Diffstat (limited to 'auth')
35 files changed, 403 insertions, 105 deletions
diff --git a/auth/auth-batch/pom.xml b/auth/auth-batch/pom.xml index 09ce6182..304a23f7 100644 --- a/auth/auth-batch/pom.xml +++ b/auth/auth-batch/pom.xml @@ -25,7 +25,7 @@ <parent> <groupId>org.onap.aaf.authz</groupId> <artifactId>authparent</artifactId> - <version>2.1.14-SNAPSHOT</version> + <version>2.1.15-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java new file mode 100644 index 00000000..7b6e09f5 --- /dev/null +++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/ApprovedRpt.java 
@@ -0,0 +1,183 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.auth.batch.reports; + +import java.io.File; +import java.io.IOException; +import java.util.Date; +import java.util.GregorianCalendar; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.TreeMap; +import java.util.UUID; + +import org.onap.aaf.auth.batch.Batch; +import org.onap.aaf.auth.env.AuthzTrans; +import org.onap.aaf.auth.org.OrganizationException; +import org.onap.aaf.cadi.routing.GreatCircle; +import org.onap.aaf.cadi.util.CSV; +import org.onap.aaf.cadi.util.CSV.Visitor; +import org.onap.aaf.cadi.util.CSV.Writer; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.Env; +import org.onap.aaf.misc.env.TimeTaken; +import org.onap.aaf.misc.env.util.Chrono; +import org.onap.aaf.misc.env.util.Split; + +import com.datastax.driver.core.ResultSet; +import com.datastax.driver.core.Row; +import com.datastax.driver.core.SimpleStatement; +import com.datastax.driver.core.Statement; + + +public class 
ApprovedRpt extends Batch { + + private static final String APPR_RPT = "ApprovedRpt"; + private static final String CSV = ".csv"; + private static final String INFO = "info"; + private Date now; + private Writer approvedW; + private CSV historyR; + private static String yr_mon; + + public ApprovedRpt(AuthzTrans trans) throws APIException, IOException, OrganizationException { + super(trans.env()); + trans.info().log("Starting Connection Process"); + + TimeTaken tt0 = trans.start("Cassandra Initialization", Env.SUB); + try { +// TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE); +// try { +// session = cluster.connect(); +// } finally { +// tt.done(); +// } + + now = new Date(); + String sdate = Chrono.dateOnlyStamp(now); + File file = new File(logDir(),APPR_RPT + sdate +CSV); + CSV csv = new CSV(env.access(),file); + approvedW = csv.writer(false); + + historyR = new CSV(env.access(),args()[1]).setDelimiter('|'); + + yr_mon = args()[0]; + } finally { + tt0.done(); + } + } + + @Override + protected void run(AuthzTrans trans) { + try { + Map<String,Boolean> checked = new TreeMap<String, Boolean>(); + + final AuthzTrans transNoAvg = trans.env().newTransNoAvg(); +// ResultSet results; +// Statement stmt = new SimpleStatement( "select dateof(id), approver, status, user, type, memo from authz.approved;" ); +// results = session.execute(stmt); +// Iterator<Row> iter = results.iterator(); +// Row row; + /* + * while (iter.hasNext()) { + ++totalLoaded; + row = iter.next(); + d = row.getTimestamp(0); + if(d.after(begin)) { + approvedW.row("aprvd", + Chrono.dateOnlyStamp(d), + row.getString(1), + row.getString(2), + row.getString(3), + row.getString(4), + row.getString(5) + ); + } + } + + */ + int totalLoaded = 0; + Date d; + GregorianCalendar gc = new GregorianCalendar(); + gc.add(GregorianCalendar.MONTH, -2); + Date begin = gc.getTime(); + approvedW.comment("date, approver, status, user, role, memo"); + + historyR.visit(row -> { + String s = row.get(7); + 
if(s.equals(yr_mon)) { + String target = row.get(5); + if("user_role".equals(target)) { + String action = row.get(1); + switch(action) { + case "create": + write("created",row); + break; + case "update": + write("approved",row); + break; + case "delete": + write("denied",row); + break; + } + } + } + }); + + } catch (Exception e) { + trans.info().log(e); + } + } + + private void write(String a_or_d, List<String> row) { + String[] target = Split.splitTrim('|', row.get(4)); + + if(target.length>1) { + UUID id = UUID.fromString(row.get(0)); + Date date = Chrono.uuidToDate(id); + String status; + String memo; + String approver = row.get(6); + if("batch:JobChange".equals(approver)) { + status = "reduced"; + memo = "existing role membership reduced to invoke reapproval"; + } else { + status = a_or_d; + memo = row.get(2); + } + if(!approver.equals(target[0])) { + approvedW.row( + Chrono.niceDateStamp(date), + approver, + status, + target[0], + target[1], + memo + ); + } + } + + + } + +} diff --git a/auth/auth-cass/pom.xml b/auth/auth-cass/pom.xml index 646dcbbb..4b9f9fee 100644 --- a/auth/auth-cass/pom.xml +++ b/auth/auth-cass/pom.xml @@ -17,7 +17,7 @@ <parent> <groupId>org.onap.aaf.authz</groupId> <artifactId>authparent</artifactId> - <version>2.1.14-SNAPSHOT</version> + <version>2.1.15-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java index c59312c0..4ec70d4a 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java 
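Review bot: The `catch (Exception e) { trans.info().log(e); }` that closes run() turns any failure inside the historyR.visit loop — a short row at `row.get(7)`, or a malformed id at `UUID.fromString(row.get(0))` in write() — into an info-level log entry and a normal return, so the approval report is written truncated with nothing marking it as incomplete. For an audit artifact that is the wrong failure mode: log it at error, `trans.error().log(e);`, and prefer to skip and count the bad row inside the visitor rather than abort the whole pass. `args()[0]` and `args()[1]` are also read in the constructor with no arity check, so a missing argument surfaces as an ArrayIndexOutOfBoundsException instead of a usage message. The `checked`, `transNoAvg`, `totalLoaded`, `d` and `begin` locals and the commented-out Cassandra query are dead and should go, and `approvedW` is never flushed or closed in this file — presumably Batch does that, worth confirming.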
@@ -628,12 +628,7 @@ public class Function { return Result.err(Status.ERR_DependencyExists, sb.toString()); } - if (move && parent == null) { - return Result - .err(Status.ERR_DependencyExists, - "Cannot move users, roles or permissions - parent is missing.\nDelete dependencies and try again"); - } - else if (move && parent.type == NsType.COMPANY.type) { + if (move && (parent == null || parent.type == NsType.COMPANY.type)) { return Result .err(Status.ERR_DependencyExists, "Cannot move users, roles or permissions to [%s].\nDelete dependencies and try again", @@ -1040,7 +1035,7 @@ public class Function { // Attached to any Roles? if (fullperm.roles != null) { - if (force) { + if (force || fullperm.roles.contains(user+":user")) { for (String role : fullperm.roles) { Result<Void> rv = null; Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, q, role); diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index 22b14cb4..3b61da31 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java 
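Review bot: Folding `parent == null` into the `[%s]` message form looks risky: the old null branch deliberately used a message with no format argument, whereas the merged branch passes an argument on the line after this hunk (outside view) that, for the COMPANY case, is presumably a field of `parent`; if so, a missing parent now dereferences null while building the error instead of returning ERR_DependencyExists. Either keep the two branches or make the argument null-safe, e.g. `parent==null ? "<missing parent>" : parent.name` — substituting whichever field the existing argument reads. The enclosing method starts and ends outside the hunk.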
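Review bot: `force || fullperm.roles.contains(user+":user")` widens the non-forced path of this permission delete, yet the loop that follows still walks every entry of `fullperm.roles`, not only `user+":user"`; if the perm is attached to the caller's personal role and to shared roles, a plain (non-force) delete now strips it from the shared roles as well, which is exactly what the `force` gate existed to prevent. If the intent is only to let a user clean up their own implicit role, restrict the loop when `force` is false, e.g. `if (!force && !role.equals(user+":user")) { continue; }` at the top of the loop body, or leave a comment explaining why the broader removal is acceptable. `user` and the rest of the method are outside this hunk, so its meaning is inferred from the string being built.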
@@ -246,15 +246,29 @@ public class Question { approvalDAO.close(trans); } - public Result<PermDAO.Data> permFrom(AuthzTrans trans, String type, - String instance, String action) { - Result<NsDAO.Data> rnd = deriveNs(trans, type); - if (rnd.isOK()) { - return Result.ok(new PermDAO.Data(new NsSplit(rnd.value, type), - instance, action)); - } else { - return Result.err(rnd); - } + public Result<PermDAO.Data> permFrom(AuthzTrans trans, String type, String instance, String action) { + if(type.indexOf('@') >= 0) { + int colon = type.indexOf(':'); + if(colon>=0) { + PermDAO.Data pdd = new PermDAO.Data(); + pdd.ns = type.substring(0, colon); + pdd.type = type.substring(colon+1); + pdd.instance = instance; + pdd.action = action; + + return Result.ok(pdd); + } else { + return Result.err(Result.ERR_BadData,"Could not extract ns and type from " + type); + } + } else { + Result<NsDAO.Data> rnd = deriveNs(trans, type); + if (rnd.isOK()) { + return Result.ok(new PermDAO.Data(new NsSplit(rnd.value, type), + instance, action)); + } else { + return Result.err(rnd); + } + } } /** 
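Review bot: The new `'@'` branch of permFrom() takes `ns` verbatim from the caller-supplied string and skips deriveNs(), which the non-'@' path still uses to resolve the namespace (and, presumably, to confirm it exists); unless every caller has already authorized that namespace, a type such as `other.ns@x:foo` now yields a PermDAO.Data in a namespace the caller never proved rights to — worth checking against the callers. The split is also unvalidated at the edges: `colon` may be 0 (empty ns) or the last index (empty type), and nothing checks that the '@' actually sits inside the ns part. Tighten the guard to `if(colon>0 && colon<type.length()-1)` and, if deriveNs is where existence is checked, run it on `type.substring(0,colon)` before accepting the pair.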
@@ -317,12 +331,21 @@ public class Question { return Result.ok(rlpUser); } - public Result<List<PermDAO.Data>> getPermsByType(AuthzTrans trans, String perm) { - Result<NsSplit> nss = deriveNsSplit(trans, perm); - if (nss.notOK()) { - return Result.err(nss); - } - return permDAO.readByType(trans, nss.value.ns, nss.value.name); + public Result<List<PermDAO.Data>> getPermsByType(AuthzTrans trans, String type) { + if(type.indexOf('@') >= 0) { + int colon = type.indexOf(':'); + if(colon>=0) { + return permDAO.readByType(trans, type.substring(0, colon),type.substring(colon+1)); + } else { + return Result.err(Result.ERR_BadData, "%s is malformed",type); + } + } else { + Result<NsSplit> nss = deriveNsSplit(trans, type); + if (nss.notOK()) { + return Result.err(nss); + } + return permDAO.readByType(trans, nss.value.ns, nss.value.name); + } } public Result<List<PermDAO.Data>> getPermsByName(AuthzTrans trans, String type, String instance, String action) { diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLocator.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLocator.java index 2f1d150c..27d5df74 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLocator.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLocator.java @@ -77,7 +77,7 @@ public class DirectAAFLocator extends AbsAAFLocator<AuthzTrans> { if(name.indexOf('.')>=0) { aaf_url = "https://"+Config.AAF_LOCATE_URL_TAG+'/'+name+':'+version; } else { - aaf_url = "https://"+Config.AAF_LOCATE_URL_TAG+"/%NS."+name+':'+version; + aaf_url = "https://"+Config.AAF_LOCATE_URL_TAG+"/%CNS.%NS."+name+':'+version; } RegistrationPropHolder rph = new RegistrationPropHolder(access,0); aaf_url = rph.replacements(getClass().getSimpleName(),aaf_url, null,null); 
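Review bot: getPermsByType() repeats the `'@'` / `':'` splitting that permFrom() introduces in the hunk above, with the same unguarded edges (`colon==0` gives an empty ns, a trailing ':' an empty type) and a different error text (`"%s is malformed"` versus `"Could not extract ns and type from "`). Pull the split into one private helper that returns the (ns, type) pair or a Result.err, and have both methods call it, so any later validation of the '@' form lands in a single place. getPermsByType is wholly inside the hunk; the pre-existing deriveNsSplit path is unchanged.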
diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLocator.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLocator.java index 01d4b9a2..f6d2a593 100644 --- a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLocator.java +++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectAAFLocator.java @@ -103,7 +103,8 @@ public class JU_DirectAAFLocator { Mockito.doReturn(access).when(env).access(); Mockito.doReturn("20").when(access).getProperty(Config.CADI_LATITUDE,null); Mockito.doReturn("20").when(access).getProperty(Config.CADI_LONGITUDE,null); - Mockito.doReturn("20").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER,""); + Mockito.doReturn("").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER,""); + Mockito.doReturn("").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER_NS,""); Mockito.doReturn("20").when(access).getProperty(Config.AAF_LOCATOR_APP_NS,"AAF_NS"); try { DirectAAFLocator aafLocatorObj=new DirectAAFLocator(env, ldao,"test",null); @@ -118,7 +119,8 @@ public class JU_DirectAAFLocator { Mockito.doReturn(access).when(env).access(); Mockito.doReturn("20").when(access).getProperty(Config.CADI_LATITUDE,null); Mockito.doReturn("20").when(access).getProperty(Config.CADI_LONGITUDE,null); - Mockito.doReturn("20").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER,""); + Mockito.doReturn("").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER,""); + Mockito.doReturn("").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER_NS,""); Mockito.doReturn("20 30").when(access).getProperty(Config.AAF_URL,null); try { DirectAAFLocator aafLocatorObj=new DirectAAFLocator(env, ldao,"test","192.0.0.1"); 
@@ -138,7 +140,8 @@ public class JU_DirectAAFLocator { Mockito.doReturn(trans).when(env).newTransNoAvg(); Mockito.doReturn("20").when(access).getProperty(Config.CADI_LATITUDE,null); Mockito.doReturn("20").when(access).getProperty(Config.CADI_LONGITUDE,null); - Mockito.doReturn("20").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER,""); + Mockito.doReturn("").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER,""); + Mockito.doReturn("").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER_NS,""); Mockito.doReturn("http://aafurl.com").when(access).getProperty(Config.AAF_URL,null); try { aafLocatorObj = new DirectAAFLocator(env, ldao,"test","30.20.30.30"); @@ -171,7 +174,8 @@ public class JU_DirectAAFLocator { Mockito.doReturn(trans).when(env).newTransNoAvg(); Mockito.doReturn("20").when(access).getProperty(Config.CADI_LATITUDE,null); Mockito.doReturn("20").when(access).getProperty(Config.CADI_LONGITUDE,null); - Mockito.doReturn("20").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER,""); + Mockito.doReturn("").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER,""); + Mockito.doReturn("").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER_NS,""); Mockito.doReturn("http://aafurl.com").when(access).getProperty(Config.AAF_URL,null); try { aafLocatorObj = new DirectAAFLocator(env, ldao,"test","30.20.30.30"); diff --git a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectLocatorCreator.java b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectLocatorCreator.java index c2b8597b..0eb75fcb 100644 --- a/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectLocatorCreator.java +++ b/auth/auth-cass/src/test/java/org/onap/aaf/auth/direct/test/JU_DirectLocatorCreator.java 
@@ -57,7 +57,8 @@ public class JU_DirectLocatorCreator { Mockito.doReturn(access).when(env).access(); Mockito.doReturn("20").when(access).getProperty(Config.CADI_LATITUDE,null); Mockito.doReturn("20").when(access).getProperty(Config.CADI_LONGITUDE,null); - Mockito.doReturn("20").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER,""); + Mockito.doReturn("").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER,""); + Mockito.doReturn("").when(access).getProperty(Config.AAF_LOCATOR_CONTAINER_NS,""); Mockito.doReturn("http://aafurl.com").when(access).getProperty(Config.AAF_URL,null); DirectLocatorCreator directLocObj = new DirectLocatorCreator(env, locateDAO); try { diff --git a/auth/auth-certman/pom.xml b/auth/auth-certman/pom.xml index 8237b027..82d127ce 100644 --- a/auth/auth-certman/pom.xml +++ b/auth/auth-certman/pom.xml @@ -20,7 +20,7 @@ <parent> <groupId>org.onap.aaf.authz</groupId> <artifactId>authparent</artifactId> - <version>2.1.14-SNAPSHOT</version> + <version>2.1.15-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java index 7dea9f07..aa5c1daf 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java @@ -40,6 +40,7 @@ import org.onap.aaf.auth.cm.facade.FacadeFactory; import org.onap.aaf.auth.cm.mapper.Mapper.API; import org.onap.aaf.auth.cm.service.CMService; import org.onap.aaf.auth.cm.service.Code; +import org.onap.aaf.auth.cm.validation.CertmanValidator; import org.onap.aaf.auth.dao.CassAccess; import org.onap.aaf.auth.dao.cass.LocateDAO; import org.onap.aaf.auth.direct.DirectLocatorCreator; 
@@ -72,6 +73,7 @@ import com.datastax.driver.core.Cluster; public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> { private static final String USER_PERMS = "userPerms"; + private static final String CM_ALLOW_TMP = "cm_allow_tmp"; private static final Map<String,CA> certAuths = new TreeMap<>(); public static Facade1_0 facade1_0; // this is the default Facade public static Facade1_0 facade1_0_XML; // this is the XML Facade @@ -106,6 +108,13 @@ public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> { if (aafEnv==null) { throw new APIException("aaf_env needs to be set"); } + + // Check for allowing /tmp in Properties + String allowTmp = env.getProperty(CM_ALLOW_TMP); + if("true".equalsIgnoreCase(allowTmp)) { + CertmanValidator.allowTmp(); + } + // Initialize Facade for all uses AuthzTrans trans = env.newTrans(); diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java index 10da10d9..26b4e2aa 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java @@ -73,10 +73,11 @@ public abstract class CA { this.env = env; this.env_tag = env==null || env.isEmpty()?false: Boolean.parseBoolean(access.getProperty(CM_CA_ENV_TAG, Boolean.FALSE.toString())); - permNS = CM_CA_PREFIX + name; - permType = access.getProperty(permNS + ".perm_type",null); + permNS=null; + String prefix = CM_CA_PREFIX + name; + permType = access.getProperty(prefix + ".perm_type",null); if (permType==null) { - throw new CertException(permNS + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName); + throw new CertException(prefix + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName); } caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null)); 
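Review bot: Setting `cm_allow_tmp=true` silently disables the /tmp deployment policy for every artifact the service ever validates, through a process-wide static flag in CertmanValidator, and nothing in this hunk records that the relaxation is active. Log it at startup so it shows in the service log and in any later incident review, e.g. `env.warn().log("cm_allow_tmp=true: certificates may be deployed under /tmp");` (using whatever warn-level logger AuthzEnv exposes), and add a comment above the property read stating it is intended for dev/test only. `CertmanValidator.allowTmp()` is one-way — the check cannot be re-enabled without a restart — which is fine if intended, but worth a comment too.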
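Review bot: `permNS=null;` leaves the field permanently null, so any remaining caller of `getPermNS()` — the CMService domain check this commit removes was one — would now build an AAFPermission with a null namespace. If the namespace is no longer needed, remove the field and its accessor rather than nulling them; if something still reads it, it needs a real value. The constructor continues outside this hunk, so I cannot see whether a later assignment exists.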
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java index 663cee82..22243ae4 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java @@ -24,6 +24,7 @@ package org.onap.aaf.auth.cm.mapper; import java.io.IOException; import java.util.ArrayList; import java.util.List; +import java.util.Set; import org.onap.aaf.auth.cm.data.CertDrop; import org.onap.aaf.auth.cm.data.CertRenew; 
@@ -219,31 +220,31 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> { List<ArtiDAO.Data> ladd = new ArrayList<>(); for (Artifact arti : artifacts.getArtifact()) { ArtiDAO.Data data = new ArtiDAO.Data(); - data.mechid = arti.getMechid(); - data.machine = arti.getMachine(); - data.type(true).addAll(arti.getType()); - data.ca = arti.getCa(); - data.dir = arti.getDir(); - data.os_user = arti.getOsUser(); + data.mechid = trim(arti.getMechid()); + data.machine = trim(arti.getMachine()); + if(arti.getType()!=null) { + Set<String> ss = data.type(true); + for(String t : arti.getType()) { + ss.add(trim(t)); + } + } + data.ca = trim(arti.getCa()); + data.dir = trim(arti.getDir()); + data.os_user = trim(arti.getOsUser()); // Optional (on way in) - data.ns = arti.getNs(); + data.ns = trim(arti.getNs()); data.renewDays = arti.getRenewDays(); - data.notify = arti.getNotification(); + data.notify = trim(arti.getNotification()); // Ignored on way in for create/update - data.sponsor = arti.getSponsor(); - data.expires = null; - - // Derive Optional Data from Machine (Domain) if exists - if (data.machine!=null) { - if (data.ca==null && data.machine.endsWith(".att.com")) { - data.ca = "aaf"; // default - } - if (data.ns==null ) { - data.ns=FQI.reverseDomain(data.machine); - } + data.sponsor = (arti.getSponsor()); + if(arti.getSans()!=null) { + Set<String> ls = data.sans(true); + for(String t : arti.getSans()) { + ls.add(trim(t)); + } } - data.sans(true).addAll(arti.getSans()); + data.expires = null; ladd.add(data); } return ladd; 
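Review bot: `data.sponsor = (arti.getSponsor());` is the one field in this block left untrimmed, which is inconsistent with the rest of the hunk and with Mapper2_0, which trims sponsor; use `data.sponsor = trim(arti.getSponsor());` or leave a comment if sponsor is deliberately passed through verbatim. The removed defaulting of `ca` for `.att.com` hosts and of `ns` from the machine name means 1.0-API callers must now supply both; that is reasonable, but it is a behaviour change for existing clients and should be stated in the commit message or API docs. `trim()` here is the private helper added further down this file.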
@@ -258,17 +259,21 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> { Artifacts artis = new Artifacts(); for (ArtiDAO.Data arti : lArtiDAO.value) { Artifact a = new Artifact(); - a.setMechid(arti.mechid); - a.setMachine(arti.machine); - a.setSponsor(arti.sponsor); - a.setNs(arti.ns); - a.setCa(arti.ca); - a.setDir(arti.dir); - a.getType().addAll(arti.type(false)); - a.setOsUser(arti.os_user); + a.setMechid(trim(arti.mechid)); + a.setMachine(trim(arti.machine)); + a.setSponsor(trim(arti.sponsor)); + a.setNs(trim(arti.ns)); + a.setCa(trim(arti.ca)); + a.setDir(trim(arti.dir)); + for(String t : arti.type(false)) { + a.getType().add(trim(t)); + } + a.setOsUser(trim(arti.os_user)); a.setRenewDays(arti.renewDays); - a.setNotification(arti.notify); - a.getSans().addAll(arti.sans(false)); + a.setNotification(trim(arti.notify)); + for(String t : arti.sans(false)) { + a.getSans().add(trim(t)); + } artis.getArtifact().add(a); } return Result.ok(artis); @@ -279,4 +284,11 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> { + private String trim(String s) { + if(s==null) { + return s; + } else { + return s.trim(); + } + } }
\ No newline at end of file diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java index 2b9204c9..53388f67 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java @@ -210,8 +210,8 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> { ArtiDAO.Data data = new ArtiDAO.Data(); data.mechid = trim(arti.getMechid()); data.machine = trim(arti.getMachine()); - Set<String> ss = data.type(true); if(arti.getType()!=null) { + Set<String> ss = data.type(true); for(String t : arti.getType()) { ss.add(t.trim()); } @@ -228,8 +228,8 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> { // Ignored on way in for create/update data.sponsor = trim(arti.getSponsor()); data.expires = null; - ss = data.sans(true); if(arti.getSans()!=null) { + Set<String> ss = data.sans(true); for(String s : arti.getSans()) { ss.add(s.trim()); } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index 893a6b17..6ebcadac 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java @@ -290,7 +290,7 @@ public class CMService { trans.error().log("CMService var primary is null"); } else { String fg = fqdns.get(i); - if (fg!=null && fg.equals(primary.getHostName())) { + if (fg!=null && primary!=null && fg.equals(primary.getHostName())) { if (i != 0) { String tmp = fqdns.get(0); fqdns.set(0, primary.getHostName()); 
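Review bot: Moving `Set<String> ss = data.type(true);` (and the sans equivalent) inside the null check means `type(true)` is no longer called for an artifact whose incoming type list is null; if the `true` argument is what allocates the backing set, `data.type` now stays null for such artifacts, and the new `for(String t : arti.type(false))` loop in Mapper1_0's artifacts() would NPE on them where the old unconditional `type(true)` avoided it — confirm what `type(false)` returns when nothing was ever created. If the lazy allocation is intended, a one-line comment such as `// type/sans left unallocated when the request carries none` would stop the next reader from "fixing" it back.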
@@ -301,7 +301,7 @@ public class CMService { } } } catch (Exception e) { - trans.debug().log(e); + trans.error().log(e); return Result.err(Status.ERR_Denied, "AppID Sponsorship cannot be determined at this time. Try later."); } @@ -474,7 +474,6 @@ public class CMService { // Policy 6: Only do Domain by Exception if (add.machine.startsWith("*")) { // Domain set CA ca = certManager.getCA(add.ca); - if (!trans.fish(new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN))) { return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission", add.machine); diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java index f85eb44e..5835b31f 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java @@ -22,6 +22,7 @@ package org.onap.aaf.auth.cm.validation; import java.util.List; +import java.util.regex.Pattern; import org.onap.aaf.auth.dao.cass.ArtiDAO; import org.onap.aaf.auth.dao.cass.ArtiDAO.Data; @@ -47,7 +48,13 @@ public class CertmanValidator extends Validator{ private static final String MUST_HAVE_AT_LEAST = " must have at least "; private static final String IS_NULL = " is null."; private static final String ARTIFACTS_MUST_HAVE_AT_LEAST = "Artifacts must have at least "; - + private static final Pattern ALPHA_NUM = Pattern.compile("[a-zA-Z0-9]*"); + + private static boolean disallowTmp = true; + public static void allowTmp() { + disallowTmp=false; + } + public CertmanValidator nullBlankMin(String name, List<String> list, int min) { if (list==null) { msg(name + IS_NULL); 
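Review bot: Removing only the `if (!trans.fish(...DOMAIN))` line leaves `return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission", ...)` unconditional for every `add.machine` starting with `*`, so wildcard artifacts are now always rejected while the message still tells the caller that some permission would allow it, and `CA ca = certManager.getCA(add.ca)` becomes a dead lookup. Failing closed is fine, but make the text honest — e.g. `"Domain Artifacts (%s) are not permitted"` — drop the unused `ca` local, and update the "Policy 6" comment to match. The brace that closed the removed `if` is not in this hunk, so as shown the braces no longer balance; a hunk outside this page must compensate, and it is worth checking that the resulting nesting is what was intended.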
@@ -72,7 +79,7 @@ public class CertmanValidator extends Validator{ } else { for (ArtiDAO.Data a : list) { allRequired(a); - if(a.dir!=null && a.dir.startsWith("/tmp")) { + if(disallowTmp && a.dir!=null && a.dir.startsWith("/tmp")) { msg("Certificates may not be deployed into /tmp directory (they will be removed at a random time by O/S)"); } } @@ -99,7 +106,8 @@ public class CertmanValidator extends Validator{ nullOrBlank(MACHINE, a.machine); nullOrBlank("ca",a.ca); nullOrBlank("dir",a.dir); - nullOrBlank("os_user",a.os_user); + match("NS must be dot separated AlphaNumeric",a.ns,NAME_CHARS); + match("O/S User must be AlphaNumeric",a.os_user,ALPHA_NUM); // Note: AppName, Notify & Sponsor are currently not required } return this; diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java index 4aa3d6d3..6d090398 100644 --- a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java +++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/validation/JU_CertmanValidator.java @@ -80,7 +80,7 @@ public class JU_CertmanValidator { public void artisRequired_shouldReportErrorWhenArtifactDoesNotHaveAllRequiredFields() { certmanValidator.artisRequired(newArrayList(newArtifactData("id", "", "ca", "dir", "user")), 1); - assertEquals("machine is blank.\n", certmanValidator.errs()); + assertEquals("machine is blank.\n" + "NS must be dot separated AlphaNumeric\n", certmanValidator.errs()); } @Test diff --git a/auth/auth-cmd/pom.xml b/auth/auth-cmd/pom.xml index a564b59a..6c6505fc 100644 --- a/auth/auth-cmd/pom.xml +++ b/auth/auth-cmd/pom.xml @@ -18,7 +18,7 @@ <parent> <groupId>org.onap.aaf.authz</groupId> <artifactId>authparent</artifactId> - <version>2.1.14-SNAPSHOT</version> + <version>2.1.15-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> 
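Review bot: `ALPHA_NUM` is `[a-zA-Z0-9]*`, so `match("O/S User must be AlphaNumeric", a.os_user, ALPHA_NUM)` accepts an empty os_user — the `nullOrBlank("os_user", ...)` it replaces rejected that — and an artifact with `os_user=""` now passes validation; change the pattern (defined in the earlier hunk of this file) to `[a-zA-Z0-9]+`. The new rule also rejects `_`, `-` and `.`, which are legal and common in POSIX account names (e.g. `aaf-agent`); if that exclusion is deliberate, say so in a comment, otherwise `[a-zA-Z0-9_.-]+` is closer to what the O/S will accept. A null os_user is now reported only with the generic pattern message because match() folds null into the mismatch case; acceptable, but it loses the clearer "is null" wording.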
diff --git a/auth/auth-core/pom.xml b/auth/auth-core/pom.xml index 13952e4c..a7ae68c6 100644 --- a/auth/auth-core/pom.xml +++ b/auth/auth-core/pom.xml @@ -25,7 +25,7 @@ <parent> <groupId>org.onap.aaf.authz</groupId> <artifactId>authparent</artifactId> - <version>2.1.14-SNAPSHOT</version> + <version>2.1.15-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java index 98c09076..6d519c64 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java @@ -86,8 +86,15 @@ public class Validator { } protected final boolean noMatch(String str, Pattern p) { - return !p.matcher(str).matches(); + return str==null || !p.matcher(str).matches(); } + + protected final void match(String text, String str, Pattern p) { + if(str==null || !p.matcher(str).matches()) { + msg(text); + } + } + protected final boolean nob(String str, Pattern p) { return str==null || !p.matcher(str).matches(); } diff --git a/auth/auth-deforg/pom.xml b/auth/auth-deforg/pom.xml index a72a38a5..a4bf5e7b 100644 --- a/auth/auth-deforg/pom.xml +++ b/auth/auth-deforg/pom.xml @@ -26,7 +26,7 @@ <artifactId>authparent</artifactId> <relativePath>../pom.xml</relativePath> <groupId>org.onap.aaf.authz</groupId> - <version>2.1.14-SNAPSHOT</version> + <version>2.1.15-SNAPSHOT</version> </parent> <artifactId>aaf-auth-deforg</artifactId> diff --git a/auth/auth-fs/pom.xml b/auth/auth-fs/pom.xml index f5985e20..fc86d4a9 100644 --- a/auth/auth-fs/pom.xml +++ b/auth/auth-fs/pom.xml @@ -17,7 +17,7 @@ <parent> <groupId>org.onap.aaf.authz</groupId> <artifactId>authparent</artifactId> - <version>2.1.14-SNAPSHOT</version> + <version>2.1.15-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> 
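Review bot: The new `match()` re-implements the predicate that `noMatch()` already expresses in the line above it; `if (noMatch(str, p)) { msg(text); }` keeps one definition of "does not match". `noMatch()` also changes contract here — a null `str` now reports a mismatch instead of throwing — which callers relying on the old NPE-as-validation would not notice; a one-line comment such as `// null never matches` on it would document the intent.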
diff --git a/auth/auth-gui/pom.xml b/auth/auth-gui/pom.xml index 884aff86..8dc9551a 100644 --- a/auth/auth-gui/pom.xml +++ b/auth/auth-gui/pom.xml @@ -17,7 +17,7 @@ <parent> <groupId>org.onap.aaf.authz</groupId> <artifactId>authparent</artifactId> - <version>2.1.14-SNAPSHOT</version> + <version>2.1.15-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtiChangeAction.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtiChangeAction.java index 1e06b109..f67f6d5c 100644 --- a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtiChangeAction.java +++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtiChangeAction.java @@ -37,12 +37,13 @@ import org.onap.aaf.cadi.client.Rcli; import org.onap.aaf.cadi.client.Retryable; import org.onap.aaf.cadi.util.Vars; import org.onap.aaf.misc.env.APIException; -import org.onap.aaf.misc.env.Slot; import org.onap.aaf.misc.env.Data.TYPE; +import org.onap.aaf.misc.env.Slot; import org.onap.aaf.misc.env.util.IPValidator; import org.onap.aaf.misc.env.util.Split; import org.onap.aaf.misc.xgen.Cache; import org.onap.aaf.misc.xgen.DynamicCode; +import org.onap.aaf.misc.xgen.Mark; import org.onap.aaf.misc.xgen.html.HTMLGen; import aaf.v2_0.Error; @@ -72,7 +73,7 @@ public class CMArtiChangeAction extends Page { cache.dynamic(hgen, new DynamicCode<HTMLGen,AAF_GUI, AuthzTrans>() { @Override public void code(final AAF_GUI gui, final AuthzTrans trans,final Cache<HTMLGen> cache, final HTMLGen hgen) throws APIException, IOException { -trans.info().log("Step 1"); + trans.info().log("Step 1"); final Artifact arti = new Artifact(); final String machine = trans.get(sMachine,null); final String ca = trans.get(sCA, null); 
@@ -105,13 +106,6 @@ trans.info().log("Step 1");
 }
 }
- // Disallow Domain based Definitions without exception
- if (machine.startsWith("*")) { // Domain set
- if (!trans.fish(getPerm(ca, "domain"))) {
- hgen.p("Policy Failure: Domain Artifact Declarations are only allowed by Exception.");
- return;
- }
- }
 }
 arti.setMechid((String)trans.get(sID,null));
@@ -193,9 +187,24 @@ trans.info().log("Step 1");
 if (f==null) {
 hgen.p("Unknown Command");
 } else {
- if (f.body().contains("%")) {
+ if (f.code() > 201) {
 Error err = gui.getDF(Error.class).newData().in(TYPE.JSON).load(f.body()).asObject();
- hgen.p(Vars.convert(err.getText(),err.getVariables()));
+ if(f.body().contains("%") ) {
+ hgen.p(Vars.convert(err.getText(),err.getVariables()));
+ } else {
+ int colon = err.getText().indexOf(':');
+ if(colon>0) {
+ hgen.p(err.getMessageId() + ": " + err.getText().substring(0, colon));
+ Mark bq = new Mark();
+ hgen.incr(bq,"blockquote");
+ for(String em : Split.splitTrim('\n', err.getText().substring(colon+1))) {
+ hgen.p(em);
+ }
+ hgen.end(bq);
+ } else {
+ hgen.p(err.getMessageId() + ": " + err.getText());
+ }
+ }
 } else {
 hgen.p(arti.getMechid() + " on " + arti.getMachine() + ": " + f.body());
 }
diff --git a/auth/auth-hello/pom.xml b/auth/auth-hello/pom.xml
index 25b836cd..665d724f 100644
--- a/auth/auth-hello/pom.xml
+++ b/auth/auth-hello/pom.xml
@@ -17,7 +17,7 @@
 <parent>
 <groupId>org.onap.aaf.authz</groupId>
 <artifactId>authparent</artifactId>
- <version>2.1.14-SNAPSHOT</version>
+ <version>2.1.15-SNAPSHOT</version>
 <relativePath>../pom.xml</relativePath>
 </parent>
diff --git a/auth/auth-locate/pom.xml b/auth/auth-locate/pom.xml
index 6a855877..8ca9c892 100644
--- a/auth/auth-locate/pom.xml
+++ b/auth/auth-locate/pom.xml
@@ -17,7 +17,7 @@
 <parent>
 <groupId>org.onap.aaf.authz</groupId>
 <artifactId>authparent</artifactId>
- <version>2.1.14-SNAPSHOT</version>
+ <version>2.1.15-SNAPSHOT</version>
 <relativePath>../pom.xml</relativePath>
 </parent>
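Review bot: Deleting the `machine.startsWith("*")` block in the @@ -105 hunk removes the only GUI-side check that a domain (wildcard-machine) artifact declaration requires the `domain` permission for the CA, and nothing in this hunk replaces it. If the CM service now enforces that rule server-side, a one-line comment at the removal point (`// domain ("*") artifacts are policy-checked by the CM service, not here`) would stop the next reader from re-adding the gate; if it does not, the GUI now forwards any `*`-prefixed machine name without the policy message the old code gave. The enclosing `code` method starts and ends outside the hunk.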
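Review bot: In the @@ -193 hunk, `f.code() > 201` now sends every other response into `load(f.body())` as JSON, whereas the old `contains("%")` test at least indicated a templated error body; a non-JSON body (an HTML page from an intermediary, or an empty body on a 2xx above 201) will make `asObject()` throw out of `code`. `err.getText()` is also dereferenced before `indexOf(':')` and in both `substring` calls with no null check, and `getMessageId()` is concatenated the same way. Guarding both, for example `String txt = err.getText()==null ? "" : err.getText();` plus a `try` around the parse that falls back to the plain `f.body()` branch, keeps the page rendering on an unexpected response. Whether `hgen.p` HTML-escapes its argument is not visible here; if it does not, server-supplied error text reaches the page unescaped and that is worth confirming. The enclosing method continues outside the hunk.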
diff --git a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/AAF_Locate.java b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/AAF_Locate.java
index 5ebabed7..ebbeae6b 100644
--- a/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/AAF_Locate.java
+++ b/auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/AAF_Locate.java
@@ -182,7 +182,7 @@ public class AAF_Locate extends AbsService<AuthzEnv, AuthzTrans> {
 protected AAFConHttp _newAAFConHttp() throws CadiException {
 try {
 if (dal==null) {
- dal = AbsAAFLocator.create("%AAF_NS.service",Config.AAF_DEFAULT_API_VERSION);
+ dal = AbsAAFLocator.create("%CNS.%NS.service",Config.AAF_DEFAULT_API_VERSION);
 }
 // utilize pre-constructed DirectAAFLocator
 return new AAFConHttp(env.access(),dal);
diff --git a/auth/auth-oauth/pom.xml b/auth/auth-oauth/pom.xml
index 2c7cc758..ec4c5bec 100644
--- a/auth/auth-oauth/pom.xml
+++ b/auth/auth-oauth/pom.xml
@@ -17,7 +17,7 @@
 <parent>
 <groupId>org.onap.aaf.authz</groupId>
 <artifactId>authparent</artifactId>
- <version>2.1.14-SNAPSHOT</version>
+ <version>2.1.15-SNAPSHOT</version>
 <relativePath>../pom.xml</relativePath>
 </parent>
diff --git a/auth/auth-service/pom.xml b/auth/auth-service/pom.xml
index ff334874..72713dd3 100644
--- a/auth/auth-service/pom.xml
+++ b/auth/auth-service/pom.xml
@@ -17,7 +17,7 @@
 <parent>
 <groupId>org.onap.aaf.authz</groupId>
 <artifactId>authparent</artifactId>
- <version>2.1.14-SNAPSHOT</version>
+ <version>2.1.15-SNAPSHOT</version>
 <relativePath>../pom.xml</relativePath>
 </parent>
diff --git a/auth/docker/Dockerfile.ms b/auth/docker/Dockerfile.ms
new file mode 100644
index 00000000..351c3798
--- /dev/null
+++ b/auth/docker/Dockerfile.ms
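Review bot: The locator pattern `"%CNS.%NS.service"` is a second, hand-maintained copy of the naming scheme this same commit sets in helm (`aaf_locator_name_helm: "%CNS.%NS.%N"` in auth/helm/aaf/values.yaml), so a future change to one silently desynchronises the other and the locator resolves the wrong name. Either read the pattern from a `Config` property or, at minimum, add `// must agree with aaf_locator_name_helm in auth/helm/aaf/values.yaml` above the `create` call so the coupling is visible. The `catch` and closing braces of `_newAAFConHttp` lie outside the hunk.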
@@ -0,0 +1,47 @@
+#########
+# ============LICENSE_START====================================================
+# org.onap.aaf
+# ===========================================================================
+# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+# ===========================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END====================================================
+#
+FROM ${DOCKER_REPOSITORY}/onap/aaf/aaf_core:${AAF_VERSION}
+MAINTAINER AAF Team, AT&T 2018
+ENV VERSION=${AAF_VERSION}
+
+LABEL description="aaf_${AAF_COMPONENT}"
+LABEL version=${AAF_VERSION}
+
+COPY bin/pod_wait.sh /opt/app/aaf/bin/
+RUN mkdir -p /opt/app/osaaf &&\
+ mkdir -p /opt/app/aaf/status &&\
+ chmod 755 /opt/app/aaf/bin/* &&\
+ if [ -n "${DUSER}" ]; then chown ${DUSER}:${DUSER} /opt/app/aaf/status \
+ && chown ${DUSER}:${DUSER} /opt/app/osaaf \
+ && chown -R ${DUSER}:${DUSER} /opt/app/aaf; fi
+
+#CMD ["bash","-c","cd /opt/app/aaf;bin/${AAF_COMPONENT}"]
+CMD []
+
+# For Debugging installation
+# CMD ["/bin/bash","-c","pwd;cd /opt/app/osaaf;find /opt/app/osaaf -depth;df -k; cat /opt/app/aaf/${AAF_COMPONENT}/bin/${AAF_COMPONENT};cat /etc/hosts;/opt/app/aaf/${AAF_COMPONENT}/bin/${AAF_COMPONENT}"]
+# Java Debugging VM Args
+# "-Xdebug",\
+# "-Xnoagent",\
+# "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000",\
+
+# TLS Debugging VM Args
+# "-Djavax.net.debug","ssl", \
+
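Review bot: `FROM ${DOCKER_REPOSITORY}/onap/aaf/aaf_core:${AAF_VERSION}` refers to build variables that no `ARG` line declares, so unless the build script rewrites this `.ms` file before `docker build`, both expand to empty and the base-image reference is invalid; `${AAF_COMPONENT}` in the `LABEL` and `${DUSER}` in the `RUN` are in the same position. If the file is a template, a leading comment naming the substituting tool (`# template: ${...} variables are replaced by the build script before docker build`) would say so; if it is meant to build directly, add `ARG DOCKER_REPOSITORY`, `ARG AAF_VERSION` and `ARG DUSER` before `FROM`. The `RUN` block chowns `/opt/app/aaf` and `/opt/app/osaaf` to `${DUSER}` but there is no `USER ${DUSER}` directive, so with `CMD []` the container still starts as root unless the downstream entrypoint drops privileges; a `USER` line after the `RUN`, or a comment stating where the drop happens, would make the intent explicit. `MAINTAINER` is deprecated in favour of `LABEL maintainer="AAF Team, AT&T 2018"`.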
diff --git a/auth/docker/agent.sh b/auth/docker/agent.sh
index 0538b70d..b0ae3fd0 100644
--- a/auth/docker/agent.sh
+++ b/auth/docker/agent.sh
@@ -28,7 +28,7 @@ fi
 . ./aaf.props
 DOCKER=${DOCKER:=docker}
-CADI_VERSION=${CADI_VERSION:=2.1.14-SNAPSHOT}
+CADI_VERSION=${CADI_VERSION:=2.1.15-SNAPSHOT}
 for V in VERSION DOCKER_REPOSITORY HOSTNAME CONTAINER_NS AAF_FQDN AAF_FQDN_IP DEPLOY_FQI APP_FQDN APP_FQI VOLUME DRIVER LATITUDE LONGITUDE; do
 if [ "$(grep $V ./aaf.props)" = "" ]; then
diff --git a/auth/helm/aaf-hello/values.yaml b/auth/helm/aaf-hello/values.yaml
index 3a0a377c..cc8765f5 100644
--- a/auth/helm/aaf-hello/values.yaml
+++ b/auth/helm/aaf-hello/values.yaml
@@ -54,7 +54,7 @@ image:
 # When using Docker Repo, add, and include trailing "/"
 # repository: nexus3.onap.org:10003/
 # repository: localhost:5000/
- version: 2.1.14-SNAPSHOT
+ version: 2.1.15-SNAPSHOT
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
diff --git a/auth/helm/aaf/Chart.yaml b/auth/helm/aaf/Chart.yaml
index d0a1d286..3f370a55 100644
--- a/auth/helm/aaf/Chart.yaml
+++ b/auth/helm/aaf/Chart.yaml
@@ -22,4 +22,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: AAF Helm Chart
 name: aaf
-version: 2.1.14-SNAPSHOT
+version: 2.1.15-SNAPSHOT
diff --git a/auth/helm/aaf/values.yaml b/auth/helm/aaf/values.yaml
index fae26290..324cbc64 100644
--- a/auth/helm/aaf/values.yaml
+++ b/auth/helm/aaf/values.yaml
@@ -31,11 +31,11 @@ services:
 aaf_env: "DEV"
 public_fqdn: "aaf.osaaf.org"
 # DUBLIN ONLY - for M4 compatibility with Casablanca
- aaf_locator_name: "public.%NS.%N"
- aaf_locator_name_helm: "%NS.%N"
+# aaf_locator_name: "public.%NS.%N"
+# aaf_locator_name_helm: "%NS.%N"
 # EL ALTO and Beyond
-# aaf_locator_name: "%NS.%N"
-# aaf_locator_name_helm: "%CNS.%NS.%N"
+ aaf_locator_name: "%NS.%N"
+ aaf_locator_name_helm: "%CNS.%NS.%N"
 cadi_latitude: "38.0"
 cadi_longitude: "-72.0"
 cass:
@@ -114,7 +114,7 @@ image:
 # When using Docker Repo, add, and include trailing "/"
 # repository: nexus3.onap.org:10003/
 # repository: localhost:5000/
- version: 2.1.14-SNAPSHOT
+ version: 2.1.15-SNAPSHOT
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
diff --git a/auth/pom.xml b/auth/pom.xml
index 7951a641..071c1841 100644
--- a/auth/pom.xml
+++ b/auth/pom.xml
@@ -26,7 +26,7 @@
 <parent>
 <groupId>org.onap.aaf.authz</groupId>
 <artifactId>parent</artifactId>
- <version>2.1.14-SNAPSHOT</version>
+ <version>2.1.15-SNAPSHOT</version>
 </parent>
 <artifactId>authparent</artifactId>
 <name>AAF Auth Parent</name>
diff --git a/auth/sample/logs/clean b/auth/sample/logs/clean
index 7d5152b9..7fa18ef8 100644
--- a/auth/sample/logs/clean
+++ b/auth/sample/logs/clean
@@ -1,7 +1,7 @@
 cd /opt/app/osaaf/logs
 for D in `find . -type d`; do
 if [ "$D" != "./" ]; then
- rm -f $D/*.log
+ rm -f $D/*.log.*
 fi
 done |
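Review bot: `cd /opt/app/osaaf/logs` is unchecked, so if the directory is absent the `find` and the `rm -f ./*.log.*` run in whatever directory the caller happened to be in; `cd /opt/app/osaaf/logs || exit 1` closes that. The `"$D" != "./"` guard does not do what it reads as: `find .` prints the start directory as `.`, not `./`, so the top level is never skipped — `find . -mindepth 1 -type d` expresses the intent directly. The unquoted `$D` and the backtick loop also break on directory names containing whitespace; quoting as `"$D"/*.log.*` avoids the worst of it. The new pattern `*.log.*` no longer removes plain `*.log` files, which may be deliberate (keep the live log, drop rotated ones) but deserves a comment saying so.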