X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-cass%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fdao%2Fhl%2FQuestion.java;h=3b61da31eefe1ab7188d9fdb1448ba43034a79f6;hb=58c2a7132f861e269ed707eb585657b0c9ead9f5;hp=4a3076938254c78af428d2efb30860118160076a;hpb=613846477296bd3888ba6e5f939afe688b486ad7;p=aaf%2Fauthz.git
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
index 4a307693..3b61da31 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
@@ -27,7 +27,6 @@ import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.Comparator;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
@@ -62,6 +61,7 @@ import org.onap.aaf.auth.dao.cass.PermDAO;
 import org.onap.aaf.auth.dao.cass.RoleDAO;
 import org.onap.aaf.auth.dao.cass.Status;
 import org.onap.aaf.auth.dao.cass.UserRoleDAO;
+import org.onap.aaf.auth.env.AuthzEnv;
 import org.onap.aaf.auth.env.AuthzTrans;
 import org.onap.aaf.auth.env.AuthzTrans.REQD_TYPE;
 import org.onap.aaf.auth.env.AuthzTransFilter;
@@ -89,7 +89,7 @@ import com.datastax.driver.core.Cluster;
 public class Question {
 // DON'T CHANGE FROM lower Case!!!
- public static enum Type {
+ public enum Type {
 ns, role, perm, cred
 };
@@ -101,7 +101,7 @@ public class Question {
 static final String ASTERIX = "*";
- public static enum Access {
+ public enum Access {
 read, write, create
 };
@@ -130,20 +130,66 @@ public class Question {
 private static Slot transIDSlot = null;
- public final HistoryDAO historyDAO;
- public final CachedNSDAO nsDAO;
- public final CachedRoleDAO roleDAO;
- public final CachedPermDAO permDAO;
- public final CachedUserRoleDAO userRoleDAO;
- public final CachedCredDAO credDAO;
- public final CachedCertDAO certDAO;
- public final DelegateDAO delegateDAO;
- public final FutureDAO futureDAO;
- public final ApprovalDAO approvalDAO;
- private final CacheInfoDAO cacheInfoDAO;
+ private final HistoryDAO historyDAO;
+ public HistoryDAO historyDAO() {
+ return historyDAO;
+ }
+
+ private final CachedNSDAO nsDAO;
+ public CachedNSDAO nsDAO() {
+ return nsDAO;
+ }
+
+ private final CachedRoleDAO roleDAO;
+ public CachedRoleDAO roleDAO() {
+ return roleDAO;
+ }
+
+ private final CachedPermDAO permDAO;
+ public CachedPermDAO permDAO() {
+ return permDAO;
+ }
+
+ private final CachedUserRoleDAO userRoleDAO;
+ public CachedUserRoleDAO userRoleDAO() {
+ return userRoleDAO;
+ }
+
+ private final CachedCredDAO credDAO;
+ public CachedCredDAO credDAO() {
+ return credDAO;
+ }
+
+ private final CachedCertDAO certDAO;
+ public CachedCertDAO certDAO() {
+ return certDAO;
+ }
+
+ private final DelegateDAO delegateDAO;
+ public DelegateDAO delegateDAO() {
+ return delegateDAO;
+ }
+
+ private final FutureDAO futureDAO;
+ public FutureDAO futureDAO() {
+ return futureDAO;
+ }
+
+ private final ApprovalDAO approvalDAO;
+ public ApprovalDAO approvalDAO() {
+ return approvalDAO;
+ }
+
 public final LocateDAO locateDAO;
+ public LocateDAO locateDAO() {
+ return locateDAO;
+ }
+
+ private final CacheInfoDAO cacheInfoDAO;
+ private final int cldays;
+ private final boolean alwaysSpecial;
- public Question(AuthzTrans trans, Cluster cluster, String keyspace, boolean startClean) throws APIException, IOException {
+ public Question(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
 PERMS = trans.slot("USER_PERMS");
trans.init().log("Instantiating DAOs");
 long expiresIn = Long.parseLong(trans.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF));
@@ -164,14 +210,6 @@ public class Question {
 delegateDAO = new DelegateDAO(trans, historyDAO);
 approvalDAO = new ApprovalDAO(trans, historyDAO);
- // Only want to aggressively cleanse User related Caches... The others,
- // just normal refresh
- if (startClean) {
- CachedDAO.startCleansing(trans.env(), credDAO, userRoleDAO);
- CachedDAO.startRefresh(trans.env(), cacheInfoDAO);
- }
- // Set a Timer to Check Caches to send messages for Caching changes
-
 if (specialLogSlot==null) {
 specialLogSlot = trans.slot(AuthzTransFilter.SPECIAL_LOG_SLOT);
 }
@@ -181,9 +219,19 @@ public class Question {
 }
 AbsCassDAO.primePSIs(trans);
+
+ cldays = Integer.parseInt(trans.getProperty(Config.AAF_CRED_WARN_DAYS, Config.AAF_CRED_WARN_DAYS_DFT));
+
+ alwaysSpecial = Boolean.parseBoolean(trans.getProperty("aaf_always_special", Boolean.FALSE.toString()));
 }
-
+ public void startTimers(AuthzEnv env) {
+ // Only want to aggressively cleanse User related Caches... The others,
+ // just normal refresh
+ CachedDAO.startCleansing(env, credDAO, userRoleDAO);
+ CachedDAO.startRefresh(env, cacheInfoDAO);
+ }
+
 public void close(AuthzTrans trans) {
 historyDAO.close(trans);
 cacheInfoDAO.close(trans);
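Review bot: `locateDAO` is the one DAO field left `public final` while also gaining a `locateDAO()` accessor, so the encapsulation this hunk introduces for the other ten fields can still be bypassed for this one; declaring it `private final LocateDAO locateDAO;` like its siblings makes the new accessor the only entry point. The constructor whose signature changes at the end of the hunk continues past it.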
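Review bot: `startTimers(AuthzEnv)` now owns the cache cleansing that the constructor used to start when `startClean` was true, so unless every construction site calls it the credDAO/userRoleDAO cleansing and the cacheInfoDAO refresh simply never run, and nothing on the method says so; a Javadoc such as `/** Starts the periodic cache cleansing/refresh timers; must be called once after construction by the owning process. */` would make the contract visible. The two new property reads at the end of the constructor also let a malformed `Config.AAF_CRED_WARN_DAYS` value escape as a bare `NumberFormatException`; catching it and rethrowing through the constructor's declared `APIException` keeps the failure mode callers already handle. The constructor begins outside this hunk.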
@@ -198,15 +246,29 @@ public class Question {
 approvalDAO.close(trans);
 }
- public Result permFrom(AuthzTrans trans, String type,
- String instance, String action) {
- Result rnd = deriveNs(trans, type);
- if (rnd.isOK()) {
- return Result.ok(new PermDAO.Data(new NsSplit(rnd.value, type),
- instance, action));
- } else {
- return Result.err(rnd);
- }
+ public Result permFrom(AuthzTrans trans, String type, String instance, String action) {
+ if(type.indexOf('@') >= 0) {
+ int colon = type.indexOf(':');
+ if(colon>=0) {
+ PermDAO.Data pdd = new PermDAO.Data();
+ pdd.ns = type.substring(0, colon);
+ pdd.type = type.substring(colon+1);
+ pdd.instance = instance;
+ pdd.action = action;
+
+ return Result.ok(pdd);
+ } else {
+ return Result.err(Result.ERR_BadData,"Could not extract ns and type from " + type);
+ }
+ } else {
+ Result rnd = deriveNs(trans, type);
+ if (rnd.isOK()) {
+ return Result.ok(new PermDAO.Data(new NsSplit(rnd.value, type),
+ instance, action));
+ } else {
+ return Result.err(rnd);
+ }
+ }
 }
 /**
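Review bot: The `type.indexOf('@') >= 0` test in the new `permFrom` looks at the whole string, so a type whose `@` sits after the colon (say `some.ns:x@y`, constructed) also takes the user-namespace shortcut and `pdd.ns` becomes a namespace that never went through `deriveNs`; checking that the `@` precedes the colon — `int at = type.indexOf('@'); int colon = type.indexOf(':'); if (at >= 0 && colon > at) {` — limits the shortcut to the `user@domain:type` form. The same split is copied into `getPermsByType` and `getPermsByName` in the next hunk, so a single private helper that yields the ns/type pair (or the `ERR_BadData` result) would keep the three in step; note the error text already differs between them (`Could not extract ns and type from` here, `%s is malformed` there).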
@@ -269,21 +331,39 @@ public class Question {
 return Result.ok(rlpUser);
 }
- public Result> getPermsByType(AuthzTrans trans, String perm) {
- Result nss = deriveNsSplit(trans, perm);
- if (nss.notOK()) {
- return Result.err(nss);
- }
- return permDAO.readByType(trans, nss.value.ns, nss.value.name);
+ public Result> getPermsByType(AuthzTrans trans, String type) {
+ if(type.indexOf('@') >= 0) {
+ int colon = type.indexOf(':');
+ if(colon>=0) {
+ return permDAO.readByType(trans, type.substring(0, colon),type.substring(colon+1));
+ } else {
+ return Result.err(Result.ERR_BadData, "%s is malformed",type);
+ }
+ } else {
+ Result nss = deriveNsSplit(trans, type);
+ if (nss.notOK()) {
+ return Result.err(nss);
+ }
+ return permDAO.readByType(trans, nss.value.ns, nss.value.name);
+ }
 }
- public Result> getPermsByName(AuthzTrans trans,
- String type, String instance, String action) {
- Result nss = deriveNsSplit(trans, type);
- if (nss.notOK()) {
- return Result.err(nss);
- }
- return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action);
+ public Result> getPermsByName(AuthzTrans trans, String type, String instance, String action) {
+ if(type.indexOf('@') >= 0) {
+ int colon = type.indexOf(':');
+ if(colon>=0) {
+ return permDAO.read(trans, type.substring(0, colon),type.substring(colon+1), instance,action);
+ } else {
+ return Result.err(Result.ERR_BadData, "%s is malformed",type);
+ }
+ } else {
+ Result nss = deriveNsSplit(trans, type);
+ if (nss.notOK()) {
+ return Result.err(nss);
+ }
+
+ return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action);
+ }
 }
 public Result> getPermsByRole(AuthzTrans trans, String role, boolean lookup) {
@@ -329,8 +409,14 @@ public class Question {
 return Result.ok(perms);
 }
- public Result> getRolesByName(AuthzTrans trans,
- String role) {
+ public Result> getRolesByName(AuthzTrans trans, String role) {
+ if(role.startsWith(trans.user()) ) {
+ if(role.endsWith(":user")) {
+ return roleDAO.read(trans,trans.user(), "user");
+ } else {
+ return Result.err(Result.ERR_BadData,"%s is a badly formatted role",role);
+ }
+ }
 Result nss = deriveNsSplit(trans, role);
 if (nss.notOK()) {
 return Result.err(nss);
@@ -367,12 +453,7 @@ public class Question {
 if (r.isOKhasData()) {
 return Result.ok(r.value.get(0));
 } else {
- int dot;
- if (child==null) {
- return Result.err(Status.ERR_NsNotFound, "No Namespace");
- } else {
- dot = child.lastIndexOf('.');
- }
+ int dot = child.lastIndexOf('.');
 if (dot < 0) {
 return Result.err(Status.ERR_NsNotFound, "No Namespace for [%s]", child);
 } else {
@@ -513,6 +594,9 @@ public class Question {
 }
 public Result mayUser(AuthzTrans trans, String user, RoleDAO.Data rdd, Access access) {
+ if(trans.user().equals(rdd.ns)) {
+ return Result.ok((NsDAO.Data)null);
+ }
 Result rnsd = deriveNs(trans, rdd.ns);
 if (rnsd.isOK()) {
 return mayUser(trans, user, rnsd.value, rdd, access);
@@ -567,6 +651,17 @@ public class Question {
 }
 public Result mayUser(AuthzTrans trans, String user,PermDAO.Data pdd, Access access) {
+ if(pdd.ns.indexOf('@')>-1) {
+ if(user.equals(pdd.ns) || isGranted(trans,user,Define.ROOT_NS(),"access",pdd.instance,READ)) {
+ NsDAO.Data ndd = new NsDAO.Data();
+ ndd.name = user;
+ ndd.type = NsDAO.USER;
+ ndd.parent = "";
+ return Result.ok(ndd);
+ } else {
+ return Result.err(Result.ERR_Security,"Only a User may modify User");
+ }
+ }
 Result rnsd = deriveNs(trans, pdd.ns);
 if (rnsd.isOK()) {
 return mayUser(trans, user, rnsd.value, pdd, access);
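Review bot: `role.startsWith(trans.user())` in the new `getRolesByName` is a prefix test, so with a transaction user of `a@b` (constructed) a request for `a@bc:user` is also diverted to `roleDAO.read(trans, trans.user(), "user")` and silently answers with the caller's own role instead of the one asked for; comparing the whole name, `if (role.equals(trans.user() + ":user")) {`, with the badly-formatted error reserved for `role.startsWith(trans.user() + ":")`, keeps the shortcut to the caller's own `user` role. The branch also dereferences `trans.user()` before any null check, which the `deriveNsSplit` path below never needed — whether `trans.user()` can be null here is not visible in the hunk, so worth confirming. The method's remainder is outside the hunk.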
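Review bot: Dropping the `child==null` guard means a null `child` now throws `NullPointerException` from `child.lastIndexOf('.')` instead of the `ERR_NsNotFound` result callers handled before. If the callers are known to pass a non-null argument that deserves a comment on the line, e.g. `// child is never null: callers resolve it before calling`; otherwise `Objects.requireNonNull(child, "child")` at least makes the new contract explicit. The enclosing method starts and ends outside this hunk.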
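Review bot: The new short-circuit in `mayUser(..., RoleDAO.Data, ...)` keys on `trans.user()` while the matching shortcut in the `PermDAO.Data` overload in the last hunk keys on the `user` parameter, so the two overloads decide differently whenever a caller passes a user other than the transaction's; one of them should change, presumably to `if (user.equals(rdd.ns)) {` so the parameter the method is documented to check is the one it uses. It also returns `Result.ok((NsDAO.Data)null)` where every other success path hands back the namespace, so a caller that reads `.value` after `isOK()` will NPE here; returning a synthesized `NsDAO.Data` for the user namespace, as the perm overload does, keeps the contract uniform. The method's remainder is outside the hunk.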
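Review bot: The user-namespace branch in `mayUser(..., PermDAO.Data, ...)` never looks at the `access` parameter: a caller who is not `pdd.ns` but passes the `isGranted(... "access", pdd.instance, READ)` test is admitted for read and write alike, and the `Only a User may modify User` error is returned even when only a read was requested. If that is intended the branch deserves a comment saying so; otherwise the check should distinguish `access == Access.read` from the modifying kinds. The synthesized `ndd.name = user` also names the caller rather than `pdd.ns`, which differs from the namespace the `deriveNs` path below returns for the same perm — presumably `pdd.ns` was meant, worth confirming. The method's remainder is outside the hunk.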
@@ -754,7 +849,7 @@ public class Question {
 trans.audit().log("Special DEBUG:", user, " does not exist in DB");
 }
 } else {
- Date now = new Date();//long now = System.currentTimeMillis();
+ Date now = new Date();
 // Bug noticed 6/22. Sorting on the result can cause Concurrency Issues.
 List cddl;
 if (result.value.size() > 1) {
@@ -765,13 +860,7 @@ public class Question {
 }
 }
 if (cddl.size()>1) {
- Collections.sort(cddl,new Comparator() {
- @Override
- public int compare(org.onap.aaf.auth.dao.cass.CredDAO.Data a,
- org.onap.aaf.auth.dao.cass.CredDAO.Data b) {
- return b.expires.compareTo(a.expires);
- }
- });
+ Collections.sort(cddl, (a, b) -> b.expires.compareTo(a.expires));
 }
 } else {
 cddl = result.value;
@@ -791,7 +880,8 @@ public class Question {
 case CredDAO.BASIC_AUTH:
 byte[] md5=Hash.hashMD5(cred);
 if (Hash.compareTo(md5,dbcred)==0) {
- checkLessThanDays(trans,7,now,cdd);
+ checkLessThanDays(trans,cldays,now,cdd);
+ trans.setTag(cdd.tag);
 return Result.ok(cdd.expires);
 } else if (debug!=null) {
 load(debug, cdd);
@@ -804,7 +894,8 @@ public class Question {
 byte[] hash = Hash.hashSHA256(bb.array());
 if (Hash.compareTo(hash,dbcred)==0) {
- checkLessThanDays(trans,cldays,now,cdd);
+ checkLessThanDays(trans,cldays,now,cdd);
+ trans.setTag(cdd.tag);
 return Result.ok(cdd.expires);
 } else if (debug!=null) {
 load(debug, cdd);
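Review bot: The success path `checkLessThanDays(trans,cldays,now,cdd); trans.setTag(cdd.tag); return Result.ok(cdd.expires);` is now repeated verbatim in the BASIC_AUTH branch here and in the SHA-256 branch of the following hunk; a private helper such as `credMatched(trans, now, cdd)` that does the warn-days check, sets the tag and returns the expiry keeps the two in step the next time one of them changes. The enclosing method starts and ends outside both hunks.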
@@ -819,34 +910,41 @@ public class Question {
 } else {
 if (expired==null || expired.before(cdd.expires)) {
 expired = cdd.expires;
+ trans.setTag(cdd.tag);
 }
 }
 } // end for each
- if (debug==null) {
- trans.audit().printf("No cred matches ip=%s, user=%s\n",trans.ip(),user);
- } else {
- trans.audit().printf("No cred matches ip=%s, user=%s %s\n",trans.ip(),user,debug.toString());
- }
+
 if (expired!=null) {
 // Note: this is only returned if there are no good Credentials
 rv = Result.err(Status.ERR_Security,
- "Credentials %s from %s expired %s",trans.user(), trans.ip(), Chrono.dateTime(expired));
+ "Credentials expired %s",Chrono.utcStamp(expired));
+ } else {
+ if (debug==null && alwaysSpecial) {
+ debug = new StringBuilder();
+ }
+ if (debug!=null) {
+ debug.append(trans.env().encryptor().encrypt(new String(cred)));
+ rv = Result.err(Status.ERR_Security,String.format("invalid password - %s",debug.toString()));
+ }
 }
 }
 } else {
 return Result.err(result);
 }
- return rv == null ? Result.create((Date) null, Status.ERR_Security, "Wrong credential") : rv;
+ return rv == null ? Result.err(Status.ERR_Security, "Wrong credential") : rv;
 }
 private void load(StringBuilder debug, Data cdd) {
- debug.append("DB Entry: user=");
+ debug.append("\nDB Entry: user=");
 debug.append(cdd.id);
 debug.append(",type=");
 debug.append(cdd.type);
 debug.append(",expires=");
 debug.append(Chrono.dateTime(cdd.expires));
+ debug.append(",tag=");
+ debug.append(cdd.tag);
 debug.append('\n');
 }
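Review bot: The audit line `No cred matches ip=%s, user=%s` that used to fire for every failed credential check is removed and nothing in the new `else` branch logs in its place, so a failed authentication with no matching credential leaves no audit record at this point unless the caller writes one; keeping that `trans.audit().printf(...)` next to the new `rv` assignment preserves the failed-login trail that detection depends on. The new `invalid password - %s` result also carries the `load` output (id, type, expiry and tag of every non-matching DB entry) plus the encrypted submitted secret inside the returned `Result` message, and if that message is ever surfaced to the unauthenticated caller it discloses which credentials exist and when they expire, so that detail belongs in the special-debug log rather than the error text. `new String(cred)` additionally leaves an immutable copy of the password on the heap that cannot be zeroed; encrypting the `byte[]` directly would avoid it, if `encryptor()` offers such an overload — not visible here. The enclosing method begins outside this hunk.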
@@ -856,8 +954,9 @@ public class Question { long cexp=cdd.expires.getTime(); if (cexp rv = null; if (all || NsDAO.TABLE.equals(cname)) { - int seg[] = series(NsDAO.CACHE_SEG); + int[] seg = series(NsDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, NsDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, NsDAO.TABLE, seg); } if (all || PermDAO.TABLE.equals(cname)) { - int seg[] = series(PermDAO.CACHE_SEG); + int[] seg = series(PermDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, PermDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, PermDAO.TABLE,seg); } if (all || RoleDAO.TABLE.equals(cname)) { - int seg[] = series(RoleDAO.CACHE_SEG); + int[] seg = series(RoleDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, RoleDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, RoleDAO.TABLE,seg); } if (all || UserRoleDAO.TABLE.equals(cname)) { - int seg[] = series(UserRoleDAO.CACHE_SEG); + int[] seg = series(UserRoleDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, UserRoleDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, UserRoleDAO.TABLE,seg); } if (all || CredDAO.TABLE.equals(cname)) { - int seg[] = series(CredDAO.CACHE_SEG); + int[] seg = series(CredDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, CredDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, CredDAO.TABLE,seg); } if (all || CertDAO.TABLE.equals(cname)) { - int seg[] = series(CertDAO.CACHE_SEG); + int[] seg = series(CertDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, CertDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, CertDAO.TABLE,seg); } 
@@ -1098,20 +1201,22 @@ public class Question {
 }
 public boolean isAdmin(AuthzTrans trans, String user, String ns) {
- Date now = new Date();
 Result> rur = userRoleDAO.read(trans, user,ns+DOT_ADMIN);
- if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){
- if (urdd.expires.after(now)) {
- return true;
- }
- }};
+ if (rur.isOKhasData()) {
+ Date now = new Date();
+ for (UserRoleDAO.Data urdd : rur.value){
+ if (urdd.expires.after(now)) {
+ return true;
+ }
+ }
+ };
 return false;
 }
 public boolean isOwner(AuthzTrans trans, String user, String ns) {
 Result> rur = userRoleDAO.read(trans, user,ns+DOT_OWNER);
- Date now = new Date();
 if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){
+ Date now = new Date();
 if (urdd.expires.after(now)) {
 return true;
 }