2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.auth.reports;
25 import java.io.FileNotFoundException;
26 import java.io.IOException;
27 import java.security.cert.Certificate;
28 import java.security.cert.CertificateException;
29 import java.security.cert.X509Certificate;
30 import java.util.Date;
31 import java.util.HashMap;
32 import java.util.HashSet;
33 import java.util.List;
36 import java.util.TreeMap;
38 import org.onap.aaf.auth.Batch;
39 import org.onap.aaf.auth.dao.cass.CredDAO;
40 import org.onap.aaf.auth.env.AuthzTrans;
41 import org.onap.aaf.auth.helpers.Cred;
42 import org.onap.aaf.auth.helpers.Cred.Instance;
43 import org.onap.aaf.auth.helpers.UserRole;
44 import org.onap.aaf.auth.helpers.Visitor;
45 import org.onap.aaf.auth.helpers.X509;
46 import org.onap.aaf.auth.org.ExpireRange;
47 import org.onap.aaf.auth.org.ExpireRange.Range;
48 import org.onap.aaf.auth.org.OrganizationException;
49 import org.onap.aaf.cadi.configure.Factory;
50 import org.onap.aaf.cadi.util.CSV;
51 import org.onap.aaf.misc.env.APIException;
52 import org.onap.aaf.misc.env.Env;
53 import org.onap.aaf.misc.env.TimeTaken;
54 import org.onap.aaf.misc.env.util.Chrono;
57 public class Expiring extends Batch {
59 private static final String CSV = ".csv";
60 private static final String INFO = "info";
61 private static final String EXPIRED_OWNERS = "ExpiredOwners";
62 private int minOwners;
63 private Map<String, CSV.Writer> writerList;
65 private ExpireRange expireRange;
66 private Date deleteDate;
68 public Expiring(AuthzTrans trans) throws APIException, IOException, OrganizationException {
70 trans.info().log("Starting Connection Process");
72 TimeTaken tt0 = trans.start("Cassandra Initialization", Env.SUB);
74 TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE);
76 session = cluster.connect();
81 // Load Cred. We don't follow Visitor, because we have to gather up everything into Identity Anyway
82 Cred.load(trans, session);
83 UserRole.load(trans, session, UserRole.v2_0_11, new UserRole.DataLoadVisitor());
87 // Create Intermediate Output
88 writerList = new HashMap<>();
89 logDir = new File(logDir());
92 expireRange = new ExpireRange(trans.env().access());
93 String sdate = Chrono.dateOnlyStamp(expireRange.now);
94 for( List<Range> lr : expireRange.ranges.values()) {
96 if(writerList.get(r.name())==null) {
97 File file = new File(logDir,r.name() + sdate +CSV);
98 CSV csv = new CSV(file);
99 CSV.Writer cw = csv.writer(false);
100 cw.row(INFO,r.name(),Chrono.dateOnlyStamp(expireRange.now),r.reportingLevel());
101 writerList.put(r.name(),cw);
102 if("Delete".equals(r.name())) {
103 deleteDate = r.getStart();
115 protected void run(AuthzTrans trans) {
117 File file = new File(logDir, EXPIRED_OWNERS + Chrono.dateOnlyStamp(expireRange.now) + CSV);
118 final CSV ownerCSV = new CSV(file);
120 Map<String, Set<UserRole>> owners = new TreeMap<String, Set<UserRole>>();
121 trans.info().log("Process UserRoles");
122 UserRole.load(trans, session, UserRole.v2_0_11, new Visitor<UserRole>() {
124 public void visit(UserRole ur) {
125 // Cannot just delete owners, unless there is at least one left. Process later
126 if ("owner".equals(ur.rname())) {
127 Set<UserRole> urs = owners.get(ur.role());
129 urs = new HashSet<UserRole>();
130 owners.put(ur.role(), urs);
134 writeAnalysis(trans,ur);
139 // Now Process Owners, one owner Role at a time, ensuring one is left,
141 // a good one. If so, process the others as normal. Otherwise, write
144 if (!owners.values().isEmpty()) {
146 CSV.Writer expOwner = null;
148 for (Set<UserRole> sur : owners.values()) {
150 for (UserRole ur : sur) {
151 if (ur.expires().after(expireRange.now)) {
156 for (UserRole ur : sur) {
157 if (goodOwners >= minOwners) {
158 writeAnalysis(trans, ur);
160 if (expOwner == null) {
161 expOwner = ownerCSV.writer();
162 expOwner.row(INFO,EXPIRED_OWNERS,Chrono.dateOnlyStamp(expireRange.now),2);
164 expOwner.row("owner",ur.role(), ur.user(), Chrono.dateOnlyStamp(ur.expires()));
173 trans.info().log("Checking for Expired Credentials");
175 for (Cred cred : Cred.data.values()) {
176 List<Instance> linst = cred.instances;
178 Instance lastBath = null;
179 for(Instance inst : linst) {
180 // Special Behavior: only eval the LAST Instance
181 if (inst.type == CredDAO.BASIC_AUTH || inst.type == CredDAO.BASIC_AUTH_SHA256) {
182 if(deleteDate!=null && inst.expires.before(deleteDate)) {
183 writeAnalysis(trans, cred, inst); // will go to Delete
184 } else if(lastBath==null || lastBath.expires.before(inst.expires)) {
188 writeAnalysis(trans, cred, inst);
192 writeAnalysis(trans, cred, lastBath);
197 trans.info().log("Checking for Expired X509s");
198 X509.load(trans, session, new Visitor<X509>() {
200 public void visit(X509 x509) {
202 for(Certificate cert : Factory.toX509Certificate(x509.x509)) {
203 writeAnalysis(trans, x509, (X509Certificate)cert);
205 } catch (CertificateException | IOException e) {
206 trans.error().log(e, "Error Decrypting X509");
211 } catch (FileNotFoundException e) {
217 private void writeAnalysis(AuthzTrans trans, UserRole ur) {
218 Range r = expireRange.getRange("ur", ur.expires());
220 CSV.Writer cw = writerList.get(r.name());
227 private void writeAnalysis(AuthzTrans trans, Cred cred, Instance inst) {
228 if(cred!=null && inst!=null) {
229 Range r = expireRange.getRange("cred", inst.expires);
231 CSV.Writer cw = writerList.get(r.name());
239 private void writeAnalysis(AuthzTrans trans, X509 x509, X509Certificate x509Cert) throws IOException {
240 Range r = expireRange.getRange("x509", x509Cert.getNotAfter());
242 CSV.Writer cw = writerList.get(r.name());
244 x509.row(cw,x509Cert);
250 private String[] contacts(final AuthzTrans trans, final String ns, final int levels) {
251 List<UserRole> owners = UserRole.getByRole().get(ns+".owner");
252 List<UserRole> current = new ArrayList<>();
253 for(UserRole ur : owners) {
254 if(expireRange.now.before(ur.expires())) {
258 if(current.isEmpty()) {
259 trans.warn().log(ns,"has no current owners");
263 List<String> email = new ArrayList<>();
264 for(UserRole ur : current) {
269 id = org.getIdentity(trans, ur.user());
272 email.add(id.email());
274 id = id.responsibleTo();
282 } catch (OrganizationException e) {
283 trans.error().log(e);
287 return email.toArray(new String[email.size()]);
292 protected void _close(AuthzTrans trans) {
294 for(CSV.Writer cw : writerList.values()) {
Code Review / aaf / authz.git / blob