X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-cass%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fdao%2Fhl%2FQuestion.java;h=2e8e55f5b068fda7fde27d8d8d807f766d14cb3e;hb=274e4bc9d5afa66a788dfab966984e8d60a22b6d;hp=bd0c8355631c44df494bbe77176c55a7f4d24d47;hpb=ff1417ff60baee231a28272f9a16ef2c9c8ea0a2;p=aaf%2Fauthz.git diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index bd0c8355..2e8e55f5 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -26,13 +26,13 @@ import java.nio.ByteBuffer; import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.ArrayList; -import java.util.Collections; +import java.util.Collection; import java.util.Date; import java.util.HashSet; import java.util.List; import java.util.Map; -import java.util.Random; import java.util.Set; +import java.util.TreeMap; import java.util.TreeSet; import org.onap.aaf.auth.common.Define; @@ -45,6 +45,7 @@ import org.onap.aaf.auth.dao.cached.CachedNSDAO; import org.onap.aaf.auth.dao.cached.CachedPermDAO; import org.onap.aaf.auth.dao.cached.CachedRoleDAO; import org.onap.aaf.auth.dao.cached.CachedUserRoleDAO; +import org.onap.aaf.auth.dao.cached.FileGetter; import org.onap.aaf.auth.dao.cass.ApprovalDAO; import org.onap.aaf.auth.dao.cass.CacheInfoDAO; import org.onap.aaf.auth.dao.cass.CertDAO; @@ -80,9 +81,9 @@ import com.datastax.driver.core.Cluster; /** * Question HL DAO - * + * * A Data Access Combination Object which asks Security and other Questions - * + * * @author Jonathan * */ @@ -124,7 +125,7 @@ public class Question { static Slot PERMS; private static Set specialLog = null; - public static final Random random = new SecureRandom(); + public static final SecureRandom random = new SecureRandom(); private static long traceID = random.nextLong(); private static Slot specialLogSlot = null; private static Slot transIDSlot = null; @@ -132,61 +133,62 @@ public class Question { private final HistoryDAO historyDAO; public HistoryDAO historyDAO() { - return historyDAO; + return historyDAO; } - + private final CachedNSDAO nsDAO; public CachedNSDAO nsDAO() { - return nsDAO; + return nsDAO; } - + private final CachedRoleDAO roleDAO; public CachedRoleDAO roleDAO() { - return roleDAO; + return roleDAO; } - + private final CachedPermDAO permDAO; public CachedPermDAO permDAO() { - return permDAO; + return permDAO; } - + private final CachedUserRoleDAO userRoleDAO; public CachedUserRoleDAO userRoleDAO() { - return userRoleDAO; + return userRoleDAO; } - + private final CachedCredDAO credDAO; public CachedCredDAO credDAO() { - return credDAO; + return credDAO; } - + private final CachedCertDAO certDAO; public CachedCertDAO certDAO() { - return certDAO; + return certDAO; } - + private final DelegateDAO delegateDAO; public DelegateDAO delegateDAO() { - return delegateDAO; + return delegateDAO; } - + private final FutureDAO futureDAO; public FutureDAO futureDAO() { - return futureDAO; + return futureDAO; } - + private final ApprovalDAO approvalDAO; public ApprovalDAO approvalDAO() { - return approvalDAO; + return approvalDAO; } - + public final LocateDAO locateDAO; public LocateDAO locateDAO() { - return locateDAO; + return locateDAO; } - + private final CacheInfoDAO cacheInfoDAO; - private final int cldays; + private final int cldays; + private final boolean alwaysSpecial; public Question(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException { PERMS = trans.slot("USER_PERMS"); @@ -201,6 +203,8 @@ public class Question { permDAO = new CachedPermDAO(new PermDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn); roleDAO = new CachedRoleDAO(new RoleDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn); userRoleDAO = new CachedUserRoleDAO(new UserRoleDAO(trans, historyDAO,cacheInfoDAO), cacheInfoDAO, expiresIn); + // Create if aaf_file_cred exists with file + FileGetter.singleton(trans.env().access()); credDAO = new CachedCredDAO(new CredDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn); certDAO = new CachedCertDAO(new CertDAO(trans, historyDAO, cacheInfoDAO), cacheInfoDAO, expiresIn); @@ -212,14 +216,41 @@ public class Question { if (specialLogSlot==null) { specialLogSlot = trans.slot(AuthzTransFilter.SPECIAL_LOG_SLOT); } - + if (transIDSlot==null) { transIDSlot = trans.slot(AuthzTransFilter.TRANS_ID_SLOT); } - + AbsCassDAO.primePSIs(trans); - + cldays = Integer.parseInt(trans.getProperty(Config.AAF_CRED_WARN_DAYS, Config.AAF_CRED_WARN_DAYS_DFT)); + + alwaysSpecial = Boolean.parseBoolean(trans.getProperty("aaf_always_special", Boolean.FALSE.toString())); + } + + /** + * Note: This Constructor created for JUNIT Purposes. Do not use otherwise. + */ + public Question(AuthzTrans trans, HistoryDAO historyDAO, CacheInfoDAO cacheInfoDAO, + CachedNSDAO nsDAO, CachedPermDAO permDAO, CachedRoleDAO roleDAO, + CachedUserRoleDAO userRoleDAO, CachedCredDAO credDAO, CachedCertDAO certDAO, + LocateDAO locateDAO,FutureDAO futureDAO, DelegateDAO delegateDAO, + ApprovalDAO approvalDAO ) { + this.historyDAO = historyDAO; + this.cacheInfoDAO = cacheInfoDAO; + this.nsDAO = nsDAO; + this.permDAO = permDAO; + this.roleDAO = roleDAO; + this.userRoleDAO = userRoleDAO; + this.credDAO = credDAO; + this.certDAO = certDAO; + this.locateDAO = locateDAO; + this.futureDAO = futureDAO; + this.delegateDAO = delegateDAO; + this.approvalDAO = approvalDAO; + + cldays = Integer.parseInt(trans.getProperty(Config.AAF_CRED_WARN_DAYS, Config.AAF_CRED_WARN_DAYS_DFT)); + alwaysSpecial = Boolean.parseBoolean(trans.getProperty("aaf_always_special", Boolean.FALSE.toString())); } public void startTimers(AuthzEnv env) { @@ -228,7 +259,7 @@ public class Question { CachedDAO.startCleansing(env, credDAO, userRoleDAO); CachedDAO.startRefresh(env, cacheInfoDAO); } - + public void close(AuthzTrans trans) { historyDAO.close(trans); cacheInfoDAO.close(trans); @@ -243,23 +274,37 @@ public class Question { approvalDAO.close(trans); } - public Result permFrom(AuthzTrans trans, String type, - String instance, String action) { - Result rnd = deriveNs(trans, type); - if (rnd.isOK()) { - return Result.ok(new PermDAO.Data(new NsSplit(rnd.value, type), - instance, action)); + public Result permFrom(AuthzTrans trans, String type, String instance, String action) { + if(type.indexOf('@') >= 0) { + int colon = type.indexOf(':'); + if(colon>=0) { + PermDAO.Data pdd = new PermDAO.Data(); + pdd.ns = type.substring(0, colon); + pdd.type = type.substring(colon+1); + pdd.instance = instance; + pdd.action = action; + + return Result.ok(pdd); + } else { + return Result.err(Result.ERR_BadData,"Could not extract ns and type from " + type); + } } else { - return Result.err(rnd); + Result rnd = deriveNs(trans, type); + if (rnd.isOK()) { + return Result.ok(new PermDAO.Data(new NsSplit(rnd.value, type), + instance, action)); + } else { + return Result.err(rnd); + } } } /** * getPermsByUser - * + * * Because this call is frequently called internally, AND because we already * look for it in the initial Call, we cache within the Transaction - * + * * @param trans * @param user * @return @@ -267,26 +312,26 @@ public class Question { public Result> getPermsByUser(AuthzTrans trans, String user, boolean lookup) { return PermLookup.get(trans, this, user).getPerms(lookup); } - + public Result> getPermsByUserFromRolesFilter(AuthzTrans trans, String user, String forUser) { PermLookup plUser = PermLookup.get(trans, this, user); Result> plPermNames = plUser.getPermNames(); if (plPermNames.notOK()) { return Result.err(plPermNames); } - + Set nss; if (forUser.equals(user)) { nss = null; } else { - // Setup a TreeSet to check on Namespaces to + // Setup a TreeSet to check on Namespaces to nss = new TreeSet<>(); PermLookup fUser = PermLookup.get(trans, this, forUser); Result> forUpn = fUser.getPermNames(); if (forUpn.notOK()) { return Result.err(forUpn); } - + for (String pn : forUpn.value) { Result decoded = PermDAO.Data.decodeToArray(trans, this, pn); if (decoded.isOKhasData()) { @@ -311,24 +356,42 @@ public class Question { trans.error().log(pn,", derived from a Role, is invalid. Run Data Cleanup:",rpdd.errorString()); } } - return Result.ok(rlpUser); + return Result.ok(rlpUser); } - public Result> getPermsByType(AuthzTrans trans, String perm) { - Result nss = deriveNsSplit(trans, perm); - if (nss.notOK()) { - return Result.err(nss); + public Result> getPermsByType(AuthzTrans trans, String type) { + if(type.indexOf('@') >= 0) { + int colon = type.indexOf(':'); + if(colon>=0) { + return permDAO.readByType(trans, type.substring(0, colon),type.substring(colon+1)); + } else { + return Result.err(Result.ERR_BadData, "%s is malformed",type); + } + } else { + Result nss = deriveNsSplit(trans, type); + if (nss.notOK()) { + return Result.err(nss); + } + return permDAO.readByType(trans, nss.value.ns, nss.value.name); } - return permDAO.readByType(trans, nss.value.ns, nss.value.name); } - public Result> getPermsByName(AuthzTrans trans, - String type, String instance, String action) { - Result nss = deriveNsSplit(trans, type); - if (nss.notOK()) { - return Result.err(nss); + public Result> getPermsByName(AuthzTrans trans, String type, String instance, String action) { + if(type.indexOf('@') >= 0) { + int colon = type.indexOf(':'); + if(colon>=0) { + return permDAO.read(trans, type.substring(0, colon),type.substring(colon+1), instance,action); + } else { + return Result.err(Result.ERR_BadData, "%s is malformed",type); + } + } else { + Result nss = deriveNsSplit(trans, type); + if (nss.notOK()) { + return Result.err(nss); + } + + return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action); } - return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action); } public Result> getPermsByRole(AuthzTrans trans, String role, boolean lookup) { @@ -374,8 +437,14 @@ public class Question { return Result.ok(perms); } - public Result> getRolesByName(AuthzTrans trans, - String role) { + public Result> getRolesByName(AuthzTrans trans, String role) { + if(role.startsWith(trans.user()) ) { + if(role.endsWith(":user")) { + return roleDAO.read(trans,trans.user(), "user"); + } else { + return Result.err(Result.ERR_BadData,"%s is a badly formatted role",role); + } + } Result nss = deriveNsSplit(trans, role); if (nss.notOK()) { return Result.err(nss); @@ -393,31 +462,26 @@ public class Question { /** * Derive NS - * + * * Given a Child Namespace, figure out what the best Namespace parent is. - * + * * For instance, if in the NS table, the parent "org.osaaf" exists, but not * "org.osaaf.child" or "org.osaaf.a.b.c", then passing in either * "org.osaaf.child" or "org.osaaf.a.b.c" will return "org.osaaf" - * + * * Uses recursive search on Cached DAO data - * + * * @param trans * @param child * @return */ public Result deriveNs(AuthzTrans trans, String child) { Result> r = nsDAO.read(trans, child); - + if (r.isOKhasData()) { return Result.ok(r.value.get(0)); } else { - int dot; - if (child==null) { - return Result.err(Status.ERR_NsNotFound, "No Namespace"); - } else { - dot = child.lastIndexOf('.'); - } + int dot = child.lastIndexOf('.'); if (dot < 0) { return Result.err(Status.ERR_NsNotFound, "No Namespace for [%s]", child); } else { @@ -438,7 +502,7 @@ public class Question { return Result.ok(nsd); } else { int dot = str.lastIndexOf('.'); - + if (dot < 0) { return Result.err(Status.ERR_NsNotFound, "No Namespace for [%s]", str); } else { @@ -447,7 +511,7 @@ public class Question { } } else { int dot = str.lastIndexOf('.'); - + if (dot < 0) { return Result.err(Status.ERR_NsNotFound,"There is no valid Company Namespace for %s",str); } else { @@ -475,9 +539,9 @@ public class Question { /** * Translate an ID into it's domain - * + * * i.e. myid1234@aaf.att.com results in domain of com.att.aaf - * + * * @param id * @return */ @@ -504,9 +568,9 @@ public class Question { /** * Validate Namespace of ID@Domain - * + * * Namespace is reverse order of Domain. - * + * * @param trans * @param id * @return @@ -520,7 +584,7 @@ public class Question { ns = domain2ns(id); } if (ns.length() > 0) { - if (!trans.org().getDomain().equals(ns)) { + if (!trans.org().getDomain().equals(ns)) { Result> rlnsd = nsDAO.read(trans, ns); if (rlnsd.isOKhasData()) { return Result.ok(rlnsd.value.get(0)); @@ -534,30 +598,41 @@ public class Question { public Result mayUser(AuthzTrans trans, String user,NsDAO.Data ndd, Access access) { // .access|:role:| String ns = ndd.name; + boolean isRoot = ns.startsWith(Define.ROOT_NS()); int last; do { if (isGranted(trans, user, ns, ACCESS, ":ns", access.name())) { return Result.ok(ndd); } + if(isRoot) { + break; + } if ((last = ns.lastIndexOf('.')) >= 0) { ns = ns.substring(0, last); } } while (last >= 0); - // com.att.aaf.ns|::ns| - // AAF-724 - Make consistent response for May User", and not take the - // last check... too confusing. - Result rv = mayUserVirtueOfNS(trans, user, ndd, ":" + ndd.name + ":ns", access.name()); - if (rv.isOK()) { - return rv; - } else if (rv.status==Result.ERR_Backend) { - return Result.err(rv); - } else { - return Result.err(Status.ERR_Denied, "[%s] may not %s in NS [%s]", - user, access.name(), ndd.name); - } + + // SAFETY - Do not allow these when NS is Root + if(!isRoot) { + // com.att.aaf.ns|::ns| + // AAF-724 - Make consistent response for May User", and not take the + // last check... too confusing. + Result rv = mayUserVirtueOfNS(trans, user, ndd, ":" + ndd.name + ":ns", access.name()); + if (rv.isOK()) { + return rv; + } else if (rv.status==Result.ERR_Backend) { + return Result.err(rv); + } + } + return Result.err(Status.ERR_Denied, "[%s] may not %s in NS [%s]", + user, access.name(), ndd.name); + } public Result mayUser(AuthzTrans trans, String user, RoleDAO.Data rdd, Access access) { + if(trans.user().equals(rdd.ns)) { + return Result.ok((NsDAO.Data)null); + } Result rnsd = deriveNs(trans, rdd.ns); if (rnsd.isOK()) { return mayUser(trans, user, rnsd.value, rdd, access); @@ -566,52 +641,70 @@ public class Question { } public Result mayUser(AuthzTrans trans, String user, NsDAO.Data ndd, RoleDAO.Data rdd, Access access) { - // 1) Is User in the Role? - Result> rurd = userRoleDAO.readUserInRole(trans, user, rdd.fullName()); - if (rurd.isOKhasData()) { - return Result.ok(ndd); + // 1) For "read", Is User in the Role is enough + if(Access.read.equals(access)) { + Result> rurd = userRoleDAO.readUserInRole(trans, user, rdd.fullName()); + if (rurd.isOKhasData()) { + return Result.ok(ndd); + } } String roleInst = ":role:" + rdd.name; // .access|:role:| String ns = rdd.ns; + boolean isRoot = ns.startsWith(Define.ROOT_NS()); int last; do { if (isGranted(trans, user, ns,ACCESS, roleInst, access.name())) { return Result.ok(ndd); } + if(isRoot) { + break; + } if ((last = ns.lastIndexOf('.')) >= 0) { ns = ns.substring(0, last); } } while (last >= 0); - // Check if Access by Global Role perm - // com.att.aaf.ns|::role:name| - Result rnsd = mayUserVirtueOfNS(trans, user, ndd, ":" - + rdd.ns + roleInst, access.name()); - if (rnsd.isOK()) { - return rnsd; - } else if (rnsd.status==Result.ERR_Backend) { - return Result.err(rnsd); - } + // SAFETY - Do not allow these when NS is Root + if(!isRoot) { + // Check if Access by Global Role perm + // com.att.aaf.ns|::role:name| + Result rnsd = mayUserVirtueOfNS(trans, user, ndd, ":" + + rdd.ns + roleInst, access.name()); + if (rnsd.isOK()) { + return rnsd; + } else if (rnsd.status==Result.ERR_Backend) { + return Result.err(rnsd); + } - // Check if Access to Whole NS - // AAF-724 - Make consistent response for May User", and not take the - // last check... too confusing. - Result rv = mayUserVirtueOfNS(trans, user, ndd, - ":" + rdd.ns + ":ns", access.name()); - if (rv.isOK()) { - return rv; - } else if (rnsd.status==Result.ERR_Backend) { - return Result.err(rnsd); - } else { - return Result.err(Status.ERR_Denied, "[%s] may not %s Role [%s]", - user, access.name(), rdd.fullName()); + // Check if Access to Whole NS + // AAF-724 - Make consistent response for May User", and not take the + // last check... too confusing. + Result rv = mayUserVirtueOfNS(trans, user, ndd, + ":" + rdd.ns + ":ns", access.name()); + if (rv.isOK()) { + return rv; + } else if (rnsd.status==Result.ERR_Backend) { + return Result.err(rnsd); + } } - + return Result.err(Status.ERR_Denied, "[%s] may not %s Role [%s]", + user, access.name(), rdd.fullName()); } public Result mayUser(AuthzTrans trans, String user,PermDAO.Data pdd, Access access) { + if(pdd.ns.indexOf('@')>-1) { + if(user.equals(pdd.ns) || isGranted(trans,user,Define.ROOT_NS(),"access",pdd.instance,READ)) { + NsDAO.Data ndd = new NsDAO.Data(); + ndd.name = user; + ndd.type = NsDAO.USER; + ndd.parent = ""; + return Result.ok(ndd); + } else { + return Result.err(Result.ERR_Security,"Only a User may modify User"); + } + } Result rnsd = deriveNs(trans, pdd.ns); if (rnsd.isOK()) { return mayUser(trans, user, rnsd.value, pdd, access); @@ -620,43 +713,50 @@ public class Question { } public Result mayUser(AuthzTrans trans, String user,NsDAO.Data ndd, PermDAO.Data pdd, Access access) { + // Most common occurrence... if granted Permission if (isGranted(trans, user, pdd.ns, pdd.type, pdd.instance, pdd.action)) { return Result.ok(ndd); } + String permInst = ":perm:" + pdd.type + ':' + pdd.instance + ':' + pdd.action; // .access|:role:| String ns = ndd.name; + boolean isRoot = ns.startsWith(Define.ROOT_NS()); int last; do { if (isGranted(trans, user, ns, ACCESS, permInst, access.name())) { return Result.ok(ndd); } + if(isRoot) { + break; + } if ((last = ns.lastIndexOf('.')) >= 0) { ns = ns.substring(0, last); } } while (last >= 0); - // Check if Access by NS perm - // com.att.aaf.ns|::role:name| - Result rnsd = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + permInst, access.name()); - if (rnsd.isOK()) { - return rnsd; - } else if (rnsd.status==Result.ERR_Backend) { - return Result.err(rnsd); - } + // SAFETY - Do not allow these when NS is Root + if(!isRoot) { + // Check if Access by NS perm + // com.att.aaf.ns|::role:name| + Result rnsd = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + permInst, access.name()); + if (rnsd.isOK()) { + return rnsd; + } else if (rnsd.status==Result.ERR_Backend) { + return Result.err(rnsd); + } - // Check if Access to Whole NS - // AAF-724 - Make consistent response for May User", and not take the - // last check... too confusing. - Result rv = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + ":ns", access.name()); - if (rv.isOK()) { - return rv; - } else { - return Result.err(Status.ERR_Denied, - "[%s] may not %s Perm [%s|%s|%s]", user, access.name(), - pdd.fullType(), pdd.instance, pdd.action); + // Check if Access to Whole NS + // AAF-724 - Make consistent response for May User", and not take the + // last check... too confusing. + Result rv = mayUserVirtueOfNS(trans, user, ndd, ":" + pdd.ns + ":ns", access.name()); + if (rv.isOK()) { + return rv; + } } - + return Result.err(Status.ERR_Denied, + "[%s] may not %s Perm [%s|%s|%s]", user, access.name(), + pdd.fullType(), pdd.instance, pdd.action); } public Result mayUser(AuthzTrans trans, DelegateDAO.Data dd, Access access) { @@ -686,16 +786,22 @@ public class Question { return Result.err(Status.ERR_BadData, "[%s] cannot be a delegate for self", dd.user); } - if (!isUser && !isGranted(trans, trans.user(), ROOT_NS,DELG, - org.getDomain(), Question.CREATE)) { - return Result.err(Status.ERR_Denied, + if (!isUser) { + String supportedDomain = org.supportedDomain(dd.user); + if(supportedDomain==null) { + return Result.err(Status.ERR_Denied, + "[%s] may not create a delegate for the domain for [%s]", + trans.user(), dd.user); + } else if(!isGranted(trans, trans.user(), ROOT_NS,DELG,supportedDomain,Question.CREATE)) { + return Result.err(Status.ERR_Denied, "[%s] may not create a delegate for [%s]", trans.user(), dd.user); + } } break; case read: case write: - if (!isUser && !isDelegate && + if (!isUser && !isDelegate && !isGranted(trans, trans.user(), ROOT_NS,DELG,org.getDomain(), access.name())) { return Result.err(Status.ERR_Denied, "[%s] may not %s delegates for [%s]", trans.user(), @@ -718,14 +824,14 @@ public class Question { String ns = nsd.name; // If an ADMIN of the Namespace, then allow - + Result> rurd; if ((rurd = userRoleDAO.readUserInRole(trans, user, ns+DOT_ADMIN)).isOKhasData()) { return Result.ok(nsd); } else if (rurd.status==Result.ERR_Backend) { return Result.err(rurd); } - + // If Specially granted Global Permission if (isGranted(trans, user, ROOT_NS,NS, ns_and_type, access)) { return Result.ok(nsd); @@ -751,13 +857,13 @@ public class Question { ns_and_type); } - + /** * isGranted - * + * * Important function - Check internal Permission Schemes for Permission to * do things - * + * * @param trans * @param type * @param instance @@ -771,7 +877,7 @@ public class Question { if (ns.equals(pd.ns)) { if (type.equals(pd.type)) { if (PermEval.evalInstance(pd.instance, instance)) { - if (PermEval.evalAction(pd.action, action)) { // don't return action here, might miss other action + if (PermEval.evalAction(pd.action, action)) { // don't return action here, might miss other action return true; } } @@ -786,7 +892,7 @@ public class Question { Result> result; TimeTaken tt = trans.start("Read DB Cred", Env.REMOTE); try { - result = credDAO.readID(trans, user); + result = credDAO.readIDBAth(trans, user); } finally { tt.done(); } @@ -800,37 +906,48 @@ public class Question { } } else { Date now = new Date(); - // Bug noticed 6/22. Sorting on the result can cause Concurrency Issues. - List cddl; + // Bug noticed 6/22. Sorting on the result can cause Concurrency Issues. + // 9/14/2019. Use TreeSet for sorting, and using only the LAST of a Tagged entry + Collection cddl; if (result.value.size() > 1) { - cddl = new ArrayList<>(result.value.size()); - for (CredDAO.Data old : result.value) { - if (old.type==CredDAO.BASIC_AUTH || old.type==CredDAO.BASIC_AUTH_SHA256) { - cddl.add(old); + Map mcdd = new TreeMap<>(); + CredDAO.Data cdd; + String tag; + int pseudoTag = 0; + for (CredDAO.Data rcdd : result.value) { + if (rcdd.type==CredDAO.BASIC_AUTH || rcdd.type==CredDAO.BASIC_AUTH_SHA256) { + if(rcdd.tag==null) { + mcdd.put(Integer.toString(++pseudoTag),rcdd); + } else { + tag = rcdd.tag; + cdd = mcdd.get(tag); + if(cdd==null || cdd.expires.before(rcdd.expires)) { + mcdd.put(tag,rcdd); + } + } } } - if (cddl.size()>1) { - Collections.sort(cddl, (a, b) -> b.expires.compareTo(a.expires)); - } + cddl = mcdd.values(); } else { cddl = result.value; } - + Date expired = null; StringBuilder debug = willSpecialLog(trans,user)?new StringBuilder():null; for (CredDAO.Data cdd : cddl) { if (!cdd.id.equals(user)) { trans.error().log("doesUserCredMatch DB call does not match for user: " + user); } - if (cdd.expires.after(now)) { + if (cdd.expires.after(now) || trans.org().isUserExpireExempt(cdd.id, cdd.expires)) { byte[] dbcred = cdd.cred.array(); - + try { switch(cdd.type) { case CredDAO.BASIC_AUTH: byte[] md5=Hash.hashMD5(cred); if (Hash.compareTo(md5,dbcred)==0) { checkLessThanDays(trans,cldays,now,cdd); + trans.setTag(cdd.tag); return Result.ok(cdd.expires); } else if (debug!=null) { load(debug, cdd); @@ -841,9 +958,10 @@ public class Question { bb.putInt(cdd.other); bb.put(cred); byte[] hash = Hash.hashSHA256(bb.array()); - + if (Hash.compareTo(hash,dbcred)==0) { checkLessThanDays(trans,cldays,now,cdd); + trans.setTag(cdd.tag); return Result.ok(cdd.expires); } else if (debug!=null) { load(debug, cdd); @@ -858,34 +976,41 @@ public class Question { } else { if (expired==null || expired.before(cdd.expires)) { expired = cdd.expires; + trans.setTag(cdd.tag); } } } // end for each - if (debug==null) { - trans.audit().printf("No cred matches ip=%s, user=%s\n",trans.ip(),user); - } else { - trans.audit().printf("No cred matches ip=%s, user=%s %s\n",trans.ip(),user,debug.toString()); - } + if (expired!=null) { // Note: this is only returned if there are no good Credentials rv = Result.err(Status.ERR_Security, - "Credentials %s from %s expired %s",trans.user(), trans.ip(), Chrono.dateTime(expired)); + "Credentials expired %s",Chrono.utcStamp(expired)); + } else { + if (debug==null && alwaysSpecial) { + debug = new StringBuilder(); + } + if (debug!=null) { + debug.append(trans.env().encryptor().encrypt(new String(cred))); + rv = Result.err(Status.ERR_Security,String.format("invalid password - %s",debug.toString())); + } } } } else { return Result.err(result); } - return rv == null ? Result.create((Date) null, Status.ERR_Security, "Wrong credential") : rv; + return rv == null ? Result.err(Status.ERR_Security, "Wrong credential") : rv; } private void load(StringBuilder debug, Data cdd) { - debug.append("DB Entry: user="); + debug.append("\nDB Entry: user="); debug.append(cdd.id); debug.append(",type="); debug.append(cdd.type); debug.append(",expires="); debug.append(Chrono.dateTime(cdd.expires)); + debug.append(",tag="); + debug.append(cdd.tag); debug.append('\n'); } @@ -896,7 +1021,7 @@ public class Question { if (cexp userCredCheck(AuthzTrans trans, CredDAO.Data orig, final byte[] raw) { - TimeTaken tt = trans.start("CheckCred Cred", Env.SUB); - try { - switch(orig.type) { - case CredDAO.BASIC_AUTH_SHA256: - ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + raw.length); - bb.putInt(orig.other); - bb.put(raw); - return Result.ok(Hash.compareTo(orig.cred.array(),Hash.hashSHA256(bb.array()))==0); - case CredDAO.BASIC_AUTH: - return Result.ok( Hash.compareTo(orig.cred.array(), Hash.hashMD5(raw))==0); - default: - return Result.ok(false); - } - } catch (NoSuchAlgorithmException e) { - return Result.err(Status.ERR_General,e.getLocalizedMessage()); - } finally { - tt.done(); + Result rv; + TimeTaken tt = trans.start("CheckCred Cred", Env.SUB); + try { + switch(orig.type) { + case CredDAO.BASIC_AUTH_SHA256: + ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + raw.length); + bb.putInt(orig.other); + bb.put(raw); + rv = Result.ok(Hash.compareTo(orig.cred.array(),Hash.hashSHA256(bb.array()))==0); + case CredDAO.BASIC_AUTH: + rv= Result.ok( Hash.compareTo(orig.cred.array(), Hash.hashMD5(raw))==0); + case CredDAO.FQI: + default: + rv = Result.ok(false); } + } catch (NoSuchAlgorithmException e) { + rv = Result.err(Status.ERR_General,e.getLocalizedMessage()); + } finally { + tt.done(); + } + return rv; } public static final String APPROVED = "APPROVE"; @@ -1080,7 +1211,7 @@ public class Question { } return b; } - + public static void logEncryptTrace(AuthzTrans trans, String data) { long ti; trans.put(transIDSlot, ti=nextTraceID()); @@ -1097,7 +1228,7 @@ public class Question { } boolean rc = specialLog.add(id); if (rc) { - trans.trace().printf("Trace on for %s requested by %s",id,trans.user()); + trans.trace().printf("Trace on for %s requested by %s",id,trans.user()); } return rc; } @@ -1111,12 +1242,12 @@ public class Question { specialLog = null; } if (rv) { - trans.trace().printf("Trace off for %s requested by %s",id,trans.user()); + trans.trace().printf("Trace off for %s requested by %s",id,trans.user()); } return rv; } - /** + /** * canMove * Which Types can be moved * @param nsType @@ -1138,23 +1269,23 @@ public class Question { } public boolean isAdmin(AuthzTrans trans, String user, String ns) { - Date now = new Date(); Result> rur = userRoleDAO.read(trans, user,ns+DOT_ADMIN); if (rur.isOKhasData()) { - for (UserRoleDAO.Data urdd : rur.value){ - if (urdd.expires.after(now)) { - return true; - } - } + Date now = new Date(); + for (UserRoleDAO.Data urdd : rur.value){ + if (urdd.expires.after(now) || trans.org().isUserExpireExempt(urdd.user, urdd.expires)) { + return true; + } + } }; return false; } - + public boolean isOwner(AuthzTrans trans, String user, String ns) { - Result> rur = userRoleDAO.read(trans, user,ns+DOT_OWNER); - Date now = new Date(); + Result> rur = userRoleDAO().read(trans, user,ns+DOT_OWNER); if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){ - if (urdd.expires.after(now)) { + Date now = new Date(); + if (urdd.expires.after(now) || trans.org().isUserExpireExempt(urdd.user, urdd.expires)) { return true; } }}; @@ -1162,24 +1293,24 @@ public class Question { } public int countOwner(AuthzTrans trans, String ns) { - Result> rur = userRoleDAO.readByRole(trans,ns+DOT_OWNER); + Result> rur = userRoleDAO().readByRole(trans,ns+DOT_OWNER); Date now = new Date(); int count = 0; if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){ - if (urdd.expires.after(now)) { + if (urdd.expires.after(now) || trans.org().isUserExpireExempt(urdd.user, urdd.expires)) { ++count; } }}; return count; } - + /** * Return a Unique String, (same string, if it is already unique), with only * lowercase letters, digits and the '.' character. - * + * * @param name * @return - * @throws IOException + * @throws IOException */ public static String toUnique(String name) throws IOException { byte[] from = name.getBytes(); @@ -1192,7 +1323,7 @@ public class Question { } return sb.toString(); } - + public static String fromUnique(String name) throws IOException { byte[] from = name.getBytes(); StringBuilder sb = new StringBuilder();