import java.util.regex.Pattern;
import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.local.AbsData.Reuse;
import org.onap.aaf.auth.org.EmailWarnings;
import org.onap.aaf.auth.org.Executor;
import org.onap.aaf.auth.org.Mailer;
import org.onap.aaf.auth.org.Organization;
import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.cadi.util.FQI;
import org.onap.aaf.misc.env.Env;
public class DefaultOrg implements Organization {
private static final String AAF_DATA_DIR = "aaf_data_dir";
- private static final String PROPERTY_IS_REQUIRED = " property is Required";
// Package on Purpose
final String domain;
final String atDomain;
final String realm;
- private final String NAME,mailHost,mailFrom;
+ private final String root_ns;
+
+ private final String NAME;
private final Set<String> supportedRealms;
+
public DefaultOrg(Env env, String realm) throws OrganizationException {
this.realm = realm;
supportedRealms.add(realm);
domain=FQI.reverseDomain(realm);
atDomain = '@'+domain;
- String s;
NAME=env.getProperty(realm + ".name","Default Organization");
- mailHost = env.getProperty(s=(realm + ".mailHost"), null);
- if(mailHost==null) {
- throw new OrganizationException(s + PROPERTY_IS_REQUIRED);
- }
- mailFrom = env.getProperty(s=(realm + ".mailFrom"), null);
- if(mailFrom==null) {
- throw new OrganizationException(s + PROPERTY_IS_REQUIRED);
- }
-
- // Note: This code is to avoid including javax.mail into ONAP, because there are security/licence
- // exceptions
- try {
- Class.forName("javax.mail.Session"); // ensure package is loaded
- @SuppressWarnings("unchecked")
- Class<Mailer> minst = (Class<Mailer>)Class.forName("org.onap.aaf.org.JavaxMailer");
- mailer = minst.newInstance();
- } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e1) {
- env.warn().log("JavaxMailer not loaded. Mailing disabled");
- }
-
- System.getProperties().setProperty("mail.smtp.host",mailHost);
- System.getProperties().setProperty("mail.user", mailFrom);
+ root_ns = env.getProperty(Config.AAF_ROOT_NS,Config.AAF_ROOT_NS_DEF);
try {
String defFile;
String temp=env.getProperty(defFile = (getClass().getName()+".file"));
File fIdentities=null;
- if(temp==null) {
+ if (temp==null) {
temp = env.getProperty(AAF_DATA_DIR);
- if(temp!=null) {
+ if (temp!=null) {
env.warn().log(defFile, " is not defined. Using default: ",temp+"/identities.dat");
File dir = new File(temp);
fIdentities=new File(dir,"identities.dat");
- if(!fIdentities.exists()) {
+ if (!fIdentities.exists()) {
env.warn().log("No",fIdentities.getCanonicalPath(),"exists. Creating.");
- if(!dir.exists()) {
+ if (!dir.exists()) {
dir.mkdirs();
}
fIdentities.createNewFile();
}
+
}
} else {
fIdentities = new File(temp);
- if(!fIdentities.exists()) {
+ if (!fIdentities.exists()) {
String dataDir = env.getProperty(AAF_DATA_DIR);
- if(dataDir!=null) {
+ if (dataDir!=null) {
fIdentities = new File(dataDir,temp);
}
}
}
- if(fIdentities!=null && fIdentities.exists()) {
+ if (fIdentities!=null && fIdentities.exists()) {
identities = new Identities(fIdentities);
} else {
- if(fIdentities==null) {
- throw new OrganizationException("No Identities");
+ if (fIdentities==null) {
+ throw new OrganizationException("No Identities: set \"" + AAF_DATA_DIR + '"');
} else {
throw new OrganizationException(fIdentities.getCanonicalPath() + " does not exist.");
}
}
+
+ File fRevoked=null;
+ temp=env.getProperty(getClass().getName()+".file.revoked");
+ if(temp==null) {
+ temp = env.getProperty(AAF_DATA_DIR);
+ if (temp!=null) {
+ File dir = new File(temp);
+ fRevoked=new File(dir,"revoked.dat");
+ }
+ } else {
+ fRevoked = new File(temp);
+ }
+ if (fRevoked!=null && fRevoked.exists()) {
+ revoked = new Identities(fRevoked);
+ } else {
+ revoked = null;
+ }
+
} catch (IOException e) {
throw new OrganizationException(e);
}
static final List<String> NULL_DELEGATES = new ArrayList<>();
public Identities identities;
+ public Identities revoked;
private boolean dryRun;
private Mailer mailer;
public enum Types {Employee, Contractor, Application, NotActive};
static {
typeSet = new HashSet<>();
- for(Types t : Types.values()) {
+ for (Types t : Types.values()) {
typeSet.add(t.name());
}
}
return new DefaultOrgIdentity(trans,at<0?id:id.substring(0, at),this);
}
+ /**
+ * If the ID isn't in the revoked file, if it exists, it is revoked.
+ */
+ @Override
+ public boolean isRevoked(AuthzTrans trans, String key) {
+ if(revoked!=null) {
+ try {
+ revoked.open(trans, DefaultOrgIdentity.TIMEOUT);
+ try {
+ Reuse r = revoked.reuse();
+ int at = key.indexOf(domain);
+ String search;
+ if (at>=0) {
+ search = key.substring(0,at);
+ } else {
+ search = key;
+ }
+ return revoked.find(search, r)!=null;
+ } finally {
+ revoked.close(trans);
+ }
+ } catch (IOException e) {
+ trans.error().log(e);
+ }
+ }
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see org.onap.aaf.auth.org.Organization#getEsclaations(org.onap.aaf.auth.env.AuthzTrans, java.lang.String, int)
+ */
+ @Override
+ public List<Identity> getIDs(AuthzTrans trans, String user, int escalate) throws OrganizationException {
+ List<Identity> rv = new ArrayList<>();
+ int end = Math.min(3,Math.abs(escalate));
+ Identity id = null;
+ for(int i=0;i<end;++i) {
+ if(id==null) {
+ id = getIdentity(trans,user);
+ } else {
+ id = id.responsibleTo();
+ }
+ if(id==null) {
+ break;
+ } else {
+ rv.add(id);
+ }
+ }
+ return rv;
+ }
+
// Note: Return a null if found; return a String Message explaining why not found.
@Override
public String isValidID(final AuthzTrans trans, final String id) {
// have domain?
int at = id.indexOf('@');
String sid;
- if(at > 0) {
+ if (at > 0) {
// Use this to prevent passwords to any but THIS domain.
-// if(!id.regionMatches(at+1, domain, 0, id.length()-at-1)) {
+// if (!id.regionMatches(at+1, domain, 0, id.length()-at-1)) {
// return false;
// }
sid = id.substring(0,at);
return isValidID(trans, sid)==null;
// Check Pattern (if checking existing is too long)
- // if(id.endsWith(SUFFIX) && ID_PATTERN.matcher(id).matches()) {
+ // if (id.endsWith(SUFFIX) && ID_PATTERN.matcher(id).matches()) {
// return true;
// }
// return false;
/**
* ( # Start of group
* (?=.*[a-z,A-Z]) # must contain one character
- *
- * (?=.*\d) # must contain one digit from 0-9
+ *
+ * (?=.*\d) # must contain one digit from 0-9
* OR
* (?=.*[@#$%]) # must contain one special symbols in the list SPEC_CHARS
- *
+ *
* . # match anything with previous condition checking
* {6,20} # length at least 6 characters and maximum of 20
* ) # End of group
*/
@Override
public String isValidPassword(final AuthzTrans trans, final String user, final String password, final String... prev) {
- for(String p : prev) {
- if(password.contains(p)) { // A more sophisticated algorithm might be better.
+ for (String p : prev) {
+ if (password.contains(p)) { // A more sophisticated algorithm might be better.
return "Password too similar to previous passwords";
}
}
// If you have an Organization user/Password scheme, replace the following
- if(PASS_PATTERN.matcher(password).matches()) {
+ if (PASS_PATTERN.matcher(password).matches()) {
return "";
}
return "Password does not match " + NAME + " Password Standards";
// Extending Password give 5 extra days, max 8 days from now
rv.add(GregorianCalendar.DATE, 5);
now.add(GregorianCalendar.DATE, 8);
- if(rv.after(now)) {
+ if (rv.after(now)) {
rv = now;
}
break;
// Delegations expire max in 2 months, renewable to 3
rv.add(GregorianCalendar.MONTH, 2);
now.add(GregorianCalendar.MONTH, 3);
- if(rv.after(now)) {
+ if (rv.after(now)) {
rv = now;
}
break;
public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException {
Identity orgIdentity = getIdentity(trans, user);
List<Identity> orgIdentitys = new ArrayList<>();
- if(orgIdentity!=null) {
+ if (orgIdentity!=null) {
Identity supervisor = orgIdentity.responsibleTo();
- if(supervisor!=null) {
+ if (supervisor!=null) {
orgIdentitys.add(supervisor);
}
}
@Override
public String validate(AuthzTrans trans, Policy policy, Executor executor, String... vars) throws OrganizationException {
+ String user;
switch(policy) {
case OWNS_MECHID:
case CREATE_MECHID:
- if(vars.length>0) {
+ if (vars.length>0) {
DefaultOrgIdentity thisID = getIdentity(trans,vars[0]);
- if("a".equals(thisID.identity.status)) { // MechID
+ if ("a".equals(thisID.identity.status)) { // MechID
DefaultOrgIdentity requestor = getIdentity(trans, trans.user());
- if(requestor!=null) {
+ if (requestor!=null) {
Identity mechid = getIdentity(trans, vars[0]);
- if(mechid!=null) {
+ if (mechid!=null) {
Identity sponsor = mechid.responsibleTo();
- if(sponsor!=null && requestor.fullID().equals(sponsor.fullID())) {
+ if (sponsor!=null && requestor.fullID().equals(sponsor.fullID())) {
return null;
} else {
return trans.user() + " is not the Sponsor of MechID " + vars[0];
case CREATE_MECHID_BY_PERM_ONLY:
return getName() + " only allows sponsors to create MechIDs";
+ case MAY_EXTEND_CRED_EXPIRES:
+ // If parm, use it, otherwise, trans
+ user = vars.length>1?vars[1]:trans.user();
+ return executor.hasPermission(user, root_ns,"password", root_ns , "extend")
+ ?null:user + " does not have permission to extend passwords at " + getName();
+
default:
return policy.name() + " is unsupported at " + getName();
}
private String extractRealm(final String r) {
int at;
- if((at=r.indexOf('@'))>=0) {
+ if ((at=r.indexOf('@'))>=0) {
return FQI.reverseDomain(r.substring(at+1));
}
return r;
}
@Override
public boolean supportsRealm(final String r) {
- if(r.endsWith(realm)) {
+ if (r.endsWith(realm)) {
return true;
} else {
String erealm = extractRealm(r);
- for(String sr : supportedRealms) {
- if(erealm.startsWith(sr)) {
+ for (String sr : supportedRealms) {
+ if (erealm.startsWith(sr)) {
return true;
}
}
}
return false;
}
+
+ @Override
+ public String supportedDomain(String user) {
+ if(user!=null) {
+ int after_at = user.indexOf('@')+1;
+ if(after_at<user.length()) {
+ String ud = FQI.reverseDomain(user);
+ if(ud.startsWith(getDomain())) {
+ return getDomain();
+ }
+ for(String s : supportedRealms) {
+ if(ud.startsWith(s)) {
+ return FQI.reverseDomain(s);
+ }
+ }
+ }
+ }
+ return null;
+ }
@Override
public synchronized void addSupportedRealm(final String r) {
public int sendEmail(AuthzTrans trans, List<String> toList, List<String> ccList, String subject, String body,
Boolean urgent) throws OrganizationException {
if (mailer!=null) {
+ String mailFrom = mailer.mailFrom();
List<String> to = new ArrayList<>();
- for(String em : toList) {
- if(em.indexOf('@')<0) {
+ for (String em : toList) {
+ if (em.indexOf('@')<0) {
to.add(new DefaultOrgIdentity(trans, em, this).email());
} else {
to.add(em);
}
List<String> cc = new ArrayList<>();
- if(ccList!=null) {
- if(!ccList.isEmpty()) {
+ if (ccList!=null) {
+ if (!ccList.isEmpty()) {
- for(String em : ccList) {
- if(em.indexOf('@')<0) {
+ for (String em : ccList) {
+ if (em.indexOf('@')<0) {
cc.add(new DefaultOrgIdentity(trans, em, this).email());
} else {
cc.add(em);
}
}
- return mailer.sendEmail(trans,dryRun,mailFrom,to,cc,subject,body,urgent);
+ return mailer.sendEmail(trans,dryRun?"DefaultOrg":null,to,cc,subject,body,urgent)?0:1;
} else {
return 0;
}