update Agent for Helm
[aaf/authz.git] / auth / auth-certman / src / main / java / org / onap / aaf / auth / cm / service / CMService.java
index 18f062d..26b3a22 100644 (file)
@@ -60,6 +60,7 @@ import org.onap.aaf.auth.org.Organization.Identity;
 import org.onap.aaf.auth.org.OrganizationException;
 import org.onap.aaf.cadi.Hash;
 import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.aaf.AAFPermission;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.configure.Factory;
@@ -88,6 +89,8 @@ public class CMService {
     private final CredDAO credDAO;
     private final ArtiDAO artiDAO;
     private AAF_CM certManager;
+       private Boolean allowIgnoreIPs;
+       private Boolean alwaysIgnoreIPs;
 
     // @SuppressWarnings("unchecked")
     public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
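Review bot: `allowIgnoreIPs` and `alwaysIgnoreIPs` are boxed `Boolean` fields, and in the constructor hunk that follows `allowIgnoreIPs` is only assigned inside the `else` branch, so it stays `null` whenever `CM_ALWAYS_IGNORE_IPS` is true; the `requestCert` hunk happens to test `alwaysIgnoreIPs` first, but any later code that unboxes `allowIgnoreIPs` directly will throw a `NullPointerException`. Declare both as primitives, `private boolean allowIgnoreIPs;` and `private boolean alwaysIgnoreIPs;`, and assign both unconditionally in the constructor so each flag always has a defined value. Because these two settings relax the DNS/IP validation on certificate issuance, a one-line field comment naming the property each mirrors and stating that `always` overrides `allow` would help the next maintainer.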
@@ -108,6 +111,15 @@ public class CMService {
                 "*",
                 "read"
         );
+        alwaysIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALWAYS_IGNORE_IPS, "false"));
+        if(alwaysIgnoreIPs) {
+               trans.env().access().log(Level.INIT, "DNS Evaluation for Cert Creation is turned off with " + Config.CM_ALWAYS_IGNORE_IPS );
+        } else {
+               allowIgnoreIPs = Boolean.valueOf(certman.access.getProperty(Config.CM_ALLOW_IGNORE_IPS, "false"));
+               if(allowIgnoreIPs) {
+                   trans.env().access().log(Level.INIT, "Allowing DNS Evaluation to be turned off with <ns>.certman|<ca name>|"+IGNORE_IPS);
+               }
+        }
     }
 
     public Result<CertResp> requestCert(final AuthzTrans trans, final Result<CertReq> req, final CA ca) {
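Review bot: The added lines mix tab indentation (the two `trans.env().access().log(...)` calls and the `allowIgnoreIPs` assignment) with the four-space indent the rest of the constructor uses, which shows as a visible misalignment; reindent them with spaces. `Boolean.valueOf(...)` followed by an `if` on the boxed value could simply be `alwaysIgnoreIPs = Boolean.parseBoolean(certman.access.getProperty(Config.CM_ALWAYS_IGNORE_IPS, "false"));` into a primitive, and likewise for `CM_ALLOW_IGNORE_IPS`. The constructor this hunk modifies begins outside the hunk.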
@@ -133,7 +145,15 @@ public class CMService {
             try {
                 Organization org = trans.org();
 
-                boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
+                boolean ignoreIPs;
+                if(alwaysIgnoreIPs) {
+                       ignoreIPs=true;
+                } else if(allowIgnoreIPs) {
+                       ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
+                } else {
+                       ignoreIPs = false;
+                }
+                
 
                 InetAddress primary = null;
                 // Organize incoming information to get to appropriate Artifact
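Review bot: The three-way `if`/`else if`/`else` computing `ignoreIPs` can be a single expression with the same short-circuit order, `boolean ignoreIPs = alwaysIgnoreIPs || (allowIgnoreIPs && trans.fish(new AAFPermission(mechNS, CERTMAN, ca.getName(), IGNORE_IPS)));`, which also removes the tab-indented lines and the trailing-whitespace blank line after them. When the result is true the per-request DNS/IP validation further down is skipped entirely, yet nothing is recorded on the transaction at that point; a per-request log entry saying the check was bypassed and by which route (global property versus the `IGNORE_IPS` permission) would make bypassed issuances visible in the logs. `requestCert` starts and ends outside this hunk.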
@@ -164,8 +184,8 @@ public class CMService {
                         }
 
                     } else {
-                        for (String cn : req.value.fqdns) {
-                            if (!ignoreIPs) {
+                        if (!ignoreIPs) {
+                               for (String cn : req.value.fqdns) {
                                 try {
                                     InetAddress[] ias = InetAddress.getAllByName(cn);
                                     Set<String> potentialSanNames = new HashSet<>();
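Review bot: The new `if (!ignoreIPs)` wraps the whole fqdn loop, so when the flag is set the names in `req.value.fqdns` reach the CSR (the later `createCSRMeta(ca, req.value.mechid, email, fqdns)` call) without the DNS resolution this loop performs; that is the intent, but it deserves a comment at the `if`, e.g. `// ignoreIPs: skip DNS/IP validation; requester-supplied fqdns are used as-is (gated by CM_ALWAYS_IGNORE_IPS or the IGNORE_IPS permission)`. The relocated `for` line appears to be tab-indented while its body keeps the original space indent, so the body no longer sits one level inside the `for`; reindent it. The loop and the enclosing `else` close outside this hunk, so the brace rebalancing cannot be checked here.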
@@ -193,7 +213,8 @@ public class CMService {
                 } else if (primary == null) {
                     return Result.err(Result.ERR_Denied, "Request not made from matching IP (%s)", trans.ip());
                 } else {
-                    host = primary.getHostAddress();
+                    String thost = primary.getHostName();
+                    host = thost==null?primary.getHostAddress():thost;
                 }
 
                 ArtiDAO.Data add = null;
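Review bot: `InetAddress.getHostName()` never returns `null` (when the reverse lookup fails it returns the textual IP address), so `thost==null` is never true and `host = thost==null?primary.getHostAddress():thost;` always yields `thost`; either write `host = primary.getHostName();` or keep the address if that was wanted. Note that this call performs a reverse DNS lookup whose answer is whatever PTR record the owner of that address publishes, so `host` becomes an externally influenced value rather than the observed source address; if it feeds the artifact lookup or the issued certificate (not visible here), a comment should say so. The surrounding `if`/`else if` chain and the later use of `host` lie outside this hunk.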
@@ -273,11 +294,11 @@ public class CMService {
                 // Make sure Primary is the first in fqdns
                 if (fqdns.size() > 1) {
                     for (int i = 0; i < fqdns.size(); ++i) {
-                        if (primary==null) {
+                        if (primary==null && !ignoreIPs) {
                             trans.error().log("CMService var primary is null");
                         } else {
                             String fg = fqdns.get(i);
-                            if (fg!=null && fg.equals(primary.getHostName())) {
+                            if (fg!=null && primary!=null && fg.equals(primary.getHostName())) {
                                 if (i != 0) {
                                     String tmp = fqdns.get(0);
                                     fqdns.set(0, primary.getHostName());
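Review bot: With the new guard, when `primary` is `null` and `ignoreIPs` is true the loop body does nothing on every iteration and the "primary first" reordering is silently skipped, while the `!ignoreIPs` case logs the same error once per element; testing `primary` once before the `for` makes the skip explicit, logs once, and removes the duplicated `primary!=null` check. It also lets `primary.getHostName()` (a reverse lookup) be computed once instead of twice per matching element. The `for` and its enclosing `if (fqdns.size() > 1)` close outside this hunk.
```java
if (fqdns.size() > 1) {
    if (primary == null) {
        if (!ignoreIPs) {
            trans.error().log("CMService var primary is null");
        }
    } else {
        String primaryHost = primary.getHostName();
        for (int i = 0; i < fqdns.size(); ++i) {
            String fg = fqdns.get(i);
            if (fg != null && fg.equals(primaryHost)) {
                if (i != 0) {
                    String tmp = fqdns.get(0);
                    fqdns.set(0, primaryHost);
                    // … unchanged: rest of the swap …
```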
@@ -288,7 +309,7 @@ public class CMService {
                     }
                 }
             } catch (Exception e) {
-                trans.debug().log(e);
+                trans.error().log(e);
                 return Result.err(Status.ERR_Denied,
                         "AppID Sponsorship cannot be determined at this time.  Try later.");
             }
@@ -296,6 +317,7 @@ public class CMService {
             CSRMeta csrMeta;
             try {
                 csrMeta = BCFactory.createCSRMeta(ca, req.value.mechid, email, fqdns);
+                csrMeta.environment(ca.getEnv());
                 X509andChain x509ac = ca.sign(trans, csrMeta);
                 if (x509ac == null) {
                     return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");
@@ -460,7 +482,6 @@ public class CMService {
                 // Policy 6: Only do Domain by Exception
                 if (add.machine.startsWith("*")) { // Domain set
                     CA ca = certManager.getCA(add.ca);
-
                     if (!trans.fish(new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN))) {
                         return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission",
                                 add.machine);