diff options
Diffstat (limited to 'auth')
10 files changed, 165 insertions, 22 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java index 9c57d200..868f9ac2 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java @@ -53,6 +53,7 @@ public class CredDAO extends CassDAOImpl<AuthzTrans,CredDAO.Data> { public static final String TABLE = "cred"; public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F public static final int RAW = -1; + public static final int FQI = 0; public static final int BASIC_AUTH = 1; public static final int BASIC_AUTH_SHA256 = 2; public static final int CERT_SHA256_RSA =200; @@ -225,8 +226,12 @@ public class CredDAO extends CassDAOImpl<AuthzTrans,CredDAO.Data> { @Override public Result<Data> create(AuthzTrans trans, Data data) { if(data.tag == null) { - long l = srand.nextLong(); - data.tag = Long.toHexString(l); + if(data.type==0) { + data.tag="PlaceHolder"; + } else { + long l = srand.nextLong(); + data.tag = Long.toHexString(l); + } } return super.create(trans, data); } diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index bd0c8355..2c98a9bc 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java @@ -920,6 +920,9 @@ public class Question { tt.done(); } + } else if (cred.type==CredDAO.FQI) { + cred.cred = null; + return Result.ok(cred); } return Result.err(Status.ERR_Security,"invalid/unreadable credential"); } diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java index 3dae0fa5..42306c85 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java @@ -163,8 +163,9 @@ public class List extends BaseCmd<NS> { type = 9999; } switch(type) { + case 0: return "NoCrd"; case 1: return "U/P"; - case 2: return "U/P2"; + case 2: return "U/P2"; case 10: return "Cert"; case 200: return "x509"; default: diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java new file mode 100644 index 00000000..12035a16 --- /dev/null +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java @@ -0,0 +1,125 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.auth.cmd.user; + +import org.onap.aaf.auth.cmd.AAFcli; +import org.onap.aaf.auth.cmd.Cmd; +import org.onap.aaf.auth.cmd.Param; +import org.onap.aaf.auth.rserv.HttpMethods; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.misc.env.APIException; + +import aaf.v2_0.CredRequest; + +public class ID extends Cmd { + public static final String ATTEMPT_FAILED_SPECIFICS_WITHELD = "Attempt Failed. Specifics witheld."; + private static final String CRED_PATH = "/authn/cred"; + private static final String[] options = {"add","del"}; + public ID(User parent) { + super(parent,"fqi", + new Param(optionsToString(options),true), + new Param("id",true) + ); + } + + @Override + public int _exec(int _idx, final String ... args) throws CadiException, APIException, LocatorException { + int idx = _idx; + String key = args[idx++]; + final int option = whichOption(options,key); + + final CredRequest cr = new CredRequest(); + cr.setId(args[idx++]); + cr.setType(0); + if (args.length>idx) + cr.setEntry(args[idx]); + + // Set Start/End commands + setStartEnd(cr); + Integer ret = same(new Retryable<Integer>() { + @Override + public Integer code(Rcli<?> client) throws CadiException, APIException { + Future<CredRequest> fp=null; + String verb =null; + switch(option) { + case 0: + fp = client.create( + CRED_PATH, + getDF(CredRequest.class), + cr + ); + verb = "Added ID ["; + break; + case 1: + setQueryParamsOn(client); + fp = client.delete(CRED_PATH, + getDF(CredRequest.class), + cr + ); + verb = "Deleted ID ["; + break; + default: + break; + } + if (fp==null) { + return null; // get by Sonar check. + } + if (fp.get(AAFcli.timeout())) { + pw().print(verb); + pw().print(cr.getId()); + pw().println(']'); + } else if (fp.code()==202) { + pw().println("ID Action Accepted, but requires Approvals before actualizing"); + } else if (fp.code()==406 && option==1) { + pw().println("You cannot delete this ID"); + } else { + pw().println(ATTEMPT_FAILED_SPECIFICS_WITHELD); + } + return fp.code(); + } + }); + if (ret==null)ret = -1; + return ret; + } + + @Override + public void detailedHelp(int _indent, StringBuilder sb) { + int indent = _indent; + detailLine(sb,indent,"Add or Delete Fully Qualified Identity: An ID attached to the Namespace"); + indent+=2; + detailLine(sb,indent,"fqi - the ID to create/delete within AAF"); + sb.append('\n'); + detailLine(sb,indent,"This usage has NO Credential, and serves only to allow IDs to be attached"); + detailLine(sb,indent,"to Roles before credentials such as Certificates are established."); + detailLine(sb,indent,"The Domain can be related to any Namespace you have access to *"); + detailLine(sb,indent,"The Domain is in reverse order of Namespace, i.e. "); + detailLine(sb,indent+2,"NS of com.att.myapp can create user of XY1234@myapp.att.com"); + indent-=2; + api(sb,indent,HttpMethods.POST,"authn/cred",CredRequest.class,true); + api(sb,indent,HttpMethods.DELETE,"authn/cred",CredRequest.class,false); + api(sb,indent,HttpMethods.PUT,"authn/cred",CredRequest.class,false); + } +} diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/User.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/User.java index 26e35bec..746f9c22 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/User.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/User.java @@ -29,6 +29,7 @@ public class User extends BaseCmd<User> { public User(AAFcli aafcli) throws APIException { super(aafcli,"user"); cmds.add(new Role(this)); + cmds.add(new ID(this)); cmds.add(new Cred(this)); cmds.add(new Delg(this)); cmds.add(new List(this)); diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java index 359cb28b..f8aeb11b 100644 --- a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java +++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java @@ -131,7 +131,8 @@ public class AAF_GUI extends AbsService<AuthzEnv, AuthzTrans> implements State<E deployedVersion = access.getProperty(Config.AAF_RELEASE, "N/A:2.x"); // Certificate Manager - cmCon = new AAFConHttp(env.access(),Config.AAF_URL_CM); + String aaf_url_cm = env.getProperty(Config.AAF_URL_CM,Config.AAF_URL_CM_DEF); + cmCon = new AAFConHttp(env.access(),aaf_url_cm); artifactsDF = env.newDataFactory(Artifacts.class); certInfoDF = env.newDataFactory(CertInfo.class); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 751825c1..e311513e 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -2290,7 +2290,6 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE try { Result<CredDAO.Data> rcred = mapper.cred(trans, from, true); if (rcred.isOKhasData()) { - byte[] rawCred = rcred.value.cred.array(); rcred = ques.userCredSetup(trans, rcred.value); final ServiceValidator v = new ServiceValidator(); @@ -2333,7 +2332,9 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE // Note: ASPR specifies character differences, but we don't actually store the // password to validate char differences. - rb = ques.userCredCheck(trans, curr, rawCred); +// byte[] rawCred = rcred.value.type==CredDAO.RAW?null:; + + rb = ques.userCredCheck(trans, curr, rcred.value.cred.array()); if (rb.notOK()) { return Result.err(rb); } else if (rb.value){ diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java index 72a24d21..187f4e39 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java @@ -509,22 +509,27 @@ public class Mapper_2_0 implements Mapper<Nss, Perms, Pkey, Roles, Users, UserRo CredDAO.Data to = new CredDAO.Data(); to.id=from.getId(); to.ns = Question.domain2ns(to.id); - String passwd = from.getPassword(); - if (requiresPass) { - String ok = trans.org().isValidPassword(trans, to.id,passwd); - if (ok.length()>0) { - return Result.err(Status.ERR_BadData,ok); - } - } else { - to.type=0; - } - if (passwd != null) { - to.cred = ByteBuffer.wrap(passwd.getBytes()); - to.type = CredDAO.RAW; + to.type = from.getType(); + if(to.type!=null && to.type==CredDAO.FQI) { + to.cred = null; } else { - to.type = 0; - } - + String passwd = from.getPassword(); + if (requiresPass) { + String ok = trans.org().isValidPassword(trans, to.id,passwd); + if (ok.length()>0) { + return Result.err(Status.ERR_BadData,ok); + } + } else { + to.type=0; + } + if (passwd != null) { + to.cred = ByteBuffer.wrap(passwd.getBytes()); + to.type = CredDAO.RAW; + } else { + to.type = CredDAO.FQI; + } + } + // Note: Ensure requested EndDate created will match Organization Password Rules // P.S. Do not apply TempPassword rule here. Do that when you know you are doing a Create/Reset (see Service) to.expires = getExpires(trans.org(),Expiration.Password,base,from.getId()); diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java index 128fdcd1..adff4612 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java @@ -162,6 +162,7 @@ public class ServiceValidator extends Validator { } else { switch(cd.type) { case CredDAO.BASIC_AUTH_SHA256: + case CredDAO.FQI: // ok break; default: diff --git a/auth/helm/aaf/values.yaml b/auth/helm/aaf/values.yaml index 4ae0777e..fae26290 100644 --- a/auth/helm/aaf/values.yaml +++ b/auth/helm/aaf/values.yaml @@ -114,7 +114,7 @@ image: # When using Docker Repo, add, and include trailing "/" # repository: nexus3.onap.org:10003/ # repository: localhost:5000/ - version: 2.1.14 + version: 2.1.14-SNAPSHOT resources: {} # We usually recommend not to specify default resources and to leave this as a conscious |