X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-certman%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fcm%2Fservice%2FCMService.java;h=893a6b170e199d9c2f66b27640520c89ea17f76f;hb=0e302ed774f4c371b9414fe99836836f775b688d;hp=18f062d53658fa5e8d581e6f0c8c6ff679db7003;hpb=2b5103e038a7727734097a671d331db9aaab77ba;p=aaf%2Fauthz.git diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index 18f062d5..893a6b17 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java @@ -60,6 +60,7 @@ import org.onap.aaf.auth.org.Organization.Identity; import org.onap.aaf.auth.org.OrganizationException; import org.onap.aaf.cadi.Hash; import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.configure.Factory; @@ -88,6 +89,7 @@ public class CMService { private final CredDAO credDAO; private final ArtiDAO artiDAO; private AAF_CM certManager; + private Boolean allowIgnoreIPs; // @SuppressWarnings("unchecked") public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException { @@ -108,6 +110,10 @@ public class CMService { "*", "read" ); + allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false")); + if(allowIgnoreIPs) { + trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with .certman||"+IGNORE_IPS); + } } public Result requestCert(final AuthzTrans trans, final Result req, final CA ca) { @@ -133,7 +139,13 @@ public class CMService { try { Organization org = trans.org(); - boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS)); + boolean ignoreIPs; + if(allowIgnoreIPs) { + ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS)); + } else { + ignoreIPs = false; + } + InetAddress primary = null; // Organize incoming information to get to appropriate Artifact @@ -164,8 +176,8 @@ public class CMService { } } else { - for (String cn : req.value.fqdns) { - if (!ignoreIPs) { + if (!ignoreIPs) { + for (String cn : req.value.fqdns) { try { InetAddress[] ias = InetAddress.getAllByName(cn); Set potentialSanNames = new HashSet<>(); @@ -193,7 +205,8 @@ public class CMService { } else if (primary == null) { return Result.err(Result.ERR_Denied, "Request not made from matching IP (%s)", trans.ip()); } else { - host = primary.getHostAddress(); + String thost = primary.getHostName(); + host = thost==null?primary.getHostAddress():thost; } ArtiDAO.Data add = null; @@ -273,7 +286,7 @@ public class CMService { // Make sure Primary is the first in fqdns if (fqdns.size() > 1) { for (int i = 0; i < fqdns.size(); ++i) { - if (primary==null) { + if (primary==null && !ignoreIPs) { trans.error().log("CMService var primary is null"); } else { String fg = fqdns.get(i); @@ -296,6 +309,7 @@ public class CMService { CSRMeta csrMeta; try { csrMeta = BCFactory.createCSRMeta(ca, req.value.mechid, email, fqdns); + csrMeta.environment(ca.getEnv()); X509andChain x509ac = ca.sign(trans, csrMeta); if (x509ac == null) { return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");