X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-deforg%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Forg%2FDefaultOrg.java;h=c7f3b1cc992c652c15ff28ecb8d57b4f4b48ad65;hb=HEAD;hp=d9336d4e279005a16a43ee22bbafd39d3c5db7e0;hpb=4b5a7d721d994a49057e9bfb403c7bff1b376660;p=aaf%2Fauthz.git diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java index d9336d4e..c7f3b1cc 100644 --- a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java +++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java @@ -32,26 +32,31 @@ import java.util.Set; import java.util.regex.Pattern; import org.onap.aaf.auth.env.AuthzTrans; +import org.onap.aaf.auth.local.AbsData.Reuse; import org.onap.aaf.auth.org.EmailWarnings; import org.onap.aaf.auth.org.Executor; import org.onap.aaf.auth.org.Mailer; import org.onap.aaf.auth.org.Organization; import org.onap.aaf.auth.org.OrganizationException; +import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.util.FQI; import org.onap.aaf.misc.env.Env; +import org.onap.aaf.org.Identities.Data; public class DefaultOrg implements Organization { private static final String AAF_DATA_DIR = "aaf_data_dir"; - private static final String PROPERTY_IS_REQUIRED = " property is Required"; // Package on Purpose final String domain; final String atDomain; final String realm; - private final String NAME,mailHost,mailFrom; + private final String root_ns; + + private final String NAME; private final Set supportedRealms; + public DefaultOrg(Env env, String realm) throws OrganizationException { this.realm = realm; 
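Review bot: The new field `private final String root_ns;` uses snake_case while every other field in this hunk (`atDomain`, `supportedRealms`) is lowerCamelCase; `private final String rootNs;` with the same rename at its assignment in the constructor and at the `MAY_EXTEND_CRED_EXPIRES` case in `validate` would keep the class consistent. The same applies to the `after_at` local introduced in `supportedDomain` further down this diff.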
@@ -59,69 +64,65 @@ public class DefaultOrg implements Organization { supportedRealms.add(realm); domain=FQI.reverseDomain(realm); atDomain = '@'+domain; - String s; NAME=env.getProperty(realm + ".name","Default Organization"); - mailHost = env.getProperty(s=(realm + ".mailHost"), null); - if(mailHost==null) { - throw new OrganizationException(s + PROPERTY_IS_REQUIRED); - } - mailFrom = env.getProperty(s=(realm + ".mailFrom"), null); - if(mailFrom==null) { - throw new OrganizationException(s + PROPERTY_IS_REQUIRED); - } - - // Note: This code is to avoid including javax.mail into ONAP, because there are security/licence - // exceptions - try { - Class.forName("javax.mail.Session"); // ensure package is loaded - @SuppressWarnings("unchecked") - Class minst = (Class)Class.forName("org.onap.aaf.org.JavaxMailer"); - mailer = minst.newInstance(); - } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e1) { - env.warn().log("JavaxMailer not loaded. Mailing disabled"); - } - - System.getProperties().setProperty("mail.smtp.host",mailHost); - System.getProperties().setProperty("mail.user", mailFrom); + root_ns = env.getProperty(Config.AAF_ROOT_NS,Config.AAF_ROOT_NS_DEF); try { - String defFile; - String temp=env.getProperty(defFile = (getClass().getName()+".file")); + String temp=env.getProperty(realm +".file"); File fIdentities=null; - if(temp==null) { + if (temp==null) { temp = env.getProperty(AAF_DATA_DIR); - if(temp!=null) { - env.warn().log(defFile, " is not defined. Using default: ",temp+"/identities.dat"); + if (temp!=null) { + env.warn().log("Datafile for " + realm + " is not defined. Using default: ",temp+"/identities.dat"); File dir = new File(temp); fIdentities=new File(dir,"identities.dat"); - if(!fIdentities.exists()) { + if (!fIdentities.exists()) { env.warn().log("No",fIdentities.getCanonicalPath(),"exists. 
Creating."); - if(!dir.exists()) { + if (!dir.exists()) { dir.mkdirs(); } fIdentities.createNewFile(); } + } } else { fIdentities = new File(temp); - if(!fIdentities.exists()) { + if (!fIdentities.exists()) { String dataDir = env.getProperty(AAF_DATA_DIR); - if(dataDir!=null) { + if (dataDir!=null) { fIdentities = new File(dataDir,temp); } } } - if(fIdentities!=null && fIdentities.exists()) { + if (fIdentities!=null && fIdentities.exists()) { identities = new Identities(fIdentities); } else { - if(fIdentities==null) { - throw new OrganizationException("No Identities"); + if (fIdentities==null) { + throw new OrganizationException("No Identities: set \"" + AAF_DATA_DIR + '"'); } else { throw new OrganizationException(fIdentities.getCanonicalPath() + " does not exist."); } } + + File fRevoked=null; + temp=env.getProperty(getClass().getName()+".file.revoked"); + if(temp==null) { + temp = env.getProperty(AAF_DATA_DIR); + if (temp!=null) { + File dir = new File(temp); + fRevoked=new File(dir,"revoked.dat"); + } + } else { + fRevoked = new File(temp); + } + if (fRevoked!=null && fRevoked.exists()) { + revoked = new Identities(fRevoked); + } else { + revoked = null; + } + } catch (IOException e) { throw new OrganizationException(e); } @@ -131,6 +132,7 @@ public class DefaultOrg implements Organization { static final List NULL_DELEGATES = new ArrayList<>(); public Identities identities; + public Identities revoked; private boolean dryRun; private Mailer mailer; public enum Types {Employee, Contractor, Application, NotActive}; @@ -138,7 +140,7 @@ public class DefaultOrg implements Organization { static { typeSet = new HashSet<>(); - for(Types t : Types.values()) { + for (Types t : Types.values()) { typeSet.add(t.name()); } } 
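Review bot: The revoked-file lookup in the constructor is keyed on `getClass().getName()+".file.revoked"` while the identities lookup a few lines above it was just changed to `realm +".file"`, so an operator who follows the new per-realm convention will not be able to configure the revoked file; `temp=env.getProperty(realm + ".file.revoked");` would match. When neither that property nor a `revoked.dat` under `aaf_data_dir` exists, `revoked` is set to `null` without any log line, which silently turns the `isRevoked` check added later in this diff into a no-op, unlike the identities path that warns before falling back; I would add `env.warn().log("No revoked file configured for " + realm + "; revocation checks are disabled");` in the `else` branch. The `if(temp==null)` in the revoked block also lacks the space the rest of this commit adds to every other `if`. The constructor's closing lines are in this hunk but its signature is in the previous one.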
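Review bot: `public Identities revoked;` is a mutable field that, within this diff, is written only by the constructor and read only by `isRevoked`; `private Identities revoked;` would match `dryRun` and `mailer` declared right below it, unless another class needs to read it the way `identities` above is presumably read.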
@@ -166,6 +168,58 @@ public class DefaultOrg implements Organization { return new DefaultOrgIdentity(trans,at<0?id:id.substring(0, at),this); } + /** + * If the ID isn't in the revoked file, if it exists, it is revoked. + */ + @Override + public Date isRevoked(AuthzTrans trans, String key) { + if(revoked!=null) { + try { + revoked.open(trans, DefaultOrgIdentity.TIMEOUT); + try { + Reuse r = revoked.reuse(); + int at = key.indexOf(domain); + String search; + if (at>=0) { + search = key.substring(0,at); + } else { + search = key; + } + Data revokedData = revoked.find(search, r); + return revokedData==null?null:new Date(); + } finally { + revoked.close(trans); + } + } catch (IOException e) { + trans.error().log(e); + } + } + return null; + } + + /* (non-Javadoc) + * @see org.onap.aaf.auth.org.Organization#getEsclaations(org.onap.aaf.auth.env.AuthzTrans, java.lang.String, int) + */ + @Override + public List getIDs(AuthzTrans trans, String user, int escalate) throws OrganizationException { + List rv = new ArrayList<>(); + int end = Math.min(3,Math.abs(escalate)); + Identity id = null; + for(int i=0;i 0) { + if (at > 0) { // Use this to prevent passwords to any but THIS domain. -// if(!id.regionMatches(at+1, domain, 0, id.length()-at-1)) { +// if (!id.regionMatches(at+1, domain, 0, id.length()-at-1)) { // return false; // } sid = id.substring(0,at); @@ -198,7 +252,7 @@ public class DefaultOrg implements Organization { return isValidID(trans, sid)==null; // Check Pattern (if checking existing is too long) - // if(id.endsWith(SUFFIX) && ID_PATTERN.matcher(id).matches()) { + // if (id.endsWith(SUFFIX) && ID_PATTERN.matcher(id).matches()) { // return true; // } // return false; 
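Review bot: In `isRevoked`, `int at = key.indexOf(domain);` appears to leave the `@` on the search key: for `bob@<domain>` the match starts after the `@`, so `search` becomes `bob@` rather than `bob`; `int at = key.indexOf(atDomain);` (the field the constructor builds as `'@'+domain`) would strip the whole suffix. The Javadoc above the method states the opposite of what the code does, since an entry found in the revoked file is what yields a non-null result; I would replace it with `Returns a date when a revoked file is configured and {@code key} is listed in it, {@code null} otherwise.` The `catch (IOException e)` branch logs and falls through to `return null`, so a failure to read the revoked file is treated as "not revoked"; if that fail-open behaviour is intended it should be stated in a comment such as `// read failure is treated as not revoked`, otherwise the error needs to surface to the caller. `new Date()` also reports the time of the lookup rather than any recorded revocation date, which matters if callers anchor a grace period to the returned value. The `getIDs` method that follows is garbled in this extract and could not be reviewed.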
@@ -209,11 +263,11 @@ public class DefaultOrg implements Organization { /** * ( # Start of group * (?=.*[a-z,A-Z]) # must contain one character - * - * (?=.*\d) # must contain one digit from 0-9 + * + * (?=.*\d) # must contain one digit from 0-9 * OR * (?=.*[@#$%]) # must contain one special symbols in the list SPEC_CHARS - * + * * . # match anything with previous condition checking * {6,20} # length at least 6 characters and maximum of 20 * ) # End of group @@ -232,13 +286,13 @@ public class DefaultOrg implements Organization { */ @Override public String isValidPassword(final AuthzTrans trans, final String user, final String password, final String... prev) { - for(String p : prev) { - if(password.contains(p)) { // A more sophisticated algorithm might be better. + for (String p : prev) { + if (password.contains(p)) { // A more sophisticated algorithm might be better. return "Password too similar to previous passwords"; } } // If you have an Organization user/Password scheme, replace the following - if(PASS_PATTERN.matcher(password).matches()) { + if (PASS_PATTERN.matcher(password).matches()) { return ""; } return "Password does not match " + NAME + " Password Standards"; @@ -430,7 +484,7 @@ public class DefaultOrg implements Organization { // Extending Password give 5 extra days, max 8 days from now rv.add(GregorianCalendar.DATE, 5); now.add(GregorianCalendar.DATE, 8); - if(rv.after(now)) { + if (rv.after(now)) { rv = now; } break; @@ -453,7 +507,7 @@ public class DefaultOrg implements Organization { // Delegations expire max in 2 months, renewable to 3 rv.add(GregorianCalendar.MONTH, 2); now.add(GregorianCalendar.MONTH, 3); - if(rv.after(now)) { + if (rv.after(now)) { rv = now; } break; 
@@ -462,6 +516,10 @@ public class DefaultOrg implements Organization { now.add(GregorianCalendar.MONTH, 6); rv = now; break; + case RevokedGracePeriodEnds: + now.add(GregorianCalendar.DATE, 3); + rv = now; + break; default: // Unless other wise set, 6 months is default now.add(GregorianCalendar.MONTH, 6); @@ -483,9 +541,9 @@ public class DefaultOrg implements Organization { public List getApprovers(AuthzTrans trans, String user) throws OrganizationException { Identity orgIdentity = getIdentity(trans, user); List orgIdentitys = new ArrayList<>(); - if(orgIdentity!=null) { + if (orgIdentity!=null) { Identity supervisor = orgIdentity.responsibleTo(); - if(supervisor!=null) { + if (supervisor!=null) { orgIdentitys.add(supervisor); } } @@ -516,18 +574,19 @@ public class DefaultOrg implements Organization { @Override public String validate(AuthzTrans trans, Policy policy, Executor executor, String... vars) throws OrganizationException { + String user; switch(policy) { case OWNS_MECHID: case CREATE_MECHID: - if(vars.length>0) { + if (vars.length>0) { DefaultOrgIdentity thisID = getIdentity(trans,vars[0]); - if("a".equals(thisID.identity.status)) { // MechID + if ("a".equals(thisID.identity.status)) { // MechID DefaultOrgIdentity requestor = getIdentity(trans, trans.user()); - if(requestor!=null) { + if (requestor!=null) { Identity mechid = getIdentity(trans, vars[0]); - if(mechid!=null) { + if (mechid!=null) { Identity sponsor = mechid.responsibleTo(); - if(sponsor!=null && requestor.fullID().equals(sponsor.fullID())) { + if (sponsor!=null && requestor.fullID().equals(sponsor.fullID())) { return null; } else { return trans.user() + " is not the Sponsor of MechID " + vars[0]; 
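Review bot: The new `RevokedGracePeriodEnds` case computes `now.add(GregorianCalendar.DATE, 3); rv = now;`, so the grace window is anchored to the time of the call rather than to the date the method was given; assuming `rv` is seeded from the method's date argument as the `rv.add(GregorianCalendar.DATE, 5)` pattern in the earlier cases suggests, `rv.add(GregorianCalendar.DATE, 3);` would make the window end three days after the revocation instead of being pushed forward on every evaluation. Combined with `isRevoked` returning `new Date()` each time it is called, the grace period could otherwise never expire; this is an inference from the visible cases, since the enclosing method starts and ends outside the hunk. A short comment `// grace period: 3 days after revocation` on the case would also document the policy.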
@@ -541,6 +600,12 @@ public class DefaultOrg implements Organization { case CREATE_MECHID_BY_PERM_ONLY: return getName() + " only allows sponsors to create MechIDs"; + case MAY_EXTEND_CRED_EXPIRES: + // If parm, use it, otherwise, trans + user = vars.length>1?vars[1]:trans.user(); + return executor.hasPermission(user, root_ns,"password", root_ns , "extend") + ?null:user + " does not have permission to extend passwords at " + getName(); + default: return policy.name() + " is unsupported at " + getName(); } @@ -558,25 +623,44 @@ public class DefaultOrg implements Organization { private String extractRealm(final String r) { int at; - if((at=r.indexOf('@'))>=0) { + if ((at=r.indexOf('@'))>=0) { return FQI.reverseDomain(r.substring(at+1)); } return r; } @Override public boolean supportsRealm(final String r) { - if(r.endsWith(realm)) { + if (r.endsWith(realm)) { return true; } else { String erealm = extractRealm(r); - for(String sr : supportedRealms) { - if(erealm.startsWith(sr)) { + for (String sr : supportedRealms) { + if (erealm.startsWith(sr)) { return true; } } } return false; } + + @Override + public String supportedDomain(String user) { + if(user!=null) { + int after_at = user.indexOf('@')+1; + if(after_at toList, List ccList, String subject, String body, Boolean urgent) throws OrganizationException { if (mailer!=null) { + String mailFrom = mailer.mailFrom(); List to = new ArrayList<>(); - for(String em : toList) { - if(em.indexOf('@')<0) { + for (String em : toList) { + if (em.indexOf('@')<0) { to.add(new DefaultOrgIdentity(trans, em, this).email()); } else { to.add(em); @@ -597,11 +682,11 @@ public class DefaultOrg implements Organization { } List cc = new ArrayList<>(); - if(ccList!=null) { - if(!ccList.isEmpty()) { + if (ccList!=null) { + if (!ccList.isEmpty()) { - for(String em : ccList) { - if(em.indexOf('@')<0) { + for (String em : ccList) { + if (em.indexOf('@')<0) { cc.add(new DefaultOrgIdentity(trans, em, this).email()); } else { cc.add(em); 
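Review bot: In the `MAY_EXTEND_CRED_EXPIRES` case the identity whose permission is checked is taken from `vars[1]` when present, so the check can be run on behalf of a user other than `trans.user()`; the comment `// If parm, use it, otherwise, trans` does not say who is allowed to supply that value, and I would expand it to `// vars[1] (optional): the user whose "extend" permission is checked; defaults to the requesting user` and describe the `vars` convention in the `validate` Javadoc (the method's signature is outside this hunk). In the `sendEmail` hunk further along this line, `String mailFrom = mailer.mailFrom();` is not referenced by any added line, and the final `mailer.sendEmail(...)` call in the next hunk no longer takes a from-address, so it looks like a leftover of the removed `mailFrom` field and can be dropped unless it is used in the part of the method outside the hunk. The body of `supportedDomain` is garbled in this extract and could not be reviewed.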
@@ -615,9 +700,14 @@ public class DefaultOrg implements Organization { } } - return mailer.sendEmail(trans,dryRun,mailFrom,to,cc,subject,body,urgent); + return mailer.sendEmail(trans,dryRun?"DefaultOrg":null,to,cc,subject,body,urgent)?0:1; } else { return 0; } } + + @Override + public boolean isUserExpireExempt(String user, Date expires) { + return false; + } }
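Review bot: `return mailer.sendEmail(...)?0:1;` maps a successful send to 0 and a failure to 1, while the `else` branch for a missing mailer also returns 0, so callers can no longer tell a delivered mail from one that was silently skipped; if 0 is meant as "nothing to report", a comment such as `// 0 = sent, or no mailer configured; 1 = mailer reported failure` should say so, otherwise the no-mailer branch should return a distinct value. `isUserExpireExempt` is a new public override with no Javadoc; since returning `false` is the deliberate default, `/** The default organization exempts no identity from credential expiry. */` would make that intent explicit.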