X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-cass%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fdao%2Fhl%2FQuestion.java;h=7160edec50d408dbb72246a463a1fadde2a487a1;hb=a77e3d6e9180c1722a9d18f7717034bb0650a130;hp=a513da0a56e875b9f99b5f9100092bec7e378b74;hpb=6fa244073a612906f9b836679da38c78162418d2;p=aaf%2Fauthz.git diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index a513da0a..7160edec 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java @@ -27,7 +27,6 @@ import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.ArrayList; import java.util.Collections; -import java.util.Comparator; import java.util.Date; import java.util.HashSet; import java.util.List; @@ -62,6 +61,7 @@ import org.onap.aaf.auth.dao.cass.PermDAO; import org.onap.aaf.auth.dao.cass.RoleDAO; import org.onap.aaf.auth.dao.cass.Status; import org.onap.aaf.auth.dao.cass.UserRoleDAO; +import org.onap.aaf.auth.env.AuthzEnv; import org.onap.aaf.auth.env.AuthzTrans; import org.onap.aaf.auth.env.AuthzTrans.REQD_TYPE; import org.onap.aaf.auth.env.AuthzTransFilter; @@ -89,7 +89,7 @@ import com.datastax.driver.core.Cluster; public class Question { // DON'T CHANGE FROM lower Case!!! - public static enum Type { + public enum Type { ns, role, perm, cred }; @@ -101,7 +101,7 @@ public class Question { static final String ASTERIX = "*"; - public static enum Access { + public enum Access { read, write, create }; @@ -130,22 +130,67 @@ public class Question { private static Slot transIDSlot = null; - public final HistoryDAO historyDAO; - public final CachedNSDAO nsDAO; - public CachedRoleDAO roleDAO; - public final CachedPermDAO permDAO; - public CachedUserRoleDAO userRoleDAO; - public final CachedCredDAO credDAO; - public final CachedCertDAO certDAO; - public final DelegateDAO delegateDAO; - public final FutureDAO futureDAO; - public final ApprovalDAO approvalDAO; - private final CacheInfoDAO cacheInfoDAO; + private final HistoryDAO historyDAO; + public HistoryDAO historyDAO() { + return historyDAO; + } + + private final CachedNSDAO nsDAO; + public CachedNSDAO nsDAO() { + return nsDAO; + } + + private final CachedRoleDAO roleDAO; + public CachedRoleDAO roleDAO() { + return roleDAO; + } + + private final CachedPermDAO permDAO; + public CachedPermDAO permDAO() { + return permDAO; + } + + private final CachedUserRoleDAO userRoleDAO; + public CachedUserRoleDAO userRoleDAO() { + return userRoleDAO; + } + + private final CachedCredDAO credDAO; + public CachedCredDAO credDAO() { + return credDAO; + } + + private final CachedCertDAO certDAO; + public CachedCertDAO certDAO() { + return certDAO; + } + + private final DelegateDAO delegateDAO; + public DelegateDAO delegateDAO() { + return delegateDAO; + } + + private final FutureDAO futureDAO; + public FutureDAO futureDAO() { + return futureDAO; + } + + private final ApprovalDAO approvalDAO; + public ApprovalDAO approvalDAO() { + return approvalDAO; + } + public final LocateDAO locateDAO; + public LocateDAO locateDAO() { + return locateDAO; + } + + private final CacheInfoDAO cacheInfoDAO; + private final int cldays; + private final boolean alwaysSpecial; - public Question(AuthzTrans trans, Cluster cluster, String keyspace, boolean startClean) throws APIException, IOException { + public Question(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException { PERMS = trans.slot("USER_PERMS"); - System.out.println(trans.init()); trans.init().log("Instantiating DAOs"); long expiresIn = Long.parseLong(trans.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF)); historyDAO = new HistoryDAO(trans, cluster, keyspace); @@ -165,14 +210,6 @@ public class Question { delegateDAO = new DelegateDAO(trans, historyDAO); approvalDAO = new ApprovalDAO(trans, historyDAO); - // Only want to aggressively cleanse User related Caches... The others, - // just normal refresh - if (startClean) { - CachedDAO.startCleansing(trans.env(), credDAO, userRoleDAO); - CachedDAO.startRefresh(trans.env(), cacheInfoDAO); - } - // Set a Timer to Check Caches to send messages for Caching changes - if (specialLogSlot==null) { specialLogSlot = trans.slot(AuthzTransFilter.SPECIAL_LOG_SLOT); } @@ -182,9 +219,19 @@ public class Question { } AbsCassDAO.primePSIs(trans); + + cldays = Integer.parseInt(trans.getProperty(Config.AAF_CRED_WARN_DAYS, Config.AAF_CRED_WARN_DAYS_DFT)); + + alwaysSpecial = Boolean.parseBoolean(trans.getProperty("aaf_always_special", Boolean.FALSE.toString())); } - + public void startTimers(AuthzEnv env) { + // Only want to aggressively cleanse User related Caches... The others, + // just normal refresh + CachedDAO.startCleansing(env, credDAO, userRoleDAO); + CachedDAO.startRefresh(env, cacheInfoDAO); + } + public void close(AuthzTrans trans) { historyDAO.close(trans); cacheInfoDAO.close(trans); @@ -568,6 +615,17 @@ public class Question { } public Result mayUser(AuthzTrans trans, String user,PermDAO.Data pdd, Access access) { + if(pdd.ns.indexOf('@')>-1) { + if(user.equals(pdd.ns)) { + NsDAO.Data ndd = new NsDAO.Data(); + ndd.name = user; + ndd.type = NsDAO.USER; + ndd.parent = ""; + return Result.ok(ndd); + } else { + return Result.err(Result.ERR_Security,"Only a User may modify User"); + } + } Result rnsd = deriveNs(trans, pdd.ns); if (rnsd.isOK()) { return mayUser(trans, user, rnsd.value, pdd, access); @@ -755,7 +813,7 @@ public class Question { trans.audit().log("Special DEBUG:", user, " does not exist in DB"); } } else { - Date now = new Date();//long now = System.currentTimeMillis(); + Date now = new Date(); // Bug noticed 6/22. Sorting on the result can cause Concurrency Issues. List cddl; if (result.value.size() > 1) { @@ -766,13 +824,7 @@ public class Question { } } if (cddl.size()>1) { - Collections.sort(cddl,new Comparator() { - @Override - public int compare(org.onap.aaf.auth.dao.cass.CredDAO.Data a, - org.onap.aaf.auth.dao.cass.CredDAO.Data b) { - return b.expires.compareTo(a.expires); - } - }); + Collections.sort(cddl, (a, b) -> b.expires.compareTo(a.expires)); } } else { cddl = result.value; @@ -792,7 +844,8 @@ public class Question { case CredDAO.BASIC_AUTH: byte[] md5=Hash.hashMD5(cred); if (Hash.compareTo(md5,dbcred)==0) { - checkLessThanDays(trans,7,now,cdd); + checkLessThanDays(trans,cldays,now,cdd); + trans.setTag(cdd.tag); return Result.ok(cdd.expires); } else if (debug!=null) { load(debug, cdd); @@ -805,7 +858,8 @@ public class Question { byte[] hash = Hash.hashSHA256(bb.array()); if (Hash.compareTo(hash,dbcred)==0) { - checkLessThanDays(trans,7,now,cdd); + checkLessThanDays(trans,cldays,now,cdd); + trans.setTag(cdd.tag); return Result.ok(cdd.expires); } else if (debug!=null) { load(debug, cdd); @@ -820,34 +874,41 @@ public class Question { } else { if (expired==null || expired.before(cdd.expires)) { expired = cdd.expires; + trans.setTag(cdd.tag); } } } // end for each - if (debug==null) { - trans.audit().printf("No cred matches ip=%s, user=%s\n",trans.ip(),user); - } else { - trans.audit().printf("No cred matches ip=%s, user=%s %s\n",trans.ip(),user,debug.toString()); - } + if (expired!=null) { // Note: this is only returned if there are no good Credentials rv = Result.err(Status.ERR_Security, - "Credentials %s from %s expired %s",trans.user(), trans.ip(), Chrono.dateTime(expired)); + "Credentials expired %s",Chrono.utcStamp(expired)); + } else { + if (debug==null && alwaysSpecial) { + debug = new StringBuilder(); + } + if (debug!=null) { + debug.append(trans.env().encryptor().encrypt(new String(cred))); + rv = Result.err(Status.ERR_Security,String.format("invalid password - %s",debug.toString())); + } } } } else { return Result.err(result); } - return rv == null ? Result.create((Date) null, Status.ERR_Security, "Wrong credential") : rv; + return rv == null ? Result.err(Status.ERR_Security, "Wrong credential") : rv; } private void load(StringBuilder debug, Data cdd) { - debug.append("DB Entry: user="); + debug.append("\nDB Entry: user="); debug.append(cdd.id); debug.append(",type="); debug.append(cdd.type); debug.append(",expires="); debug.append(Chrono.dateTime(cdd.expires)); + debug.append(",tag="); + debug.append(cdd.tag); debug.append('\n'); } @@ -857,8 +918,9 @@ public class Question { long cexp=cdd.expires.getTime(); if (cexp rv = null; if (all || NsDAO.TABLE.equals(cname)) { - int seg[] = series(NsDAO.CACHE_SEG); + int[] seg = series(NsDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, NsDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, NsDAO.TABLE, seg); } if (all || PermDAO.TABLE.equals(cname)) { - int seg[] = series(PermDAO.CACHE_SEG); + int[] seg = series(PermDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, PermDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, PermDAO.TABLE,seg); } if (all || RoleDAO.TABLE.equals(cname)) { - int seg[] = series(RoleDAO.CACHE_SEG); + int[] seg = series(RoleDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, RoleDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, RoleDAO.TABLE,seg); } if (all || UserRoleDAO.TABLE.equals(cname)) { - int seg[] = series(UserRoleDAO.CACHE_SEG); + int[] seg = series(UserRoleDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, UserRoleDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, UserRoleDAO.TABLE,seg); } if (all || CredDAO.TABLE.equals(cname)) { - int seg[] = series(CredDAO.CACHE_SEG); + int[] seg = series(CredDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, CredDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, CredDAO.TABLE,seg); } if (all || CertDAO.TABLE.equals(cname)) { - int seg[] = series(CertDAO.CACHE_SEG); + int[] seg = series(CertDAO.CACHE_SEG); for (int i: seg) {cacheClear(trans, CertDAO.TABLE,i);} rv = cacheInfoDAO.touch(trans, CertDAO.TABLE,seg); } @@ -1101,11 +1166,13 @@ public class Question { public boolean isAdmin(AuthzTrans trans, String user, String ns) { Date now = new Date(); Result> rur = userRoleDAO.read(trans, user,ns+DOT_ADMIN); - if (rur.isOKhasData()) {for (UserRoleDAO.Data urdd : rur.value){ - if (urdd.expires.after(now)) { - return true; - } - }}; + if (rur.isOKhasData()) { + for (UserRoleDAO.Data urdd : rur.value){ + if (urdd.expires.after(now)) { + return true; + } + } + }; return false; }