X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-service%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fservice%2FAuthzCassServiceImpl.java;h=b57b07088f9eba80de51f7e8233ef4a0e0778d40;hb=b3814beaec2b6f439ffb7af1594e70b5339a9e5f;hp=37ca509ab47a8885dee7a0622cf2df8def06b525;hpb=feab2592f964ff68e04812aeafc807b4ce71048c;p=aaf%2Fauthz.git

diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
index 37ca509a..b57b0708 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
@@ -42,6 +42,7 @@ import java.util.Map;
 import java.util.Set;
 import java.util.TreeMap;
 import java.util.UUID;
+import java.util.concurrent.TimeUnit;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -70,6 +71,7 @@ import org.onap.aaf.auth.dao.hl.Function;
 import org.onap.aaf.auth.dao.hl.Function.FUTURE_OP;
 import org.onap.aaf.auth.dao.hl.Function.Lookup;
 import org.onap.aaf.auth.dao.hl.Function.OP_STATUS;
+import org.onap.aaf.auth.dao.hl.PermLookup;
 import org.onap.aaf.auth.dao.hl.Question;
 import org.onap.aaf.auth.dao.hl.Question.Access;
 import org.onap.aaf.auth.env.AuthzTrans;
@@ -1011,8 +1013,8 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
             return Result.err(Status.ERR_BadData,v.errs());
         }
 
-        Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user, 
-                trans.requested(force));
+        PermLookup pl = PermLookup.get(trans,ques,user);
+        Result<List<PermDAO.Data>> rlpd = pl.getPerms(trans.requested(force));
         if (rlpd.notOK()) {
             return Result.err(rlpd);
         }
@@ -1100,7 +1102,8 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
         }
         
         //////////////
-        Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user,trans.requested(force));
+        PermLookup pl = PermLookup.get(trans,ques,user);
+        Result<List<PermDAO.Data>> rlpd = pl.getPerms(trans.requested(force));
         if (rlpd.notOK()) {
             return Result.err(rlpd);
         }
@@ -2428,16 +2431,28 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                         // Note: ASPR specifies character differences, but we don't actually store the
                         // password to validate char differences.
                         
-//                      byte[] rawCred = rcred.value.type==CredDAO.RAW?null:;
-
-                        rb = ques.userCredCheck(trans, curr, rcred.value.cred.array());
-                        if (rb.notOK()) {
-                            return Result.err(rb);
-                        } else if (rb.value){
-                            return Result.err(Status.ERR_Policy, "Credential content cannot be reused.");
-                        } else if (Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) && curr.type==rcred.value.type) {
-                            return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists, use 'reset'");
-                        }
+//                      byte[] rawCred = rcred.value.type==CredDAO.RAW?null:;                            return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists");
+                    	if(rcred.value.type==CredDAO.FQI ) {
+                    		if(curr.type==CredDAO.FQI) {
+                    	        return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists");
+                    		}
+                    	} else {
+	
+	                        rb = ques.userCredCheck(trans, curr, rcred.value.cred!=null?rcred.value.cred.array():null);
+	                        if (rb.notOK()) {
+	                            return Result.err(rb);
+	                        } else if (rb.value){
+	                            return Result.err(Status.ERR_Policy, "Credential content cannot be reused.");
+	                        } else if(Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) 
+	                        		&& curr.type==rcred.value.type 
+	                        		) {
+	                        	// Allow if expiring differential is greater than 1 day (for TEMP)
+	                        	// Unless expiring in 1 day
+	                        	if(System.currentTimeMillis() - rcred.value.expires.getTime() > TimeUnit.DAYS.toMillis(1)) {
+	                        		return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists");
+	                        	}
+	                        }
+                    	}
                     }    
                 } else {
                     try {
@@ -2493,13 +2508,20 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                     case Status.ACC_Now:
                         try {
                             if (firstID) {
-    //                            && !nsr.value.get(0).isAdmin(trans.getUserPrincipal().getName())) {
-                                Result<List<String>> admins = func.getAdmins(trans, nsr.value.get(0).name, false);
-                                // OK, it's a first ID, and not by NS Admin, so let's set TempPassword length
-                                // Note, we only do this on First time, because of possibility of 
-                                // prematurely expiring a production id
-                                if (admins.isOKhasData() && !admins.value.contains(trans.user())) {
-                                    rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime();
+                                // OK, it's a first ID, and not by NS Owner
+                                if(!ques.isOwner(trans,trans.user(),cdd.ns)) {
+                                	// Admins are not allowed to set first Cred, but Org has already
+                                	// said entity MAY create, typically by Permission
+                                	// We can't know which reason they are allowed here, so we 
+                                	// have to assume that any with Special Permission would not be 
+                                	// an Admin.
+                                	if(ques.isAdmin(trans, trans.user(), cdd.ns)) {
+                                		return Result.err(Result.ERR_Denied, 
+                                			"Only Owners may create first passwords in their Namespace. Admins may modify after one exists" );
+                                	} else {
+                                		// Allow IDs that AREN'T part of NS with Org Onboarding Permission  (see Org object) to create Temp Passwords.
+                                        rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime();
+                                	}
                                 }
                             }
                         } catch (Exception e) {
@@ -2813,7 +2835,7 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
 
             //Need to do the "Pick Entry" mechanism
             // Note, this sorts
-            Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, lcdd, "extend");
+            Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, lcdd, MayChangeCred.EXTEND);
             if (ri.notOK()) {
                 return Result.err(ri);
             }
@@ -2827,8 +2849,11 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
             cd.type = found.type;
             cd.ns = found.ns;
             cd.notes = "Extended";
-            cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime();
             cd.tag = found.tag;
+            cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime();
+            if(cd.expires.before(found.expires)) {
+            	return Result.err(Result.ERR_BadData,String.format("Credential's expiration date is more than %s days in the future",days));
+            }
             
             cred = ques.credDAO().create(trans, cd);
             if (cred.isOK()) {
@@ -2864,58 +2889,88 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
 	    if (rmc.notOK()) {
 	        return Result.err(rmc);
 	    }
-
+	    
+	    boolean doForce = trans.requested(force);
 	    Result<List<CredDAO.Data>> rlcd = ques.credDAO().readID(trans, cred.value.id);
 	    if (rlcd.notOKorIsEmpty()) {
-	        // Empty Creds should have no user_roles.
+	        // Empty Creds should not have user_roles.
 	        Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id);
-	        if (rlurd.isOK()) {
+	        if (rlurd.isOKhasData()) {
 	            for (UserRoleDAO.Data data : rlurd.value) {
 	                ques.userRoleDAO().delete(trans, data, false);
 	            }
-	        }
+        	}
 	        return Result.err(Status.ERR_UserNotFound, "Credential does not exist");
 	    }
 	    boolean isLastCred = rlcd.value.size()==1;
 	    
-	    
-	    int entry = 0;
-	    if (!trans.requested(force)) {
-	        if (rlcd.value.size() > 1) {
-	            CredRequest cr = (CredRequest)from;
-	            String inputOption = cr.getEntry();
-	            if (inputOption == null) {
-	            	List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA);
-	                String message = selectCredFromList(list, MayChangeCred.DELETE);
-	                Object[] variables = buildVariables(list);
-	                return Result.err(Status.ERR_ChoiceNeeded, message, variables);
-	            } else {
-	                try {
-	                    if (inputOption.length()>5) { // should be a date
-	                        Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime();
-	                        entry = 0;
-	                        for (CredDAO.Data cd : rlcd.value) {
-	                            if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) {
-	                                break;
-	                            }
-	                            ++entry;
-	                        }
-	                    } else {
-	                        entry = Integer.parseInt(inputOption) - 1;
-	                    }
-	                } catch (NullPointerException e) {
-	                    return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry");
-	                } catch (NumberFormatException e) {
-	                    return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
-	                }
-	            }
-	            isLastCred = (entry==-1)?true:false;
-	        } else {
-	            isLastCred = true;
-	        }
-	        if (entry < -1 || entry >= rlcd.value.size()) {
+	    int entry;
+	    CredRequest cr = (CredRequest)from;
+	    if(isLastCred) {
+	    	if(cr.getEntry()==null || "1".equals(cr.getEntry())) {
+	    		entry = 0;
+	    	} else {
 	            return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
-	        }
+	    	}
+	    } else {
+		    entry = -1;
+	    	int fentry = entry;
+		    if(cred.value.type==CredDAO.FQI) {
+		    	entry = -1;
+		    	for(CredDAO.Data cdd : rlcd.value) {
+		    		++fentry;
+		    		if(cdd.type == CredDAO.FQI) {
+		    			entry = fentry;
+		    			break; 
+		    		}
+		    	}
+		    } else {
+			    if (!doForce) {
+			        if (rlcd.value.size() > 1) {
+			            String inputOption = cr.getEntry();
+			            if (inputOption == null) {
+			            	List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA);
+			                String message = selectCredFromList(list, MayChangeCred.DELETE);
+			                Object[] variables = buildVariables(list);
+			                return Result.err(Status.ERR_ChoiceNeeded, message, variables);
+			            } else {
+			                try {
+			                    if (inputOption.length()>5) { // should be a date
+			                        Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime();
+			                        for (CredDAO.Data cd : rlcd.value) {
+			                        	++fentry;
+			                            if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) {
+			                            	entry = fentry;
+			                                break;
+			                            }
+			                        }
+			                    } else {
+		                        	entry = Integer.parseInt(inputOption) - 1;
+		                        	int count = 0;
+			                        for (CredDAO.Data cd : rlcd.value) {
+			                        	if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) {
+			                        		++entry;
+			                        	}
+			                        	if(++count>entry) {
+			                        		break;
+			                        	}
+			                        }
+			                    }
+			                } catch (NullPointerException e) {
+			                    return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry");
+			                } catch (NumberFormatException e) {
+			                    return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+			                }
+			            }
+			            isLastCred = (entry==-1)?true:false;
+			        } else {
+			            isLastCred = true;
+			        }
+			        if (entry < -1 || entry >= rlcd.value.size()) {
+			            return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+			        }
+			    }
+		    }
 	    }
 	    
 	    Result<FutureDAO.Data> fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false,
@@ -2943,7 +2998,11 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
 	            Result<?>udr = null;
 	            if (!trans.requested(force)) {
 	                if (entry<0 || entry >= rlcd.value.size()) {
-	                    return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id);
+	                	if(cred.value.type==CredDAO.FQI) {
+	                		return Result.err(Status.ERR_BadData,"FQI does not exist");
+	                	} else {
+	                		return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id);
+	                	}
 	                }
 	                udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false);
 	            } else {
@@ -2987,6 +3046,32 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
 	            Object[] variables = buildVariables(lcd);
 	            return Result.err(Status.ERR_ChoiceNeeded, message, variables);
 	        } else {
+	        	if(MayChangeCred.EXTEND.equals(action)) {
+	        		// might be Tag
+	        		if(inputOption.length()>4) { //Tag is at least 12
+	        			int e = 0;
+	        			CredDAO.Data last = null;
+	        			int lastIdx = -1;
+	        			for(CredDAO.Data cdd : lcd) {
+	        				if(inputOption.equals(cdd.tag)) {
+	        					if(last==null) {
+	        						last = cdd;
+	        						lastIdx = e;
+	        					} else {
+	        						if(last.expires.before(cdd.expires)) {
+	        							last = cdd;
+	        							lastIdx = e;
+	        						}
+	        					}
+	        				}
+	        				++e;
+	        			}
+	        			if(last!=null) {
+	        				return Result.ok(lastIdx);
+	        			}
+	        			return Result.err(Status.ERR_BadData, "User chose unknown Tag");
+	        		}
+	        	}
 	            entry = Integer.parseInt(inputOption) - 1;
 	        }
 	        if (entry < 0 || entry >= lcd.size()) {
@@ -3007,20 +3092,23 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
 	        	}
         	}
         }
+        Collections.sort(rv, (o1,o2) -> {
+        	if(o1.type==o2.type) {
+        		return o1.expires.compareTo(o2.expires);
+        	} else {
+        		return o1.type.compareTo(o2.type);
+        	}
+        });
 		return rv;
 	}
 
 	private String[] buildVariables(List<CredDAO.Data> value) {
-        // ensure credentials are sorted so we can fully automate Cred regression test
-        Collections.sort(value, (cred1, cred2) -> 
-        	cred1.type==cred2.type?cred2.expires.compareTo(cred1.expires):
-        		cred1.type<cred2.type?-1:1);
-        String [] vars = new String[value.size()+1];
-        vars[0]="Choice";
+        String [] vars = new String[value.size()];
         CredDAO.Data cdd;
+        
         for (int i = 0; i < value.size(); i++) {
         	cdd = value.get(i);
-        	vars[i+1] = cdd.id + TWO_SPACE + cdd.type + TWO_SPACE + (cdd.type<10?TWO_SPACE:"")+ cdd.expires + TWO_SPACE + cdd.tag;
+        	vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag;
         }
         return vars;
     }
@@ -3037,12 +3125,15 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
         for (int i = 0; i < numSpaces; i++) {
             errMessage.append(' ');
         }
-        errMessage.append(" Type  Expires                       Tag " + '\n');
+        errMessage.append("  Type  Expires               Tag " + '\n');
         for (int i=0;i<value.size();++i) {
             errMessage.append("    %s\n");
         }
-        errMessage.append("Run same command again with chosen entry as last parameter");
-        
+        if(MayChangeCred.EXTEND.equals(action)) {
+            errMessage.append("Run same command again with chosen entry or Tag as last parameter");
+        } else {
+        	errMessage.append("Run same command again with chosen entry as last parameter");
+        }
         return errMessage.toString();
         
     }