X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-cass%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fdao%2Fhl%2FQuestion.java;h=6b6c23bfc6922b5ca8b477467d40a98a43c164c4;hb=321dce367d74092a0ba09930c3aa526abdbd5da8;hp=7201958d5b953cc449bba3c1e16466f65937900d;hpb=f64f482462b697e06a47ad55aa5447dc829ce727;p=aaf%2Fauthz.git diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index 7201958d..6b6c23bf 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java @@ -61,6 +61,7 @@ import org.onap.aaf.auth.dao.cass.PermDAO; import org.onap.aaf.auth.dao.cass.RoleDAO; import org.onap.aaf.auth.dao.cass.Status; import org.onap.aaf.auth.dao.cass.UserRoleDAO; +import org.onap.aaf.auth.env.AuthzEnv; import org.onap.aaf.auth.env.AuthzTrans; import org.onap.aaf.auth.env.AuthzTrans.REQD_TYPE; import org.onap.aaf.auth.env.AuthzTransFilter; @@ -129,20 +130,66 @@ public class Question { private static Slot transIDSlot = null; - public final HistoryDAO historyDAO; - public final CachedNSDAO nsDAO; - public CachedRoleDAO roleDAO; - public final CachedPermDAO permDAO; - public CachedUserRoleDAO userRoleDAO; - public final CachedCredDAO credDAO; - public final CachedCertDAO certDAO; - public final DelegateDAO delegateDAO; - public final FutureDAO futureDAO; - public final ApprovalDAO approvalDAO; - private final CacheInfoDAO cacheInfoDAO; + private final HistoryDAO historyDAO; + public HistoryDAO historyDAO() { + return historyDAO; + } + + private final CachedNSDAO nsDAO; + public CachedNSDAO nsDAO() { + return nsDAO; + } + + private final CachedRoleDAO roleDAO; + public CachedRoleDAO roleDAO() { + return roleDAO; + } + + private final CachedPermDAO permDAO; + public CachedPermDAO permDAO() { + return permDAO; + } + + private final CachedUserRoleDAO userRoleDAO; + public CachedUserRoleDAO userRoleDAO() { + return userRoleDAO; + } + + private final CachedCredDAO credDAO; + public CachedCredDAO credDAO() { + return credDAO; + } + + private final CachedCertDAO certDAO; + public CachedCertDAO certDAO() { + return certDAO; + } + + private final DelegateDAO delegateDAO; + public DelegateDAO delegateDAO() { + return delegateDAO; + } + + private final FutureDAO futureDAO; + public FutureDAO futureDAO() { + return futureDAO; + } + + private final ApprovalDAO approvalDAO; + public ApprovalDAO approvalDAO() { + return approvalDAO; + } + public final LocateDAO locateDAO; + public LocateDAO locateDAO() { + return locateDAO; + } + + private final CacheInfoDAO cacheInfoDAO; + private final int cldays; + private final boolean alwaysSpecial; - public Question(AuthzTrans trans, Cluster cluster, String keyspace, boolean startClean) throws APIException, IOException { + public Question(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException { PERMS = trans.slot("USER_PERMS"); trans.init().log("Instantiating DAOs"); long expiresIn = Long.parseLong(trans.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF)); @@ -163,14 +210,6 @@ public class Question { delegateDAO = new DelegateDAO(trans, historyDAO); approvalDAO = new ApprovalDAO(trans, historyDAO); - // Only want to aggressively cleanse User related Caches... The others, - // just normal refresh - if (startClean) { - CachedDAO.startCleansing(trans.env(), credDAO, userRoleDAO); - CachedDAO.startRefresh(trans.env(), cacheInfoDAO); - } - // Set a Timer to Check Caches to send messages for Caching changes - if (specialLogSlot==null) { specialLogSlot = trans.slot(AuthzTransFilter.SPECIAL_LOG_SLOT); } @@ -180,9 +219,44 @@ public class Question { } AbsCassDAO.primePSIs(trans); + + cldays = Integer.parseInt(trans.getProperty(Config.AAF_CRED_WARN_DAYS, Config.AAF_CRED_WARN_DAYS_DFT)); + + alwaysSpecial = Boolean.parseBoolean(trans.getProperty("aaf_always_special", Boolean.FALSE.toString())); + } + + /** + * Note: This Constructor created for JUNIT Purposes. Do not use otherwise. + */ + public Question(AuthzTrans trans, HistoryDAO historyDAO, CacheInfoDAO cacheInfoDAO, + CachedNSDAO nsDAO, CachedPermDAO permDAO, CachedRoleDAO roleDAO, + CachedUserRoleDAO userRoleDAO, CachedCredDAO credDAO, CachedCertDAO certDAO, + LocateDAO locateDAO,FutureDAO futureDAO, DelegateDAO delegateDAO, + ApprovalDAO approvalDAO ) { + this.historyDAO = historyDAO; + this.cacheInfoDAO = cacheInfoDAO; + this.nsDAO = nsDAO; + this.permDAO = permDAO; + this.roleDAO = roleDAO; + this.userRoleDAO = userRoleDAO; + this.credDAO = credDAO; + this.certDAO = certDAO; + this.locateDAO = locateDAO; + this.futureDAO = futureDAO; + this.delegateDAO = delegateDAO; + this.approvalDAO = approvalDAO; + + cldays = Integer.parseInt(trans.getProperty(Config.AAF_CRED_WARN_DAYS, Config.AAF_CRED_WARN_DAYS_DFT)); + alwaysSpecial = Boolean.parseBoolean(trans.getProperty("aaf_always_special", Boolean.FALSE.toString())); } - + public void startTimers(AuthzEnv env) { + // Only want to aggressively cleanse User related Caches... The others, + // just normal refresh + CachedDAO.startCleansing(env, credDAO, userRoleDAO); + CachedDAO.startRefresh(env, cacheInfoDAO); + } + public void close(AuthzTrans trans) { historyDAO.close(trans); cacheInfoDAO.close(trans); @@ -197,15 +271,29 @@ public class Question { approvalDAO.close(trans); } - public Result permFrom(AuthzTrans trans, String type, - String instance, String action) { - Result rnd = deriveNs(trans, type); - if (rnd.isOK()) { - return Result.ok(new PermDAO.Data(new NsSplit(rnd.value, type), - instance, action)); - } else { - return Result.err(rnd); - } + public Result permFrom(AuthzTrans trans, String type, String instance, String action) { + if(type.indexOf('@') >= 0) { + int colon = type.indexOf(':'); + if(colon>=0) { + PermDAO.Data pdd = new PermDAO.Data(); + pdd.ns = type.substring(0, colon); + pdd.type = type.substring(colon+1); + pdd.instance = instance; + pdd.action = action; + + return Result.ok(pdd); + } else { + return Result.err(Result.ERR_BadData,"Could not extract ns and type from " + type); + } + } else { + Result rnd = deriveNs(trans, type); + if (rnd.isOK()) { + return Result.ok(new PermDAO.Data(new NsSplit(rnd.value, type), + instance, action)); + } else { + return Result.err(rnd); + } + } } /** @@ -268,21 +356,39 @@ public class Question { return Result.ok(rlpUser); } - public Result> getPermsByType(AuthzTrans trans, String perm) { - Result nss = deriveNsSplit(trans, perm); - if (nss.notOK()) { - return Result.err(nss); - } - return permDAO.readByType(trans, nss.value.ns, nss.value.name); + public Result> getPermsByType(AuthzTrans trans, String type) { + if(type.indexOf('@') >= 0) { + int colon = type.indexOf(':'); + if(colon>=0) { + return permDAO.readByType(trans, type.substring(0, colon),type.substring(colon+1)); + } else { + return Result.err(Result.ERR_BadData, "%s is malformed",type); + } + } else { + Result nss = deriveNsSplit(trans, type); + if (nss.notOK()) { + return Result.err(nss); + } + return permDAO.readByType(trans, nss.value.ns, nss.value.name); + } } - public Result> getPermsByName(AuthzTrans trans, - String type, String instance, String action) { - Result nss = deriveNsSplit(trans, type); - if (nss.notOK()) { - return Result.err(nss); - } - return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action); + public Result> getPermsByName(AuthzTrans trans, String type, String instance, String action) { + if(type.indexOf('@') >= 0) { + int colon = type.indexOf(':'); + if(colon>=0) { + return permDAO.read(trans, type.substring(0, colon),type.substring(colon+1), instance,action); + } else { + return Result.err(Result.ERR_BadData, "%s is malformed",type); + } + } else { + Result nss = deriveNsSplit(trans, type); + if (nss.notOK()) { + return Result.err(nss); + } + + return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action); + } } public Result> getPermsByRole(AuthzTrans trans, String role, boolean lookup) { @@ -328,8 +434,14 @@ public class Question { return Result.ok(perms); } - public Result> getRolesByName(AuthzTrans trans, - String role) { + public Result> getRolesByName(AuthzTrans trans, String role) { + if(role.startsWith(trans.user()) ) { + if(role.endsWith(":user")) { + return roleDAO.read(trans,trans.user(), "user"); + } else { + return Result.err(Result.ERR_BadData,"%s is a badly formatted role",role); + } + } Result nss = deriveNsSplit(trans, role); if (nss.notOK()) { return Result.err(nss); @@ -366,12 +478,7 @@ public class Question { if (r.isOKhasData()) { return Result.ok(r.value.get(0)); } else { - int dot; - if (child==null) { - return Result.err(Status.ERR_NsNotFound, "No Namespace"); - } else { - dot = child.lastIndexOf('.'); - } + int dot = child.lastIndexOf('.'); if (dot < 0) { return Result.err(Status.ERR_NsNotFound, "No Namespace for [%s]", child); } else { @@ -512,6 +619,9 @@ public class Question { } public Result mayUser(AuthzTrans trans, String user, RoleDAO.Data rdd, Access access) { + if(trans.user().equals(rdd.ns)) { + return Result.ok((NsDAO.Data)null); + } Result rnsd = deriveNs(trans, rdd.ns); if (rnsd.isOK()) { return mayUser(trans, user, rnsd.value, rdd, access); @@ -566,6 +676,17 @@ public class Question { } public Result mayUser(AuthzTrans trans, String user,PermDAO.Data pdd, Access access) { + if(pdd.ns.indexOf('@')>-1) { + if(user.equals(pdd.ns) || isGranted(trans,user,Define.ROOT_NS(),"access",pdd.instance,READ)) { + NsDAO.Data ndd = new NsDAO.Data(); + ndd.name = user; + ndd.type = NsDAO.USER; + ndd.parent = ""; + return Result.ok(ndd); + } else { + return Result.err(Result.ERR_Security,"Only a User may modify User"); + } + } Result rnsd = deriveNs(trans, pdd.ns); if (rnsd.isOK()) { return mayUser(trans, user, rnsd.value, pdd, access); @@ -784,7 +905,8 @@ public class Question { case CredDAO.BASIC_AUTH: byte[] md5=Hash.hashMD5(cred); if (Hash.compareTo(md5,dbcred)==0) { - checkLessThanDays(trans,7,now,cdd); + checkLessThanDays(trans,cldays,now,cdd); + trans.setTag(cdd.tag); return Result.ok(cdd.expires); } else if (debug!=null) { load(debug, cdd); @@ -797,7 +919,8 @@ public class Question { byte[] hash = Hash.hashSHA256(bb.array()); if (Hash.compareTo(hash,dbcred)==0) { - checkLessThanDays(trans,7,now,cdd); + checkLessThanDays(trans,cldays,now,cdd); + trans.setTag(cdd.tag); return Result.ok(cdd.expires); } else if (debug!=null) { load(debug, cdd); @@ -812,34 +935,41 @@ public class Question { } else { if (expired==null || expired.before(cdd.expires)) { expired = cdd.expires; + trans.setTag(cdd.tag); } } } // end for each - if (debug==null) { - trans.audit().printf("No cred matches ip=%s, user=%s\n",trans.ip(),user); - } else { - trans.audit().printf("No cred matches ip=%s, user=%s %s\n",trans.ip(),user,debug.toString()); - } + if (expired!=null) { // Note: this is only returned if there are no good Credentials rv = Result.err(Status.ERR_Security, - "Credentials %s from %s expired %s",trans.user(), trans.ip(), Chrono.dateTime(expired)); + "Credentials expired %s",Chrono.utcStamp(expired)); + } else { + if (debug==null && alwaysSpecial) { + debug = new StringBuilder(); + } + if (debug!=null) { + debug.append(trans.env().encryptor().encrypt(new String(cred))); + rv = Result.err(Status.ERR_Security,String.format("invalid password - %s",debug.toString())); + } } } } else { return Result.err(result); } - return rv == null ? Result.create((Date) null, Status.ERR_Security, "Wrong credential") : rv; + return rv == null ? Result.err(Status.ERR_Security, "Wrong credential") : rv; } private void load(StringBuilder debug, Data cdd) { - debug.append("DB Entry: user="); + debug.append("\nDB Entry: user="); debug.append(cdd.id); debug.append(",type="); debug.append(cdd.type); debug.append(",expires="); debug.append(Chrono.dateTime(cdd.expires)); + debug.append(",tag="); + debug.append(cdd.tag); debug.append('\n'); } @@ -849,8 +979,9 @@ public class Question { long cexp=cdd.expires.getTime(); if (cexp userCredCheck(AuthzTrans trans, CredDAO.Data orig, final byte[] raw) { - TimeTaken tt = trans.start("CheckCred Cred", Env.SUB); - try { - switch(orig.type) { - case CredDAO.BASIC_AUTH_SHA256: - ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + raw.length); - bb.putInt(orig.other); - bb.put(raw); - return Result.ok(Hash.compareTo(orig.cred.array(),Hash.hashSHA256(bb.array()))==0); - case CredDAO.BASIC_AUTH: - return Result.ok( Hash.compareTo(orig.cred.array(), Hash.hashMD5(raw))==0); - default: - return Result.ok(false); - } - } catch (NoSuchAlgorithmException e) { - return Result.err(Status.ERR_General,e.getLocalizedMessage()); - } finally { - tt.done(); + Result rv; + TimeTaken tt = trans.start("CheckCred Cred", Env.SUB); + try { + switch(orig.type) { + case CredDAO.BASIC_AUTH_SHA256: + ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + raw.length); + bb.putInt(orig.other); + bb.put(raw); + rv = Result.ok(Hash.compareTo(orig.cred.array(),Hash.hashSHA256(bb.array()))==0); + case CredDAO.BASIC_AUTH: + rv= Result.ok( Hash.compareTo(orig.cred.array(), Hash.hashMD5(raw))==0); + case CredDAO.FQI: + default: + rv = Result.ok(false); } + } catch (NoSuchAlgorithmException e) { + rv = Result.err(Status.ERR_General,e.getLocalizedMessage()); + } finally { + tt.done(); + } + return rv; } public static final String APPROVED = "APPROVE"; @@ -1091,9 +1228,9 @@ public class Question { } public boolean isAdmin(AuthzTrans trans, String user, String ns) { - Date now = new Date(); Result> rur = userRoleDAO.read(trans, user,ns+DOT_ADMIN); if (rur.isOKhasData()) { + Date now = new Date(); for (UserRoleDAO.Data urdd : rur.value){ if (urdd.expires.after(now)) { return true; @@ -1104,9 +1241,9 @@ public class Question { } public boolean isOwner(AuthzTrans trans, String user, String ns) { - Result> rur = userRoleDAO.read(trans, user,ns+DOT_OWNER); - Date now = new Date(); + Result> rur = userRoleDAO().read(trans, user,ns+DOT_OWNER); if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){ + Date now = new Date(); if (urdd.expires.after(now)) { return true; } @@ -1115,7 +1252,7 @@ public class Question { } public int countOwner(AuthzTrans trans, String ns) { - Result> rur = userRoleDAO.readByRole(trans,ns+DOT_OWNER); + Result> rur = userRoleDAO().readByRole(trans,ns+DOT_OWNER); Date now = new Date(); int count = 0; if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){