From 4b5a7d721d994a49057e9bfb403c7bff1b376660 Mon Sep 17 00:00:00 2001
From: Instrumental
Date: Fri, 7 Sep 2018 12:21:34 -0500
Subject: Mass removal of all Tabs (Style Warnings)
Issue-ID: AAF-473
Change-Id: Iaf0ef8120882937959bb0065f2f6ba74a021940f
Signed-off-by: Instrumental
---
 .../src/main/java/org/onap/aaf/auth/cm/AAF_CM.java | 338 +++---
 .../org/onap/aaf/auth/cm/api/API_Artifact.java | 168 +--
 .../java/org/onap/aaf/auth/cm/api/API_Cert.java | 186 +--
 .../src/main/java/org/onap/aaf/auth/cm/ca/CA.java | 364 +++---
 .../main/java/org/onap/aaf/auth/cm/ca/JscepCA.java | 374 +++---
 .../main/java/org/onap/aaf/auth/cm/ca/LocalCA.java | 362 +++---
 .../onap/aaf/auth/cm/ca/X509ChainWithIssuer.java | 108 +-
 .../java/org/onap/aaf/auth/cm/ca/X509andChain.java | 76 +-
 .../java/org/onap/aaf/auth/cm/cert/BCFactory.java | 178 +--
 .../java/org/onap/aaf/auth/cm/cert/CSRMeta.java | 372 +++---
 .../main/java/org/onap/aaf/auth/cm/cert/RDN.java | 142 +--
 .../java/org/onap/aaf/auth/cm/data/CertReq.java | 30 +-
 .../java/org/onap/aaf/auth/cm/data/CertResp.java | 106 +-
 .../java/org/onap/aaf/auth/cm/facade/Facade.java | 270 ++--
 .../org/onap/aaf/auth/cm/facade/Facade1_0.java | 12 +-
 .../org/onap/aaf/auth/cm/facade/FacadeFactory.java | 14 +-
 .../org/onap/aaf/auth/cm/facade/FacadeImpl.java | 1108 ++++++++--------
 .../java/org/onap/aaf/auth/cm/mapper/Mapper.java | 28 +-
 .../org/onap/aaf/auth/cm/mapper/Mapper1_0.java | 432 +++----
 .../org/onap/aaf/auth/cm/mapper/Mapper2_0.java | 414 +++----
 .../org/onap/aaf/auth/cm/service/CMService.java | 1256 ++++++++++----------
 .../java/org/onap/aaf/auth/cm/service/Code.java | 24 +-
 .../aaf/auth/cm/validation/CertmanValidator.java | 150 +--
 23 files changed, 3256 insertions(+), 3256 deletions(-)
(limited to 'auth/auth-certman/src/main')
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
index a9a9b4e5..d80b085b 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
@@ -70,173 +70,173 @@ import com.datastax.driver.core.Cluster; public class AAF_CM extends AbsService { - private static final String USER_PERMS = "userPerms"; - private static final Map certAuths = new TreeMap<>(); - public Facade1_0 facade1_0; // this is the default Facade - public Facade1_0 facade1_0_XML; // this is the XML Facade - public Map cacheUser; - public AAFAuthn aafAuthn; - public AAFLurPerm aafLurPerm; - final public Cluster cluster; - public final LocateDAO locateDAO; - - - /** - * Construct AuthzAPI with all the Context Supporting Routes that Authz needs - * - * @param env - * @param si - * @param dm - * @param decryptor - * @throws APIException - */ - public AAF_CM(AuthzEnv env) throws Exception { - super(env.access(),env); - aafLurPerm = aafCon().newLur(); - // Note: If you need both Authn and Authz construct the following: - aafAuthn = aafCon().newAuthn(aafLurPerm); - - String aaf_env = env.getProperty(Config.AAF_ENV); - if(aaf_env==null) { - throw new APIException("aaf_env needs to be set"); - } - - // Initialize Facade for all uses - AuthzTrans trans = env.newTrans(); - - cluster = org.onap.aaf.auth.dao.CassAccess.cluster(env,null); - locateDAO = new LocateDAO(trans,cluster,CassAccess.KEYSPACE); - - // Have AAFLocator object Create DirectLocators for Location needs - AbsAAFLocator.setCreator(new DirectLocatorCreator(env, locateDAO)); - - // Load Supported Certificate Authorities by property - // Note: Some will be dynamic Properties, so we need to look through all - for(Entry es : env.access().getProperties().entrySet()) { - String key = es.getKey().toString(); - if(key.startsWith(CA.CM_CA_PREFIX)) { - int idx = key.indexOf('.'); - if(idx==key.lastIndexOf('.')) { // else it's a regular property - - env.log(Level.INIT, "Loading Certificate Authority Module: " + key.substring(idx+1)); - String[] segs = Split.split(',', env.getProperty(key)); - if(segs.length>0) { - String[][] multiParams = new String[segs.length-1][]; - for(int i=0;i cac = 
(Class)Class.forName(segs[0]); - Constructor cons = cac.getConstructor(new Class[] { - Access.class,String.class,String.class,String[][].class - }); - Object pinst[] = new Object[4]; - pinst[0]=env; - pinst[1]= key.substring(idx+1); - pinst[2]= aaf_env; - pinst[3] = multiParams; - CA ca = cons.newInstance(pinst); - certAuths.put(ca.getName(),ca); - } - } - } - } - if(certAuths.size()==0) { - throw new APIException("No Certificate Authorities have been configured in CertMan"); - } - - CMService service = new CMService(trans, this); - // note: Service knows how to shutdown Cluster on Shutdown, etc. See Constructor - facade1_0 = FacadeFactory.v1_0(this,trans, service,Data.TYPE.JSON); // Default Facade - facade1_0_XML = FacadeFactory.v1_0(this,trans,service,Data.TYPE.XML); - - - synchronized(env) { - if(cacheUser == null) { - cacheUser = Cache.obtain(USER_PERMS); - Cache.startCleansing(env, USER_PERMS); - } - } - - //////////////////////////////////////////////////////////////////////////// - // APIs - //////////////////////////////////////////////////////////////////////// - API_Cert.init(this); - API_Artifact.init(this); - - StringBuilder sb = new StringBuilder(); - trans.auditTrail(2, sb); - trans.init().log(sb); - } - - public CA getCA(String key) { - return certAuths.get(key); - } - - /** - * Setup XML and JSON implementations for each supported Version type - * - * We do this by taking the Code passed in and creating clones of these with the appropriate Facades and properties - * to do Versions and Content switches - * - */ - public void route(HttpMethods meth, String path, API api, Code code) throws Exception { - String version = "1.0"; - // Get Correct API Class from Mapper - Class respCls = facade1_0.mapper().getClass(api); - if(respCls==null) throw new Exception("Unknown class associated with " + api.getClass().getName() + ' ' + api.name()); - // setup Application API HTML ContentTypes for JSON and Route - String application = applicationJSON(respCls, 
version); - route(env,meth,path,code,application,"application/json;version="+version,"*/*"); - - // setup Application API HTML ContentTypes for XML and Route - application = applicationXML(respCls, version); - route(env,meth,path,code.clone(facade1_0_XML),application,"application/xml;version="+version); - - // Add other Supported APIs here as created - } - - public void routeAll(HttpMethods meth, String path, API api, Code code) throws Exception { - route(env,meth,path,code,""); // this will always match - } - - @Override - public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException { - try { - return new Filter[] { - new AuthzTransFilter(env,aafCon(), - new AAFTrustChecker((Env)env), - additionalTafLurs) - }; - } catch (NumberFormatException e) { - throw new CadiException("Invalid Property information", e); - } - } - - @SuppressWarnings("unchecked") - @Override - public Registrant[] registrants(final int port) throws CadiException, LocatorException { - return new Registrant[] { - new DirectRegistrar(access,locateDAO,app_name,app_version,port) - }; - } - - public void destroy() { - Cache.stopTimer(); - locateDAO.close(env.newTransNoAvg()); - cluster.close(); - } - - public static void main(final String[] args) { - try { - Log4JLogIt logIt = new Log4JLogIt(args, "cm"); - PropAccess propAccess = new PropAccess(logIt,args); - - AAF_CM service = new AAF_CM(new AuthzEnv(propAccess)); - JettyServiceStarter jss = new JettyServiceStarter(service); - jss.start(); - } catch (Exception e) { - e.printStackTrace(); - } - } + private static final String USER_PERMS = "userPerms"; + private static final Map certAuths = new TreeMap<>(); + public Facade1_0 facade1_0; // this is the default Facade + public Facade1_0 facade1_0_XML; // this is the XML Facade + public Map cacheUser; + public AAFAuthn aafAuthn; + public AAFLurPerm aafLurPerm; + final public Cluster cluster; + public final LocateDAO locateDAO; + + + /** + * Construct AuthzAPI with all the 
Context Supporting Routes that Authz needs + * + * @param env + * @param si + * @param dm + * @param decryptor + * @throws APIException + */ + public AAF_CM(AuthzEnv env) throws Exception { + super(env.access(),env); + aafLurPerm = aafCon().newLur(); + // Note: If you need both Authn and Authz construct the following: + aafAuthn = aafCon().newAuthn(aafLurPerm); + + String aaf_env = env.getProperty(Config.AAF_ENV); + if(aaf_env==null) { + throw new APIException("aaf_env needs to be set"); + } + + // Initialize Facade for all uses + AuthzTrans trans = env.newTrans(); + + cluster = org.onap.aaf.auth.dao.CassAccess.cluster(env,null); + locateDAO = new LocateDAO(trans,cluster,CassAccess.KEYSPACE); + + // Have AAFLocator object Create DirectLocators for Location needs + AbsAAFLocator.setCreator(new DirectLocatorCreator(env, locateDAO)); + + // Load Supported Certificate Authorities by property + // Note: Some will be dynamic Properties, so we need to look through all + for(Entry es : env.access().getProperties().entrySet()) { + String key = es.getKey().toString(); + if(key.startsWith(CA.CM_CA_PREFIX)) { + int idx = key.indexOf('.'); + if(idx==key.lastIndexOf('.')) { // else it's a regular property + + env.log(Level.INIT, "Loading Certificate Authority Module: " + key.substring(idx+1)); + String[] segs = Split.split(',', env.getProperty(key)); + if(segs.length>0) { + String[][] multiParams = new String[segs.length-1][]; + for(int i=0;i cac = (Class)Class.forName(segs[0]); + Constructor cons = cac.getConstructor(new Class[] { + Access.class,String.class,String.class,String[][].class + }); + Object pinst[] = new Object[4]; + pinst[0]=env; + pinst[1]= key.substring(idx+1); + pinst[2]= aaf_env; + pinst[3] = multiParams; + CA ca = cons.newInstance(pinst); + certAuths.put(ca.getName(),ca); + } + } + } + } + if(certAuths.size()==0) { + throw new APIException("No Certificate Authorities have been configured in CertMan"); + } + + CMService service = new CMService(trans, this); + 
// note: Service knows how to shutdown Cluster on Shutdown, etc. See Constructor + facade1_0 = FacadeFactory.v1_0(this,trans, service,Data.TYPE.JSON); // Default Facade + facade1_0_XML = FacadeFactory.v1_0(this,trans,service,Data.TYPE.XML); + + + synchronized(env) { + if(cacheUser == null) { + cacheUser = Cache.obtain(USER_PERMS); + Cache.startCleansing(env, USER_PERMS); + } + } + + //////////////////////////////////////////////////////////////////////////// + // APIs + //////////////////////////////////////////////////////////////////////// + API_Cert.init(this); + API_Artifact.init(this); + + StringBuilder sb = new StringBuilder(); + trans.auditTrail(2, sb); + trans.init().log(sb); + } + + public CA getCA(String key) { + return certAuths.get(key); + } + + /** + * Setup XML and JSON implementations for each supported Version type + * + * We do this by taking the Code passed in and creating clones of these with the appropriate Facades and properties + * to do Versions and Content switches + * + */ + public void route(HttpMethods meth, String path, API api, Code code) throws Exception { + String version = "1.0"; + // Get Correct API Class from Mapper + Class respCls = facade1_0.mapper().getClass(api); + if(respCls==null) throw new Exception("Unknown class associated with " + api.getClass().getName() + ' ' + api.name()); + // setup Application API HTML ContentTypes for JSON and Route + String application = applicationJSON(respCls, version); + route(env,meth,path,code,application,"application/json;version="+version,"*/*"); + + // setup Application API HTML ContentTypes for XML and Route + application = applicationXML(respCls, version); + route(env,meth,path,code.clone(facade1_0_XML),application,"application/xml;version="+version); + + // Add other Supported APIs here as created + } + + public void routeAll(HttpMethods meth, String path, API api, Code code) throws Exception { + route(env,meth,path,code,""); // this will always match + } + + @Override + public Filter[] 
_filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
+ try {
+ return new Filter[] {
+ new AuthzTransFilter(env,aafCon(),
+ new AAFTrustChecker((Env)env),
+ additionalTafLurs)
+ };
+ } catch (NumberFormatException e) {
+ throw new CadiException("Invalid Property information", e);
+ }
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public Registrant[] registrants(final int port) throws CadiException, LocatorException {
+ return new Registrant[] {
+ new DirectRegistrar(access,locateDAO,app_name,app_version,port)
+ };
+ }
+
+ public void destroy() {
+ Cache.stopTimer();
+ locateDAO.close(env.newTransNoAvg());
+ cluster.close();
+ }
+
+ public static void main(final String[] args) {
+ try {
+ Log4JLogIt logIt = new Log4JLogIt(args, "cm");
+ PropAccess propAccess = new PropAccess(logIt,args);
+
+ AAF_CM service = new AAF_CM(new AuthzEnv(propAccess));
+ JettyServiceStarter jss = new JettyServiceStarter(service);
+ jss.start();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Artifact.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Artifact.java
index 134ad7c5..34f7927e 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Artifact.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Artifact.java
@@ -39,95 +39,95 @@ import org.onap.aaf.auth.rserv.HttpMethods;
 *
 */
 public class API_Artifact {
- private static final String GET_ARTIFACTS = "Get Artifacts";
+ private static final String GET_ARTIFACTS = "Get Artifacts";
 private static final String CERT_ARTIFACTS = "/cert/artifacts";
- /**
- * Normal Init level APIs
- *
- * @param cmAPI
- * @throws Exception
- */
- public static void init(final AAF_CM cmAPI) throws Exception {
- cmAPI.route(HttpMethods.POST, CERT_ARTIFACTS, API.ARTIFACTS, new Code(cmAPI,"Create Artifacts") {
- @Override
- public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Result r = context.createArtifacts(trans, req, resp);
- if(r.isOK()) {
- resp.setStatus(HttpStatus.CREATED_201);
- } else {
- context.error(trans,resp,r);
- }
- }
- });
+ /**
+ * Normal Init level APIs
+ *
+ * @param cmAPI
+ * @throws Exception
+ */
+ public static void init(final AAF_CM cmAPI) throws Exception {
+ cmAPI.route(HttpMethods.POST, CERT_ARTIFACTS, API.ARTIFACTS, new Code(cmAPI,"Create Artifacts") {
+ @Override
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ Result r = context.createArtifacts(trans, req, resp);
+ if(r.isOK()) {
+ resp.setStatus(HttpStatus.CREATED_201);
+ } else {
+ context.error(trans,resp,r);
+ }
+ }
+ });
- /**
- * Use Query Params to get Artifacts by Machine or MechID
- */
- cmAPI.route(HttpMethods.GET, CERT_ARTIFACTS, API.ARTIFACTS, new Code(cmAPI,GET_ARTIFACTS) {
- @Override
- public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Result r = context.readArtifacts(trans, req, resp);
- if(r.isOK()) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- context.error(trans,resp,r);
- }
- }
- });
+ /**
+ * Use Query Params to get Artifacts by Machine or MechID
+ */
+ cmAPI.route(HttpMethods.GET, CERT_ARTIFACTS, API.ARTIFACTS, new Code(cmAPI,GET_ARTIFACTS) {
+ @Override
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ Result r = context.readArtifacts(trans, req, resp);
+ if(r.isOK()) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ context.error(trans,resp,r);
+ }
+ }
+ });
- cmAPI.route(HttpMethods.GET, "/cert/artifacts/:mechid/:machine", API.ARTIFACTS, new Code(cmAPI,GET_ARTIFACTS) {
- @Override
- public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
-
- Result r = context.readArtifacts(trans, resp, pathParam(req,":mechid"), pathParam(req,":machine"));
- if(r.isOK()) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- context.error(trans,resp,r);
- }
- }
- });
-
-
- cmAPI.route(HttpMethods.PUT, CERT_ARTIFACTS, API.ARTIFACTS, new Code(cmAPI,"Update Artifacts") {
- @Override
- public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Result r = context.updateArtifacts(trans, req, resp);
- if(r.isOK()) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- context.error(trans,resp,r);
- }
- }
- });
+ cmAPI.route(HttpMethods.GET, "/cert/artifacts/:mechid/:machine", API.ARTIFACTS, new Code(cmAPI,GET_ARTIFACTS) {
+ @Override
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+
+ Result r = context.readArtifacts(trans, resp, pathParam(req,":mechid"), pathParam(req,":machine"));
+ if(r.isOK()) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ context.error(trans,resp,r);
+ }
+ }
+ });
+
+
+ cmAPI.route(HttpMethods.PUT, CERT_ARTIFACTS, API.ARTIFACTS, new Code(cmAPI,"Update Artifacts") {
+ @Override
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ Result r = context.updateArtifacts(trans, req, resp);
+ if(r.isOK()) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ context.error(trans,resp,r);
+ }
+ }
+ });
- cmAPI.route(HttpMethods.DELETE, "/cert/artifacts/:mechid/:machine", API.VOID, new Code(cmAPI,"Delete Artifacts") {
- @Override
- public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Result r = context.deleteArtifacts(trans, resp,
- pathParam(req, ":mechid"), pathParam(req,":machine"));
- if(r.isOK()) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- context.error(trans,resp,r);
- }
- }
- });
-
+ cmAPI.route(HttpMethods.DELETE, "/cert/artifacts/:mechid/:machine", API.VOID, new Code(cmAPI,"Delete Artifacts") {
+ @Override
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ Result r = context.deleteArtifacts(trans, resp,
+ pathParam(req, ":mechid"), pathParam(req,":machine"));
+ if(r.isOK()) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ context.error(trans,resp,r);
+ }
+ }
+ });
+
- cmAPI.route(HttpMethods.DELETE, CERT_ARTIFACTS, API.VOID, new Code(cmAPI,"Delete Artifacts") {
- @Override
- public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Result r = context.deleteArtifacts(trans, req, resp);
- if(r.isOK()) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- context.error(trans,resp,r);
- }
- }
- });
-
+ cmAPI.route(HttpMethods.DELETE, CERT_ARTIFACTS, API.VOID, new Code(cmAPI,"Delete Artifacts") {
+ @Override
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ Result r = context.deleteArtifacts(trans, req, resp);
+ if(r.isOK()) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ context.error(trans,resp,r);
+ }
+ }
+ });
+
- }
+ }
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Cert.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Cert.java
index 0cea9c73..625fed62 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Cert.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/api/API_Cert.java
@@ -41,102 +41,102 @@ import org.onap.aaf.misc.env.Slot;
 *
 */
 public class API_Cert {
- public static final String CERT_AUTH = "CertAuthority";
- private static Slot sCertAuth;
+ public static final String CERT_AUTH = "CertAuthority";
+ private static Slot sCertAuth;
- /**
- * Normal Init level APIs
- *
- * @param aafCM
- * @param facade
- * @throws Exception
- */
- public static void init(final AAF_CM aafCM) throws Exception {
- // Check for Created Certificate Authorities in TRANS
- sCertAuth = aafCM.env.slot(CERT_AUTH);
-
- ////////
- // Overall APIs
- ///////
- aafCM.route(HttpMethods.PUT,"/cert/:ca",API.CERT_REQ,new Code(aafCM,"Request Certificate") {
- @Override
- public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
- String key = pathParam(req, ":ca");
- CA ca;
- if((ca = aafCM.getCA(key))==null) {
- context.error(trans,resp,Result.ERR_BadData,"CA %s is not supported",key);
- } else {
- trans.put(sCertAuth, ca);
- Result r = context.requestCert(trans, req, resp, ca);
- if(r.isOK()) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- context.error(trans,resp,r);
- }
- }
- }
- });
-
- aafCM.route(HttpMethods.GET,"/cert/:ca/personal",API.CERT,new Code(aafCM,"Request Personal Certificate") {
- @Override
- public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
- String key = pathParam(req, ":ca");
- CA ca;
- if((ca = aafCM.getCA(key))==null) {
- context.error(trans,resp,Result.ERR_BadData,"CA %s is not supported",key);
- } else {
- trans.put(sCertAuth, ca);
- Result r = context.requestPersonalCert(trans, req, resp, ca);
- if(r.isOK()) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- context.error(trans,resp,r);
- }
- }
- }
- });
+ /**
+ * Normal Init level APIs
+ *
+ * @param aafCM
+ * @param facade
+ * @throws Exception
+ */
+ public static void init(final AAF_CM aafCM) throws Exception {
+ // Check for Created Certificate Authorities in TRANS
+ sCertAuth = aafCM.env.slot(CERT_AUTH);
+
+ ////////
+ // Overall APIs
+ ///////
+ aafCM.route(HttpMethods.PUT,"/cert/:ca",API.CERT_REQ,new Code(aafCM,"Request Certificate") {
+ @Override
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ String key = pathParam(req, ":ca");
+ CA ca;
+ if((ca = aafCM.getCA(key))==null) {
+ context.error(trans,resp,Result.ERR_BadData,"CA %s is not supported",key);
+ } else {
+ trans.put(sCertAuth, ca);
+ Result r = context.requestCert(trans, req, resp, ca);
+ if(r.isOK()) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ context.error(trans,resp,r);
+ }
+ }
+ }
+ });
+
+ aafCM.route(HttpMethods.GET,"/cert/:ca/personal",API.CERT,new Code(aafCM,"Request Personal Certificate") {
+ @Override
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ String key = pathParam(req, ":ca");
+ CA ca;
+ if((ca = aafCM.getCA(key))==null) {
+ context.error(trans,resp,Result.ERR_BadData,"CA %s is not supported",key);
+ } else {
+ trans.put(sCertAuth, ca);
+ Result r = context.requestPersonalCert(trans, req, resp, ca);
+ if(r.isOK()) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ context.error(trans,resp,r);
+ }
+ }
+ }
+ });
-
- /**
- *
- */
- aafCM.route(HttpMethods.GET, "/cert/may/:perm", API.VOID, new Code(aafCM,"Check Permission") {
- @Override
- public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Result r = context.check(trans, resp, pathParam(req,"perm"));
- if(r.isOK()) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- trans.checkpoint(r.errorString());
- context.error(trans,resp,Result.err(Result.ERR_Denied,"%s does not have Permission.",trans.user()));
- }
- }
- });
+
+ /**
+ *
+ */
+ aafCM.route(HttpMethods.GET, "/cert/may/:perm", API.VOID, new Code(aafCM,"Check Permission") {
+ @Override
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ Result r = context.check(trans, resp, pathParam(req,"perm"));
+ if(r.isOK()) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ trans.checkpoint(r.errorString());
+ context.error(trans,resp,Result.err(Result.ERR_Denied,"%s does not have Permission.",trans.user()));
+ }
+ }
+ });
- /**
- * Get Cert by ID and Machine
- */
+ /**
+ * Get Cert by ID and Machine
+ */
-
- /**
- * Get Certs by ID
- */
- aafCM.route(HttpMethods.GET, "/cert/id/:id", API.CERT, new Code(aafCM,"GetByID") {
- @Override
- public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
- Result r = context.readCertsByMechID(trans, resp, pathParam(req,"id"));
- if(r.isOK()) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- context.error(trans,resp,r);
- }
- }
- });
+
+ /**
+ * Get Certs by ID
+ */
+ aafCM.route(HttpMethods.GET, "/cert/id/:id", API.CERT, new Code(aafCM,"GetByID") {
+ @Override
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+ Result r = context.readCertsByMechID(trans, resp, pathParam(req,"id"));
+ if(r.isOK()) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ context.error(trans,resp,r);
+ }
+ }
+ });
-
- /**
- * Get Certs by Machine
- */
-
- }
+
+ /**
+ * Get Certs by Machine
+ */
+
+ }
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
index f1f70a7e..820f02d1 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
@@ -42,198 +42,198 @@ import org.onap.aaf.misc.env.Trans; import org.onap.aaf.misc.env.util.Split; public abstract class CA { - private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for "; - //TODO figuring out what is an Issuing CA is a matter of convention. Consider SubClassing for Open Source - public static final String ISSUING_CA = "Issuing CA"; - public static final String CM_CA_PREFIX = "cm_ca."; - public static final String CM_CA_BASE_SUBJECT = ".baseSubject"; - protected static final String CM_PUBLIC_DIR = "cm_public_dir"; - private static final String CM_TRUST_CAS = "cm_trust_cas"; - protected static final String CM_BACKUP_CAS = "cm_backup_cas"; + private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for "; + //TODO figuring out what is an Issuing CA is a matter of convention. Consider SubClassing for Open Source + public static final String ISSUING_CA = "Issuing CA"; + public static final String CM_CA_PREFIX = "cm_ca."; + public static final String CM_CA_BASE_SUBJECT = ".baseSubject"; + protected static final String CM_PUBLIC_DIR = "cm_public_dir"; + private static final String CM_TRUST_CAS = "cm_trust_cas"; + protected static final String CM_BACKUP_CAS = "cm_backup_cas"; - public static final Set EMPTY = Collections.unmodifiableSet(new HashSet<>()); + public static final Set EMPTY = Collections.unmodifiableSet(new HashSet<>()); - - private final String name; - private final String env; - private MessageDigest messageDigest; - private final String permNS; - private final String permType; - private final ArrayList idDomains; - private String[] trustedCAs; - private String[] caIssuerDNs; - private List rdns; + + private final String name; + private final String env; + private MessageDigest messageDigest; + private final String permNS; + private final String permType; + private final ArrayList idDomains; + private String[] trustedCAs; + private String[] caIssuerDNs; + private List rdns; - 
protected CA(Access access, String caName, String env) throws IOException, CertException { - trustedCAs = new String[4]; // starting array - this.name = caName; - this.env = env; - permNS = CM_CA_PREFIX + name; - permType = access.getProperty(permNS + ".perm_type",null); - if(permType==null) { - throw new CertException(permNS + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName); - } - caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null)); - - String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT; - - String fields = access.getProperty(tag, null); - if(fields==null) { - throw new CertException(tag + MUST_EXIST_TO_CREATE_CSRS_FOR + caName); - } - access.log(Level.INFO, tag, "=",fields); - rdns = RDN.parse('/',fields); - for(RDN rdn : rdns) { - if(rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject - throw new CertException("email address is not allowed in " + CM_CA_BASE_SUBJECT); - } - } - - idDomains = new ArrayList<>(); - StringBuilder sb = null; - for(String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) { - if(s.length()>0) { - if(sb==null) { - sb = new StringBuilder(); - } else { - sb.append(", "); - } - idDomains.add(s); - sb.append(s); - } - } - if(sb!=null) { - access.printf(Level.INIT, "CA '%s' supports Personal Certificates for %s", caName, sb); - } - - String dataDir = access.getProperty(CM_PUBLIC_DIR,null); - if(dataDir!=null) { - File data = new File(dataDir); - byte[] bytes; - if(data.exists()) { - String trustCas = access.getProperty(CM_TRUST_CAS,null); - if(trustCas!=null) { - for(String fname : Split.splitTrim(',', trustCas)) { - File crt; - if(fname.contains("/")) { - crt = new File(fname); - } else { - crt = new File(data,fname); - } - if(crt.exists()) { - access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath()); - bytes = new byte[(int)crt.length()]; - FileInputStream fis = new FileInputStream(crt); - try { - int read = 
fis.read(bytes); - if(read>0) { - addTrustedCA(new String(bytes)); - } - } finally { - fis.close(); - } - } else { - access.printf(Level.INIT, "FAILED to Load CA Cert from %s", crt.getAbsolutePath()); - } - } - } else { - access.printf(Level.INIT, "Cannot load external TRUST CAs: No property %s",CM_TRUST_CAS); - } - } else { - access.printf(Level.INIT, "Cannot load external TRUST CAs: %s doesn't exist, or is not accessible",data.getAbsolutePath()); - } - } - } + protected CA(Access access, String caName, String env) throws IOException, CertException { + trustedCAs = new String[4]; // starting array + this.name = caName; + this.env = env; + permNS = CM_CA_PREFIX + name; + permType = access.getProperty(permNS + ".perm_type",null); + if(permType==null) { + throw new CertException(permNS + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName); + } + caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null)); + + String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT; + + String fields = access.getProperty(tag, null); + if(fields==null) { + throw new CertException(tag + MUST_EXIST_TO_CREATE_CSRS_FOR + caName); + } + access.log(Level.INFO, tag, "=",fields); + rdns = RDN.parse('/',fields); + for(RDN rdn : rdns) { + if(rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject + throw new CertException("email address is not allowed in " + CM_CA_BASE_SUBJECT); + } + } + + idDomains = new ArrayList<>(); + StringBuilder sb = null; + for(String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) { + if(s.length()>0) { + if(sb==null) { + sb = new StringBuilder(); + } else { + sb.append(", "); + } + idDomains.add(s); + sb.append(s); + } + } + if(sb!=null) { + access.printf(Level.INIT, "CA '%s' supports Personal Certificates for %s", caName, sb); + } + + String dataDir = access.getProperty(CM_PUBLIC_DIR,null); + if(dataDir!=null) { + File data = new File(dataDir); + byte[] bytes; + 
if(data.exists()) { + String trustCas = access.getProperty(CM_TRUST_CAS,null); + if(trustCas!=null) { + for(String fname : Split.splitTrim(',', trustCas)) { + File crt; + if(fname.contains("/")) { + crt = new File(fname); + } else { + crt = new File(data,fname); + } + if(crt.exists()) { + access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath()); + bytes = new byte[(int)crt.length()]; + FileInputStream fis = new FileInputStream(crt); + try { + int read = fis.read(bytes); + if(read>0) { + addTrustedCA(new String(bytes)); + } + } finally { + fis.close(); + } + } else { + access.printf(Level.INIT, "FAILED to Load CA Cert from %s", crt.getAbsolutePath()); + } + } + } else { + access.printf(Level.INIT, "Cannot load external TRUST CAs: No property %s",CM_TRUST_CAS); + } + } else { + access.printf(Level.INIT, "Cannot load external TRUST CAs: %s doesn't exist, or is not accessible",data.getAbsolutePath()); + } + } + } - protected void addCaIssuerDN(String issuerDN) { - boolean changed = true; - for(String id : caIssuerDNs) { - if(id.equals(issuerDN)) { - changed = false; - break; - } - } - if(changed) { - String[] newsa = new String[caIssuerDNs.length+1]; - newsa[0]=issuerDN; - System.arraycopy(caIssuerDNs, 0, newsa, 1, caIssuerDNs.length); - caIssuerDNs = newsa; - } - } - - protected synchronized void addTrustedCA(final String crtString) { - String crt; - if(crtString.endsWith("\n")) { - crt = crtString; - } else { - crt = crtString + '\n'; - } - for(int i=0;i=0) { - return idDomains.contains(p.getName().substring(at+1)); - } else { - return false; - } - } + /* (non-Javadoc) + * @see org.onap.aaf.auth.cm.ca.CA#inPersonalDomains(java.security.Principal) + */ + public boolean inPersonalDomains(Principal p) { + int at = p.getName().indexOf('@'); + if(at>=0) { + return idDomains.contains(p.getName().substring(at+1)); + } else { + return false; + } + } - public MessageDigest messageDigest() { - return messageDigest; - } + public MessageDigest messageDigest() 
{
+ return messageDigest;
+ }
- public CSRMeta newCSRMeta() {
- return new CSRMeta(rdns);
- }
+ public CSRMeta newCSRMeta() {
+ return new CSRMeta(rdns);
+ }
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
index 3f398381..000b6dd5 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
@@ -56,203 +56,203 @@ import org.onap.aaf.misc.env.Trans;
 import org.onap.aaf.misc.env.util.Split;
 public class JscepCA extends CA {
- static final String CA_PREFIX = "http://";
- static final String CA_POSTFIX="/certsrv/mscep_admin/mscep.dll";
+ static final String CA_PREFIX = "http://";
+ static final String CA_POSTFIX="/certsrv/mscep_admin/mscep.dll";
- private static final String MS_PROFILE="1";
- private static final int MAX_RETRY=3;
- public static final long INVALIDATE_TIME = 1000*60*10L; // 10 mins
+ private static final String MS_PROFILE="1";
+ private static final int MAX_RETRY=3;
+ public static final long INVALIDATE_TIME = 1000*60*10L; // 10 mins
- // package on purpose
- private Map mxcwiS;
- private Map mxcwiC;
+ // package on purpose
+ private Map mxcwiS;
+ private Map mxcwiC;
- private JscepClientLocator clients;
+ private JscepClientLocator clients;
- public JscepCA(final Access access, final String name, final String env, String [][] params) throws IOException, CertException, LocatorException {
- super(access, name, env);
- mxcwiS = new ConcurrentHashMap<>();
- mxcwiC = new ConcurrentHashMap<>();
-
- if(params.length<2) {
- throw new CertException("No Trust Chain parameters are included");
- }
- if(params[0].length<2) {
- throw new CertException("User/Password required for JSCEP");
- }
- final String id = params[0][0];
- final String pw = params[0][1];
-
- // Set this for NTLM password Microsoft
- Authenticator.setDefault(new Authenticator() {
- public PasswordAuthentication getPasswordAuthentication () {
- try {
- return new PasswordAuthentication (id,access.decrypt(pw,true).toCharArray());
- } catch (IOException e) {
- access.log(e);
- }
- return null;
- }
- });
-
- StringBuilder urlstr = new StringBuilder();
+ public JscepCA(final Access access, final String name, final String env, String [][] params) throws IOException, CertException, LocatorException {
+ super(access, name, env);
+ mxcwiS = new ConcurrentHashMap<>();
+ mxcwiC = new 
ConcurrentHashMap<>(); + + if(params.length<2) { + throw new CertException("No Trust Chain parameters are included"); + } + if(params[0].length<2) { + throw new CertException("User/Password required for JSCEP"); + } + final String id = params[0][0]; + final String pw = params[0][1]; + + // Set this for NTLM password Microsoft + Authenticator.setDefault(new Authenticator() { + public PasswordAuthentication getPasswordAuthentication () { + try { + return new PasswordAuthentication (id,access.decrypt(pw,true).toCharArray()); + } catch (IOException e) { + access.log(e); + } + return null; + } + }); + + StringBuilder urlstr = new StringBuilder(); - for(int i=1;i1) { - urlstr.append(','); // delimiter - } - urlstr.append(params[i][0]); - - String dir = access.getProperty(CM_PUBLIC_DIR, ""); - if(!"".equals(dir) && !dir.endsWith("/")) { - dir = dir + '/'; - } - String path; - List frs = new ArrayList<>(params.length-1); - try { - for(int j=1; j1) { + urlstr.append(','); // delimiter + } + urlstr.append(params[i][0]); + + String dir = access.getProperty(CM_PUBLIC_DIR, ""); + if(!"".equals(dir) && !dir.endsWith("/")) { + dir = dir + '/'; + } + String path; + List frs = new ArrayList<>(params.length-1); + try { + for(int j=1; j { + } else if (er.isPending()) { + trans.checkpoint("Polling, waiting on CA to complete"); + Thread.sleep(3000); + } else if (er.isFailure()) { + throw new CertException(clients.info(item)+':'+er.getFailInfo().toString()); + } + } + } catch(LocatorException e) { + trans.error().log(e); + i=MAX_RETRY; + } catch (ClientException e) { + trans.error().log(e,"SCEP Client Error, Temporarily Invalidating Client: " + clients.info(item)); + try { + clients.invalidate(client); + if(!clients.hasItems()) { + clients.refresh(); + } + } catch (LocatorException e1) { + trans.error().log(e,clients.info(item)); + i=MAX_RETRY; // can't go any further + } + } catch (InterruptedException|TransactionException|CertificateException|OperatorCreationException | 
CertStoreException e) { + trans.error().log(e); + i=MAX_RETRY; + } finally { + tt.done(); + } + } + + return null; + } + + /** + * Locator specifically for Jscep Clients. + * + * Class based client for access to common Map + */ + private class JscepClientLocator extends HotPeerLocator { - protected JscepClientLocator(Access access, String urlstr)throws LocatorException { - super(access, urlstr, JscepCA.INVALIDATE_TIME, - access.getProperty("cadi_latitude","39.833333"), //Note: Defaulting to GEO center of US - access.getProperty("cadi_longitude","-98.583333") - ); - } + protected JscepClientLocator(Access access, String urlstr)throws LocatorException { + super(access, urlstr, JscepCA.INVALIDATE_TIME, + access.getProperty("cadi_latitude","39.833333"), //Note: Defaulting to GEO center of US + access.getProperty("cadi_longitude","-98.583333") + ); + } - @Override - protected Client _newClient(String urlinfo) throws LocatorException { - try { - String[] info = Split.split('/', urlinfo); - Client c = new Client(new URL(JscepCA.CA_PREFIX + info[0] + JscepCA.CA_POSTFIX), - new CertificateVerifier() { - @Override - public boolean verify(X509Certificate cert) { - //TODO checkIssuer - return true; - } - } - ); - // Map URL to Client, because Client doesn't expose Connection - mxcwiC.put(c, mxcwiS.get(urlinfo)); - return c; - } catch (MalformedURLException e) { - throw new LocatorException(e); - } - } + @Override + protected Client _newClient(String urlinfo) throws LocatorException { + try { + String[] info = Split.split('/', urlinfo); + Client c = new Client(new URL(JscepCA.CA_PREFIX + info[0] + JscepCA.CA_POSTFIX), + new CertificateVerifier() { + @Override + public boolean verify(X509Certificate cert) { + //TODO checkIssuer + return true; + } + } + ); + // Map URL to Client, because Client doesn't expose Connection + mxcwiC.put(c, mxcwiS.get(urlinfo)); + return c; + } catch (MalformedURLException e) { + throw new LocatorException(e); + } + } - @Override - protected Client 
_invalidate(Client client) {
- return null;
- }
+ @Override
+ protected Client _invalidate(Client client) {
+ return null;
+ }
- @Override
- protected void _destroy(Client client) {
- mxcwiC.remove(client);
- }
-
-
- }
+ @Override
+ protected void _destroy(Client client) {
+ mxcwiC.remove(client);
+ }
+
+
+ }
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
index 893e9f32..b7d78f05 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
@@ -73,194 +73,194 @@ import org.onap.aaf.misc.env.Trans; public class LocalCA extends CA { - private final static BigInteger ONE = new BigInteger("1"); - // Extensions - private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] { - KeyPurposeId.id_kp_serverAuth, // WebServer - KeyPurposeId.id_kp_clientAuth // WebClient - }; - - private final PrivateKey caKey; - private final X500Name issuer; - private final SecureRandom random = new SecureRandom(); - private BigInteger serial; - private final X509ChainWithIssuer x509cwi; // "Cert" is CACert - - - public LocalCA(Access access, final String name, final String env, final String[][] params) throws IOException, CertException { - super(access, name, env); - - serial = new BigInteger(64,random); + private final static BigInteger ONE = new BigInteger("1"); + // Extensions + private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] { + KeyPurposeId.id_kp_serverAuth, // WebServer + KeyPurposeId.id_kp_clientAuth // WebClient + }; + + private final PrivateKey caKey; + private final X500Name issuer; + private final SecureRandom random = new SecureRandom(); + private BigInteger serial; + private final X509ChainWithIssuer x509cwi; // "Cert" is CACert + + + public LocalCA(Access access, final String name, final String env, final String[][] params) throws IOException, CertException { + super(access, name, env); + + serial = new BigInteger(64,random); - if(params.length<1 || params[0].length<2) { - throw new IOException("LocalCA expects cm_ca.=org.onap.aaf.auth.cm.ca.LocalCA,[;]+"); - } - - // Read in the Private Key - String configured; - File f = new File(params[0][0]); - if(f.exists() && f.isFile()) { - String fileName = f.getName(); - if(fileName.endsWith(".key")) { - caKey = Factory.toPrivateKey(NullTrans.singleton(),f); - List frs = new ArrayList<>(params.length-1); - try { - String dir = access.getProperty(CM_PUBLIC_DIR, ""); - if(!"".equals(dir) && !dir.endsWith("/")) { - dir = dir + '/'; - } + 
if(params.length<1 || params[0].length<2) { + throw new IOException("LocalCA expects cm_ca.=org.onap.aaf.auth.cm.ca.LocalCA,[;]+"); + } + + // Read in the Private Key + String configured; + File f = new File(params[0][0]); + if(f.exists() && f.isFile()) { + String fileName = f.getName(); + if(fileName.endsWith(".key")) { + caKey = Factory.toPrivateKey(NullTrans.singleton(),f); + List frs = new ArrayList<>(params.length-1); + try { + String dir = access.getProperty(CM_PUBLIC_DIR, ""); + if(!"".equals(dir) && !dir.endsWith("/")) { + dir = dir + '/'; + } - String path; - for(int i=1; i; enc:>"); - } - try { - Provider p; - KeyStore keyStore; - FileInputStream fis = null; - if(fileName.endsWith(".pkcs11")) { - String ksType="PKCS11"; - p = Factory.getSecurityProvider(ksType,params); - keyStore = KeyStore.getInstance(ksType,p); - } else if(fileName.endsWith(".jks")) { - keyStore = KeyStore.getInstance("JKS"); - fis = new FileInputStream(f); - } else if(fileName.endsWith(".p12") || fileName.endsWith(".pkcs12")) { - keyStore = KeyStore.getInstance("PKCS12"); - fis = new FileInputStream(f); - } else { - throw new CertException("Unknown Keystore type from filename " + fileName); - } - - KeyStore.ProtectionParameter keyPass; + String path; + for(int i=1; i; enc:>"); + } + try { + Provider p; + KeyStore keyStore; + FileInputStream fis = null; + if(fileName.endsWith(".pkcs11")) { + String ksType="PKCS11"; + p = Factory.getSecurityProvider(ksType,params); + keyStore = KeyStore.getInstance(ksType,p); + } else if(fileName.endsWith(".jks")) { + keyStore = KeyStore.getInstance("JKS"); + fis = new FileInputStream(f); + } else if(fileName.endsWith(".p12") || fileName.endsWith(".pkcs12")) { + keyStore = KeyStore.getInstance("PKCS12"); + fis = new FileInputStream(f); + } else { + throw new CertException("Unknown Keystore type from filename " + fileName); + } + + KeyStore.ProtectionParameter keyPass; - try { - String pass = access.decrypt(params[0][2]/*encrypted passcode*/, true); - 
if(pass==null) { - throw new CertException("Passcode for " + fileName + " cannot be decrypted."); - } - char[] ksPass = pass.toCharArray(); - //Assuming Key Pass is same as Keystore Pass - keyPass = new KeyStore.PasswordProtection(ksPass); + try { + String pass = access.decrypt(params[0][2]/*encrypted passcode*/, true); + if(pass==null) { + throw new CertException("Passcode for " + fileName + " cannot be decrypted."); + } + char[] ksPass = pass.toCharArray(); + //Assuming Key Pass is same as Keystore Pass + keyPass = new KeyStore.PasswordProtection(ksPass); - keyStore.load(fis,ksPass); - } finally { - if (fis != null) - fis.close(); - } - Entry entry; - if(fileName.endsWith(".pkcs11")) { - entry = keyStore.getEntry(params[0][1]/*alias*/, null); - } else { - entry = keyStore.getEntry(params[0][1]/*alias*/, keyPass); - } - if(entry==null) { - throw new CertException("There is no Keystore entry with name '" + params[0][1] +'\''); - } - PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry)entry; - caKey = privateKeyEntry.getPrivateKey(); - - x509cwi = new X509ChainWithIssuer(privateKeyEntry.getCertificateChain()); - configured = "keystore \"" + fileName + "\", alias " + params[0][1]; - } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | UnrecoverableEntryException e) { - throw new CertException("Exception opening Keystore " + fileName, e); - } - } - } else { - throw new CertException("Private Key, " + f.getPath() + ", does not exist"); - } - - X500NameBuilder xnb = new X500NameBuilder(); - List rp = RDN.parse(',', x509cwi.getIssuerDN()); - Collections.reverse(rp); - for(RDN rnd : rp) { - xnb.addRDN(rnd.aoi,rnd.value); - } - issuer = xnb.build(); - access.printf(Level.INIT, "LocalCA is configured with %s. 
The Issuer DN is %s.", - configured, issuer.toString()); - } + keyStore.load(fis,ksPass); + } finally { + if (fis != null) + fis.close(); + } + Entry entry; + if(fileName.endsWith(".pkcs11")) { + entry = keyStore.getEntry(params[0][1]/*alias*/, null); + } else { + entry = keyStore.getEntry(params[0][1]/*alias*/, keyPass); + } + if(entry==null) { + throw new CertException("There is no Keystore entry with name '" + params[0][1] +'\''); + } + PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry)entry; + caKey = privateKeyEntry.getPrivateKey(); + + x509cwi = new X509ChainWithIssuer(privateKeyEntry.getCertificateChain()); + configured = "keystore \"" + fileName + "\", alias " + params[0][1]; + } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | UnrecoverableEntryException e) { + throw new CertException("Exception opening Keystore " + fileName, e); + } + } + } else { + throw new CertException("Private Key, " + f.getPath() + ", does not exist"); + } + + X500NameBuilder xnb = new X500NameBuilder(); + List rp = RDN.parse(',', x509cwi.getIssuerDN()); + Collections.reverse(rp); + for(RDN rnd : rp) { + xnb.addRDN(rnd.aoi,rnd.value); + } + issuer = xnb.build(); + access.printf(Level.INIT, "LocalCA is configured with %s. 
The Issuer DN is %s.", + configured, issuer.toString()); + } - /* (non-Javadoc) - * @see org.onap.aaf.auth.cm.service.CA#sign(org.bouncycastle.pkcs.PKCS10CertificationRequest) - */ - @Override - public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException { - GregorianCalendar gc = new GregorianCalendar(); - Date start = gc.getTime(); - gc.add(GregorianCalendar.MONTH, 6); - Date end = gc.getTime(); - X509Certificate x509; - TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB); - try { - BigInteger bi; - - synchronized(ONE) { - bi = serial; - serial = serial.add(ONE); - } - - RSAPublicKey rpk = (RSAPublicKey)csrmeta.keypair(trans).getPublic(); - X509v3CertificateBuilder xcb = new X509v3CertificateBuilder( - issuer, - bi, // replace with Serialnumber scheme - start, - end, - csrmeta.x500Name(), - SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(new RSAKeyParameters(false,rpk.getModulus(),rpk.getPublicExponent())) -// new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded())) - ); - List lsan = new ArrayList<>(); - for(String s : csrmeta.sans()) { - lsan.add(new GeneralName(GeneralName.dNSName,s)); - } - GeneralName[] sans = new GeneralName[lsan.size()]; - lsan.toArray(sans); + /* (non-Javadoc) + * @see org.onap.aaf.auth.cm.service.CA#sign(org.bouncycastle.pkcs.PKCS10CertificationRequest) + */ + @Override + public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException { + GregorianCalendar gc = new GregorianCalendar(); + Date start = gc.getTime(); + gc.add(GregorianCalendar.MONTH, 6); + Date end = gc.getTime(); + X509Certificate x509; + TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB); + try { + BigInteger bi; + + synchronized(ONE) { + bi = serial; + serial = serial.add(ONE); + } + + RSAPublicKey rpk = (RSAPublicKey)csrmeta.keypair(trans).getPublic(); + X509v3CertificateBuilder xcb = new X509v3CertificateBuilder( + issuer, + bi, // replace with Serialnumber scheme + start, 
+ end, + csrmeta.x500Name(), + SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(new RSAKeyParameters(false,rpk.getModulus(),rpk.getPublicExponent())) +// new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded())) + ); + List lsan = new ArrayList<>(); + for(String s : csrmeta.sans()) { + lsan.add(new GeneralName(GeneralName.dNSName,s)); + } + GeneralName[] sans = new GeneralName[lsan.size()]; + lsan.toArray(sans); - JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); - xcb.addExtension(Extension.basicConstraints, - false, new BasicConstraints(false - )) - .addExtension(Extension.keyUsage, - true, new KeyUsage(KeyUsage.digitalSignature - | KeyUsage.keyEncipherment - | KeyUsage.nonRepudiation)) - .addExtension(Extension.extendedKeyUsage, - true, new ExtendedKeyUsage(ASN_WebUsage)) + JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); + xcb.addExtension(Extension.basicConstraints, + false, new BasicConstraints(false + )) + .addExtension(Extension.keyUsage, + true, new KeyUsage(KeyUsage.digitalSignature + | KeyUsage.keyEncipherment + | KeyUsage.nonRepudiation)) + .addExtension(Extension.extendedKeyUsage, + true, new ExtendedKeyUsage(ASN_WebUsage)) .addExtension(Extension.authorityKeyIdentifier, - false, extUtils.createAuthorityKeyIdentifier(x509cwi.cert)) + false, extUtils.createAuthorityKeyIdentifier(x509cwi.cert)) .addExtension(Extension.subjectKeyIdentifier, - false, extUtils.createSubjectKeyIdentifier(rpk)) - .addExtension(Extension.subjectAlternativeName, - false, new GeneralNames(sans)) -// .addExtension(MiscObjectIdentifiers.netscape, true, new NetscapeCertType( -// NetscapeCertType.sslClient|NetscapeCertType.sslClient)) - ; - - x509 = new JcaX509CertificateConverter().getCertificate( - xcb.build(BCFactory.contentSigner(caKey))); - } catch (GeneralSecurityException|OperatorCreationException e) { - throw new CertException(e); - } finally { - tt.done(); - } - - return new X509andChain(x509,x509cwi.trustChain); - 
}
+ false, extUtils.createSubjectKeyIdentifier(rpk))
+ .addExtension(Extension.subjectAlternativeName,
+ false, new GeneralNames(sans))
+// .addExtension(MiscObjectIdentifiers.netscape, true, new NetscapeCertType(
+// NetscapeCertType.sslClient|NetscapeCertType.sslClient))
+ ;
+
+ x509 = new JcaX509CertificateConverter().getCertificate(
+ xcb.build(BCFactory.contentSigner(caKey)));
+ } catch (GeneralSecurityException|OperatorCreationException e) {
+ throw new CertException(e);
+ } finally {
+ tt.done();
+ }
+
+ return new X509andChain(x509,x509cwi.trustChain);
+ }
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
index e31b9988..e51f2faa 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
@@ -33,61 +33,61 @@ import org.onap.aaf.cadi.configure.CertException; import org.onap.aaf.cadi.configure.Factory; public class X509ChainWithIssuer extends X509andChain { - private String issuerDN; - public X509Certificate caX509; + private String issuerDN; + public X509Certificate caX509; - public X509ChainWithIssuer(X509ChainWithIssuer orig, X509Certificate x509) throws IOException, CertException { - super(x509,orig.trustChain); - issuerDN=orig.issuerDN; - } - - public X509ChainWithIssuer(final List rdrs) throws IOException, CertException { - // Trust Chain. Last one should be the CA - Collection certs; - X509Certificate x509; - for(Reader rdr : rdrs) { - if(rdr==null) { // cover for badly formed array - continue; - } - - byte[] bytes = Factory.decode(rdr,null); - try { - certs = Factory.toX509Certificate(bytes); - } catch (CertificateException e) { - throw new CertException(e); - } - for(Certificate c : certs) { - x509=(X509Certificate)c; - Principal subject = x509.getSubjectDN(); - if(subject==null) { - continue; - } - if(cert==null) { // first in Trust Chain - issuerDN = subject.toString(); - cert=x509; // adding each time makes sure last one is signer. - } - addTrustChainEntry(x509); - } - } - } - - public X509ChainWithIssuer(Certificate[] certs) throws IOException, CertException { - X509Certificate x509; - for(int i=certs.length-1; i>=0; --i) { - x509=(X509Certificate)certs[i]; - Principal subject = x509.getSubjectDN(); - if(subject!=null) { - addTrustChainEntry(x509); - if(i==0) { // last one is signer - cert=x509; - issuerDN= subject.toString(); - } - } - } - } + public X509ChainWithIssuer(X509ChainWithIssuer orig, X509Certificate x509) throws IOException, CertException { + super(x509,orig.trustChain); + issuerDN=orig.issuerDN; + } + + public X509ChainWithIssuer(final List rdrs) throws IOException, CertException { + // Trust Chain. 
Last one should be the CA
+ Collection certs;
+ X509Certificate x509;
+ for(Reader rdr : rdrs) {
+ if(rdr==null) { // cover for badly formed array
+ continue;
+ }
+
+ byte[] bytes = Factory.decode(rdr,null);
+ try {
+ certs = Factory.toX509Certificate(bytes);
+ } catch (CertificateException e) {
+ throw new CertException(e);
+ }
+ for(Certificate c : certs) {
+ x509=(X509Certificate)c;
+ Principal subject = x509.getSubjectDN();
+ if(subject==null) {
+ continue;
+ }
+ if(cert==null) { // first in Trust Chain
+ issuerDN = subject.toString();
+ cert=x509; // adding each time makes sure last one is signer.
+ }
+ addTrustChainEntry(x509);
+ }
+ }
+ }
+
+ public X509ChainWithIssuer(Certificate[] certs) throws IOException, CertException {
+ X509Certificate x509;
+ for(int i=certs.length-1; i>=0; --i) {
+ x509=(X509Certificate)certs[i];
+ Principal subject = x509.getSubjectDN();
+ if(subject!=null) {
+ addTrustChainEntry(x509);
+ if(i==0) { // last one is signer
+ cert=x509;
+ issuerDN= subject.toString();
+ }
+ }
+ }
+ }
- public String getIssuerDN() {
- return issuerDN;
- }
+ public String getIssuerDN() {
+ return issuerDN;
+ }
 }
\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
index 5141cc62..3c684db2 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
@@ -37,44 +37,44 @@ import org.onap.aaf.cadi.configure.Factory; * */ public class X509andChain { - protected X509Certificate cert; - protected String[] trustChain; - - public X509andChain() { - cert = null; - trustChain = null; - } - - public X509andChain(X509Certificate cert, String[] tc) throws IOException, CertException { - this.cert = cert; - trustChain=tc; - } + protected X509Certificate cert; + protected String[] trustChain; + + public X509andChain() { + cert = null; + trustChain = null; + } + + public X509andChain(X509Certificate cert, String[] tc) throws IOException, CertException { + this.cert = cert; + trustChain=tc; + } - public X509andChain(X509Certificate cert, List chain) throws IOException, CertException { - this.cert = cert; - trustChain = new String[chain.size()+1]; - chain.toArray(trustChain); - } - - - public void addTrustChainEntry(X509Certificate x509) throws IOException, CertException { - if(trustChain==null) { - trustChain = new String[] {Factory.toString(NullTrans.singleton(),x509)}; - } else { - String[] temp = new String[trustChain.length+1]; - System.arraycopy(trustChain, 0, temp, 0, trustChain.length); - temp[trustChain.length]=Factory.toString(NullTrans.singleton(),x509); - trustChain=temp; - } - } - + public X509andChain(X509Certificate cert, List chain) throws IOException, CertException { + this.cert = cert; + trustChain = new String[chain.size()+1]; + chain.toArray(trustChain); + } + + + public void addTrustChainEntry(X509Certificate x509) throws IOException, CertException { + if(trustChain==null) { + trustChain = new String[] {Factory.toString(NullTrans.singleton(),x509)}; + } else { + String[] temp = new String[trustChain.length+1]; + System.arraycopy(trustChain, 0, temp, 0, trustChain.length); + temp[trustChain.length]=Factory.toString(NullTrans.singleton(),x509); + trustChain=temp; + } + } + - public X509Certificate getX509() { - return cert; - } - - public String[] getTrustChain() { - return trustChain; - } - + public 
X509Certificate getX509() { + return cert; + } + + public String[] getTrustChain() { + return trustChain; + } + } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java index e40a7a21..8edfa634 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java 
@@ -52,100 +52,100 @@ import org.onap.aaf.misc.env.Trans; * */ public class BCFactory extends Factory { - private static final JcaContentSignerBuilder jcsb; + private static final JcaContentSignerBuilder jcsb; - static { - // Bouncy - jcsb = new JcaContentSignerBuilder(Factory.SIG_ALGO); - } - - public static ContentSigner contentSigner(PrivateKey pk) throws OperatorCreationException { - return jcsb.build(pk); - } - - public static String toString(PKCS10CertificationRequest csr) throws IOException, CertException { - if(csr==null) { - throw new CertException("x509 Certificate Request not built"); - } - return textBuilder("CERTIFICATE REQUEST",csr.getEncoded()); - } + static { + // Bouncy + jcsb = new JcaContentSignerBuilder(Factory.SIG_ALGO); + } + + public static ContentSigner contentSigner(PrivateKey pk) throws OperatorCreationException { + return jcsb.build(pk); + } + + public static String toString(PKCS10CertificationRequest csr) throws IOException, CertException { + if(csr==null) { + throw new CertException("x509 Certificate Request not built"); + } + return textBuilder("CERTIFICATE REQUEST",csr.getEncoded()); + } - public static PKCS10CertificationRequest toCSR(Trans trans, File file) throws IOException { - TimeTaken tt = trans.start("Reconstitute CSR", Env.SUB); - try { - FileReader fr = new FileReader(file); - return new PKCS10CertificationRequest(decode(strip(fr))); - } finally { - tt.done(); - } - } + public static PKCS10CertificationRequest toCSR(Trans trans, File file) throws IOException { + TimeTaken tt = trans.start("Reconstitute CSR", Env.SUB); + try { + FileReader fr = new FileReader(file); + return new PKCS10CertificationRequest(decode(strip(fr))); + } finally { + tt.done(); + } + } - public static byte[] sign(Trans trans, ASN1Object toSign, PrivateKey pk) throws IOException, InvalidKeyException, SignatureException, NoSuchAlgorithmException { - TimeTaken tt = trans.start("Encode Security Object", Env.SUB); - try { - return 
sign(trans,toSign.getEncoded(),pk); - } finally { - tt.done(); - } - } - - public static CSRMeta createCSRMeta(CA ca, String mechid, String sponsorEmail, List fqdns) throws CertException { - CSRMeta csr = ca.newCSRMeta(); - boolean first = true; - // Set CN (and SAN) - for(String fqdn : fqdns) { - if(first) { - first = false; - csr.cn(fqdn); - } - csr.san(fqdn); // duplicate CN in SAN, per RFC 5280 section 4.2.1.6 - } - - csr.challenge(new String(Symm.randomGen(24))); - csr.mechID(mechid); - csr.email(sponsorEmail); - String errs; - if((errs=validateApp(csr))!=null) { - throw new CertException(errs); - } - return csr; - } - - private static String validateApp(CSRMeta csr) { - CertmanValidator v = new CertmanValidator(); - if(v.nullOrBlank("cn", csr.cn()) - .nullOrBlank("mechID", csr.mechID()) -// .nullOrBlank("email", csr.email()) - .err()) { - return v.errs(); - } else { - return null; - } - } + public static byte[] sign(Trans trans, ASN1Object toSign, PrivateKey pk) throws IOException, InvalidKeyException, SignatureException, NoSuchAlgorithmException { + TimeTaken tt = trans.start("Encode Security Object", Env.SUB); + try { + return sign(trans,toSign.getEncoded(),pk); + } finally { + tt.done(); + } + } + + public static CSRMeta createCSRMeta(CA ca, String mechid, String sponsorEmail, List fqdns) throws CertException { + CSRMeta csr = ca.newCSRMeta(); + boolean first = true; + // Set CN (and SAN) + for(String fqdn : fqdns) { + if(first) { + first = false; + csr.cn(fqdn); + } + csr.san(fqdn); // duplicate CN in SAN, per RFC 5280 section 4.2.1.6 + } + + csr.challenge(new String(Symm.randomGen(24))); + csr.mechID(mechid); + csr.email(sponsorEmail); + String errs; + if((errs=validateApp(csr))!=null) { + throw new CertException(errs); + } + return csr; + } + + private static String validateApp(CSRMeta csr) { + CertmanValidator v = new CertmanValidator(); + if(v.nullOrBlank("cn", csr.cn()) + .nullOrBlank("mechID", csr.mechID()) +// .nullOrBlank("email", csr.email()) + 
.err()) { + return v.errs(); + } else { + return null; + } + } - public static CSRMeta createPersonalCSRMeta(CA ca, String personal, String email) throws CertException { - CSRMeta csr = ca.newCSRMeta(); - csr.cn(personal); - csr.challenge(new String(Symm.randomGen(24))); - csr.email(email); - String errs; - if((errs=validatePersonal(csr))!=null) { - throw new CertException(errs); - } - return csr; - } + public static CSRMeta createPersonalCSRMeta(CA ca, String personal, String email) throws CertException { + CSRMeta csr = ca.newCSRMeta(); + csr.cn(personal); + csr.challenge(new String(Symm.randomGen(24))); + csr.email(email); + String errs; + if((errs=validatePersonal(csr))!=null) { + throw new CertException(errs); + } + return csr; + } - private static String validatePersonal(CSRMeta csr) { - CertmanValidator v = new CertmanValidator(); - if(v.nullOrBlank("cn", csr.cn()) - .nullOrBlank("email", csr.email()) - .err()) { - return v.errs(); - } else { - return null; - } - } - + private static String validatePersonal(CSRMeta csr) { + CertmanValidator v = new CertmanValidator(); + if(v.nullOrBlank("cn", csr.cn()) + .nullOrBlank("email", csr.email()) + .err()) { + return v.errs(); + } else { + return null; + } + } + } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java index f9fcad17..5df439ab 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java 
@@ -54,212 +54,212 @@ import org.onap.aaf.cadi.configure.Factory; import org.onap.aaf.misc.env.Trans; public class CSRMeta { - private String cn; - private String mechID; - private String environment; - private String email; - private String challenge; - private List rdns; - private ArrayList sanList = new ArrayList<>(); - private KeyPair keyPair; - private X500Name name = null; - private SecureRandom random = new SecureRandom(); + private String cn; + private String mechID; + private String environment; + private String email; + private String challenge; + private List rdns; + private ArrayList sanList = new ArrayList<>(); + private KeyPair keyPair; + private X500Name name = null; + private SecureRandom random = new SecureRandom(); - public CSRMeta(List rdns) { - this.rdns = rdns; - } + public CSRMeta(List rdns) { + this.rdns = rdns; + } - public X500Name x500Name() { - if(name==null) { - X500NameBuilder xnb = new X500NameBuilder(); - xnb.addRDN(BCStyle.CN,cn); - xnb.addRDN(BCStyle.E,email); - if(mechID!=null) { - if(environment==null) { - xnb.addRDN(BCStyle.OU,mechID); - } else { - xnb.addRDN(BCStyle.OU,mechID+':'+environment); - } - } - for(RDN rdn : rdns) { - xnb.addRDN(rdn.aoi,rdn.value); - } - name = xnb.build(); - } - return name; - } - - - public PKCS10CertificationRequest generateCSR(Trans trans) throws IOException, CertException { - PKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(x500Name(),keypair(trans).getPublic()); - if(challenge!=null) { - DERPrintableString password = new DERPrintableString(challenge); - builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, password); - } - - int plus = email==null?0:1; - if(!sanList.isEmpty()) { - GeneralName[] gna = new GeneralName[sanList.size()+plus]; - int i=-1; - for(String s : sanList) { - gna[++i]=new GeneralName(GeneralName.dNSName,s); - } - gna[++i]=new GeneralName(GeneralName.rfc822Name,email); - - builder.addAttribute( - 
PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, - new Extensions(new Extension[] { - new Extension(Extension.subjectAlternativeName,false,new GeneralNames(gna).getEncoded()) - }) - ); - } + public X500Name x500Name() { + if(name==null) { + X500NameBuilder xnb = new X500NameBuilder(); + xnb.addRDN(BCStyle.CN,cn); + xnb.addRDN(BCStyle.E,email); + if(mechID!=null) { + if(environment==null) { + xnb.addRDN(BCStyle.OU,mechID); + } else { + xnb.addRDN(BCStyle.OU,mechID+':'+environment); + } + } + for(RDN rdn : rdns) { + xnb.addRDN(rdn.aoi,rdn.value); + } + name = xnb.build(); + } + return name; + } + + + public PKCS10CertificationRequest generateCSR(Trans trans) throws IOException, CertException { + PKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(x500Name(),keypair(trans).getPublic()); + if(challenge!=null) { + DERPrintableString password = new DERPrintableString(challenge); + builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, password); + } + + int plus = email==null?0:1; + if(!sanList.isEmpty()) { + GeneralName[] gna = new GeneralName[sanList.size()+plus]; + int i=-1; + for(String s : sanList) { + gna[++i]=new GeneralName(GeneralName.dNSName,s); + } + gna[++i]=new GeneralName(GeneralName.rfc822Name,email); + + builder.addAttribute( + PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, + new Extensions(new Extension[] { + new Extension(Extension.subjectAlternativeName,false,new GeneralNames(gna).getEncoded()) + }) + ); + } - try { - return builder.build(BCFactory.contentSigner(keypair(trans).getPrivate())); - } catch (OperatorCreationException e) { - throw new CertException(e); - } - } - - @SuppressWarnings("deprecation") - public static void dump(PKCS10CertificationRequest csr) { - Attribute[] certAttributes = csr.getAttributes(); - for (Attribute attribute : certAttributes) { - if (!attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) { - continue; - } + try { + return 
builder.build(BCFactory.contentSigner(keypair(trans).getPrivate())); + } catch (OperatorCreationException e) { + throw new CertException(e); + } + } + + @SuppressWarnings("deprecation") + public static void dump(PKCS10CertificationRequest csr) { + Attribute[] certAttributes = csr.getAttributes(); + for (Attribute attribute : certAttributes) { + if (!attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) { + continue; + } - Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0)); - GeneralNames gns = GeneralNames.fromExtensions(extensions,Extension.subjectAlternativeName); - GeneralName[] names = gns.getNames(); - for(int k=0; k < names.length; k++) { - String title = ""; - if(names[k].getTagNo() == GeneralName.dNSName) { - title = "dNSName"; - } else if(names[k].getTagNo() == GeneralName.iPAddress) { - title = "iPAddress"; - // Deprecated, but I don't see anything better to use. - names[k].toASN1Object(); - } else if(names[k].getTagNo() == GeneralName.otherName) { - title = "otherName"; - } else if(names[k].getTagNo() == GeneralName.rfc822Name) { - title = "email"; - } + Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0)); + GeneralNames gns = GeneralNames.fromExtensions(extensions,Extension.subjectAlternativeName); + GeneralName[] names = gns.getNames(); + for(int k=0; k < names.length; k++) { + String title = ""; + if(names[k].getTagNo() == GeneralName.dNSName) { + title = "dNSName"; + } else if(names[k].getTagNo() == GeneralName.iPAddress) { + title = "iPAddress"; + // Deprecated, but I don't see anything better to use. 
+ names[k].toASN1Object(); + } else if(names[k].getTagNo() == GeneralName.otherName) { + title = "otherName"; + } else if(names[k].getTagNo() == GeneralName.rfc822Name) { + title = "email"; + } - System.out.println(title + ": "+ names[k].getName()); - } - } - } - - public X509Certificate initialConversationCert(Trans trans) throws IOException, CertificateException, OperatorCreationException { - GregorianCalendar gc = new GregorianCalendar(); - Date start = gc.getTime(); - gc.add(GregorianCalendar.DAY_OF_MONTH,2); - Date end = gc.getTime(); - @SuppressWarnings("deprecation") - X509v3CertificateBuilder xcb = new X509v3CertificateBuilder( - x500Name(), - new BigInteger(12,random), // replace with Serialnumber scheme - start, - end, - x500Name(), - new SubjectPublicKeyInfo(ASN1Sequence.getInstance(keypair(trans).getPublic().getEncoded())) - ); - return new JcaX509CertificateConverter().getCertificate( - xcb.build(BCFactory.contentSigner(keypair(trans).getPrivate()))); - } + System.out.println(title + ": "+ names[k].getName()); + } + } + } + + public X509Certificate initialConversationCert(Trans trans) throws IOException, CertificateException, OperatorCreationException { + GregorianCalendar gc = new GregorianCalendar(); + Date start = gc.getTime(); + gc.add(GregorianCalendar.DAY_OF_MONTH,2); + Date end = gc.getTime(); + @SuppressWarnings("deprecation") + X509v3CertificateBuilder xcb = new X509v3CertificateBuilder( + x500Name(), + new BigInteger(12,random), // replace with Serialnumber scheme + start, + end, + x500Name(), + new SubjectPublicKeyInfo(ASN1Sequence.getInstance(keypair(trans).getPublic().getEncoded())) + ); + return new JcaX509CertificateConverter().getCertificate( + xcb.build(BCFactory.contentSigner(keypair(trans).getPrivate()))); + } - public CSRMeta san(String v) { - sanList.add(v); - return this; - } + public CSRMeta san(String v) { + sanList.add(v); + return this; + } - public List sans() { - return sanList; - } + public List sans() { + return sanList; + 
} - public KeyPair keypair(Trans trans) { - if(keyPair == null) { - keyPair = Factory.generateKeyPair(trans); - } - return keyPair; - } + public KeyPair keypair(Trans trans) { + if(keyPair == null) { + keyPair = Factory.generateKeyPair(trans); + } + return keyPair; + } - /** - * @return the cn - */ - public String cn() { - return cn; - } + /** + * @return the cn + */ + public String cn() { + return cn; + } - /** - * @param cn the cn to set - */ - public void cn(String cn) { - this.cn = cn; - } + /** + * @param cn the cn to set + */ + public void cn(String cn) { + this.cn = cn; + } - /** - * Environment of Service MechID is good for - */ - public void environment(String env) { - environment = env; - } - - /** - * - * @return - */ - public String environment() { - return environment; - } - - /** - * @return the mechID - */ - public String mechID() { - return mechID; - } + /** + * Environment of Service MechID is good for + */ + public void environment(String env) { + environment = env; + } + + /** + * + * @return + */ + public String environment() { + return environment; + } + + /** + * @return the mechID + */ + public String mechID() { + return mechID; + } - /** - * @param mechID the mechID to set - */ - public void mechID(String mechID) { - this.mechID = mechID; - } + /** + * @param mechID the mechID to set + */ + public void mechID(String mechID) { + this.mechID = mechID; + } - /** - * @return the email - */ - public String email() { - return email; - } + /** + * @return the email + */ + public String email() { + return email; + } - /** - * @param email the email to set - */ - public void email(String email) { - this.email = email; - } + /** + * @param email the email to set + */ + public void email(String email) { + this.email = email; + } - /** - * @return the challenge - */ - public String challenge() { - return challenge; - } + /** + * @return the challenge + */ + public String challenge() { + return challenge; + } - /** - * @param challenge the challenge to 
set - */ - public void challenge(String challenge) { - this.challenge = challenge; - } - + /** + * @param challenge the challenge to set + */ + public void challenge(String challenge) { + this.challenge = challenge; + } + } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java index b109ffcb..c39ba6d3 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java 
@@ -29,75 +29,75 @@ import org.onap.aaf.cadi.configure.CertException; import org.onap.aaf.cadi.util.Split; public class RDN { - public String tag; - public String value; - public ASN1ObjectIdentifier aoi; - public RDN(final String tagValue) throws CertException { - String[] tv = Split.splitTrim('=',tagValue); - switch(tv[0]) { - case "cn":case "CN": aoi = BCStyle.CN; break; - case "c":case "C": aoi = BCStyle.C;break; - case "st":case "ST": aoi = BCStyle.ST;break; - case "l":case "L": aoi = BCStyle.L;break; - case "o":case "O": aoi = BCStyle.O;break; - case "ou":case "OU": aoi = BCStyle.OU;break; - case "dc":case "DC": aoi = BCStyle.DC;break; - case "gn":case "GN": aoi = BCStyle.GIVENNAME; break; - case "sn":case "SN": aoi = BCStyle.SN; break; // surname - case "email":case "EMAIL": - case "emailaddress": - case "EMAILADDRESS": aoi = BCStyle.EmailAddress;break; // should be SAN extension - case "initials": aoi = BCStyle.INITIALS; break; - case "pseudonym": aoi = BCStyle.PSEUDONYM; break; - case "generationQualifier": aoi = BCStyle.GENERATION; break; - case "serialNumber": aoi = BCStyle.SERIALNUMBER; break; - default: - throw new CertException("Unknown ASN1ObjectIdentifier for " + tv[0] + " in " + tagValue); - } - tag = tv[0]; - value = tv[1]; - } - - /** - * Parse various forms of DNs into appropriate RDNs, which have the ASN1ObjectIdentifier - * @param delim - * @param dnString - * @return - * @throws CertException - */ - public static List parse(final char delim, final String dnString ) throws CertException { - List lrnd = new ArrayList<>(); - StringBuilder sb = new StringBuilder(); - boolean inQuotes = false; - for(int i=0;i0) { - lrnd.add(new RDN(sb.toString())); - sb.setLength(0); - } - } else { - sb.append(dnString.charAt(i)); - } - } - } - if(sb.indexOf("=")>0) { - lrnd.add(new RDN(sb.toString())); - } - return lrnd; - } - - @Override - public String toString() { - return tag + '=' + value; - } + public String tag; + public String value; + public 
ASN1ObjectIdentifier aoi; + public RDN(final String tagValue) throws CertException { + String[] tv = Split.splitTrim('=',tagValue); + switch(tv[0]) { + case "cn":case "CN": aoi = BCStyle.CN; break; + case "c":case "C": aoi = BCStyle.C;break; + case "st":case "ST": aoi = BCStyle.ST;break; + case "l":case "L": aoi = BCStyle.L;break; + case "o":case "O": aoi = BCStyle.O;break; + case "ou":case "OU": aoi = BCStyle.OU;break; + case "dc":case "DC": aoi = BCStyle.DC;break; + case "gn":case "GN": aoi = BCStyle.GIVENNAME; break; + case "sn":case "SN": aoi = BCStyle.SN; break; // surname + case "email":case "EMAIL": + case "emailaddress": + case "EMAILADDRESS": aoi = BCStyle.EmailAddress;break; // should be SAN extension + case "initials": aoi = BCStyle.INITIALS; break; + case "pseudonym": aoi = BCStyle.PSEUDONYM; break; + case "generationQualifier": aoi = BCStyle.GENERATION; break; + case "serialNumber": aoi = BCStyle.SERIALNUMBER; break; + default: + throw new CertException("Unknown ASN1ObjectIdentifier for " + tv[0] + " in " + tagValue); + } + tag = tv[0]; + value = tv[1]; + } + + /** + * Parse various forms of DNs into appropriate RDNs, which have the ASN1ObjectIdentifier + * @param delim + * @param dnString + * @return + * @throws CertException + */ + public static List parse(final char delim, final String dnString ) throws CertException { + List lrnd = new ArrayList<>(); + StringBuilder sb = new StringBuilder(); + boolean inQuotes = false; + for(int i=0;i0) { + lrnd.add(new RDN(sb.toString())); + sb.setLength(0); + } + } else { + sb.append(dnString.charAt(i)); + } + } + } + if(sb.indexOf("=")>0) { + lrnd.add(new RDN(sb.toString())); + } + return lrnd; + } + + @Override + public String toString() { + return tag + '=' + value; + } } \ No newline at end of file diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java index d960945c..ad7f10eb 100644 
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java @@ -31,19 +31,19 @@ import org.onap.aaf.auth.cm.cert.CSRMeta; import org.onap.aaf.cadi.configure.CertException; public class CertReq { - // These cannot be null - public CA certAuthority; - public String mechid; - public List fqdns; - // Notify - public List emails; - - - // These may be null - public String sponsor; - public XMLGregorianCalendar start, end; - - public CSRMeta getCSRMeta() throws CertException { - return BCFactory.createCSRMeta(certAuthority, mechid, sponsor,fqdns); - } + // These cannot be null + public CA certAuthority; + public String mechid; + public List fqdns; + // Notify + public List emails; + + + // These may be null + public String sponsor; + public XMLGregorianCalendar start, end; + + public CSRMeta getCSRMeta() throws CertException { + return BCFactory.createCSRMeta(certAuthority, mechid, sponsor,fqdns); + } } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java index 970bfb85..e156fe91 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java 
@@ -33,59 +33,59 @@ import org.onap.aaf.cadi.configure.Factory; import org.onap.aaf.misc.env.Trans; public class CertResp { - private CA ca; - private KeyPair keyPair; - private String challenge; - - private String privateKey, certString; - private String[] trustChain; - private String[] notes; - - public CertResp(Trans trans, CA ca, X509Certificate x509, CSRMeta csrMeta, String[] trustChain, String[] notes) throws IOException, GeneralSecurityException, CertException { - keyPair = csrMeta.keypair(trans); - privateKey = Factory.toString(trans, keyPair.getPrivate()); - certString = Factory.toString(trans,x509); - challenge=csrMeta.challenge(); - this.ca = ca; - this.trustChain = trustChain; - this.notes = notes; - } + private CA ca; + private KeyPair keyPair; + private String challenge; + + private String privateKey, certString; + private String[] trustChain; + private String[] notes; + + public CertResp(Trans trans, CA ca, X509Certificate x509, CSRMeta csrMeta, String[] trustChain, String[] notes) throws IOException, GeneralSecurityException, CertException { + keyPair = csrMeta.keypair(trans); + privateKey = Factory.toString(trans, keyPair.getPrivate()); + certString = Factory.toString(trans,x509); + challenge=csrMeta.challenge(); + this.ca = ca; + this.trustChain = trustChain; + this.notes = notes; + } - // Use for Read Responses, etc - public CertResp(String cert) { - certString = cert; - } + // Use for Read Responses, etc + public CertResp(String cert) { + certString = cert; + } - - public String asCertString() { - return certString; - } - - public String privateString() throws IOException { - return privateKey; - } - - public String challenge() { - return challenge==null?"":challenge; - } - - public String[] notes() { - return notes; - } - - public String[] caIssuerDNs() { - return ca.getCaIssuerDNs(); - } - - public String env() { - return ca.getEnv(); - } - - public String[] trustChain() { - return trustChain; - } - - public String[] trustCAs() { - return 
ca.getTrustedCAs(); - } + + public String asCertString() { + return certString; + } + + public String privateString() throws IOException { + return privateKey; + } + + public String challenge() { + return challenge==null?"":challenge; + } + + public String[] notes() { + return notes; + } + + public String[] caIssuerDNs() { + return ca.getCaIssuerDNs(); + } + + public String env() { + return ca.getEnv(); + } + + public String[] trustChain() { + return trustChain; + } + + public String[] trustCAs() { + return ca.getTrustedCAs(); + } } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade.java index 9eb9c2fa..4952dbec 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade.java 
@@ -40,143 +40,143 @@ import org.onap.aaf.auth.layer.Result; public interface Facade { ///////////////////// STANDARD ELEMENTS ////////////////// - /** - * @param trans - * @param response - * @param result - */ - void error(AuthzTrans trans, HttpServletResponse response, Result result); - - /** - * - * @param trans - * @param response - * @param status - */ - void error(AuthzTrans trans, HttpServletResponse response, int status, String msg, String ... detail); - - /** - * Permission checker - * - * @param trans - * @param resp - * @param perm - * @return - * @throws IOException - */ - Result check(AuthzTrans trans, HttpServletResponse resp, String perm) throws IOException; - - /** - * - * @return - */ - public Mapper mapper(); + /** + * @param trans + * @param response + * @param result + */ + void error(AuthzTrans trans, HttpServletResponse response, Result result); + + /** + * + * @param trans + * @param response + * @param status + */ + void error(AuthzTrans trans, HttpServletResponse response, int status, String msg, String ... 
detail); + + /** + * Permission checker + * + * @param trans + * @param resp + * @param perm + * @return + * @throws IOException + */ + Result check(AuthzTrans trans, HttpServletResponse resp, String perm) throws IOException; + + /** + * + * @return + */ + public Mapper mapper(); ///////////////////// STANDARD ELEMENTS ////////////////// - - /** - * - * @param trans - * @param resp - * @param rservlet - * @return - */ - public abstract Result requestCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca); - - /** - * - * @param trans - * @param resp - * @param rservlet - * @return - */ - public abstract Result requestPersonalCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca); - - - /** - * - * @param trans - * @param req - * @param resp - * @return - */ - public abstract Result renewCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, boolean withTrust); - - /** - * - * @param trans - * @param req - * @param resp - * @return - */ - public abstract Result dropCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); - - - /** - * - * @param trans - * @param resp - * @param pathParam - * @return - */ - public Result readCertsByMechID(AuthzTrans trans, HttpServletResponse resp, String mechID); - - - /** - * - * @param trans - * @param req - * @param resp - * @return - */ - Result createArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); - - /** - * - * @param trans - * @param req - * @param resp - * @return - */ - Result readArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); - - /** - * - * @param trans - * @param resp - * @param mechid - * @param machine - * @return - */ - Result readArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine); - - /** - * - * @param trans - * @param req - * @param resp - * @return - */ - Result updateArtifacts(AuthzTrans trans, HttpServletRequest req, 
HttpServletResponse resp); - - /** - * - * @param trans - * @param req - * @param resp - * @return - */ - Result deleteArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); - - /** - * - * @param trans - * @param resp - * @param mechid - * @param machine - * @return - */ - Result deleteArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine); + + /** + * + * @param trans + * @param resp + * @param rservlet + * @return + */ + public abstract Result requestCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca); + + /** + * + * @param trans + * @param resp + * @param rservlet + * @return + */ + public abstract Result requestPersonalCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca); + + + /** + * + * @param trans + * @param req + * @param resp + * @return + */ + public abstract Result renewCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, boolean withTrust); + + /** + * + * @param trans + * @param req + * @param resp + * @return + */ + public abstract Result dropCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); + + + /** + * + * @param trans + * @param resp + * @param pathParam + * @return + */ + public Result readCertsByMechID(AuthzTrans trans, HttpServletResponse resp, String mechID); + + + /** + * + * @param trans + * @param req + * @param resp + * @return + */ + Result createArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); + + /** + * + * @param trans + * @param req + * @param resp + * @return + */ + Result readArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); + + /** + * + * @param trans + * @param resp + * @param mechid + * @param machine + * @return + */ + Result readArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine); + + /** + * + * @param trans + * @param req + * @param resp + * @return + */ + Result 
updateArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); + + /** + * + * @param trans + * @param req + * @param resp + * @return + */ + Result deleteArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); + + /** + * + * @param trans + * @param resp + * @param mechid + * @param machine + * @return + */ + Result deleteArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine); } \ No newline at end of file diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade1_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade1_0.java index 49d976b2..4a3b5cbe 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade1_0.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/Facade1_0.java @@ -37,10 +37,10 @@ import certman.v1_0.CertInfo; * */ public class Facade1_0 extends FacadeImpl { - public Facade1_0(AAF_CM certman, - CMService service, - Mapper mapper, - Data.TYPE type) throws APIException { - super(certman, service, mapper, type); - } + public Facade1_0(AAF_CM certman, + CMService service, + Mapper mapper, + Data.TYPE type) throws APIException { + super(certman, service, mapper, type); + } } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeFactory.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeFactory.java index 6eb13f93..e9ffb908 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeFactory.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeFactory.java 
@@ -30,12 +30,12 @@ import org.onap.aaf.misc.env.Data; public class FacadeFactory { - public static Facade1_0 v1_0(AAF_CM certman, AuthzTrans trans, CMService service, Data.TYPE type) throws APIException { - return new Facade1_0( - certman, - service, - new Mapper1_0(), - type); - } + public static Facade1_0 v1_0(AAF_CM certman, AuthzTrans trans, CMService service, Data.TYPE type) throws APIException { + return new Facade1_0( + certman, + service, + new Mapper1_0(), + type); + } } diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java index 98fdf11b..310ea8b2 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java @@ -66,7 +66,7 @@ import org.onap.aaf.misc.rosetta.env.RosettaData; * 1) Interact with the Service Implementation (which might be supported by various kinds of Backend Storage) * 2) Validate incoming data (if applicable) * 3) Convert the Service response into the right Format, and mark the Content Type - * a) In the future, we may support multiple Response Formats, aka JSON or XML, based on User Request. + * a) In the future, we may support multiple Response Formats, aka JSON or XML, based on User Request. * 4) Log Service info, warnings and exceptions as necessary * 5) When asked by the API layer, this will create and write Error content to the OutputStream * 
@@ -77,562 +77,562 @@ import org.onap.aaf.misc.rosetta.env.RosettaData; * */ public abstract class FacadeImpl extends org.onap.aaf.auth.layer.FacadeImpl implements Facade - { - private static final String TRUE = "TRUE"; - private static final String REQUEST_CERT = "Request New Certificate"; - private static final String RENEW_CERT = "Renew Certificate"; - private static final String DROP_CERT = "Drop Certificate"; - private static final String READ_CERTS_MECHID = "Read Certificates by MechID"; - private static final String CREATE_ARTIFACTS = "Create Deployment Artifact"; - private static final String READ_ARTIFACTS = "Read Deployment Artifact"; - private static final String UPDATE_ARTIFACTS = "Update Deployment Artifact"; - private static final String DELETE_ARTIFACTS = "Delete Deployment Artifact"; - - private CMService service; - - private final RosettaDF errDF; - private final RosettaDF certRequestDF, certRenewDF, certDropDF; - private final RosettaDF certDF; - private final RosettaDF artiDF; - private Mapper mapper; -// private Slot sCertAuth; - private AAF_CM certman; - private final String voidResp; - - public FacadeImpl(AAF_CM certman, - CMService service, - Mapper mapper, - Data.TYPE dataType) throws APIException { - this.service = service; - this.mapper = mapper; - this.certman = certman; - AuthzEnv env = certman.env; - //TODO: Gabe [JUnit] Static issue, talk to Jonathan - (errDF = env.newDataFactory(mapper.getClass(API.ERROR))).in(dataType).out(dataType); - (certRequestDF = env.newDataFactory(mapper.getClass(API.CERT_REQ))).in(dataType).out(dataType); - (certRenewDF = env.newDataFactory(mapper.getClass(API.CERT_RENEW))).in(dataType).out(dataType); - (certDropDF = env.newDataFactory(mapper.getClass(API.CERT_DROP))).in(dataType).out(dataType); - (certDF = env.newDataFactory(mapper.getClass(API.CERT))).in(dataType).out(dataType); - (artiDF = env.newDataFactory(mapper.getClass(API.ARTIFACTS))).in(dataType).out(dataType); -// sCertAuth = 
env.slot(API_Cert.CERT_AUTH); - if(artiDF.getOutType().name().contains("xml")) { - voidResp = "application/Void+xml;charset=utf-8;version=1.0,application/xml;version=1.0,*/*"; - } else { - voidResp = "application/Void+json;charset=utf-8;version=1.0,application/json;version=1.0,*/*"; - } - } - - public Mapper mapper() { - return mapper; - } - - /* (non-Javadoc) - * @see com.att.authz.facade.AuthzFacade#error(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, int) - * - * Note: Conforms to AT&T TSS RESTful Error Structure - */ - @Override - public void error(AuthzTrans trans, HttpServletResponse response, Result result) { - error(trans, response, result.status, - result.details==null?"":result.details.trim(), - result.variables==null?new String[0]:result.variables); - } - - @Override - public void error(AuthzTrans trans, HttpServletResponse response, int status, final String _msg, final String ... _detail) { - String msgId; - String prefix; - boolean hidemsg=false; - switch(status) { - case 202: - case ERR_ActionNotCompleted: - msgId = "SVC1202"; - prefix = "Accepted, Action not complete"; - response.setStatus(/*httpstatus=*/202); - break; - - case 403: - case ERR_Policy: - case ERR_Security: - case ERR_Denied: - msgId = "SVC1403"; - prefix = "Forbidden"; - response.setStatus(/*httpstatus=*/403); - break; - - case 404: - case ERR_NotFound: - msgId = "SVC1404"; - prefix = "Not Found"; - response.setStatus(/*httpstatus=*/404); - break; - - case 406: - case ERR_BadData: - msgId="SVC1406"; - prefix = "Not Acceptable"; - response.setStatus(/*httpstatus=*/406); - break; - - case 409: - case ERR_ConflictAlreadyExists: - msgId = "SVC1409"; - prefix = "Conflict Already Exists"; - response.setStatus(/*httpstatus=*/409); - break; - - case 501: - case ERR_NotImplemented: - msgId = "SVC1501"; - prefix = "Not Implemented"; - response.setStatus(/*httpstatus=*/501); - break; - - - default: - msgId = "SVC1500"; - prefix = "General Service Error"; - 
response.setStatus(/*httpstatus=*/500); - hidemsg=true; - break; - } - - try { - StringBuilder holder = new StringBuilder(); - ERROR em = mapper().errorFromMessage(holder, msgId,prefix + ": " + _msg,_detail); - trans.checkpoint( - "ErrResp [" + - msgId + - "] " + - holder.toString(), - Env.ALWAYS); - if(hidemsg) { - holder.setLength(0); - em = mapper().errorFromMessage(holder, msgId, "Server had an issue processing this request"); - } - errDF.newData(trans).load(em).to(response.getOutputStream()); - - } catch (Exception e) { - trans.error().log(e,"unable to send response for",_msg); - } - } - - @Override - public Result check(AuthzTrans trans, HttpServletResponse resp, String perm) throws IOException { - String[] p = Split.split('|',perm); - AAFPermission ap; - switch(p.length) { - case 3: - ap = new AAFPermission(null, p[0],p[1],p[2]); - break; - case 4: - ap = new AAFPermission(p[0],p[1],p[2],p[3]); - break; - default: - return Result.err(Result.ERR_BadData,"Invalid Perm String"); - } - if(certman.aafLurPerm.fish(trans.getUserPrincipal(), ap)) { - resp.setContentType(voidResp); - resp.getOutputStream().write(0); - return Result.ok(); - } else { - return Result.err(Result.ERR_Denied,"%s does not have %s",trans.user(),ap.getKey()); - } - } - - /* (non-Javadoc) - * @see com.att.auth.certman.facade.Facade#requestCert(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) - */ - @Override - public Result requestCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca) { - TimeTaken tt = trans.start(REQUEST_CERT, Env.SUB|Env.ALWAYS); - String wt; - boolean withTrust=(wt=req.getParameter("withTrust"))!=null || TRUE.equalsIgnoreCase(wt); - try { - REQ request; - try { - Data rd = certRequestDF.newData().load(req.getInputStream()); - request = rd.asObject(); - } catch(APIException e) { - trans.error().log("Invalid Input",IN,REQUEST_CERT); - return Result.err(Result.ERR_BadData,"Invalid 
Input"); - } - - Result rcr = service.requestCert(trans,mapper.toReq(trans,request), ca); - if(rcr.notOK()) { - return Result.err(rcr); - } - -// CA certAuth = trans.get(sCertAuth,null); - Result rc = mapper.toCert(trans, rcr, withTrust); - switch(rc.status) { - case OK: - RosettaData data = certDF.newData(trans).load(rc.value); - data.to(resp.getOutputStream()); - - setContentType(resp,certDF.getOutType()); - return Result.ok(); - default: - return Result.err(rc); - } - - } catch (Exception e) { - trans.error().log(e,IN,REQUEST_CERT); - return Result.err(e); - } finally { - tt.done(); - } - } - - /* (non-Javadoc) - * @see org.onap.aaf.auth.cm.facade.Facade#requestPersonalCert(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, boolean) - */ - @Override - public Result requestPersonalCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca) { - return Result.err(Result.ERR_NotImplemented,"not implemented yet"); -// Result rcr = service.requestPersonalCert(trans,ca); -// if(rcr.notOK()) { -// return Result.err(rcr); -// } else { -// try { -// resp.setContentType("application/zip, application/octet-stream"); -// ZipOutputStream zos = new ZipOutputStream(resp.getOutputStream()); -// PrintStream ps = new PrintStream(zos); -// ZipEntry ze = new ZipEntry(trans.user()+".key"); -// zos.putNextEntry(ze); -// ps.print(rcr.value.privateString()); -// zos.closeEntry(); + { + private static final String TRUE = "TRUE"; + private static final String REQUEST_CERT = "Request New Certificate"; + private static final String RENEW_CERT = "Renew Certificate"; + private static final String DROP_CERT = "Drop Certificate"; + private static final String READ_CERTS_MECHID = "Read Certificates by MechID"; + private static final String CREATE_ARTIFACTS = "Create Deployment Artifact"; + private static final String READ_ARTIFACTS = "Read Deployment Artifact"; + private static final String UPDATE_ARTIFACTS = 
"Update Deployment Artifact"; + private static final String DELETE_ARTIFACTS = "Delete Deployment Artifact"; + + private CMService service; + + private final RosettaDF errDF; + private final RosettaDF certRequestDF, certRenewDF, certDropDF; + private final RosettaDF certDF; + private final RosettaDF artiDF; + private Mapper mapper; +// private Slot sCertAuth; + private AAF_CM certman; + private final String voidResp; + + public FacadeImpl(AAF_CM certman, + CMService service, + Mapper mapper, + Data.TYPE dataType) throws APIException { + this.service = service; + this.mapper = mapper; + this.certman = certman; + AuthzEnv env = certman.env; + //TODO: Gabe [JUnit] Static issue, talk to Jonathan + (errDF = env.newDataFactory(mapper.getClass(API.ERROR))).in(dataType).out(dataType); + (certRequestDF = env.newDataFactory(mapper.getClass(API.CERT_REQ))).in(dataType).out(dataType); + (certRenewDF = env.newDataFactory(mapper.getClass(API.CERT_RENEW))).in(dataType).out(dataType); + (certDropDF = env.newDataFactory(mapper.getClass(API.CERT_DROP))).in(dataType).out(dataType); + (certDF = env.newDataFactory(mapper.getClass(API.CERT))).in(dataType).out(dataType); + (artiDF = env.newDataFactory(mapper.getClass(API.ARTIFACTS))).in(dataType).out(dataType); +// sCertAuth = env.slot(API_Cert.CERT_AUTH); + if(artiDF.getOutType().name().contains("xml")) { + voidResp = "application/Void+xml;charset=utf-8;version=1.0,application/xml;version=1.0,*/*"; + } else { + voidResp = "application/Void+json;charset=utf-8;version=1.0,application/json;version=1.0,*/*"; + } + } + + public Mapper mapper() { + return mapper; + } + + /* (non-Javadoc) + * @see com.att.authz.facade.AuthzFacade#error(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, int) + * + * Note: Conforms to AT&T TSS RESTful Error Structure + */ + @Override + public void error(AuthzTrans trans, HttpServletResponse response, Result result) { + error(trans, response, result.status, + 
result.details==null?"":result.details.trim(), + result.variables==null?new String[0]:result.variables); + } + + @Override + public void error(AuthzTrans trans, HttpServletResponse response, int status, final String _msg, final String ... _detail) { + String msgId; + String prefix; + boolean hidemsg=false; + switch(status) { + case 202: + case ERR_ActionNotCompleted: + msgId = "SVC1202"; + prefix = "Accepted, Action not complete"; + response.setStatus(/*httpstatus=*/202); + break; + + case 403: + case ERR_Policy: + case ERR_Security: + case ERR_Denied: + msgId = "SVC1403"; + prefix = "Forbidden"; + response.setStatus(/*httpstatus=*/403); + break; + + case 404: + case ERR_NotFound: + msgId = "SVC1404"; + prefix = "Not Found"; + response.setStatus(/*httpstatus=*/404); + break; + + case 406: + case ERR_BadData: + msgId="SVC1406"; + prefix = "Not Acceptable"; + response.setStatus(/*httpstatus=*/406); + break; + + case 409: + case ERR_ConflictAlreadyExists: + msgId = "SVC1409"; + prefix = "Conflict Already Exists"; + response.setStatus(/*httpstatus=*/409); + break; + + case 501: + case ERR_NotImplemented: + msgId = "SVC1501"; + prefix = "Not Implemented"; + response.setStatus(/*httpstatus=*/501); + break; + + + default: + msgId = "SVC1500"; + prefix = "General Service Error"; + response.setStatus(/*httpstatus=*/500); + hidemsg=true; + break; + } + + try { + StringBuilder holder = new StringBuilder(); + ERROR em = mapper().errorFromMessage(holder, msgId,prefix + ": " + _msg,_detail); + trans.checkpoint( + "ErrResp [" + + msgId + + "] " + + holder.toString(), + Env.ALWAYS); + if(hidemsg) { + holder.setLength(0); + em = mapper().errorFromMessage(holder, msgId, "Server had an issue processing this request"); + } + errDF.newData(trans).load(em).to(response.getOutputStream()); + + } catch (Exception e) { + trans.error().log(e,"unable to send response for",_msg); + } + } + + @Override + public Result check(AuthzTrans trans, HttpServletResponse resp, String perm) throws 
IOException { + String[] p = Split.split('|',perm); + AAFPermission ap; + switch(p.length) { + case 3: + ap = new AAFPermission(null, p[0],p[1],p[2]); + break; + case 4: + ap = new AAFPermission(p[0],p[1],p[2],p[3]); + break; + default: + return Result.err(Result.ERR_BadData,"Invalid Perm String"); + } + if(certman.aafLurPerm.fish(trans.getUserPrincipal(), ap)) { + resp.setContentType(voidResp); + resp.getOutputStream().write(0); + return Result.ok(); + } else { + return Result.err(Result.ERR_Denied,"%s does not have %s",trans.user(),ap.getKey()); + } + } + + /* (non-Javadoc) + * @see com.att.auth.certman.facade.Facade#requestCert(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public Result requestCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca) { + TimeTaken tt = trans.start(REQUEST_CERT, Env.SUB|Env.ALWAYS); + String wt; + boolean withTrust=(wt=req.getParameter("withTrust"))!=null || TRUE.equalsIgnoreCase(wt); + try { + REQ request; + try { + Data rd = certRequestDF.newData().load(req.getInputStream()); + request = rd.asObject(); + } catch(APIException e) { + trans.error().log("Invalid Input",IN,REQUEST_CERT); + return Result.err(Result.ERR_BadData,"Invalid Input"); + } + + Result rcr = service.requestCert(trans,mapper.toReq(trans,request), ca); + if(rcr.notOK()) { + return Result.err(rcr); + } + +// CA certAuth = trans.get(sCertAuth,null); + Result rc = mapper.toCert(trans, rcr, withTrust); + switch(rc.status) { + case OK: + RosettaData data = certDF.newData(trans).load(rc.value); + data.to(resp.getOutputStream()); + + setContentType(resp,certDF.getOutType()); + return Result.ok(); + default: + return Result.err(rc); + } + + } catch (Exception e) { + trans.error().log(e,IN,REQUEST_CERT); + return Result.err(e); + } finally { + tt.done(); + } + } + + /* (non-Javadoc) + * @see 
org.onap.aaf.auth.cm.facade.Facade#requestPersonalCert(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, boolean) + */ + @Override + public Result requestPersonalCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, CA ca) { + return Result.err(Result.ERR_NotImplemented,"not implemented yet"); +// Result rcr = service.requestPersonalCert(trans,ca); +// if(rcr.notOK()) { +// return Result.err(rcr); +// } else { +// try { +// resp.setContentType("application/zip, application/octet-stream"); +// ZipOutputStream zos = new ZipOutputStream(resp.getOutputStream()); +// PrintStream ps = new PrintStream(zos); +// ZipEntry ze = new ZipEntry(trans.user()+".key"); +// zos.putNextEntry(ze); +// ps.print(rcr.value.privateString()); +// zos.closeEntry(); // -// zos.putNextEntry(new ZipEntry(trans.user()+".crt")); -// ps.print(rcr.value.asCertString()); -// zos.closeEntry(); -// -// String wt; -// if((wt=req.getParameter("withTrust"))!=null || TRUE.equalsIgnoreCase(wt)) { -// zos.putNextEntry(new ZipEntry(trans.user()+".trustCrts")); -// for(String s : ca.getTrustChain()) { -// ps.println(s); -// } -// zos.closeEntry(); -// } -// -// boolean withJKS = (wt=req.getParameter("withJKS"))!=null || TRUE.equalsIgnoreCase(wt); -// if(withJKS) { -// if(trans.getUserPrincipal() instanceof BasicPrincipal) { -// char[] cap = new String(((BasicPrincipal)trans.getUserPrincipal()).getCred()).toCharArray(); -// KeyStore ks = keystore(trans, rcr.value, ca.getTrustChain(), trans.user(), cap); -// zos.putNextEntry(new ZipEntry(trans.user()+".jks")); -// ks.store(zos, cap); -// zos.closeEntry(); -// } -// } -// -// zos.putNextEntry(new ZipEntry("cert_deploy.sh")); -// ps.println("# Deploy Certificate to ~/.aaf"); -// ps.println("if [ \"$1\" = \"\" ]; then echo \"sh deploy.sh \";exit; else chmod 700 $HOME/.aaf; fi"); -// ps.println("chmod 600 $1"); -// ps.println("if [ ! 
-e $HOME/.aaf ]; then mkdir -m 700 $HOME/.aaf; fi"); -// ps.println("THE_PWD=`pwd`"); -// ps.println("cd $HOME/.aaf"); -// ps.println("echo \"Deploying to `pwd`\""); -// ps.println("jar -xvf $THE_PWD/$1 " + trans.user()); -// ps.println("chmod 600 " + trans.user() + ".key"); -// if(withJKS) { -// ps.println("chmod 600 " + trans.user() + ".jks"); -// } -// ps.println("cd $THE_PWD"); -// ps.println("rm cert_deploy.sh"); -// zos.closeEntry(); -// +// zos.putNextEntry(new ZipEntry(trans.user()+".crt")); +// ps.print(rcr.value.asCertString()); +// zos.closeEntry(); +// +// String wt; +// if((wt=req.getParameter("withTrust"))!=null || TRUE.equalsIgnoreCase(wt)) { +// zos.putNextEntry(new ZipEntry(trans.user()+".trustCrts")); +// for(String s : ca.getTrustChain()) { +// ps.println(s); +// } +// zos.closeEntry(); +// } +// +// boolean withJKS = (wt=req.getParameter("withJKS"))!=null || TRUE.equalsIgnoreCase(wt); +// if(withJKS) { +// if(trans.getUserPrincipal() instanceof BasicPrincipal) { +// char[] cap = new String(((BasicPrincipal)trans.getUserPrincipal()).getCred()).toCharArray(); +// KeyStore ks = keystore(trans, rcr.value, ca.getTrustChain(), trans.user(), cap); +// zos.putNextEntry(new ZipEntry(trans.user()+".jks")); +// ks.store(zos, cap); +// zos.closeEntry(); +// } +// } +// +// zos.putNextEntry(new ZipEntry("cert_deploy.sh")); +// ps.println("# Deploy Certificate to ~/.aaf"); +// ps.println("if [ \"$1\" = \"\" ]; then echo \"sh deploy.sh \";exit; else chmod 700 $HOME/.aaf; fi"); +// ps.println("chmod 600 $1"); +// ps.println("if [ ! 
-e $HOME/.aaf ]; then mkdir -m 700 $HOME/.aaf; fi"); +// ps.println("THE_PWD=`pwd`"); +// ps.println("cd $HOME/.aaf"); +// ps.println("echo \"Deploying to `pwd`\""); +// ps.println("jar -xvf $THE_PWD/$1 " + trans.user()); +// ps.println("chmod 600 " + trans.user() + ".key"); +// if(withJKS) { +// ps.println("chmod 600 " + trans.user() + ".jks"); +// } +// ps.println("cd $THE_PWD"); +// ps.println("rm cert_deploy.sh"); +// zos.closeEntry(); +// // -// zos.close(); -// -// } catch (IOException | KeyStoreException | CertificateException | APIException | CertException | NoSuchAlgorithmException e) { -// return Result.err(e); -// } -// } +// zos.close(); +// +// } catch (IOException | KeyStoreException | CertificateException | APIException | CertException | NoSuchAlgorithmException e) { +// return Result.err(e); +// } +// } // -// return Result.ok(); - } - -// private KeyStore keystore(AuthzTrans trans, CertResp cr, String[] trustChain, String name, char[] cap) throws KeyStoreException, CertificateException, APIException, IOException, CertException, NoSuchAlgorithmException { -// KeyStore jks = KeyStore.getInstance("jks"); -// jks.load(null, cap); -// -// // Get the Cert(s)... 
Might include Trust store -// List lcerts = new ArrayList<>(); -// lcerts.add(cr.asCertString()); -// for(String s : trustChain) { -// lcerts.add(s); -// } -// -// Collection certColl = Factory.toX509Certificate(lcerts); -// X509Certificate[] certs = new X509Certificate[certColl.size()]; -// certColl.toArray(certs); -// KeyStore.ProtectionParameter protParam = new KeyStore.PasswordProtection(cap); -// -// PrivateKey pk = Factory.toPrivateKey(trans, cr.privateString()); -// KeyStore.PrivateKeyEntry pkEntry = -// new KeyStore.PrivateKeyEntry(pk, new Certificate[] {certs[0]}); -// jks.setEntry(name, pkEntry, protParam); -// -// int i=0; -// for(X509Certificate x509 : certs) { -// jks.setCertificateEntry("cert_"+ ++i, x509); -// } -// return jks; -// } - - @Override - public Result renewCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, boolean withTrust) { - TimeTaken tt = trans.start(RENEW_CERT, Env.SUB|Env.ALWAYS); - try { - REQ request; - try { - Data rd = certRenewDF.newData().load(req.getInputStream()); - request = rd.asObject(); - } catch(APIException e) { - trans.error().log("Invalid Input",IN,RENEW_CERT); - return Result.err(Result.ERR_BadData,"Invalid Input"); - } - -// String certAuth = trans.get(sCertAuth,null); - Result rcr = service.renewCert(trans,mapper.toRenew(trans,request)); - Result rc = mapper.toCert(trans, rcr, withTrust); - - switch(rc.status) { - case OK: - RosettaData data = certDF.newData(trans).load(rc.value); - data.to(resp.getOutputStream()); - - setContentType(resp,certDF.getOutType()); - return Result.ok(); - default: - return Result.err(rc); - } - } catch (Exception e) { - trans.error().log(e,IN,RENEW_CERT); - return Result.err(e); - } finally { - tt.done(); - } - - } - - @Override - public Result dropCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { - TimeTaken tt = trans.start(DROP_CERT, Env.SUB|Env.ALWAYS); - try { - REQ request; - try { - Data rd = 
certDropDF.newData().load(req.getInputStream()); - request = rd.asObject(); - } catch(APIException e) { - trans.error().log("Invalid Input",IN,DROP_CERT); - return Result.err(Result.ERR_BadData,"Invalid Input"); - } - - Result rv = service.dropCert(trans,mapper.toDrop(trans, request)); - switch(rv.status) { - case OK: - setContentType(resp,certRequestDF.getOutType()); - return Result.ok(); - default: - return Result.err(rv); - } - } catch (Exception e) { - trans.error().log(e,IN,DROP_CERT); - return Result.err(e); - } finally { - tt.done(); - } - } - - /* (non-Javadoc) - * @see org.onap.aaf.auth.cm.facade.Facade#readCertsByMechID(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String) - */ - @Override - public Result readCertsByMechID(AuthzTrans trans, HttpServletResponse resp, String mechID) { - TimeTaken tt = trans.start(READ_CERTS_MECHID, Env.SUB|Env.ALWAYS); - try { - Result rc = mapper.toCert(trans, service.readCertsByMechID(trans,mechID)); - switch(rc.status) { - case OK: - RosettaData data = certDF.newData(trans).load(rc.value); - data.to(resp.getOutputStream()); - - setContentType(resp,certDF.getOutType()); - return Result.ok(); - default: - return Result.err(rc); - } - } catch (Exception e) { - trans.error().log(e,IN,READ_CERTS_MECHID); - return Result.err(e); - } finally { - tt.done(); - } - } - - //////////////////////////// - // Artifacts - //////////////////////////// - @Override - public Result createArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { - TimeTaken tt = trans.start(CREATE_ARTIFACTS, Env.SUB); - try { - ARTIFACTS arti; - try { - Data rd = artiDF.newData().load(req.getInputStream()); - arti = rd.asObject(); - } catch(APIException e) { - trans.error().log("Invalid Input",IN,CREATE_ARTIFACTS); - return Result.err(Result.ERR_BadData,"Invalid Input"); - } - - return service.createArtifact(trans,mapper.toArtifact(trans,arti)); - } catch (Exception e) { - - 
trans.error().log(e,IN,CREATE_ARTIFACTS); - return Result.err(e); - } finally { - tt.done(); - } - } - - @Override - public Result readArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { - TimeTaken tt = trans.start(READ_ARTIFACTS, Env.SUB); - try { - String mechid = req.getParameter("mechid"); - String machine = req.getParameter("machine"); - String ns = req.getParameter("ns"); - - Result ra; - if( machine !=null && mechid == null) { - ra = mapper.fromArtifacts(service.readArtifactsByMachine(trans, machine)); - } else if(mechid!=null && machine==null) { - ra = mapper.fromArtifacts(service.readArtifactsByMechID(trans, mechid)); - } else if(mechid!=null && machine!=null) { - ArtiDAO.Data add = new ArtiDAO.Data(); - add.mechid = mechid; - add.machine = machine; - add.ns = ns; - ra = mapper.fromArtifacts(service.readArtifacts(trans,add)); - } else if(ns!=null) { - ra = mapper.fromArtifacts(service.readArtifactsByNs(trans, ns)); - } else { - ra = Result.err(Status.ERR_BadData,"Invalid request inputs"); - } - - if(ra.isOK()) { - RosettaData data = artiDF.newData(trans).load(ra.value); - data.to(resp.getOutputStream()); - setContentType(resp,artiDF.getOutType()); - return Result.ok(); - } else { - return Result.err(ra); - } - - } catch (Exception e) { - trans.error().log(e,IN,READ_ARTIFACTS); - return Result.err(e); - } finally { - tt.done(); - } - } - - @Override - public Result readArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine) { - TimeTaken tt = trans.start(READ_ARTIFACTS, Env.SUB); - try { - ArtiDAO.Data add = new ArtiDAO.Data(); - add.mechid = mechid; - add.machine = machine; - Result ra = mapper.fromArtifacts(service.readArtifacts(trans,add)); - if(ra.isOK()) { - RosettaData data = artiDF.newData(trans).load(ra.value); - data.to(resp.getOutputStream()); - setContentType(resp,artiDF.getOutType()); - return Result.ok(); - } else { - return Result.err(ra); - } - } catch (Exception e) { - 
trans.error().log(e,IN,READ_ARTIFACTS); - return Result.err(e); - } finally { - tt.done(); - } - } - - - @Override - public Result updateArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { - TimeTaken tt = trans.start(UPDATE_ARTIFACTS, Env.SUB); - try { - ARTIFACTS arti; - try { - Data rd = artiDF.newData().load(req.getInputStream()); - arti = rd.asObject(); - } catch(APIException e) { - trans.error().log("Invalid Input",IN,UPDATE_ARTIFACTS); - return Result.err(Result.ERR_BadData,"Invalid Input"); - } - - return service.updateArtifact(trans,mapper.toArtifact(trans,arti)); - } catch (Exception e) { - trans.error().log(e,IN,UPDATE_ARTIFACTS); - return Result.err(e); - } finally { - tt.done(); - } - } - - @Override - public Result deleteArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { - TimeTaken tt = trans.start(DELETE_ARTIFACTS, Env.SUB); - try { - ARTIFACTS arti; - try { - Data rd = artiDF.newData().load(req.getInputStream()); - arti = rd.asObject(); - } catch(APIException e) { - trans.error().log("Invalid Input",IN,DELETE_ARTIFACTS); - return Result.err(Result.ERR_BadData,"Invalid Input"); - } - - Result rv = service.deleteArtifact(trans,mapper.toArtifact(trans,arti)); - switch(rv.status) { - case OK: - setContentType(resp,artiDF.getOutType()); - } - return rv; - } catch (Exception e) { - trans.error().log(e,IN,DELETE_ARTIFACTS); - return Result.err(e); - } finally { - tt.done(); - } - } - - @Override - public Result deleteArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine) { - TimeTaken tt = trans.start(DELETE_ARTIFACTS, Env.SUB); - try { - Result rv = service.deleteArtifact(trans, mechid, machine); - switch(rv.status) { - case OK: - setContentType(resp,artiDF.getOutType()); - } - return rv; - } catch (Exception e) { - trans.error().log(e,IN,DELETE_ARTIFACTS); - return Result.err(e); - } finally { - tt.done(); - } - } +// return Result.ok(); + } + +// private KeyStore 
keystore(AuthzTrans trans, CertResp cr, String[] trustChain, String name, char[] cap) throws KeyStoreException, CertificateException, APIException, IOException, CertException, NoSuchAlgorithmException { +// KeyStore jks = KeyStore.getInstance("jks"); +// jks.load(null, cap); +// +// // Get the Cert(s)... Might include Trust store +// List lcerts = new ArrayList<>(); +// lcerts.add(cr.asCertString()); +// for(String s : trustChain) { +// lcerts.add(s); +// } +// +// Collection certColl = Factory.toX509Certificate(lcerts); +// X509Certificate[] certs = new X509Certificate[certColl.size()]; +// certColl.toArray(certs); +// KeyStore.ProtectionParameter protParam = new KeyStore.PasswordProtection(cap); +// +// PrivateKey pk = Factory.toPrivateKey(trans, cr.privateString()); +// KeyStore.PrivateKeyEntry pkEntry = +// new KeyStore.PrivateKeyEntry(pk, new Certificate[] {certs[0]}); +// jks.setEntry(name, pkEntry, protParam); +// +// int i=0; +// for(X509Certificate x509 : certs) { +// jks.setCertificateEntry("cert_"+ ++i, x509); +// } +// return jks; +// } + + @Override + public Result renewCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, boolean withTrust) { + TimeTaken tt = trans.start(RENEW_CERT, Env.SUB|Env.ALWAYS); + try { + REQ request; + try { + Data rd = certRenewDF.newData().load(req.getInputStream()); + request = rd.asObject(); + } catch(APIException e) { + trans.error().log("Invalid Input",IN,RENEW_CERT); + return Result.err(Result.ERR_BadData,"Invalid Input"); + } + +// String certAuth = trans.get(sCertAuth,null); + Result rcr = service.renewCert(trans,mapper.toRenew(trans,request)); + Result rc = mapper.toCert(trans, rcr, withTrust); + + switch(rc.status) { + case OK: + RosettaData data = certDF.newData(trans).load(rc.value); + data.to(resp.getOutputStream()); + + setContentType(resp,certDF.getOutType()); + return Result.ok(); + default: + return Result.err(rc); + } + } catch (Exception e) { + trans.error().log(e,IN,RENEW_CERT); + 
return Result.err(e); + } finally { + tt.done(); + } + + } + + @Override + public Result dropCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { + TimeTaken tt = trans.start(DROP_CERT, Env.SUB|Env.ALWAYS); + try { + REQ request; + try { + Data rd = certDropDF.newData().load(req.getInputStream()); + request = rd.asObject(); + } catch(APIException e) { + trans.error().log("Invalid Input",IN,DROP_CERT); + return Result.err(Result.ERR_BadData,"Invalid Input"); + } + + Result rv = service.dropCert(trans,mapper.toDrop(trans, request)); + switch(rv.status) { + case OK: + setContentType(resp,certRequestDF.getOutType()); + return Result.ok(); + default: + return Result.err(rv); + } + } catch (Exception e) { + trans.error().log(e,IN,DROP_CERT); + return Result.err(e); + } finally { + tt.done(); + } + } + + /* (non-Javadoc) + * @see org.onap.aaf.auth.cm.facade.Facade#readCertsByMechID(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, java.lang.String) + */ + @Override + public Result readCertsByMechID(AuthzTrans trans, HttpServletResponse resp, String mechID) { + TimeTaken tt = trans.start(READ_CERTS_MECHID, Env.SUB|Env.ALWAYS); + try { + Result rc = mapper.toCert(trans, service.readCertsByMechID(trans,mechID)); + switch(rc.status) { + case OK: + RosettaData data = certDF.newData(trans).load(rc.value); + data.to(resp.getOutputStream()); + + setContentType(resp,certDF.getOutType()); + return Result.ok(); + default: + return Result.err(rc); + } + } catch (Exception e) { + trans.error().log(e,IN,READ_CERTS_MECHID); + return Result.err(e); + } finally { + tt.done(); + } + } + + //////////////////////////// + // Artifacts + //////////////////////////// + @Override + public Result createArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { + TimeTaken tt = trans.start(CREATE_ARTIFACTS, Env.SUB); + try { + ARTIFACTS arti; + try { + Data rd = artiDF.newData().load(req.getInputStream()); + arti = 
rd.asObject(); + } catch(APIException e) { + trans.error().log("Invalid Input",IN,CREATE_ARTIFACTS); + return Result.err(Result.ERR_BadData,"Invalid Input"); + } + + return service.createArtifact(trans,mapper.toArtifact(trans,arti)); + } catch (Exception e) { + + trans.error().log(e,IN,CREATE_ARTIFACTS); + return Result.err(e); + } finally { + tt.done(); + } + } + + @Override + public Result readArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { + TimeTaken tt = trans.start(READ_ARTIFACTS, Env.SUB); + try { + String mechid = req.getParameter("mechid"); + String machine = req.getParameter("machine"); + String ns = req.getParameter("ns"); + + Result ra; + if( machine !=null && mechid == null) { + ra = mapper.fromArtifacts(service.readArtifactsByMachine(trans, machine)); + } else if(mechid!=null && machine==null) { + ra = mapper.fromArtifacts(service.readArtifactsByMechID(trans, mechid)); + } else if(mechid!=null && machine!=null) { + ArtiDAO.Data add = new ArtiDAO.Data(); + add.mechid = mechid; + add.machine = machine; + add.ns = ns; + ra = mapper.fromArtifacts(service.readArtifacts(trans,add)); + } else if(ns!=null) { + ra = mapper.fromArtifacts(service.readArtifactsByNs(trans, ns)); + } else { + ra = Result.err(Status.ERR_BadData,"Invalid request inputs"); + } + + if(ra.isOK()) { + RosettaData data = artiDF.newData(trans).load(ra.value); + data.to(resp.getOutputStream()); + setContentType(resp,artiDF.getOutType()); + return Result.ok(); + } else { + return Result.err(ra); + } + + } catch (Exception e) { + trans.error().log(e,IN,READ_ARTIFACTS); + return Result.err(e); + } finally { + tt.done(); + } + } + + @Override + public Result readArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine) { + TimeTaken tt = trans.start(READ_ARTIFACTS, Env.SUB); + try { + ArtiDAO.Data add = new ArtiDAO.Data(); + add.mechid = mechid; + add.machine = machine; + Result ra = 
mapper.fromArtifacts(service.readArtifacts(trans,add));
+ if(ra.isOK()) {
+ RosettaData data = artiDF.newData(trans).load(ra.value);
+ data.to(resp.getOutputStream());
+ setContentType(resp,artiDF.getOutType());
+ return Result.ok();
+ } else {
+ return Result.err(ra);
+ }
+ } catch (Exception e) {
+ trans.error().log(e,IN,READ_ARTIFACTS);
+ return Result.err(e);
+ } finally {
+ tt.done();
+ }
+ }
+
+
+ @Override
+ public Result updateArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+ TimeTaken tt = trans.start(UPDATE_ARTIFACTS, Env.SUB);
+ try {
+ ARTIFACTS arti;
+ try {
+ Data rd = artiDF.newData().load(req.getInputStream());
+ arti = rd.asObject();
+ } catch(APIException e) {
+ trans.error().log("Invalid Input",IN,UPDATE_ARTIFACTS);
+ return Result.err(Result.ERR_BadData,"Invalid Input");
+ }
+
+ return service.updateArtifact(trans,mapper.toArtifact(trans,arti));
+ } catch (Exception e) {
+ trans.error().log(e,IN,UPDATE_ARTIFACTS);
+ return Result.err(e);
+ } finally {
+ tt.done();
+ }
+ }
+
+ @Override
+ public Result deleteArtifacts(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) {
+ TimeTaken tt = trans.start(DELETE_ARTIFACTS, Env.SUB);
+ try {
+ ARTIFACTS arti;
+ try {
+ Data rd = artiDF.newData().load(req.getInputStream());
+ arti = rd.asObject();
+ } catch(APIException e) {
+ trans.error().log("Invalid Input",IN,DELETE_ARTIFACTS);
+ return Result.err(Result.ERR_BadData,"Invalid Input");
+ }
+
+ Result rv = service.deleteArtifact(trans,mapper.toArtifact(trans,arti));
+ switch(rv.status) {
+ case OK:
+ setContentType(resp,artiDF.getOutType());
+ }
+ return rv;
+ } catch (Exception e) {
+ trans.error().log(e,IN,DELETE_ARTIFACTS);
+ return Result.err(e);
+ } finally {
+ tt.done();
+ }
+ }
+
+ @Override
+ public Result deleteArtifacts(AuthzTrans trans, HttpServletResponse resp, String mechid, String machine) {
+ TimeTaken tt = trans.start(DELETE_ARTIFACTS, Env.SUB);
+ try {
+ Result rv = service.deleteArtifact(trans, mechid, machine);
+ switch(rv.status) {
+ case OK:
+ setContentType(resp,artiDF.getOutType());
+ }
+ return rv;
+ } catch (Exception e) {
+ trans.error().log(e,IN,DELETE_ARTIFACTS);
+ return Result.err(e);
+ } finally {
+ tt.done();
+ }
+ }
 }
\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper.java
index aadb6650..7328f099 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper.java
@@ -35,20 +35,20 @@ import org.onap.aaf.auth.layer.Result;
 public interface Mapper {
- public enum API{ERROR,VOID,CERT,CERT_REQ,CERT_RENEW,CERT_DROP,ARTIFACTS};
-
- public Class getClass(API api);
- public A newInstance(API api);
+ public enum API{ERROR,VOID,CERT,CERT_REQ,CERT_RENEW,CERT_DROP,ARTIFACTS};
+
+ public Class getClass(API api);
+ public A newInstance(API api);
- public ERROR errorFromMessage(StringBuilder holder, String msgID, String text, String... detail);
-
- public Result toCert(AuthzTrans trans, Result in, boolean withTrustChain) throws IOException;
- public Result toCert(AuthzTrans trans, Result> in);
+ public ERROR errorFromMessage(StringBuilder holder, String msgID, String text, String... detail);
+
+ public Result toCert(AuthzTrans trans, Result in, boolean withTrustChain) throws IOException;
+ public Result toCert(AuthzTrans trans, Result> in);
- public Result toReq(AuthzTrans trans, REQ req);
- public Result toRenew(AuthzTrans trans, REQ req);
- public Result toDrop(AuthzTrans trans, REQ req);
-
- public List toArtifact(AuthzTrans trans, ARTIFACTS arti);
- public Result fromArtifacts(Result> readArtifactsByMachine);
+ public Result toReq(AuthzTrans trans, REQ req);
+ public Result toRenew(AuthzTrans trans, REQ req);
+ public Result toDrop(AuthzTrans trans, REQ req);
+
+ public List toArtifact(AuthzTrans trans, ARTIFACTS arti);
+ public Result fromArtifacts(Result> readArtifactsByMachine);
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
index c06734f4..53b97626 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
@@ -49,234 +49,234 @@ import certman.v1_0.CertificateRequest; public class Mapper1_0 implements Mapper { - - @Override - public Class getClass(API api) { - switch(api) { - case CERT_REQ: return CertificateRequest.class; - case CERT_RENEW: return CertificateRenew.class; - case CERT_DROP: return CertificateDrop.class; - case CERT: return CertInfo.class; - case ARTIFACTS: return Artifacts.class; - case ERROR: return Error.class; - case VOID: return Void.class; - } - return null; - } + + @Override + public Class getClass(API api) { + switch(api) { + case CERT_REQ: return CertificateRequest.class; + case CERT_RENEW: return CertificateRenew.class; + case CERT_DROP: return CertificateDrop.class; + case CERT: return CertInfo.class; + case ARTIFACTS: return Artifacts.class; + case ERROR: return Error.class; + case VOID: return Void.class; + } + return null; + } - @SuppressWarnings("unchecked") - @Override - public A newInstance(API api) { - switch(api) { - case CERT_REQ: return (A) new CertificateRequest(); - case CERT_RENEW: return (A) new CertificateRenew(); - case CERT_DROP: return (A) new CertificateDrop(); - case CERT: return (A) new CertInfo(); - case ARTIFACTS: return (A) new Artifacts(); - case ERROR: return (A)new Error(); - case VOID: return null; - } - return null; - } + @SuppressWarnings("unchecked") + @Override + public A newInstance(API api) { + switch(api) { + case CERT_REQ: return (A) new CertificateRequest(); + case CERT_RENEW: return (A) new CertificateRenew(); + case CERT_DROP: return (A) new CertificateDrop(); + case CERT: return (A) new CertInfo(); + case ARTIFACTS: return (A) new Artifacts(); + case ERROR: return (A)new Error(); + case VOID: return null; + } + return null; + } - ////////////// Mapping Functions ///////////// - @Override - public Error errorFromMessage(StringBuilder holder, String msgID, String text, String... 
var) { - Error err = new Error(); - err.setMessageId(msgID); - // AT&T Restful Error Format requires numbers "%" placements - err.setText(Vars.convert(holder, text, var)); - for(String s : var) { - err.getVariables().add(s); - } - return err; - } + ////////////// Mapping Functions ///////////// + @Override + public Error errorFromMessage(StringBuilder holder, String msgID, String text, String... var) { + Error err = new Error(); + err.setMessageId(msgID); + // AT&T Restful Error Format requires numbers "%" placements + err.setText(Vars.convert(holder, text, var)); + for(String s : var) { + err.getVariables().add(s); + } + return err; + } - /* (non-Javadoc) - * @see com.att.authz.certman.mapper.Mapper#toCert(org.onap.aaf.auth.env.test.AuthzTrans, org.onap.aaf.auth.layer.test.Result) - */ - @Override - public Result toCert(AuthzTrans trans, Result in, boolean withTrustChain) throws IOException { - if(!in.isOK()) { - return Result.err(in); - } + /* (non-Javadoc) + * @see com.att.authz.certman.mapper.Mapper#toCert(org.onap.aaf.auth.env.test.AuthzTrans, org.onap.aaf.auth.layer.test.Result) + */ + @Override + public Result toCert(AuthzTrans trans, Result in, boolean withTrustChain) throws IOException { + if(!in.isOK()) { + return Result.err(in); + } - CertResp cin = in.value; - CertInfo cout = newInstance(API.CERT); - cout.setPrivatekey(cin.privateString()); - String value; - if((value=cin.challenge())!=null) { - cout.setChallenge(value); - } - // In Version 1, Cert is always first - cout.getCerts().add(cin.asCertString()); - // Follow with Trust Chain - if(cin.trustChain()!=null) { - for(String c : cin.trustChain()) { - if(c!=null) { - cout.getCerts().add(c); - } - } - } + CertResp cin = in.value; + CertInfo cout = newInstance(API.CERT); + cout.setPrivatekey(cin.privateString()); + String value; + if((value=cin.challenge())!=null) { + cout.setChallenge(value); + } + // In Version 1, Cert is always first + cout.getCerts().add(cin.asCertString()); + // Follow with Trust 
Chain + if(cin.trustChain()!=null) { + for(String c : cin.trustChain()) { + if(c!=null) { + cout.getCerts().add(c); + } + } + } - // Adding all the Certs in one response is a mistake. Makes it very hard for Agent to setup - // Certs in keystore versus Truststore. Separate in Version 2_0 - if(cin.trustCAs()!=null) { - for(String c : cin.trustCAs()) { - if(c!=null) { - if(!cout.getCerts().contains(c)) { - cout.getCerts().add(c); - } - } - } - } - if(cin.notes()!=null) { - boolean first = true; - StringBuilder sb = new StringBuilder(); - for(String n : cin.notes()) { - if(first) { - first = false; - } else { - sb.append('\n'); - } - sb.append(n); - } - cout.setNotes(sb.toString()); - } - List caIssuerDNs = cout.getCaIssuerDNs(); - for(String s : cin.caIssuerDNs()) { - caIssuerDNs.add(s); - } - cout.setEnv(cin.env()); - return Result.ok(cout); + // Adding all the Certs in one response is a mistake. Makes it very hard for Agent to setup + // Certs in keystore versus Truststore. Separate in Version 2_0 + if(cin.trustCAs()!=null) { + for(String c : cin.trustCAs()) { + if(c!=null) { + if(!cout.getCerts().contains(c)) { + cout.getCerts().add(c); + } + } + } + } + if(cin.notes()!=null) { + boolean first = true; + StringBuilder sb = new StringBuilder(); + for(String n : cin.notes()) { + if(first) { + first = false; + } else { + sb.append('\n'); + } + sb.append(n); + } + cout.setNotes(sb.toString()); + } + List caIssuerDNs = cout.getCaIssuerDNs(); + for(String s : cin.caIssuerDNs()) { + caIssuerDNs.add(s); + } + cout.setEnv(cin.env()); + return Result.ok(cout); - } + } - @Override - public Result toCert(AuthzTrans trans, Result> in) { - if(in.isOK()) { - CertInfo cout = newInstance(API.CERT); - List certs = cout.getCerts(); - for(CertDAO.Data cdd : in.value) { - certs.add(cdd.x509); - } - return Result.ok(cout); - } else { - return Result.err(in); - } - } + @Override + public Result toCert(AuthzTrans trans, Result> in) { + if(in.isOK()) { + CertInfo cout = 
newInstance(API.CERT); + List certs = cout.getCerts(); + for(CertDAO.Data cdd : in.value) { + certs.add(cdd.x509); + } + return Result.ok(cout); + } else { + return Result.err(in); + } + } - /* (non-Javadoc) - * @see com.att.authz.certman.mapper.Mapper#toReq(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) - */ - @Override - public Result toReq(AuthzTrans trans, BaseRequest req) { - CertificateRequest in; - try { - in = (CertificateRequest)req; - } catch(ClassCastException e) { - return Result.err(Result.ERR_BadData,"Request is not a CertificateRequest"); - } + /* (non-Javadoc) + * @see com.att.authz.certman.mapper.Mapper#toReq(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) + */ + @Override + public Result toReq(AuthzTrans trans, BaseRequest req) { + CertificateRequest in; + try { + in = (CertificateRequest)req; + } catch(ClassCastException e) { + return Result.err(Result.ERR_BadData,"Request is not a CertificateRequest"); + } - CertReq out = new CertReq(); - CertmanValidator v = new CertmanValidator(); - out.mechid=in.getMechid(); - out.fqdns=in.getFqdns(); - v.isNull("CertRequest", req).nullOrBlank("MechID", out.mechid); - v.nullBlankMin("FQDNs", out.fqdns,1); - if(v.err()) { - return Result.err(Result.ERR_BadData, v.errs()); - } - out.emails = in.getEmail(); - out.sponsor=in.getSponsor(); - out.start = in.getStart(); - out.end = in.getEnd(); - out.fqdns = in.getFqdns(); - return Result.ok(out); - } + CertReq out = new CertReq(); + CertmanValidator v = new CertmanValidator(); + out.mechid=in.getMechid(); + out.fqdns=in.getFqdns(); + v.isNull("CertRequest", req).nullOrBlank("MechID", out.mechid); + v.nullBlankMin("FQDNs", out.fqdns,1); + if(v.err()) { + return Result.err(Result.ERR_BadData, v.errs()); + } + out.emails = in.getEmail(); + out.sponsor=in.getSponsor(); + out.start = in.getStart(); + out.end = in.getEnd(); + out.fqdns = in.getFqdns(); + return Result.ok(out); + } - /* (non-Javadoc) - * @see 
com.att.authz.certman.mapper.Mapper#toRenew(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) - */ - @Override - public Result toRenew(AuthzTrans trans, BaseRequest req) { - return Result.err(Result.ERR_NotImplemented,"Not Implemented... yet"); - } + /* (non-Javadoc) + * @see com.att.authz.certman.mapper.Mapper#toRenew(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) + */ + @Override + public Result toRenew(AuthzTrans trans, BaseRequest req) { + return Result.err(Result.ERR_NotImplemented,"Not Implemented... yet"); + } - /* (non-Javadoc) - * @see com.att.authz.certman.mapper.Mapper#toDrop(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) - */ - @Override - public Result toDrop(AuthzTrans trans, BaseRequest req) { - return Result.err(Result.ERR_NotImplemented,"Not Implemented... yet"); - } + /* (non-Javadoc) + * @see com.att.authz.certman.mapper.Mapper#toDrop(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) + */ + @Override + public Result toDrop(AuthzTrans trans, BaseRequest req) { + return Result.err(Result.ERR_NotImplemented,"Not Implemented... 
yet"); + } - /* (non-Javadoc) - * @see org.onap.aaf.auth.cm.mapper.Mapper#toArtifact(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) - */ - @Override - public List toArtifact(AuthzTrans trans, Artifacts artifacts) { - List ladd = new ArrayList<>(); - for(Artifact arti : artifacts.getArtifact()) { - ArtiDAO.Data data = new ArtiDAO.Data(); - data.mechid = arti.getMechid(); - data.machine = arti.getMachine(); - data.type(true).addAll(arti.getType()); - data.ca = arti.getCa(); - data.dir = arti.getDir(); - data.os_user = arti.getOsUser(); - // Optional (on way in) - data.ns = arti.getNs(); - data.renewDays = arti.getRenewDays(); - data.notify = arti.getNotification(); - - // Ignored on way in for create/update - data.sponsor = arti.getSponsor(); - data.expires = null; - - // Derive Optional Data from Machine (Domain) if exists - if(data.machine!=null) { - if(data.ca==null && data.machine.endsWith(".att.com")) { - data.ca = "aaf"; // default - } - if(data.ns==null ) { - data.ns=FQI.reverseDomain(data.machine); - } - } - data.sans(true).addAll(arti.getSans()); - ladd.add(data); - } - return ladd; - } + /* (non-Javadoc) + * @see org.onap.aaf.auth.cm.mapper.Mapper#toArtifact(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) + */ + @Override + public List toArtifact(AuthzTrans trans, Artifacts artifacts) { + List ladd = new ArrayList<>(); + for(Artifact arti : artifacts.getArtifact()) { + ArtiDAO.Data data = new ArtiDAO.Data(); + data.mechid = arti.getMechid(); + data.machine = arti.getMachine(); + data.type(true).addAll(arti.getType()); + data.ca = arti.getCa(); + data.dir = arti.getDir(); + data.os_user = arti.getOsUser(); + // Optional (on way in) + data.ns = arti.getNs(); + data.renewDays = arti.getRenewDays(); + data.notify = arti.getNotification(); + + // Ignored on way in for create/update + data.sponsor = arti.getSponsor(); + data.expires = null; + + // Derive Optional Data from Machine (Domain) if exists + if(data.machine!=null) { + if(data.ca==null 
&& data.machine.endsWith(".att.com")) {
+ data.ca = "aaf"; // default
+ }
+ if(data.ns==null ) {
+ data.ns=FQI.reverseDomain(data.machine);
+ }
+ }
+ data.sans(true).addAll(arti.getSans());
+ ladd.add(data);
+ }
+ return ladd;
+ }
- /* (non-Javadoc)
- * @see org.onap.aaf.auth.cm.mapper.Mapper#fromArtifacts(org.onap.aaf.auth.layer.test.Result)
- */
- @Override
- public Result fromArtifacts(Result> lArtiDAO) {
- if(lArtiDAO.isOK()) {
- Artifacts artis = new Artifacts();
- for(ArtiDAO.Data arti : lArtiDAO.value) {
- Artifact a = new Artifact();
- a.setMechid(arti.mechid);
- a.setMachine(arti.machine);
- a.setSponsor(arti.sponsor);
- a.setNs(arti.ns);
- a.setCa(arti.ca);
- a.setDir(arti.dir);
- a.getType().addAll(arti.type(false));
- a.setOsUser(arti.os_user);
- a.setRenewDays(arti.renewDays);
- a.setNotification(arti.notify);
- a.getSans().addAll(arti.sans(false));
- artis.getArtifact().add(a);
- }
- return Result.ok(artis);
- } else {
- return Result.err(lArtiDAO);
- }
- }
-
-
+ /* (non-Javadoc)
+ * @see org.onap.aaf.auth.cm.mapper.Mapper#fromArtifacts(org.onap.aaf.auth.layer.test.Result)
+ */
+ @Override
+ public Result fromArtifacts(Result> lArtiDAO) {
+ if(lArtiDAO.isOK()) {
+ Artifacts artis = new Artifacts();
+ for(ArtiDAO.Data arti : lArtiDAO.value) {
+ Artifact a = new Artifact();
+ a.setMechid(arti.mechid);
+ a.setMachine(arti.machine);
+ a.setSponsor(arti.sponsor);
+ a.setNs(arti.ns);
+ a.setCa(arti.ca);
+ a.setDir(arti.dir);
+ a.getType().addAll(arti.type(false));
+ a.setOsUser(arti.os_user);
+ a.setRenewDays(arti.renewDays);
+ a.setNotification(arti.notify);
+ a.getSans().addAll(arti.sans(false));
+ artis.getArtifact().add(a);
+ }
+ return Result.ok(artis);
+ } else {
+ return Result.err(lArtiDAO);
+ }
+ }
+
+
 }
\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
index 23a0c543..d85ea2ca 100644
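Review bot: The `withTrustChain` flag of `toCert(AuthzTrans trans, Result in, boolean withTrustChain)` is never read; `cin.trustChain()` and `cin.trustCAs()` are always appended to `cout.getCerts()`, so a caller passing `false` still receives CA certificates in the same list as the end-entity certificate, which the comment inside that very method admits makes keystore/truststore separation hard for the agent — either honour the flag (`if(withTrustChain && cin.trustChain()!=null) {`) or document on the Mapper interface that it is ignored. In `toReq`, `v.isNull("CertRequest", req)` runs only after `in.getMechid()` has already been dereferenced, so a null request surfaces as a NullPointerException instead of the ERR_BadData result the validator is meant to produce; run the null check first, `v.isNull("CertRequest", req); if(v.err()) { return Result.err(Result.ERR_BadData, v.errs()); }`, before the assignments. `toArtifact` also hard-codes `data.machine.endsWith(".att.com")` to choose the default CA, which is vendor-specific in an ONAP codebase and leaves `data.ca` null for every other domain; consider reading the default domain and CA from configuration. The same three points apply to the Mapper2_0 hunk below.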
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
@@ -49,225 +49,225 @@ import certman.v1_0.CertificateRequest; public class Mapper2_0 implements Mapper { - - @Override - public Class getClass(API api) { - switch(api) { - case CERT_REQ: return CertificateRequest.class; - case CERT_RENEW: return CertificateRenew.class; - case CERT_DROP: return CertificateDrop.class; - case CERT: return CertInfo.class; - case ARTIFACTS: return Artifacts.class; - case ERROR: return Error.class; - case VOID: return Void.class; - } - return null; - } + + @Override + public Class getClass(API api) { + switch(api) { + case CERT_REQ: return CertificateRequest.class; + case CERT_RENEW: return CertificateRenew.class; + case CERT_DROP: return CertificateDrop.class; + case CERT: return CertInfo.class; + case ARTIFACTS: return Artifacts.class; + case ERROR: return Error.class; + case VOID: return Void.class; + } + return null; + } - @SuppressWarnings("unchecked") - @Override - public A newInstance(API api) { - switch(api) { - case CERT_REQ: return (A) new CertificateRequest(); - case CERT_RENEW: return (A) new CertificateRenew(); - case CERT_DROP: return (A) new CertificateDrop(); - case CERT: return (A) new CertInfo(); - case ARTIFACTS: return (A) new Artifacts(); - case ERROR: return (A)new Error(); - case VOID: return null; - } - return null; - } + @SuppressWarnings("unchecked") + @Override + public A newInstance(API api) { + switch(api) { + case CERT_REQ: return (A) new CertificateRequest(); + case CERT_RENEW: return (A) new CertificateRenew(); + case CERT_DROP: return (A) new CertificateDrop(); + case CERT: return (A) new CertInfo(); + case ARTIFACTS: return (A) new Artifacts(); + case ERROR: return (A)new Error(); + case VOID: return null; + } + return null; + } - ////////////// Mapping Functions ///////////// - @Override - public Error errorFromMessage(StringBuilder holder, String msgID, String text, String... 
var) { - Error err = new Error(); - err.setMessageId(msgID); - // AT&T Restful Error Format requires numbers "%" placements - err.setText(Vars.convert(holder, text, var)); - for(String s : var) { - err.getVariables().add(s); - } - return err; - } + ////////////// Mapping Functions ///////////// + @Override + public Error errorFromMessage(StringBuilder holder, String msgID, String text, String... var) { + Error err = new Error(); + err.setMessageId(msgID); + // AT&T Restful Error Format requires numbers "%" placements + err.setText(Vars.convert(holder, text, var)); + for(String s : var) { + err.getVariables().add(s); + } + return err; + } - /* (non-Javadoc) - * @see com.att.authz.certman.mapper.Mapper#toCert(org.onap.aaf.auth.env.test.AuthzTrans, org.onap.aaf.auth.layer.test.Result) - */ - /* (non-Javadoc) - * @see com.att.authz.certman.mapper.Mapper#toCert(org.onap.aaf.auth.env.test.AuthzTrans, org.onap.aaf.auth.layer.test.Result) - */ - @Override - public Result toCert(AuthzTrans trans, Result in, boolean withTrustChain) throws IOException { - if(!in.isOK()) { - CertResp cin = in.value; - CertInfo cout = newInstance(API.CERT); - cout.setPrivatekey(cin.privateString()); - String value; - if((value=cin.challenge())!=null) { - cout.setChallenge(value); - } - cout.getCerts().add(cin.asCertString()); - if(cin.trustChain()!=null) { - for(String c : cin.trustChain()) { - cout.getCerts().add(c); - } - } - if(cin.notes()!=null) { - boolean first = true; - StringBuilder sb = new StringBuilder(); - for(String n : cin.notes()) { - if(first) { - first = false; - } else { - sb.append('\n'); - } - sb.append(n); - } - cout.setNotes(sb.toString()); - } - - List caIssuerDNs = cout.getCaIssuerDNs(); - for(String s : cin.caIssuerDNs()) { - caIssuerDNs.add(s); - } + /* (non-Javadoc) + * @see com.att.authz.certman.mapper.Mapper#toCert(org.onap.aaf.auth.env.test.AuthzTrans, org.onap.aaf.auth.layer.test.Result) + */ + /* (non-Javadoc) + * @see 
com.att.authz.certman.mapper.Mapper#toCert(org.onap.aaf.auth.env.test.AuthzTrans, org.onap.aaf.auth.layer.test.Result) + */ + @Override + public Result toCert(AuthzTrans trans, Result in, boolean withTrustChain) throws IOException { + if(!in.isOK()) { + CertResp cin = in.value; + CertInfo cout = newInstance(API.CERT); + cout.setPrivatekey(cin.privateString()); + String value; + if((value=cin.challenge())!=null) { + cout.setChallenge(value); + } + cout.getCerts().add(cin.asCertString()); + if(cin.trustChain()!=null) { + for(String c : cin.trustChain()) { + cout.getCerts().add(c); + } + } + if(cin.notes()!=null) { + boolean first = true; + StringBuilder sb = new StringBuilder(); + for(String n : cin.notes()) { + if(first) { + first = false; + } else { + sb.append('\n'); + } + sb.append(n); + } + cout.setNotes(sb.toString()); + } + + List caIssuerDNs = cout.getCaIssuerDNs(); + for(String s : cin.caIssuerDNs()) { + caIssuerDNs.add(s); + } - cout.setEnv(cin.env()); - return Result.ok(cout); - } else { - return Result.err(in); - } - } + cout.setEnv(cin.env()); + return Result.ok(cout); + } else { + return Result.err(in); + } + } - @Override - public Result toCert(AuthzTrans trans, Result> in) { - if(in.isOK()) { - CertInfo cout = newInstance(API.CERT); - List certs = cout.getCerts(); - for(CertDAO.Data cdd : in.value) { - certs.add(cdd.x509); - } - return Result.ok(cout); - } else { - return Result.err(in); - } - } + @Override + public Result toCert(AuthzTrans trans, Result> in) { + if(in.isOK()) { + CertInfo cout = newInstance(API.CERT); + List certs = cout.getCerts(); + for(CertDAO.Data cdd : in.value) { + certs.add(cdd.x509); + } + return Result.ok(cout); + } else { + return Result.err(in); + } + } - /* (non-Javadoc) - * @see com.att.authz.certman.mapper.Mapper#toReq(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) - */ - @Override - public Result toReq(AuthzTrans trans, BaseRequest req) { - CertificateRequest in; - try { - in = (CertificateRequest)req; - } 
catch(ClassCastException e) { - return Result.err(Result.ERR_BadData,"Request is not a CertificateRequest"); - } + /* (non-Javadoc) + * @see com.att.authz.certman.mapper.Mapper#toReq(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) + */ + @Override + public Result toReq(AuthzTrans trans, BaseRequest req) { + CertificateRequest in; + try { + in = (CertificateRequest)req; + } catch(ClassCastException e) { + return Result.err(Result.ERR_BadData,"Request is not a CertificateRequest"); + } - CertReq out = new CertReq(); - CertmanValidator v = new CertmanValidator(); - v.isNull("CertRequest", req) - .nullOrBlank("MechID", out.mechid=in.getMechid()); - v.nullBlankMin("FQDNs", out.fqdns=in.getFqdns(),1); - if(v.err()) { - return Result.err(Result.ERR_BadData, v.errs()); - } + CertReq out = new CertReq(); + CertmanValidator v = new CertmanValidator(); + v.isNull("CertRequest", req) + .nullOrBlank("MechID", out.mechid=in.getMechid()); + v.nullBlankMin("FQDNs", out.fqdns=in.getFqdns(),1); + if(v.err()) { + return Result.err(Result.ERR_BadData, v.errs()); + } - out.emails = in.getEmail(); - out.sponsor=in.getSponsor(); - out.start = in.getStart(); - out.end = in.getEnd(); - out.fqdns = in.getFqdns(); - return Result.ok(out); - } + out.emails = in.getEmail(); + out.sponsor=in.getSponsor(); + out.start = in.getStart(); + out.end = in.getEnd(); + out.fqdns = in.getFqdns(); + return Result.ok(out); + } - /* (non-Javadoc) - * @see com.att.authz.certman.mapper.Mapper#toRenew(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) - */ - @Override - public Result toRenew(AuthzTrans trans, BaseRequest req) { - return Result.err(Result.ERR_NotImplemented,"Not Implemented... yet"); - } + /* (non-Javadoc) + * @see com.att.authz.certman.mapper.Mapper#toRenew(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) + */ + @Override + public Result toRenew(AuthzTrans trans, BaseRequest req) { + return Result.err(Result.ERR_NotImplemented,"Not Implemented... 
yet"); + } - /* (non-Javadoc) - * @see com.att.authz.certman.mapper.Mapper#toDrop(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) - */ - @Override - public Result toDrop(AuthzTrans trans, BaseRequest req) { - return Result.err(Result.ERR_NotImplemented,"Not Implemented... yet"); - } + /* (non-Javadoc) + * @see com.att.authz.certman.mapper.Mapper#toDrop(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) + */ + @Override + public Result toDrop(AuthzTrans trans, BaseRequest req) { + return Result.err(Result.ERR_NotImplemented,"Not Implemented... yet"); + } - /* (non-Javadoc) - * @see org.onap.aaf.auth.cm.mapper.Mapper#toArtifact(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) - */ - @Override - public List toArtifact(AuthzTrans trans, Artifacts artifacts) { - List ladd = new ArrayList<>(); - for(Artifact arti : artifacts.getArtifact()) { - ArtiDAO.Data data = new ArtiDAO.Data(); - data.mechid = arti.getMechid(); - data.machine = arti.getMachine(); - data.type(true).addAll(arti.getType()); - data.ca = arti.getCa(); - data.dir = arti.getDir(); - data.os_user = arti.getOsUser(); - // Optional (on way in) - data.ns = arti.getNs(); - data.renewDays = arti.getRenewDays(); - data.notify = arti.getNotification(); - - // Ignored on way in for create/update - data.sponsor = arti.getSponsor(); - data.expires = null; - - // Derive Optional Data from Machine (Domain) if exists - if(data.machine!=null) { - if(data.ca==null) { - if(data.machine.endsWith(".att.com")) { - data.ca = "aaf"; // default - } - } - if(data.ns==null ) { - data.ns=FQI.reverseDomain(data.machine); - } - } - data.sans(true).addAll(arti.getSans()); - ladd.add(data); - } - return ladd; - } + /* (non-Javadoc) + * @see org.onap.aaf.auth.cm.mapper.Mapper#toArtifact(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.Object) + */ + @Override + public List toArtifact(AuthzTrans trans, Artifacts artifacts) { + List ladd = new ArrayList<>(); + for(Artifact arti : artifacts.getArtifact()) { + 
ArtiDAO.Data data = new ArtiDAO.Data(); + data.mechid = arti.getMechid(); + data.machine = arti.getMachine(); + data.type(true).addAll(arti.getType()); + data.ca = arti.getCa(); + data.dir = arti.getDir(); + data.os_user = arti.getOsUser(); + // Optional (on way in) + data.ns = arti.getNs(); + data.renewDays = arti.getRenewDays(); + data.notify = arti.getNotification(); + + // Ignored on way in for create/update + data.sponsor = arti.getSponsor(); + data.expires = null; + + // Derive Optional Data from Machine (Domain) if exists + if(data.machine!=null) { + if(data.ca==null) { + if(data.machine.endsWith(".att.com")) { + data.ca = "aaf"; // default + } + } + if(data.ns==null ) { + data.ns=FQI.reverseDomain(data.machine); + } + } + data.sans(true).addAll(arti.getSans()); + ladd.add(data); + } + return ladd; + } - /* (non-Javadoc) - * @see org.onap.aaf.auth.cm.mapper.Mapper#fromArtifacts(org.onap.aaf.auth.layer.test.Result) - */ - @Override - public Result fromArtifacts(Result> lArtiDAO) { - if(lArtiDAO.isOK()) { - Artifacts artis = new Artifacts(); - for(ArtiDAO.Data arti : lArtiDAO.value) { - Artifact a = new Artifact(); - a.setMechid(arti.mechid); - a.setMachine(arti.machine); - a.setSponsor(arti.sponsor); - a.setNs(arti.ns); - a.setCa(arti.ca); - a.setDir(arti.dir); - a.getType().addAll(arti.type(false)); - a.setOsUser(arti.os_user); - a.setRenewDays(arti.renewDays); - a.setNotification(arti.notify); - a.getSans().addAll(arti.sans(false)); - artis.getArtifact().add(a); - } - return Result.ok(artis); - } else { - return Result.err(lArtiDAO); - } - } - - + /* (non-Javadoc) + * @see org.onap.aaf.auth.cm.mapper.Mapper#fromArtifacts(org.onap.aaf.auth.layer.test.Result) + */ + @Override + public Result fromArtifacts(Result> lArtiDAO) { + if(lArtiDAO.isOK()) { + Artifacts artis = new Artifacts(); + for(ArtiDAO.Data arti : lArtiDAO.value) { + Artifact a = new Artifact(); + a.setMechid(arti.mechid); + a.setMachine(arti.machine); + a.setSponsor(arti.sponsor); + 
a.setNs(arti.ns);
+ a.setCa(arti.ca);
+ a.setDir(arti.dir);
+ a.getType().addAll(arti.type(false));
+ a.setOsUser(arti.os_user);
+ a.setRenewDays(arti.renewDays);
+ a.setNotification(arti.notify);
+ a.getSans().addAll(arti.sans(false));
+ artis.getArtifact().add(a);
+ }
+ return Result.ok(artis);
+ } else {
+ return Result.err(lArtiDAO);
+ }
+ }
+
+
 }
\ No newline at end of file
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 259dfac9..62f0d680 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
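Review bot: The condition in `toCert(AuthzTrans trans, Result in, boolean withTrustChain)` is inverted: `if(!in.isOK())` enters the mapping branch on a failed result and dereferences `in.value` (presumably null for an error result), while a successful signing falls through to `return Result.err(in)`, so the freshly issued certificate and private key carried by `CertResp` are never returned to the caller. The fix is the one-line change `if(in.isOK()) {`. The `/* (non-Javadoc) ... */` block above that method is also duplicated and should be reduced to one. The `withTrustChain`, `toReq` null-check ordering and `.att.com` points raised on the Mapper1_0 hunk apply here unchanged.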
@@ -67,632 +67,632 @@ import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.util.Chrono;
 public class CMService {
- // If we add more CAs, may want to parameterize
- private static final int STD_RENEWAL = 30;
- private static final int MAX_RENEWAL = 60;
- private static final int MIN_RENEWAL = 10;
-
- public static final String REQUEST = "request";
- public static final String IGNORE_IPS = "ignoreIPs";
- public static final String RENEW = "renew";
- public static final String DROP = "drop";
- public static final String DOMAIN = "domain";
-
- private static final String CERTMAN = "certman";
- private static final String ACCESS = "access";
-
- private static final String[] NO_NOTES = new String[0];
- private final Permission root_read_permission;
- private final CertDAO certDAO;
- private final CredDAO credDAO;
- private final ArtiDAO artiDAO;
- private AAF_CM certman;
-
- // @SuppressWarnings("unchecked")
- public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
- // Jonathan 4/2015 SessionFilter unneeded...
DataStax already deals with - // Multithreading well - - HistoryDAO hd = new HistoryDAO(trans, certman.cluster, CassAccess.KEYSPACE); - CacheInfoDAO cid = new CacheInfoDAO(trans, hd); - certDAO = new CertDAO(trans, hd, cid); - credDAO = new CredDAO(trans, hd, cid); - artiDAO = new ArtiDAO(trans, hd, cid); - - this.certman = certman; - - root_read_permission=new AAFPermission( - trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF), - "access", - "*", - "read" - ); - } - - public Result requestCert(final AuthzTrans trans, final Result req, final CA ca) { - if (req.isOK()) { - - if (req.value.fqdns.isEmpty()) { - return Result.err(Result.ERR_BadData, "No Machines passed in Request"); - } - - String key = req.value.fqdns.get(0); - - // Policy 6: Requester must be granted Change permission in Namespace requested - String mechNS = FQI.reverseDomain(req.value.mechid); - if (mechNS == null) { - return Result.err(Status.ERR_Denied, "%s does not reflect a valid AAF Namespace", req.value.mechid); - } - - List notes = null; - List fqdns = new ArrayList<>(req.value.fqdns); - - String email = null; - - try { - Organization org = trans.org(); - - boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS)); - - InetAddress primary = null; - // Organize incoming information to get to appropriate Artifact - if (!fqdns.isEmpty()) { - // Accept domain wild cards, but turn into real machines - // Need *domain.com:real.machine.domain.com:san.machine.domain.com:... - if (fqdns.get(0).startsWith("*")) { // Domain set - if (!trans.fish(new AAFPermission(null,ca.getPermType(), ca.getName(), DOMAIN))) { - return Result.err(Result.ERR_Denied, - "Domain based Authorizations (" + fqdns.get(0) + ") requires Exception"); - } - - // TODO check for Permission in Add Artifact? 
- String domain = fqdns.get(0).substring(1); - fqdns.remove(0); - if (fqdns.isEmpty()) { - return Result.err(Result.ERR_Denied, "Requests using domain require machine declaration"); - } - - if (!ignoreIPs) { - InetAddress ia = InetAddress.getByName(fqdns.get(0)); - if (ia == null) { - return Result.err(Result.ERR_Denied, - "Request not made from matching IP matching domain"); - } else if (ia.getHostName().endsWith(domain)) { - primary = ia; - } - } - - } else { - for (String cn : req.value.fqdns) { - if(!ignoreIPs) { - try { - InetAddress[] ias = InetAddress.getAllByName(cn); - Set potentialSanNames = new HashSet<>(); - for (InetAddress ia1 : ias) { - InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress()); - if (primary == null && ias.length == 1 && trans.ip().equals(ia1.getHostAddress())) { - primary = ia1; - } else if (!cn.equals(ia1.getHostName()) - && !ia2.getHostName().equals(ia2.getHostAddress())) { - potentialSanNames.add(ia1.getHostName()); - } - } - } catch (UnknownHostException e1) { - return Result.err(Result.ERR_BadData, "There is no DNS lookup for %s", cn); - } - } - } - } - } - - final String host; - if(ignoreIPs) { - host = req.value.fqdns.get(0); - } else if (primary == null) { - return Result.err(Result.ERR_Denied, "Request not made from matching IP (%s)", trans.ip()); - } else { - host = primary.getHostAddress(); - } - - ArtiDAO.Data add = null; - Result> ra = artiDAO.read(trans, req.value.mechid, host); - if (ra.isOKhasData()) { - if (add == null) { - add = ra.value.get(0); // single key - } - } else { - ra = artiDAO.read(trans, req.value.mechid, key); - if (ra.isOKhasData()) { // is the Template available? 
- add = ra.value.get(0);
- add.machine = host;
- for (String s : fqdns) {
- if (!s.equals(add.machine)) {
- add.sans(true).add(s);
- }
- }
- Result rc = artiDAO.create(trans, add); // Create new Artifact from Template
- if (rc.notOK()) {
- return Result.err(rc);
- }
- } else {
- add = ra.value.get(0);
- }
- }
-
- // Add Artifact listed FQDNs
- if (add.sans != null) {
- for (String s : add.sans) {
- if (!fqdns.contains(s)) {
- fqdns.add(s);
- }
- }
- }
-
- // Policy 2: If Config marked as Expired, do not create or renew
- Date now = new Date();
- if (add.expires != null && now.after(add.expires)) {
- return Result.err(Result.ERR_Policy, "Configuration for %s %s is expired %s", add.mechid,
- add.machine, Chrono.dateFmt.format(add.expires));
- }
-
- // Policy 3: MechID must be current
- Identity muser = org.getIdentity(trans, add.mechid);
- if (muser == null) {
- return Result.err(Result.ERR_Policy, "MechID must exist in %s", org.getName());
- }
-
- // Policy 4: Sponsor must be current
- Identity ouser = muser.responsibleTo();
- if (ouser == null) {
- return Result.err(Result.ERR_Policy, "%s does not have a current sponsor at %s", add.mechid,
- org.getName());
- } else if (!ouser.isFound() || ouser.mayOwn() != null) {
- return Result.err(Result.ERR_Policy, "%s reports that %s cannot be responsible for %s",
- org.getName(), trans.user());
- }
-
- // Set Email from most current Sponsor
- email = ouser.email();
-
- // Policy 5: keep Artifact data current
- if (!ouser.fullID().equals(add.sponsor)) {
- add.sponsor = ouser.fullID();
- artiDAO.update(trans, add);
- }
-
- // Policy 7: Caller must be the MechID or have specifically delegated
- // permissions
- if (!(trans.user().equals(req.value.mechid)
- || trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), REQUEST)))) {
- return Result.err(Status.ERR_Denied, "%s must have access to modify x509 certs in NS %s",
- trans.user(), mechNS);
- }
-
- // Make sure Primary is the first in fqdns
- if (fqdns.size() > 1) {
- for (int i = 0; i < fqdns.size(); ++i) {
- if(primary==null) {
- trans.error().log("CMService var primary is null");
- } else {
- String fg = fqdns.get(i);
- if (fg!=null && fg.equals(primary.getHostName())) {
- if (i != 0) {
- String tmp = fqdns.get(0);
- fqdns.set(0, primary.getHostName());
- fqdns.set(i, tmp);
- }
- }
- }
- }
- }
- } catch (Exception e) {
- e.printStackTrace();
- trans.error().log(e);
- return Result.err(Status.ERR_Denied,
- "AppID Sponsorship cannot be determined at this time. Try later.");
- }
-
- CSRMeta csrMeta;
- try {
- csrMeta = BCFactory.createCSRMeta(ca, req.value.mechid, email, fqdns);
- X509andChain x509ac = ca.sign(trans, csrMeta);
- if (x509ac == null) {
- return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");
- }
- trans.info().printf("X509 Subject: %s", x509ac.getX509().getSubjectDN());
-
- X509Certificate x509 = x509ac.getX509();
- CertDAO.Data cdd = new CertDAO.Data();
- cdd.ca = ca.getName();
- cdd.serial = x509.getSerialNumber();
- cdd.id = req.value.mechid;
- cdd.x500 = x509.getSubjectDN().getName();
- cdd.x509 = Factory.toString(trans, x509);
- certDAO.create(trans, cdd);
-
- CredDAO.Data crdd = new CredDAO.Data();
- crdd.other = Question.random.nextInt();
- crdd.cred = getChallenge256SaltedHash(csrMeta.challenge(), crdd.other);
- crdd.expires = x509.getNotAfter();
- crdd.id = req.value.mechid;
- crdd.ns = Question.domain2ns(crdd.id);
- crdd.type = CredDAO.CERT_SHA256_RSA;
- credDAO.create(trans, crdd);
-
- CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), compileNotes(notes));
- return Result.ok(cr);
- } catch (Exception e) {
- trans.error().log(e);
- return Result.err(Result.ERR_ActionNotCompleted, e.getMessage());
- }
- } else {
- return Result.err(req);
- }
- }
-
- public Result renewCert(AuthzTrans trans, Result renew) {
- if (renew.isOK()) {
- return Result.err(Result.ERR_NotImplemented, "Not implemented yet");
- } else {
- return Result.err(renew);
- }
- }
-
- public Result dropCert(AuthzTrans trans, Result drop) {
- if (drop.isOK()) {
- return Result.err(Result.ERR_NotImplemented, "Not implemented yet");
- } else {
- return Result.err(drop);
- }
- }
-
- public Result> readCertsByMechID(AuthzTrans trans, String mechID) {
- // Policy 1: To Read, must have NS Read or is Sponsor
- String ns = Question.domain2ns(mechID);
- try {
- if (trans.user().equals(mechID) || trans.fish(new AAFPermission(ns,ACCESS, "*", "read"))
- || (trans.org().validate(trans, Organization.Policy.OWNS_MECHID, null, mechID)) == null) {
- return certDAO.readID(trans, mechID);
- } else {
- return Result.err(Result.ERR_Denied, "%s is not the ID, Sponsor or NS Owner/Admin for %s at %s",
- trans.user(), mechID, trans.org().getName());
- }
- } catch (OrganizationException e) {
- return Result.err(e);
- }
- }
-
- public Result requestPersonalCert(AuthzTrans trans, CA ca) {
- if (ca.inPersonalDomains(trans.getUserPrincipal())) {
- Organization org = trans.org();
-
- // Policy 1: MechID must be current
- Identity ouser;
- try {
- ouser = org.getIdentity(trans, trans.user());
- } catch (OrganizationException e1) {
- trans.error().log(e1);
- ouser = null;
- }
- if (ouser == null) {
- return Result.err(Result.ERR_Policy, "Requesting User must exist in %s", org.getName());
- }
-
- // Set Email from most current Sponsor
-
- CSRMeta csrMeta;
- try {
- csrMeta = BCFactory.createPersonalCSRMeta(ca, trans.user(), ouser.email());
- X509andChain x509ac = ca.sign(trans, csrMeta);
- if (x509ac == null) {
- return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");
- }
- X509Certificate x509 = x509ac.getX509();
- CertDAO.Data cdd = new CertDAO.Data();
- cdd.ca = ca.getName();
- cdd.serial = x509.getSerialNumber();
- cdd.id = trans.user();
- cdd.x500 = x509.getSubjectDN().getName();
- cdd.x509 = Factory.toString(trans, x509);
- certDAO.create(trans, cdd);
-
- CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), compileNotes(null));
- return Result.ok(cr);
- } catch (Exception e) {
- trans.error().log(e);
- return Result.err(Result.ERR_ActionNotCompleted, e.getMessage());
- }
- } else {
- return Result.err(Result.ERR_Denied, trans.user(), " not supported for CA", ca.getName());
- }
- }
-
- ///////////////
- // Artifact
- //////////////
- public Result createArtifact(AuthzTrans trans, List list) {
- CertmanValidator v = new CertmanValidator().artisRequired(list, 1);
- if (v.err()) {
- return Result.err(Result.ERR_BadData, v.errs());
- }
- for (ArtiDAO.Data add : list) {
- try {
- // Policy 1: MechID must exist in Org
- Identity muser = trans.org().getIdentity(trans, add.mechid);
- if (muser == null) {
- return Result.err(Result.ERR_Denied, "%s is not valid for %s", add.mechid, trans.org().getName());
- }
-
- // Policy 2: MechID must have valid Organization Owner
- Identity emailUser;
- if (muser.isPerson()) {
- emailUser = muser;
- } else {
- Identity ouser = muser.responsibleTo();
- if (ouser == null) {
- return Result.err(Result.ERR_Denied, "%s is not a valid Sponsor for %s at %s", trans.user(),
- add.mechid, trans.org().getName());
- }
-
- // Policy 3: Calling ID must be MechID Owner
- if (!trans.user().startsWith(ouser.id())) {
- return Result.err(Result.ERR_Denied, "%s is not the Sponsor for %s at %s", trans.user(),
- add.mechid, trans.org().getName());
- }
- emailUser = ouser;
- }
-
- // Policy 4: Renewal Days are between 10 and 60 (constants, may be
- // parameterized)
- if (add.renewDays < MIN_RENEWAL) {
- add.renewDays = STD_RENEWAL;
- } else if (add.renewDays > MAX_RENEWAL) {
- add.renewDays = MAX_RENEWAL;
- }
-
- // Policy 5: If Notify is blank, set to Owner's Email
- if (add.notify == null || add.notify.length() == 0) {
- add.notify = "mailto:" + emailUser.email();
- }
-
- // Policy 6: Only do Domain by Exception
- if (add.machine.startsWith("*")) { // Domain set
- CA ca = certman.getCA(add.ca);
-
- if (!trans.fish(new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN))) {
- return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission",
- add.machine);
- }
- }
-
- // Set Sponsor from Golden Source
- add.sponsor = emailUser.fullID();
-
- } catch (OrganizationException e) {
- return Result.err(e);
- }
- // Add to DB
- Result rv = artiDAO.create(trans, add);
- // TODO come up with Partial Reporting Scheme, or allow only one at a time.
- if (rv.notOK()) {
- return Result.err(rv);
- }
- }
- return Result.ok();
- }
-
- public Result> readArtifacts(AuthzTrans trans, ArtiDAO.Data add) throws OrganizationException {
- CertmanValidator v = new CertmanValidator().keys(add);
- if (v.err()) {
- return Result.err(Result.ERR_BadData, v.errs());
- }
- Result> data = artiDAO.read(trans, add);
- if (data.notOKorIsEmpty()) {
- return data;
- }
- add = data.value.get(0);
- if (trans.user().equals(add.mechid)
- || trans.fish(root_read_permission,
- new AAFPermission(add.ns,ACCESS, "*", "read"),
- new AAFPermission(add.ns,CERTMAN, add.ca, "read"),
- new AAFPermission(add.ns,CERTMAN, add.ca, "request"))
- || (trans.org().validate(trans, Organization.Policy.OWNS_MECHID, null, add.mechid)) == null) {
- return data;
- } else {
- return Result.err(Result.ERR_Denied,
- "%s is not %s, is not the sponsor, and doesn't have delegated permission.", trans.user(),
- add.mechid, add.ns + ".certman|" + add.ca + "|read or ...|request"); // note: reason is set by 2nd
- // case, if 1st case misses
- }
-
- }
-
- public Result> readArtifactsByMechID(AuthzTrans trans, String mechid)
- throws OrganizationException {
- CertmanValidator v = new CertmanValidator();
- v.nullOrBlank("mechid", mechid);
- if (v.err()) {
- return Result.err(Result.ERR_BadData, v.errs());
- }
- String ns = FQI.reverseDomain(mechid);
-
- String reason;
- if (trans.fish(new AAFPermission(ns, ACCESS, "*", "read"))
- || (reason = trans.org().validate(trans, Organization.Policy.OWNS_MECHID, null, mechid)) == null) {
- return artiDAO.readByMechID(trans, mechid);
- } else {
- return Result.err(Result.ERR_Denied, reason); // note: reason is set by 2nd case, if 1st case misses
- }
-
- }
-
- public Result> readArtifactsByMachine(AuthzTrans trans, String machine) {
- CertmanValidator v = new CertmanValidator();
- v.nullOrBlank("machine", machine);
- if (v.err()) {
- return Result.err(Result.ERR_BadData, v.errs());
- }
-
- // TODO do some checks?
-
- Result> rv = artiDAO.readByMachine(trans, machine);
- return rv;
- }
-
- public Result> readArtifactsByNs(AuthzTrans trans, String ns) {
- CertmanValidator v = new CertmanValidator();
- v.nullOrBlank("ns", ns);
- if (v.err()) {
- return Result.err(Result.ERR_BadData, v.errs());
- }
-
- // TODO do some checks?
-
- return artiDAO.readByNs(trans, ns);
- }
-
- public Result updateArtifact(AuthzTrans trans, List list) throws OrganizationException {
- CertmanValidator v = new CertmanValidator();
- v.artisRequired(list, 1);
- if (v.err()) {
- return Result.err(Result.ERR_BadData, v.errs());
- }
-
- // Check if requesting User is Sponsor
- // TODO - Shall we do one, or multiples?
- for (ArtiDAO.Data add : list) {
- // Policy 1: MechID must exist in Org
- Identity muser = trans.org().getIdentity(trans, add.mechid);
- if (muser == null) {
- return Result.err(Result.ERR_Denied, "%s is not valid for %s", add.mechid, trans.org().getName());
- }
-
- // Policy 2: MechID must have valid Organization Owner
- Identity ouser = muser.responsibleTo();
- if (ouser == null) {
- return Result.err(Result.ERR_Denied, "%s is not a valid Sponsor for %s at %s", trans.user(), add.mechid,
- trans.org().getName());
- }
-
- // Policy 3: Renewal Days are between 10 and 60 (constants, may be
- // parameterized)
- if (add.renewDays < MIN_RENEWAL) {
- add.renewDays = STD_RENEWAL;
- } else if (add.renewDays > MAX_RENEWAL) {
- add.renewDays = MAX_RENEWAL;
- }
-
- // Policy 4: Data is always updated with the latest Sponsor
- // Add to Sponsor, to make sure we are always up to date.
- add.sponsor = ouser.fullID();
-
- // Policy 5: If Notify is blank, set to Owner's Email
- if (add.notify == null || add.notify.length() == 0) {
- add.notify = "mailto:" + ouser.email();
- }
- // Policy 6: Only do Domain by Exception
- if (add.machine.startsWith("*")) { // Domain set
- CA ca = certman.getCA(add.ca);
- if (ca == null) {
- return Result.err(Result.ERR_BadData, "CA is required in Artifact");
- }
- if (!trans.fish(new AAFPermission(null,ca.getPermType(), add.ca, DOMAIN))) {
- return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission",
- add.machine);
- }
- }
-
- // Policy 7: only Owner may update info
- if (trans.user().startsWith(ouser.id())) {
- return artiDAO.update(trans, add);
- } else {
- return Result.err(Result.ERR_Denied, "%s may not update info for %s", trans.user(), muser.fullID());
- }
- }
- return Result.err(Result.ERR_BadData, "No Artifacts to update");
- }
-
- public Result deleteArtifact(AuthzTrans trans, String mechid, String machine) throws OrganizationException {
- CertmanValidator v = new CertmanValidator();
- v.nullOrBlank("mechid", mechid).nullOrBlank("machine", machine);
- if (v.err()) {
- return Result.err(Result.ERR_BadData, v.errs());
- }
-
- Result> rlad = artiDAO.read(trans, mechid, machine);
- if (rlad.notOKorIsEmpty()) {
- return Result.err(Result.ERR_NotFound, "Artifact for %s %s does not exist.", mechid, machine);
- }
-
- return deleteArtifact(trans, rlad.value.get(0));
- }
-
- private Result deleteArtifact(AuthzTrans trans, ArtiDAO.Data add) throws OrganizationException {
- // Policy 1: Record should be delete able only by Existing Sponsor.
- String sponsor = null;
- Identity muser = trans.org().getIdentity(trans, add.mechid);
- if (muser != null) {
- Identity ouser = muser.responsibleTo();
- if (ouser != null) {
- sponsor = ouser.fullID();
- }
- }
- // Policy 1.a: If Sponsorship is deleted in system of Record, then
- // accept deletion by sponsor in Artifact Table
- if (sponsor == null) {
- sponsor = add.sponsor;
- }
-
- String ns = FQI.reverseDomain(add.mechid);
-
- if (trans.fish(new AAFPermission(ns,ACCESS, "*", "write")) || trans.user().equals(sponsor)) {
- return artiDAO.delete(trans, add, false);
- }
- return Result.err(Result.ERR_Denied, "%1 is not allowed to delete this item", trans.user());
- }
-
- public Result deleteArtifact(AuthzTrans trans, List list) {
- CertmanValidator v = new CertmanValidator().artisRequired(list, 1);
- if (v.err()) {
- return Result.err(Result.ERR_BadData, v.errs());
- }
-
- try {
- boolean partial = false;
- Result result = null;
- for (ArtiDAO.Data add : list) {
- result = deleteArtifact(trans, add);
- if (result.notOK()) {
- partial = true;
- }
- }
- if (result == null) {
- result = Result.err(Result.ERR_BadData, "No Artifacts to delete");
- } else if (partial) {
- result.partialContent(true);
- }
- return result;
- } catch (Exception e) {
- return Result.err(e);
- }
- }
-
- private String[] compileNotes(List notes) {
- String[] rv;
- if (notes == null) {
- rv = NO_NOTES;
- } else {
- rv = new String[notes.size()];
- notes.toArray(rv);
- }
- return rv;
- }
-
- private ByteBuffer getChallenge256SaltedHash(String challenge, int salt) throws NoSuchAlgorithmException {
- ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + challenge.length());
- bb.putInt(salt);
- bb.put(challenge.getBytes());
- byte[] hash = Hash.hashSHA256(bb.array());
- return ByteBuffer.wrap(hash);
- }
+ // If we add more CAs, may want to parameterize
+ private static final int STD_RENEWAL = 30;
+ private static final int MAX_RENEWAL = 60;
+ private static final int MIN_RENEWAL = 10;
+
+ public static final String REQUEST = "request";
+ public static final String IGNORE_IPS = "ignoreIPs";
+ public static final String RENEW = "renew";
+ public static final String DROP = "drop";
+ public static final String DOMAIN = "domain";
+
+ private static final String CERTMAN = "certman";
+ private static final String ACCESS = "access";
+
+ private static final String[] NO_NOTES = new String[0];
+ private final Permission root_read_permission;
+ private final CertDAO certDAO;
+ private final CredDAO credDAO;
+ private final ArtiDAO artiDAO;
+ private AAF_CM certman;
+
+ // @SuppressWarnings("unchecked")
+ public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
+ // Jonathan 4/2015 SessionFilter unneeded... DataStax already deals with
+ // Multithreading well
+
+ HistoryDAO hd = new HistoryDAO(trans, certman.cluster, CassAccess.KEYSPACE);
+ CacheInfoDAO cid = new CacheInfoDAO(trans, hd);
+ certDAO = new CertDAO(trans, hd, cid);
+ credDAO = new CredDAO(trans, hd, cid);
+ artiDAO = new ArtiDAO(trans, hd, cid);
+
+ this.certman = certman;
+
+ root_read_permission=new AAFPermission(
+ trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF),
+ "access",
+ "*",
+ "read"
+ );
+ }
+
+ public Result requestCert(final AuthzTrans trans, final Result req, final CA ca) {
+ if (req.isOK()) {
+
+ if (req.value.fqdns.isEmpty()) {
+ return Result.err(Result.ERR_BadData, "No Machines passed in Request");
+ }
+
+ String key = req.value.fqdns.get(0);
+
+ // Policy 6: Requester must be granted Change permission in Namespace requested
+ String mechNS = FQI.reverseDomain(req.value.mechid);
+ if (mechNS == null) {
+ return Result.err(Status.ERR_Denied, "%s does not reflect a valid AAF Namespace", req.value.mechid);
+ }
+
+ List notes = null;
+ List fqdns = new ArrayList<>(req.value.fqdns);
+
+ String email = null;
+
+ try {
+ Organization org = trans.org();
+
+ boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
+
+ InetAddress primary = null;
+ // Organize incoming information to get to appropriate Artifact
+ if (!fqdns.isEmpty()) {
+ // Accept domain wild cards, but turn into real machines
+ // Need *domain.com:real.machine.domain.com:san.machine.domain.com:...
+ if (fqdns.get(0).startsWith("*")) { // Domain set
+ if (!trans.fish(new AAFPermission(null,ca.getPermType(), ca.getName(), DOMAIN))) {
+ return Result.err(Result.ERR_Denied,
+ "Domain based Authorizations (" + fqdns.get(0) + ") requires Exception");
+ }
+
+ // TODO check for Permission in Add Artifact?
+ String domain = fqdns.get(0).substring(1);
+ fqdns.remove(0);
+ if (fqdns.isEmpty()) {
+ return Result.err(Result.ERR_Denied, "Requests using domain require machine declaration");
+ }
+
+ if (!ignoreIPs) {
+ InetAddress ia = InetAddress.getByName(fqdns.get(0));
+ if (ia == null) {
+ return Result.err(Result.ERR_Denied,
+ "Request not made from matching IP matching domain");
+ } else if (ia.getHostName().endsWith(domain)) {
+ primary = ia;
+ }
+ }
+
+ } else {
+ for (String cn : req.value.fqdns) {
+ if(!ignoreIPs) {
+ try {
+ InetAddress[] ias = InetAddress.getAllByName(cn);
+ Set potentialSanNames = new HashSet<>();
+ for (InetAddress ia1 : ias) {
+ InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress());
+ if (primary == null && ias.length == 1 && trans.ip().equals(ia1.getHostAddress())) {
+ primary = ia1;
+ } else if (!cn.equals(ia1.getHostName())
+ && !ia2.getHostName().equals(ia2.getHostAddress())) {
+ potentialSanNames.add(ia1.getHostName());
+ }
+ }
+ } catch (UnknownHostException e1) {
+ return Result.err(Result.ERR_BadData, "There is no DNS lookup for %s", cn);
+ }
+ }
+ }
+ }
+ }
+
+ final String host;
+ if(ignoreIPs) {
+ host = req.value.fqdns.get(0);
+ } else if (primary == null) {
+ return Result.err(Result.ERR_Denied, "Request not made from matching IP (%s)", trans.ip());
+ } else {
+ host = primary.getHostAddress();
+ }
+
+ ArtiDAO.Data add = null;
+ Result> ra = artiDAO.read(trans, req.value.mechid, host);
+ if (ra.isOKhasData()) {
+ if (add == null) {
+ add = ra.value.get(0); // single key
+ }
+ } else {
+ ra = artiDAO.read(trans, req.value.mechid, key);
+ if (ra.isOKhasData()) { // is the Template available?
+ add = ra.value.get(0);
+ add.machine = host;
+ for (String s : fqdns) {
+ if (!s.equals(add.machine)) {
+ add.sans(true).add(s);
+ }
+ }
+ Result rc = artiDAO.create(trans, add); // Create new Artifact from Template
+ if (rc.notOK()) {
+ return Result.err(rc);
+ }
+ } else {
+ add = ra.value.get(0);
+ }
+ }
+
+ // Add Artifact listed FQDNs
+ if (add.sans != null) {
+ for (String s : add.sans) {
+ if (!fqdns.contains(s)) {
+ fqdns.add(s);
+ }
+ }
+ }
+
+ // Policy 2: If Config marked as Expired, do not create or renew
+ Date now = new Date();
+ if (add.expires != null && now.after(add.expires)) {
+ return Result.err(Result.ERR_Policy, "Configuration for %s %s is expired %s", add.mechid,
+ add.machine, Chrono.dateFmt.format(add.expires));
+ }
+
+ // Policy 3: MechID must be current
+ Identity muser = org.getIdentity(trans, add.mechid);
+ if (muser == null) {
+ return Result.err(Result.ERR_Policy, "MechID must exist in %s", org.getName());
+ }
+
+ // Policy 4: Sponsor must be current
+ Identity ouser = muser.responsibleTo();
+ if (ouser == null) {
+ return Result.err(Result.ERR_Policy, "%s does not have a current sponsor at %s", add.mechid,
+ org.getName());
+ } else if (!ouser.isFound() || ouser.mayOwn() != null) {
+ return Result.err(Result.ERR_Policy, "%s reports that %s cannot be responsible for %s",
+ org.getName(), trans.user());
+ }
+
+ // Set Email from most current Sponsor
+ email = ouser.email();
+
+ // Policy 5: keep Artifact data current
+ if (!ouser.fullID().equals(add.sponsor)) {
+ add.sponsor = ouser.fullID();
+ artiDAO.update(trans, add);
+ }
+
+ // Policy 7: Caller must be the MechID or have specifically delegated
+ // permissions
+ if (!(trans.user().equals(req.value.mechid)
+ || trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), REQUEST)))) {
+ return Result.err(Status.ERR_Denied, "%s must have access to modify x509 certs in NS %s",
+ trans.user(), mechNS);
+ }
+
+ // Make sure Primary is the first in fqdns
+ if (fqdns.size() > 1) {
+ for (int i = 0; i < fqdns.size(); ++i) {
+ if(primary==null) {
+ trans.error().log("CMService var primary is null");
+ } else {
+ String fg = fqdns.get(i);
+ if (fg!=null && fg.equals(primary.getHostName())) {
+ if (i != 0) {
+ String tmp = fqdns.get(0);
+ fqdns.set(0, primary.getHostName());
+ fqdns.set(i, tmp);
+ }
+ }
+ }
+ }
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ trans.error().log(e);
+ return Result.err(Status.ERR_Denied,
+ "AppID Sponsorship cannot be determined at this time. Try later.");
+ }
+
+ CSRMeta csrMeta;
+ try {
+ csrMeta = BCFactory.createCSRMeta(ca, req.value.mechid, email, fqdns);
+ X509andChain x509ac = ca.sign(trans, csrMeta);
+ if (x509ac == null) {
+ return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");
+ }
+ trans.info().printf("X509 Subject: %s", x509ac.getX509().getSubjectDN());
+
+ X509Certificate x509 = x509ac.getX509();
+ CertDAO.Data cdd = new CertDAO.Data();
+ cdd.ca = ca.getName();
+ cdd.serial = x509.getSerialNumber();
+ cdd.id = req.value.mechid;
+ cdd.x500 = x509.getSubjectDN().getName();
+ cdd.x509 = Factory.toString(trans, x509);
+ certDAO.create(trans, cdd);
+
+ CredDAO.Data crdd = new CredDAO.Data();
+ crdd.other = Question.random.nextInt();
+ crdd.cred = getChallenge256SaltedHash(csrMeta.challenge(), crdd.other);
+ crdd.expires = x509.getNotAfter();
+ crdd.id = req.value.mechid;
+ crdd.ns = Question.domain2ns(crdd.id);
+ crdd.type = CredDAO.CERT_SHA256_RSA;
+ credDAO.create(trans, crdd);
+
+ CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), compileNotes(notes));
+ return Result.ok(cr);
+ } catch (Exception e) {
+ trans.error().log(e);
+ return Result.err(Result.ERR_ActionNotCompleted, e.getMessage());
+ }
+ } else {
+ return Result.err(req);
+ }
+ }
+
+ public Result renewCert(AuthzTrans trans, Result renew) {
+ if (renew.isOK()) {
+ return Result.err(Result.ERR_NotImplemented, "Not implemented yet");
+ } else {
+ return Result.err(renew);
+ }
+ }
+
+ public Result dropCert(AuthzTrans trans, Result drop) {
+ if (drop.isOK()) {
+ return Result.err(Result.ERR_NotImplemented, "Not implemented yet");
+ } else {
+ return Result.err(drop);
+ }
+ }
+
+ public Result> readCertsByMechID(AuthzTrans trans, String mechID) {
+ // Policy 1: To Read, must have NS Read or is Sponsor
+ String ns = Question.domain2ns(mechID);
+ try {
+ if (trans.user().equals(mechID) || trans.fish(new AAFPermission(ns,ACCESS, "*", "read"))
+ || (trans.org().validate(trans, Organization.Policy.OWNS_MECHID, null, mechID)) == null) {
+ return certDAO.readID(trans, mechID);
+ } else {
+ return Result.err(Result.ERR_Denied, "%s is not the ID, Sponsor or NS Owner/Admin for %s at %s",
+ trans.user(), mechID, trans.org().getName());
+ }
+ } catch (OrganizationException e) {
+ return Result.err(e);
+ }
+ }
+
+ public Result requestPersonalCert(AuthzTrans trans, CA ca) {
+ if (ca.inPersonalDomains(trans.getUserPrincipal())) {
+ Organization org = trans.org();
+
+ // Policy 1: MechID must be current
+ Identity ouser;
+ try {
+ ouser = org.getIdentity(trans, trans.user());
+ } catch (OrganizationException e1) {
+ trans.error().log(e1);
+ ouser = null;
+ }
+ if (ouser == null) {
+ return Result.err(Result.ERR_Policy, "Requesting User must exist in %s", org.getName());
+ }
+
+ // Set Email from most current Sponsor
+
+ CSRMeta csrMeta;
+ try {
+ csrMeta = BCFactory.createPersonalCSRMeta(ca, trans.user(), ouser.email());
+ X509andChain x509ac = ca.sign(trans, csrMeta);
+ if (x509ac == null) {
+ return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");
+ }
+ X509Certificate x509 = x509ac.getX509();
+ CertDAO.Data cdd = new CertDAO.Data();
+ cdd.ca = ca.getName();
+ cdd.serial = x509.getSerialNumber();
+ cdd.id = trans.user();
+ cdd.x500 = x509.getSubjectDN().getName();
+ cdd.x509 = Factory.toString(trans, x509);
+ certDAO.create(trans, cdd);
+
+ CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), compileNotes(null));
+ return Result.ok(cr);
+ } catch (Exception e) {
+ trans.error().log(e);
+ return Result.err(Result.ERR_ActionNotCompleted, e.getMessage());
+ }
+ } else {
+ return Result.err(Result.ERR_Denied, trans.user(), " not supported for CA", ca.getName());
+ }
+ }
+
+ ///////////////
+ // Artifact
+ //////////////
+ public Result createArtifact(AuthzTrans trans, List list) {
+ CertmanValidator v = new CertmanValidator().artisRequired(list, 1);
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
+ }
+ for (ArtiDAO.Data add : list) {
+ try {
+ // Policy 1: MechID must exist in Org
+ Identity muser = trans.org().getIdentity(trans, add.mechid);
+ if (muser == null) {
+ return Result.err(Result.ERR_Denied, "%s is not valid for %s", add.mechid, trans.org().getName());
+ }
+
+ // Policy 2: MechID must have valid Organization Owner
+ Identity emailUser;
+ if (muser.isPerson()) {
+ emailUser = muser;
+ } else {
+ Identity ouser = muser.responsibleTo();
+ if (ouser == null) {
+ return Result.err(Result.ERR_Denied, "%s is not a valid Sponsor for %s at %s", trans.user(),
+ add.mechid, trans.org().getName());
+ }
+
+ // Policy 3: Calling ID must be MechID Owner
+ if (!trans.user().startsWith(ouser.id())) {
+ return Result.err(Result.ERR_Denied, "%s is not the Sponsor for %s at %s", trans.user(),
+ add.mechid, trans.org().getName());
+ }
+ emailUser = ouser;
+ }
+
+ // Policy 4: Renewal Days are between 10 and 60 (constants, may be
+ // parameterized)
+ if (add.renewDays < MIN_RENEWAL) {
+ add.renewDays = STD_RENEWAL;
+ } else if (add.renewDays > MAX_RENEWAL) {
+ add.renewDays = MAX_RENEWAL;
+ }
+
+ // Policy 5: If Notify is blank, set to Owner's Email
+ if (add.notify == null || add.notify.length() == 0) {
+ add.notify = "mailto:" + emailUser.email();
+ }
+
+ // Policy 6: Only do Domain by Exception
+ if (add.machine.startsWith("*")) { // Domain set
+ CA ca = certman.getCA(add.ca);
+
+ if (!trans.fish(new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN))) {
+ return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission",
+ add.machine);
+ }
+ }
+
+ // Set Sponsor from Golden Source
+ add.sponsor = emailUser.fullID();
+
+ } catch (OrganizationException e) {
+ return Result.err(e);
+ }
+ // Add to DB
+ Result rv = artiDAO.create(trans, add);
+ // TODO come up with Partial Reporting Scheme, or allow only one at a time.
+ if (rv.notOK()) {
+ return Result.err(rv);
+ }
+ }
+ return Result.ok();
+ }
+
+ public Result> readArtifacts(AuthzTrans trans, ArtiDAO.Data add) throws OrganizationException {
+ CertmanValidator v = new CertmanValidator().keys(add);
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
+ }
+ Result> data = artiDAO.read(trans, add);
+ if (data.notOKorIsEmpty()) {
+ return data;
+ }
+ add = data.value.get(0);
+ if (trans.user().equals(add.mechid)
+ || trans.fish(root_read_permission,
+ new AAFPermission(add.ns,ACCESS, "*", "read"),
+ new AAFPermission(add.ns,CERTMAN, add.ca, "read"),
+ new AAFPermission(add.ns,CERTMAN, add.ca, "request"))
+ || (trans.org().validate(trans, Organization.Policy.OWNS_MECHID, null, add.mechid)) == null) {
+ return data;
+ } else {
+ return Result.err(Result.ERR_Denied,
+ "%s is not %s, is not the sponsor, and doesn't have delegated permission.", trans.user(),
+ add.mechid, add.ns + ".certman|" + add.ca + "|read or ...|request"); // note: reason is set by 2nd
+ // case, if 1st case misses
+ }
+
+ }
+
+ public Result> readArtifactsByMechID(AuthzTrans trans, String mechid)
+ throws OrganizationException {
+ CertmanValidator v = new CertmanValidator();
+ v.nullOrBlank("mechid", mechid);
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
+ }
+ String ns = FQI.reverseDomain(mechid);
+
+ String reason;
+ if (trans.fish(new AAFPermission(ns, ACCESS, "*", "read"))
+ || (reason = trans.org().validate(trans, Organization.Policy.OWNS_MECHID, null, mechid)) == null) {
+ return artiDAO.readByMechID(trans, mechid);
+ } else {
+ return Result.err(Result.ERR_Denied, reason); // note: reason is set by 2nd case, if 1st case misses
+ }
+
+ }
+
+ public Result> readArtifactsByMachine(AuthzTrans trans, String machine) {
+ CertmanValidator v = new CertmanValidator();
+ v.nullOrBlank("machine", machine);
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
+ }
+
+ // TODO do some checks?
+
+ Result> rv = artiDAO.readByMachine(trans, machine);
+ return rv;
+ }
+
+ public Result> readArtifactsByNs(AuthzTrans trans, String ns) {
+ CertmanValidator v = new CertmanValidator();
+ v.nullOrBlank("ns", ns);
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
+ }
+
+ // TODO do some checks?
+
+ return artiDAO.readByNs(trans, ns);
+ }
+
+ public Result updateArtifact(AuthzTrans trans, List list) throws OrganizationException {
+ CertmanValidator v = new CertmanValidator();
+ v.artisRequired(list, 1);
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
+ }
+
+ // Check if requesting User is Sponsor
+ // TODO - Shall we do one, or multiples?
+ for (ArtiDAO.Data add : list) {
+ // Policy 1: MechID must exist in Org
+ Identity muser = trans.org().getIdentity(trans, add.mechid);
+ if (muser == null) {
+ return Result.err(Result.ERR_Denied, "%s is not valid for %s", add.mechid, trans.org().getName());
+ }
+
+ // Policy 2: MechID must have valid Organization Owner
+ Identity ouser = muser.responsibleTo();
+ if (ouser == null) {
+ return Result.err(Result.ERR_Denied, "%s is not a valid Sponsor for %s at %s", trans.user(), add.mechid,
+ trans.org().getName());
+ }
+
+ // Policy 3: Renewal Days are between 10 and 60 (constants, may be
+ // parameterized)
+ if (add.renewDays < MIN_RENEWAL) {
+ add.renewDays = STD_RENEWAL;
+ } else if (add.renewDays > MAX_RENEWAL) {
+ add.renewDays = MAX_RENEWAL;
+ }
+
+ // Policy 4: Data is always updated with the latest Sponsor
+ // Add to Sponsor, to make sure we are always up to date.
+ add.sponsor = ouser.fullID();
+
+ // Policy 5: If Notify is blank, set to Owner's Email
+ if (add.notify == null || add.notify.length() == 0) {
+ add.notify = "mailto:" + ouser.email();
+ }
+ // Policy 6: Only do Domain by Exception
+ if (add.machine.startsWith("*")) { // Domain set
+ CA ca = certman.getCA(add.ca);
+ if (ca == null) {
+ return Result.err(Result.ERR_BadData, "CA is required in Artifact");
+ }
+ if (!trans.fish(new AAFPermission(null,ca.getPermType(), add.ca, DOMAIN))) {
+ return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission",
+ add.machine);
+ }
+ }
+
+ // Policy 7: only Owner may update info
+ if (trans.user().startsWith(ouser.id())) {
+ return artiDAO.update(trans, add);
+ } else {
+ return Result.err(Result.ERR_Denied, "%s may not update info for %s", trans.user(), muser.fullID());
+ }
+ }
+ return Result.err(Result.ERR_BadData, "No Artifacts to update");
+ }
+
+ public Result deleteArtifact(AuthzTrans trans, String mechid, String machine) throws OrganizationException {
+ CertmanValidator v = new CertmanValidator();
+ v.nullOrBlank("mechid", mechid).nullOrBlank("machine", machine);
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
+ }
+
+ Result> rlad = artiDAO.read(trans, mechid, machine);
+ if (rlad.notOKorIsEmpty()) {
+ return Result.err(Result.ERR_NotFound, "Artifact for %s %s does not exist.", mechid, machine);
+ }
+
+ return deleteArtifact(trans, rlad.value.get(0));
+ }
+
+ private Result deleteArtifact(AuthzTrans trans, ArtiDAO.Data add) throws OrganizationException {
+ // Policy 1: Record should be delete able only by Existing Sponsor.
+ String sponsor = null;
+ Identity muser = trans.org().getIdentity(trans, add.mechid);
+ if (muser != null) {
+ Identity ouser = muser.responsibleTo();
+ if (ouser != null) {
+ sponsor = ouser.fullID();
+ }
+ }
+ // Policy 1.a: If Sponsorship is deleted in system of Record, then
+ // accept deletion by sponsor in Artifact Table
+ if (sponsor == null) {
+ sponsor = add.sponsor;
+ }
+
+ String ns = FQI.reverseDomain(add.mechid);
+
+ if (trans.fish(new AAFPermission(ns,ACCESS, "*", "write")) || trans.user().equals(sponsor)) {
+ return artiDAO.delete(trans, add, false);
+ }
+ return Result.err(Result.ERR_Denied, "%1 is not allowed to delete this item", trans.user());
+ }
+
+ public Result deleteArtifact(AuthzTrans trans, List list) {
+ CertmanValidator v = new CertmanValidator().artisRequired(list, 1);
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
+ }
+
+ try {
+ boolean partial = false;
+ Result result = null;
+ for (ArtiDAO.Data add : list) {
+ result = deleteArtifact(trans, add);
+ if (result.notOK()) {
+ partial = true;
+ }
+ }
+ if (result == null) {
+ result = Result.err(Result.ERR_BadData, "No Artifacts to delete");
+ } else if (partial) {
+ result.partialContent(true);
+ }
+ return result;
+ } catch (Exception e) {
+ return Result.err(e);
+ }
+ }
+
+ private String[] compileNotes(List notes) {
+ String[] rv;
+ if (notes == null) {
+ rv = NO_NOTES;
+ } else {
+ rv = new String[notes.size()];
+ notes.toArray(rv);
+ }
+ return rv;
+ }
+
+ private ByteBuffer getChallenge256SaltedHash(String challenge, int salt) throws NoSuchAlgorithmException {
+ ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + challenge.length());
+ bb.putInt(salt);
+ bb.put(challenge.getBytes());
+ byte[] hash = Hash.hashSHA256(bb.array());
+ return ByteBuffer.wrap(hash);
+ }
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/Code.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/Code.java
index ce2ca065..a6663ad7 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/Code.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/Code.java
@@ -28,18 +28,18 @@ import org.onap.aaf.auth.rserv.HttpCode;
 public abstract class Code extends HttpCode implements Cloneable {
- public Code(AAF_CM cma, String description, String ... roles) {
- super(cma.facade1_0, description, roles);
- // Note, the first "Code" will be created with default Facade, "JSON".
- // use clone for another Code with XML
- }
-
+ public Code(AAF_CM cma, String description, String ... roles) {
+ super(cma.facade1_0, description, roles);
+ // Note, the first "Code" will be created with default Facade, "JSON".
+ // use clone for another Code with XML
+ }
+
- public D clone(Facade1_0 facade) throws Exception {
- @SuppressWarnings("unchecked")
- D d = (D)clone();
- d.context = facade;
- return d;
- }
+ public D clone(Facade1_0 facade) throws Exception {
+ @SuppressWarnings("unchecked")
+ D d = (D)clone();
+ d.context = facade;
+ return d;
+ }
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
index d3ce0ace..ea97dd0d 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/validation/CertmanValidator.java
@@ -37,85 +37,85 @@ import org.onap.aaf.auth.validation.Validator; * */ public class CertmanValidator extends Validator{ - // Repeated Msg fragments - private static final String MECHID = "mechid"; - private static final String MACHINE = "machine"; - private static final String ARTIFACT_LIST_IS_NULL = "Artifact List is null."; - private static final String Y = "y."; - private static final String IES = "ies."; - private static final String ENTR = " entr"; - private static final String MUST_HAVE_AT_LEAST = " must have at least "; - private static final String IS_NULL = " is null."; - private static final String ARTIFACTS_MUST_HAVE_AT_LEAST = "Artifacts must have at least "; + // Repeated Msg fragments + private static final String MECHID = "mechid"; + private static final String MACHINE = "machine"; + private static final String ARTIFACT_LIST_IS_NULL = "Artifact List is null."; + private static final String Y = "y."; + private static final String IES = "ies."; + private static final String ENTR = " entr"; + private static final String MUST_HAVE_AT_LEAST = " must have at least "; + private static final String IS_NULL = " is null."; + private static final String ARTIFACTS_MUST_HAVE_AT_LEAST = "Artifacts must have at least "; - public CertmanValidator nullBlankMin(String name, List list, int min) { - if(list==null) { - msg(name + IS_NULL); - } else { - if(list.size() list, int min) { + if(list==null) { + msg(name + IS_NULL); + } else { + if(list.size() list, int min) { - if(list==null) { - msg(ARTIFACT_LIST_IS_NULL); - } else { - if(list.size() list, int min) { + if(list==null) { + msg(ARTIFACT_LIST_IS_NULL); + } else { + if(list.size() list, int min) { - if(list==null) { - msg(ARTIFACT_LIST_IS_NULL); - } else { - if(list.size() list, int min) { + if(list==null) { + msg(ARTIFACT_LIST_IS_NULL); + } else { + if(list.size()