From 1040ac183218c750779af25a0679b0904a6b1804 Mon Sep 17 00:00:00 2001 From: burdziak Date: Wed, 11 Jul 2018 12:05:51 +0200 Subject: Fixes sonar issues in CMService Change-Id: I8973b2188b53421d147b014f7187e6506fe28231 Issue-ID: AAF-368 Signed-off-by: burdziak --- .../org/onap/aaf/auth/cm/service/CMService.java | 71 ++++++++-------------- 1 file changed, 24 insertions(+), 47 deletions(-) (limited to 'auth') diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index dee788e4..376ae1b1 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java @@ -74,15 +74,16 @@ public class CMService { public static final String REQUEST = "request"; public static final String RENEW = "renew"; public static final String DROP = "drop"; -// public static final String SANS = "san"; public static final String IPS = "ips"; public static final String DOMAIN = "domain"; + + private static final String CERTMAN = ".certman"; + private static final String ACCESS = ".access"; private static final String[] NO_NOTES = new String[0]; private final CertDAO certDAO; private final CredDAO credDAO; private final ArtiDAO artiDAO; -// private DAO[] daos; private AAF_CM certman; // @SuppressWarnings("unchecked") @@ -94,11 +95,7 @@ public class CMService { certDAO = new CertDAO(trans, hd, cid); credDAO = new CredDAO(trans, hd, cid); artiDAO = new ArtiDAO(trans, hd, cid); - -// daos =(DAO[]) new DAO[] { -// hd,cid,certDAO,credDAO,artiDAO -// }; -// + this.certman = certman; } @@ -119,7 +116,7 @@ public class CMService { // Disallow non-AAF CA without special permission - if(!ca.getName().equals("aaf") && !trans.fish( new AAFPermission(mechNS+".certman", ca.getName(), REQUEST))) { + if(!"aaf".equals(ca.getName()) && !trans.fish( new AAFPermission(mechNS+CERTMAN, ca.getName(), REQUEST))) { return Result.err(Status.ERR_Denied, "'%s' does not have permission to request Certificates from Certificate Authority '%s'", trans.user(),ca.getName()); } @@ -135,7 +132,7 @@ public class CMService { InetAddress primary = null; // Organize incoming information to get to appropriate Artifact - if(fqdns.size()>=1) { + if(!fqdns.isEmpty()) { // Accept domain wild cards, but turn into real machines // Need *domain.com:real.machine.domain.com:san.machine.domain.com:... if(fqdns.get(0).startsWith("*")) { // Domain set @@ -146,16 +143,16 @@ public class CMService { //TODO check for Permission in Add Artifact? String domain = fqdns.get(0).substring(1); fqdns.remove(0); - if(fqdns.size()>=1) { - InetAddress ia = InetAddress.getByName(fqdns.get(0)); - if(ia==null) { - return Result.err(Result.ERR_Denied, "Request not made from matching IP matching domain"); - } else if(ia.getHostName().endsWith(domain)) { - primary = ia; - } - } else { - return Result.err(Result.ERR_Denied, "Requests using domain require machine declaration"); - } + if(fqdns.isEmpty()) { + return Result.err(Result.ERR_Denied, "Requests using domain require machine declaration"); + } + + InetAddress ia = InetAddress.getByName(fqdns.get(0)); + if(ia==null) { + return Result.err(Result.ERR_Denied, "Request not made from matching IP matching domain"); + } else if(ia.getHostName().endsWith(domain)) { + primary = ia; + } } else { for(String cn : req.value.fqdns) { @@ -180,7 +177,6 @@ public class CMService { if(primary==null) { return Result.err(Result.ERR_Denied, "Request not made from matching IP (%s)",trans.ip()); -// return Result.err(Result.ERR_BadData,"Calling Machine does not match DNS lookup for %s",req.value.fqdns.get(0)); } ArtiDAO.Data add = null; @@ -247,25 +243,10 @@ public class CMService { } // Policy 7: Caller must be the MechID or have specifically delegated permissions - if(!(trans.user().equals(req.value.mechid) || trans.fish(new AAFPermission(mechNS + ".certman", ca.getName() , "request")))) { + if(!(trans.user().equals(req.value.mechid) || trans.fish(new AAFPermission(mechNS + CERTMAN, ca.getName() , REQUEST)))) { return Result.err(Status.ERR_Denied, "%s must have access to modify x509 certs in NS %s",trans.user(),mechNS); } - // Policy 8: SANs only allowed by Exception... need permission - // 7/25/2017 - SAN Permission no longer required. CSO -// if(fqdns.size()>1 && !certman.aafLurPerm.fish( -// new Principal() { -// @Override -// public String getName() { -// return req.value.mechid; -// } -// }, -// new AAFPermission(ca.getPermType(), ca.getName(), SANS))) { -// if(notes==null) {notes = new ArrayList<>();} -// notes.add("Warning: Subject Alternative Names only allowed by Permission: Get CSO Exception."); -// return Result.err(Status.ERR_Denied, "%s must have a CSO Exception to work with SAN",trans.user()); -// } - // Make sure Primary is the first in fqdns if(fqdns.size()>1) { for(int i=0;i> rv = artiDAO.readByNs(trans, ns); - return rv; + return artiDAO.readByNs(trans, ns); } @@ -646,7 +623,7 @@ public class CMService { String ns = FQI.reverseDomain(add.mechid); - if(trans.fish(new AAFPermission(ns + ".access", "*", "write")) + if(trans.fish(new AAFPermission(ns + ACCESS, "*", "write")) || trans.user().equals(sponsor)) { return artiDAO.delete(trans, add, false); } -- cgit 1.2.3-korg