X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-service%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fservice%2FAuthzCassServiceImpl.java;h=d102b04562de9064bf62b1a25c5e3a3b1bf9d0f5;hb=1c887acbb462552aa6478e72c1bf3cf0f145e74d;hp=9a6ef7e322e05e346b8c48e2dade104e34fc223a;hpb=d0d6604a0371457d84eceb56d9fff668e865253f;p=aaf%2Fauthz.git

diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
index 9a6ef7e3..d102b045 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
@@ -42,6 +42,7 @@ import java.util.Map;
 import java.util.Set;
 import java.util.TreeMap;
 import java.util.UUID;
+import java.util.concurrent.TimeUnit;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -2442,8 +2443,14 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
 	                            return Result.err(rb);
 	                        } else if (rb.value){
 	                            return Result.err(Status.ERR_Policy, "Credential content cannot be reused.");
-	                        } else if ((Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) && curr.type==rcred.value.type)) {
-	                            return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists");
+	                        } else if(Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) 
+	                        		&& curr.type==rcred.value.type 
+	                        		) {
+	                        	// Allow if expiring differential is greater than 1 day (for TEMP)
+	                        	// Unless expiring in 1 day
+	                        	if(System.currentTimeMillis() - rcred.value.expires.getTime() > TimeUnit.DAYS.toMillis(1)) {
+	                        		return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists");
+	                        	}
 	                        }
                     	}
                     }    
@@ -2501,13 +2508,20 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                     case Status.ACC_Now:
                         try {
                             if (firstID) {
-    //                            && !nsr.value.get(0).isAdmin(trans.getUserPrincipal().getName())) {
-                                Result<List<String>> admins = func.getAdmins(trans, nsr.value.get(0).name, false);
-                                // OK, it's a first ID, and not by NS Admin, so let's set TempPassword length
-                                // Note, we only do this on First time, because of possibility of 
-                                // prematurely expiring a production id
-                                if (admins.isOKhasData() && !admins.value.contains(trans.user())) {
-                                    rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime();
+                                // OK, it's a first ID, and not by NS Owner
+                                if(!ques.isOwner(trans,trans.user(),cdd.ns)) {
+                                	// Admins are not allowed to set first Cred, but Org has already
+                                	// said entity MAY create, typically by Permission
+                                	// We can't know which reason they are allowed here, so we 
+                                	// have to assume that any with Special Permission would not be 
+                                	// an Admin.
+                                	if(ques.isAdmin(trans, trans.user(), cdd.ns)) {
+                                		return Result.err(Result.ERR_Denied, 
+                                			"Only Owners may create first passwords in their Namespace. Admins may modify after one exists" );
+                                	} else {
+                                		// Allow IDs that AREN'T part of NS with Org Onboarding Permission  (see Org object) to create Temp Passwords.
+                                        rcred.value.expires = org.expiration(null, Expiration.TempPassword).getTime();
+                                	}
                                 }
                             }
                         } catch (Exception e) {
@@ -2821,7 +2835,7 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
 
             //Need to do the "Pick Entry" mechanism
             // Note, this sorts
-            Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, lcdd, "extend");
+            Result<Integer> ri = selectEntryIfMultiple((CredRequest)from, lcdd, MayChangeCred.EXTEND);
             if (ri.notOK()) {
                 return Result.err(ri);
             }
@@ -2835,8 +2849,11 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
             cd.type = found.type;
             cd.ns = found.ns;
             cd.notes = "Extended";
-            cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime();
             cd.tag = found.tag;
+            cd.expires = org.expiration(null, Expiration.ExtendPassword,days).getTime();
+            if(cd.expires.before(found.expires)) {
+            	return Result.err(Result.ERR_BadData,String.format("Credential's expiration date is more than %s days in the future",days));
+            }
             
             cred = ques.credDAO().create(trans, cd);
             if (cred.isOK()) {
@@ -2887,63 +2904,72 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
 	    }
 	    boolean isLastCred = rlcd.value.size()==1;
 	    
-	    int entry = -1;
-    	int fentry = entry;
-	    if(cred.value.type==CredDAO.FQI) {
-	    	entry = -1;
-	    	for(CredDAO.Data cdd : rlcd.value) {
-	    		++fentry;
-	    		if(cdd.type == CredDAO.FQI) {
-	    			entry = fentry;
-	    			break; 
-	    		}
+	    int entry;
+	    CredRequest cr = (CredRequest)from;
+	    if(isLastCred) {
+	    	if(cr.getEntry()==null || "1".equals(cr.getEntry())) {
+	    		entry = 0;
+	    	} else {
+	            return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
 	    	}
 	    } else {
-		    if (!doForce) {
-		        if (rlcd.value.size() > 1) {
-		            CredRequest cr = (CredRequest)from;
-		            String inputOption = cr.getEntry();
-		            if (inputOption == null) {
-		            	List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA);
-		                String message = selectCredFromList(list, MayChangeCred.DELETE);
-		                Object[] variables = buildVariables(list);
-		                return Result.err(Status.ERR_ChoiceNeeded, message, variables);
-		            } else {
-		                try {
-		                    if (inputOption.length()>5) { // should be a date
-		                        Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime();
-		                        for (CredDAO.Data cd : rlcd.value) {
-		                        	++fentry;
-		                            if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) {
-		                            	entry = fentry;
-		                                break;
-		                            }
-		                        }
-		                    } else {
-	                        	entry = Integer.parseInt(inputOption) - 1;
-	                        	int count = 0;
-		                        for (CredDAO.Data cd : rlcd.value) {
-		                        	if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) {
-		                        		++entry;
-		                        	}
-		                        	if(++count>entry) {
-		                        		break;
-		                        	}
-		                        }
-		                    }
-		                } catch (NullPointerException e) {
-		                    return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry");
-		                } catch (NumberFormatException e) {
-		                    return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
-		                }
-		            }
-		            isLastCred = (entry==-1)?true:false;
-		        } else {
-		            isLastCred = true;
-		        }
-		        if (entry < -1 || entry >= rlcd.value.size()) {
-		            return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
-		        }
+		    entry = -1;
+	    	int fentry = entry;
+		    if(cred.value.type==CredDAO.FQI) {
+		    	entry = -1;
+		    	for(CredDAO.Data cdd : rlcd.value) {
+		    		++fentry;
+		    		if(cdd.type == CredDAO.FQI) {
+		    			entry = fentry;
+		    			break; 
+		    		}
+		    	}
+		    } else {
+			    if (!doForce) {
+			        if (rlcd.value.size() > 1) {
+			            String inputOption = cr.getEntry();
+			            if (inputOption == null) {
+			            	List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA);
+			                String message = selectCredFromList(list, MayChangeCred.DELETE);
+			                Object[] variables = buildVariables(list);
+			                return Result.err(Status.ERR_ChoiceNeeded, message, variables);
+			            } else {
+			                try {
+			                    if (inputOption.length()>5) { // should be a date
+			                        Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime();
+			                        for (CredDAO.Data cd : rlcd.value) {
+			                        	++fentry;
+			                            if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) {
+			                            	entry = fentry;
+			                                break;
+			                            }
+			                        }
+			                    } else {
+		                        	entry = Integer.parseInt(inputOption) - 1;
+		                        	int count = 0;
+			                        for (CredDAO.Data cd : rlcd.value) {
+			                        	if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) {
+			                        		++entry;
+			                        	}
+			                        	if(++count>entry) {
+			                        		break;
+			                        	}
+			                        }
+			                    }
+			                } catch (NullPointerException e) {
+			                    return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry");
+			                } catch (NumberFormatException e) {
+			                    return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+			                }
+			            }
+			            isLastCred = (entry==-1);
+			        } else {
+			            isLastCred = true;
+			        }
+			        if (entry < -1 || entry >= rlcd.value.size()) {
+			            return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+			        }
+			    }
 		    }
 	    }
 	    
@@ -3020,6 +3046,32 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
 	            Object[] variables = buildVariables(lcd);
 	            return Result.err(Status.ERR_ChoiceNeeded, message, variables);
 	        } else {
+	        	if(MayChangeCred.EXTEND.equals(action)) {
+	        		// might be Tag
+	        		if(inputOption.length()>4) { //Tag is at least 12
+	        			int e = 0;
+	        			CredDAO.Data last = null;
+	        			int lastIdx = -1;
+	        			for(CredDAO.Data cdd : lcd) {
+	        				if(inputOption.equals(cdd.tag)) {
+	        					if(last==null) {
+	        						last = cdd;
+	        						lastIdx = e;
+	        					} else {
+	        						if(last.expires.before(cdd.expires)) {
+	        							last = cdd;
+	        							lastIdx = e;
+	        						}
+	        					}
+	        				}
+	        				++e;
+	        			}
+	        			if(last!=null) {
+	        				return Result.ok(lastIdx);
+	        			}
+	        			return Result.err(Status.ERR_BadData, "User chose unknown Tag");
+	        		}
+	        	}
 	            entry = Integer.parseInt(inputOption) - 1;
 	        }
 	        if (entry < 0 || entry >= lcd.size()) {
@@ -3040,20 +3092,23 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
 	        	}
         	}
         }
+        Collections.sort(rv, (o1,o2) -> {
+        	if(o1.type==o2.type) {
+        		return o1.expires.compareTo(o2.expires);
+        	} else {
+        		return o1.type.compareTo(o2.type);
+        	}
+        });
 		return rv;
 	}
 
 	private String[] buildVariables(List<CredDAO.Data> value) {
-        // ensure credentials are sorted so we can fully automate Cred regression test
-        Collections.sort(value, (cred1, cred2) -> 
-        	cred1.type==cred2.type?cred2.expires.compareTo(cred1.expires):
-        		cred1.type<cred2.type?-1:1);
         String [] vars = new String[value.size()];
         CredDAO.Data cdd;
         
         for (int i = 0; i < value.size(); i++) {
         	cdd = value.get(i);
-        	vars[i] = cdd.id + TWO_SPACE + cdd.type + TWO_SPACE + (cdd.type<10?TWO_SPACE:"")+ cdd.expires + TWO_SPACE + cdd.tag;
+        	vars[i] = cdd.id + TWO_SPACE + Define.getCredType(cdd.type) + TWO_SPACE + Chrono.niceUTCStamp(cdd.expires) + TWO_SPACE + cdd.tag;
         }
         return vars;
     }
@@ -3070,12 +3125,15 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
         for (int i = 0; i < numSpaces; i++) {
             errMessage.append(' ');
         }
-        errMessage.append(" Type  Expires                       Tag " + '\n');
+        errMessage.append("  Type  Expires               Tag " + '\n');
         for (int i=0;i<value.size();++i) {
             errMessage.append("    %s\n");
         }
-        errMessage.append("Run same command again with chosen entry as last parameter");
-        
+        if(MayChangeCred.EXTEND.equals(action)) {
+            errMessage.append("Run same command again with chosen entry or Tag as last parameter");
+        } else {
+        	errMessage.append("Run same command again with chosen entry as last parameter");
+        }
         return errMessage.toString();
         
     }