Diffstat (limited to 'cadi')
38 files changed, 442 insertions, 254 deletions
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java index 3b783949..c4ca8082 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java @@ -25,6 +25,7 @@ import java.util.ArrayList; import java.util.List; import org.onap.aaf.cadi.Permission; +import org.onap.aaf.misc.env.util.Split; /** * A Class that understands the AAF format of Permission (name/type/action) @@ -35,7 +36,7 @@ import org.onap.aaf.cadi.Permission; */ public class AAFPermission implements Permission { private static final List<String> NO_ROLES; - protected String type,instance,action,key; + protected String ns,type,instance,action,key; private List<String> roles; static { @@ -44,19 +45,30 @@ public class AAFPermission implements Permission { protected AAFPermission() {roles=NO_ROLES;} - public AAFPermission(String type, String instance, String action) { - this.type = type; + public AAFPermission(String ns, String name, String instance, String action) { + this.ns = ns; + type = name; this.instance = instance; this.action = action; - key = type + '|' + instance + '|' + action; + if(ns==null) { + key = type + '|' + instance + '|' + action; + } else { + key = ns + '|' + type + '|' + instance + '|' + action; + } this.roles = NO_ROLES; } - public AAFPermission(String type, String instance, String action, List<String> roles) { - this.type = type; + + public AAFPermission(String ns, String name, String instance, String action, List<String> roles) { + this.ns = ns; + type = name; this.instance = instance; this.action = action; - key = type + '|' + instance + '|' + action; + if(ns==null) { + key = type + '|' + instance + '|' + action; + } else { + key = ns + '|' + type + '|' + instance + '|' + action; + } this.roles = roles==null?NO_ROLES:roles; } 
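Review bot: The key-building branch is now copied verbatim into both constructors; the four-argument one can delegate instead, `this(ns, name, instance, action, null);`, because the five-argument constructor already maps a null roles list to NO_ROLES. The two key shapes also deserve a comment on the `key` field, since a permission built with `ns==null` produces `type|instance|action` while match() on the other side of this file now reads a three-segment key as `ns|type|instance`; if such a key is ever fed back through that splitting branch it is misread. Suggested: `// key is ns|type|instance|action when ns is known, else type|instance|action (pre-namespace form)`.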
@@ -71,6 +83,7 @@ public class AAFPermission implements Permission { * If you want a simple field comparison, it is faster without REGEX */ public boolean match(Permission p) { + String aafNS; String aafType; String aafInstance; String aafAction; 
@@ -79,24 +92,68 @@ public class AAFPermission implements Permission { // Note: In AAF > 1.0, Accepting "*" from name would violate multi-tenancy // Current solution is only allow direct match on Type. // 8/28/2014 Jonathan - added REGEX ability - aafType = ap.getName(); + aafNS = ap.getNS(); + aafType = ap.getType(); aafInstance = ap.getInstance(); aafAction = ap.getAction(); } else { - // Permission is concatenated together: separated by | - String[] aaf = p.getKey().split("[\\s]*\\|[\\s]*",3); - aafType = aaf[0]; - aafInstance = (aaf.length > 1) ? aaf[1] : "*"; - aafAction = (aaf.length > 2) ? aaf[2] : "*"; + // Permission is concatenated together: separated by + String[] aaf = Split.splitTrim('|', p.getKey()); + switch(aaf.length) { + case 1: + aafNS = aaf[0]; + aafType=""; + aafInstance = aafAction = "*"; + break; + case 2: + aafNS = aaf[0]; + aafType = aaf[1]; + aafInstance = aafAction = "*"; + break; + case 3: + aafNS = aaf[0]; + aafType = aaf[1]; + aafInstance = aaf[2]; + aafAction = "*"; + break; + default: + aafNS = aaf[0]; + aafType = aaf[1]; + aafInstance = aaf[2]; + aafAction = aaf[3]; + break; + } } - return ((type.equals(aafType)) && - (PermEval.evalInstance(instance, aafInstance)) && - (PermEval.evalAction(action, aafAction))); + boolean typeMatches; + if(aafNS==null) { + if(ns==null) { + typeMatches = aafType.equals(type); + } else { + typeMatches = aafType.equals(ns+'.'+type); + } + } else if(ns==null) { + typeMatches = type.equals(aafNS+'.'+aafType); + } else if(aafNS.length() == ns.length()) { + typeMatches = aafNS.equals(ns) && aafType.equals(type); + } else { // Allow for restructuring of NS/Perm structure + typeMatches = (aafNS+'.'+aafType).equals(ns+'.'+type); + } + return (typeMatches && + PermEval.evalInstance(instance, aafInstance) && + PermEval.evalAction(action, aafAction)); + } + + public String getNS() { + return ns; } - public String getName() { + public String getType() { return type; } + + public String getFullType() { + return ns 
+ '.' + type; + } public String getInstance() { return instance; @@ -121,7 +178,9 @@ public class AAFPermission implements Permission { return roles; } public String toString() { - return "AAFPermission:\n\tType: " + type + + return "AAFPermission:" + + "\n\tNS: " + ns + + "\n\tType: " + type + "\n\tInstance: " + instance + "\n\tAction: " + action + "\n\tKey: " + key; diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/Defaults.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/Defaults.java new file mode 100644 index 00000000..5aa4dbc5 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/Defaults.java 
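Review bot: The `default:` arm of the new segment-count switch assumes at least four segments, so a key that Split.splitTrim turns into an empty array (splitTrim's behavior on an empty key is not visible here) would throw at `aaf[0]`, and a key with more than four segments silently drops the tail, whereas the old `split(..., 3)` kept everything after the second separator in the action; since this is the authorization decision, a key with an unexpected shape should fail closed rather than match a narrower action. Rename `default:` to `case 4:` and add `default: return false; // unexpected segment count: fail closed`. The same hunk also lost the separator from the comment, which now reads "separated by" with nothing after it; it should be `// Permission is concatenated together: separated by '|'`. Note too that a one-segment key used to be treated as the type and is now treated as the namespace with an empty type, which may be intended but changes what legacy keys match. match() starts in the preceding hunk, outside this one.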
@@ -0,0 +1,33 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi.aaf; + +public interface Defaults { + public static String AAF_VERSION = "2.1"; + public static String AAF_NS = "AAF_NS"; + public static String AAF_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".service:" + AAF_VERSION; + public static String GUI_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".gui:" + AAF_VERSION; + public static String CM_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".cm:" + AAF_VERSION; + public static String FS_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".fs:" + AAF_VERSION; + public static String HELLO_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".hello:" + AAF_VERSION; + public static String OAUTH2_TOKEN_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".token:" + AAF_VERSION; + public static String OAUTH2_INTROSPECT_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".introspect:" + AAF_VERSION; +} 
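Review bot: Defaults has no Javadoc, and the literal host `AAF_LOCATE_URL` and prefix `AAF_NS` inside every URL read like real values rather than tokens; AbsAAFLocator's new `name.replace(Defaults.AAF_NS, root_ns)` shows AAF_NS is substituted at runtime, and presumably AAF_LOCATE_URL is as well. Suggested header: `/** Template URLs for the AAF services. AAF_LOCATE_URL and AAF_NS are placeholder tokens that are replaced at runtime from configuration (see AbsAAFLocator and Config.AAF_ROOT_NS); do not use these strings as literal endpoints. */`. Stylistically, fields of an interface are already public, static and final, so the `public static` modifiers are redundant, and a constants holder is conventionally a final class with a private constructor rather than an interface.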
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java index 35bcc5a9..df2ad4f8 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java @@ -55,7 +55,7 @@ public class TestConnectivity { System.out.println("Usage: ConnectivityTester <cadi_prop_files> [<AAF FQDN (i.e. aaf.dev.att.com)>]"); } else { print(true,"START OF CONNECTIVITY TESTS",new Date().toString(),System.getProperty("user.name"), - "Note: All API Calls are /authz/perms/user/<MechID/Alias of the caller>"); + "Note: All API Calls are /authz/perms/user/<AppID/Alias of the caller>"); if(!args[0].contains(Config.CADI_PROP_FILES+'=')) { args[0]=Config.CADI_PROP_FILES+'='+args[0]; @@ -79,15 +79,16 @@ public class TestConnectivity { List<SecuritySetter<HttpURLConnection>> lss = loadSetters(access,si); ///////// print(true,"Test Connections driven by AAFLocator"); - URI serviceURI = new URI(aaflocate+"/locate/AAF_NS.service:2.0"); + URI serviceURI = new URI(Defaults.AAF_URL); for(URI uri : new URI[] { serviceURI, - new URI(aaflocate+"/locate/AAF_NS.service:2.0"), - new URI(aaflocate+"/locate/AAF_NS.locate:2.0"), - new URI(aaflocate+"/locate/AAF_NS.token:2.0"), - new URI(aaflocate+"/locate/AAF_NS.certman:2.0"), - new URI(aaflocate+"/locate/AAF_NS.hello") + new URI(Defaults.OAUTH2_TOKEN_URL), + new URI(Defaults.OAUTH2_INTROSPECT_URL), + new URI(Defaults.CM_URL), + new URI(Defaults.GUI_URL), + new URI(Defaults.FS_URL), + new URI(Defaults.HELLO_URL) }) { Locator<URI> locator = new AAFLocator(si, uri); try { 
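Review bot: The new URI list no longer covers the `AAF_NS.locate:2.0` endpoint that the previous list probed, and no Defaults entry for the locate service is introduced in this commit; if the locator service should still be exercised it needs one. The `aaflocate` variable (declared outside this hunk) no longer appears in this loop, so it may now be unused here. Since every entry is built from a Defaults template whose host is a placeholder, a short comment such as `// template URLs; the locator substitutes AAF_LOCATE_URL/AAF_NS before connecting` above the array would explain why these URIs are not dialled directly.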
@@ -105,14 +106,6 @@ public class TestConnectivity { permTest(locator,ss); } - ///////// - // Removed for ONAP -// print(true,"Test Proxy Access driven by AAFLocator"); -// locator = new AAFLocator(si, new URI(aaflocate+"/AAF_NS.gw:2.0/proxy")); -// for(SecuritySetter<HttpURLConnection> ss : lss) { -// permTest(locator,ss); -// } - ////////// print(true,"Test essential BasicAuth Service call, driven by AAFLocator"); for(SecuritySetter<HttpURLConnection> ss : lss) { @@ -163,7 +156,7 @@ public class TestConnectivity { String tokenURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL); String locateURL=access.getProperty(Config.AAF_LOCATE_URL); if(tokenURL==null || (tokenURL.contains("/locate/") && locateURL!=null)) { - tokenURL=locateURL+"/locate/AAF_NS.token:2.0/token"; + tokenURL=Defaults.OAUTH2_TOKEN_URL+"/token"; } try { diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java index 3c970bc2..b350e2a7 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java @@ -43,7 +43,7 @@ public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> { * @throws Exception .. */ // Package on purpose - AAFAuthn(AAFCon<CLIENT> con) throws Exception { + AAFAuthn(AAFCon<CLIENT> con) { super(con.access,con.cleanInterval,con.highCount,con.usageRefreshTriggerCount); this.con = con; } @@ -73,7 +73,7 @@ public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> { * * Convenience function. Passes "null" for State object */ - public String validate(String user, String password) throws IOException, CadiException { + public String validate(String user, String password) throws IOException { return validate(user,password,null); } 
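Review bot: Dropping `CadiException` from the `throws` clause of the public `validate(String, String)` method (and of the three-argument overload in the next hunk, as well as `AAFCon.newInstance` and the AAFConHttp constructors later in this diff) is a source-incompatible change for callers: javac rejects a `catch (CadiException e)` around a try body that can no longer throw it, so existing client code that caught only that type stops compiling. If that is accepted, the Javadoc above the three-argument overload still lists `@throws CadiException` and `@throws Exception` and should be trimmed to match the new signature. A release note naming the changed signatures would help downstream CADI users.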
@@ -90,7 +90,7 @@ public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> { * @throws CadiException * @throws Exception */ - public String validate(String user, String password, Object state) throws IOException, CadiException { + public String validate(String user, String password, Object state) throws IOException { password = access.decrypt(password, false); byte[] bytes = password.getBytes(); User<AAFPermission> usr = getUser(user,bytes); @@ -103,7 +103,7 @@ public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> { } } - AAFCachedPrincipal cp = new AAFCachedPrincipal(this,con.app, user, bytes, con.cleanInterval); + AAFCachedPrincipal cp = new AAFCachedPrincipal(user, bytes, con.cleanInterval); // Since I've relocated the Validation piece in the Principal, just revalidate, then do Switch // Statement switch(cp.revalidate(state)) { @@ -127,9 +127,10 @@ public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> { } private class AAFCachedPrincipal extends ConfigPrincipal implements CachedPrincipal { - private long expires,timeToLive; + private long expires; + private long timeToLive; - public AAFCachedPrincipal(AAFAuthn<?> aaf, String app, String name, byte[] pass, int timeToLive) { + private AAFCachedPrincipal(String name, byte[] pass, int timeToLive) { super(name,pass); this.timeToLive = timeToLive; expires = timeToLive + System.currentTimeMillis(); @@ -164,6 +165,6 @@ public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> { public long expires() { return expires; } - }; + } } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java index b076379c..32a82d6d 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java 
@@ -166,19 +166,21 @@ public abstract class AAFCon<CLIENT> implements Connector { access.printf(Access.Level.WARN,"%s, %s or %s required before use.", Config.CADI_ALIAS, Config.AAF_APPID, Config.OAUTH_CLIENT_ID); set(si.defSS); } else { - set(si.defSS=x509Alias(alias)); + si.defSS=x509Alias(alias); + set(si.defSS); } } else { - if(mechid!=null && encpass !=null) { - set(si.defSS=basicAuth(mechid, encpass)); + if(mechid!=null) { + si.defSS=basicAuth(mechid, encpass); + set(si.defSS); } else { - set(si.defSS=new SecuritySetter<CLIENT>() { - + si.defSS=new SecuritySetter<CLIENT>() { + @Override public String getID() { return ""; } - + @Override public void setSecurity(CLIENT client) throws CadiException { throw new CadiException("AAFCon has not been initialized with Credentials (SecuritySetter)"); @@ -188,7 +190,8 @@ public abstract class AAFCon<CLIENT> implements Connector { public int setLastResponse(int respCode) { return 0; } - }); + }; + set(si.defSS); } } } @@ -249,22 +252,21 @@ public abstract class AAFCon<CLIENT> implements Connector { public AAFAuthn<CLIENT> newAuthn() throws APIException { try { - return new AAFAuthn<CLIENT>(this); - } catch (APIException e) { - throw e; + return new AAFAuthn<>(this); } catch (Exception e) { throw new APIException(e); } } public AAFAuthn<CLIENT> newAuthn(AbsUserCache<AAFPermission> c) { - return new AAFAuthn<CLIENT>(this,c); + return new AAFAuthn<>(this, c); } public AAFLurPerm newLur() throws CadiException { try { if(lur==null) { - return (lur = new AAFLurPerm(this)); + lur = new AAFLurPerm(this); + return lur; } else { return new AAFLurPerm(this,lur); } 
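Review bot: The basic-auth condition was narrowed from `mechid!=null && encpass !=null` to `mechid!=null`, so an application id configured without a password now reaches `basicAuth(mechid, encpass)` with a null password instead of falling through to the placeholder SecuritySetter that refuses to run uninitialised. Unless basicAuth is meant to handle a null password itself (its body is not in this hunk), restore the guard: `if(mechid!=null && encpass!=null) {`. If the omission is deliberate, a comment on that line explaining where the password is obtained would stop the check from being reinstated later.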
@@ -357,13 +359,13 @@ public abstract class AAFCon<CLIENT> implements Connector { Error err = errDF.newData().in(TYPE.JSON).load(f.body()).asObject(); return Vars.convert(err.getText(),err.getVariables()); } catch (APIException e){ - // just return the body below + access.log(e); } } return text; } - public static AAFCon<?> newInstance(PropAccess pa) throws APIException, CadiException, LocatorException { + public static AAFCon<?> newInstance(PropAccess pa) throws CadiException, LocatorException { // Potentially add plugin for other kinds of Access return new AAFConHttp(pa); } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java index 9fc38d9f..59cb6c87 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java @@ -49,7 +49,7 @@ import org.onap.aaf.misc.env.APIException; public class AAFConHttp extends AAFCon<HttpURLConnection> { private final HMangr hman; - public AAFConHttp(Access access) throws APIException, CadiException, LocatorException { + public AAFConHttp(Access access) throws CadiException, LocatorException { super(access,Config.AAF_URL,SecurityInfoC.instance(access, HttpURLConnection.class)); bestSS(si); hman = new HMangr(access,Config.loadLocator(si, access.getProperty(Config.AAF_URL,null))); @@ -64,7 +64,7 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> { } catch (APIException e) { throw new CadiException(e); } - } else if((s = access.getProperty(Config.AAF_APPID, null))!=null){ + } else if((access.getProperty(Config.AAF_APPID, null))!=null){ try { return new HBasicAuthSS(si,true); } catch (IOException /*| GeneralSecurityException*/ e) { 
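Review bot: In the AAFConHttp hunk at -64 the extra parentheses left behind by removing the `s =` assignment make the condition harder to read; `} else if(access.getProperty(Config.AAF_APPID, null)!=null){` is equivalent. If `s` was declared earlier in that method solely for this assignment, it is now an unused local. The commented-out `/*| GeneralSecurityException*/` in the catch on the next line is pre-existing but could be removed in the same pass.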
@@ -75,19 +75,19 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> { } } - public AAFConHttp(Access access, String tag) throws APIException, CadiException, LocatorException { + public AAFConHttp(Access access, String tag) throws CadiException, LocatorException { super(access,tag,SecurityInfoC.instance(access, HttpURLConnection.class)); bestSS(si); hman = new HMangr(access,Config.loadLocator(si, access.getProperty(tag,tag/*try the content itself*/))); } - public AAFConHttp(Access access, String urlTag, SecurityInfoC<HttpURLConnection> si) throws CadiException, APIException, LocatorException { + public AAFConHttp(Access access, String urlTag, SecurityInfoC<HttpURLConnection> si) throws CadiException, LocatorException { super(access,urlTag,si); bestSS(si); hman = new HMangr(access,Config.loadLocator(si, access.getProperty(urlTag,null))); } - public AAFConHttp(Access access, Locator<URI> locator) throws CadiException, LocatorException, APIException { + public AAFConHttp(Access access, Locator<URI> locator) throws CadiException, LocatorException { super(access,Config.AAF_URL,SecurityInfoC.instance(access, HttpURLConnection.class)); bestSS(si); hman = new HMangr(access,locator); @@ -135,7 +135,7 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> { } } - public SecuritySetter<HttpURLConnection> x509Alias(String alias) throws APIException, CadiException { + public SecuritySetter<HttpURLConnection> x509Alias(String alias) throws CadiException { try { return set(new HX509SS(alias,si)); } catch (Exception e) { @@ -168,7 +168,7 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> { } } @Override - public AbsTransferSS<HttpURLConnection> transferSS(TaggedPrincipal principal) throws CadiException { + public AbsTransferSS<HttpURLConnection> transferSS(TaggedPrincipal principal) { return new HTransferSS(principal, app,si); } 
@@ -199,7 +199,7 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> { @Override public <RET> RET best(Retryable<RET> retryable) throws LocatorException, CadiException, APIException { - return hman.best(si.defSS, (Retryable<RET>)retryable); + return hman.best(si.defSS, retryable); } /* (non-Javadoc) @@ -207,7 +207,7 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> { */ @Override public <RET> RET bestForUser(GetSetter getSetter, Retryable<RET> retryable) throws LocatorException, CadiException, APIException { - return hman.best(getSetter.get(this), (Retryable<RET>)retryable); + return hman.best(getSetter.get(this), retryable); } /* (non-Javadoc) @@ -230,7 +230,7 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> { * @see org.onap.aaf.cadi.aaf.v2_0.AAFCon#setInitURI(java.lang.String) */ @Override - protected void setInitURI(String uriString) throws CadiException { + protected void setInitURI(String uriString) { // Using Locator, not URLString, which is mostly for DME2 } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java index 84d23655..a5ef6d14 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java @@ -62,7 +62,7 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> { private static final String ORG_OSAAF_CADI_OAUTH_O_AUTH2_LUR = "org.osaaf.cadi.oauth.OAuth2Lur"; /** - * Need to be able to transmutate a Principal into either ATTUID or MechID, which are the only ones accepted at this + * Need to be able to transmutate a Principal into either Person or AppID, which are the only ones accepted at this * point by AAF. There is no "domain", aka, no "@att.com" in "ab1234@att.com". * * The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid. 
@@ -107,12 +107,6 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> { protected User<AAFPermission> loadUser(final Principal principal) { final String name = principal.getName(); -// // Note: The rules for AAF is that it only stores permissions for ATTUID and MechIDs, which don't -// // have domains. We are going to make the Transitive Class (see this.transmutative) to convert -// final Principal tp = principal; //transmutate.mutate(principal); -// if(tp==null) { -// return null; // if not a valid Transmutated credential, don't bother calling... -// } // TODO Create a dynamic way to declare domains supported. final long start = System.nanoTime(); final boolean[] success = new boolean[]{false}; @@ -148,7 +142,7 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> { Map<String, Permission> newMap = user.newMap(); boolean willLog = aaf.access.willLog(Level.DEBUG); for(Perm perm : fp.value.getPerm()) { - user.add(newMap,new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles())); + user.add(newMap,new AAFPermission(perm.getNs(),perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles())); if(willLog) { aaf.access.log(Level.DEBUG, name,"has '",perm.getType(),'|',perm.getInstance(),'|',perm.getAction(),'\''); } @@ -197,7 +191,7 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> { Map<String,Permission> newMap = user.newMap(); boolean willLog = aaf.access.willLog(Level.DEBUG); for(Perm perm : fp.value.getPerm()) { - user.add(newMap, new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles())); + user.add(newMap, new AAFPermission(perm.getNs(),perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles())); if(willLog) { aaf.access.log(Level.DEBUG, name,"has",perm.getType(),perm.getInstance(),perm.getAction()); } 
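Review bot: In the -148 hunk the DEBUG log on the line after the changed `user.add(...)` still prints only type|instance|action, so two permissions that differ only in namespace now log identically and cannot be told apart when diagnosing an authorization result; the -197 hunk has the same gap. Suggested: `aaf.access.log(Level.DEBUG, name,"has '",perm.getNs(),'|',perm.getType(),'|',perm.getInstance(),'|',perm.getAction(),'\'');`. The two hunks also format the same fact differently (one quoted and pipe-separated, one space-separated), which is worth aligning while touching them.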
@@ -235,10 +229,13 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> { @Override public Permission createPerm(String p) { String[] params = Split.split('|', p); - if(params.length==3) { - return new AAFPermission(params[0],params[1],params[2]); - } else { - return new LocalPermission(p); + switch(params.length) { + case 3: + return new AAFPermission(null,params[0],params[1],params[2]); + case 4: + return new AAFPermission(params[0],params[1],params[2],params[3]); + default: + return new LocalPermission(p); } } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java index 42f3ec4d..6159726b 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java @@ -22,23 +22,20 @@ package org.onap.aaf.cadi.aaf.v2_0; import java.io.IOException; -import java.net.ConnectException; import java.security.Principal; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CachedPrincipal.Resp; import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.Connector; import org.onap.aaf.cadi.GetCred; import org.onap.aaf.cadi.Hash; import org.onap.aaf.cadi.SecuritySetter; -import org.onap.aaf.cadi.User; -import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.CachedPrincipal.Resp; import org.onap.aaf.cadi.Taf.LifeForm; +import org.onap.aaf.cadi.User; import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.aaf.cadi.aaf.v2_0.AAFCon.GetSetter; import org.onap.aaf.cadi.client.Future; 
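Review bot: createPerm parses the permission string with `Split.split`, while the two AAFTrustChecker hunks later in this diff and AAFPermission.match use `Split.splitTrim`, so `ns | type | inst | act` with spaces is accepted on one path and rejected on the other. The 3-segment-means-no-namespace / 4-segment-means-namespace rule is now copied here and twice in AAFTrustChecker, and match() additionally accepts 1- and 2-segment keys, so the four call sites disagree on what a valid key looks like. A single static factory on AAFPermission (for example one that takes the raw string and returns null or throws for unsupported segment counts) would keep the parsing rule in one place; this note covers the AAFTrustChecker hunks too.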
@@ -54,8 +51,6 @@ import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp; import org.onap.aaf.misc.env.APIException; public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpTaf { -// private static final String INVALID_AUTH_TOKEN = "Invalid Auth Token"; -// private static final String AUTHENTICATING_SERVICE_UNAVAILABLE = "Authenticating Service unavailable"; private AAFCon<CLIENT> aaf; private boolean warn; @@ -67,19 +62,19 @@ public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpT public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning, AbsUserCache<AAFPermission> other) { super(other); - aaf = (AAFCon<CLIENT>)con; + aaf = con; warn = turnOnWarning; } // Note: Needed for Creation of this Object with Generics @SuppressWarnings("unchecked") - public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning, AbsUserCache<AAFPermission> other) throws CadiException { + public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning, AbsUserCache<AAFPermission> other) { this((AAFCon<CLIENT>)mustBeAAFCon,turnOnWarning,other); } // Note: Needed for Creation of this Object with Generics @SuppressWarnings("unchecked") - public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning) throws CadiException { + public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning) { this((AAFCon<CLIENT>)mustBeAAFCon,turnOnWarning); } @@ -90,7 +85,9 @@ public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpT // Note: Either Carbon or Silicon based LifeForms ok String authz = req.getHeader("Authorization"); if(authz != null && authz.startsWith("Basic ")) { - if(warn&&!req.isSecure())aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel"); + if(warn&&!req.isSecure()) { + aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel"); + } try { final CachedBasicPrincipal bp; if(req.getUserPrincipal() instanceof CachedBasicPrincipal) { 
@@ -100,14 +97,12 @@ public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpT } // First try Cache final User<AAFPermission> usr = getUser(bp); - if(usr != null && usr.principal != null) { - if(usr.principal instanceof GetCred) { - if(Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) { - return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false); - } - } + if(usr != null + && usr.principal instanceof GetCred + && Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) { + return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false); } - + Miss miss = missed(bp.getName(), bp.getCred()); if(miss!=null && !miss.mayContinue()) { return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, @@ -123,7 +118,7 @@ public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpT } },new Retryable<BasicHttpTafResp>() { @Override - public BasicHttpTafResp code(Rcli<?> client) throws CadiException, ConnectException, APIException { + public BasicHttpTafResp code(Rcli<?> client) throws CadiException, APIException { Future<String> fp = client.read("/authn/basicAuth", "text/plain"); if(fp.get(aaf.timeout)) { if(usr!=null) { @@ -166,7 +161,7 @@ public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpT return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false); } - public String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) { + private String buildMsg(Principal pr, HttpServletRequest req, Object... msg) { StringBuilder sb = new StringBuilder(); for(Object s : msg) { sb.append(s.toString()); 
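Review bot: The cached-credential path now hinges on the single `Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())` comparison, which compares a caller-supplied password against the cached one; it is worth confirming that Hash.isEqual runs in constant time (or using `MessageDigest.isEqual`), because a short-circuiting byte compare leaks the length of the matching prefix through timing. The flattened condition is otherwise equivalent to the nested ifs it replaces, since `instanceof` already rejects a null principal. A one-line comment such as `// cache hit: constant-time compare of presented vs cached credential` would record that requirement for the next maintainer. The enclosing validate method continues outside this hunk.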
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java index 2094948a..bf85beef 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java @@ -55,8 +55,13 @@ public class AAFTrustChecker implements TrustChecker { AAFPermission temp=null; if(str!=null) { String[] sp = Split.splitTrim('|', str); - if(sp.length==3) { - temp = new AAFPermission(sp[0],sp[1],sp[2]); + switch(sp.length) { + case 3: + temp = new AAFPermission(null,sp[0],sp[1],sp[2]); + break; + case 4: + temp = new AAFPermission(sp[0],sp[1],sp[2],sp[3]); + break; } } perm=temp; @@ -69,8 +74,13 @@ public class AAFTrustChecker implements TrustChecker { AAFPermission temp=null; if(str!=null) { String[] sp = Split.splitTrim('|', str); - if(sp.length==3) { - temp = new AAFPermission(sp[0],sp[1],sp[2]); + switch(sp.length) { + case 3: + temp = new AAFPermission(null,sp[0],sp[1],sp[2]); + break; + case 4: + temp = new AAFPermission(sp[0],sp[1],sp[2],sp[3]); + break; } } perm=temp; diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java index f0909062..fca23740 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java @@ -32,6 +32,7 @@ import java.util.NoSuchElementException; import org.onap.aaf.cadi.Access; import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.aaf.Defaults; import org.onap.aaf.cadi.Locator; import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.config.Config; 
@@ -87,6 +88,12 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI> latitude = Double.parseDouble(lat); longitude = Double.parseDouble(lng); } + if(name.startsWith(Defaults.AAF_NS)) { + String root_ns = access.getProperty(Config.AAF_ROOT_NS, null); + if(root_ns!=null) { + name=name.replace(Defaults.AAF_NS, root_ns); + } + } if(name.startsWith("http")) { // simple URL this.name = name; this.version = Config.AAF_DEFAULT_VERSION; @@ -128,6 +135,8 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI> version = split[1]; name = split[0]; break; + default: + break; } } } @@ -207,7 +216,7 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI> } private boolean noEntries() { - return epList.size()<=0; + return epList.isEmpty(); } @Override @@ -259,7 +268,7 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI> @Override public Item best() throws LocatorException { if(!hasItems()) { - throw new LocatorException("No Entries found" + (pathInfo==null?"":(" for " + pathInfo))); + throw new LocatorException("No Entries found for '" + aaf_locator_uri.toString() + "/locate/" + name + ':' + version + '\''); } List<EP> lep = new ArrayList<>(); EP first = null; @@ -416,8 +425,8 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI> } protected static class EP implements Comparable<EP> { - public URI uri; - public final double distance; + private URI uri; + private final double distance; private boolean valid; public EP(final Endpoint ep, double latitude, double longitude) throws URISyntaxException { 
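Review bot: The new `name.startsWith(Defaults.AAF_NS)` rewrite runs before the `name.startsWith("http")` branch, so a full template URL such as `Defaults.AAF_URL` (which begins with "https://AAF_LOCATE_URL/AAF_NS...") never has its AAF_NS token replaced here; if such URLs can reach this constructor, the substitution presumably happens elsewhere, and a comment saying where would help. `String.replace` replaces every occurrence, which is fine for a leading token but would also rewrite an AAF_NS appearing later in the name. The local `root_ns` should be `rootNs` to match the file's camelCase locals.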
@@ -486,7 +495,7 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI> try { return new URI(rv.getScheme(),rv.getUserInfo(),rv.getHost(),rv.getPort(),pathInfo,query,fragment); } catch (URISyntaxException e) { - throw new LocatorException("Error copying URL"); + throw new LocatorException("Error copying URL", e); } } return rv; diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java index 9feeee36..89106cc1 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java @@ -90,7 +90,7 @@ public abstract class AbsAAFLur<PERM extends Permission> extends AbsUserCache<PE protected abstract boolean isCorrectPermType(Permission pond); // This is where you build AAF CLient Code. Answer the question "Is principal "bait" in the "pond" - public boolean fish(Principal bait, Permission pond) { + public boolean fish(Principal bait, Permission ... pond) { if(preemptiveLur!=null && preemptiveLur.handles(bait)) { return preemptiveLur.fish(bait, pond); } else { 
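Review bot: The widened `fish(Principal bait, Permission ... pond)` signature changes the contract from "has this permission" to "has any of these permissions" (the loops in the -123 and -147 hunks set rv on the first match and stop), and an empty pond yields false; neither is stated anywhere, and a caller could reasonably assume all-of semantics for an authorization check. Update the comment above the method to say so, for example `// Answer whether principal "bait" holds ANY of the given permissions; an empty pond answers false`. The delegation `preemptiveLur.fish(bait, pond)` now forwards the whole array, which is only correct if the preemptive Lur's fish is varargs as well; its declaration is not in this diff.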
@@ -123,20 +123,23 @@ public abstract class AbsAAFLur<PERM extends Permission> extends AbsUserCache<PE user = loadUser(bait); sb.append("\n\tloadUser called"); } - if(user==null) { - sb.append("\n\tUser was not Loaded"); - } else if(user.contains(pond)) { - sb.append("\n\tUser contains "); - sb.append(pond.getKey()); - rv = true; - } else { - sb.append("\n\tUser does not contain "); - sb.append(pond.getKey()); - List<Permission> perms = new ArrayList<>(); - user.copyPermsTo(perms); - for(Permission p : perms) { - sb.append("\n\t\t"); + for (Permission p : pond) { + if(user==null) { + sb.append("\n\tUser was not Loaded"); + break; + } else if(user.contains(p)) { + sb.append("\n\tUser contains "); + sb.append(p.getKey()); + rv = true; + } else { + sb.append("\n\tUser does not contain "); sb.append(p.getKey()); + List<Permission> perms = new ArrayList<>(); + user.copyPermsTo(perms); + for(Permission perm : perms) { + sb.append("\n\t\t"); + sb.append(perm.getKey()); + } } } } else { @@ -147,14 +150,23 @@ public abstract class AbsAAFLur<PERM extends Permission> extends AbsUserCache<PE aaf.access.log(Level.INFO, sb); return rv; } else { + boolean rv = false; if(handles(bait)) { User<PERM> user = getUser(bait); if(user==null || user.permsUnloaded() || user.permExpired()) { user = loadUser(bait); } - return user==null?false:user.contains(pond); + if(user==null) { + return false; + } else { + for(Permission p : pond) { + if(rv=user.contains(p)) { + break; + } + } + } } - return false; + return rv; } } } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java index 7f1b0cf6..ef73adaa 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java 
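Review bot: In the -147 hunk the assignment inside the condition, `if(rv=user.contains(p)) {`, is easy to misread as a comparison; `rv = user.contains(p); if(rv) { break; }` says the same thing plainly. In the -123 hunk the "User was not Loaded" diagnostic is now emitted inside the loop over pond, so when no permissions are passed nothing is logged about the missing user; moving that null check back in front of the loop keeps the log line regardless of pond size.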
@@ -52,6 +52,7 @@ import org.onap.aaf.cadi.CmdLine; import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.PropAccess; import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.aaf.Defaults; import org.onap.aaf.cadi.aaf.client.ErrMessage; import org.onap.aaf.cadi.aaf.v2_0.AAFCon; import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; @@ -88,8 +89,8 @@ public class Agent { private static final String HASHES = "################################################################"; private static final String PRINT = "print"; private static final String FILE = "file"; - private static final String PKCS12 = "pkcs12"; - private static final String JKS = "jks"; + public static final String PKCS12 = "pkcs12"; + public static final String JKS = "jks"; private static final String SCRIPT="script"; private static final String CM_VER = "1.0"; @@ -126,7 +127,7 @@ public class Agent { AAFSSO aafsso=null; PropAccess access; - if(args.length>0 && args[0].equals("validate")) { + if(args.length>1 && args[0].equals("validate") ) { int idx = args[1].indexOf('='); aafsso = null; access = new PropAccess( @@ -328,7 +329,7 @@ public class Agent { private static String fqi(Deque<String> cmds) { if(cmds.size()<1) { String alias = env.getProperty(Config.CADI_ALIAS); - return alias!=null?alias:AAFSSO.cons.readLine("MechID: "); + return alias!=null?alias:AAFSSO.cons.readLine("AppID: "); } return cmds.removeFirst(); } 
@@ -353,17 +354,17 @@ public class Agent { } private static void createArtifact(Trans trans, AAFCon<?> aafcon, Deque<String> cmds) throws Exception { - String mechID = fqi(cmds); - String machine = machine(cmds); + final String mechID = fqi(cmds); + final String machine = machine(cmds); Artifacts artifacts = new Artifacts(); Artifact arti = new Artifact(); artifacts.getArtifact().add(arti); - arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("MechID: ")); + arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("AppID: ")); arti.setMachine(machine!=null?machine:AAFSSO.cons.readLine("Machine (%s): ",InetAddress.getLocalHost().getHostName())); arti.setCa(AAFSSO.cons.readLine("CA: (%s): ","aaf")); - String resp = AAFSSO.cons.readLine("Types [file,jks,script] (%s): ", "jks"); + String resp = AAFSSO.cons.readLine("Types [file,pkcs12,jks,script] (%s): ", PKCS12); for(String s : Split.splitTrim(',', resp)) { arti.getType().add(s); } @@ -418,7 +419,7 @@ public class Agent { if(future.get(TIMEOUT)) { boolean printed = false; for(Artifact a : future.value.getArtifact()) { - AAFSSO.cons.printf("MechID: %s\n",a.getMechid()); + AAFSSO.cons.printf("AppID: %s\n",a.getMechid()); AAFSSO.cons.printf(" Sponsor: %s\n",a.getSponsor()); AAFSSO.cons.printf("Machine: %s\n",a.getMachine()); AAFSSO.cons.printf("CA: %s\n",a.getCa()); @@ -649,7 +650,7 @@ public class Agent { // Have to wait for JDK 1.7 source... //switch(artifact.getType()) { if(acf.value.getArtifact()==null || acf.value.getArtifact().isEmpty()) { - AAFSSO.cons.printf("No Artifacts found for %s on %s", mechID, machine); + AAFSSO.cons.printf("No Artifacts found for %s on %s ", mechID, machine); } else { String id = aafcon.defID(); boolean allowed; 
@@ -659,7 +660,7 @@ public class Agent { && aafcon.securityInfo().defSS.getClass().isAssignableFrom(HBasicAuthSS.class))); if(!allowed) { Future<String> pf = aafcon.client(CM_VER).read("/cert/may/" + - a.getNs() + ".certman|"+a.getCa()+"|showpass","*/*"); + a.getNs()+"|certman|"+a.getCa()+"|showpass","*/*"); if(pf.get(TIMEOUT)) { allowed = true; } else { @@ -798,6 +799,7 @@ public class Agent { directedPut(pa, filesymm, normal,creds, Config.CADI_KEYFILE, fkf.getCanonicalPath()); directedPut(pa, filesymm, normal,creds, Config.AAF_APPID,fqi); directedPut(pa, filesymm, normal,creds, Config.AAF_APPPASS,null); + directedPut(pa, filesymm, normal,creds, Config.AAF_URL, Defaults.AAF_URL); String cts = pa.getProperty(Config.CADI_TRUSTSTORE); @@ -928,7 +930,7 @@ public class Agent { if(tag.endsWith("_password")) { if(val.length()>4) { if(val.startsWith("enc:")) { - val = orig.decrypt(value, true); + val = orig.decrypt(val, true); } val = "enc:" + symm.enpass(val); } @@ -1015,13 +1017,13 @@ public class Agent { String prop; File f; - if((prop=props.getProperty(Config.CADI_KEYFILE))==null || + if((prop=trans.getProperty(Config.CADI_KEYFILE))==null || !(f=new File(prop)).exists()) { trans.error().printf("Keyfile must exist to check Certificates for %s on %s", a.getMechid(), a.getMachine()); } else { - String ksf = props.getProperty(Config.CADI_KEYSTORE); - String ksps = props.getProperty(Config.CADI_KEYSTORE_PASSWORD); + String ksf = trans.getProperty(Config.CADI_KEYSTORE); + String ksps = trans.getProperty(Config.CADI_KEYSTORE_PASSWORD); if(ksf==null || ksps == null) { trans.error().printf("Properties %s and %s must exist to check Certificates for %s on %s", Config.CADI_KEYSTORE, Config.CADI_KEYSTORE_PASSWORD,a.getMechid(), a.getMachine()); diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java index cb282605..c5413919 100644 
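Review bot: The authorization probe `"/cert/may/" + a.getNs()+"|certman|"+a.getCa()+"|showpass"` splices the artifact's namespace and CA directly into the request path; `|` is not a legal path character, and the two values come back from the certificate-manager response rather than from code. If `aafcon.client(CM_VER).read` does not percent-encode its path argument (not visible here), a namespace or CA containing `/`, `?` or `%` would change which resource the may-check is evaluated against, so either confirm that `read()` encodes or encode the two segments before concatenating. The enclosing method starts outside this hunk.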
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
@@ -28,7 +28,6 @@ import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -51,7 +50,7 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
 @Override
 public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
- File fks = new File(dir,arti.getNs()+'.'+kst);
+ File fks = new File(dir,arti.getNs()+'.'+(kst==Agent.PKCS12?"p12":kst));
 try {
 KeyStore jks = KeyStore.getInstance(kst);
 if(fks.exists()) {
@@ -118,13 +117,14 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
 write(fks,Chmod.to400,jks,keystorePassArray);
 // Change out to TrustStore
- fks = new File(dir,arti.getNs()+".trust."+kst);
+ // NOTE: PKCS12 does NOT support Trusted Entries. Put in JKS Always
+ fks = new File(dir,arti.getNs()+".trust.jks");
 if(fks.exists()) {
 File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
 fks.renameTo(backup);
 }
- jks = KeyStore.getInstance(kst);
+ jks = KeyStore.getInstance(Agent.JKS);
 // Set Truststore Password
 addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactOnStream.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactOnStream.java
index b6aeafe6..92308034 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactOnStream.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactOnStream.java
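Review bot: `kst==Agent.PKCS12` in `_place` compares String references, so the `.p12` extension is chosen only when the caller handed in the very same constant object; a type that was parsed from user input (Agent.createArtifact splits the typed list with `Split.splitTrim`) is a different String and falls through to a `.pkcs12` file name while `KeyStore.getInstance(kst)` on the next context line still builds a PKCS12 store. Use `Agent.PKCS12.equalsIgnoreCase(kst)` (KeyStore type names are case-insensitive) so the file name and the store type cannot disagree. The method continues past the end of the second hunk.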
@@ -37,11 +37,13 @@ public class PlaceArtifactOnStream implements PlaceArtifact {
 @Override
 public boolean place(Trans trans, CertInfo capi, Artifact a, String machine) {
+ String lineSeparator = System.lineSeparator();
+
 if(capi.getNotes()!=null && capi.getNotes().length()>0) {
- trans.info().printf("Warning: %s\n",capi.getNotes());
+ trans.info().printf("Warning: %s" + lineSeparator, capi.getNotes());
 }
- out.printf("Challenge: %s\n",capi.getChallenge());
- out.printf("PrivateKey:\n%s\n",capi.getPrivatekey());
+ out.printf("Challenge: %s" + lineSeparator, capi.getChallenge());
+ out.printf("PrivateKey:" + lineSeparator + "%s" + lineSeparator, capi.getPrivatekey());
 out.println("Certificate Chain:");
 for(String c : capi.getCerts()) {
 out.println(c);
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Lur.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Lur.java
index 89816a2c..b3fe2947 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Lur.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Lur.java
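Review bot: Concatenating `lineSeparator` into the format template is the long way round; `printf` already has `%n`, which expands to `System.lineSeparator()`, so `out.printf("Challenge: %s%n", capi.getChallenge());` and `out.printf("PrivateKey:%n%s%n", capi.getPrivatekey());` (and the same for the Warning line) do the job without the local. Keeping the template a single literal also avoids the concatenated-format habit, which in a method that writes a private key to `out` is worth not normalising. The method body continues past the end of the hunk.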
@@ -41,34 +41,37 @@ public class OAuth2Lur implements Lur {
 @Override
 public Permission createPerm(String p) {
 String[] params = Split.split('|', p);
- if(params.length==3) {
- return new AAFPermission(params[0],params[1],params[2]);
- } else {
- return new LocalPermission(p);
+ switch(params.length) {
+ case 3:
+ return new AAFPermission(null,params[0],params[1],params[2]);
+ case 4:
+ return new AAFPermission(params[0],params[1],params[2],params[3]);
+ default:
+ return new LocalPermission(p);
 }
 }
 @Override
- public boolean fish(Principal bait, Permission pond) {
- AAFPermission apond = (AAFPermission)pond;
- OAuth2Principal oap;
+ public boolean fish(Principal bait, Permission ... pond) {
+ boolean rv = false;
+
 if(bait instanceof OAuth2Principal) {
- oap = (OAuth2Principal)bait;
- } else {
- // Here is the spot to put in Principal Conversions
- return false;
- }
-
- TokenPerm tp = oap.tokenPerm();
- if(tp==null) {
- } else {
- for(Permission p : tp.perms()) {
- if(p.match(apond)) {
- return true;
+ OAuth2Principal oap = (OAuth2Principal)bait;
+ for (Permission p : pond ) {
+ AAFPermission apond = (AAFPermission)p;
+
+ TokenPerm tp = oap.tokenPerm();
+ if(tp==null) {
+ } else {
+ for(Permission perm : tp.perms()) {
+ if(perm.match(apond)) {
+ return true;
+ }
+ }
 }
 }
 }
- return false;
+ return rv;
 }
 @Override
@@ -87,7 +90,7 @@ public class OAuth2Lur implements Lur {
 }
 @Override
- public boolean handlesExclusively(Permission pond) {
+ public boolean handlesExclusively(Permission ... pond) {
 return false;
 }
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClient.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClient.java
index 2ebd7dc1..e0d6bf0e 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClient.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClient.java
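Review bot: The unchecked `AAFPermission apond = (AAFPermission)p;` inside the new loop throws ClassCastException for any non-AAF permission, and `createPerm` in the same hunk now returns a `LocalPermission` for strings that do not split into 3 or 4 fields, so a malformed permission string aborts the check with an exception rather than a denial. The cast looks unnecessary: OLur.fish in this same change calls `perm.match(p)` with a plain `Permission`, so if `match` takes `Permission` the loop can pass `p` straight through. `oap.tokenPerm()` is also re-fetched for every pond entry, `rv` is never set to true (the `return true` does the work), and the empty `if(tp==null) { }` branch reads as a leftover; the rewrite below hoists the lookup, adds the `pond==null` guard the other Lurs use, and drops the dead variable.

```java
public boolean fish(Principal bait, Permission ... pond) {
    if (pond == null || !(bait instanceof OAuth2Principal)) {
        return false;
    }
    TokenPerm tp = ((OAuth2Principal) bait).tokenPerm();   // one lookup, not one per pond entry
    if (tp == null) {
        return false;
    }
    for (Permission p : pond) {
        for (Permission perm : tp.perms()) {
            if (perm.match(p)) {            // any one held permission grants
                return true;
            }
        }
    }
    return false;
}
```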
@@ -443,6 +443,11 @@ public class TokenClient {
 throw new APIException("Error Decrypting Password",e);
 }
 }
+
+ if(username!=null) {
+ params.add("username="+username);
+ }
+
 break;
 case refresh_token:
 if(client_id!=null) {
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java
index 28bf6592..e235b681 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java
@@ -38,6 +38,7 @@ import org.onap.aaf.cadi.Hash;
 import org.onap.aaf.cadi.Locator;
 import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.aaf.Defaults;
 import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
 import org.onap.aaf.cadi.aaf.v2_0.AAFLocator;
 import org.onap.aaf.cadi.config.Config;
@@ -63,10 +64,10 @@ public class TokenClientFactory extends Persist<Token,TimedToken> {
 super(pa, new RosettaEnv(pa.getProperties()),Token.class,"outgoing");
 if(access.getProperty(Config.AAF_OAUTH2_TOKEN_URL,null)==null) {
- access.getProperties().put(Config.AAF_OAUTH2_TOKEN_URL, "https://AAF_LOCATE_URL/AAF_NS.token:2.0"); // Default to AAF
+ access.getProperties().put(Config.AAF_OAUTH2_TOKEN_URL, Defaults.OAUTH2_TOKEN_URL); // Default to AAF
 }
 if(access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL,null)==null) {
- access.getProperties().put(Config.AAF_OAUTH2_INTROSPECT_URL, "https://AAF_LOCATE_URL/AAF_NS.introspect:2.0"); // Default to AAF);
+ access.getProperties().put(Config.AAF_OAUTH2_INTROSPECT_URL, Defaults.OAUTH2_INTROSPECT_URL); // Default to AAF);
 }
 symm = Symm.encrypt.obtain();
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenPerm.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenPerm.java
index 5c77fda7..bb33bc76 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenPerm.java
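Review bot: `params.add("username="+username)` appends a caller-controlled value to the form body with no encoding, so a username containing `&` or `=` would be read by the token endpoint as additional or altered parameters unless `params` is encoded when it is joined, which this hunk does not show. If the other entries are added raw as well, encode here with `params.add("username=" + URLEncoder.encode(username, "UTF-8"));` (the checked UnsupportedEncodingException can be wrapped in the APIException this method already throws); otherwise apply whatever encoding the existing entries get. The enclosing switch and method start outside this hunk.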
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenPerm.java @@ -141,13 +141,16 @@ public class TokenPerm extends Persisting<Introspect>{ // Gathering object for parsing objects, then creating AAF Permission private static class PermInfo { - public String type,instance,action; + public String ns,type,instance,action; public void clear() { - type=instance=action=null; + ns=type=instance=action=null; } public void eval(Parsed<State> pd) { if(pd.hasName()) { switch(pd.name) { + case "ns": + ns=pd.sb.toString(); + break; case "type": type=pd.sb.toString(); break; @@ -162,7 +165,7 @@ public class TokenPerm extends Persisting<Introspect>{ } public AAFPermission create() { if(type!=null && instance!=null && action !=null) { - return new AAFPermission(type, instance, action); + return new AAFPermission(ns,type, instance, action); } else { return null; } diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/olur/OLur.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/olur/OLur.java index 74d88fc2..95dd9a39 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/olur/OLur.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/olur/OLur.java @@ -22,16 +22,19 @@ package org.onap.aaf.cadi.olur; import java.security.Principal; +import java.util.HashSet; import java.util.List; +import java.util.Set; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.Lur; import org.onap.aaf.cadi.Permission; import org.onap.aaf.cadi.PropAccess; -import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.lur.LocalPermission; import org.onap.aaf.cadi.oauth.AbsOTafLur; import org.onap.aaf.cadi.oauth.OAuth2Principal; import org.onap.aaf.cadi.oauth.TimedToken; 
@@ -39,8 +42,8 @@ import org.onap.aaf.cadi.oauth.TokenClient;
 import org.onap.aaf.cadi.oauth.TokenPerm;
 import org.onap.aaf.cadi.principal.Kind;
 import org.onap.aaf.misc.env.APIException;
-import org.onap.aaf.misc.env.util.Split;
 import org.onap.aaf.misc.env.util.Pool.Pooled;
+import org.onap.aaf.misc.env.util.Split;
 public class OLur extends AbsOTafLur implements Lur {
 public OLur(PropAccess access, final String token_url, final String introspect_url) throws APIException, CadiException {
@@ -51,7 +54,7 @@ public class OLur extends AbsOTafLur implements Lur {
 * @see org.onap.aaf.cadi.Lur#fish(java.security.Principal, org.onap.aaf.cadi.Permission)
 */
 @Override
- public boolean fish(Principal bait, Permission pond) {
+ public boolean fish(Principal bait, Permission ... pond) {
 TokenPerm tp;
 if(bait instanceof OAuth2Principal) {
 OAuth2Principal oa2p = (OAuth2Principal)bait;
@@ -66,7 +69,17 @@ public class OLur extends AbsOTafLur implements Lur {
 try {
 TokenClient tc = tcp.content;
 tc.username(bait.getName());
- Result<TimedToken> rtt = tc.getToken(Kind.getKind(bait),tc.defaultScope());
+ Set<String> scopeSet = new HashSet<>();
+ scopeSet.add(tc.defaultScope());
+ AAFPermission ap;
+ for (Permission p : pond) {
+ ap = (AAFPermission)p;
+ scopeSet.add(ap.getNS());
+ }
+ String[] scopes = new String[scopeSet.size()];
+ scopeSet.toArray(scopes);
+
+ Result<TimedToken> rtt = tc.getToken(Kind.getKind(bait),scopes);
 if(rtt.isOK()) {
 Result<TokenPerm> rtp = tkMgr.get(rtt.value.getAccessToken(), bait.getName().getBytes());
 if(rtp.isOK()) {
@@ -77,9 +90,11 @@ public class OLur extends AbsOTafLur implements Lur {
 tcp.done();
 }
 } catch (APIException | LocatorException | CadiException e) {
- access.log(Level.ERROR, "Unable to Get a Token: " + e.getMessage());
+ access.log(e, "Unable to Get a Token");
 }
 }
+
+ boolean rv = false;
 if(tp!=null) {
 if(tkMgr.access.willLog(Level.DEBUG)) {
 StringBuilder sb = new StringBuilder("AAF Permissions for user ");
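Review bot: The scope-building loop in the third hunk casts every pond entry with `ap = (AAFPermission)p;` and adds `ap.getNS()` unconditionally; OLur.createPerm in this same change builds 3-field permissions with a null namespace and returns `LocalPermission` for anything else, so the first case puts `null` into `scopeSet` (and so into the `scopes` array handed to `tc.getToken`) and the second throws ClassCastException in the middle of a token request. Since these scopes decide what the token is requested for, the loop should only add a real namespace from a real AAFPermission, as below. The enclosing fish method begins in the second hunk and continues past the end of this line.

```java
for (Permission p : pond) {
    if (p instanceof AAFPermission) {
        String ns = ((AAFPermission) p).getNS();
        if (ns != null) {               // 3-field perms carry no namespace
            scopeSet.add(ns);
        }
    }
}
// … unchanged: toArray and the getToken call …
```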
@@ -87,8 +102,10 @@ public class OLur extends AbsOTafLur implements Lur {
 sb.append(", from token ");
 sb.append(tp.get().getAccessToken());
 for (AAFPermission p : tp.perms()) {
- sb.append("\n\t");
- sb.append(p.getName());
+ sb.append("\n\t[");
+ sb.append(p.getNS());
+ sb.append(']');
+ sb.append(p.getType());
 sb.append('|');
 sb.append(p.getInstance());
 sb.append('|');
@@ -97,13 +114,18 @@ public class OLur extends AbsOTafLur implements Lur {
 sb.append('\n');
 access.log(Level.DEBUG, sb);
 }
- for (AAFPermission p : tp.perms()) {
- if (p.match(pond)) {
- return true;
+ for (Permission p : pond) {
+ if(rv) {
+ break;
+ }
+ for (AAFPermission perm : tp.perms()) {
+ if (rv=perm.match(p)) {
+ break;
+ }
 }
 }
 }
- return false;
+ return rv;
 }
 /* (non-Javadoc)
@@ -122,7 +144,7 @@ public class OLur extends AbsOTafLur implements Lur {
 * @see org.onap.aaf.cadi.Lur#handlesExclusively(org.onap.aaf.cadi.Permission)
 */
 @Override
- public boolean handlesExclusively(Permission pond) {
+ public boolean handlesExclusively(Permission ... pond) {
 return false;
 }
@@ -140,10 +162,13 @@ public class OLur extends AbsOTafLur implements Lur {
 @Override
 public Permission createPerm(final String p) {
 String[] s = Split.split('|',p);
- if(s!=null && s.length==3) {
- return new AAFPermission(s[0],s[1],s[2]);
- } else {
- return null;
+ switch(s.length) {
+ case 3:
+ return new AAFPermission(null, s[0],s[1],s[2]);
+ case 4:
+ return new AAFPermission(s[0],s[1],s[2],s[3]);
+ default:
+ return new LocalPermission(p);
 }
 }
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java
index 28103b5d..41931976 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java
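Review bot: The DEBUG block reworked in the first hunk still writes the full bearer token to the log via the unchanged context line `sb.append(tp.get().getAccessToken());`, two lines above the edit, next to the user's permission list. That line predates this commit, but since the block is being rewritten it is the moment to log only the last few characters of the token (enough to correlate with the token store) rather than a credential that is still valid. The enclosing fish method begins on the previous line of the page.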
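Review bot: The new `switch(s.length)` in createPerm (last hunk) drops the `s!=null` guard the removed branch had, so if `Split.split` can return null, as the old code assumed, this now throws instead of returning a permission; OAuth2Lur.createPerm in this same change has the same shape with the same gap. Keep a guard ahead of the switch, `if(s==null) { return new LocalPermission(p); }`, or confirm in Split that a null return is impossible and say so in a comment. Note also that the default case now returns a `LocalPermission` where it used to return null, which is what lets a malformed string reach the AAFPermission casts in fish.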
@@ -38,6 +38,7 @@ import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.PropAccess; import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.aaf.Defaults; import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.util.MyConsole; import org.onap.aaf.cadi.util.SubStandardConsole; @@ -311,9 +312,8 @@ public class AAFSSO { addProp(Config.AAF_LOCATE_URL, locateUrl); } - String aafUrl = "https://AAF_LOCATE_URL/AAF_NS.service:2.0"; - access.setProperty(Config.AAF_URL, aafUrl); - access.setProperty(Config.CM_URL, "https://AAF_LOCATE_URL/AAF_NS.cm:2.0"); + access.setProperty(Config.AAF_URL, Defaults.AAF_URL); + access.setProperty(Config.CM_URL, Defaults.CM_URL); String cadiLatitude = access.getProperty(Config.CADI_LATITUDE); if(cadiLatitude==null) { System.out.println("# If you do not know your Global Coordinates, we suggest bing.com/maps"); diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/JU_AAFPermission.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/JU_AAFPermission.java index 4836e4ed..939e9b18 100644 --- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/JU_AAFPermission.java +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/JU_AAFPermission.java @@ -33,11 +33,11 @@ import org.onap.aaf.cadi.Permission; import org.onap.aaf.cadi.aaf.AAFPermission; public class JU_AAFPermission { - + private final static String ns = "ns"; private final static String type = "type"; private final static String instance = "instance"; private final static String action = "action"; - private final static String key = type + '|' + instance + '|' + action; + private final static String key = ns + '|' + type + '|' + instance + '|' + action; private final static String role = "role"; private static List<String> roles; 
@@ -50,14 +50,17 @@ public class JU_AAFPermission { @Test public void constructor1Test() { - AAFPermission perm = new AAFPermission(type, instance, action); - assertThat(perm.getName(), is(type)); + AAFPermission perm = new AAFPermission(ns, type, instance, action); + assertThat(perm.getNS(), is(ns)); + assertThat(perm.getType(), is(type)); assertThat(perm.getInstance(), is(instance)); assertThat(perm.getAction(), is(action)); assertThat(perm.getKey(), is(key)); assertThat(perm.permType(), is("AAF")); assertThat(perm.roles().size(), is(0)); - assertThat(perm.toString(), is("AAFPermission:\n\tType: " + type + + assertThat(perm.toString(), is("AAFPermission:" + + "\n\tNS: " + ns + + "\n\tType: " + type + "\n\tInstance: " + instance + "\n\tAction: " + action + "\n\tKey: " + key)); 
@@ -67,39 +70,45 @@ public class JU_AAFPermission { public void constructor2Test() { AAFPermission perm; - perm = new AAFPermission(type, instance, action, null); - assertThat(perm.getName(), is(type)); + perm = new AAFPermission(ns, type, instance, action, null); + assertThat(perm.getNS(), is(ns)); + assertThat(perm.getType(), is(type)); assertThat(perm.getInstance(), is(instance)); assertThat(perm.getAction(), is(action)); assertThat(perm.getKey(), is(key)); assertThat(perm.permType(), is("AAF")); assertThat(perm.roles().size(), is(0)); - assertThat(perm.toString(), is("AAFPermission:\n\tType: " + type + + assertThat(perm.toString(), is("AAFPermission:" + + "\n\tNS: " + ns + + "\n\tType: " + type + "\n\tInstance: " + instance + "\n\tAction: " + action + "\n\tKey: " + key)); - perm = new AAFPermission(type, instance, action, roles); - assertThat(perm.getName(), is(type)); + perm = new AAFPermission(ns, type, instance, action, roles); + assertThat(perm.getNS(), is(ns)); + assertThat(perm.getType(), is(type)); assertThat(perm.getInstance(), is(instance)); assertThat(perm.getAction(), is(action)); assertThat(perm.getKey(), is(key)); assertThat(perm.permType(), is("AAF")); assertThat(perm.roles().size(), is(1)); assertThat(perm.roles().get(0), is(role)); - assertThat(perm.toString(), is("AAFPermission:\n\tType: " + type + - "\n\tInstance: " + instance + - "\n\tAction: " + action + - "\n\tKey: " + key)); + assertThat(perm.toString(), is("AAFPermission:" + + "\n\tNS: " + ns + + "\n\tType: " + type + + "\n\tInstance: " + instance + + "\n\tAction: " + action + + "\n\tKey: " + key)); } @Test public void matchTest() { - final AAFPermission controlPermission = new AAFPermission(type, instance, action); + final AAFPermission controlPermission = new AAFPermission(ns,type, instance, action); PermissionStub perm; AAFPermission aafperm; - aafperm = new AAFPermission(type, instance, action); + aafperm = new AAFPermission(ns, type, instance, action); 
assertThat(controlPermission.match(aafperm), is(true)); perm = new PermissionStub(key); @@ -117,7 +126,8 @@ public class JU_AAFPermission { @Test public void coverageTest() { AAFPermissionStub aafps = new AAFPermissionStub(); - assertThat(aafps.getName(), is(nullValue())); + assertThat(aafps.getNS(), is(nullValue())); + assertThat(aafps.getType(), is(nullValue())); assertThat(aafps.getInstance(), is(nullValue())); assertThat(aafps.getAction(), is(nullValue())); assertThat(aafps.getKey(), is(nullValue())); diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java index ecadb6ed..d50b87a2 100644 --- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java @@ -42,6 +42,7 @@ import org.junit.Test; import org.mockito.Mock; import org.mockito.MockitoAnnotations; import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.configure.Agent; import org.onap.aaf.cadi.configure.ArtifactDir; import org.onap.aaf.cadi.util.Chmod; import org.onap.aaf.misc.env.Trans; @@ -112,7 +113,7 @@ public class JU_ArtifactDir { } catch(NullPointerException e) { } - KeyStore ks = KeyStore.getInstance("pkcs12"); + KeyStore ks = KeyStore.getInstance(Agent.PKCS12); try { ArtifactDir.write(writableFile, Chmod.to755, ks, luggagePassword.toCharArray()); fail("Should've thrown an exception"); diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java index 0b086f11..d61ac499 100644 --- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java 
@@ -21,9 +21,11 @@ package org.onap.aaf.cadi.cm.test; -import static org.junit.Assert.*; -import static org.hamcrest.CoreMatchers.*; -import static org.mockito.Mockito.*; +import static org.hamcrest.CoreMatchers.is; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.fail; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; import java.io.BufferedReader; import java.io.ByteArrayOutputStream; @@ -31,14 +33,17 @@ import java.io.File; import java.io.FileNotFoundException; import java.io.FileReader; import java.io.IOException; +import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; -import java.security.cert.CertificateException; - -import org.junit.*; -import org.mockito.*; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.configure.Agent; import org.onap.aaf.cadi.configure.PlaceArtifactInKeystore; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; @@ -97,12 +102,12 @@ public class JU_PlaceArtifactInKeystore { @Test public void test() throws CadiException { // Note: PKCS12 can't be tested in JDK 7 and earlier. Can't handle Trusting Certificates. - PlaceArtifactInKeystore placer = new PlaceArtifactInKeystore("jks"); + PlaceArtifactInKeystore placer = new PlaceArtifactInKeystore(Agent.JKS); certs.add(x509String); certs.add(x509Chain); assertThat(placer.place(transMock, certInfoMock, artiMock, "machine"), is(true)); - for (String ext : new String[] {"chal", "keyfile", "jks", "trust.jks", "cred.props"}) { + for (String ext : new String[] {"chal", "keyfile", Agent.JKS, "trust.jks", "cred.props"}) { File f = new File(dirName + '/' + nsName + '.' + ext); assertThat(f.exists(), is(true)); } 
diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_TokenPerm.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_TokenPerm.java index 6bbed0ed..356c12d5 100644 --- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_TokenPerm.java +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_TokenPerm.java @@ -98,28 +98,28 @@ public class JU_TokenPerm { String json; LoadPermissions lp; Permission p; - + json = "{\"perm\":[" + - " {\"type\":\"com.access\",\"instance\":\"*\",\"action\":\"read,approve\"}," + + " {\"ns\":\"com\",\"type\":\"access\",\"instance\":\"*\",\"action\":\"read,approve\"}," + "]}"; lp = new LoadPermissions(new StringReader(json)); assertThat(lp.perms.size(), is(1)); p = lp.perms.get(0); - assertThat(p.getKey(), is("com.access|*|read,approve")); + assertThat(p.getKey(), is("com|access|*|read,approve")); assertThat(p.permType(), is("AAF")); // Extra closing braces for coverage json = "{\"perm\":[" + - " {\"type\":\"com.access\",\"instance\":\"*\",\"action\":\"read,approve\"}}," + + " {\"ns\":\"com\",\"type\":\"access\",\"instance\":\"*\",\"action\":\"read,approve\"}}," + "]]}"; lp = new LoadPermissions(new StringReader(json)); assertThat(lp.perms.size(), is(1)); p = lp.perms.get(0); - assertThat(p.getKey(), is("com.access|*|read,approve")); + assertThat(p.getKey(), is("com|access|*|read,approve")); assertThat(p.permType(), is("AAF")); // Test without a type diff --git a/cadi/aaf/src/test/java/org/onap/aaf/client/sample/Sample.java b/cadi/aaf/src/test/java/org/onap/aaf/client/sample/Sample.java index 45a7d341..6c3c6118 100644 --- a/cadi/aaf/src/test/java/org/onap/aaf/client/sample/Sample.java +++ b/cadi/aaf/src/test/java/org/onap/aaf/client/sample/Sample.java 
@@ -147,7 +147,7 @@ public class Sample { String permS = myAccess.getProperty("perm","org.osaaf.aaf.access|*|read"); String[] permA = Split.splitTrim('|', permS); if(permA.length>2) { - final Permission perm = new AAFPermission(permA[0],permA[1],permA[2]); + final Permission perm = new AAFPermission(null, permA[0],permA[1],permA[2]); // See the CODE for Java Methods used if(singleton().oneAuthorization(fqi, perm)) { System.out.printf("Success: %s has %s\n",fqi.getName(),permS); diff --git a/cadi/client/src/test/java/org/onap/aaf/cadi/locator/test/JU_PropertyLocator.java b/cadi/client/src/test/java/org/onap/aaf/cadi/locator/test/JU_PropertyLocator.java index d14e747a..024deff7 100644 --- a/cadi/client/src/test/java/org/onap/aaf/cadi/locator/test/JU_PropertyLocator.java +++ b/cadi/client/src/test/java/org/onap/aaf/cadi/locator/test/JU_PropertyLocator.java @@ -81,6 +81,7 @@ public class JU_PropertyLocator { assertThat(pl.hasItems(), is(false)); assertThat(countItems(pl), is(0)); + Thread.sleep(20L); // PL checks same milli... pl.refresh(); assertThat(pl.hasItems(), is(true)); diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java b/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java index 1d01a3e8..39631894 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java @@ -246,7 +246,7 @@ public abstract class AbsUserCache<PERM extends Permission> { /** * The default behavior of a LUR is to not handle something exclusively. */ - public boolean handlesExclusively(Permission pond) { + public boolean handlesExclusively(Permission ... pond) { return false; } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java index fd73d00b..0beb4856 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java 
@@ -52,7 +52,7 @@ public interface Lur { * @param principalName * @return */ - public boolean fish(Principal bait, Permission pond); + public boolean fish(Principal bait, Permission ... pond); /** * Fish all the Principals out a Pond @@ -77,7 +77,7 @@ public interface Lur { * @param pond * @return */ - public boolean handlesExclusively(Permission pond); + public boolean handlesExclusively(Permission ... pond); /** * Does the LUR support a particular kind of Principal diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java index 4067f160..afc1d979 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java @@ -483,7 +483,8 @@ public class Symm { switch(read) { case -1: case '=': - case '\n': + case '\n': + case '\r': return -1; } for(int i=0;i<codec.length;++i) { @@ -662,6 +663,9 @@ public class Symm { * @throws IOException */ public void enpass(final String password, final OutputStream os) throws IOException { + if(password==null) { + throw new IOException("Invalid password passed"); + } final ByteArrayOutputStream baos = new ByteArrayOutputStream(); DataOutputStream dos = new DataOutputStream(baos); byte[] bytes = password.getBytes(); diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java index acbcf558..8cb6ae06 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java 
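Review bot: The Javadoc above `fish` in the first hunk was not updated for the varargs signature: it still documents `@param principalName`, which names neither `bait` nor `pond`, and nothing states what the result means when several permissions are passed. Since every implementation in this change returns true when any one of them is held, the interface is the place to say so, e.g. `@param bait the Principal being checked` / `@param pond one or more Permissions; true if the Principal holds any of them` / `@return true if bait holds at least one of pond`, and a matching `@param pond` on `handlesExclusively` in the second hunk, whose any-of behaviour LocalLur's new loop also follows.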
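Review bot: In the Symm `enpass` hunk, throwing `IOException("Invalid password passed")` for a null argument reports a caller bug as an I/O failure, so callers that retry or log on IOException will treat it as transient; `Objects.requireNonNull(password, "password")` (or an IllegalArgumentException) is the idiomatic signal and needs no change to the throws clause. The unchanged `password.getBytes()` on the next context line encodes with the platform default charset, so the same password can encrypt to different bytes on different hosts; switching to `getBytes(StandardCharsets.UTF_8)` would fix that but must be paired with the decoding side in depass to keep existing stored values readable. The method continues past the end of the hunk.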
@@ -134,12 +134,21 @@ public class Config { public static final String OAUTH_CLIENT_SECRET="client_secret"; public static final String AAF_ENV = "aaf_env"; - public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration public static final String AAF_ROOT_NS = "aaf_root_ns"; public static final String AAF_ROOT_NS_DEF = "org.osaaf.aaf"; public static final String AAF_ROOT_COMPANY = "aaf_root_company"; public static final String AAF_LOCATE_URL = "aaf_locate_url"; //URL for AAF locator private static final String AAF_LOCATE_URL_TAG = "AAF_LOCATE_URL"; // Name of Above for use in Config Variables. + public static final String AAF_DEFAULT_VERSION = "2.1"; + public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration + public static final String AAF_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.service:" + AAF_DEFAULT_VERSION; + public static final String GUI_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.gui:" + AAF_DEFAULT_VERSION; + public static final String CM_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.cm:" + AAF_DEFAULT_VERSION; + public static final String FS_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.fs:" + AAF_DEFAULT_VERSION; + public static final String HELLO_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.hello:" + AAF_DEFAULT_VERSION; + public static final String OAUTH2_TOKEN_URL = "https://AAF_LOCATE_URL/AAF_NS.token:" + AAF_DEFAULT_VERSION; + public static final String OAUTH2_INTROSPECT_URL = "https://AAF_LOCATE_URL/AAF_NS.introspect:" + AAF_DEFAULT_VERSION; + public static final String AAF_REGISTER_AS = "aaf_register_as"; public static final String AAF_APPID = "aaf_id"; public static final String AAF_APPPASS = "aaf_password"; 
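Review bot: The new endpoint constants are named inconsistently: `AAF_URL_DEF`, `GUI_URL_DEF`, `CM_URL_DEF`, `FS_URL_DEF` and `HELLO_URL_DEF` carry the `_DEF` suffix that marks a default value in this class, while `OAUTH2_TOKEN_URL` and `OAUTH2_INTROSPECT_URL` do not, even though they are defaults of the same kind (the property keys are `AAF_OAUTH2_TOKEN_URL` and `AAF_OAUTH2_INTROSPECT_URL`); renaming them `OAUTH2_TOKEN_URL_DEF` / `OAUTH2_INTROSPECT_URL_DEF` keeps the convention. The same URLs are read elsewhere in this change from `org.onap.aaf.cadi.aaf.Defaults`, which is not visible here; if that class does not derive from these constants there are now two places where the default service endpoints (and the `AAF_DEFAULT_VERSION` bump to 2.1) can drift apart, which is worth a comment pointing from one to the other.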
@@ -174,7 +183,6 @@ public class Config {
 public static final String AAF_COMPONENT = "aaf_component";
 public static final String AAF_CERT_IDS = "aaf_cert_ids";
 public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited
- public static final String AAF_DEFAULT_VERSION = "2.0";
 public static final String AAF_DATA_DIR = "aaf_data_dir"; // AAF processes and Components only.
 
 public static final String GW_URL = "gw_url";
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java
index 2813dca8..b442c7d9 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java
@@ -60,7 +60,7 @@ public final class EpiLur implements Lur {
 if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor");
 }
 
- public boolean fish(Principal bait, Permission pond) {
+ public boolean fish(Principal bait, Permission ... pond) {
 if(pond==null) {
 return false;
 }
@@ -99,7 +99,7 @@ public final class EpiLur implements Lur {
 }
 
 // Never needed... Only EpiLur uses...
- public boolean handlesExclusively(Permission pond) {
+ public boolean handlesExclusively(Permission ... pond) {
 return false;
 }
 
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java
index 0f9adb94..e177a22f 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java
@@ -94,14 +94,16 @@ public final class LocalLur extends AbsUserCache<LocalPermission> implements Lur
 }
 
 // @Override
- public boolean fish(Principal bait, Permission pond) {
+ public boolean fish(Principal bait, Permission ... pond) {
 if (pond == null) {
 return false;
 }
- if (handles(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
- User<LocalPermission> user = getUser(bait);
- if (user != null) {
- return user.contains((LocalPermission)pond);
+ for(Permission p : pond) {
+ if (handles(bait) && p instanceof LocalPermission) { // local Users only have LocalPermissions
+ User<LocalPermission> user = getUser(bait);
+ if (user != null) {
+ return user.contains((LocalPermission)p);
+ }
 }
 }
 return false;
@@ -128,8 +130,15 @@ public final class LocalLur extends AbsUserCache<LocalPermission> implements Lur
 return principal.getName().endsWith(supportedRealm);
 }
 
- public boolean handlesExclusively(Permission pond) {
- return supportingGroups.contains(pond.getKey());
+ @Override
+ public boolean handlesExclusively(Permission ... pond) {
+ boolean rv = false;
+ for (Permission p : pond) {
+ if(rv=supportingGroups.contains(p.getKey())) {
+ break;
+ }
+ }
+ return rv;
 }
 
 /* (non-Javadoc)
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
index 1e44726a..b314f20e 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
@@ -44,7 +44,7 @@ public class NullLur implements Lur {
 return false;
 }};
 
- public boolean fish(Principal bait, Permission pond) {
+ public boolean fish(Principal bait, Permission ... pond) {
 // Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own
 // System.err.println("CADI's LUR has not been configured, but is still being called. Access is being denied");
 return false;
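Review bot: The new loop in `fish` returns as soon as it meets the first `LocalPermission` element, so `user.contains` is evaluated for that one permission only and any later element of `pond` is never consulted; with two LocalPermissions of which only the second is held, the call answers false. For an authorization check that is a spurious deny rather than a grant, but it still defeats the multi-permission contract the varargs change introduces, assuming any-of is the intended meaning (the Lur interface hunk in this diff does not say). `handles(bait)` and `getUser(bait)` are also loop-invariant yet re-evaluated per element. A shape that continues on a miss and hoists the two lookups:
```java
	public boolean fish(Principal bait, Permission ... pond) {
		if (pond == null || !handles(bait)) {
			return false;
		}
		User<LocalPermission> user = getUser(bait);
		if (user == null) {
			return false;
		}
		for (Permission p : pond) {
			// local Users only have LocalPermissions
			if (p instanceof LocalPermission && user.contains((LocalPermission)p)) {
				return true;
			}
		}
		return false;
	}
```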
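Review bot: In the new `handlesExclusively`, `p.getKey()` throws NullPointerException for a null element and the for-each itself throws when `pond` is null, whereas `fish` in the hunk above guards `pond == null` explicitly; the two methods route the same authorization decision and should fail the same way. The assignment inside the condition, `if(rv=supportingGroups.contains(p.getKey()))`, is also the kind of line static analysis flags and reads like a typo for `==`. An early return removes both the flag variable and the `break`:
```java
	@Override
	public boolean handlesExclusively(Permission ... pond) {
		if (pond == null) {
			return false;
		}
		for (Permission p : pond) {
			if (p != null && supportingGroups.contains(p.getKey())) {
				return true;
			}
		}
		return false;
	}
```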
@@ -56,7 +56,7 @@ public class NullLur implements Lur {
 public void destroy() {
 }
 
- public boolean handlesExclusively(Permission pond) {
+ public boolean handlesExclusively(Permission ... pond) {
 return false;
 }
 
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_EpiLur.java b/cadi/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_EpiLur.java
index f7c3a0a2..b99030eb 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_EpiLur.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_EpiLur.java
@@ -117,10 +117,10 @@ public class JU_EpiLur {
 private class CredValStub implements Lur, CredVal {
 @Override public boolean validate(String user, Type type, byte[] cred, Object state) { return false; }
 @Override public Permission createPerm(String p) { return null; }
- @Override public boolean fish(Principal bait, Permission pond) { return false; }
+ @Override public boolean fish(Principal bait, Permission ... pond) { return false; }
 @Override public void fishAll(Principal bait, List<Permission> permissions) { }
 @Override public void destroy() { }
- @Override public boolean handlesExclusively(Permission pond) { return false; }
+ @Override public boolean handlesExclusively(Permission ... pond) { return false; }
 @Override public boolean handles(Principal principal) { return false; }
 @Override public void clear(Principal p, StringBuilder report) { }
 }
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_AbsUserCache.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_AbsUserCache.java
index 1737710a..b34e90ab 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_AbsUserCache.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_AbsUserCache.java
@@ -350,7 +350,7 @@ public class JU_AbsUserCache {
 class AbsUserCacheCLStub<PERM extends Permission> extends AbsUserCache<PERM> implements CachingLur<PERM> {
 public AbsUserCacheCLStub(AbsUserCache<PERM> cache) { super(cache); }
 @Override public Permission createPerm(String p) { return null; }
- @Override public boolean fish(Principal bait, Permission pond) { return false; }
+ @Override public boolean fish(Principal bait, Permission ... pond) { return false; }
 @Override public void fishAll(Principal bait, List<Permission> permissions) { }
 @Override public boolean handles(Principal principal) { return false; }
 @Override public Resp reload(User<PERM> user) { return null; }
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiWrap.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiWrap.java
index d9a4437c..850dd22c 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiWrap.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiWrap.java
@@ -122,10 +122,10 @@ public class JU_CadiWrap {
 // Anonymous object for testing purposes
 CachingLur<Permission> lur1 = new CachingLur<Permission>() {
 @Override public Permission createPerm(String p) { return null; }
- @Override public boolean fish(Principal bait, Permission pond) { return true; }
+ @Override public boolean fish(Principal bait, Permission ... pond) { return true; }
 @Override public void fishAll(Principal bait, List<Permission> permissions) { }
 @Override public void destroy() { }
- @Override public boolean handlesExclusively(Permission pond) { return false; }
+ @Override public boolean handlesExclusively(Permission ... pond) { return false; }
 @Override public boolean handles(Principal principal) { return false; }
 @Override public void remove(String user) { }
 @Override public Resp reload(User<Permission> user) { return null; }
diff --git a/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OAuthExample.java b/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OAuthExample.java
index 835e699b..ae9c93ed 100644
--- a/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OAuthExample.java
+++ b/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OAuthExample.java
@@ -31,6 +31,7 @@ import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.Defaults;
 import org.onap.aaf.cadi.client.Future;
 import org.onap.aaf.cadi.client.Rcli;
 import org.onap.aaf.cadi.client.Result;
@@ -72,13 +73,10 @@ public class OAuthExample {
 
 
 // Obtain Endpoints for OAuth2 from Properties. Expected is "cadi.properties" file, pointed to by "cadi_prop_files"
- String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL,
- "https://AAF_LOCATE_URL/AAF_NS.token:2.0"); // Default to AAF
- String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL,
- "https://AAF_LOCATE_URL/AAF_NS.introspect:2.0"); // Default to AAF);
+ String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL,Defaults.OAUTH2_TOKEN_URL); // Default to AAF
+ String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL,Defaults.OAUTH2_INTROSPECT_URL); // Default to AAF);
 // Get Hello Service
- final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL,
- "https://AAF_LOCATE_URL/AAF_NS.hello:2.0");
+ final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL,Defaults.HELLO_URL);
 
 final int CALL_TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CALL_TIMEOUT,Config.AAF_CALL_TIMEOUT_DEF));
 
diff --git a/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OnapClientExample.java b/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OnapClientExample.java
index 4b29518f..c82a7c5d 100644
--- a/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OnapClientExample.java
+++ b/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OnapClientExample.java
@@ -31,6 +31,7 @@ import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.Defaults;
 import org.onap.aaf.cadi.client.Future;
 import org.onap.aaf.cadi.client.Rcli;
 import org.onap.aaf.cadi.client.Result;
@@ -103,8 +104,7 @@ public class OnapClientExample {
 // Use this Token in your client calls with "Tokenized Client" (TzClient)
 // These should NOT be used cross thread.
 // Get Hello Service URL... roll your own in your own world.
- final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL,
- "https://AAF_LOCATE_URL/AAF_NS.hello:2.0");
+ final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL,Defaults.HELLO_URL);
 TzClient helloClient = tcf.newTzClient(endServicesURL); |