diff options
Diffstat (limited to 'auth/auth-service')
11 files changed, 674 insertions, 674 deletions
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java index 333c0fc1..bdba4696 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java @@ -196,11 +196,11 @@ public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> { @Override public void postStartup(final String hostname, final int port) throws APIException { - try { - CacheInfoDAO.startUpdate(env, aafCon().hman(), aafCon().securityInfo().defSS,hostname,port); - } catch (CadiException | LocatorException e) { - throw new APIException(e); - } + try { + CacheInfoDAO.startUpdate(env, aafCon().hman(), aafCon().securityInfo().defSS,hostname,port); + } catch (CadiException | LocatorException e) { + throw new APIException(e); + } } @Override @@ -241,11 +241,11 @@ public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> { try { new JettyServiceStarter<AuthzEnv,AuthzTrans>( - new AAF_Service(new AuthzEnv(propAccess)),true) - .start(); - } catch (Exception e) { - propAccess.log(e); - } + new AAF_Service(new AuthzEnv(propAccess)),true) + .start(); + } catch (Exception e) { + propAccess.log(e); + } } catch (Exception e) { e.printStackTrace(); } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index d102b045..3b010821 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -118,7 +118,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE implements AuthzService <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> { private static final String TWO_SPACE = " "; - private Mapper <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper; + private Mapper <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper; @Override public Mapper <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERTS,KEYS,REQUEST,HISTORY,ERR,APPROVALS> mapper() {return mapper;} @@ -816,120 +816,120 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE // User Permission mechanism if(newPd.value.ns.indexOf('@')>0) { - PermDAO.Data pdd = newPd.value; - if(trans.user().equals(newPd.value.ns)) { - CachedPermDAO permDAO = ques.permDAO(); - Result<List<PermDAO.Data>> rlpdd = permDAO.read(trans, pdd); - if(rlpdd.notOK()) { - return Result.err(rlpdd); - } - if(!rlpdd.isEmpty()) { - return Result.err(Result.ERR_ConflictAlreadyExists,"Permission already exists"); - } - - RoleDAO.Data rdd = new RoleDAO.Data(); - rdd.ns = pdd.ns; - rdd.name = "user"; - - pdd.roles(true).add(rdd.fullName()); - Result<PermDAO.Data> rpdd = permDAO.create(trans, pdd); - if(rpdd.notOK()) { - return Result.err(rpdd); - } - - CachedRoleDAO roleDAO = ques.roleDAO(); - Result<List<RoleDAO.Data>> rlrdd = roleDAO.read(trans, rdd); - if(rlrdd.notOK()) { - return Result.err(rlrdd); - } else { - if(!rlrdd.isEmpty()) { - rdd = rlrdd.value.get(0); - } - } - - String eperm = pdd.encode(); - rdd.perms(true).add(eperm); - Result<Void> rv = roleDAO.update(trans, rdd); - if(rv.notOK()) { - return rv; - } - - CachedUserRoleDAO urDAO = ques.userRoleDAO(); - UserRoleDAO.Data urdd = new UserRoleDAO.Data(); - urdd.user = trans.user(); - urdd.ns = rdd.ns; - urdd.rname = rdd.name; - urdd.role = rdd.fullName(); - Result<List<UserRoleDAO.Data>> rlurdd = urDAO.read(trans, urdd); - if(rlurdd.notOK()) { - return Result.err(rlrdd); - } else if(rlurdd.isEmpty()) { - GregorianCalendar gc = trans.org().expiration(null, Expiration.UserInRole); - if(gc==null) { - return Result.err(Result.ERR_Policy,"Organzation does not grant Expiration for UserRole"); - } else { - urdd.expires = gc.getTime(); - } - Result<UserRoleDAO.Data> rurdd = urDAO.create(trans, urdd); - return Result.err(rurdd); - } - return rv; - } else { - return Result.err(Result.ERR_Security,"Only the User can create User Permissions"); - } + PermDAO.Data pdd = newPd.value; + if(trans.user().equals(newPd.value.ns)) { + CachedPermDAO permDAO = ques.permDAO(); + Result<List<PermDAO.Data>> rlpdd = permDAO.read(trans, pdd); + if(rlpdd.notOK()) { + return Result.err(rlpdd); + } + if(!rlpdd.isEmpty()) { + return Result.err(Result.ERR_ConflictAlreadyExists,"Permission already exists"); + } + + RoleDAO.Data rdd = new RoleDAO.Data(); + rdd.ns = pdd.ns; + rdd.name = "user"; + + pdd.roles(true).add(rdd.fullName()); + Result<PermDAO.Data> rpdd = permDAO.create(trans, pdd); + if(rpdd.notOK()) { + return Result.err(rpdd); + } + + CachedRoleDAO roleDAO = ques.roleDAO(); + Result<List<RoleDAO.Data>> rlrdd = roleDAO.read(trans, rdd); + if(rlrdd.notOK()) { + return Result.err(rlrdd); + } else { + if(!rlrdd.isEmpty()) { + rdd = rlrdd.value.get(0); + } + } + + String eperm = pdd.encode(); + rdd.perms(true).add(eperm); + Result<Void> rv = roleDAO.update(trans, rdd); + if(rv.notOK()) { + return rv; + } + + CachedUserRoleDAO urDAO = ques.userRoleDAO(); + UserRoleDAO.Data urdd = new UserRoleDAO.Data(); + urdd.user = trans.user(); + urdd.ns = rdd.ns; + urdd.rname = rdd.name; + urdd.role = rdd.fullName(); + Result<List<UserRoleDAO.Data>> rlurdd = urDAO.read(trans, urdd); + if(rlurdd.notOK()) { + return Result.err(rlrdd); + } else if(rlurdd.isEmpty()) { + GregorianCalendar gc = trans.org().expiration(null, Expiration.UserInRole); + if(gc==null) { + return Result.err(Result.ERR_Policy,"Organzation does not grant Expiration for UserRole"); + } else { + urdd.expires = gc.getTime(); + } + Result<UserRoleDAO.Data> rurdd = urDAO.create(trans, urdd); + return Result.err(rurdd); + } + return rv; + } else { + return Result.err(Result.ERR_Security,"Only the User can create User Permissions"); + } } else { - // Does Perm Type exist as a Namespace? - if(newPd.value.type.isEmpty() || ques.nsDAO().read(trans, newPd.value.fullType()).isOKhasData()) { - return Result.err(Status.ERR_ConflictAlreadyExists, - "Permission Type exists as a Namespace"); - } - - Result<FutureDAO.Data> fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false, - new Mapper.Memo() { - @Override - public String get() { - return "Create Permission [" + - newPd.value.fullType() + '|' + - newPd.value.instance + '|' + - newPd.value.action + ']'; - } - }, - new MayChange() { - private Result<NsDAO.Data> nsd; - @Override - public Result<?> mayChange() { - if (nsd==null) { - nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write); - } - return nsd; - } - }); - - Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, newPd.value.ns); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - switch(fd.status) { - case OK: - Result<String> rfc = func.createFuture(trans,fd.value, - newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action, - trans.user(), - nsr.value.get(0), - FUTURE_OP.C); - if (rfc.isOK()) { - return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", - newPd.value.ns, - newPd.value.type, - newPd.value.instance, - newPd.value.action); - } else { - return Result.err(rfc); - } - case Status.ACC_Now: - return func.createPerm(trans, newPd.value, true); - default: - return Result.err(fd); - } + // Does Perm Type exist as a Namespace? + if(newPd.value.type.isEmpty() || ques.nsDAO().read(trans, newPd.value.fullType()).isOKhasData()) { + return Result.err(Status.ERR_ConflictAlreadyExists, + "Permission Type exists as a Namespace"); + } + + Result<FutureDAO.Data> fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false, + new Mapper.Memo() { + @Override + public String get() { + return "Create Permission [" + + newPd.value.fullType() + '|' + + newPd.value.instance + '|' + + newPd.value.action + ']'; + } + }, + new MayChange() { + private Result<NsDAO.Data> nsd; + @Override + public Result<?> mayChange() { + if (nsd==null) { + nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write); + } + return nsd; + } + }); + + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, newPd.value.ns); + if (nsr.notOKorIsEmpty()) { + return Result.err(nsr); + } + switch(fd.status) { + case OK: + Result<String> rfc = func.createFuture(trans,fd.value, + newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action, + trans.user(), + nsr.value.get(0), + FUTURE_OP.C); + if (rfc.isOK()) { + return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", + newPd.value.ns, + newPd.value.type, + newPd.value.instance, + newPd.value.action); + } else { + return Result.err(rfc); + } + case Status.ACC_Now: + return func.createPerm(trans, newPd.value, true); + default: + return Result.err(fd); + } } } @@ -1995,7 +1995,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if (nsd==null) { nsd = ques.mayUser(trans, trans.user(), rpd.value, Access.write); if(nsd.notOK()) { - trans.requested(REQD_TYPE.future,true); + trans.requested(REQD_TYPE.future,true); } } return nsd; @@ -2006,32 +2006,32 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE return Result.err(nsr); } switch(fd.status) { - case OK: - Result<String> rfc = func.createFuture(trans,fd.value, - rpd.value.fullPerm(), - trans.user(), - nsr.value.get(0), - FUTURE_OP.G); - if (rfc.isOK()) { - return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", - rpd.value.ns, - rpd.value.type, - rpd.value.instance, - rpd.value.action); - } else { - return Result.err(rfc); - } - case Status.ACC_Now: - Result<Void> rv = null; - if (createPerm!=null) {// has been validated for creating - rv = func.createPerm(trans, createPerm, false); - } - if (rv==null || rv.isOK()) { - rv = func.addPermToRole(trans, rrd.value, rpd.value, false); - } - return rv; - default: - return Result.err(fd); + case OK: + Result<String> rfc = func.createFuture(trans,fd.value, + rpd.value.fullPerm(), + trans.user(), + nsr.value.get(0), + FUTURE_OP.G); + if (rfc.isOK()) { + return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing", + rpd.value.ns, + rpd.value.type, + rpd.value.instance, + rpd.value.action); + } else { + return Result.err(rfc); + } + case Status.ACC_Now: + Result<Void> rv = null; + if (createPerm!=null) {// has been validated for creating + rv = func.createPerm(trans, createPerm, false); + } + if (rv==null || rv.isOK()) { + rv = func.addPermToRole(trans, rrd.value, rpd.value, false); + } + return rv; + default: + return Result.err(fd); } } @@ -2310,12 +2310,12 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE private class MayChangeCred implements MayChange { private static final String EXTEND = "extend"; - private static final String RESET = "reset"; - private static final String DELETE = "delete"; - private Result<NsDAO.Data> nsd; + private static final String RESET = "reset"; + private static final String DELETE = "delete"; + private Result<NsDAO.Data> nsd; private AuthzTrans trans; private CredDAO.Data cred; - private String action; + private String action; public MayChangeCred(AuthzTrans trans, CredDAO.Data cred, String action) { this.trans = trans; this.cred = cred; @@ -2330,35 +2330,35 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } // Get the Namespace if (nsd.isOK()) { - String ns = nsd.value.name; - String user = trans.user(); - String company; - String temp[] = Split.split('.',ns); - switch(temp.length) { - case 0: - company = Defaults.AAF_NS; - break; - case 1: - company = temp[0]; - break; - default: - company = temp[0] + '.' + temp[1]; - } - switch(action) { - case DELETE: - if(ques.isOwner(trans, user,ns) || - ques.isAdmin(trans, user,ns) || - ques.isGranted(trans, user, ROOT_NS,"password",company,DELETE)) { - return Result.ok(); - } - break; - case RESET: - case EXTEND: + String ns = nsd.value.name; + String user = trans.user(); + String company; + String temp[] = Split.split('.',ns); + switch(temp.length) { + case 0: + company = Defaults.AAF_NS; + break; + case 1: + company = temp[0]; + break; + default: + company = temp[0] + '.' + temp[1]; + } + switch(action) { + case DELETE: + if(ques.isOwner(trans, user,ns) || + ques.isAdmin(trans, user,ns) || + ques.isGranted(trans, user, ROOT_NS,"password",company,DELETE)) { + return Result.ok(); + } + break; + case RESET: + case EXTEND: if (ques.isGranted(trans, trans.user(), ROOT_NS,"password",company,action)) { return Result.ok(); } break; - } + } } return Result.err(Status.ERR_Denied,"%s is not allowed to %s %s in %s",trans.user(),action,cred.id,cred.ns); } @@ -2432,27 +2432,27 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE // password to validate char differences. // byte[] rawCred = rcred.value.type==CredDAO.RAW?null:; return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); - if(rcred.value.type==CredDAO.FQI ) { - if(curr.type==CredDAO.FQI) { - return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); - } - } else { - - rb = ques.userCredCheck(trans, curr, rcred.value.cred!=null?rcred.value.cred.array():null); - if (rb.notOK()) { - return Result.err(rb); - } else if (rb.value){ - return Result.err(Status.ERR_Policy, "Credential content cannot be reused."); - } else if(Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) - && curr.type==rcred.value.type - ) { - // Allow if expiring differential is greater than 1 day (for TEMP) - // Unless expiring in 1 day - if(System.currentTimeMillis() - rcred.value.expires.getTime() > TimeUnit.DAYS.toMillis(1)) { - return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); - } - } - } + if(rcred.value.type==CredDAO.FQI ) { + if(curr.type==CredDAO.FQI) { + return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); + } + } else { + + rb = ques.userCredCheck(trans, curr, rcred.value.cred!=null?rcred.value.cred.array():null); + if (rb.notOK()) { + return Result.err(rb); + } else if (rb.value){ + return Result.err(Status.ERR_Policy, "Credential content cannot be reused."); + } else if(Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) + && curr.type==rcred.value.type + ) { + // Allow if expiring differential is greater than 1 day (for TEMP) + // Unless expiring in 1 day + if(System.currentTimeMillis() - rcred.value.expires.getTime() > TimeUnit.DAYS.toMillis(1)) { + return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists"); + } + } + } } } else { try { @@ -2510,18 +2510,18 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if (firstID) { // OK, it's a first ID, and not by NS Owner if(!ques.isOwner(trans,trans.user(),cdd.ns)) { - // Admins are not allowed to set first Cred, but Org has already - // said entity MAY create, typically by Permission - // We can't know which reason they are allowed here, so we - // have to assume that any with Special Permission would not be - // an Admin. - if(ques.isAdmin(trans, trans.user(), cdd.ns)) { - return Result.err(Result.ERR_Denied, - "Only Owners may create first passwords in their Namespace. Admins may modify after one exists" ); - } else { - // Allow IDs that AREN'T part of NS with Org Onboarding Permission (see Org object) to create Temp Passwords. + // Admins are not allowed to set first Cred, but Org has already + // said entity MAY create, typically by Permission + // We can't know which reason they are allowed here, so we + // have to assume that any with Special Permission would not be + // an Admin. + if(ques.isAdmin(trans, trans.user(), cdd.ns)) { + return Result.err(Result.ERR_Denied, + "Only Owners may create first passwords in their Namespace. Admins may modify after one exists" ); + } else { + // Allow IDs that AREN'T part of NS with Org Onboarding Permission (see Org object) to create Temp Passwords. rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime(); - } + } } } } catch (Exception e) { @@ -2852,7 +2852,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE cd.tag = found.tag; cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime(); if(cd.expires.before(found.expires)) { - return Result.err(Result.ERR_BadData,String.format("Credential's expiration date is more than %s days in the future",days)); + return Result.err(Result.ERR_BadData,String.format("Credential's expiration date is more than %s days in the future",days)); } cred = ques.credDAO().create(trans, cd); @@ -2866,249 +2866,249 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } @ApiDoc( - method = DELETE, - path = "/authn/cred", - params = {}, - expectedCode = 200, - errorCodes = {300,403,404,406}, - text = { "Delete a Credential. If multiple credentials exist for this", - "ID, you will need to specify which entry you are deleting in the", - "CredRequest object." - } - ) - @Override - public Result<Void> deleteUserCred(AuthzTrans trans, REQUEST from) { - final Result<CredDAO.Data> cred = mapper.cred(trans, from, false); - final Validator v = new ServiceValidator(); - if (v.nullOrBlank("cred", cred.value.id).err()) { - return Result.err(Status.ERR_BadData,v.errs()); - } - - MayChange mc = new MayChangeCred(trans,cred.value,MayChangeCred.DELETE); - Result<?> rmc = mc.mayChange(); - if (rmc.notOK()) { - return Result.err(rmc); - } - - boolean doForce = trans.requested(force); - Result<List<CredDAO.Data>> rlcd = ques.credDAO().readID(trans, cred.value.id); - if (rlcd.notOKorIsEmpty()) { - // Empty Creds should not have user_roles. - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); - if (rlurd.isOKhasData()) { - for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO().delete(trans, data, false); - } - } - return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); - } - boolean isLastCred = rlcd.value.size()==1; - - int entry; - CredRequest cr = (CredRequest)from; - if(isLastCred) { - if(cr.getEntry()==null || "1".equals(cr.getEntry())) { - entry = 0; - } else { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } else { - entry = -1; - int fentry = entry; - if(cred.value.type==CredDAO.FQI) { - entry = -1; - for(CredDAO.Data cdd : rlcd.value) { - ++fentry; - if(cdd.type == CredDAO.FQI) { - entry = fentry; - break; - } - } - } else { - if (!doForce) { - if (rlcd.value.size() > 1) { - String inputOption = cr.getEntry(); - if (inputOption == null) { - List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); - String message = selectCredFromList(list, MayChangeCred.DELETE); - Object[] variables = buildVariables(list); - return Result.err(Status.ERR_ChoiceNeeded, message, variables); - } else { - try { - if (inputOption.length()>5) { // should be a date - Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); - for (CredDAO.Data cd : rlcd.value) { - ++fentry; - if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { - entry = fentry; - break; - } - } - } else { - entry = Integer.parseInt(inputOption) - 1; - int count = 0; - for (CredDAO.Data cd : rlcd.value) { - if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { - ++entry; - } - if(++count>entry) { - break; - } - } - } - } catch (NullPointerException e) { - return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); - } catch (NumberFormatException e) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - isLastCred = (entry==-1); - } else { - isLastCred = true; - } - if (entry < -1 || entry >= rlcd.value.size()) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - } - } - - Result<FutureDAO.Data> fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false, - () -> "Delete Credential [" + - cred.value.id + - ']', - mc); - - Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, cred.value.ns); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); - } - - switch(fd.status) { - case OK: - Result<String> rfc = func.createFuture(trans, fd.value, cred.value.id, - trans.user(), nsr.value.get(0), FUTURE_OP.D); - - if (rfc.isOK()) { - return Result.err(Status.ACC_Future, "Credential Delete [%s] is saved for future processing",cred.value.id); - } else { - return Result.err(rfc); - } - case Status.ACC_Now: - Result<?>udr = null; - if (!trans.requested(force)) { - if (entry<0 || entry >= rlcd.value.size()) { - if(cred.value.type==CredDAO.FQI) { - return Result.err(Status.ERR_BadData,"FQI does not exist"); - } else { - return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); - } - } - udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false); - } else { - for (CredDAO.Data curr : rlcd.value) { - udr = ques.credDAO().delete(trans, curr, false); - if (udr.notOK()) { - return Result.err(udr); - } - } - } - if (isLastCred) { - Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); - if (rlurd.isOK()) { - for (UserRoleDAO.Data data : rlurd.value) { - ques.userRoleDAO().delete(trans, data, false); - } - } - } - if (udr==null) { - return Result.err(Result.ERR_NotFound,"No User Data found"); - } - if (udr.isOK()) { - return Result.ok(); - } - return Result.err(udr); - default: - return Result.err(fd); - } - - } - - /* - * Codify the way to get Either Choice Needed or actual Integer from Credit Request - */ - private Result<Integer> selectEntryIfMultiple(final CredRequest cr, List<CredDAO.Data> lcd, String action) { - int entry = 0; - if (lcd.size() > 1) { - String inputOption = cr.getEntry(); - if (inputOption == null) { - String message = selectCredFromList(lcd, action); - Object[] variables = buildVariables(lcd); - return Result.err(Status.ERR_ChoiceNeeded, message, variables); - } else { - if(MayChangeCred.EXTEND.equals(action)) { - // might be Tag - if(inputOption.length()>4) { //Tag is at least 12 - int e = 0; - CredDAO.Data last = null; - int lastIdx = -1; - for(CredDAO.Data cdd : lcd) { - if(inputOption.equals(cdd.tag)) { - if(last==null) { - last = cdd; - lastIdx = e; - } else { - if(last.expires.before(cdd.expires)) { - last = cdd; - lastIdx = e; - } - } - } - ++e; - } - if(last!=null) { - return Result.ok(lastIdx); - } - return Result.err(Status.ERR_BadData, "User chose unknown Tag"); - } - } - entry = Integer.parseInt(inputOption) - 1; - } - if (entry < 0 || entry >= lcd.size()) { - return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); - } - } - return Result.ok(entry); - } - - private List<CredDAO.Data> filterList(List<CredDAO.Data> orig, Integer ... types) { - List<CredDAO.Data> rv = new ArrayList<>(); + method = DELETE, + path = "/authn/cred", + params = {}, + expectedCode = 200, + errorCodes = {300,403,404,406}, + text = { "Delete a Credential. If multiple credentials exist for this", + "ID, you will need to specify which entry you are deleting in the", + "CredRequest object." + } + ) + @Override + public Result<Void> deleteUserCred(AuthzTrans trans, REQUEST from) { + final Result<CredDAO.Data> cred = mapper.cred(trans, from, false); + final Validator v = new ServiceValidator(); + if (v.nullOrBlank("cred", cred.value.id).err()) { + return Result.err(Status.ERR_BadData,v.errs()); + } + + MayChange mc = new MayChangeCred(trans,cred.value,MayChangeCred.DELETE); + Result<?> rmc = mc.mayChange(); + if (rmc.notOK()) { + return Result.err(rmc); + } + + boolean doForce = trans.requested(force); + Result<List<CredDAO.Data>> rlcd = ques.credDAO().readID(trans, cred.value.id); + if (rlcd.notOKorIsEmpty()) { + // Empty Creds should not have user_roles. + Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); + if (rlurd.isOKhasData()) { + for (UserRoleDAO.Data data : rlurd.value) { + ques.userRoleDAO().delete(trans, data, false); + } + } + return Result.err(Status.ERR_UserNotFound, "Credential does not exist"); + } + boolean isLastCred = rlcd.value.size()==1; + + int entry; + CredRequest cr = (CredRequest)from; + if(isLastCred) { + if(cr.getEntry()==null || "1".equals(cr.getEntry())) { + entry = 0; + } else { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } else { + entry = -1; + int fentry = entry; + if(cred.value.type==CredDAO.FQI) { + entry = -1; + for(CredDAO.Data cdd : rlcd.value) { + ++fentry; + if(cdd.type == CredDAO.FQI) { + entry = fentry; + break; + } + } + } else { + if (!doForce) { + if (rlcd.value.size() > 1) { + String inputOption = cr.getEntry(); + if (inputOption == null) { + List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA); + String message = selectCredFromList(list, MayChangeCred.DELETE); + Object[] variables = buildVariables(list); + return Result.err(Status.ERR_ChoiceNeeded, message, variables); + } else { + try { + if (inputOption.length()>5) { // should be a date + Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime(); + for (CredDAO.Data cd : rlcd.value) { + ++fentry; + if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) { + entry = fentry; + break; + } + } + } else { + entry = Integer.parseInt(inputOption) - 1; + int count = 0; + for (CredDAO.Data cd : rlcd.value) { + if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) { + ++entry; + } + if(++count>entry) { + break; + } + } + } + } catch (NullPointerException e) { + return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry"); + } catch (NumberFormatException e) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } + isLastCred = (entry==-1); + } else { + isLastCred = true; + } + if (entry < -1 || entry >= rlcd.value.size()) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } + } + } + + Result<FutureDAO.Data> fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false, + () -> "Delete Credential [" + + cred.value.id + + ']', + mc); + + Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, cred.value.ns); + if (nsr.notOKorIsEmpty()) { + return Result.err(nsr); + } + + switch(fd.status) { + case OK: + Result<String> rfc = func.createFuture(trans, fd.value, cred.value.id, + trans.user(), nsr.value.get(0), FUTURE_OP.D); + + if (rfc.isOK()) { + return Result.err(Status.ACC_Future, "Credential Delete [%s] is saved for future processing",cred.value.id); + } else { + return Result.err(rfc); + } + case Status.ACC_Now: + Result<?>udr = null; + if (!trans.requested(force)) { + if (entry<0 || entry >= rlcd.value.size()) { + if(cred.value.type==CredDAO.FQI) { + return Result.err(Status.ERR_BadData,"FQI does not exist"); + } else { + return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id); + } + } + udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false); + } else { + for (CredDAO.Data curr : rlcd.value) { + udr = ques.credDAO().delete(trans, curr, false); + if (udr.notOK()) { + return Result.err(udr); + } + } + } + if (isLastCred) { + Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id); + if (rlurd.isOK()) { + for (UserRoleDAO.Data data : rlurd.value) { + ques.userRoleDAO().delete(trans, data, false); + } + } + } + if (udr==null) { + return Result.err(Result.ERR_NotFound,"No User Data found"); + } + if (udr.isOK()) { + return Result.ok(); + } + return Result.err(udr); + default: + return Result.err(fd); + } + + } + + /* + * Codify the way to get Either Choice Needed or actual Integer from Credit Request + */ + private Result<Integer> selectEntryIfMultiple(final CredRequest cr, List<CredDAO.Data> lcd, String action) { + int entry = 0; + if (lcd.size() > 1) { + String inputOption = cr.getEntry(); + if (inputOption == null) { + String message = selectCredFromList(lcd, action); + Object[] variables = buildVariables(lcd); + return Result.err(Status.ERR_ChoiceNeeded, message, variables); + } else { + if(MayChangeCred.EXTEND.equals(action)) { + // might be Tag + if(inputOption.length()>4) { //Tag is at least 12 + int e = 0; + CredDAO.Data last = null; + int lastIdx = -1; + for(CredDAO.Data cdd : lcd) { + if(inputOption.equals(cdd.tag)) { + if(last==null) { + last = cdd; + lastIdx = e; + } else { + if(last.expires.before(cdd.expires)) { + last = cdd; + lastIdx = e; + } + } + } + ++e; + } + if(last!=null) { + return Result.ok(lastIdx); + } + return Result.err(Status.ERR_BadData, "User chose unknown Tag"); + } + } + entry = Integer.parseInt(inputOption) - 1; + } + if (entry < 0 || entry >= lcd.size()) { + return Result.err(Status.ERR_BadData, "User chose invalid credential selection"); + } + } + return Result.ok(entry); + } + + private List<CredDAO.Data> filterList(List<CredDAO.Data> orig, Integer ... types) { + List<CredDAO.Data> rv = new ArrayList<>(); for(CredDAO.Data cdd : orig) { - if(cdd!=null) { - for(int t : types) { - if(t==cdd.type) { - rv.add(cdd); - } - } - } + if(cdd!=null) { + for(int t : types) { + if(t==cdd.type) { + rv.add(cdd); + } + } + } } Collections.sort(rv, (o1,o2) -> { - if(o1.type==o2.type) { - return o1.expires.compareTo(o2.expires); - } else { - return o1.type.compareTo(o2.type); - } + if(o1.type==o2.type) { + return o1.expires.compareTo(o2.expires); + } else { + return o1.type.compareTo(o2.type); + } }); - return rv; - } + return rv; + } - private String[] buildVariables(List<CredDAO.Data> value) { + private String[] buildVariables(List<CredDAO.Data> value) { String [] vars = new String[value.size()]; CredDAO.Data cdd; for (int i = 0; i < value.size(); i++) { - cdd = value.get(i); - vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag; + cdd = value.get(i); + vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag; } return vars; } @@ -3116,8 +3116,8 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE private String selectCredFromList(List<CredDAO.Data> value, String action) { StringBuilder errMessage = new StringBuilder(); String userPrompt = MayChangeCred.DELETE.equals(action)? - "Select which cred to delete (set force=true to delete all):": - "Select which cred to " + action + ':'; + "Select which cred to delete (set force=true to delete all):": + "Select which cred to " + action + ':'; int numSpaces = value.get(0).id.length() - "Id".length(); errMessage.append(userPrompt + '\n'); @@ -3132,7 +3132,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if(MayChangeCred.EXTEND.equals(action)) { errMessage.append("Run same command again with chosen entry or Tag as last parameter"); } else { - errMessage.append("Run same command again with chosen entry as last parameter"); + errMessage.append("Run same command again with chosen entry as last parameter"); } return errMessage.toString(); @@ -3193,20 +3193,20 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } @ApiDoc( - method = GET, - path = "/authn/basicAuth", - params = {}, - expectedCode = 200, - errorCodes = { 403 }, - text = { "!!!! DEPRECATED without X509 Authentication STOP USING THIS API BY DECEMBER 2017, or use Certificates !!!!\n" - + "Use /authn/validate instead\n" - + "Note: Validate a Password using BasicAuth Base64 encoded Header. This HTTP/S call is intended as a fast" - + " User/Password lookup for Security Frameworks, and responds 200 if it passes BasicAuth " - + "security, and 403 if it does not." } - ) - private void basicAuth() { - // This is a place holder for Documentation. The real BasicAuth API does not call Service. - } + method = GET, + path = "/authn/basicAuth", + params = {}, + expectedCode = 200, + errorCodes = { 403 }, + text = { "!!!! DEPRECATED without X509 Authentication STOP USING THIS API BY DECEMBER 2017, or use Certificates !!!!\n" + + "Use /authn/validate instead\n" + + "Note: Validate a Password using BasicAuth Base64 encoded Header. This HTTP/S call is intended as a fast" + + " User/Password lookup for Security Frameworks, and responds 200 if it passes BasicAuth " + + "security, and 403 if it does not." } + ) + private void basicAuth() { + // This is a place holder for Documentation. The real BasicAuth API does not call Service. + } /*********************************** * USER-ROLE @@ -3251,9 +3251,9 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE private Result<NsDAO.Data> nsd; @Override public Result<?> mayChange() { - if(urr.value.role.startsWith(urr.value.user)) { - return Result.ok((NsDAO.Data)null); - } + if(urr.value.role.startsWith(urr.value.user)) { + return Result.ok((NsDAO.Data)null); + } if (nsd==null) { RoleDAO.Data r = RoleDAO.Data.decode(userRole); nsd = ques.mayUser(trans, trans.user(), r, Access.write); @@ -3264,15 +3264,15 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE NsDAO.Data ndd; if(userRole.role.startsWith(userRole.user)) { - userRole.ns=userRole.user; - userRole.rname="user"; - ndd = null; + userRole.ns=userRole.user; + userRole.rname="user"; + ndd = null; } else { - Result<NsDAO.Data> nsr = ques.deriveNs(trans, userRole.role); - if (nsr.notOK()) { - return Result.err(nsr); - } - ndd = nsr.value; + Result<NsDAO.Data> nsr = ques.deriveNs(trans, userRole.role); + if (nsr.notOK()) { + return Result.err(nsr); + } + ndd = nsr.value; } switch(fd.status) { @@ -3820,17 +3820,17 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE // May user see Namespace of Permission (since it's only one piece... we can't check for "is permission part of") Result<List<HistoryDAO.Data>> resp; if(type.startsWith(trans.user())) { - resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); + resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); } else { Result<NsDAO.Data> rnd = ques.deriveNs(trans,type); - if (rnd.notOK()) { - return Result.err(rnd); - } - rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read); - if (rnd.notOK()) { - return Result.err(rnd); - } - resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); + if (rnd.notOK()) { + return Result.err(rnd); + } + rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read); + if (rnd.notOK()) { + return Result.err(rnd); + } + resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); } if (resp.notOK()) { @@ -3864,8 +3864,8 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE @Override public Result<HISTORY> getHistoryBySubject(AuthzTrans trans, String subject, String target, int[] yyyymm, final int sort) { - NsDAO.Data ndd = new NsDAO.Data(); - ndd.name = FQI.reverseDomain(subject); + NsDAO.Data ndd = new NsDAO.Data(); + ndd.name = FQI.reverseDomain(subject); Result<Data> rnd = ques.mayUser(trans, trans.user(), ndd, Access.read); if (rnd.notOK()) { return Result.err(rnd); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java index 80d317f0..f9f23f46 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzService.java @@ -644,7 +644,7 @@ public interface AuthzService<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS,CERT * @param sort * @return */ - public Result<HISTORY> getHistoryBySubject(AuthzTrans trans, String subject, String target, int[] yyyymm, int sort); + public Result<HISTORY> getHistoryBySubject(AuthzTrans trans, String subject, String target, int[] yyyymm, int sort); /*********************************** * DELEGATE diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java index c8bae9f0..f7c38681 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java @@ -194,7 +194,7 @@ public class API_Creds { authzAPI.route(POST,"/authn/cred",API.CRED_REQ,new Code(facade,"Add a New ID/Credential", true) { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - Result<Void> r = context.createUserCred(trans, req); + Result<Void> r = context.createUserCred(trans, req); if (r.isOK()) { resp.setStatus(HttpStatus.CREATED_201); } else { diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java index a56b7c26..15d2302f 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_UserRole.java @@ -114,7 +114,7 @@ public class API_UserRole { authzAPI.route(PUT,"/authz/userRole/user",API.USER_ROLE_REQ,new Code(facade,"Update Roles for a user", true) { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - context.error(trans,resp,removeAPI); + context.error(trans,resp,removeAPI); } }); @@ -125,7 +125,7 @@ public class API_UserRole { authzAPI.route(PUT,"/authz/userRole/role",API.USER_ROLE_REQ,new Code(facade,"Update Users for a role", true) { @Override public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - context.error(trans,resp,removeAPI); + context.error(trans,resp,removeAPI); } }); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java index 80e02264..f9ea39d6 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacade.java @@ -243,7 +243,7 @@ public interface AuthzFacade { public abstract Result<Void> getHistoryBySubject(AuthzTrans trans, HttpServletResponse resp, String type, String subject, int[] yyyymm, int sort); - /* + /* * Cache */ public abstract Result<Void> cacheClear(AuthzTrans trans, String pathParam); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java index 323c9fe0..10138d2c 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java @@ -174,16 +174,16 @@ public abstract class AuthzFacadeImpl<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE if (result.variables==null || result.variables.length<1) { detail = new String[1]; } else { - List<String> dlist = new ArrayList<String>(); - dlist.add(null); - String os; - for(Object s : result.variables) { - if(s!=null && (os=s.toString()).length()>0) { - dlist.add(os); - } - } - detail = new String[dlist.size()]; - dlist.toArray(detail); + List<String> dlist = new ArrayList<String>(); + dlist.add(null); + String os; + for(Object s : result.variables) { + if(s!=null && (os=s.toString()).length()>0) { + dlist.add(os); + } + } + detail = new String[dlist.size()]; + dlist.toArray(detail); } //int httpstatus; diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java index 56ba5f5f..26216c65 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java @@ -367,30 +367,30 @@ public class Mapper_2_0 implements Mapper<Nss, Perms, Pkey, Roles, Users, UserRo PermRequest from = (PermRequest)req; String type = from.getType(); if(type==null) { - return Result.err(Result.ERR_BadData, "Invalid Perm Type"); + return Result.err(Result.ERR_BadData, "Invalid Perm Type"); } PermDAO.Data pd = new PermDAO.Data(); if(type.contains("@")) { - String[] split = Split.splitTrim(':', type); - pd.ns = split[0]; - pd.type=split.length>1?split[1]:""; - pd.instance = from.getInstance(); - pd.action = from.getAction(); - pd.description = from.getDescription(); - return Result.ok(pd); + String[] split = Split.splitTrim(':', type); + pd.ns = split[0]; + pd.type=split.length>1?split[1]:""; + pd.instance = from.getInstance(); + pd.action = from.getAction(); + pd.description = from.getDescription(); + return Result.ok(pd); } else { - Result<NsSplit> nss = q.deriveNsSplit(trans, from.getType()); - if (nss.isOK()) { - pd.ns=nss.value.ns; - pd.type = nss.value.name; - pd.instance = from.getInstance(); - pd.action = from.getAction(); - pd.description = from.getDescription(); - trans.checkpoint(pd.fullPerm(), Env.ALWAYS); - return Result.ok(pd); - } else { - return Result.err(nss); - } + Result<NsSplit> nss = q.deriveNsSplit(trans, from.getType()); + if (nss.isOK()) { + pd.ns=nss.value.ns; + pd.type = nss.value.name; + pd.instance = from.getInstance(); + pd.action = from.getAction(); + pd.description = from.getDescription(); + trans.checkpoint(pd.fullPerm(), Env.ALWAYS); + return Result.ok(pd); + } else { + return Result.err(nss); + } } } @@ -526,23 +526,23 @@ public class Mapper_2_0 implements Mapper<Nss, Perms, Pkey, Roles, Users, UserRo to.ns = Question.domain2ns(to.id); to.type = from.getType(); if(to.type!=null && to.type==CredDAO.FQI) { - to.cred = null; + to.cred = null; } else { - String passwd = from.getPassword(); - if (requiresPass) { - String ok = trans.org().isValidPassword(trans, to.id,passwd); - if (ok.length()>0) { - return Result.err(Status.ERR_BadData,ok); - } - } - if (passwd != null) { - to.cred = ByteBuffer.wrap(passwd.getBytes()); - to.type = CredDAO.RAW; - } else { - to.type = CredDAO.NONE; - } - } - + String passwd = from.getPassword(); + if (requiresPass) { + String ok = trans.org().isValidPassword(trans, to.id,passwd); + if (ok.length()>0) { + return Result.err(Status.ERR_BadData,ok); + } + } + if (passwd != null) { + to.cred = ByteBuffer.wrap(passwd.getBytes()); + to.type = CredDAO.RAW; + } else { + to.type = CredDAO.NONE; + } + } + // Note: Ensure requested EndDate created will match Organization Password Rules // P.S. Do not apply TempPassword rule here. Do that when you know you are doing a Create/Reset (see Service) to.expires = getExpires(trans.org(),Expiration.Password,base,from.getId()); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java index df8bde8b..56785fee 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java @@ -57,9 +57,9 @@ public class ServiceValidator extends Validator { if (pd==null) { msg("Perm Data is null."); } else { - if(!pd.ns.contains("@")) { - ns(pd.ns); - } + if(!pd.ns.contains("@")) { + ns(pd.ns); + } permType(pd.type,pd.ns); permInstance(pd.instance); permAction(pd.action); @@ -222,8 +222,8 @@ public class ServiceValidator extends Validator { public ServiceValidator user_role(String user, UserRoleDAO.Data urdd) { role(user,urdd.role); if(!urdd.role.startsWith(user)) { - nullOrBlank("UserRole.ns",urdd.ns); - nullOrBlank("UserRole.rname",urdd.rname); + nullOrBlank("UserRole.ns",urdd.ns); + nullOrBlank("UserRole.rname",urdd.rname); } return this; } diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_BaseServiceImpl.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_BaseServiceImpl.java index 5e6cfb62..9a804c98 100644 --- a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_BaseServiceImpl.java +++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_BaseServiceImpl.java @@ -75,20 +75,20 @@ import aaf.v2_0.Users; @RunWith(MockitoJUnitRunner.class) public abstract class JU_BaseServiceImpl { - protected AuthzCassServiceImpl<Nss, Perms, Pkey, Roles, Users, UserRoles, Delgs, Certs, Keys, Request, History, Error, Approvals> - acsi; - protected Mapper_2_0 mapper; + protected AuthzCassServiceImpl<Nss, Perms, Pkey, Roles, Users, UserRoles, Delgs, Certs, Keys, Request, History, Error, Approvals> + acsi; + protected Mapper_2_0 mapper; - @Mock + @Mock protected DefaultOrg org; - @Mock + @Mock protected DefaultOrgIdentity orgIdentity; // // NOTE: Annotation format (@Mock and @Spy) do NOT seem to always work as a Base Class, // so we construct manually. // -// Mock Objects +// Mock Objects protected HistoryDAO historyDAO = mock(HistoryDAO.class); protected CacheInfoDAO cacheInfoDAO = mock(CacheInfoDAO.class); protected CachedNSDAO nsDAO = mock(CachedNSDAO.class); @@ -102,47 +102,47 @@ public abstract class JU_BaseServiceImpl { protected DelegateDAO delegateDAO = mock(DelegateDAO.class); protected ApprovalDAO approvalDAO = mock(ApprovalDAO.class); - // Spy Objects + // Spy Objects @Spy protected static PropAccess access = new PropAccess(); @Spy - protected static AuthzEnv env = new AuthzEnv(access); + protected static AuthzEnv env = new AuthzEnv(access); @Spy protected static AuthzTrans trans = env.newTransNoAvg(); // @Spy doesn't seem to work on Question. @Spy protected Question question = spy(new Question(trans, - historyDAO,cacheInfoDAO,nsDAO,permDAO, - roleDAO,userRoleDAO,credDAO,certDAO, - locateDAO,futureDAO,delegateDAO,approvalDAO)); + historyDAO,cacheInfoDAO,nsDAO,permDAO, + roleDAO,userRoleDAO,credDAO,certDAO, + locateDAO,futureDAO,delegateDAO,approvalDAO)); - public void setUp() throws Exception { - when(trans.org()).thenReturn(org); - when(org.getDomain()).thenReturn("org.onap"); - Define.set(access); - access.setProperty(Config.CADI_LATITUDE, "38.0"); - access.setProperty(Config.CADI_LONGITUDE, "-72.0"); - - mapper = new Mapper_2_0(question); - acsi = new AuthzCassServiceImpl<>(trans, mapper, question); - } - - ////////// - // Common Data Objects - ///////// + public void setUp() throws Exception { + when(trans.org()).thenReturn(org); + when(org.getDomain()).thenReturn("org.onap"); + Define.set(access); + access.setProperty(Config.CADI_LATITUDE, "38.0"); + access.setProperty(Config.CADI_LONGITUDE, "-72.0"); + + mapper = new Mapper_2_0(question); + acsi = new AuthzCassServiceImpl<>(trans, mapper, question); + } + + ////////// + // Common Data Objects + ///////// protected List<NsDAO.Data> nsData(String name) { - NsDAO.Data ndd = new NsDAO.Data(); - ndd.name=name; - int dot = name.lastIndexOf('.'); - if(dot<0) { - ndd.parent="."; - } else { - ndd.parent=name.substring(0,dot); - } - List<NsDAO.Data> rv = new ArrayList<NsDAO.Data>(); - rv.add(ndd); - return rv; + NsDAO.Data ndd = new NsDAO.Data(); + ndd.name=name; + int dot = name.lastIndexOf('.'); + if(dot<0) { + ndd.parent="."; + } else { + ndd.parent=name.substring(0,dot); + } + List<NsDAO.Data> rv = new ArrayList<NsDAO.Data>(); + rv.add(ndd); + return rv; } /** @@ -155,36 +155,36 @@ public abstract class JU_BaseServiceImpl { * @param days */ protected void whenRole(AuthzTrans trans, String user, String ns, String role, boolean exists, int days) { - Result<List<UserRoleDAO.Data>> result; - if(exists) { - result = Result.ok(listOf(urData(user,ns,role,days))); - } else { - result = Result.ok(emptyList(UserRoleDAO.Data.class)); - } - when(question.userRoleDAO().read(trans, user, ns+'.'+role)).thenReturn(result); + Result<List<UserRoleDAO.Data>> result; + if(exists) { + result = Result.ok(listOf(urData(user,ns,role,days))); + } else { + result = Result.ok(emptyList(UserRoleDAO.Data.class)); + } + when(question.userRoleDAO().read(trans, user, ns+'.'+role)).thenReturn(result); } protected UserRoleDAO.Data urData(String user, String ns, String rname, int days) { - UserRoleDAO.Data urdd = new UserRoleDAO.Data(); - urdd.user = user; - urdd.ns = ns; - urdd.rname = rname; - urdd.role = ns + '.' + rname; - GregorianCalendar gc = new GregorianCalendar(); - gc.add(GregorianCalendar.DAY_OF_YEAR, days); - urdd.expires = gc.getTime(); - return urdd; + UserRoleDAO.Data urdd = new UserRoleDAO.Data(); + urdd.user = user; + urdd.ns = ns; + urdd.rname = rname; + urdd.role = ns + '.' + rname; + GregorianCalendar gc = new GregorianCalendar(); + gc.add(GregorianCalendar.DAY_OF_YEAR, days); + urdd.expires = gc.getTime(); + return urdd; } protected <T> List<T> listOf(T t) { - List<T> list = new ArrayList<>(); - list.add(t); - return list; + List<T> list = new ArrayList<>(); + list.add(t); + return list; } protected <T> List<T> emptyList(Class<T> cls) { - return new ArrayList<>(); + return new ArrayList<>(); } } diff --git a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_ServiceImpl_createUserCred.java b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_ServiceImpl_createUserCred.java index 00da6b4c..2bb907ac 100644 --- a/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_ServiceImpl_createUserCred.java +++ b/auth/auth-service/src/test/java/org/onap/aaf/auth/service/test/JU_ServiceImpl_createUserCred.java @@ -49,100 +49,100 @@ import junit.framework.Assert; @RunWith(MockitoJUnitRunner.class) public class JU_ServiceImpl_createUserCred extends JU_BaseServiceImpl { - @Mock - private Result<CredDAO.Data> rcdd; - - @Before - public void setUp() throws Exception { - super.setUp(); - } + @Mock + private Result<CredDAO.Data> rcdd; + + @Before + public void setUp() throws Exception { + super.setUp(); + } @Test public void validCreateNewIsOwner() throws OrganizationException { - CredRequest cr = credRequest1(); - final String fqi = "bob@people.onap.org"; - when(trans.user()).thenReturn(fqi); - when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); - when(org.isValidCred(trans, cr.getId())).thenReturn(true); - when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); - when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); - when(orgIdentity.isFound()).thenReturn(true); - final String ns = "org.onap.sample"; - whenRole(trans, fqi, ns, "owner", false, 100); - when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); - when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(emptyList(CredDAO.Data.class))); - when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(credDataFound(cr,100))); - when(question.credDAO().readNS(trans, ns)).thenReturn(Result.ok(listOf(credDataFound(cr,100)))); - Result<?> result = acsi.createUserCred(trans,cr); - // Owner may do FIRST Creds - Assert.assertEquals(Result.OK,result.status); + CredRequest cr = credRequest1(); + final String fqi = "bob@people.onap.org"; + when(trans.user()).thenReturn(fqi); + when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); + when(org.isValidCred(trans, cr.getId())).thenReturn(true); + when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); + when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); + when(orgIdentity.isFound()).thenReturn(true); + final String ns = "org.onap.sample"; + whenRole(trans, fqi, ns, "owner", false, 100); + when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); + when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(emptyList(CredDAO.Data.class))); + when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(credDataFound(cr,100))); + when(question.credDAO().readNS(trans, ns)).thenReturn(Result.ok(listOf(credDataFound(cr,100)))); + Result<?> result = acsi.createUserCred(trans,cr); + // Owner may do FIRST Creds + Assert.assertEquals(Result.OK,result.status); } @Test public void validCreateNewOnlyAdmin() throws OrganizationException { - CredRequest cr = credRequest1(); - final String fqi = "bob@people.onap.org"; - when(trans.user()).thenReturn(fqi); - when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); - when(org.isValidCred(trans, cr.getId())).thenReturn(true); - when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); - when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); - when(orgIdentity.isFound()).thenReturn(true); - final String ns = "org.onap.sample"; - whenRole(trans,fqi,ns,"owner",false, 100); - whenRole(trans,fqi,ns,"admin",true, 100); - when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); - when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(emptyList(CredDAO.Data.class))); - when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(credDataFound(cr,100))); - when(question.credDAO().readNS(trans, ns)).thenReturn(Result.ok(listOf(credDataFound(cr,100)))); - Result<?> result = acsi.createUserCred(trans,cr); - // Admins may not do FIRST Creds - Assert.assertEquals(Result.ERR_Denied,result.status); + CredRequest cr = credRequest1(); + final String fqi = "bob@people.onap.org"; + when(trans.user()).thenReturn(fqi); + when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); + when(org.isValidCred(trans, cr.getId())).thenReturn(true); + when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); + when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); + when(orgIdentity.isFound()).thenReturn(true); + final String ns = "org.onap.sample"; + whenRole(trans,fqi,ns,"owner",false, 100); + whenRole(trans,fqi,ns,"admin",true, 100); + when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); + when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(emptyList(CredDAO.Data.class))); + when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(credDataFound(cr,100))); + when(question.credDAO().readNS(trans, ns)).thenReturn(Result.ok(listOf(credDataFound(cr,100)))); + Result<?> result = acsi.createUserCred(trans,cr); + // Admins may not do FIRST Creds + Assert.assertEquals(Result.ERR_Denied,result.status); } @Test public void validCreateExisting() throws OrganizationException { - CredRequest cr = credRequest1(); - when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); - when(org.isValidCred(trans, cr.getId())).thenReturn(true); - when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); - when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); - when(orgIdentity.isFound()).thenReturn(true); - String ns = "org.onap.sample"; - when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); - - CredDAO.Data cdd = credDataFound(cr,100); - when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(cdd)); - when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(listOf(cdd))); + CredRequest cr = credRequest1(); + when(org.isValidPassword(trans, cr.getId(),cr.getPassword())).thenReturn(""); + when(org.isValidCred(trans, cr.getId())).thenReturn(true); + when(org.canHaveMultipleCreds(cr.getId())).thenReturn(true); + when(org.getIdentity(trans, cr.getId())).thenReturn(orgIdentity); + when(orgIdentity.isFound()).thenReturn(true); + String ns = "org.onap.sample"; + when(question.nsDAO().read(trans, ns)).thenReturn(Result.ok(nsData(ns))); + + CredDAO.Data cdd = credDataFound(cr,100); + when(question.credDAO().create(any(AuthzTrans.class), any(CredDAO.Data.class) )).thenReturn(Result.ok(cdd)); + when(question.credDAO().readID(trans, cr.getId())).thenReturn(Result.ok(listOf(cdd))); - Result<?> result = acsi.createUserCred(trans,cr); - Assert.assertEquals(Result.OK,result.status); + Result<?> result = acsi.createUserCred(trans,cr); + Assert.assertEquals(Result.OK,result.status); } private CredRequest credRequest1() { - CredRequest cr = new CredRequest(); - cr.setId("m12345@sample.onap.org"); - cr.setPassword("BobAndWeave"); - cr.setType(CredDAO.RAW); - return cr; + CredRequest cr = new CredRequest(); + cr.setId("m12345@sample.onap.org"); + cr.setPassword("BobAndWeave"); + cr.setType(CredDAO.RAW); + return cr; } private CredDAO.Data credDataFound(CredRequest cr, int days) { - CredDAO.Data cdd = new CredDAO.Data(); - cdd.id = cr.getId(); - cdd.ns = FQI.reverseDomain(cr.getId()); - cdd.other = 12345; - cdd.tag = "1355434"; - cdd.type = CredDAO.BASIC_AUTH_SHA256; - try { - cdd.cred = ByteBuffer.wrap(Hash.hashSHA256(cr.getPassword().getBytes())); - } catch (NoSuchAlgorithmException e) { - Assert.fail(e.getMessage()); - } - GregorianCalendar gc = new GregorianCalendar(); - gc.add(GregorianCalendar.DAY_OF_YEAR, days); - cdd.expires = gc.getTime(); - return cdd; + CredDAO.Data cdd = new CredDAO.Data(); + cdd.id = cr.getId(); + cdd.ns = FQI.reverseDomain(cr.getId()); + cdd.other = 12345; + cdd.tag = "1355434"; + cdd.type = CredDAO.BASIC_AUTH_SHA256; + try { + cdd.cred = ByteBuffer.wrap(Hash.hashSHA256(cr.getPassword().getBytes())); + } catch (NoSuchAlgorithmException e) { + Assert.fail(e.getMessage()); + } + GregorianCalendar gc = new GregorianCalendar(); + gc.add(GregorianCalendar.DAY_OF_YEAR, days); + cdd.expires = gc.getTime(); + return cdd; } }
\ No newline at end of file |