Diffstat (limited to 'cadi')
9 files changed, 148 insertions, 82 deletions
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java
index 9e21f6cd..e40743da 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java
@@ -126,43 +126,47 @@ public abstract class AAFCon<CLIENT> implements Connector {
 if (mechid==null) {
 mechid=access.getProperty(Config.OAUTH_CLIENT_ID,null);
 }
- String encpass = access.getProperty(Config.AAF_APPPASS, null);
- if (encpass==null) {
- encpass = access.getProperty(Config.OAUTH_CLIENT_SECRET,null);
- }
- if (encpass==null) {
- String alias = access.getProperty(Config.CADI_ALIAS, mechid);
- if (alias==null) {
- access.printf(Access.Level.WARN,"%s, %s or %s required before use.", Config.CADI_ALIAS, Config.AAF_APPID, Config.OAUTH_CLIENT_ID);
- set(si.defSS);
- } else {
- si.defSS=x509Alias(alias);
- set(si.defSS);
- }
+ String alias = access.getProperty(Config.CADI_ALIAS, null);
+ if(alias != null) {
+ si.defSS=x509Alias(alias);
+ set(si.defSS);
 } else {
- if (mechid!=null) {
- si.defSS=basicAuth(mechid, encpass);
- set(si.defSS);
- } else {
- si.defSS=new SecuritySetter<CLIENT>() {
-
- @Override
- public String getID() {
- return "";
- }
-
- @Override
- public void setSecurity(CLIENT client) throws CadiException {
- throw new CadiException("AAFCon has not been initialized with Credentials (SecuritySetter)");
- }
- @Override
- public int setLastResponse(int respCode) {
- return 0;
- }
- };
- set(si.defSS);
- }
+ String encpass = access.getProperty(Config.AAF_APPPASS, null);
+ if (encpass==null) {
+ encpass = access.getProperty(Config.OAUTH_CLIENT_SECRET,null);
+ }
+
+ if (encpass==null) {
+ if (alias==null) {
+ access.printf(Access.Level.WARN,"%s, %s or %s required before use.", Config.CADI_ALIAS, Config.AAF_APPID, Config.OAUTH_CLIENT_ID);
+ set(si.defSS);
+ }
+ } else {
+ if (mechid!=null) {
+ si.defSS=basicAuth(mechid, encpass);
+ set(si.defSS);
+ } else {
+ si.defSS=new SecuritySetter<CLIENT>() {
+
+ @Override
+ public String getID() {
+ return "";
+ }
+
+ @Override
+ public void setSecurity(CLIENT client) throws CadiException {
+ throw new CadiException("AAFCon has not been initialized with Credentials (SecuritySetter)");
+ }
+
+ @Override
+ public int setLastResponse(int respCode) {
+ return 0;
+ }
+ };
+ set(si.defSS);
+ }
+ }
 }
 }
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java
index d39fc1d6..e60b5d8a 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java
@@ -60,31 +60,26 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> {
 public AAFConHttp(Access access, String tag) throws CadiException, LocatorException {
 super(access,tag,SecurityInfoC.instance(access, HttpURLConnection.class));
- bestSS(si);
 hman = new HMangr(access,Config.loadLocator(si, access.getProperty(tag,tag/*try the content itself*/)));
 }
 public AAFConHttp(Access access, String urlTag, SecurityInfoC<HttpURLConnection> si) throws CadiException, LocatorException {
 super(access,urlTag,si);
- bestSS(si);
 hman = new HMangr(access,Config.loadLocator(si, access.getProperty(urlTag,null)));
 }
 public AAFConHttp(Access access, Locator<URI> locator) throws CadiException, LocatorException {
 super(access,Config.AAF_URL,SecurityInfoC.instance(access, HttpURLConnection.class));
- bestSS(si);
 hman = new HMangr(access,locator);
 }
 public AAFConHttp(Access access, Locator<URI> locator, SecurityInfoC<HttpURLConnection> si) throws CadiException, LocatorException, APIException {
 super(access,Config.AAF_URL,si);
- bestSS(si);
 hman = new HMangr(access,locator);
 }
 public AAFConHttp(Access access, Locator<URI> locator, SecurityInfoC<HttpURLConnection> si, String tag) throws CadiException, LocatorException, APIException {
 super(access,tag,si);
- bestSS(si);
 hman = new HMangr(access, locator);
 }
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
index 98abfbf9..aa9bf138 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
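Review bot: In the new else-branch the inner `if (alias==null)` guard is always true, because that branch is only entered when `alias` is null, so the warning can be emitted directly; and the warning still names CADI_ALIAS, AAF_APPID and OAUTH_CLIENT_ID although in the `mechid!=null` case the property actually missing is the password (AAF_APPPASS or OAUTH_CLIENT_SECRET), which will send operators looking at the wrong setting. The rewrite also changes precedence: a configured CADI_ALIAS now wins over any password, and the old fallback of using `mechid` as the alias is gone, so a deployment that sets both silently stops using basic auth. That deserves a comment at the top of the new block such as `// CADI_ALIAS (x509) takes precedence; basicAuth via AAF_APPPASS/OAUTH_CLIENT_SECRET is only used when no alias is configured`. The enclosing method starts before the hunk.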
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java 
@@ -140,28 +140,75 @@ public class Agent {
 } else {
 try {
 AAFSSO aafsso=null;
- PropAccess access;
+ PropAccess access=null;
- if (args.length>1 && args[0].equals("validate") ) {
- int idx = args[1].indexOf('=');
- aafsso = null;
- access = new PropAccess(
- (idx<0?Config.CADI_PROP_FILES:args[1].substring(0, idx))+
- '='+
- (idx<0?args[1]:args[1].substring(idx+1)));
- } else {
- aafsso= new AAFSSO(args, new AAFSSO.ProcessArgs() {
- @Override
- public Properties process(String[] args, Properties props) {
- if (args.length>1) {
- if (!args[0].equals("keypairgen")) {
- props.put(Config.AAF_APPID, args[1]);
- }
- }
- return props;
- }
- });
- access = aafsso.access();
+ String hasEtc = null;
+ for(String a : args) {
+ if(a.startsWith(Config.CADI_PROP_FILES)) {
+ access = new PropAccess(args);
+ break;
+ } else if(a.startsWith(Config.CADI_ETCDIR)) {
+ int idx = a.indexOf('=');
+ if(idx>=0 && idx<a.length()) {
+ hasEtc = a.substring(idx+1);
+ }
+ }
+ }
+
+ if(access==null) {
+ if(args.length>1 && args[1].contains("@")) {
+ String domain = FQI.reverseDomain(args[1]);
+ if(domain!=null) {
+ if(hasEtc==null) {
+ hasEtc = ".";
+ }
+ File etc = new File(hasEtc);
+ if(etc.exists()) {
+ File nsprops = new File(etc,domain+".props");
+ if(nsprops.exists()) {
+ access = new PropAccess(new String[] {Config.CADI_PROP_FILES+'='+nsprops.getAbsolutePath()});
+ }
+ }
+ }
+ }
+ }
+
+ if(access==null) {
+ for(Entry<Object, Object> es : System.getProperties().entrySet()) {
+ if(Config.CADI_PROP_FILES.equals(es.getKey())) {
+ access = new PropAccess();
+ }
+ }
+ }
+
+ // When using Config file, check if Cred Exists, and if not, work with Deployer.
+ if(access!=null && !"config".equals(args[0]) && access.getProperty(Config.AAF_APPPASS)==null && access.getProperty(Config.CADI_ALIAS)==null) {
+ // not enough credentials to use Props. Use AAFSSO
+ access = null;
+ }
+
+ if(access==null) {
+ if (args.length>1 && args[0].equals("validate") ) {
+ int idx = args[1].indexOf('=');
+ aafsso = null;
+ access = new PropAccess(
+ (idx<0?Config.CADI_PROP_FILES:args[1].substring(0, idx))+
+ '='+
+ (idx<0?args[1]:args[1].substring(idx+1)));
+ } else {
+ aafsso= new AAFSSO(args, new AAFSSO.ProcessArgs() {
+ @Override
+ public Properties process(String[] args, Properties props) {
+ if (args.length>1) {
+ if (!args[0].equals("keypairgen")) {
+ props.put(Config.AAF_APPID, args[1]);
+ }
+ }
+ return props;
+ }
+ });
+ access = aafsso.access();
+ }
 }
 if (aafsso!=null && aafsso.loginOnly()) {
@@ -805,7 +852,7 @@ public class Agent {
 try {
 final String fqi = fqi(cmds);
 Artifact arti = new Artifact();
- arti.setDir(propAccess.getProperty(Config.CADI_ETCDIR, "."));
+ arti.setDir(propAccess.getProperty(Config.CADI_ETCDIR, System.getProperty("user.dir")));
 arti.setNs(FQI.reverseDomain(fqi));
 PropHolder loc = PropHolder.get(arti, "location.props");
 PropHolder cred = PropHolder.get(arti,"cred.props");
@@ -822,13 +869,20 @@ public class Agent {
 loc.add(tag, getProperty(propAccess, trans, false, tag, "%s: ",tag));
 }
+ String keyfile = cred.getKeyPath();
+ if(keyfile!=null) {
+ File fkeyfile = new File(keyfile);
+ if(!fkeyfile.exists()) {
+ ArtifactDir.write(fkeyfile,Chmod.to400,Symm.keygen());
+ }
+ }
 cred.add(Config.CADI_KEYFILE, cred.getKeyPath());
 final String ssoAppID = propAccess.getProperty(Config.AAF_APPID);
 if(fqi!=null && fqi.equals(ssoAppID)) {
 cred.addEnc(Config.AAF_APPPASS, propAccess, null); // only Ask for Password when starting scratch
 } else if(propAccess.getProperty(Config.CADI_PROP_FILES)==null) {
- char[] pwd = AAFSSO.cons.readPassword("Password for %s: ", fqi);
+ char[] pwd = AAFSSO.cons.readPassword("Password for %s (leave blank for NO password): ", fqi);
 if(pwd.length>0) {
 cred.addEnc(Config.AAF_APPPASS, new String(pwd));
 }
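Review bot: The credential check `!"config".equals(args[0])` dereferences `args[0]` with no length guard; when `access` was obtained from the system-property loop and `args` is empty, this throws ArrayIndexOutOfBoundsException unless a guard outside the hunk already rejects empty args — `args.length>0 && !"config".equals(args[0])` makes the check self-contained. The loop over `System.getProperties().entrySet()` can be `if(System.getProperty(Config.CADI_PROP_FILES)!=null) { access = new PropAccess(); }`, and `idx<a.length()` is always true once `idx>=0`. The `<domain>.props` lookup silently falls back to the current directory when CADI_ETCDIR is not given (`hasEtc = "."`), which decides which credentials the Agent runs with and deserves a comment saying so. The enclosing method starts before the hunk.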
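Review bot: The keyfile is only generated when `fkeyfile.exists()` is false, so a pre-existing empty or unreadable file at that path is accepted as-is and the `cred.addEnc` calls that presumably depend on it get no protection; `if(!fkeyfile.exists() || fkeyfile.length()==0)` would at least cover the empty case, and a comment such as `// keyfile protects the encrypted AAF_APPPASS in cred.props; generated once, written mode 400` above the block would explain why it is created here. `cred.getKeyPath()` is called again on the next line where the `keyfile` local can be reused: `cred.add(Config.CADI_KEYFILE, keyfile);`. Whether `ArtifactDir.write` creates a missing parent directory is not visible here. The enclosing method starts before and continues after the hunk.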
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactScripts.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactScripts.java
index 5ee1abe2..123bb9df 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactScripts.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactScripts.java
@@ -24,6 +24,8 @@ package org.onap.aaf.cadi.configure;
 import java.io.File;
 import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.aaf.Defaults;
+import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.util.Chmod;
 import org.onap.aaf.misc.env.Trans;
 import org.onap.aaf.misc.env.util.Chrono;
@@ -55,7 +57,7 @@ public class PlaceArtifactScripts extends ArtifactDir {
 classpath.append(File.pathSeparatorChar);
 }
 File f = new File(pth);
- classpath.append(f.getCanonicalPath().replaceAll("[0-9]+\\.[0-9]+\\.[0-9]+","*"));
+ classpath.append(f.getCanonicalPath().replaceAll("[0-9]+\\.[0-9]+\\.[0-9]+",Defaults.AAF_VERSION+".*"));
 }
 write(f1,Chmod.to644,
@@ -63,10 +65,15 @@ public class PlaceArtifactScripts extends ArtifactDir {
 "# Certificate Manager Check Script\n",
 "# Check on Certificate, and renew if needed.\n",
 "# Generated by Certificate Manager " + Chrono.timeStamp()+'\n',
+ "# by Deployer " + trans.getProperty(Config.AAF_APPID,"") + '\n',
+ "#\n",
 "DIR="+arti.getDir()+'\n',
+ "APP_ID=" + arti.getMechid() + '\n',
+ "FQDN=" + arti.getMachine()+ '\n',
 "APP="+arti.getNs()+'\n',
- "EMAIL="+email,
- "CP=\""+classpath.toString()+"\"\n",
+ "EMAIL="+email+ '\n',
+ "JAR=\""+classpath.toString()+"\"\n",
+ "JAVA=\""+javaHome() + "/bin/" +"java\"\n",
 checkScript
 );
@@ -100,7 +107,6 @@ public class PlaceArtifactScripts extends ArtifactDir {
 return rc==null?System.getProperty("java.home"):rc;
 }
 private final static String checkScript =
- "> $DIR/$APP.msg\n\n" +
 "function mailit {\n" +
 " if [ -e /bin/mail ]; then\n" +
 " MAILER=/bin/mail\n" +
@@ -115,9 +121,8 @@ public class PlaceArtifactScripts extends ArtifactDir {
 " printf \"$*\" | $MAILER -s \"AAF Certman Notification for `uname -n`\" $EMAIL\n"+
 " fi\n" +
 "}\n\n" +
- javaHome() + "/bin/" +"java -cp $CP " +
- Agent.class.getName() +
- " cadi_prop_files=$DIR/$APP.props check 2> $DIR/$APP.STDERR > $DIR/$APP.STDOUT\n" +
+ "> $DIR/$APP.msg\n\n" +
+ "$JAVA -jar $JAR check $APP_ID $FQDN cadi_prop_files=$DIR/$APP.props 2> $DIR/$APP.STDERR > $DIR/$APP.STDOUT\n" +
 "case \"$?\" in\n" +
 " 0)\n" +
 " # Note: Validation will be mailed only the first day after any modification\n" +
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java
index b3cf266e..14cf0f62 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java
@@ -152,15 +152,17 @@ public class TokenClientFactory extends Persist<Token,TimedToken> {
 }
 sb.append('_');
 sb.append(tokenSource);
- byte[] tohash=scope.getBytes();
- if (hash!=null && hash.length>0) {
- byte temp[] = new byte[hash.length+tohash.length];
- System.arraycopy(tohash, 0, temp, 0, tohash.length);
- System.arraycopy(hash, 0, temp, tohash.length, hash.length);
- tohash = temp;
- }
- if (scope!=null && scope.length()>0) {
- sb.append(Hash.toHexNo0x(Hash.hashSHA256(tohash)));
+ if (scope!=null) {
+ byte[] tohash=scope.getBytes();
+ if (hash!=null && hash.length>0) {
+ byte temp[] = new byte[hash.length+tohash.length];
+ System.arraycopy(tohash, 0, temp, 0, tohash.length);
+ System.arraycopy(hash, 0, temp, tohash.length, hash.length);
+ tohash = temp;
+ }
+ if (scope.length()>0) {
+ sb.append(Hash.toHexNo0x(Hash.hashSHA256(tohash)));
+ }
 }
 return sb.toString();
 } catch (NoSuchAlgorithmException e) {
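Review bot: Replacing every `x.y.z` in the canonical path with `Defaults.AAF_VERSION+".*"` turns `$JAR` into a shell glob that the `$JAVA -jar $JAR` line in the `@@ -115` hunk only works with when exactly one file matches; two installed patch versions, or a version-like directory component on the path, expand to several words and the check silently breaks. `replaceAll` also interprets `$` and `\` in its replacement argument, so a version string containing either would corrupt the path — `Matcher.quoteReplacement(Defaults.AAF_VERSION+".*")` is the safe form. A one-line comment stating the single-match assumption would help whoever maintains the installed jars. The enclosing loop starts before the hunk.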
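Review bot: `APP_ID=`, `FQDN=`, `DIR=`, `APP=` and `EMAIL=` are written into the generated shell script unquoted, and `$JAVA`, `$APP_ID` and `$FQDN` are expanded unquoted again in the `@@ -115` hunk, so whitespace or a shell metacharacter in `arti.getMechid()`, `arti.getMachine()`, the e-mail address or the java home path alters the command the scheduled script runs instead of being passed as data. Quote the values when writing the script, e.g. `"APP_ID=\"" + arti.getMechid() + "\"\n"`, and quote the expansions (`"$JAVA" -jar $JAR check "$APP_ID" "$FQDN"`, leaving `$JAR` unquoted because it is a glob). The new `# by Deployer` line embeds `trans.getProperty(Config.AAF_APPID,"")` inside a comment, which is only safe as long as that value cannot contain a newline. The `write(f1, ...)` call begins before the hunk.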
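Review bot: `scope.getBytes()` in the new block uses the platform default charset, so the SHA-256 that forms the key can differ between JVMs for non-ASCII scopes; `scope.getBytes(StandardCharsets.UTF_8)` pins it (the import is not visible in the hunk). The `hash` bytes are concatenated into `tohash` even when `scope` is empty and are then discarded by the `scope.length()>0` guard, so the key for an empty scope ignores `hash` entirely; if that is intended, guard the whole block with `if (scope!=null && scope.length()>0)` so the copy is skipped as well, and say so in a comment. The enclosing method starts and ends outside the hunk.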
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java
index de31e661..c0ac43e9 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java
@@ -381,7 +381,7 @@ public class AAFSSO {
 addProp(Config.AAF_LOCATE_URL, locateUrl);
 try {
 if(access.getProperty(Config.AAF_URL)==null) {
- access.setProperty(Config.AAF_URL, "https://AAF_LOCATE/AAF_NS.service:2.1");
+ access.setProperty(Config.AAF_URL, Defaults.AAF_ROOT+".service:"+Defaults.AAF_VERSION);
 }
 AAFCon<?> aafCon = AAFCon.newInstance(access);
 Future<Configuration> acf;
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java
index 68a8db05..0a1f38db 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java
@@ -113,7 +113,8 @@ public class CmdLine {
 // Jonathan. Oh, well, Deployment services need this behavior. I will put this code in, but leave it undocumented.
 // One still needs access to the keyfile to read.
 // July 2016 - thought of a tool "CMPass" to regurgitate from properties, but only if allowed.
- } else if ("regurgitate".equalsIgnoreCase(args[0]) && args.length>2) {
+ } else if (("regurgitate".equalsIgnoreCase(args[0]) || "undigest".equalsIgnoreCase(args[0]))
+ && args.length>2) {
 try {
 Symm symm;
 FileInputStream fis = new FileInputStream(args[2]);
@@ -188,7 +189,7 @@ public class CmdLine {
 System.out.flush();
 return;
 } catch (IOException e) {
- System.err.println("Cannot regurgitate password");
+ System.err.println("Cannot undigest password");
 System.err.println(" \""+ e.getMessage() + '"');
 } else if ("encode64".equalsIgnoreCase(args[0]) && args.length>1) {
@@ -334,6 +335,7 @@ public class CmdLine {
 System.out.println(" digest [<passwd>|-i|] <keyfile> (Encrypts Password with \"keyfile\"");
 System.out.println(" if passwd = -i, will read StdIn");
 System.out.println(" if passwd is blank, will ask securely)");
+ System.out.println(" undigest <enc:...> <keyfile> (Decrypts Encoded with \"keyfile\")");
 System.out.println(" passgen <digits> (Generate Password of given size)");
 System.out.println(" urlgen <digits> (Generate URL field of given size)");
 System.out.println(" encode64 <your text> (Encodes to Base64)");
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java
index 2655b4ce..48f5e2d1 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java
@@ -228,6 +228,9 @@ public class Config {
 public static final String AAF_URL_CM_DEF = "https://AAF_LOCATE_URL/AAF_NS.cm:"+AAF_DEFAULT_API_VERSION;
 public static final String AAF_URL_HELLO = "aaf_url_hello";
 public static final String CM_TRUSTED_CAS = "cm_trusted_cas";
+ // let NS Owners choose with <ns>.certman aaf ignoreIPs" to ignoreIP Check for Configs
+ // Probably only want to allow in a DEV Env.
+ public static final String CM_ALLOW_IGNORE_IPS="cm_allow_ignore_ips";
 public static final String PATHFILTER_URLPATTERN = "pathfilter_urlpattern";
 public static final String PATHFILTER_STACK = "pathfilter_stack";
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java
index 967bf221..859f9a25 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java
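Review bot: The default URL is now assembled from `Defaults.AAF_ROOT` and `Defaults.AAF_VERSION`, while `Config` in this same commit still builds `AAF_URL_CM_DEF` from the literal `https://AAF_LOCATE_URL/AAF_NS.cm:` and `AAF_DEFAULT_API_VERSION`; two sources of truth for the locator root and API version can drift apart, and since the old literal here used `AAF_LOCATE` rather than `AAF_LOCATE_URL`, it is worth confirming that `Defaults.AAF_ROOT` resolves to the host token the locator actually substitutes. A comment `// default service URL; keep in sync with Config.AAF_URL_CM_DEF and Defaults` would flag the coupling for the next maintainer. The enclosing method starts before the hunk.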
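Review bot: The context comment directly above the new condition still says this code is deliberately left undocumented, but the `@@ -334` hunk now advertises it in the usage text as `undigest`, so the comment should be updated to say that the command is exposed under the `undigest` name and that recovering a plaintext password requires read access to the keyfile named in `args[2]`. The `@@ -188` hunk changes the failure message to `Cannot undigest password` even when the command was invoked as `regurgitate`; that is harmless but worth a word in the comment as well. The enclosing method starts before and continues after the hunk.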
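Review bot: The comment added above `CM_ALLOW_IGNORE_IPS` has an unbalanced quote and does not say that the flag disables a check; since it lets a namespace owner switch off the IP check that Cert Manager applies to configs, the wording should make that explicit. Suggested replacement for the two comment lines: `// Lets NS owners opt out of the Cert Manager IP check for configs via "<ns>.certman aaf ignoreIPs".` and `// Disables a security control; intended for DEV environments only.`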
@@ -235,6 +235,7 @@ public class JU_CmdLine {
 " digest [<passwd>|-i|] <keyfile> (Encrypts Password with \"keyfile\"" + lineSeparator +
 " if passwd = -i, will read StdIn" + lineSeparator +
 " if passwd is blank, will ask securely)" + lineSeparator +
+ " undigest <enc:...> <keyfile> (Decrypts Encoded with \"keyfile\")" + lineSeparator +
 " passgen <digits> (Generate Password of given size)" + lineSeparator +
 " urlgen <digits> (Generate URL field of given size)" + lineSeparator +
 " encode64 <your text> (Encodes to Base64)" + lineSeparator + |