2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.auth.reports;
25 import java.io.FileNotFoundException;
26 import java.io.IOException;
27 import java.security.cert.Certificate;
28 import java.security.cert.CertificateException;
29 import java.security.cert.X509Certificate;
30 import java.util.ArrayList;
31 import java.util.Date;
32 import java.util.GregorianCalendar;
33 import java.util.HashSet;
34 import java.util.List;
37 import java.util.TreeMap;
39 import org.onap.aaf.auth.Batch;
40 import org.onap.aaf.auth.dao.cass.CredDAO;
41 import org.onap.aaf.auth.env.AuthzTrans;
42 import org.onap.aaf.auth.helpers.Cred;
43 import org.onap.aaf.auth.helpers.Cred.Instance;
44 import org.onap.aaf.auth.helpers.UserRole;
45 import org.onap.aaf.auth.helpers.Visitor;
46 import org.onap.aaf.auth.helpers.X509;
47 import org.onap.aaf.auth.org.OrganizationException;
48 import org.onap.aaf.cadi.configure.Factory;
49 import org.onap.aaf.cadi.util.CSV;
50 import org.onap.aaf.cadi.util.CSV.Writer;
51 import org.onap.aaf.misc.env.APIException;
52 import org.onap.aaf.misc.env.Env;
53 import org.onap.aaf.misc.env.TimeTaken;
54 import org.onap.aaf.misc.env.util.Chrono;
57 public class Expiring extends Batch {
// Minimum number of still-valid owners a role must keep before its remaining
// owners are written to the "AllOwnersExpired" report (compared against
// goodOwners in run()). Where this value is assigned is not in this listing.
59 private int minOwners;
// Every CSV writer opened by the constructor, so _close() can close them all.
60 private ArrayList<Writer> writerList;
// Reporting thresholds, all derived from `now` in the constructor, each paired
// with the CSV writer that receives rows falling into that window.
// NOTE(review): the writer name "twoWeeksPastCSV" backs the file named "Expired";
// rows that expired after twoWeeksPast but before now are not matched by any
// visible branch — confirm against the omitted lines whether that is intended.
63 private Date twoWeeksPast;
64 private Writer twoWeeksPastCSV;
65 private Date twoWeeksAway;
66 private Writer twoWeeksAwayCSV;
67 private Date oneMonthAway;
68 private Writer oneMonthAwayCSV;
69 private Date twoMonthsAway;
70 private Writer twoMonthsAwayCSV;
/**
 * Connects to the Cassandra cluster, loads all credentials into memory, and
 * opens the four expiry-window CSV reports under the batch log directory.
 * <p>
 * {@code session}, {@code cluster}, {@code logDir}, {@code logDir()} and
 * {@code now} are not declared in this file; presumably they come from
 * {@link Batch} — confirm against the superclass. Several lines of this
 * constructor (including its closing brace) are omitted from this listing.
 *
 * @param trans the transaction used for logging and timing
 * @throws APIException          propagated from connection/load steps
 * @throws IOException           if a report file cannot be opened
 * @throws OrganizationException propagated from organization lookups
 */
72 public Expiring(AuthzTrans trans) throws APIException, IOException, OrganizationException {
74 trans.info().log("Starting Connection Process");
76 TimeTaken tt0 = trans.start("Cassandra Initialization", Env.SUB);
78 TimeTaken tt = trans.start("Connect to Cluster", Env.REMOTE);
80 session = cluster.connect();
85 // Load Cred. We don't follow Visitor, because we have to gather up everything into Identity Anyway
86 Cred.load(trans, session);
90 // Create Intermediate Output
91 writerList = new ArrayList<CSV.Writer>();
// NOTE(review): these CSVs hold identity and credential-expiry inventory;
// the permissions of logDir are set outside this block — confirm they are
// restricted to the batch operator.
92 logDir = new File(logDir());
// The same calendar is advanced cumulatively, so each threshold is relative
// to the previous one: now-2w, then +4w = now+2w, then -2w+1mo = now+1mo,
// then +1mo = now+2mo. The calendar's starting point is an omitted line;
// it is assumed to be `now`.
95 GregorianCalendar gc = new GregorianCalendar();
97 gc.add(GregorianCalendar.WEEK_OF_MONTH, -2);
98 twoWeeksPast = gc.getTime();
// Report of items that expired more than two weeks ago.
99 File file = new File(logDir,"Expired"+Chrono.dateOnlyStamp(now)+".csv");
100 twoWeeksPastCSV = new CSV(file).writer();
101 writerList.add(twoWeeksPastCSV);
103 gc.add(GregorianCalendar.WEEK_OF_MONTH, 2+2);
104 twoWeeksAway = gc.getTime();
105 file = new File(logDir,"TwoWeeksAway"+Chrono.dateOnlyStamp(now)+".csv");
106 twoWeeksAwayCSV = new CSV(file).writer();
107 writerList.add(twoWeeksAwayCSV);
109 gc.add(GregorianCalendar.WEEK_OF_MONTH, -2);
110 gc.add(GregorianCalendar.MONTH, 1);
111 oneMonthAway = gc.getTime();
112 file = new File(logDir,"OneMonthAway"+Chrono.dateOnlyStamp(now)+".csv");
113 oneMonthAwayCSV = new CSV(file).writer();
114 writerList.add(oneMonthAwayCSV);
116 gc.add(GregorianCalendar.MONTH, 1);
117 twoMonthsAway = gc.getTime();
118 file = new File(logDir,"TwoMonthsAway"+Chrono.dateOnlyStamp(now)+".csv");
119 twoMonthsAwayCSV = new CSV(file).writer();
120 writerList.add(twoMonthsAwayCSV);
/**
 * Produces the expiry reports: role owners whose role would drop below
 * {@code minOwners} valid owners, expiring credentials, and expiring X509s.
 * <p>
 * Many lines of this method are omitted from this listing (loop bodies,
 * else-branches, closing braces and the catch body), so the exact control
 * flow between the visible lines cannot be confirmed here.
 *
 * @param trans the transaction used for logging
 */
127 protected void run(AuthzTrans trans) {
// Owner report is opened lazily (see expOwner below) so no file is created
// when every role still has enough valid owners.
129 File file = new File(logDir, "AllOwnersExpired" + Chrono.dateOnlyStamp(now) + ".csv");
130 final CSV ownerCSV = new CSV(file);
// role name -> all "owner" UserRoles for that role (TreeMap keeps roles sorted).
132 Map<String, Set<UserRole>> owners = new TreeMap<String, Set<UserRole>>();
133 trans.info().log("Process UserRoles");
134 UserRole.load(trans, session, UserRole.v2_0_11, new Visitor<UserRole>() {
136 public void visit(UserRole ur) {
137 // Cannot just delete owners, unless there is at least one left. Process later
138 if ("owner".equals(ur.rname())) {
139 Set<UserRole> urs = owners.get(ur.role());
// The null check guarding this allocation is on an omitted line.
141 urs = new HashSet<UserRole>();
142 owners.put(ur.role(), urs);
151 // Now Process Owners, one owner Role at a time, ensuring one is left,
153 // a good one. If so, process the others as normal. Otherwise, write
156 if (!owners.values().isEmpty()) {
158 CSV.Writer expOwner = null;
160 for (Set<UserRole> sur : owners.values()) {
// First pass: count owners whose expiry is still in the future
// (the counter increment is on an omitted line).
162 for (UserRole ur : sur) {
163 if (ur.expires().after(now)) {
// Second pass: only when enough valid owners remain are the others
// written to the owner report. The condition selecting which owners
// reach the row() call is on an omitted line.
168 for (UserRole ur : sur) {
169 if (goodOwners >= minOwners) {
172 if (expOwner == null) {
173 expOwner = ownerCSV.writer();
175 expOwner.row(ur.role(), ur.user(), ur.expires());
184 trans.info().log("Checking for Expired Credentials");
185 for (Cred cred : Cred.data.values()) {
186 List<Instance> linst = cred.instances;
// lastBath tracks the latest-expiring BasicAuth instance of this Cred so
// only one BasicAuth row is reported per credential (assignment omitted).
188 Instance lastBath = null;
189 for(Instance inst : linst) {
// NOTE(review): an instance whose expiry lies between twoWeeksPast and now
// matches neither visible branch; confirm whether the omitted lines handle it.
190 if(inst.expires.before(twoWeeksPast)) {
191 cred.row(twoWeeksPastCSV,inst);
192 } else if(inst.expires.after(now)){
193 if (inst.type == CredDAO.BASIC_AUTH || inst.type == CredDAO.BASIC_AUTH_SHA256) {
194 if(lastBath==null || lastBath.expires.before(inst.expires)) {
197 } else if(inst.type==CredDAO.CERT_SHA256_RSA) {
198 writeAnalysis(cred, inst);
// Presumably guarded by a lastBath != null check on an omitted line — verify.
202 writeAnalysis(cred, lastBath);
206 trans.info().log("Checking for Expired X509s");
207 X509.load(trans, session, new Visitor<X509>() {
209 public void visit(X509 x509) {
// Each certificate decoded from the stored blob is analysed individually.
211 for(Certificate cert : Factory.toX509Certificate(x509.x509)) {
212 writeAnalysis(x509, (X509Certificate)cert);
// NOTE(review): the caught types are decode/IO failures, so "Decrypting"
// in the message is misleading; a decode failure here means this X509
// entry silently gets no report row.
214 } catch (CertificateException | IOException e) {
215 trans.error().log(e, "Error Decrypting X509");
// Catch body omitted from this listing.
220 } catch (FileNotFoundException e) {
/**
 * Routes a UserRole to the report matching its expiry window.
 * <p>
 * The lines between the checks (else/closing braces) are omitted from this
 * listing, so whether the later windows are exclusive of the earlier ones
 * cannot be confirmed here. A UserRole that expired after
 * {@code twoWeeksPast} but before {@code now} matches no visible branch.
 *
 * @param ur the user-role whose {@code expires()} is classified
 */
226 protected void writeAnalysis(UserRole ur) {
227 if(ur.expires().before(twoWeeksPast)) {
228 ur.row(twoWeeksPastCSV);
230 if(ur.expires().after(now) && ur.expires().before(twoWeeksAway)) {
231 ur.row(twoWeeksAwayCSV);
233 if(ur.expires().before(oneMonthAway)) {
234 ur.row(oneMonthAwayCSV);
236 if(ur.expires().before(twoMonthsAway)) {
237 ur.row(twoMonthsAwayCSV);
/**
 * Routes a credential instance to the report matching its expiry window.
 * Unlike the UserRole variant, the "already expired" case is not checked
 * here; the caller in run() handles {@code twoWeeksPast} before calling.
 * <p>
 * The lines between the checks are omitted from this listing, so whether
 * the windows are else-chained cannot be confirmed here.
 *
 * @param cred the credential that owns {@code inst}
 * @param inst the instance whose {@code expires} is classified
 */
244 protected void writeAnalysis(Cred cred, Instance inst) {
246 if(inst.expires.after(now) && inst.expires.before(twoWeeksAway)) {
247 cred.row(twoWeeksAwayCSV, inst);
249 if(inst.expires.before(oneMonthAway)) {
250 cred.row(oneMonthAwayCSV, inst);
252 if(inst.expires.before(twoMonthsAway)) {
253 cred.row(twoMonthsAwayCSV, inst);
/**
 * Reports an X509 certificate whose {@code notAfter} is more than two weeks
 * in the past. The remainder of this method (any not-yet-expired windows)
 * is omitted from this listing.
 *
 * @param x509     the stored X509 record the certificate was decoded from
 * @param x509Cert the decoded certificate whose validity end is checked
 * @throws IOException presumably from writing the row — verify against X509.row
 */
260 protected void writeAnalysis(X509 x509, X509Certificate x509Cert) throws IOException {
262 if(twoWeeksPast.after(x509Cert.getNotAfter())) {
263 x509.row(twoWeeksPastCSV,x509Cert);
269 protected void _close(AuthzTrans trans) {
271 for(CSV.Writer cw : writerList) {