X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-certman%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fcm%2Fservice%2FCMService.java;h=26b3a22a9801d7c938878f9880308588b52d6b5c;hb=b3a6814af9ab63fa59d0233f5d2ebb032f0b1597;hp=18f062d53658fa5e8d581e6f0c8c6ff679db7003;hpb=628b7105ce4d9818aac69a082e515f9275fd46fd;p=aaf%2Fauthz.git

diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 18f062d5..26b3a22a 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -60,6 +60,7 @@ import org.onap.aaf.auth.org.Organization.Identity;
 import org.onap.aaf.auth.org.OrganizationException;
 import org.onap.aaf.cadi.Hash;
 import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.aaf.AAFPermission;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.configure.Factory;
@@ -88,6 +89,8 @@ public class CMService {
     private final CredDAO credDAO;
     private final ArtiDAO artiDAO;
     private AAF_CM certManager;
+	private Boolean allowIgnoreIPs;
+	private Boolean alwaysIgnoreIPs;
 
     // @SuppressWarnings("unchecked")
     public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
@@ -108,6 +111,15 @@ public class CMService {
                 "*",
                 "read"
         );
+        alwaysIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALWAYS_IGNORE_IPS, "false"));
+        if(alwaysIgnoreIPs) {
+        	trans.env().access().log(Level.INIT, "DNS Evaluation for Cert Creation is turned off with " + Config.CM_ALWAYS_IGNORE_IPS );
+        } else {
+	        allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false"));
+	        if(allowIgnoreIPs) {
+	            trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS);
+	        }
+        }
     }
 
     public Result<CertResp> requestCert(final AuthzTrans trans, final Result<CertReq> req, final CA ca) {
@@ -133,7 +145,15 @@ public class CMService {
             try {
                 Organization org = trans.org();
 
-                boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
+                boolean ignoreIPs;
+                if(alwaysIgnoreIPs) {
+                	ignoreIPs=true;
+                } else if(allowIgnoreIPs) {
+                	ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
+                } else {
+                	ignoreIPs = false;
+                }
+                
 
                 InetAddress primary = null;
                 // Organize incoming information to get to appropriate Artifact
@@ -164,8 +184,8 @@ public class CMService {
                         }
 
                     } else {
-                        for (String cn : req.value.fqdns) {
-                            if (!ignoreIPs) {
+                        if (!ignoreIPs) {
+                        	for (String cn : req.value.fqdns) {
                                 try {
                                     InetAddress[] ias = InetAddress.getAllByName(cn);
                                     Set<String> potentialSanNames = new HashSet<>();
@@ -193,7 +213,8 @@ public class CMService {
                 } else if (primary == null) {
                     return Result.err(Result.ERR_Denied, "Request not made from matching IP (%s)", trans.ip());
                 } else {
-                    host = primary.getHostAddress();
+                    String thost = primary.getHostName();
+                    host = thost==null?primary.getHostAddress():thost;
                 }
 
                 ArtiDAO.Data add = null;
@@ -273,11 +294,11 @@ public class CMService {
                 // Make sure Primary is the first in fqdns
                 if (fqdns.size() > 1) {
                     for (int i = 0; i < fqdns.size(); ++i) {
-                        if (primary==null) {
+                        if (primary==null && !ignoreIPs) {
                             trans.error().log("CMService var primary is null");
                         } else {
                             String fg = fqdns.get(i);
-                            if (fg!=null && fg.equals(primary.getHostName())) {
+                            if (fg!=null && primary!=null && fg.equals(primary.getHostName())) {
                                 if (i != 0) {
                                     String tmp = fqdns.get(0);
                                     fqdns.set(0, primary.getHostName());
@@ -288,7 +309,7 @@ public class CMService {
                     }
                 }
             } catch (Exception e) {
-                trans.debug().log(e);
+                trans.error().log(e);
                 return Result.err(Status.ERR_Denied,
                         "AppID Sponsorship cannot be determined at this time.  Try later.");
             }
@@ -296,6 +317,7 @@ public class CMService {
             CSRMeta csrMeta;
             try {
                 csrMeta = BCFactory.createCSRMeta(ca, req.value.mechid, email, fqdns);
+                csrMeta.environment(ca.getEnv());
                 X509andChain x509ac = ca.sign(trans, csrMeta);
                 if (x509ac == null) {
                     return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");
@@ -460,7 +482,6 @@ public class CMService {
                 // Policy 6: Only do Domain by Exception
                 if (add.machine.startsWith("*")) { // Domain set
                     CA ca = certManager.getCA(add.ca);
-
                     if (!trans.fish(new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN))) {
                         return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission",
                                 add.machine);