From ca76fbda94492f1b0c895ff0f4070381f17472f0 Mon Sep 17 00:00:00 2001
From: Instrumental <jonathan.gathman@att.com>
Date: Mon, 2 Jul 2018 21:41:55 -0500
Subject: Add ability for BAuth by domain

Issue-ID: AAF-361
Change-Id: I6f437ffcfef5555f44acfb32fd6020f86f8cf403
Signed-off-by: Instrumental <jonathan.gathman@att.com>
---
 .../onap/aaf/auth/direct/DirectCertIdentity.java   |  2 +-
 .../org/onap/aaf/auth/cm/service/CMService.java    | 29 ++++++++-----
 .../java/org/onap/aaf/auth/server/AbsService.java  |  1 +
 .../org/onap/aaf/auth/service/AAF_Service.java     |  6 +--
 .../aaf/auth/service/AuthzCassServiceImpl.java     |  1 -
 .../org/onap/aaf/auth/service/api/API_Creds.java   | 47 ++++++++++++++--------
 6 files changed, 54 insertions(+), 32 deletions(-)

(limited to 'auth')

diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
index b5fcd690..2c0c054b 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
@@ -66,7 +66,7 @@ public class DirectCertIdentity implements CertIdentity {
 		Result<List<Data>> cresp = certDAO.read(trans, ByteBuffer.wrap(fingerprint));
 		if(cresp.isOKhasData()) {
 			Data cdata = cresp.value.get(0);
-			return new X509Principal(cdata.id,cert,certBytes);
+			return new X509Principal(cdata.id,cert,certBytes,null);
 		}
 		return null;
 	}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 8d39f540..ea65659a 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -426,17 +426,24 @@ public class CMService {
 				}
 				
 				// Policy 2: MechID must have valid Organization Owner
-				Identity ouser = muser.responsibleTo();
-				if(ouser == null) {
-					return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
-							trans.user(),add.mechid,trans.org().getName());
+				Identity emailUser;
+				if(muser.isPerson()) {
+					emailUser = muser;
+				} else {
+					Identity ouser = muser.responsibleTo();
+					if(ouser == null) {
+						return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
+								trans.user(),add.mechid,trans.org().getName());
+					}
+
+					// Policy 3: Calling ID must be MechID Owner
+					if(!trans.user().equals(ouser.fullID())) {
+						return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
+								trans.user(),add.mechid,trans.org().getName());
+					}
+					emailUser = ouser;
 				}
 				
-				// Policy 3: Calling ID must be MechID Owner
-				if(!trans.user().equals(ouser.fullID())) {
-					return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
-							trans.user(),add.mechid,trans.org().getName());
-				}
 
 				// Policy 4: Renewal Days are between 10 and 60 (constants, may be parameterized)
 				if(add.renewDays<MIN_RENEWAL) {
@@ -447,7 +454,7 @@ public class CMService {
 				
 				// Policy 5: If Notify is blank, set to Owner's Email
 				if(add.notify==null || add.notify.length()==0) {
-					add.notify = "mailto:"+ouser.email();
+					add.notify = "mailto:"+emailUser.email();
 				}
 				
 				// Policy 6: Only do Domain by Exception
@@ -462,7 +469,7 @@ public class CMService {
 				}
 
 				// Set Sponsor from Golden Source
-				add.sponsor = ouser.fullID();
+				add.sponsor = emailUser.fullID();
 				
 				
 			} catch (OrganizationException e) {
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
index af6c88dc..0c28c7ca 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
@@ -186,4 +186,5 @@ public abstract class AbsService<ENV extends BasicEnv, TRANS extends Trans> exte
 		}
 		return def;
 	}
+
 }
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
index 3ae2fbfb..40640007 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
@@ -163,9 +163,9 @@ public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> {
 		try {
         	Object[] atl=new Object[additionalTafLurs.length+2];
         	atl[0]=new DirectAAFLur(env,question); // Note, this will be assigned by AuthzTransFilter to TrustChecker
-			atl[1]=new BasicHttpTaf(env, directAAFUserPass,
-				domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
-				false);
+			atl[1]= new BasicHttpTaf(env, directAAFUserPass,
+					domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
+					false);
 
 	        if(additionalTafLurs.length>0) {
 	        	System.arraycopy(additionalTafLurs, 0, atl, 2, additionalTafLurs.length);
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
index 519721ce..f3207798 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
@@ -532,7 +532,6 @@ public class AuthzCassServiceImpl	<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
 		NSS nss = mapper.newInstance(API.NSS);
 		// Note: "loadNamespace" already validates view of Namespace
 		return mapper.nss(trans, rn.value, nss);
-
 	}
 
 	@ApiDoc(
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
index d31c9d01..390c3089 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
@@ -42,9 +42,11 @@ import org.onap.aaf.auth.service.Code;
 import org.onap.aaf.auth.service.facade.AuthzFacade;
 import org.onap.aaf.auth.service.mapper.Mapper.API;
 import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.CredVal.Type;
 import org.onap.aaf.cadi.Symm;
 import org.onap.aaf.cadi.principal.BasicPrincipal;
 import org.onap.aaf.cadi.principal.X509Principal;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 
@@ -90,23 +92,36 @@ public class API_Creds {
 					// have to check Basic Auth here, because it might be CSP.
 					String authz = req.getHeader("Authorization");
 					if(authz.startsWith("Basic ")) {
-						String decoded = Symm.base64noSplit.decode(authz.substring(6));
-						int colon = decoded.indexOf(':');
-						TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
-						try {
-							if(directAAFUserPass.validate(
-									decoded.substring(0,colon), 
-									CredVal.Type.PASSWORD , 
-									decoded.substring(colon+1).getBytes(),trans)) {
-								
-								resp.setStatus(HttpStatus.OK_200);
-							} else {
-								// DME2 at this version crashes without some sort of response
-								resp.getOutputStream().print("");
-								resp.setStatus(HttpStatus.FORBIDDEN_403);
+						BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf(); 
+						if(bht!=null) {
+							BasicPrincipal bp = new BasicPrincipal(authz,"");
+							CredVal cv = bht.getCredVal(bp.getDomain());
+							if(cv!=null) {
+								if(cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) {
+									resp.setStatus(HttpStatus.OK_200);
+								} else {
+									resp.setStatus(HttpStatus.FORBIDDEN_403);
+								}
+							}
+						} else {
+							String decoded = Symm.base64noSplit.decode(authz.substring(6));
+							int colon = decoded.indexOf(':');
+							TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
+							try {
+								if(directAAFUserPass.validate(
+										decoded.substring(0,colon), 
+										CredVal.Type.PASSWORD , 
+										decoded.substring(colon+1).getBytes(),trans)) {
+									
+									resp.setStatus(HttpStatus.OK_200);
+								} else {
+									// DME2 at this version crashes without some sort of response
+									resp.getOutputStream().print("");
+									resp.setStatus(HttpStatus.FORBIDDEN_403);
+								}
+							} finally {
+								tt.done();
 							}
-						} finally {
-							tt.done();
 						}
 					}
 				} else if(p == null) {
-- 
cgit 1.2.3-korg