diff options
Diffstat (limited to 'auth')
5 files changed, 68 insertions, 10 deletions
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index 1809686a..39578f83 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java @@ -786,11 +786,17 @@ public class Question { return Result.err(Status.ERR_BadData, "[%s] cannot be a delegate for self", dd.user); } - if (!isUser && !isGranted(trans, trans.user(), ROOT_NS,DELG, - org.getDomain(), Question.CREATE)) { - return Result.err(Status.ERR_Denied, + if (!isUser) { + String supportedDomain = org.supportedDomain(dd.user); + if(supportedDomain==null) { + return Result.err(Status.ERR_Denied, + "[%s] may not create a delegate for the domain for [%s]", + trans.user(), dd.user); + } else if(!isGranted(trans, trans.user(), ROOT_NS,DELG,supportedDomain,Question.CREATE)) { + return Result.err(Status.ERR_Denied, "[%s] may not create a delegate for [%s]", trans.user(), dd.user); + } } break; case read: diff --git a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java index 1a410088..9ef4c00a 100644 --- a/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java +++ b/auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java @@ -132,11 +132,22 @@ public class Cred extends Cmd { // IMPORTANT! We do this backward, because it is looking for string // %1 or %13. If we replace %1 first, that messes up %13 + String var; for(int i=vars.size()-1;i>0;--i) { - text = text.replace("%"+(i+1), (i<10?" ":"") + i+") " + vars.get(i)); + var = vars.get(i); + if(aafcli.isTest()) { + int type = var.indexOf("U/P"); + if(type>0) { + var = var.substring(0,type+4) + " XXXX/XX/XX XX:XX UTC XXXXXXXXXXXXXXXXXX"; + } + } + text = text.replace("%"+(i+1), (i<10?" ":"") + i+") " + var); } text = text.replace("%1",vars.get(0)); + if(aafcli.isTest()) { + + } pw().println(text); } else if (fp.code()==406 && option==1) { pw().println("You cannot delete this Credential"); diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java index 288d79d3..73093099 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java @@ -95,7 +95,16 @@ public interface Organization { public void addSupportedRealm(String r); - public String getDomain(); + /** + * If Supported, returns Realm, ex: org.onap + * ELSE returns null + * + * @param user + * @return + */ + public String supportedDomain(String user); + + public String getDomain(); /** * Get Identity information based on userID @@ -420,6 +429,11 @@ public interface Organization { @Override public void addSupportedRealm(String r) { } + + @Override + public String supportedDomain(String r) { + return null; + } @Override public String getDomain() { diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java index 46d3db9b..70b3324a 100644 --- a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java +++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java @@ -637,6 +637,25 @@ public class DefaultOrg implements Organization { } return false; } + + @Override + public String supportedDomain(String user) { + if(user!=null) { + int after_at = user.indexOf('@')+1; + if(after_at<user.length()) { + String ud = FQI.reverseDomain(user); + if(ud.startsWith(getDomain())) { + return getDomain(); + } + for(String s : supportedRealms) { + if(ud.startsWith(s)) { + return FQI.reverseDomain(s); + } + } + } + } + return null; + } @Override public synchronized void addSupportedRealm(final String r) { diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 2431e0eb..67410305 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -2346,10 +2346,11 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } switch(action) { case DELETE: + String why; if(ques.isOwner(trans, user,ns) || - ques.isAdmin(trans, user,ns) || - ques.isGranted(trans, user, ROOT_NS,"password",company,DELETE)) { - return Result.ok(); + ques.isAdmin(trans, user,ns) || + ques.isGranted(trans, user, ROOT_NS,"password",company,DELETE)) { + return Result.ok(); } break; case RESET: @@ -2509,13 +2510,16 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE try { if (firstID) { // OK, it's a first ID, and not by NS Owner - if(!ques.isOwner(trans,trans.user(),cdd.ns)) { + String user = trans.user(); + if(!ques.isOwner(trans,user,cdd.ns)) { // Admins are not allowed to set first Cred, but Org has already // said entity MAY create, typically by Permission // We can't know which reason they are allowed here, so we // have to assume that any with Special Permission would not be // an Admin. - if(ques.isAdmin(trans, trans.user(), cdd.ns)) { + String domain = org.supportedDomain(user); + if((domain!=null && !ques.isGranted(trans, user, ROOT_NS, "mechid", domain, Question.CREATE)) && + ques.isAdmin(trans, user, cdd.ns)) { return Result.err(Result.ERR_Denied, "Only Owners may create first passwords in their Namespace. Admins may modify after one exists" ); } else { @@ -3900,6 +3904,10 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE } final DelegateDAO.Data dd = rd.value; + + if(dd.user.contentEquals(dd.delegate) && !trans.requested(force)) { + return Result.err(Status.ERR_InvalidDelegate,dd.user + " cannot delegate to self"); + } Result<List<DelegateDAO.Data>> ddr = ques.delegateDAO().read(trans, dd); if (access==Access.create && ddr.isOKhasData()) { |