X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-certman%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fcm%2Fca%2FCA.java;h=275ad549b2ee09778f30aab032e8020d037f9320;hb=be1edcb6830745015f5de72e820f40f36dd571ad;hp=820f02d1f3418c2d8b812efae72d77de4dc1a054;hpb=4b5a7d721d994a49057e9bfb403c7bff1b376660;p=aaf%2Fauthz.git

diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
index 820f02d1..275ad549 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
@@ -7,9 +7,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -30,6 +30,7 @@ import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 import org.bouncycastle.asn1.x500.style.BCStyle;
 import org.onap.aaf.auth.cm.cert.CSRMeta;
@@ -42,59 +43,68 @@ import org.onap.aaf.misc.env.Trans;
 import org.onap.aaf.misc.env.util.Split;
 
 public abstract class CA {
+    public static final Pattern IPV4_PATTERN = Pattern.compile("\\A(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z");
+    public static final Pattern IPV6_PATTERN = Pattern.compile("\\A(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\\z");
+    
+
     private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for ";
     //TODO figuring out what is an Issuing CA is a matter of convention.  Consider SubClassing for Open Source
     public static final String ISSUING_CA = "Issuing CA";
     public static final String CM_CA_PREFIX = "cm_ca.";
     public static final String CM_CA_BASE_SUBJECT = ".baseSubject";
+    public static final String CM_CA_ENV_TAG = ".env_tag";
     protected static final String CM_PUBLIC_DIR = "cm_public_dir";
     private static final String CM_TRUST_CAS = "cm_trust_cas";
     protected static final String CM_BACKUP_CAS = "cm_backup_cas";
 
     public static final Set<String> EMPTY = Collections.unmodifiableSet(new HashSet<>());
 
-    
+
     private final String name;
     private final String env;
     private MessageDigest messageDigest;
-    private final String permNS; 
+    private final String permNS;
     private final String permType;
     private final ArrayList<String> idDomains;
     private String[] trustedCAs;
     private String[] caIssuerDNs;
     private List<RDN> rdns;
+    private final boolean env_tag;
 
 
     protected CA(Access access, String caName, String env) throws IOException, CertException {
         trustedCAs = new String[4]; // starting array
         this.name = caName;
         this.env = env;
-        permNS = CM_CA_PREFIX + name;
-        permType = access.getProperty(permNS + ".perm_type",null);
-        if(permType==null) {
-            throw new CertException(permNS + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
+        this.env_tag = env==null || env.isEmpty()?false:
+                Boolean.parseBoolean(access.getProperty(CM_CA_ENV_TAG, Boolean.FALSE.toString()));
+        permNS=null;
+        String prefix = CM_CA_PREFIX + name;
+        permType = access.getProperty(prefix + ".perm_type",null);
+        if (permType==null) {
+            throw new CertException(prefix + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
         }
         caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null));
-        
+
         String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT;
-        
+
         String fields = access.getProperty(tag, null);
-        if(fields==null) {
+        if (fields==null) {
             throw new CertException(tag + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
         }
         access.log(Level.INFO, tag, "=",fields);
         rdns = RDN.parse('/',fields);
-        for(RDN rdn : rdns) {
-            if(rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject
+        for (RDN rdn : rdns) {
+            if (rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject
                 throw new CertException("email address is not allowed in " + CM_CA_BASE_SUBJECT);
             }
         }
-        
+
         idDomains = new ArrayList<>();
         StringBuilder sb = null;
-        for(String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) {
-            if(s.length()>0) {
-                if(sb==null) {
+        for (String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) {
+            if (s.length()>0) {
+                if (sb==null) {
                     sb = new StringBuilder();
                 } else {
                     sb.append(", ");
@@ -103,31 +113,31 @@ public abstract class CA {
                 sb.append(s);
             }
         }
-        if(sb!=null) {
+        if (sb!=null) {
             access.printf(Level.INIT, "CA '%s' supports Personal Certificates for %s", caName, sb);
         }
-        
+
         String dataDir = access.getProperty(CM_PUBLIC_DIR,null);
-        if(dataDir!=null) {
+        if (dataDir!=null) {
             File data = new File(dataDir);
             byte[] bytes;
-            if(data.exists()) {
+            if (data.exists()) {
                 String trustCas = access.getProperty(CM_TRUST_CAS,null);
-                if(trustCas!=null) {
-                    for(String fname : Split.splitTrim(',', trustCas)) {
+                if (trustCas!=null) {
+                    for (String fname : Split.splitTrim(',', trustCas)) {
                         File crt;
-                        if(fname.contains("/")) {
+                        if (fname.contains("/")) {
                             crt = new File(fname);
                         } else {
                             crt = new File(data,fname);
                         }
-                        if(crt.exists()) {
+                        if (crt.exists()) {
                             access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath());
                             bytes = new byte[(int)crt.length()];
                             FileInputStream fis = new FileInputStream(crt);
                             try {
                                 int read = fis.read(bytes);
-                                if(read>0) {    
+                                if (read>0) {
                                     addTrustedCA(new String(bytes));
                                 }
                             } finally {
@@ -148,29 +158,29 @@ public abstract class CA {
 
     protected void addCaIssuerDN(String issuerDN) {
         boolean changed = true;
-        for(String id : caIssuerDNs) {
-            if(id.equals(issuerDN)) {
+        for (String id : caIssuerDNs) {
+            if (id.equals(issuerDN)) {
                 changed = false;
                 break;
             }
         }
-        if(changed) {
+        if (changed) {
             String[] newsa = new String[caIssuerDNs.length+1];
             newsa[0]=issuerDN;
             System.arraycopy(caIssuerDNs, 0, newsa, 1, caIssuerDNs.length);
             caIssuerDNs = newsa;
         }
     }
-    
+
     protected synchronized void addTrustedCA(final String crtString) {
         String crt;
-        if(crtString.endsWith("\n")) {
+        if (crtString.endsWith("\n")) {
             crt = crtString;
         } else {
             crt = crtString + '\n';
         }
-        for(int i=0;i<trustedCAs.length;++i) {
-            if(trustedCAs[i]==null) {
+        for (int i=0;i<trustedCAs.length;++i) {
+            if (trustedCAs[i]==null) {
                 trustedCAs[i]=crt;
                 return;
             }
@@ -180,15 +190,19 @@ public abstract class CA {
         temp[trustedCAs.length]=crt;
         trustedCAs = temp;
     }
-    
+
     public String[] getCaIssuerDNs() {
         return caIssuerDNs;
     }
-    
+
     public String[] getTrustedCAs() {
         return trustedCAs;
     }
-    
+
+    public boolean shouldAddEnvTag() {
+        return env_tag;
+    }
+
     public String getEnv() {
         return env;
     }
@@ -204,16 +218,16 @@ public abstract class CA {
     public String getName() {
         return name;
     }
-    
-    
+
+
     public String getPermNS() {
         return permNS;
     }
-    
+
     public String getPermType() {
         return permType;
     }
-    
+
     public abstract X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException;
 
     /* (non-Javadoc)
@@ -221,7 +235,7 @@ public abstract class CA {
      */
     public boolean inPersonalDomains(Principal p) {
         int at = p.getName().indexOf('@');
-        if(at>=0) {
+        if (at>=0) {
             return idDomains.contains(p.getName().substring(at+1));
         } else {
             return false;