaf.authz</groupId> + <artifactId>aaf-auth-core</artifactId> + </dependency> - <dependency> - <groupId>org.onap.aaf.authz</groupId> - 
<artifactId>aaf-cadi-aaf</artifactId> - </dependency> - - <!-- Add the Organizations you wish to support. You can delete ONAP if - you have something else Match with Property Entry: Organization.<root ns>, - i.e. Organization.onap.org=org.onap.org.DefaultOrg --> - <dependency> - <groupId>org.onap.aaf.authz</groupId> - <artifactId>aaf-auth-deforg</artifactId> - </dependency> + <dependency> + <groupId>org.onap.aaf.authz</groupId> + <artifactId>aaf-auth-cass</artifactId> + </dependency> - <dependency> - <groupId>com.google.code.jscep</groupId> - <artifactId>jscep</artifactId> - <version>2.4.0</version> - <exclusions> - <exclusion> - <groupId>org.bouncycastle</groupId> - <artifactId>bcprov-jdk15on</artifactId> - </exclusion> - <exclusion> - <groupId>org.bouncycastle</groupId> - <artifactId>bcpkix-jdk15on</artifactId> - </exclusion> - </exclusions> - </dependency> - <!-- JSCEP does not use latest "Bouncy Castle" --> - <dependency> - <groupId>org.bouncycastle</groupId> - <artifactId>bcprov-jdk15on</artifactId> - <version>${project.bouncyCastleVersion}</version> - </dependency> - <dependency> - <groupId>org.bouncycastle</groupId> - <artifactId>bcpkix-jdk15on</artifactId> - <version>${project.bouncyCastleVersion}</version> - </dependency> - </dependencies> + <dependency> + <groupId>org.onap.aaf.authz</groupId> + <artifactId>aaf-cadi-aaf</artifactId> + </dependency> + + <!-- Add the Organizations you wish to support. You can delete ONAP if + you have something else Match with Property Entry: Organization.<root ns>, + i.e. 
Organization.onap.org=org.onap.org.DefaultOrg --> + <dependency> + <groupId>org.onap.aaf.authz</groupId> + <artifactId>aaf-auth-deforg</artifactId> + </dependency> - <build> - <plugins> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-jar-plugin</artifactId> - <configuration> - <includes> - <include>**/*.class</include> - </includes> - </configuration> - <version>2.3.1</version> - </plugin> + <dependency> + <groupId>com.google.code.jscep</groupId> + <artifactId>jscep</artifactId> + <version>2.4.0</version> + <exclusions> + <exclusion> + <groupId>org.bouncycastle</groupId> + <artifactId>bcprov-jdk15on</artifactId> + </exclusion> + <exclusion> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk15on</artifactId> + </exclusion> + </exclusions> + </dependency> + <!-- JSCEP does not use latest "Bouncy Castle" --> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcprov-jdk15on</artifactId> + <version>${project.bouncyCastleVersion}</version> + </dependency> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk15on</artifactId> + <version>${project.bouncyCastleVersion}</version> + </dependency> + </dependencies> - <!--This plugin's configuration is used to store Eclipse m2e settings - only. It has no influence on the Maven build itself. 
--> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-deploy-plugin</artifactId> - <configuration> - <skip>false</skip> - </configuration> - </plugin> - <plugin> - <groupId>org.codehaus.mojo</groupId> - <artifactId>appassembler-maven-plugin</artifactId> - <configuration> - <programs> - <program> - <mainClass>org.onap.aaf.auth.cm.AAF_CM</mainClass> - <name>cm</name> - <commandLineArguments> - <commandLineArgument>cadi_prop_files=${project.ext_root_dir}/etc/org.osaaf.aaf.cm.props</commandLineArgument> - <commandLineArgument>cadi_log_dir=${project.ext_root_dir}/logs/cm</commandLineArgument> - </commandLineArguments> - </program> - </programs> - </configuration> - </plugin> - <plugin> - <groupId>org.jacoco</groupId> - <artifactId>jacoco-maven-plugin</artifactId> - <configuration> - <excludes> - <exclude>**/gen/**</exclude> - <exclude>**/generated-sources/**</exclude> - <exclude>**/yang-gen/**</exclude> - <exclude>**/pax/**</exclude> - </excludes> - </configuration> - <executions> + <build> + <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-jar-plugin</artifactId> + <configuration> + <includes> + <include>**/*.class</include> + </includes> + </configuration> + <version>2.3.1</version> + </plugin> + <plugin> + <groupId>org.codehaus.mojo</groupId> + <artifactId>appassembler-maven-plugin</artifactId> + <configuration> + <programs> + <program> + <mainClass>org.onap.aaf.auth.cm.AAF_CM</mainClass> + <name>cm</name> + <commandLineArguments> + <commandLineArgument>cadi_prop_files=${project.ext_root_dir}/etc/org.osaaf.aaf.cm.props</commandLineArgument> + <commandLineArgument>cadi_log_dir=${project.ext_root_dir}/logs/cm</commandLineArgument> + </commandLineArguments> + </program> + </programs> + </configuration> + </plugin> + <plugin> + <groupId>org.jacoco</groupId> + <artifactId>jacoco-maven-plugin</artifactId> + <configuration> + <excludes> + <exclude>**/gen/**</exclude> + 
<exclude>**/generated-sources/**</exclude> + <exclude>**/yang-gen/**</exclude> + <exclude>**/pax/**</exclude> + </excludes> + </configuration> + <executions> - <execution> - <id>pre-unit-test</id> - <goals> - <goal>prepare-agent</goal> - </goals> - <configuration> - <destFile>${project.build.directory}/code-coverage/jacoco-ut.exec</destFile> - <propertyName>surefireArgLine</propertyName> - </configuration> - </execution> + <execution> + <id>pre-unit-test</id> + <goals> + <goal>prepare-agent</goal> + </goals> + <configuration> + <destFile>${project.build.directory}/code-coverage/jacoco-ut.exec</destFile> + <propertyName>surefireArgLine</propertyName> + </configuration> + </execution> - <execution> - <id>post-unit-test</id> - <phase>test</phase> - <goals> - <goal>report</goal> - </goals> - <configuration> - <dataFile>${project.build.directory}/code-coverage/jacoco-ut.exec</dataFile> - <outputDirectory>${project.reporting.outputDirectory}/jacoco-ut</outputDirectory> - </configuration> - </execution> - <execution> - <id>pre-integration-test</id> - <phase>pre-integration-test</phase> - <goals> - <goal>prepare-agent</goal> - </goals> - <configuration> - <destFile>${project.build.directory}/code-coverage/jacoco-it.exec</destFile> - <propertyName>failsafeArgLine</propertyName> - </configuration> - </execution> + <execution> + <id>post-unit-test</id> + <phase>test</phase> + <goals> + <goal>report</goal> + </goals> + <configuration> + <dataFile>${project.build.directory}/code-coverage/jacoco-ut.exec</dataFile> + <outputDirectory>${project.reporting.outputDirectory}/jacoco-ut</outputDirectory> + </configuration> + </execution> + <execution> + <id>pre-integration-test</id> + <phase>pre-integration-test</phase> + <goals> + <goal>prepare-agent</goal> + </goals> + <configuration> + <destFile>${project.build.directory}/code-coverage/jacoco-it.exec</destFile> + <propertyName>failsafeArgLine</propertyName> + </configuration> + </execution> - <execution> - 
<id>post-integration-test</id> - <phase>post-integration-test</phase> - <goals> - <goal>report</goal> - </goals> - <configuration> - <dataFile>${project.build.directory}/code-coverage/jacoco-it.exec</dataFile> - <outputDirectory>${project.reporting.outputDirectory}/jacoco-it</outputDirectory> - </configuration> - </execution> - </executions> - </plugin> - </plugins> - </build> + <execution> + <id>post-integration-test</id> + <phase>post-integration-test</phase> + <goals> + <goal>report</goal> + </goals> + <configuration> + <dataFile>${project.build.directory}/code-coverage/jacoco-it.exec</dataFile> + <outputDirectory>${project.reporting.outputDirectory}/jacoco-it</outputDirectory> + </configuration> + </execution> + </executions> + </plugin> + </plugins> + </build> - <distributionManagement> - <repository> - <id>ecomp-releases</id> - <name>AAF Release Repository</name> - <url>${nexusproxy}${releaseNexusPath}</url> - </repository> - <snapshotRepository> - <id>ecomp-snapshots</id> - <name>AAF Snapshot Repository</name> - <url>${nexusproxy}${snapshotNexusPath}</url> - </snapshotRepository> - <site> - <id>ecomp-site</id> - <url>dav:${nexusproxy}${sitePath}</url> - </site> - </distributionManagement> + <distributionManagement> + <repository> + <id>ecomp-releases</id> + <name>AAF Release Repository</name> + <url>${nexusproxy}${releaseNexusPath}</url> + </repository> + <snapshotRepository> + <id>ecomp-snapshots</id> + <name>AAF Snapshot Repository</name> + <url>${nexusproxy}${snapshotNexusPath}</url> + </snapshotRepository> + <site> + <id>ecomp-site</id> + <url>dav:${nexusproxy}${sitePath}</url> + </site> + </distributionManagement> </project> diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java index 7dea9f07..aa5c1daf 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java 
@@ -40,6 +40,7 @@ import org.onap.aaf.auth.cm.facade.FacadeFactory;
 import org.onap.aaf.auth.cm.mapper.Mapper.API;
 import org.onap.aaf.auth.cm.service.CMService;
 import org.onap.aaf.auth.cm.service.Code;
+import org.onap.aaf.auth.cm.validation.CertmanValidator;
 import org.onap.aaf.auth.dao.CassAccess;
 import org.onap.aaf.auth.dao.cass.LocateDAO;
 import org.onap.aaf.auth.direct.DirectLocatorCreator;
@@ -72,6 +73,7 @@ import com.datastax.driver.core.Cluster;
 public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
 private static final String USER_PERMS = "userPerms";
+ private static final String CM_ALLOW_TMP = "cm_allow_tmp";
 private static final Map<String,CA> certAuths = new TreeMap<>();
 public static Facade1_0 facade1_0; // this is the default Facade
 public static Facade1_0 facade1_0_XML; // this is the XML Facade
@@ -106,6 +108,13 @@ public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
 if (aafEnv==null) {
 throw new APIException("aaf_env needs to be set");
 }
+
+ // Check for allowing /tmp in Properties
+ String allowTmp = env.getProperty(CM_ALLOW_TMP);
+ if("true".equalsIgnoreCase(allowTmp)) {
+ CertmanValidator.allowTmp();
+ }
+
 // Initialize Facade for all uses
 AuthzTrans trans = env.newTrans();
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
index 10da10d9..26b4e2aa 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
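Review bot: Enabling `cm_allow_tmp` silently switches off the /tmp deployment check through the static `CertmanValidator.allowTmp()`, but nothing records at startup that the relaxation is active, whereas the CM_ALWAYS_IGNORE_IPS relaxation in CMService (later in this diff) is logged at Level.INIT. Add an INIT log beside the call, e.g. `env.access().log(Level.INIT, CM_ALLOW_TMP + " is set: certificates may be deployed into /tmp");` (assuming AuthzEnv exposes the same `access()` CMService reaches via `trans.env()`; Level may need importing). The property name is also a local literal here while the sibling flags `CM_ALLOW_IGNORE_IPS` and `CM_ALWAYS_IGNORE_IPS` live in `Config`, so operators would find it more easily next to them. The enclosing method starts before and ends after the hunk.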
@@ -73,10 +73,11 @@ public abstract class CA {
 this.env = env;
 this.env_tag = env==null || env.isEmpty()?false: Boolean.parseBoolean(access.getProperty(CM_CA_ENV_TAG, Boolean.FALSE.toString()));
- permNS = CM_CA_PREFIX + name;
- permType = access.getProperty(permNS + ".perm_type",null);
+ permNS=null;
+ String prefix = CM_CA_PREFIX + name;
+ permType = access.getProperty(prefix + ".perm_type",null);
 if (permType==null) {
- throw new CertException(permNS + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
+ throw new CertException(prefix + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
 }
 caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null));
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
index 663cee82..22243ae4 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
@@ -24,6 +24,7 @@ package org.onap.aaf.auth.cm.mapper;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 import org.onap.aaf.auth.cm.data.CertDrop;
 import org.onap.aaf.auth.cm.data.CertRenew;
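Review bot: `permNS=null;` changes what `getPermNS()` returns, yet CMService's Policy 6 check (kept as context later in this diff) still builds `new AAFPermission(ca.getPermNS(), ca.getPermType(), add.ca, DOMAIN)`, so that permission is now constructed with a null namespace. Whether it still matches the granted permission depends on how AAFPermission keys a null ns, which this diff does not show; if `perm_type` is now expected to carry the fully qualified type, say so where the field is nulled, e.g. `permNS=null; // intentional: <ca>.perm_type now carries the fully qualified permission type`, and cover the DOMAIN exception path with a test. Leaving the field permanently null while `getPermNS()` stays public invites the same mistake in other callers, so consider deprecating the accessor. The constructor continues outside the hunk.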
@@ -219,31 +220,31 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 List<ArtiDAO.Data> ladd = new ArrayList<>();
 for (Artifact arti : artifacts.getArtifact()) {
 ArtiDAO.Data data = new ArtiDAO.Data();
- data.mechid = arti.getMechid();
- data.machine = arti.getMachine();
- data.type(true).addAll(arti.getType());
- data.ca = arti.getCa();
- data.dir = arti.getDir();
- data.os_user = arti.getOsUser();
+ data.mechid = trim(arti.getMechid());
+ data.machine = trim(arti.getMachine());
+ if(arti.getType()!=null) {
+ Set<String> ss = data.type(true);
+ for(String t : arti.getType()) {
+ ss.add(trim(t));
+ }
+ }
+ data.ca = trim(arti.getCa());
+ data.dir = trim(arti.getDir());
+ data.os_user = trim(arti.getOsUser());
 // Optional (on way in)
- data.ns = arti.getNs();
+ data.ns = trim(arti.getNs());
 data.renewDays = arti.getRenewDays();
- data.notify = arti.getNotification();
+ data.notify = trim(arti.getNotification());
 // Ignored on way in for create/update
- data.sponsor = arti.getSponsor();
- data.expires = null;
-
- // Derive Optional Data from Machine (Domain) if exists
- if (data.machine!=null) {
- if (data.ca==null && data.machine.endsWith(".att.com")) {
- data.ca = "aaf"; // default
- }
- if (data.ns==null ) {
- data.ns=FQI.reverseDomain(data.machine);
- }
+ data.sponsor = (arti.getSponsor());
+ if(arti.getSans()!=null) {
+ Set<String> ls = data.sans(true);
+ for(String t : arti.getSans()) {
+ ls.add(trim(t));
+ }
 }
- data.sans(true).addAll(arti.getSans());
+ data.expires = null;
 ladd.add(data);
 }
 return ladd;
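Review bot: `data.sponsor = (arti.getSponsor());` is the one inbound string field left untrimmed, and the parentheses are redundant; every other field in this hunk goes through `trim(...)`, and Mapper2_0's equivalent line (context later in this diff) reads `data.sponsor = trim(arti.getSponsor());`, so use that form here too. Dropping the `.att.com` → `"aaf"` default and the `FQI.reverseDomain` fallback means a request without ns now presumably reaches validation with ns null, which the CertmanValidator change in this diff reports as an error; that is a visible API behaviour change worth a line in the commit message. The enclosing method starts before and ends after the hunk.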
@@ -258,17 +259,21 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 Artifacts artis = new Artifacts();
 for (ArtiDAO.Data arti : lArtiDAO.value) {
 Artifact a = new Artifact();
- a.setMechid(arti.mechid);
- a.setMachine(arti.machine);
- a.setSponsor(arti.sponsor);
- a.setNs(arti.ns);
- a.setCa(arti.ca);
- a.setDir(arti.dir);
- a.getType().addAll(arti.type(false));
- a.setOsUser(arti.os_user);
+ a.setMechid(trim(arti.mechid));
+ a.setMachine(trim(arti.machine));
+ a.setSponsor(trim(arti.sponsor));
+ a.setNs(trim(arti.ns));
+ a.setCa(trim(arti.ca));
+ a.setDir(trim(arti.dir));
+ for(String t : arti.type(false)) {
+ a.getType().add(trim(t));
+ }
+ a.setOsUser(trim(arti.os_user));
 a.setRenewDays(arti.renewDays);
- a.setNotification(arti.notify);
- a.getSans().addAll(arti.sans(false));
+ a.setNotification(trim(arti.notify));
+ for(String t : arti.sans(false)) {
+ a.getSans().add(trim(t));
+ }
 artis.getArtifact().add(a);
 }
 return Result.ok(artis);
@@ -279,4 +284,11 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
+ private String trim(String s) {
+ if(s==null) {
+ return s;
+ } else {
+ return s.trim();
+ }
+ }
 }
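Review bot: The private `trim(String)` helper added at the end of Mapper1_0 duplicates one Mapper2_0 already calls (`data.mechid = trim(arti.getMechid())` appears as context later in this diff); a single static helper shared by both mappers would keep the null handling in one place, and it reduces to `return s == null ? null : s.trim();`. Trimming on the outbound side here only matters for rows stored before inbound trimming existed, so a short comment such as `// trim on read as well: rows written before input trimming may carry whitespace` would explain why both directions do it. The enclosing method starts before and ends after the first hunk.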
\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
index 2b9204c9..53388f67 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
@@ -210,8 +210,8 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 ArtiDAO.Data data = new ArtiDAO.Data();
 data.mechid = trim(arti.getMechid());
 data.machine = trim(arti.getMachine());
- Set<String> ss = data.type(true);
 if(arti.getType()!=null) {
+ Set<String> ss = data.type(true);
 for(String t : arti.getType()) {
 ss.add(t.trim());
 }
@@ -228,8 +228,8 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 // Ignored on way in for create/update
 data.sponsor = trim(arti.getSponsor());
 data.expires = null;
- ss = data.sans(true);
 if(arti.getSans()!=null) {
+ Set<String> ss = data.sans(true);
 for(String s : arti.getSans()) {
 ss.add(s.trim());
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 85424de1..26b3a22a 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -90,6 +90,7 @@ public class CMService {
 private final ArtiDAO artiDAO;
 private AAF_CM certManager;
 private Boolean allowIgnoreIPs;
+ private Boolean alwaysIgnoreIPs;
 // @SuppressWarnings("unchecked")
 public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
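Review bot: `ss.add(t.trim())` and `ss.add(s.trim())` in the two Mapper2_0 hunks dereference each list element directly, so a null entry in `getType()` or `getSans()` throws NullPointerException, while the matching loops added to Mapper1_0 in this diff use the null-safe `trim(t)`. Mapper2_0 already has a `trim` it applies to `arti.getMechid()`; writing `ss.add(trim(t));` and `ss.add(trim(s));` here would make the two mappers behave the same, assuming that helper is null-safe like Mapper1_0's. Moving the `Set<String> ss` declarations inside the null checks is a good change, since `type(true)` and `sans(true)` are no longer invoked for absent lists. The enclosing method starts before and ends after each hunk.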
@@ -110,9 +111,14 @@ public class CMService { "*", "read" ); - allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false")); - if(allowIgnoreIPs) { - trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS); + alwaysIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALWAYS_IGNORE_IPS, "false")); + if(alwaysIgnoreIPs) { + trans.env().access().log(Level.INIT, "DNS Evaluation for Cert Creation is turned off with " + Config.CM_ALWAYS_IGNORE_IPS ); + } else { + allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false")); + if(allowIgnoreIPs) { + trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS); + } } } @@ -140,7 +146,9 @@ public class CMService { Organization org = trans.org(); boolean ignoreIPs; - if(allowIgnoreIPs) { + if(alwaysIgnoreIPs) { + ignoreIPs=true; + } else if(allowIgnoreIPs) { ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS)); } else { ignoreIPs = false; @@ -286,11 +294,11 @@ public class CMService { // Make sure Primary is the first in fqdns if (fqdns.size() > 1) { for (int i = 0; i < fqdns.size(); ++i) { - if (primary==null) { + if (primary==null && !ignoreIPs) { trans.error().log("CMService var primary is null"); } else { String fg = fqdns.get(i); - if (fg!=null && fg.equals(primary.getHostName())) { + if (fg!=null && primary!=null && fg.equals(primary.getHostName())) { if (i != 0) { String tmp = fqdns.get(0); fqdns.set(0, primary.getHostName()); @@ -301,7 +309,7 @@ public class CMService { } } } catch (Exception e) { - trans.debug().log(e); + trans.error().log(e); return Result.err(Status.ERR_Denied, "AppID Sponsorship cannot be determined at this time. Try later."); } 
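Review bot: When `alwaysIgnoreIPs` is true the constructor never assigns `allowIgnoreIPs`, so that boxed `Boolean` stays null and only the `else if` ordering in the later hunk keeps it from being unboxed; declaring both as `private boolean`, or assigning both in every branch, removes that dependency. Because CM_ALWAYS_IGNORE_IPS bypasses the DNS/IP check for every CA and every requester — the per-namespace `IGNORE_IPS` permission is not consulted on that path — the field deserves a comment saying so, e.g. `private boolean alwaysIgnoreIPs; // CM_ALWAYS_IGNORE_IPS: global bypass of DNS validation, presumably for lab use; prefer the per-ns IGNORE_IPS permission otherwise`. The added `primary!=null &&` guard is needed because the first branch of the fqdns loop no longer catches a null `primary` when ignoreIPs is set; that, and the switch from `trans.debug()` to `trans.error()` in the catch, are worth a mention in the commit message. The constructor and the method containing the fqdns loop both extend outside the hunks.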
@@ -474,7 +482,6 @@ public class CMService {
 // Policy 6: Only do Domain by Exception
 if (add.machine.startsWith("*")) { // Domain set
 CA ca = certManager.getCA(add.ca);
-
 if (!trans.fish(new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN))) {
 return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission", add.machine);
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
index f85eb44e..5835b31f 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
@@ -22,6 +22,7 @@ package org.onap.aaf.auth.cm.validation;
 import java.util.List;
+import java.util.regex.Pattern;
 import org.onap.aaf.auth.dao.cass.ArtiDAO;
 import org.onap.aaf.auth.dao.cass.ArtiDAO.Data;
@@ -47,7 +48,13 @@ public class CertmanValidator extends Validator{
 private static final String MUST_HAVE_AT_LEAST = " must have at least ";
 private static final String IS_NULL = " is null.";
 private static final String ARTIFACTS_MUST_HAVE_AT_LEAST = "Artifacts must have at least ";
-
+ private static final Pattern ALPHA_NUM = Pattern.compile("[a-zA-Z0-9]*");
+
+ private static boolean disallowTmp = true;
+ public static void allowTmp() {
+ disallowTmp=false;
+ }
+
 public CertmanValidator nullBlankMin(String name, List<String> list, int min) {
 if (list==null) {
 msg(name + IS_NULL);
@@ -72,7 +79,7 @@ public class CertmanValidator extends Validator{
 } else {
 for (ArtiDAO.Data a : list) {
 allRequired(a);
- if(a.dir!=null && a.dir.startsWith("/tmp")) {
+ if(disallowTmp && a.dir!=null && a.dir.startsWith("/tmp")) {
 msg("Certificates may not be deployed into /tmp directory (they will be removed at a random time by O/S)");
 }
 }
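Review bot: `disallowTmp` in CertmanValidator is a mutable static with no `volatile`, written once by `allowTmp()` during AAF_CM startup and read on every validation; that is safe only as long as the call precedes request threads, and there is no way to turn the check back on. Document the contract on the field, e.g. `// Set once at startup from cm_allow_tmp (see AAF_CM); not thread-safe and not reversible at runtime`, or make it `volatile`. The `a.dir.startsWith("/tmp")` test is a plain prefix match, so it also flags directories such as `/tmpdata`; if the directory itself is meant, `a.dir.equals("/tmp") || a.dir.startsWith("/tmp/")` is more precise. The method containing that loop starts before and ends after its hunk.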
@@ -99,7 +106,8 @@ public class CertmanValidator extends Validator{
 nullOrBlank(MACHINE, a.machine);
 nullOrBlank("ca",a.ca);
 nullOrBlank("dir",a.dir);
- nullOrBlank("os_user",a.os_user);
+ match("NS must be dot separated AlphaNumeric",a.ns,NAME_CHARS);
+ match("O/S User must be AlphaNumeric",a.os_user,ALPHA_NUM);
 // Note: AppName, Notify & Sponsor are currently not required
 }
 return this;
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java
index 4aa3d6d3..6d090398 100644
--- a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java
@@ -80,7 +80,7 @@ public class JU_CertmanValidator {
 public void artisRequired_shouldReportErrorWhenArtifactDoesNotHaveAllRequiredFields() {
 certmanValidator.artisRequired(newArrayList(newArtifactData("id", "", "ca", "dir", "user")), 1);
- assertEquals("machine is blank.\n", certmanValidator.errs());
+ assertEquals("machine is blank.\n" + "NS must be dot separated AlphaNumeric\n", certmanValidator.errs());
 }
 @Test |
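Review bot: `ALPHA_NUM` is `[a-zA-Z0-9]*`, which matches the empty string, so if `match` checks with `matches()` an empty `os_user` now passes where the removed `nullOrBlank("os_user",a.os_user)` rejected it. Use `+` instead of `*`, or keep the `nullOrBlank` call ahead of the `match`, and since O/S accounts often contain `_`, `-` or `.` (not shown here), confirm the intended character set against existing artifacts before merging. How `match` treats null is not visible in this diff; the JU_CertmanValidator expectation below shows a null ns does yield the NS message, so that case appears covered. The method containing these checks starts before and ends after the hunk.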