summaryrefslogtreecommitdiffstats
path: root/auth
diff options
context:
space:
mode:
Diffstat (limited to 'auth')
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java10
-rw-r--r--auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java4
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java18
-rw-r--r--auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java10
-rw-r--r--auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java12
-rw-r--r--auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java2
-rw-r--r--auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java3
-rw-r--r--auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java7
-rw-r--r--auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java14
-rw-r--r--auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java174
10 files changed, 162 insertions, 92 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java
index 37501967..d64cff29 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java
@@ -265,6 +265,16 @@ public class CredDAO extends CassDAOImpl<AuthzTrans,CredDAO.Data> {
hd.memo = memo
? String.format("%s by %s", override[0], hd.user)
: (modified.name() + "d credential for " + data.id);
+ String spacer = ": ";
+ if(data.notes!=null) {
+ hd.memo+=spacer + data.notes;
+ spacer = ", ";
+ }
+
+ if(data.tag!=null) {
+ hd.memo+=spacer + data.tag;
+ }
+
// Detail?
if (modified==CRUD.delete) {
try {
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
index 3abad1a5..22b14cb4 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
@@ -1178,9 +1178,9 @@ public class Question {
}
public boolean isAdmin(AuthzTrans trans, String user, String ns) {
- Date now = new Date();
Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_ADMIN);
if (rur.isOKhasData()) {
+ Date now = new Date();
for (UserRoleDAO.Data urdd : rur.value){
if (urdd.expires.after(now)) {
return true;
@@ -1192,8 +1192,8 @@ public class Question {
public boolean isOwner(AuthzTrans trans, String user, String ns) {
Result<List<UserRoleDAO.Data>> rur = userRoleDAO.read(trans, user,ns+DOT_OWNER);
- Date now = new Date();
if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){
+ Date now = new Date();
if (urdd.expires.after(now)) {
return true;
}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 1f2b0880..85424de1 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -60,6 +60,7 @@ import org.onap.aaf.auth.org.Organization.Identity;
import org.onap.aaf.auth.org.OrganizationException;
import org.onap.aaf.cadi.Hash;
import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.aaf.AAFPermission;
import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.cadi.configure.Factory;
@@ -88,6 +89,7 @@ public class CMService {
private final CredDAO credDAO;
private final ArtiDAO artiDAO;
private AAF_CM certManager;
+ private Boolean allowIgnoreIPs;
// @SuppressWarnings("unchecked")
public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
@@ -108,6 +110,10 @@ public class CMService {
"*",
"read"
);
+ allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false"));
+ if(allowIgnoreIPs) {
+ trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS);
+ }
}
public Result<CertResp> requestCert(final AuthzTrans trans, final Result<CertReq> req, final CA ca) {
@@ -133,7 +139,13 @@ public class CMService {
try {
Organization org = trans.org();
- boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
+ boolean ignoreIPs;
+ if(allowIgnoreIPs) {
+ ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
+ } else {
+ ignoreIPs = false;
+ }
+
InetAddress primary = null;
// Organize incoming information to get to appropriate Artifact
@@ -164,8 +176,8 @@ public class CMService {
}
} else {
- for (String cn : req.value.fqdns) {
- if (!ignoreIPs) {
+ if (!ignoreIPs) {
+ for (String cn : req.value.fqdns) {
try {
InetAddress[] ias = InetAddress.getAllByName(cn);
Set<String> potentialSanNames = new HashSet<>();
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java
index 8fcea294..01d001fd 100644
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java
@@ -94,10 +94,6 @@ public class AAFcli {
this(access,new AuthzEnv(access.getProperties()),wtr,hman, si,ss);
}
- public AuthzEnv env() {
- return env;
- }
-
public AAFcli(Access access, AuthzEnv env, Writer wtr, HMangr hman, SecurityInfoC<HttpURLConnection> si, SecuritySetter<HttpURLConnection> ss) throws APIException {
this.env = env;
this.access = access;
@@ -127,7 +123,11 @@ public class AAFcli {
cmds.add(new Mgmt(this));
}
- public static int timeout() {
+ public AuthzEnv env() {
+ return env;
+ }
+
+ public static int timeout() {
return TIMEOUT;
}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java
index add5aed8..e1252d87 100644
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java
@@ -26,6 +26,7 @@ import java.util.Comparator;
import org.onap.aaf.auth.cmd.BaseCmd;
import org.onap.aaf.auth.cmd.DeprecatedCMD;
+import org.onap.aaf.auth.common.Define;
import org.onap.aaf.cadi.client.Future;
import org.onap.aaf.misc.env.util.Chrono;
@@ -162,15 +163,8 @@ public class List extends BaseCmd<NS> {
if ((type=u.getType())==null) {
type = 9999;
}
- switch(type) {
- case 0: return "NoCrd";
- case 1: return "U/P";
- case 2: return "U/P2";
- case 10: return "FQI";
- case 200: return "x509";
- default:
- return "n/a";
- }
+ return Define.getCredType(type);
}
+
}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java
index 1dfcc17f..2d626d4e 100644
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java
@@ -122,7 +122,7 @@ public class Cred extends Cmd {
pw().println(']');
} else if (fp.code()==202) {
pw().println("Credential Action Accepted, but requires Approvals before actualizing");
- } else if (fp.code()==300) {
+ } else if (fp.code()==300 || fp.code()==406) {
Error err = em.getError(fp);
String text = err.getText();
List<String> vars = err.getVariables();
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java
index 46d5d052..71d61f79 100644
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java
@@ -35,7 +35,6 @@ import org.onap.aaf.misc.env.APIException;
import aaf.v2_0.CredRequest;
public class ID extends Cmd {
- public static final String ATTEMPT_FAILED_SPECIFICS_WITHELD = "Attempt Failed. Specifics witheld.";
private static final String CRED_PATH = "/authn/cred";
private static final String[] options = {"add","del"};
public ID(User parent) {
@@ -98,7 +97,7 @@ public class ID extends Cmd {
} else if (fp.code()==406 && option==1) {
pw().println("FQI does not exist");
} else {
- pw().println(ATTEMPT_FAILED_SPECIFICS_WITHELD);
+ pw().println(Cred.ATTEMPT_FAILED_SPECIFICS_WITHELD);
}
return fp.code();
}
diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java
index 7daa51fb..444a82ab 100644
--- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java
+++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/List.java
@@ -48,7 +48,6 @@ public class List extends BaseCmd<User> {
void report(Users users, boolean count, String ... str) {
reportHead(str);
- int idx = 0;
java.util.List<aaf.v2_0.Users.User> sorted = users.getUser();
Collections.sort(sorted, (Comparator<aaf.v2_0.Users.User>) (u1, u2) -> {
if (u1==null || u2 == null) {
@@ -56,11 +55,11 @@ public class List extends BaseCmd<User> {
}
return u1.getId().compareTo(u2.getId());
});
- String format = reportColHead("%-48s %-5s %-11s %-16s\n","User","Type","Expires","Tag");
+ String format = reportColHead("%-36s %-5s %-20s %-16s\n","User","Type","Expires","Tag");
String date = "XXXX-XX-XX";
for (aaf.v2_0.Users.User user : sorted) {
if (!aafcli.isTest()) {
- date = Chrono.dateOnlyStamp(user.getExpires());
+ date = Chrono.niceUTCStamp(user.getExpires());
}
String tag=user.getTag();
Integer type = user.getType();
@@ -70,7 +69,7 @@ public class List extends BaseCmd<User> {
tag = "\n\tfingerprint: " + tag;
}
pw().format(format,
- count? (Integer.valueOf(++idx) + ") " + user.getId()): user.getId(),
+ user.getId(),
org.onap.aaf.auth.cmd.ns.List.getType(user),
date,
tag);
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java
index e9c36017..800a8472 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java
@@ -24,8 +24,8 @@ package org.onap.aaf.auth.common;
import java.util.Map.Entry;
import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.config.Config;
public class Define {
@@ -91,4 +91,16 @@ public class Define {
return initialized;
}
+ public static String getCredType(int type) {
+ switch(type) {
+ case 0: return "NoCrd";
+ case 1: return "U/P";
+ case 2: return "U/P2";
+ case 10: return "FQI";
+ case 200: return "x509";
+ default:
+ return "n/a";
+ }
+ }
+
}
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
index 9a6ef7e3..295db4ac 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
@@ -2821,7 +2821,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
//Need to do the "Pick Entry" mechanism
// Note, this sorts
- Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, lcdd, "extend");
+ Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, lcdd, MayChangeCred.EXTEND);
if (ri.notOK()) {
return Result.err(ri);
}
@@ -2835,8 +2835,11 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
cd.type = found.type;
cd.ns = found.ns;
cd.notes = "Extended";
- cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime();
cd.tag = found.tag;
+ cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime();
+ if(cd.expires.before(found.expires)) {
+ return Result.err(Result.ERR_BadData,String.format("Credential's expiration date is more than %s days in the future",days));
+ }
cred = ques.credDAO().create(trans, cd);
if (cred.isOK()) {
@@ -2887,63 +2890,72 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
}
boolean isLastCred = rlcd.value.size()==1;
- int entry = -1;
- int fentry = entry;
- if(cred.value.type==CredDAO.FQI) {
- entry = -1;
- for(CredDAO.Data cdd : rlcd.value) {
- ++fentry;
- if(cdd.type == CredDAO.FQI) {
- entry = fentry;
- break;
- }
+ int entry;
+ CredRequest cr = (CredRequest)from;
+ if(isLastCred) {
+ if(cr.getEntry()==null || "1".equals(cr.getEntry())) {
+ entry = 0;
+ } else {
+ return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
}
} else {
- if (!doForce) {
- if (rlcd.value.size() > 1) {
- CredRequest cr = (CredRequest)from;
- String inputOption = cr.getEntry();
- if (inputOption == null) {
- List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA);
- String message = selectCredFromList(list, MayChangeCred.DELETE);
- Object[] variables = buildVariables(list);
- return Result.err(Status.ERR_ChoiceNeeded, message, variables);
- } else {
- try {
- if (inputOption.length()>5) { // should be a date
- Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime();
- for (CredDAO.Data cd : rlcd.value) {
- ++fentry;
- if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) {
- entry = fentry;
- break;
- }
- }
- } else {
- entry = Integer.parseInt(inputOption) - 1;
- int count = 0;
- for (CredDAO.Data cd : rlcd.value) {
- if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) {
- ++entry;
- }
- if(++count>entry) {
- break;
- }
- }
- }
- } catch (NullPointerException e) {
- return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry");
- } catch (NumberFormatException e) {
- return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
- }
- }
- isLastCred = (entry==-1)?true:false;
- } else {
- isLastCred = true;
- }
- if (entry < -1 || entry >= rlcd.value.size()) {
- return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
- }
+ entry = -1;
+ int fentry = entry;
+ if(cred.value.type==CredDAO.FQI) {
+ entry = -1;
+ for(CredDAO.Data cdd : rlcd.value) {
+ ++fentry;
+ if(cdd.type == CredDAO.FQI) {
+ entry = fentry;
+ break;
+ }
+ }
+ } else {
+ if (!doForce) {
+ if (rlcd.value.size() > 1) {
+ String inputOption = cr.getEntry();
+ if (inputOption == null) {
+ List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA);
+ String message = selectCredFromList(list, MayChangeCred.DELETE);
+ Object[] variables = buildVariables(list);
+ return Result.err(Status.ERR_ChoiceNeeded, message, variables);
+ } else {
+ try {
+ if (inputOption.length()>5) { // should be a date
+ Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime();
+ for (CredDAO.Data cd : rlcd.value) {
+ ++fentry;
+ if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) {
+ entry = fentry;
+ break;
+ }
+ }
+ } else {
+ entry = Integer.parseInt(inputOption) - 1;
+ int count = 0;
+ for (CredDAO.Data cd : rlcd.value) {
+ if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) {
+ ++entry;
+ }
+ if(++count>entry) {
+ break;
+ }
+ }
+ }
+ } catch (NullPointerException e) {
+ return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry");
+ } catch (NumberFormatException e) {
+ return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+ }
+ }
+ isLastCred = (entry==-1)?true:false;
+ } else {
+ isLastCred = true;
+ }
+ if (entry < -1 || entry >= rlcd.value.size()) {
+ return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+ }
+ }
}
}
@@ -3020,6 +3032,32 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
Object[] variables = buildVariables(lcd);
return Result.err(Status.ERR_ChoiceNeeded, message, variables);
} else {
+ if(MayChangeCred.EXTEND.equals(action)) {
+ // might be Tag
+ if(inputOption.length()>4) { //Tag is at least 12
+ int e = 0;
+ CredDAO.Data last = null;
+ int lastIdx = -1;
+ for(CredDAO.Data cdd : lcd) {
+ if(inputOption.equals(cdd.tag)) {
+ if(last==null) {
+ last = cdd;
+ lastIdx = e;
+ } else {
+ if(last.expires.before(cdd.expires)) {
+ last = cdd;
+ lastIdx = e;
+ }
+ }
+ }
+ ++e;
+ }
+ if(last!=null) {
+ return Result.ok(lastIdx);
+ }
+ return Result.err(Status.ERR_BadData, "User chose unknown Tag");
+ }
+ }
entry = Integer.parseInt(inputOption) - 1;
}
if (entry < 0 || entry >= lcd.size()) {
@@ -3040,20 +3078,23 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
}
}
}
+ Collections.sort(rv, (o1,o2) -> {
+ if(o1.type==o2.type) {
+ return o1.expires.compareTo(o2.expires);
+ } else {
+ return o1.type.compareTo(o2.type);
+ }
+ });
return rv;
}
private String[] buildVariables(List<CredDAO.Data> value) {
- // ensure credentials are sorted so we can fully automate Cred regression test
- Collections.sort(value, (cred1, cred2) ->
- cred1.type==cred2.type?cred2.expires.compareTo(cred1.expires):
- cred1.type<cred2.type?-1:1);
String [] vars = new String[value.size()];
CredDAO.Data cdd;
for (int i = 0; i < value.size(); i++) {
cdd = value.get(i);
- vars[i] = cdd.id + TWO_SPACE + cdd.type + TWO_SPACE + (cdd.type<10?TWO_SPACE:"")+ cdd.expires + TWO_SPACE + cdd.tag;
+ vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag;
}
return vars;
}
@@ -3070,12 +3111,15 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
for (int i = 0; i < numSpaces; i++) {
errMessage.append(' ');
}
- errMessage.append(" Type Expires Tag " + '\n');
+ errMessage.append(" Type Expires Tag " + '\n');
for (int i=0;i<value.size();++i) {
errMessage.append(" %s\n");
}
- errMessage.append("Run same command again with chosen entry as last parameter");
-
+ if(MayChangeCred.EXTEND.equals(action)) {
+ errMessage.append("Run same command again with chosen entry or Tag as last parameter");
+ } else {
+ errMessage.append("Run same command again with chosen entry as last parameter");
+ }
return errMessage.toString();
}