--- /dev/null
+#!/bin/bash
+CQLSH=/Volumes/Data/apache-cassandra-2.1.14/bin/cqlsh
+DIR=.
+for T in ns perm role user_role cred config; do
+ $CQLSH -e "COPY authz.$T TO '$DIR/$T.dat' WITH DELIMITER='|'"
+done
--- /dev/null
+aaf|aaf_env|DEV\r
+aaf|aaf_locate_url|https://meriadoc.mithril.sbc.com:8095\r
+aaf|cadi_x509_issuers|CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US\r
+aaf|aaf_oauth2_introspect_url|https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect\r
+aaf|aaf_oauth2_token_url|https://AAF_LOCATE_URL/AAF_NS.token:2.1/token\r
+aaf|aaf_url|https://AAF_LOCATE_URL/AAF_NS.service:2.1\r
+aaf|cadi_protocols|TLSv1.1,TLSv1.2\r
+aaf|cm_url|https://AAF_LOCATE_URL/AAF_NS.cm:2.1\r
+aaf|fs_url|https://AAF_LOCATE_URL/AAF_NS.fs.2.1\r
+aaf|gui_url|https://AAF_LOCATE_URL/AAF_NS.gui.2.1\r
// OSAAF Root
INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('aaf@aaf.osaaf.org','org.admin','2018-10-31','org','admin') using TTL 14400;
+ VALUES ('aaf@aaf.osaaf.org','org.admin','2018-10-31','org','admin');
INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('aaf@aaf.osaaf.org','org.osaaf.aaf.admin','2018-10-31','org.osaaf.aaf','admin') using TTL 14400;
+ VALUES ('aaf@aaf.osaaf.org','org.osaaf.aaf.admin','2018-10-31','org.osaaf.aaf','admin');
// ONAP Specific Entities
INSERT INTO role(ns, name, perms, description)
VALUES('org.onap.portal','admin',{'org.onap.portal.access|*|*'},'Portal Admins');
+// AAF Admin
+insert into cred (id,type,expires,cred,notes,ns,other) values('aaf_admin@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
+INSERT INTO user_role(user,role,expires,ns,rname)
+ VALUES ('aaf_admin@people.osaaf.org','org.osaaf.aaf.admin','2018-10-31','org.osaaf.aaf','admin');
+
+// A Deployer
+insert into cred (id,type,expires,cred,notes,ns,other) values('deployer@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
+INSERT INTO role(ns, name, perms, description)
+ VALUES('org.osaaf.aaf','deploy',{},'ONAP Deployment Role');
+INSERT INTO user_role(user,role,expires,ns,rname)
+ VALUES ('deployer@people.osaaf.org','org.osaaf.aaf.deploy','2018-10-31','org.osaaf.aaf','deploy');
+
+
// DEMO ID (OPS)
insert into cred (id,type,expires,cred,notes,ns,other) values('demo@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
INSERT INTO user_role(user,role,expires,ns,rname)
--- /dev/null
+for T in x509 ns_attrib config cred user_role perm role artifact ns; do
+ cqlsh -e "use authz; COPY $T TO '$T.dat' WITH DELIMITER='|';"
+done
+tar -cvzf dat.gz *.dat
+
--- /dev/null
+tar -xvf dat.gz
+for T in x509 ns_attrib config cred user_role perm role artifact ns; do
+ cqlsh -e "use authz; COPY $T FROM '$T.dat' WITH DELIMITER='|';"
+done
+
import org.onap.aaf.auth.dao.cass.NsSplit;
import org.onap.aaf.auth.dao.cass.PermDAO;
-import org.onap.aaf.auth.dao.cass.Status;
import org.onap.aaf.auth.dao.cass.PermDAO.Data;
+import org.onap.aaf.auth.dao.cass.Status;
import org.onap.aaf.auth.dao.hl.Question;
import org.onap.aaf.auth.env.AuthzEnv;
import org.onap.aaf.auth.env.AuthzTrans;
import org.onap.aaf.auth.env.NullTrans;
import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.Lur;
import org.onap.aaf.cadi.Permission;
-import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.lur.LocalPermission;
import org.onap.aaf.misc.env.util.Split;
}
@Override
- public boolean fish(Principal bait, Permission pond) {
+ public boolean fish(Principal bait, Permission ... pond) {
return fish(env.newTransNoAvg(),bait,pond);
}
- public boolean fish(AuthzTrans trans, Principal bait, Permission pond) {
+ public boolean fish(AuthzTrans trans, Principal bait, Permission ... pond) {
+ boolean rv = false;
Result<List<Data>> pdr = question.getPermsByUser(trans, bait.getName(),false);
switch(pdr.status) {
case OK:
for(PermDAO.Data d : pdr.value) {
- if(new PermPermission(d).match(pond)) {
- return true;
+ if(!rv) {
+ for (Permission p : pond) {
+ if(new PermPermission(d).match(p)) {
+ rv=true;
+ break;
+ }
+ }
}
}
break;
default:
trans.error().log("Can't access Cassandra to fulfill Permission Query: ",pdr.status,"-",pdr.details);
}
- return false;
+ return rv;
}
@Override
}
@Override
- public boolean handlesExclusively(Permission pond) {
+ public boolean handlesExclusively(Permission ... pond) {
return false;
}
<groupId>org.onap.aaf.authz</groupId>
<artifactId>aaf-cadi-aaf</artifactId>
</dependency>
+
+ <!-- Add the Organizations you wish to support. You can delete ONAP if
+ you have something else Match with Property Entry: Organization.<root ns>,
+ i.e. Organization.onap.org=org.onap.org.DefaultOrg -->
+ <dependency>
+ <groupId>org.onap.aaf.authz</groupId>
+ <artifactId>aaf-auth-deforg</artifactId>
+ </dependency>
<dependency>
<groupId>com.google.code.jscep</groupId>
private final String name;
private final String env;
private MessageDigest messageDigest;
+ private final String permNS;
private final String permType;
private final ArrayList<String> idDomains;
private String[] trustedCAs;
private String[] caIssuerDNs;
- private List<RDN> rdns;
+ private List<RDN> rdns;
protected CA(Access access, String caName, String env) throws IOException, CertException {
trustedCAs = new String[4]; // starting array
this.name = caName;
this.env = env;
- permType = access.getProperty(CM_CA_PREFIX + name + ".perm_type",null);
+ permNS = CM_CA_PREFIX + name;
+ permType = access.getProperty(permNS + ".perm_type",null);
if(permType==null) {
- throw new CertException(CM_CA_PREFIX + name + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
+ throw new CertException(permNS + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
}
caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null));
}
+ public String getPermNS() {
+ return permNS;
+ }
+
public String getPermType() {
return permType;
}
CertmanValidator v = new CertmanValidator();
if(v.nullOrBlank("cn", csr.cn())
.nullOrBlank("mechID", csr.mechID())
- .nullOrBlank("email", csr.email())
+// .nullOrBlank("email", csr.email())
.err()) {
return v.errs();
} else {
Date start = gc.getTime();
gc.add(GregorianCalendar.DAY_OF_MONTH,2);
Date end = gc.getTime();
+ @SuppressWarnings("deprecation")
X509v3CertificateBuilder xcb = new X509v3CertificateBuilder(
x500Name(),
new BigInteger(12,random), // replace with Serialnumber scheme
import static org.onap.aaf.auth.layer.Result.OK;
import java.io.IOException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.onap.aaf.auth.env.AuthzTrans;
import org.onap.aaf.auth.layer.Result;
import org.onap.aaf.cadi.aaf.AAFPermission;
-import org.onap.aaf.cadi.configure.CertException;
-import org.onap.aaf.cadi.configure.Factory;
import org.onap.aaf.misc.env.APIException;
import org.onap.aaf.misc.env.Data;
import org.onap.aaf.misc.env.Env;
@Override
public Result<Void> check(AuthzTrans trans, HttpServletResponse resp, String perm) throws IOException {
String[] p = Split.split('|',perm);
- if(p.length!=3) {
- return Result.err(Result.ERR_BadData,"Invalid Perm String");
+ AAFPermission ap;
+ switch(p.length) {
+ case 3:
+ ap = new AAFPermission(null, p[0],p[1],p[2]);
+ break;
+ case 4:
+ ap = new AAFPermission(p[0],p[1],p[2],p[3]);
+ break;
+ default:
+ return Result.err(Result.ERR_BadData,"Invalid Perm String");
}
- AAFPermission ap = new AAFPermission(p[0],p[1],p[2]);
if(certman.aafLurPerm.fish(trans.getUserPrincipal(), ap)) {
resp.setContentType(voidResp);
resp.getOutputStream().write(0);
// return Result.ok();
}
- private KeyStore keystore(AuthzTrans trans, CertResp cr, String[] trustChain, String name, char[] cap) throws KeyStoreException, CertificateException, APIException, IOException, CertException, NoSuchAlgorithmException {
- KeyStore jks = KeyStore.getInstance("jks");
- jks.load(null, cap);
-
- // Get the Cert(s)... Might include Trust store
- List<String> lcerts = new ArrayList<>();
- lcerts.add(cr.asCertString());
- for(String s : trustChain) {
- lcerts.add(s);
- }
-
- Collection<? extends Certificate> certColl = Factory.toX509Certificate(lcerts);
- X509Certificate[] certs = new X509Certificate[certColl.size()];
- certColl.toArray(certs);
- KeyStore.ProtectionParameter protParam = new KeyStore.PasswordProtection(cap);
-
- PrivateKey pk = Factory.toPrivateKey(trans, cr.privateString());
- KeyStore.PrivateKeyEntry pkEntry =
- new KeyStore.PrivateKeyEntry(pk, new Certificate[] {certs[0]});
- jks.setEntry(name, pkEntry, protParam);
-
- int i=0;
- for(X509Certificate x509 : certs) {
- jks.setCertificateEntry("cert_"+ ++i, x509);
- }
- return jks;
- }
+// private KeyStore keystore(AuthzTrans trans, CertResp cr, String[] trustChain, String name, char[] cap) throws KeyStoreException, CertificateException, APIException, IOException, CertException, NoSuchAlgorithmException {
+// KeyStore jks = KeyStore.getInstance("jks");
+// jks.load(null, cap);
+//
+// // Get the Cert(s)... Might include Trust store
+// List<String> lcerts = new ArrayList<>();
+// lcerts.add(cr.asCertString());
+// for(String s : trustChain) {
+// lcerts.add(s);
+// }
+//
+// Collection<? extends Certificate> certColl = Factory.toX509Certificate(lcerts);
+// X509Certificate[] certs = new X509Certificate[certColl.size()];
+// certColl.toArray(certs);
+// KeyStore.ProtectionParameter protParam = new KeyStore.PasswordProtection(cap);
+//
+// PrivateKey pk = Factory.toPrivateKey(trans, cr.privateString());
+// KeyStore.PrivateKeyEntry pkEntry =
+// new KeyStore.PrivateKeyEntry(pk, new Certificate[] {certs[0]});
+// jks.setEntry(name, pkEntry, protParam);
+//
+// int i=0;
+// for(X509Certificate x509 : certs) {
+// jks.setCertificateEntry("cert_"+ ++i, x509);
+// }
+// return jks;
+// }
@Override
public Result<Void> renewCert(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, boolean withTrust) {
import org.onap.aaf.auth.org.Organization.Identity;
import org.onap.aaf.auth.org.OrganizationException;
import org.onap.aaf.cadi.Hash;
+import org.onap.aaf.cadi.Permission;
import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.cadi.configure.Factory;
import org.onap.aaf.cadi.util.FQI;
import org.onap.aaf.misc.env.APIException;
import org.onap.aaf.misc.env.util.Chrono;
-
public class CMService {
// If we add more CAs, may want to parameterize
private static final int STD_RENEWAL = 30;
private static final int MAX_RENEWAL = 60;
private static final int MIN_RENEWAL = 10;
-
+
public static final String REQUEST = "request";
+ public static final String IGNORE_IPS = "ignoreIPs";
public static final String RENEW = "renew";
public static final String DROP = "drop";
- public static final String IPS = "ips";
public static final String DOMAIN = "domain";
- private static final String CERTMAN = ".certman";
- private static final String ACCESS = ".access";
-
+ private static final String CERTMAN = "certman";
+ private static final String ACCESS = "access";
+
private static final String[] NO_NOTES = new String[0];
+ private final Permission root_read_permission;
private final CertDAO certDAO;
private final CredDAO credDAO;
private final ArtiDAO artiDAO;
private AAF_CM certman;
-// @SuppressWarnings("unchecked")
+ // @SuppressWarnings("unchecked")
public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
- // Jonathan 4/2015 SessionFilter unneeded... DataStax already deals with Multithreading well
-
- HistoryDAO hd = new HistoryDAO(trans, certman.cluster, CassAccess.KEYSPACE);
+ // Jonathan 4/2015 SessionFilter unneeded... DataStax already deals with
+ // Multithreading well
+
+ HistoryDAO hd = new HistoryDAO(trans, certman.cluster, CassAccess.KEYSPACE);
CacheInfoDAO cid = new CacheInfoDAO(trans, hd);
certDAO = new CertDAO(trans, hd, cid);
credDAO = new CredDAO(trans, hd, cid);
artiDAO = new ArtiDAO(trans, hd, cid);
this.certman = certman;
+
+ root_read_permission=new AAFPermission(
+ trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF),
+ "access",
+ "*",
+ "read"
+ );
}
-
- public Result<CertResp> requestCert(final AuthzTrans trans,final Result<CertReq> req, final CA ca) {
- if(req.isOK()) {
- if(req.value.fqdns.isEmpty()) {
- return Result.err(Result.ERR_BadData,"No Machines passed in Request");
+ public Result<CertResp> requestCert(final AuthzTrans trans, final Result<CertReq> req, final CA ca) {
+ if (req.isOK()) {
+
+ if (req.value.fqdns.isEmpty()) {
+ return Result.err(Result.ERR_BadData, "No Machines passed in Request");
}
-
+
String key = req.value.fqdns.get(0);
-
+
// Policy 6: Requester must be granted Change permission in Namespace requested
String mechNS = FQI.reverseDomain(req.value.mechid);
- if(mechNS==null) {
- return Result.err(Status.ERR_Denied, "%s does not reflect a valid AAF Namespace",req.value.mechid);
- }
-
-
- // Disallow non-AAF CA without special permission
- if(!"aaf".equals(ca.getName()) && !trans.fish( new AAFPermission(mechNS+CERTMAN, ca.getName(), REQUEST))) {
- return Result.err(Status.ERR_Denied, "'%s' does not have permission to request Certificates from Certificate Authority '%s'",
- trans.user(),ca.getName());
+ if (mechNS == null) {
+ return Result.err(Status.ERR_Denied, "%s does not reflect a valid AAF Namespace", req.value.mechid);
}
List<String> notes = null;
List<String> fqdns = new ArrayList<>(req.value.fqdns);
-
-
+
String email = null;
try {
Organization org = trans.org();
-
+
+ boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
+
InetAddress primary = null;
// Organize incoming information to get to appropriate Artifact
- if(!fqdns.isEmpty()) {
+ if (!fqdns.isEmpty()) {
// Accept domain wild cards, but turn into real machines
// Need *domain.com:real.machine.domain.com:san.machine.domain.com:...
- if(fqdns.get(0).startsWith("*")) { // Domain set
- if(!trans.fish(new AAFPermission(ca.getPermType(), ca.getName(), DOMAIN))) {
- return Result.err(Result.ERR_Denied, "Domain based Authorizations (" + fqdns.get(0) + ") requires Exception");
+ if (fqdns.get(0).startsWith("*")) { // Domain set
+ if (!trans.fish(new AAFPermission(null,ca.getPermType(), ca.getName(), DOMAIN))) {
+ return Result.err(Result.ERR_Denied,
+ "Domain based Authorizations (" + fqdns.get(0) + ") requires Exception");
}
-
- //TODO check for Permission in Add Artifact?
+
+ // TODO check for Permission in Add Artifact?
String domain = fqdns.get(0).substring(1);
fqdns.remove(0);
- if(fqdns.isEmpty()) {
- return Result.err(Result.ERR_Denied, "Requests using domain require machine declaration");
- }
-
- InetAddress ia = InetAddress.getByName(fqdns.get(0));
- if(ia==null) {
- return Result.err(Result.ERR_Denied, "Request not made from matching IP matching domain");
- } else if(ia.getHostName().endsWith(domain)) {
- primary = ia;
- }
-
- } else {
- for(String cn : req.value.fqdns) {
+ if (fqdns.isEmpty()) {
+ return Result.err(Result.ERR_Denied, "Requests using domain require machine declaration");
+ }
+
+ if (!ignoreIPs) {
+ InetAddress ia = InetAddress.getByName(fqdns.get(0));
+ if (ia == null) {
+ return Result.err(Result.ERR_Denied,
+ "Request not made from matching IP matching domain");
+ } else if (ia.getHostName().endsWith(domain)) {
+ primary = ia;
+ }
+ }
+
+ } else {
+ for (String cn : req.value.fqdns) {
try {
InetAddress[] ias = InetAddress.getAllByName(cn);
Set<String> potentialSanNames = new HashSet<>();
- for(InetAddress ia1 : ias) {
+ for (InetAddress ia1 : ias) {
InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress());
- if(primary==null && ias.length==1 && trans.ip().equals(ia1.getHostAddress())) {
+ if (primary == null && ias.length == 1 && trans.ip().equals(ia1.getHostAddress())) {
primary = ia1;
- } else if(!cn.equals(ia1.getHostName()) && !ia2.getHostName().equals(ia2.getHostAddress())) {
+ } else if (!cn.equals(ia1.getHostName())
+ && !ia2.getHostName().equals(ia2.getHostAddress())) {
potentialSanNames.add(ia1.getHostName());
}
}
} catch (UnknownHostException e1) {
- return Result.err(Result.ERR_BadData,"There is no DNS lookup for %s",cn);
+ return Result.err(Result.ERR_BadData, "There is no DNS lookup for %s", cn);
}
-
+
}
}
}
-
- if(primary==null) {
- return Result.err(Result.ERR_Denied, "Request not made from matching IP (%s)",trans.ip());
+
+ final String host;
+ if(ignoreIPs) {
+ host = req.value.fqdns.get(0);
+ } else if (primary == null) {
+ return Result.err(Result.ERR_Denied, "Request not made from matching IP (%s)", trans.ip());
+ } else {
+ host = primary.getHostAddress();
}
-
+
ArtiDAO.Data add = null;
- Result<List<ArtiDAO.Data>> ra = artiDAO.read(trans, req.value.mechid,primary.getHostAddress());
- if(ra.isOKhasData()) {
- if(add==null) {
+ Result<List<ArtiDAO.Data>> ra = artiDAO.read(trans, req.value.mechid, host);
+ if (ra.isOKhasData()) {
+ if (add == null) {
add = ra.value.get(0); // single key
}
} else {
- ra = artiDAO.read(trans, req.value.mechid,key);
- if(ra.isOKhasData()) { // is the Template available?
- add = ra.value.get(0);
- add.machine=primary.getHostName();
- for(String s : fqdns) {
- if(!s.equals(add.machine)) {
- add.sans(true).add(s);
- }
- }
-
Result<ArtiDAO.Data> rc = artiDAO.create(trans, add); // Create new Artifact from Template
- if(rc.notOK()) {
- return Result.err(rc);
- }
- } else {
- add = ra.value.get(0);
- }
+ ra = artiDAO.read(trans, req.value.mechid, key);
+ if (ra.isOKhasData()) { // is the Template available?
+ add = ra.value.get(0);
+ add.machine = host;
+ for (String s : fqdns) {
+ if (!s.equals(add.machine)) {
+ add.sans(true).add(s);
+ }
+ }
+ Result<ArtiDAO.Data> rc = artiDAO.create(trans, add); // Create new Artifact from Template
+ if (rc.notOK()) {
+ return Result.err(rc);
+ }
+ } else {
+ add = ra.value.get(0);
+ }
}
-
+
// Add Artifact listed FQDNs
- if(add.sans!=null) {
- for(String s : add.sans) {
- if(!fqdns.contains(s)) {
+ if (add.sans != null) {
+ for (String s : add.sans) {
+ if (!fqdns.contains(s)) {
fqdns.add(s);
}
}
// Policy 2: If Config marked as Expired, do not create or renew
Date now = new Date();
- if(add.expires!=null && now.after(add.expires)) {
- return Result.err(Result.ERR_Policy,"Configuration for %s %s is expired %s",add.mechid,add.machine,Chrono.dateFmt.format(add.expires));
+ if (add.expires != null && now.after(add.expires)) {
+ return Result.err(Result.ERR_Policy, "Configuration for %s %s is expired %s", add.mechid,
+ add.machine, Chrono.dateFmt.format(add.expires));
}
-
+
// Policy 3: MechID must be current
Identity muser = org.getIdentity(trans, add.mechid);
- if(muser == null) {
- return Result.err(Result.ERR_Policy,"MechID must exist in %s",org.getName());
+ if (muser == null) {
+ return Result.err(Result.ERR_Policy, "MechID must exist in %s", org.getName());
}
-
+
// Policy 4: Sponsor must be current
Identity ouser = muser.responsibleTo();
- if(ouser==null) {
- return Result.err(Result.ERR_Policy,"%s does not have a current sponsor at %s",add.mechid,org.getName());
- } else if(!ouser.isFound() || ouser.mayOwn()!=null) {
- return Result.err(Result.ERR_Policy,"%s reports that %s cannot be responsible for %s",org.getName(),trans.user());
+ if (ouser == null) {
+ return Result.err(Result.ERR_Policy, "%s does not have a current sponsor at %s", add.mechid,
+ org.getName());
+ } else if (!ouser.isFound() || ouser.mayOwn() != null) {
+ return Result.err(Result.ERR_Policy, "%s reports that %s cannot be responsible for %s",
+ org.getName(), trans.user());
}
-
+
// Set Email from most current Sponsor
email = ouser.email();
-
+
// Policy 5: keep Artifact data current
- if(!ouser.fullID().equals(add.sponsor)) {
+ if (!ouser.fullID().equals(add.sponsor)) {
add.sponsor = ouser.fullID();
artiDAO.update(trans, add);
}
-
- // Policy 7: Caller must be the MechID or have specifically delegated permissions
- if(!(trans.user().equals(req.value.mechid) || trans.fish(new AAFPermission(mechNS + CERTMAN, ca.getName() , REQUEST)))) {
- return Result.err(Status.ERR_Denied, "%s must have access to modify x509 certs in NS %s",trans.user(),mechNS);
+
+ // Policy 7: Caller must be the MechID or have specifically delegated
+ // permissions
+ if (!(trans.user().equals(req.value.mechid)
+ || trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), REQUEST)))) {
+ return Result.err(Status.ERR_Denied, "%s must have access to modify x509 certs in NS %s",
+ trans.user(), mechNS);
}
-
+
// Make sure Primary is the first in fqdns
- if(fqdns.size()>1) {
- for(int i=0;i<fqdns.size();++i) {
- if(fqdns.get(i).equals(primary.getHostName())) {
- if(i!=0) {
- String tmp = fqdns.get(0);
- fqdns.set(0, primary.getHostName());
- fqdns.set(i, tmp);
+ if (fqdns.size() > 1) {
+ for (int i = 0; i < fqdns.size(); ++i) {
+ if(primary==null) {
+ trans.error().log("CMService var primary is null");
+ } else {
+ String fg = fqdns.get(i);
+ if (fg!=null && fg.equals(primary.getHostName())) {
+ if (i != 0) {
+ String tmp = fqdns.get(0);
+ fqdns.set(0, primary.getHostName());
+ fqdns.set(i, tmp);
+ }
}
}
}
}
} catch (Exception e) {
+ e.printStackTrace();
trans.error().log(e);
- return Result.err(Status.ERR_Denied,"MechID Sponsorship cannot be determined at this time. Try later");
+ return Result.err(Status.ERR_Denied,
+ "AppID Sponsorship cannot be determined at this time. Try later.");
}
-
+
CSRMeta csrMeta;
try {
- csrMeta = BCFactory.createCSRMeta(
- ca,
- req.value.mechid,
- email,
- fqdns);
+ csrMeta = BCFactory.createCSRMeta(ca, req.value.mechid, email, fqdns);
X509andChain x509ac = ca.sign(trans, csrMeta);
- if(x509ac==null) {
- return Result.err(Result.ERR_ActionNotCompleted,"x509 Certificate not signed by CA");
+ if (x509ac == null) {
+ return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");
}
trans.info().printf("X509 Subject: %s", x509ac.getX509().getSubjectDN());
-
+
X509Certificate x509 = x509ac.getX509();
CertDAO.Data cdd = new CertDAO.Data();
- cdd.ca=ca.getName();
- cdd.serial=x509.getSerialNumber();
- cdd.id=req.value.mechid;
- cdd.x500=x509.getSubjectDN().getName();
- cdd.x509=Factory.toString(trans, x509);
+ cdd.ca = ca.getName();
+ cdd.serial = x509.getSerialNumber();
+ cdd.id = req.value.mechid;
+ cdd.x500 = x509.getSubjectDN().getName();
+ cdd.x509 = Factory.toString(trans, x509);
certDAO.create(trans, cdd);
-
+
CredDAO.Data crdd = new CredDAO.Data();
crdd.other = Question.random.nextInt();
- crdd.cred=getChallenge256SaltedHash(csrMeta.challenge(),crdd.other);
+ crdd.cred = getChallenge256SaltedHash(csrMeta.challenge(), crdd.other);
crdd.expires = x509.getNotAfter();
crdd.id = req.value.mechid;
crdd.ns = Question.domain2ns(crdd.id);
crdd.type = CredDAO.CERT_SHA256_RSA;
credDAO.create(trans, crdd);
-
- CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(),compileNotes(notes));
+
+ CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), compileNotes(notes));
return Result.ok(cr);
} catch (Exception e) {
trans.error().log(e);
- return Result.err(Result.ERR_ActionNotCompleted,e.getMessage());
+ return Result.err(Result.ERR_ActionNotCompleted, e.getMessage());
}
} else {
return Result.err(req);
}
}
- public Result<CertResp> renewCert(AuthzTrans trans, Result<CertRenew> renew) {
- if(renew.isOK()) {
- return Result.err(Result.ERR_NotImplemented,"Not implemented yet");
+ public Result<CertResp> renewCert(AuthzTrans trans, Result<CertRenew> renew) {
+ if (renew.isOK()) {
+ return Result.err(Result.ERR_NotImplemented, "Not implemented yet");
} else {
return Result.err(renew);
- }
+ }
}
public Result<Void> dropCert(AuthzTrans trans, Result<CertDrop> drop) {
- if(drop.isOK()) {
- return Result.err(Result.ERR_NotImplemented,"Not implemented yet");
+ if (drop.isOK()) {
+ return Result.err(Result.ERR_NotImplemented, "Not implemented yet");
} else {
return Result.err(drop);
- }
+ }
}
public Result<List<Data>> readCertsByMechID(AuthzTrans trans, String mechID) {
// Policy 1: To Read, must have NS Read or is Sponsor
String ns = Question.domain2ns(mechID);
try {
- if( trans.user().equals(mechID)
- || trans.fish(new AAFPermission(ns + ACCESS, "*", "read"))
- || (trans.org().validate(trans,Organization.Policy.OWNS_MECHID,null,mechID))==null) {
+ if (trans.user().equals(mechID) || trans.fish(new AAFPermission(ns,ACCESS, "*", "read"))
+ || (trans.org().validate(trans, Organization.Policy.OWNS_MECHID, null, mechID)) == null) {
return certDAO.readID(trans, mechID);
} else {
- return Result.err(Result.ERR_Denied,"%s is not the ID, Sponsor or NS Owner/Admin for %s at %s",
- trans.user(),mechID,trans.org().getName());
+ return Result.err(Result.ERR_Denied, "%s is not the ID, Sponsor or NS Owner/Admin for %s at %s",
+ trans.user(), mechID, trans.org().getName());
}
- } catch(OrganizationException e) {
+ } catch (OrganizationException e) {
return Result.err(e);
}
}
public Result<CertResp> requestPersonalCert(AuthzTrans trans, CA ca) {
- if(ca.inPersonalDomains(trans.getUserPrincipal())) {
+ if (ca.inPersonalDomains(trans.getUserPrincipal())) {
Organization org = trans.org();
-
+
// Policy 1: MechID must be current
Identity ouser;
try {
trans.error().log(e1);
ouser = null;
}
- if(ouser == null) {
- return Result.err(Result.ERR_Policy,"Requesting User must exist in %s",org.getName());
+ if (ouser == null) {
+ return Result.err(Result.ERR_Policy, "Requesting User must exist in %s", org.getName());
}
-
+
// Set Email from most current Sponsor
-
+
CSRMeta csrMeta;
try {
- csrMeta = BCFactory.createPersonalCSRMeta(
- ca,
- trans.user(),
- ouser.email());
+ csrMeta = BCFactory.createPersonalCSRMeta(ca, trans.user(), ouser.email());
X509andChain x509ac = ca.sign(trans, csrMeta);
- if(x509ac==null) {
- return Result.err(Result.ERR_ActionNotCompleted,"x509 Certificate not signed by CA");
+ if (x509ac == null) {
+ return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");
}
X509Certificate x509 = x509ac.getX509();
CertDAO.Data cdd = new CertDAO.Data();
- cdd.ca=ca.getName();
- cdd.serial=x509.getSerialNumber();
- cdd.id=trans.user();
- cdd.x500=x509.getSubjectDN().getName();
- cdd.x509=Factory.toString(trans, x509);
+ cdd.ca = ca.getName();
+ cdd.serial = x509.getSerialNumber();
+ cdd.id = trans.user();
+ cdd.x500 = x509.getSubjectDN().getName();
+ cdd.x509 = Factory.toString(trans, x509);
certDAO.create(trans, cdd);
-
+
CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), compileNotes(null));
return Result.ok(cr);
} catch (Exception e) {
trans.error().log(e);
- return Result.err(Result.ERR_ActionNotCompleted,e.getMessage());
+ return Result.err(Result.ERR_ActionNotCompleted, e.getMessage());
}
} else {
- return Result.err(Result.ERR_Denied,trans.user()," not supported for CA",ca.getName());
+ return Result.err(Result.ERR_Denied, trans.user(), " not supported for CA", ca.getName());
}
}
//////////////
public Result<Void> createArtifact(AuthzTrans trans, List<ArtiDAO.Data> list) {
CertmanValidator v = new CertmanValidator().artisRequired(list, 1);
- if(v.err()) {
- return Result.err(Result.ERR_BadData,v.errs());
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
}
- for(ArtiDAO.Data add : list) {
+ for (ArtiDAO.Data add : list) {
try {
// Policy 1: MechID must exist in Org
Identity muser = trans.org().getIdentity(trans, add.mechid);
- if(muser == null) {
- return Result.err(Result.ERR_Denied,"%s is not valid for %s", add.mechid,trans.org().getName());
+ if (muser == null) {
+ return Result.err(Result.ERR_Denied, "%s is not valid for %s", add.mechid, trans.org().getName());
}
-
+
// Policy 2: MechID must have valid Organization Owner
Identity emailUser;
- if(muser.isPerson()) {
+ if (muser.isPerson()) {
emailUser = muser;
} else {
Identity ouser = muser.responsibleTo();
- if(ouser == null) {
- return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
- trans.user(),add.mechid,trans.org().getName());
+ if (ouser == null) {
+ return Result.err(Result.ERR_Denied, "%s is not a valid Sponsor for %s at %s", trans.user(),
+ add.mechid, trans.org().getName());
}
// Policy 3: Calling ID must be MechID Owner
- if(!trans.user().equals(ouser.fullID())) {
- return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
- trans.user(),add.mechid,trans.org().getName());
+ if (!trans.user().startsWith(ouser.id())) {
+ return Result.err(Result.ERR_Denied, "%s is not the Sponsor for %s at %s", trans.user(),
+ add.mechid, trans.org().getName());
}
emailUser = ouser;
}
-
- // Policy 4: Renewal Days are between 10 and 60 (constants, may be parameterized)
- if(add.renewDays<MIN_RENEWAL) {
+ // Policy 4: Renewal Days are between 10 and 60 (constants, may be
+ // parameterized)
+ if (add.renewDays < MIN_RENEWAL) {
add.renewDays = STD_RENEWAL;
- } else if(add.renewDays>MAX_RENEWAL) {
+ } else if (add.renewDays > MAX_RENEWAL) {
add.renewDays = MAX_RENEWAL;
}
-
+
// Policy 5: If Notify is blank, set to Owner's Email
- if(add.notify==null || add.notify.length()==0) {
- add.notify = "mailto:"+emailUser.email();
+ if (add.notify == null || add.notify.length() == 0) {
+ add.notify = "mailto:" + emailUser.email();
}
-
+
// Policy 6: Only do Domain by Exception
- if(add.machine.startsWith("*")) { // Domain set
+ if (add.machine.startsWith("*")) { // Domain set
CA ca = certman.getCA(add.ca);
-
- if(!trans.fish(new AAFPermission(ca.getPermType(), add.ca, DOMAIN))) {
- return Result.err(Result.ERR_Denied,"Domain Artifacts (%s) requires specific Permission",
- add.machine);
+ if (!trans.fish(new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN))) {
+ return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission",
+ add.machine);
}
}
// Set Sponsor from Golden Source
add.sponsor = emailUser.fullID();
-
-
+
} catch (OrganizationException e) {
return Result.err(e);
}
// Add to DB
Result<ArtiDAO.Data> rv = artiDAO.create(trans, add);
// TODO come up with Partial Reporting Scheme, or allow only one at a time.
- if(rv.notOK()) {
+ if (rv.notOK()) {
return Result.err(rv);
}
}
public Result<List<ArtiDAO.Data>> readArtifacts(AuthzTrans trans, ArtiDAO.Data add) throws OrganizationException {
CertmanValidator v = new CertmanValidator().keys(add);
- if(v.err()) {
- return Result.err(Result.ERR_BadData,v.errs());
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
}
Result<List<ArtiDAO.Data>> data = artiDAO.read(trans, add);
- if(data.notOKorIsEmpty()) {
+ if (data.notOKorIsEmpty()) {
return data;
}
add = data.value.get(0);
- if( trans.user().equals(add.mechid)
- || trans.fish(new AAFPermission(add.ns + ACCESS, "*", "read"))
- || trans.fish(new AAFPermission(add.ns+CERTMAN,add.ca,"read"))
- || trans.fish(new AAFPermission(add.ns+CERTMAN,add.ca,"request"))
- || (trans.org().validate(trans,Organization.Policy.OWNS_MECHID,null,add.mechid))==null) {
+ if (trans.user().equals(add.mechid)
+ || trans.fish(root_read_permission,
+ new AAFPermission(add.ns,ACCESS, "*", "read"),
+ new AAFPermission(add.ns,CERTMAN, add.ca, "read"),
+ new AAFPermission(add.ns,CERTMAN, add.ca, "request"))
+ || (trans.org().validate(trans, Organization.Policy.OWNS_MECHID, null, add.mechid)) == null) {
return data;
} else {
- return Result.err(Result.ERR_Denied,"%s is not %s, is not the sponsor, and doesn't have delegated permission.",trans.user(),add.mechid,add.ns+".certman|"+add.ca+"|read or ...|request"); // note: reason is set by 2nd case, if 1st case misses
+ return Result.err(Result.ERR_Denied,
+ "%s is not %s, is not the sponsor, and doesn't have delegated permission.", trans.user(),
+ add.mechid, add.ns + ".certman|" + add.ca + "|read or ...|request"); // note: reason is set by 2nd
+ // case, if 1st case misses
}
}
- public Result<List<ArtiDAO.Data>> readArtifactsByMechID(AuthzTrans trans, String mechid) throws OrganizationException {
+ public Result<List<ArtiDAO.Data>> readArtifactsByMechID(AuthzTrans trans, String mechid)
+ throws OrganizationException {
CertmanValidator v = new CertmanValidator();
v.nullOrBlank("mechid", mechid);
- if(v.err()) {
- return Result.err(Result.ERR_BadData,v.errs());
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
}
String ns = FQI.reverseDomain(mechid);
-
+
String reason;
- if(trans.fish(new AAFPermission(ns + ACCESS, "*", "read"))
- || (reason=trans.org().validate(trans,Organization.Policy.OWNS_MECHID,null,mechid))==null) {
+ if (trans.fish(new AAFPermission(ns, ACCESS, "*", "read"))
+ || (reason = trans.org().validate(trans, Organization.Policy.OWNS_MECHID, null, mechid)) == null) {
return artiDAO.readByMechID(trans, mechid);
} else {
- return Result.err(Result.ERR_Denied,reason); // note: reason is set by 2nd case, if 1st case misses
+ return Result.err(Result.ERR_Denied, reason); // note: reason is set by 2nd case, if 1st case misses
}
}
public Result<List<ArtiDAO.Data>> readArtifactsByMachine(AuthzTrans trans, String machine) {
CertmanValidator v = new CertmanValidator();
v.nullOrBlank("machine", machine);
- if(v.err()) {
- return Result.err(Result.ERR_BadData,v.errs());
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
}
-
+
// TODO do some checks?
Result<List<ArtiDAO.Data>> rv = artiDAO.readByMachine(trans, machine);
public Result<List<ArtiDAO.Data>> readArtifactsByNs(AuthzTrans trans, String ns) {
CertmanValidator v = new CertmanValidator();
v.nullOrBlank("ns", ns);
- if(v.err()) {
- return Result.err(Result.ERR_BadData,v.errs());
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
}
-
+
// TODO do some checks?
- return artiDAO.readByNs(trans, ns);
+ return artiDAO.readByNs(trans, ns);
}
-
public Result<Void> updateArtifact(AuthzTrans trans, List<ArtiDAO.Data> list) throws OrganizationException {
CertmanValidator v = new CertmanValidator();
v.artisRequired(list, 1);
- if(v.err()) {
- return Result.err(Result.ERR_BadData,v.errs());
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
}
-
+
// Check if requesting User is Sponsor
- //TODO - Shall we do one, or multiples?
- for(ArtiDAO.Data add : list) {
+ // TODO - Shall we do one, or multiples?
+ for (ArtiDAO.Data add : list) {
// Policy 1: MechID must exist in Org
Identity muser = trans.org().getIdentity(trans, add.mechid);
- if(muser == null) {
- return Result.err(Result.ERR_Denied,"%s is not valid for %s", add.mechid,trans.org().getName());
+ if (muser == null) {
+ return Result.err(Result.ERR_Denied, "%s is not valid for %s", add.mechid, trans.org().getName());
}
-
+
// Policy 2: MechID must have valid Organization Owner
Identity ouser = muser.responsibleTo();
- if(ouser == null) {
- return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
- trans.user(),add.mechid,trans.org().getName());
+ if (ouser == null) {
+ return Result.err(Result.ERR_Denied, "%s is not a valid Sponsor for %s at %s", trans.user(), add.mechid,
+ trans.org().getName());
}
- // Policy 3: Renewal Days are between 10 and 60 (constants, may be parameterized)
- if(add.renewDays<MIN_RENEWAL) {
+ // Policy 3: Renewal Days are between 10 and 60 (constants, may be
+ // parameterized)
+ if (add.renewDays < MIN_RENEWAL) {
add.renewDays = STD_RENEWAL;
- } else if(add.renewDays>MAX_RENEWAL) {
+ } else if (add.renewDays > MAX_RENEWAL) {
add.renewDays = MAX_RENEWAL;
}
add.sponsor = ouser.fullID();
// Policy 5: If Notify is blank, set to Owner's Email
- if(add.notify==null || add.notify.length()==0) {
- add.notify = "mailto:"+ouser.email();
+ if (add.notify == null || add.notify.length() == 0) {
+ add.notify = "mailto:" + ouser.email();
}
// Policy 6: Only do Domain by Exception
- if(add.machine.startsWith("*")) { // Domain set
+ if (add.machine.startsWith("*")) { // Domain set
CA ca = certman.getCA(add.ca);
- if(ca==null) {
+ if (ca == null) {
return Result.err(Result.ERR_BadData, "CA is required in Artifact");
}
- if(!trans.fish(new AAFPermission(ca.getPermType(), add.ca, DOMAIN))) {
- return Result.err(Result.ERR_Denied,"Domain Artifacts (%s) requires specific Permission",
- add.machine);
+ if (!trans.fish(new AAFPermission(null,ca.getPermType(), add.ca, DOMAIN))) {
+ return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission",
+ add.machine);
}
}
// Policy 7: only Owner may update info
- if(trans.user().equals(add.sponsor)) {
+ if (trans.user().startsWith(ouser.id())) {
return artiDAO.update(trans, add);
} else {
- return Result.err(Result.ERR_Denied,"%s may not update info for %s",trans.user(),muser.fullID());
+ return Result.err(Result.ERR_Denied, "%s may not update info for %s", trans.user(), muser.fullID());
}
}
- return Result.err(Result.ERR_BadData,"No Artifacts to update");
+ return Result.err(Result.ERR_BadData, "No Artifacts to update");
}
-
+
public Result<Void> deleteArtifact(AuthzTrans trans, String mechid, String machine) throws OrganizationException {
CertmanValidator v = new CertmanValidator();
- v.nullOrBlank("mechid", mechid)
- .nullOrBlank("machine", machine);
- if(v.err()) {
- return Result.err(Result.ERR_BadData,v.errs());
+ v.nullOrBlank("mechid", mechid).nullOrBlank("machine", machine);
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
}
Result<List<ArtiDAO.Data>> rlad = artiDAO.read(trans, mechid, machine);
- if(rlad.notOKorIsEmpty()) {
- return Result.err(Result.ERR_NotFound,"Artifact for %s %s does not exist.",mechid,machine);
+ if (rlad.notOKorIsEmpty()) {
+ return Result.err(Result.ERR_NotFound, "Artifact for %s %s does not exist.", mechid, machine);
}
-
- return deleteArtifact(trans,rlad.value.get(0));
+
+ return deleteArtifact(trans, rlad.value.get(0));
}
-
+
private Result<Void> deleteArtifact(AuthzTrans trans, ArtiDAO.Data add) throws OrganizationException {
- // Policy 1: Record should be delete able only by Existing Sponsor.
- String sponsor=null;
+ // Policy 1: Record should be delete able only by Existing Sponsor.
+ String sponsor = null;
Identity muser = trans.org().getIdentity(trans, add.mechid);
- if(muser != null) {
+ if (muser != null) {
Identity ouser = muser.responsibleTo();
- if(ouser!=null) {
+ if (ouser != null) {
sponsor = ouser.fullID();
}
}
- // Policy 1.a: If Sponsorship is deleted in system of Record, then
+ // Policy 1.a: If Sponsorship is deleted in system of Record, then
// accept deletion by sponsor in Artifact Table
- if(sponsor==null) {
+ if (sponsor == null) {
sponsor = add.sponsor;
}
-
+
String ns = FQI.reverseDomain(add.mechid);
- if(trans.fish(new AAFPermission(ns + ACCESS, "*", "write"))
- || trans.user().equals(sponsor)) {
+ if (trans.fish(new AAFPermission(ns,ACCESS, "*", "write")) || trans.user().equals(sponsor)) {
return artiDAO.delete(trans, add, false);
}
- return Result.err(Result.ERR_Denied, "%1 is not allowed to delete this item",trans.user());
+ return Result.err(Result.ERR_Denied, "%1 is not allowed to delete this item", trans.user());
}
public Result<Void> deleteArtifact(AuthzTrans trans, List<ArtiDAO.Data> list) {
CertmanValidator v = new CertmanValidator().artisRequired(list, 1);
- if(v.err()) {
- return Result.err(Result.ERR_BadData,v.errs());
+ if (v.err()) {
+ return Result.err(Result.ERR_BadData, v.errs());
}
try {
boolean partial = false;
- Result<Void> result=null;
- for(ArtiDAO.Data add : list) {
+ Result<Void> result = null;
+ for (ArtiDAO.Data add : list) {
result = deleteArtifact(trans, add);
- if(result.notOK()) {
+ if (result.notOK()) {
partial = true;
}
}
- if(result == null) {
- result = Result.err(Result.ERR_BadData,"No Artifacts to delete");
- } else if(partial) {
+ if (result == null) {
+ result = Result.err(Result.ERR_BadData, "No Artifacts to delete");
+ } else if (partial) {
result.partialContent(true);
}
return result;
- } catch(Exception e) {
+ } catch (Exception e) {
return Result.err(e);
}
}
private String[] compileNotes(List<String> notes) {
String[] rv;
- if(notes==null) {
+ if (notes == null) {
rv = NO_NOTES;
} else {
rv = new String[notes.size()];
******************************************************************************/
package org.onap.aaf.auth.cm.facade;
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertNotNull;
import static org.mockito.Mockito.CALLS_REAL_METHODS;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.xml.namespace.QName;
-import javax.xml.validation.Schema;
import org.junit.Before;
-import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mockito;
import org.mockito.runners.MockitoJUnitRunner;
import org.onap.aaf.auth.cm.AAF_CM;
-import org.onap.aaf.auth.cm.facade.FacadeImpl;
import org.onap.aaf.auth.cm.mapper.Mapper;
import org.onap.aaf.auth.cm.service.CMService;
import org.onap.aaf.auth.env.AuthzEnv;
import org.onap.aaf.auth.env.AuthzTrans;
import org.onap.aaf.auth.layer.Result;
import org.onap.aaf.cadi.aaf.AAFPermission;
-import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
import org.onap.aaf.misc.env.APIException;
import org.onap.aaf.misc.env.Data;
import org.onap.aaf.misc.env.LogTarget;
import org.onap.aaf.misc.env.TimeTaken;
-import org.onap.aaf.misc.env.Trans;
-import org.onap.aaf.misc.rosetta.env.RosettaDF;
-import org.onap.aaf.misc.rosetta.env.RosettaData;
@RunWith(MockitoJUnitRunner.class)
@Test
public void check() throws IOException {
- AAFPermission ap = new AAFPermission("str1","str3","str2");
+ AAFPermission ap = new AAFPermission("str0","str1","str3","str2");
String perms = ap.getInstance();
assertNotNull(hImpl.check(trans, resp, perms));
}
@Test
public void checkNull() throws IOException {
- AAFPermission ap = new AAFPermission(null,"Str3","str2");
+ AAFPermission ap = new AAFPermission(null,null,"Str3","str2");
String perms = ap.getInstance();
assertNotNull(hImpl.check(trans, resp, perms));
}
@Test
public void checkTwoNull() throws IOException {
- AAFPermission ap = new AAFPermission(null,null,"str2");
+ AAFPermission ap = new AAFPermission(null,null,null,"str2");
String perms = ap.getInstance();
assertNotNull(fImpl.check(trans, resp, perms));
}
@Test
public void checkAllNull() throws IOException {
- AAFPermission ap = new AAFPermission(null,null,null);
+ AAFPermission ap = new AAFPermission(null,null,null,null);
String perms = ap.getInstance();
assertNotNull(fImpl.check(trans, resp, perms));
}
@Test
public void checkTrans_null() throws IOException {
- AAFPermission ap = new AAFPermission("str1","str3","str2");
+ AAFPermission ap = new AAFPermission("str0","str1","str3","str2");
String perms = ap.getInstance();
assertNotNull(hImpl.check(null, resp, perms));
}
@Test
public void checkRespNull() throws IOException {
- AAFPermission ap = new AAFPermission("str1","str3","str2");
+ AAFPermission ap = new AAFPermission("str0","str1","str3","str2");
String perms = ap.getInstance();
assertNotNull(hImpl.check(trans, null, perms));
}
@Override
protected int _exec(int idx, String... args) throws CadiException, APIException, LocatorException {
pw().println("AAF Command Line Tool");
- String version = access.getProperty(Config.AAF_DEFAULT_VERSION, "2.0");
- pw().println("Version: " + version);
+ pw().print("Version: ");
+ pw().println(Config.AAF_DEFAULT_VERSION);
return 200 /*HttpStatus.OK_200;*/;
}
}
wtr = mock(Writer.class);
loc = mock(Locator.class);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- hman = new HMangr(aEnv, loc);
- aafcli = new AAFcli(prop, aEnv, wtr, hman, null, secSet);
- mgmt = new Mgmt(aafcli);
- cache = new Cache(mgmt);
- clr = new Clear(cache);
+// hman = new HMangr(aEnv, loc);
+// aafcli = new AAFcli(prop, aEnv, wtr, hman, null, secSet);
+// mgmt = new Mgmt(aafcli);
+// cache = new Cache(mgmt);
+// clr = new Clear(cache);
}
public void testExec() throws APIException, LocatorException, CadiException, URISyntaxException {
Item value = mock(Item.class);
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
when(loc.first()).thenReturn(value);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, value, secSet);
- String[] strArr = {"grant","ungrant","setTo","grant","ungrant","setTo"};
+// HRcli hcli = new HRcli(hman, uri, value, secSet);
+// String[] strArr = {"grant","ungrant","setTo","grant","ungrant","setTo"};
//clr._exec(0, strArr);
}
Define define = new Define();
define.set(prop);
StringBuilder sb = new StringBuilder();
- clr.detailedHelp(0, sb);
+// clr.detailedHelp(0, sb);
}
}
wtr = mock(Writer.class);
loc = mock(Locator.class);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- hman = new HMangr(aEnv, loc);
- aafcli = new AAFcli(prop, aEnv, wtr, hman, null, secSet);
- Mgmt mgmt = new Mgmt(aafcli);
- deny = new Deny(mgmt);
+// hman = new HMangr(aEnv, loc);
+// aafcli = new AAFcli(prop, aEnv, wtr, hman, null, secSet);
+// Mgmt mgmt = new Mgmt(aafcli);
+// deny = new Deny(mgmt);
//denyS = deny.new DenySomething(deny,"ip","ipv4or6[,ipv4or6]*");
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
// String[] strArr = {"add","del", "add","del"};
// deny._exec(0, strArr);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- when(loc.first()).thenReturn(value);
- String[] strArr = {"add","upd","del","add","upd","del"};
- log1._exec(0, strArr);
-
- String[] strArr1 = {"del","add","upd","del"};
- log1._exec(0, strArr1);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// when(loc.first()).thenReturn(value);
+// String[] strArr = {"add","upd","del","add","upd","del"};
+// log1._exec(0, strArr);
+//
+// String[] strArr1 = {"del","add","upd","del"};
+// log1._exec(0, strArr1);
}
wtr = mock(Writer.class);
loc = mock(Locator.class);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- hman = new HMangr(aEnv, loc);
- aafcli = new AAFcli(prop, aEnv, wtr, hman, null, secSet);
- Mgmt mgmt = new Mgmt(aafcli);
- Session sess = new Session(mgmt);
- sessclr = new SessClear(sess);
+// hman = new HMangr(aEnv, loc);
+// aafcli = new AAFcli(prop, aEnv, wtr, hman, null, secSet);
+// Mgmt mgmt = new Mgmt(aafcli);
+// Session sess = new Session(mgmt);
+// sessclr = new SessClear(sess);
}
@Test
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- when(loc.first()).thenReturn(value);
- String[] strArr = {"add","upd","del","add","upd","del"};
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// when(loc.first()).thenReturn(value);
+// String[] strArr = {"add","upd","del","add","upd","del"};
//sessclr._exec(0, strArr);
}
Define define = new Define();
define.set(prop);
StringBuilder sb = new StringBuilder();
- sessclr.detailedHelp(0, sb);
+// sessclr.detailedHelp(0, sb);
}
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"add", "del","add","add"};
- admin._exec(0, strArr);
-
- String[] strArr1 = {"del","add","add"};
- admin._exec(0, strArr1);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"add", "del","add","add"};
+// admin._exec(0, strArr);
+//
+// String[] strArr1 = {"del","add","add"};
+// admin._exec(0, strArr1);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"add","upd","del","add","upd","del"};
- attrib._exec(0, strArr);
-
- String[] strArr1 = {"upd","del","add","upd","del","add"};
- attrib._exec(0, strArr1);
-
- String[] strArr2 = {"del","add","upd","del","add","upd"};
- attrib._exec(0, strArr2);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"add","upd","del","add","upd","del"};
+// attrib._exec(0, strArr);
+//
+// String[] strArr1 = {"upd","del","add","upd","del","add"};
+// attrib._exec(0, strArr1);
+//
+// String[] strArr2 = {"del","add","upd","del","add","upd"};
+// attrib._exec(0, strArr2);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"add","upd","del","add","upd","del"};
- delete._exec(0, strArr);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"add","upd","del","add","upd","del"};
+// delete._exec(0, strArr);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"add","upd","del","add","upd","del"};
- desc._exec(0, strArr);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"add","upd","del","add","upd","del"};
+// desc._exec(0, strArr);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"grant","ungrant","setTo","grant","ungrant","setTo"};
- del._exec(0, strArr);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"grant","ungrant","setTo","grant","ungrant","setTo"};
+// del._exec(0, strArr);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"grant","ungrant","setTo","grant","ungrant","setTo"};
- desc._exec(0, strArr);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"grant","ungrant","setTo","grant","ungrant","setTo"};
+// desc._exec(0, strArr);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"grant","ungrant","setTo","grant","ungrant","setTo"};
- grant._exec(0, strArr);
-
- String[] strArr1 = {"ungrant","setTo","grant","ungrant","setTo", "grant"};
- grant._exec(0, strArr1);
-
- String[] strArr2 = {"setTo","grant","ungrant","setTo", "grant", "ungrant"};
- grant._exec(0, strArr2);
+// String[] strArr = {"grant","ungrant","setTo","grant","ungrant","setTo"};
+// grant._exec(0, strArr);
+//
+// String[] strArr1 = {"ungrant","setTo","grant","ungrant","setTo", "grant"};
+// grant._exec(0, strArr1);
+//
+// String[] strArr2 = {"setTo","grant","ungrant","setTo", "grant", "ungrant"};
+// grant._exec(0, strArr2);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"grant","ungrant","setTo","grant","ungrant","setTo"};
- rename._exec(0, strArr);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"grant","ungrant","setTo","grant","ungrant","setTo"};
+// rename._exec(0, strArr);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"create","delete","create","delete"};
- createDel._exec(0, strArr);
-
- String[] strArr1 = {"delete","create","delete"};
- createDel._exec(0, strArr1);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"create","delete","create","delete"};
+// createDel._exec(0, strArr);
+//
+// String[] strArr1 = {"delete","create","delete"};
+// createDel._exec(0, strArr1);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"add","upd","del","add","upd","del"};
- desc._exec(0, strArr);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"add","upd","del","add","upd","del"};
+// desc._exec(0, strArr);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"add","del","setTo","extend","add","del","setTo","extend"};
- user._exec(0, strArr);
-
- String[] strArr1 = {"del","setTo","extend","add","del","setTo","extend"};
- user._exec(0, strArr1);
-
- String[] strArr2 = {"setTo","extend","add","del","setTo","extend"};
- user._exec(0, strArr2);
-
- String[] strArr3 = {"extend","add","del","setTo","extend"};
- user._exec(0, strArr3);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"add","del","setTo","extend","add","del","setTo","extend"};
+// user._exec(0, strArr);
+//
+// String[] strArr1 = {"del","setTo","extend","add","del","setTo","extend"};
+// user._exec(0, strArr1);
+//
+// String[] strArr2 = {"setTo","extend","add","del","setTo","extend"};
+// user._exec(0, strArr2);
+//
+// String[] strArr3 = {"extend","add","del","setTo","extend"};
+// user._exec(0, strArr3);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"add","del","reset","extend"};
- cred._exec(0, strArr);
-
- String[] strArr1 = {"del","reset","extend","add"};
- cred._exec(0, strArr1);
-
- String[] strArr2 = {"reset","extend", "add","del"};
- cred._exec(0, strArr2);
-
- String[] strArr3 = {"extend","add","del","reset"};
- cred._exec(0, strArr3);
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"add","del","reset","extend"};
+// cred._exec(0, strArr);
+//
+// String[] strArr1 = {"del","reset","extend","add"};
+// cred._exec(0, strArr1);
+//
+// String[] strArr2 = {"reset","extend", "add","del"};
+// cred._exec(0, strArr2);
+//
+// String[] strArr3 = {"extend","add","del","reset"};
+// cred._exec(0, strArr3);
}
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
HRcli hcli = new HRcli(hman, uri, item, secSet);
Locator.Item item = new Locator.Item() {
};
when(loc.best()).thenReturn(value);
- URI uri = new URI("http://java.sun.com/j2se/1.3/");
+ URI uri = new URI("http://www.oracle.com/technetwork/java/index.html");
when(loc.get(value)).thenReturn(uri);
SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
- HRcli hcli = new HRcli(hman, uri, item, secSet);
- String[] strArr = {"add", "del", "setTo","extend", "del", "setTo","extend"};
- Assert.assertEquals(200, role._exec(0, strArr));
-
- String[] strArr1 = { "del", "setTo","extend","add", "del", "setTo","extend"};
- Assert.assertEquals(501, role._exec(0, strArr1));
-
- String[] strArr2 = {"setTo","extend","add", "del", "del", "setTo","extend" };
- Assert.assertEquals(501, role._exec(0, strArr2));
-
- String[] strArr3 = {"extend","add", "del","setTo", "del", "setTo","extend" };
- Assert.assertEquals(501, role._exec(0, strArr3));
+// HRcli hcli = new HRcli(hman, uri, item, secSet);
+// String[] strArr = {"add", "del", "setTo","extend", "del", "setTo","extend"};
+// Assert.assertEquals(200, role._exec(0, strArr));
+//
+// String[] strArr1 = { "del", "setTo","extend","add", "del", "setTo","extend"};
+// Assert.assertEquals(501, role._exec(0, strArr1));
+//
+// String[] strArr2 = {"setTo","extend","add", "del", "del", "setTo","extend" };
+// Assert.assertEquals(501, role._exec(0, strArr2));
+//
+// String[] strArr3 = {"extend","add", "del","setTo", "del", "setTo","extend" };
+// Assert.assertEquals(501, role._exec(0, strArr3));
}
public abstract void setLur(Lur lur);
- public abstract boolean fish(Permission p);
+ public abstract boolean fish(Permission ... p);
public abstract Organization org();
}
@Override
- public boolean fish(Permission p) {
+ public boolean fish(Permission ... pond) {
if(lur!=null) {
- return lur.fish(user, p);
+ return lur.fish(user, pond);
}
return false;
}
}
@Override
- public boolean fish(Permission p) {
+ public boolean fish(Permission ... p) {
return false;
}
******************************************************************************/
package org.onap.aaf.auth.common.test;
+import static org.mockito.Mockito.mock;
+
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
-import org.junit.Before;
-import static org.mockito.Mockito.*;
-
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map.Entry;
-import java.util.Set;
-
import org.onap.aaf.auth.common.Define;
import org.onap.aaf.cadi.Access;
import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.PropAccess;
import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.misc.env.Env;
-import static org.junit.Assert.*;
-
-//import com.att.authz.common.Define;
-import org.powermock.api.mockito.PowerMockito;
import org.powermock.modules.junit4.PowerMockRunner;
@RunWith(PowerMockRunner.class)
public class JU_Define {
+ private static final String AAF_NS_DOT = "AAF_NS.";
public static String ROOT_NS="NS.Not.Set";
public static String ROOT_COMPANY=ROOT_NS;
Access acc;
@Test
public void testSet() throws CadiException {
PropAccess prop = new PropAccess();
- prop.setProperty("AAF_NS.", "AAF_NS.");
+ prop.setProperty(AAF_NS_DOT, AAF_NS_DOT);
prop.setProperty(Config.AAF_ROOT_NS, ".ns_Test");
prop.setProperty(Config.AAF_ROOT_COMPANY, "company_Test");
Define.set(prop);
Define.ROOT_COMPANY();
PropAccess prop1 = new PropAccess();
- prop1.setProperty("AAF_NS.", "AAF_NS.");
+ prop1.setProperty(AAF_NS_DOT, AAF_NS_DOT);
prop1.setProperty(Config.AAF_ROOT_NS, ".ns_Test");
Define.set(prop1);
}
@Test
public void testVarReplace() {
- Define.varReplace("AAF_NS.");
+ Define.varReplace(AAF_NS_DOT);
Define.varReplace("test");
}
}
}
private static final String SPEC_CHARS = "!@#$%^*-+?/,:;.";
- private static final Pattern PASS_PATTERN=Pattern.compile("((?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[" + SPEC_CHARS +"]).{6,20})");
+ private static final Pattern PASS_PATTERN=Pattern.compile("(((?=.*[a-z,A-Z])(((?=.*\\d))|(?=.*[" + SPEC_CHARS +"]))).{6,20})");
/**
+ * ( # Start of group
+ * (?=.*[a-z,A-Z]) # must contain one character
+ *
+ * (?=.*\d) # must contain one digit from 0-9
+ * OR
+ * (?=.*[@#$%]) # must contain one special symbols in the list SPEC_CHARS
+ *
+ * . # match anything with previous condition checking
+ * {6,20} # length at least 6 characters and maximum of 20
+ * ) # End of group
+ *
+ * Another example, more stringent pattern
+ private static final Pattern PASS_PATTERN=Pattern.compile("((?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[" + SPEC_CHARS +"]).{6,20})");
* Attribution: from mkyong.com
* ( # Start of group
- * (?=.*\d) # must contains one digit from 0-9
- * (?=.*[a-z]) # must contains one lowercase characters
- * (?=.*[A-Z]) # must contains one uppercase characters
- * (?=.*[@#$%]) # must contains one special symbols in the list SPEC_CHARS
+ * (?=.*\d) # must contain one digit from 0-9
+ * (?=.*[a-z]) # must contain one lowercase characters
+ * (?=.*[A-Z]) # must contain one uppercase characters
+ * (?=.*[@#$%]) # must contain one special symbols in the list SPEC_CHARS
* . # match anything with previous condition checking
* {6,20} # length at least 6 characters and maximum of 20
* ) # End of group
}
private static final String[] rules = new String[] {
- "Passwords must contain one digit from 0-9",
- "Passwords must contain one lowercase character",
- "Passwords must contain one uppercase character",
- "Passwords must contain one special symbols in the list \""+ SPEC_CHARS + '"',
- "Passwords must be between 6 and 20 chars in length"
+ "Passwords must contain letters",
+ "Passwords must contain one of the following:",
+ " Number",
+ " One special symbols in the list \""+ SPEC_CHARS + '"',
+ "Passwords must be between 6 and 20 chars in length",
};
@Override
******************************************************************************/
package org.onap.aaf.org.test;
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotSame;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.when;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.local.AbsData.Reuse;
+import org.onap.aaf.auth.org.Organization.Identity;
import org.onap.aaf.auth.org.OrganizationException;
import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.misc.env.Env;
import org.onap.aaf.org.DefaultOrg;
import org.onap.aaf.org.Identities;
import org.powermock.modules.junit4.PowerMockRunner;
-import org.onap.aaf.auth.local.AbsData.Reuse;
@RunWith(PowerMockRunner.class)
@Test
public void testDefOrgPasswords() {
assertEquals(defaultOrg.isValidPassword(authzTransMock, null, "new2You!", "Pilgrim"),"");
- assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "new2you!", "Pilgrim"),"");
-
+ assertEquals(defaultOrg.isValidPassword(authzTransMock, null, "new2you!", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "newtoyou", "Pilgrim"),"");
}
@Test
// System.out.println("value of res " +Result);
// assertNotNull(Result);
// }
-
+
+ @Test
+ public void testResponsible() throws OrganizationException {
+ Identity id = defaultOrg.getIdentity(authzTransMock, "osaaf");
+ Identity rt = id.responsibleTo();
+ assertTrue(rt.id().equals("bdevl"));
+
+ }
+
//@Test
public void notYetImplemented() {
fail("Tests in this file should not be trusted");
--- /dev/null
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * *
+ * * http://www.apache.org/licenses/LICENSE-2.0
+ * *
+ * * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * *
+ ******************************************************************************/
+package org.onap.aaf.org.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotSame;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.when;
+
+import java.io.File;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.OrganizationException;
+import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.env.LogTarget;
+import org.onap.aaf.misc.env.TimeTaken;
+import org.onap.aaf.org.DefaultOrg;
+import org.onap.aaf.org.Identities;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+
+@RunWith(PowerMockRunner.class)
+public class JU_Passwords {
+
+
+ private DefaultOrg defaultOrg;
+
+
+ Identities.Data data;
+
+ @Mock
+ Env envMock;
+
+ @Mock
+ AuthzTrans authzTransMock;
+
+ @Mock
+ TimeTaken ttMock;
+
+ @Mock
+ LogTarget logTargetMock;
+
+
+ private static final String REALM = "org.osaaf";
+ private static final String NAME = "Default Organization";
+
+ String mailHost,mailFromUserId,summary,supportAddress;
+
+ @Before
+ public void setUp() throws OrganizationException{
+
+ mailFromUserId = "frommail";
+ mailHost = "hostmail";
+ File file = new File("src/test/resources/");
+ when(envMock.getProperty(REALM + ".name","Default Organization")).thenReturn(NAME);
+ when(envMock.getProperty(REALM + ".mailHost",null)).thenReturn(mailHost);
+ when(envMock.getProperty(REALM + ".mailFrom",null)).thenReturn(mailFromUserId);
+ when(envMock.getProperty("aaf_data_dir")).thenReturn(file.getAbsolutePath());
+ when(envMock.warn()).thenReturn(logTargetMock);
+ when(authzTransMock.warn()).thenReturn(logTargetMock);
+ when(authzTransMock.start(any(String.class),any(Integer.class))).thenReturn(ttMock);
+ when(authzTransMock.error()).thenReturn(logTargetMock);
+ when(authzTransMock.getProperty("CASS_ENV", "")).thenReturn("Cassandra env");
+
+ defaultOrg = new DefaultOrg(envMock, REALM);
+
+ }
+
+
+ @Test
+ public void testDefOrgPasswords() {
+ // Accepts letters and one of (number, Special Char, Upper)
+ assertEquals(defaultOrg.isValidPassword(authzTransMock, null, "newyou2", "Pilgrim"),"");
+ assertEquals(defaultOrg.isValidPassword(authzTransMock, null, "newyou!", "Pilgrim"),"");
+ assertEquals(defaultOrg.isValidPassword(authzTransMock, null, "newyou!", "Pilgrim"),"");
+
+ // Don't accept just letters, Numbers or Special Chars, or without ANY letters
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "newyouA", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "NEWYOU", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "newyou", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "125343", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "#$@*^#", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "#$3333", "Pilgrim"),"");
+
+ // Length
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "w2Yu!", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "moreThan20somethingCharacters, even though good", "Pilgrim"),"");
+
+ // May not contain ID
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "Pilgrim", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "Pilgrim1", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "Pilgrim#", "Pilgrim"),"");
+ assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "aPilgrim1", "Pilgrim"),"");
+
+ // Solid
+ assertEquals(defaultOrg.isValidPassword(authzTransMock, null, "new2You!", "Pilgrim"),"");
+
+
+ }
+
+}
public static final String AAF_URL_GUI_ONBOARD = "aaf_url.gui_onboard";
public static final String AAF_URL_AAF_HELP = "aaf_url.aaf_help";
public static final String AAF_URL_CADI_HELP = "aaf_url.cadi_help";
- public static final String PERM_CA_TYPE = Define.ROOT_NS() + ".ca";
+ public static final String PERM_CA_TYPE = "certman";
+ public static final String PERM_NS = Define.ROOT_NS();
public static enum BROWSER {iPhone,html5,ie,ieOld};
p = msp.get(instance);
}
if(p==null) {
- p=new AAFPermission(PERM_CA_TYPE,instance,action);
+ p=new AAFPermission(PERM_NS, PERM_CA_TYPE,instance,action);
msp.put(action, p);
}
return p;
}
hgen.text("IPs allowed, separated by commas.").end()
- .input(fields[11], "SANs", false, "value="+(sb==null?"":sb.toString()),"style=width:180%;");
+ .input(fields[11], "SANs", false, "value="+(sb==null?"":sb.toString()),"style=width:130%;");
// }
- hgen.input(fields[2],"Namespace",true,"value="+arti.getNs(),"style=width:180%;")
- .input(fields[3],"Directory", true, "value="+arti.getDir(),"style=width:180%;")
- .input(fields[4],"Certificate Authority",true,"value="+arti.getCa(),"style=width:180%;")
+ hgen.input(fields[2],"Namespace",true,"value="+arti.getNs(),"style=width:130%;")
+ .input(fields[3],"Directory", true, "value="+arti.getDir(),"style=width:130%;")
+ .input(fields[4],"Certificate Authority",true,"value="+arti.getCa(),"style=width:130%;")
.input(fields[5],"O/S User",true,"value="+arti.getOsUser())
.input(fields[6],"Renewal Days before Expiration", true, "value="+arti.getRenewDays(),"style=width:20%;")
.input(fields[7],"Notification",true,"value="+arti.getNotification())
*
*/
private static class Model extends TableData<AAF_GUI,AuthzTrans> {
+ private static final String ACCESS = "access";
private Slot sRoleName,sRole,sUserRole,sMayWrite,sMayApprove,sMark,sNS;
public Model(AuthzEnv env) {
sRoleName = env.slot(NAME+".role");
if(!roles.isEmpty()) {
Role role = fr.value.getRole().get(0);
trans.put(sRole, role);
- Boolean mayWrite = trans.fish(new AAFPermission(role.getNs()+".access",":role:"+role.getName(),"write"));
+ Boolean mayWrite = trans.fish(new AAFPermission(role.getNs(),ACCESS,":role:"+role.getName(),"write"));
trans.put(sMayWrite,mayWrite);
- Boolean mayApprove = trans.fish(new AAFPermission(role.getNs()+".access",":role:"+role.getName(),"approve"));
+ Boolean mayApprove = trans.fish(new AAFPermission(role.getNs(),ACCESS,":role:"+role.getName(),"approve"));
trans.put(sMayApprove, mayApprove);
if(mayWrite || mayApprove) {
,"text/plain","*/*","*");
/**
- * Query User Has Perm
+ * Query User Has Perm is DEPRECATED
+ *
+ * Need to move towards NS declaration... is this even being used?
+ * @deprecated
*/
gwAPI.route(HttpMethods.GET,"/ask/:user/has/:type/:instance/:action",API.VOID,new LocateCode(facade,USER_HAS_PERM, true) {
@Override
public void handle(final AuthzTrans trans, final HttpServletRequest req, HttpServletResponse resp) throws Exception {
try {
+ String type = pathParam(req,":type");
+ int idx = type.lastIndexOf('.');
+ String ns = type.substring(0,idx);
+ type = type.substring(idx+1);
resp.getOutputStream().print(
gwAPI.aafLurPerm.fish(new Principal() {
public String getName() {
return pathParam(req,":user");
};
}, new AAFPermission(
- pathParam(req,":type"),
+ ns,
+ type,
pathParam(req,":instance"),
pathParam(req,":action"))));
resp.setStatus(HttpStatus.OK_200);
for(MgmtEndpoint me : meps.getMgmtEndpoint()) {
if(permToRegister) {
int dot = me.getName().lastIndexOf('.'); // Note: Validator checks for NS for getName()
- AAFPermission p = new AAFPermission(me.getName().substring(0,dot)+".locator",me.getName(),"write");
+ AAFPermission p = new AAFPermission(me.getName().substring(0,dot),"locator",me.getName(),"write");
if(trans.fish(p)) {
LocateDAO.Data data = mapper.locateData(me);
locateDAO.update(trans, data, true);
int count = 0;
for(MgmtEndpoint me : meps.getMgmtEndpoint()) {
int dot = me.getName().lastIndexOf('.'); // Note: Validator checks for NS for getName()
- AAFPermission p = new AAFPermission(me.getName().substring(0,dot)+".locator",me.getHostname(),"write");
+ AAFPermission p = new AAFPermission(me.getName().substring(0,dot),"locator",me.getHostname(),"write");
if(trans.fish(p)) {
LocateDAO.Data data = mapper.locateData(me);
data.port_key = UUID.randomUUID();
} else {
sb.append(',');
}
- sb.append("{\"type\":\"");
+ sb.append("{\"ns\":\"");
sb.append(d.ns);
- sb.append('.');
+ sb.append("\",\"type\":\"");
sb.append(d.type);
sb.append("\",\"instance\":\"");
sb.append(d.instance);
odd.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP));
odd.exp_sec = exp/1000;
odd.req_ip = trans.ip();
-
+
try {
Result<Data> rd = loadToken(trans, odd);
if(rd.notOK()) {
if(cd==null) {
msg("Cred Data is null.");
} else {
- if(nob(cd.id,ID_CHARS)) {
- msg("ID [" + cd.id + "] is invalid in " + org.getName());
- }
if(!org.isValidCred(trans, cd.id)) {
- msg("ID [" + cd.id + "] is invalid for a cred in " + org.getName());
+ msg("ID [" + cd.id + "] is invalid in " + org.getName());
}
String str = cd.id;
int idx = str.indexOf('@');
--- /dev/null
+FROM rmannfv/aaf-base:xenial
+MAINTAINER AAF Team, AT&T 2018
+ENV VERSION=${AAF_VERSION}
+
+LABEL description="aaf_agent"
+LABEL version=${AAF_VERSION}
+
+COPY logs /opt/app/aaf_config/logs
+COPY bin/client.sh /opt/app/aaf_config/bin/agent.sh
+COPY bin/aaf-cadi*full.jar /opt/app/aaf_config/bin/
+COPY public/*all.jks /opt/app/aaf_config/public/
+
+ENTRYPOINT ["/bin/bash","/opt/app/aaf_config/bin/agent.sh"]
+CMD []
+
MAINTAINER AAF Team, AT&T 2018
ENV VERSION=${AAF_VERSION}
-LABEL description="aaf_agent"
+LABEL description="aaf_config"
LABEL version=${AAF_VERSION}
COPY data/sample.identities.dat /opt/app/aaf_config/data/
COPY local /opt/app/aaf_config/local
COPY public /opt/app/aaf_config/public
COPY logs /opt/app/aaf_config/logs
-COPY bin /opt/app/aaf_config/bin
+COPY bin/service.sh /opt/app/aaf_config/bin/agent.sh
ENTRYPOINT ["/bin/bash","/opt/app/aaf_config/bin/agent.sh"]
CMD []
--- /dev/null
+FQI=clamp@clamp.onap.org
+VOLUME=clamp_aaf
+LONGITUDE=-92
+FQDN=meriadoc.mithril.sbc.com
+VERSION=2.1.2-SNAPSHOT
+DRIVER=local
+LATITUDE=38
+FQDN_IP=192.168.99.100
+AAF_FQDN=meriadoc.mithril.sbc.com
+AAF_AAF_FQDN_IP=192.168.99.100
+DEPLOY_FQI=deployer@people.osaaf.org
+DEPLOY_PASSWORD=demo123456!
+APP_FQDN=meriadoc.mithril.sbc.com
+APP_FQI=clamp@clamp.onap.org
--- /dev/null
+#!/bin/bash
+. ./d.props
+
+docker run \
+ -it \
+ --rm \
+ --mount 'type=volume,src=aaf_config,dst='$CONF_ROOT_DIR',volume-driver=local' \
+ --add-host="$HOSTNAME:$HOST_IP" \
+ --add-host="aaf.osaaf.org:$HOST_IP" \
+ --env AAF_ENV=${AAF_ENV} \
+ --env AAF_REGISTER_AS=${AAF_REGISTER_AS} \
+ --env LATITUDE=${LATITUDE} \
+ --env LONGITUDE=${LONGITUDE} \
+ --name aaf_config_$USER \
+ ${ORG}/${PROJECT}/aaf_config:${VERSION} \
+ /bin/bash "$@"
#!/bin/bash
-. ./d.props
+
+CADI_VERSION=2.1.2-SNAPSHOT
+
+# Fill out "aaf.props" if not filled out already
+if [ ! -e aaf.props ]; then
+ > ./aaf.props
+fi
+for V in VERSION AAF_FQDN DEPLOY_FQI APP_FQDN APP_FQI VOLUME DRIVER LATITUDE LONGITUDE; do
+ if [ "$(grep $V ./aaf.props)" = "" ]; then
+ unset DEF
+ case $V in
+ AAF_FQDN) PROMPT="AAF's FQDN";;
+ DEPLOY_FQI) PROMPT="Deployer's FQI";;
+ APP_FQI) PROMPT="App's FQI";;
+ APP_FQDN) PROMPT="App's Root FQDN";;
+ VOLUME) PROMPT="APP's AAF Configuration Volume";;
+ DRIVER) PROMPT=$V;DEF=local;;
+ VERSION) PROMPT="CADI Version";DEF=$CADI_VERSION;;
+ LATITUDE|LONGITUDE) PROMPT="$V of Node";;
+ *) PROMPT=$V;;
+ esac
+ if [ "$DEF" = "" ]; then
+ PROMPT="$PROMPT: "
+ else
+ PROMPT="$PROMPT ($DEF): "
+ fi
+ read -p "$PROMPT" VAR
+ if [ "$VAR" = "" ]; then
+ if [ "$DEF" = "" ]; then
+ echo "agent.sh needs each value queried. Please start again."
+ exit
+ else
+ VAR=$DEF
+ fi
+ fi
+ echo "$V=$VAR" >> ./aaf.props
+ fi
+done
+. ./aaf.props
+
+# Need AAF_FQDN's IP, because not might not be available in mini-container
+if [ "$AAF_AAF_FQDN_IP" = "" ]; then
+ AAF_AAF_FQDN_IP=$(host $AAF_FQDN | grep "has address" | tail -1 | cut -f 4 -d ' ')
+ if [ "$AAF_AAF_FQDN_IP" = "" ]; then
+ read -p "IP of $AAF_FQDN: " AAF_AAF_FQDN_IP
+ echo "AAF_AAF_FQDN_IP=$AAF_AAF_FQDN_IP" >> ./aaf.props
+ fi
+fi
+
+# Make sure Container Volume exists
+if [ "$(docker volume ls | grep ${VOLUME})" = "" ]; then
+ echo -n "Creating Volume: "
+ docker volume create -d ${DRIVER} ${VOLUME}
+fi
docker run \
-it \
--rm \
- --mount 'type=volume,src=aaf_config,dst='$CONF_ROOT_DIR',volume-driver=local' \
- --add-host="$HOSTNAME:$HOST_IP" \
- --add-host="aaf.osaaf.org:$HOST_IP" \
- --env AAF_ENV=${AAF_ENV} \
- --env AAF_REGISTER_AS=${AAF_REGISTER_AS} \
+ --mount 'type=volume,src='${VOLUME}',dst=/opt/app/osaaf,volume-driver='${DRIVER} \
+ --add-host="$AAF_FQDN:$AAF_AAF_FQDN_IP" \
+ --env AAF_FQDN=${AAF_FQDN} \
+ --env DEPLOY_FQI=${DEPLOY_FQI} \
+ --env DEPLOY_PASSWORD=${DEPLOY_PASSWORD} \
+ --env APP_FQI=${APP_FQI} \
+ --env APP_FQDN=${APP_FQDN} \
--env LATITUDE=${LATITUDE} \
--env LONGITUDE=${LONGITUDE} \
--name aaf_agent_$USER \
- ${ORG}/${PROJECT}/aaf_config:${VERSION} \
+ onap/aaf/aaf_agent:$VERSION \
/bin/bash "$@"
. ./d.props
-# Create the Config (Security) Image
-sed -e 's/${AAF_VERSION}/'${VERSION}'/g' -e 's/${AAF_COMPONENT}/'${AAF_COMPONENT}'/g' Dockerfile.config >../sample/Dockerfile
+# Create the AAF Config (Security) Images
cd ..
cp ../cadi/aaf/target/aaf-cadi-aaf-${VERSION}-full.jar sample/bin
+
+# AAF Config image (for AAF itself)
+sed -e 's/${AAF_VERSION}/'${VERSION}'/g' -e 's/${AAF_COMPONENT}/'${AAF_COMPONENT}'/g' docker/Dockerfile.config > sample/Dockerfile
docker build -t ${ORG}/${PROJECT}/aaf_config:${VERSION} sample
+
+# AAF Agent Image (for Clients)
+sed -e 's/${AAF_VERSION}/'${VERSION}'/g' -e 's/${AAF_COMPONENT}/'${AAF_COMPONENT}'/g' docker/Dockerfile.client > sample/Dockerfile
+docker build -t ${ORG}/${PROJECT}/aaf_agent:${VERSION} sample
+
+# Clean up
rm sample/Dockerfile sample/bin/aaf-cadi-aaf-${VERSION}-full.jar
cd -
+########
# Second, build a core Docker Image
echo Building aaf_$AAF_COMPONENT...
# Apply currrent Properties to Docker file, and put in place.
AAF_COMPONENTS=$1
fi
+docker image rm $ORG/$PROJECT/aaf_agent:${VERSION}
docker image rm $ORG/$PROJECT/aaf_config:${VERSION}
docker image rm $ORG/$PROJECT/aaf_core:${VERSION}
--- /dev/null
+#!/bin/bash
+# This script is run when starting aaf_config Container.
+# It needs to cover the cases where the initial data doesn't exist, and when it has already been configured (don't overwrite)
+#
+JAVA=/usr/bin/java
+AAF_INTERFACE_VERSION=2.1
+
+# Extract Name, Domain and NS from FQI
+FQIA=($(echo ${APP_FQI} | tr '@' '\n'))
+FQI_SHORT=${FQIA[0]}
+FQI_DOMAIN=${FQIA[1]}
+# Reverse DOMAIN for NS
+FQIA_E=($(echo ${FQI_DOMAIN} | tr '.' '\n'))
+for (( i=( ${#FQIA_E[@]} -1 ); i>0; i-- )); do
+ NS=${NS}${FQIA_E[i]}'.'
+done
+NS=${NS}${FQIA_E[0]}
+
+
+# Setup SSO info for Deploy ID
+function sso_encrypt() {
+ $JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.CmdLine digest ${1} ~/.aaf/keyfile
+}
+
+if [ ! -e " ~/.aaf/keyfile" ]; then
+ mkdir -p ~/.aaf
+ SSO=~/.aaf/sso.props
+ $JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.CmdLine keygen ~/.aaf/keyfile
+ chmod 400 ~/.aaf/keyfile
+ echo cadi_latitude=${LATITUDE} > ${SSO}
+ echo cadi_longitude=${LONGITUDE} >> ${SSO}
+ echo aaf_id=${DEPLOY_FQI} >> ${SSO}
+ if [ ! "${DEPLOY_PASSWORD}" = "" ]; then
+ echo aaf_password=enc:$(sso_encrypt ${DEPLOY_PASSWORD}) >> ${SSO}
+ fi
+ echo aaf_locate_url=https://${AAF_FQDN}:8095 >> ${SSO}
+ echo aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:${AAF_INTERFACE_VERSION} >> ${SSO}
+ echo cadi_truststore=$(ls /opt/app/aaf_config/public/*trust*) >> ${SSO}
+ echo cadi_truststore_password=enc:$(sso_encrypt changeit) >> ${SSO}
+fi
+
+# Only initialize once, automatically...
+if [ ! -e /opt/app/osaaf/local/${NS}.props ]; then
+ for D in bin logs; do
+ rsync -avzh --exclude=.gitignore /opt/app/aaf_config/$D/* /opt/app/osaaf/$D
+ done
+
+ # setup Configs
+ $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar config $APP_FQI \
+ cadi_etc_dir=/opt/app/osaaf/local
+
+ # Place Certificates
+ $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar place ${APP_FQI} ${APP_FQDN}
+
+ # Validate
+ $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate \
+ cadi_prop_files=/opt/app/osaaf/local/${NS}.props
+fi
+
+# Now run a command
+CMD=$2
+if [ ! "$CMD" = "" ]; then
+ shift
+ shift
+ case "$CMD" in
+ ls)
+ echo ls requested
+ find /opt/app/osaaf -depth
+ ;;
+ cat)
+ if [ "$1" = "" ]; then
+ echo "usage: cat <file... ONLY files ending in .props>"
+ else
+ if [[ $1 == *.props ]]; then
+ echo
+ echo "## CONTENTS OF $3"
+ echo
+ cat "$1"
+ else
+ echo "### ERROR ####"
+ echo " \"cat\" may only be used with files ending with \".props\""
+ fi
+ fi
+ ;;
+ update)
+ for D in bin logs; do
+ rsync -uh --exclude=.gitignore /opt/app/aaf_config/$D/* /opt/app/osaaf/$D
+ done
+ ;;
+ validate)
+ echo "## validate requested"
+ $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate cadi_prop_files=/opt/app/osaaf/local/${NS}.props
+ ;;
+ bash)
+ if [ ! -e ~/.bash_aliases ]; then
+ echo "alias cadi='$JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.CmdLine \$*'" >~/.bash_aliases
+ echo "alias agent='$JAVA -cp /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar org.onap.aaf.cadi.configure.Agent \$*'" >>~/.bash_aliases
+ fi
+ shift
+ cd /opt/app/osaaf/local || exit
+ /bin/bash "$@"
+ ;;
+ setProp)
+ cd /opt/app/osaaf/local || exit
+ FILES=$(grep -l "$1" ./*.props)
+ if [ "$FILES" = "" ]; then
+ FILES="$3"
+ ADD=Y
+ fi
+ for F in $FILES; do
+ echo "Changing $1 in $F"
+ if [ "$ADD" = "Y" ]; then
+ echo $2 >> $F
+ else
+ sed -i.backup -e "s/\\(${1}.*=\\).*/\\1${2}/" $F
+ fi
+ cat $F
+ done
+ ;;
+ encrypt)
+ cd /opt/app/osaaf/local || exit
+ echo $1
+ FILES=$(grep -l "$1" ./*.props)
+ if [ "$FILES" = "" ]; then
+ FILES=/opt/app/osaaf/local/${NS}.cred.props
+ ADD=Y
+ fi
+ for F in $FILES; do
+ echo "Changing $1 in $F"
+ if [ "$2" = "" ]; then
+ read -r -p "Password (leave blank to cancel): " -s ORIG_PW
+ echo " "
+ if [ "$ORIG_PW" = "" ]; then
+ echo canceling...
+ break
+ fi
+ else
+ ORIG_PW="$2"
+ fi
+ PWD=$("$JAVA" -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar cadi digest "$ORIG_PW" /opt/app/osaaf/local/${NS}.keyfile)
+ if [ "$ADD" = "Y" ]; then
+ echo "$1=enc:$PWD" >> $F
+ else
+ sed -i.backup -e "s/\\($1.*enc:\\).*/\\1$PWD/" $F
+ fi
+ cat $F
+ done
+ ;;
+ taillog)
+ sh /opt/app/osaaf/logs/taillog
+ ;;
+ --help | -?)
+ case "$1" in
+ "")
+ echo "--- Agent Container Comands ---"
+ echo " ls - Lists all files in Configuration"
+ echo " cat <file.props>> - Shows the contents (Prop files only)"
+ echo " validate - Runs a test using Configuration"
+ echo " setProp <tag> [<value>] - set value on 'tag' (if no value, it will be queried from config)"
+ echo " encrypt <tag> [<pass>] - set passwords on Configuration (if no pass, it will be queried)"
+ echo " bash - run bash in Container"
+ echo " Note: the following aliases are preset"
+ echo " cadi - CADI CmdLine tool"
+ echo " agent - Agent Java tool (see above help)"
+ echo ""
+ echo " --help|-? [cadi|agent] - This help, cadi help or agent help"
+ ;;
+ cadi)
+ echo "--- cadi Tool Comands ---"
+ $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar cadi | tail -n +6
+ ;;
+ agent)
+ echo "--- agent Tool Comands ---"
+ $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar
+ ;;
+ esac
+ echo ""
+ ;;
+ *)
+ $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar "$CMD" "$@"
+ ;;
+ esac
+fi
iretired|Ira Lee M. Retired|Ira|Retired|314-123-1238|clarice.d.contractor@osaaf.com|n|mmanager
osaaf|ID of AAF|osaaf|AAF Application|||a|bdevl
# ONAP default Users
-demo|PORTAL DEMO|PORTAL|DEMO|||e|mmanager
-jh0003|PORTAL ADMIN|PORTAL|ADMIN|||e|mmanager
-cs0008|PORTAL DESIGNER|PORTAL|DESIGNER|||e|mmanager
-jm0007|PORTAL TESTER|PORTAL|TESTER|||e|mmanager
-op0001|PORTAL OPS|PORTAL|OPS|||e|mmanager
-gv0001|PORTAL GOVERNOR|PORTAL|GOVERNOR|||e|mmanager
-
-
+aaf_admin|AAF Administrator|Mr AAF|AAF Admin|||e|mmanager
+deploy|Deployer|Deployer|Depoyer|||e|aaf_admin
+demo|PORTAL DEMO|PORTAL|DEMO|||e|aaf
+jh0003|PORTAL ADMIN|PORTAL|ADMIN|||e|aaf
+cs0008|PORTAL DESIGNER|PORTAL|DESIGNER|||e|aaf
+jm0007|PORTAL TESTER|PORTAL|TESTER|||e|aaf
+op0001|PORTAL OPS|PORTAL|OPS|||e|aaf
+gv0001|PORTAL GOVERNOR|PORTAL|GOVERNOR|||e|aaf
+# ONAP App IDs
+aaf|AAF Application|AAF|Application|||a|aaf_admin
+aaf-sms|AAF SMS Application|AAF SMS|Application|||a|aaf_admin
+clamp|ONAP CLAMP Application|CLAMP|Application|||a|aaf_admin
+aai|ONAP AAI Application|AAI|ONAP Application|||a|aaf_admin
+appc|ONAP APPC Application|APPC|ONAP Application|||a|aaf_admin
+dcae|ONAP DCAE Application|CLAMP|ONAP Application|||a|aaf_admin
+dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||_admina|aaf
+dmaap-mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|||a|aaf_admin
+oof|ONAP OOF Application|OOF|ONAP Application|||a|aaf_admin
+sdnc|ONAP SDNC Application|SDNC|ONAP Application|||a|aaf_admin
ccontra|Clarice D. Contractor|Clarice|Contractor|314-123-1237|clarice.d.contractor@people.osaaf.com|c|mmanager
iretired|Ira Lee M. Retired|Ira|Retired|314-123-1238|clarice.d.contractor@people.osaaf.com|n|mmanager
# ONAP default Users
+aaf_admin|AAF Administrator|Mr AAF|AAF Admin|||e|mmanager
+deploy|Deployer|Deployer|Depoyer|||e|aaf_admin
demo|PORTAL DEMO|PORTAL|DEMO|||e|aaf
jh0003|PORTAL ADMIN|PORTAL|ADMIN|||e|aaf
cs0008|PORTAL DESIGNER|PORTAL|DESIGNER|||e|aaf
op0001|PORTAL OPS|PORTAL|OPS|||e|aaf
gv0001|PORTAL GOVERNOR|PORTAL|GOVERNOR|||e|aaf
# ONAP App IDs
-aaf|AAF Application|AAF|Application|||a|bdevl
-aaf-sms|AAF SMS Application|AAF SMS|Application|||a|aaf
-clamp|ONAP CLAMP Application|CLAMP|Application|||a|aaf
-aai|ONAP AAI Application|AAI|ONAP Application|||a|aaf
-appc|ONAP APPC Application|APPC|ONAP Application|||a|aaf
-dcae|ONAP DCAE Application|CLAMP|ONAP Application|||a|aaf
-dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||a|aaf
-dmaap-mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|||a|aaf
-oof|ONAP OOF Application|OOF|ONAP Application|||a|aaf
-sdnc|ONAP SDNC Application|SDNC|ONAP Application|||a|aaf
-
-
+aaf|AAF Application|AAF|Application|||a|aaf_admin
+aaf-sms|AAF SMS Application|AAF SMS|Application|||a|aaf_admin
+clamp|ONAP CLAMP Application|CLAMP|Application|||a|aaf_admin
+aai|ONAP AAI Application|AAI|ONAP Application|||a|aaf_admin
+appc|ONAP APPC Application|APPC|ONAP Application|||a|aaf_admin
+dcae|ONAP DCAE Application|CLAMP|ONAP Application|||a|aaf_admin
+dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|||_admina|aaf
+dmaap-mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|||a|aaf_admin
+oof|ONAP OOF Application|OOF|ONAP Application|||a|aaf_admin
+sdnc|ONAP SDNC Application|SDNC|ONAP Application|||a|aaf_admin
## AAF Certificate Manager properties
## Note: Link to CA Properties in "local" dir
##
-cadi_prop_files=/opt/app/osaaf/local/org.osaaf.aaf.props:/opt/app/osaaf/etc/org.osaaf.aaf.log4j.props:/opt/app/osaaf/local/org.osaaf.aaf.cassandra.props:/opt/app/osaaf/local/org.osaaf.aaf.cm.ca.props
-aaf_component=AAF_NS.cm:2.1.0.0
+cadi_prop_files=/opt/app/osaaf/local/org.osaaf.aaf.props:/opt/app/osaaf/etc/org.osaaf.aaf.log4j.props:/opt/app/osaaf/local/org.osaaf.aaf.cassandra.props:/opt/app/osaaf/etc/org.osaaf.aaf.orgs.props:/opt/app/osaaf/local/org.osaaf.aaf.cm.ca.props
+aaf_component=AAF_NS.cm:2.1.2
port=8150
#Certman
## AAF Fileserver Properties
##
cadi_prop_files=/opt/app/osaaf/local/org.osaaf.aaf.props:/opt/app/osaaf/etc/org.osaaf.aaf.log4j.props
-aaf_component=AAF_NS.fs:2.1.0.0
+aaf_component=AAF_NS.fs:2.1.2
port=8096
aaf_public_dir=/opt/app/osaaf/public
## AAF GUI Properties
##
cadi_prop_files=/opt/app/osaaf/local/org.osaaf.aaf.props:/opt/app/osaaf/etc/org.osaaf.aaf.log4j.props:/opt/app/osaaf/etc/org.osaaf.aaf.orgs.props
-aaf_component=AAF_NS.gui:2.1.0.0
+aaf_component=AAF_NS.gui:2.1.2
port=8200
aaf_gui_title=AAF
## AAF Hello Properties
##
cadi_prop_files=/opt/app/osaaf/local/org.osaaf.aaf.props:/opt/app/osaaf/etc/org.osaaf.aaf.log4j.props
-aaf_component=AAF_NS.hello:2.1.0.0
+aaf_component=AAF_NS.hello:2.1.2
port=8130
## org.osaaf.aaf.locate
## AAF Locator Properties
##
-cadi_prop_files=/opt/app/osaaf/local/org.osaaf.aaf.props:/opt/app/osaaf/etc/org.osaaf.aaf.log4j.props:/opt/app/osaaf/local/org.osaaf.aaf.cassandra.props
-aaf_component=AAF_NS.locator:2.1.0.0
+cadi_prop_files=/opt/app/osaaf/local/org.osaaf.aaf.props:/opt/app/osaaf/etc/org.osaaf.aaf.log4j.props:/opts/app/osaaf/etc/org.osaaf.aaf.orgs.props:/opt/app/osaaf/local/org.osaaf.aaf.cassandra.props
+aaf_component=AAF_NS.locator:2.1.2
port=8095
## AAF OAuth2 Properties
##
cadi_prop_files=/opt/app/osaaf/local/org.osaaf.aaf.props:/opt/app/osaaf/etc/org.osaaf.aaf.log4j.props:/opt/app/osaaf/local/org.osaaf.aaf.cassandra.props
-aaf_component=AAF_NS.oauth:2.1.0.0
+aaf_component=AAF_NS.oauth:2.1.2
port=8140
## AAF Service Properties
##
cadi_prop_files=/opt/app/osaaf/local/org.osaaf.aaf.props:/opt/app/osaaf/etc/org.osaaf.aaf.log4j.props:/opt/app/osaaf/local/org.osaaf.aaf.cassandra.props:/opt/app/osaaf/etc/org.osaaf.aaf.orgs.props
-aaf_component=AAF_NS.service:2.1.0.0
+aaf_component=AAF_NS.service:2.1.2
port=8100
#
# Controlling NS
aaf_root_ns=org.osaaf.aaf
-aaf_trust_perm=org.osaaf.aaf|org.onap|trust
+aaf_trust_perm=org.osaaf.aaf.appid|org|trust
# Domains and Realms
aaf_domain_support=.com:.org
# Other
aaf_data_dir=/opt/app/osaaf/data
+cadi_token_dir=/opt/app/osaaf/tokens
-aaf_locate_url=https://aaf-onap-test.osaaf.org:8095\r
+aaf_locate_url=https://meriadoc.mithril.sbc.com:8095\r
aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect\r
aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.1/token\r
aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.1\r
+#!/bin/bash
cd /opt/app/osaaf/logs
-tail -f `find . -name *service*.log -ctime 0`
+tail -f `find ./$1 -name *service*.log -ctime 0`
import java.util.List;
import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.misc.env.util.Split;
/**
* A Class that understands the AAF format of Permission (name/type/action)
*/
public class AAFPermission implements Permission {
private static final List<String> NO_ROLES;
- protected String type,instance,action,key;
+ protected String ns,type,instance,action,key;
private List<String> roles;
static {
protected AAFPermission() {roles=NO_ROLES;}
- public AAFPermission(String type, String instance, String action) {
- this.type = type;
+ public AAFPermission(String ns, String name, String instance, String action) {
+ this.ns = ns;
+ type = name;
this.instance = instance;
this.action = action;
- key = type + '|' + instance + '|' + action;
+ key = ns + '|' + type + '|' + instance + '|' + action;
this.roles = NO_ROLES;
}
- public AAFPermission(String type, String instance, String action, List<String> roles) {
- this.type = type;
+
+ public AAFPermission(String ns, String name, String instance, String action, List<String> roles) {
+ this.ns = ns;
+ type = name;
this.instance = instance;
this.action = action;
- key = type + '|' + instance + '|' + action;
+ key = ns + '|' + type + '|' + instance + '|' + action;
this.roles = roles==null?NO_ROLES:roles;
}
* If you want a simple field comparison, it is faster without REGEX
*/
public boolean match(Permission p) {
+ String aafNS;
String aafType;
String aafInstance;
String aafAction;
// Note: In AAF > 1.0, Accepting "*" from name would violate multi-tenancy
// Current solution is only allow direct match on Type.
// 8/28/2014 Jonathan - added REGEX ability
- aafType = ap.getName();
+ aafNS = ap.getNS();
+ aafType = ap.getType();
aafInstance = ap.getInstance();
aafAction = ap.getAction();
} else {
- // Permission is concatenated together: separated by |
- String[] aaf = p.getKey().split("[\\s]*\\|[\\s]*",3);
- aafType = aaf[0];
- aafInstance = (aaf.length > 1) ? aaf[1] : "*";
- aafAction = (aaf.length > 2) ? aaf[2] : "*";
+ // Permission is concatenated together: separated by
+ String[] aaf = Split.splitTrim('|', p.getKey());
+ switch(aaf.length) {
+ case 1:
+ aafNS = aaf[0];
+ aafType="";
+ aafInstance = aafAction = "*";
+ break;
+ case 2:
+ aafNS = aaf[0];
+ aafType = aaf[1];
+ aafInstance = aafAction = "*";
+ break;
+ case 3:
+ aafNS = aaf[0];
+ aafType = aaf[1];
+ aafInstance = aaf[2];
+ aafAction = "*";
+ break;
+ default:
+ aafNS = aaf[0];
+ aafType = aaf[1];
+ aafInstance = aaf[2];
+ aafAction = aaf[3];
+ break;
+ }
+ }
+ boolean typeMatches;
+ if(aafNS.length() == ns.length()) {
+ typeMatches = aafNS.equals(ns) && aafType.equals(type);
+ } else { // Allow for restructuring of NS/Perm structure
+ typeMatches = (aafNS+'.'+aafType).equals(ns+'.'+type);
}
- return ((type.equals(aafType)) &&
- (PermEval.evalInstance(instance, aafInstance)) &&
- (PermEval.evalAction(action, aafAction)));
+ return (typeMatches &&
+ PermEval.evalInstance(instance, aafInstance) &&
+ PermEval.evalAction(action, aafAction));
+ }
+
+ public String getNS() {
+ return ns;
}
- public String getName() {
+ public String getType() {
return type;
}
+
+ public String getFullType() {
+ return ns + '.' + type;
+ }
public String getInstance() {
return instance;
return roles;
}
public String toString() {
- return "AAFPermission:\n\tType: " + type +
+ return "AAFPermission:" +
+ "\n\tNS: " + ns +
+ "\n\tType: " + type +
"\n\tInstance: " + instance +
"\n\tAction: " + action +
"\n\tKey: " + key;
--- /dev/null
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.aaf;
+
+public interface Defaults {
+ public static String AAF_VERSION = "2.1";
+ public static String AAF_NS = "AAF_NS";
+ public static String AAF_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".service:" + AAF_VERSION;
+ public static String GUI_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".gui:" + AAF_VERSION;
+ public static String CM_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".cm:" + AAF_VERSION;
+ public static String FS_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".fs:" + AAF_VERSION;
+ public static String HELLO_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".hello:" + AAF_VERSION;
+ public static String OAUTH2_TOKEN_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".token:" + AAF_VERSION;
+ public static String OAUTH2_INTROSPECT_URL = "https://AAF_LOCATE_URL/" + AAF_NS + ".introspect:" + AAF_VERSION;
+}
List<SecuritySetter<HttpURLConnection>> lss = loadSetters(access,si);
/////////
print(true,"Test Connections driven by AAFLocator");
- URI serviceURI = new URI(aaflocate+"/locate/AAF_NS.service:2.0");
+ URI serviceURI = new URI(Defaults.AAF_URL);
for(URI uri : new URI[] {
serviceURI,
- new URI(aaflocate+"/locate/AAF_NS.service:2.0"),
- new URI(aaflocate+"/locate/AAF_NS.locate:2.0"),
- new URI(aaflocate+"/locate/AAF_NS.token:2.0"),
- new URI(aaflocate+"/locate/AAF_NS.certman:2.0"),
- new URI(aaflocate+"/locate/AAF_NS.hello")
+ new URI(Defaults.OAUTH2_TOKEN_URL),
+ new URI(Defaults.OAUTH2_INTROSPECT_URL),
+ new URI(Defaults.CM_URL),
+ new URI(Defaults.GUI_URL),
+ new URI(Defaults.FS_URL),
+ new URI(Defaults.HELLO_URL)
}) {
Locator<URI> locator = new AAFLocator(si, uri);
try {
permTest(locator,ss);
}
- /////////
- // Removed for ONAP
-// print(true,"Test Proxy Access driven by AAFLocator");
-// locator = new AAFLocator(si, new URI(aaflocate+"/AAF_NS.gw:2.0/proxy"));
-// for(SecuritySetter<HttpURLConnection> ss : lss) {
-// permTest(locator,ss);
-// }
-
//////////
print(true,"Test essential BasicAuth Service call, driven by AAFLocator");
for(SecuritySetter<HttpURLConnection> ss : lss) {
String tokenURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL);
String locateURL=access.getProperty(Config.AAF_LOCATE_URL);
if(tokenURL==null || (tokenURL.contains("/locate/") && locateURL!=null)) {
- tokenURL=locateURL+"/locate/AAF_NS.token:2.0/token";
+ tokenURL=Defaults.OAUTH2_TOKEN_URL+"/token";
}
try {
Map<String, Permission> newMap = user.newMap();
boolean willLog = aaf.access.willLog(Level.DEBUG);
for(Perm perm : fp.value.getPerm()) {
- user.add(newMap,new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles()));
+ user.add(newMap,new AAFPermission(perm.getNs(),perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles()));
if(willLog) {
aaf.access.log(Level.DEBUG, name,"has '",perm.getType(),'|',perm.getInstance(),'|',perm.getAction(),'\'');
}
Map<String,Permission> newMap = user.newMap();
boolean willLog = aaf.access.willLog(Level.DEBUG);
for(Perm perm : fp.value.getPerm()) {
- user.add(newMap, new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles()));
+ user.add(newMap, new AAFPermission(perm.getNs(),perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles()));
if(willLog) {
aaf.access.log(Level.DEBUG, name,"has",perm.getType(),perm.getInstance(),perm.getAction());
}
@Override
public Permission createPerm(String p) {
String[] params = Split.split('|', p);
- if(params.length==3) {
- return new AAFPermission(params[0],params[1],params[2]);
- } else {
- return new LocalPermission(p);
+ switch(params.length) {
+ case 3:
+ return new AAFPermission(null,params[0],params[1],params[2]);
+ case 4:
+ return new AAFPermission(params[0],params[1],params[2],params[3]);
+ default:
+ return new LocalPermission(p);
}
}
AAFPermission temp=null;
if(str!=null) {
String[] sp = Split.splitTrim('|', str);
- if(sp.length==3) {
- temp = new AAFPermission(sp[0],sp[1],sp[2]);
+ switch(sp.length) {
+ case 3:
+ temp = new AAFPermission(null,sp[0],sp[1],sp[2]);
+ break;
+ case 4:
+ temp = new AAFPermission(sp[0],sp[1],sp[2],sp[3]);
+ break;
}
}
perm=temp;
AAFPermission temp=null;
if(str!=null) {
String[] sp = Split.splitTrim('|', str);
- if(sp.length==3) {
- temp = new AAFPermission(sp[0],sp[1],sp[2]);
+ switch(sp.length) {
+ case 3:
+ temp = new AAFPermission(null,sp[0],sp[1],sp[2]);
+ break;
+ case 4:
+ temp = new AAFPermission(sp[0],sp[1],sp[2],sp[3]);
+ break;
}
}
perm=temp;
import org.onap.aaf.cadi.Access;
import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.aaf.Defaults;
import org.onap.aaf.cadi.Locator;
import org.onap.aaf.cadi.LocatorException;
import org.onap.aaf.cadi.config.Config;
latitude = Double.parseDouble(lat);
longitude = Double.parseDouble(lng);
}
+ if(name.startsWith(Defaults.AAF_NS)) {
+ String root_ns = access.getProperty(Config.AAF_ROOT_NS, null);
+ if(root_ns!=null) {
+ name=name.replace(Defaults.AAF_NS, root_ns);
+ }
+ }
if(name.startsWith("http")) { // simple URL
this.name = name;
this.version = Config.AAF_DEFAULT_VERSION;
@Override
public Item best() throws LocatorException {
if(!hasItems()) {
- throw new LocatorException("No Entries found" + (pathInfo==null?"":(" for " + pathInfo)));
+ throw new LocatorException("No Entries found for '" + aaf_locator_uri.toString() + "/locate/" + name + ':' + version + '\'');
}
List<EP> lep = new ArrayList<>();
EP first = null;
protected abstract boolean isCorrectPermType(Permission pond);
// This is where you build AAF CLient Code. Answer the question "Is principal "bait" in the "pond"
- public boolean fish(Principal bait, Permission pond) {
+ public boolean fish(Principal bait, Permission ... pond) {
if(preemptiveLur!=null && preemptiveLur.handles(bait)) {
return preemptiveLur.fish(bait, pond);
} else {
user = loadUser(bait);
sb.append("\n\tloadUser called");
}
- if(user==null) {
- sb.append("\n\tUser was not Loaded");
- } else if(user.contains(pond)) {
- sb.append("\n\tUser contains ");
- sb.append(pond.getKey());
- rv = true;
- } else {
- sb.append("\n\tUser does not contain ");
- sb.append(pond.getKey());
- List<Permission> perms = new ArrayList<>();
- user.copyPermsTo(perms);
- for(Permission p : perms) {
- sb.append("\n\t\t");
+ for (Permission p : pond) {
+ if(user==null) {
+ sb.append("\n\tUser was not Loaded");
+ break;
+ } else if(user.contains(p)) {
+ sb.append("\n\tUser contains ");
+ sb.append(p.getKey());
+ rv = true;
+ } else {
+ sb.append("\n\tUser does not contain ");
sb.append(p.getKey());
+ List<Permission> perms = new ArrayList<>();
+ user.copyPermsTo(perms);
+ for(Permission perm : perms) {
+ sb.append("\n\t\t");
+ sb.append(perm.getKey());
+ }
}
}
} else {
aaf.access.log(Level.INFO, sb);
return rv;
} else {
+ boolean rv = false;
if(handles(bait)) {
User<PERM> user = getUser(bait);
if(user==null || user.permsUnloaded() || user.permExpired()) {
user = loadUser(bait);
}
- return user==null?false:user.contains(pond);
+ if(user==null) {
+ return false;
+ } else {
+ for(Permission p : pond) {
+ if(rv=user.contains(p)) {
+ break;
+ }
+ }
+ }
}
- return false;
+ return rv;
}
}
}
import org.onap.aaf.cadi.LocatorException;
import org.onap.aaf.cadi.PropAccess;
import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.aaf.Defaults;
import org.onap.aaf.cadi.aaf.client.ErrMessage;
import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
AAFSSO aafsso=null;
PropAccess access;
- if(args.length>0 && args[0].equals("validate")) {
+ if(args.length>1 && args[0].equals("validate")) {
int idx = args[1].indexOf('=');
aafsso = null;
access = new PropAccess(
}
private static void createArtifact(Trans trans, AAFCon<?> aafcon, Deque<String> cmds) throws Exception {
- String mechID = fqi(cmds);
- String machine = machine(cmds);
+ final String mechID = fqi(cmds);
+ final String machine = machine(cmds);
Artifacts artifacts = new Artifacts();
Artifact arti = new Artifact();
directedPut(pa, filesymm, normal,creds, Config.CADI_KEYFILE, fkf.getCanonicalPath());
directedPut(pa, filesymm, normal,creds, Config.AAF_APPID,fqi);
directedPut(pa, filesymm, normal,creds, Config.AAF_APPPASS,null);
+ directedPut(pa, filesymm, normal,creds, Config.AAF_URL, Defaults.AAF_URL);
String cts = pa.getProperty(Config.CADI_TRUSTSTORE);
if(tag.endsWith("_password")) {
if(val.length()>4) {
if(val.startsWith("enc:")) {
- val = orig.decrypt(value, true);
+ val = orig.decrypt(val, true);
}
val = "enc:" + symm.enpass(val);
}
@Override
public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
- File fks = new File(dir,arti.getNs()+'.'+kst);
+ File fks = new File(dir,arti.getNs()+'.'+(kst=="pkcs12"?"p12":kst));
try {
KeyStore jks = KeyStore.getInstance(kst);
if(fks.exists()) {
write(fks,Chmod.to400,jks,keystorePassArray);
// Change out to TrustStore
- fks = new File(dir,arti.getNs()+".trust."+kst);
+ // NOTE: PKCS12 does NOT support Trusted Entries. Put in JKS Always
+ fks = new File(dir,arti.getNs()+".trust.jks");
if(fks.exists()) {
File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
fks.renameTo(backup);
}
- jks = KeyStore.getInstance(kst);
+ jks = KeyStore.getInstance("jks");
// Set Truststore Password
addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
@Override
public Permission createPerm(String p) {
String[] params = Split.split('|', p);
- if(params.length==3) {
- return new AAFPermission(params[0],params[1],params[2]);
- } else {
- return new LocalPermission(p);
+ switch(params.length) {
+ case 3:
+ return new AAFPermission(null,params[0],params[1],params[2]);
+ case 4:
+ return new AAFPermission(params[0],params[1],params[2],params[3]);
+ default:
+ return new LocalPermission(p);
}
}
@Override
- public boolean fish(Principal bait, Permission pond) {
- AAFPermission apond = (AAFPermission)pond;
- OAuth2Principal oap;
+ public boolean fish(Principal bait, Permission ... pond) {
+ boolean rv = false;
+
if(bait instanceof OAuth2Principal) {
- oap = (OAuth2Principal)bait;
- } else {
- // Here is the spot to put in Principal Conversions
- return false;
- }
-
- TokenPerm tp = oap.tokenPerm();
- if(tp==null) {
- } else {
- for(Permission p : tp.perms()) {
- if(p.match(apond)) {
- return true;
+ OAuth2Principal oap = (OAuth2Principal)bait;
+ for (Permission p : pond ) {
+ AAFPermission apond = (AAFPermission)p;
+
+ TokenPerm tp = oap.tokenPerm();
+ if(tp==null) {
+ } else {
+ for(Permission perm : tp.perms()) {
+ if(perm.match(apond)) {
+ return true;
+ }
+ }
}
}
}
- return false;
+ return rv;
}
@Override
}
@Override
- public boolean handlesExclusively(Permission pond) {
+ public boolean handlesExclusively(Permission ... pond) {
return false;
}
throw new APIException("Error Decrypting Password",e);
}
}
+
+ if(username!=null) {
+ params.add("username="+username);
+ }
+
break;
case refresh_token:
if(client_id!=null) {
import org.onap.aaf.cadi.Locator;
import org.onap.aaf.cadi.LocatorException;
import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.aaf.Defaults;
import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
import org.onap.aaf.cadi.aaf.v2_0.AAFLocator;
import org.onap.aaf.cadi.config.Config;
super(pa, new RosettaEnv(pa.getProperties()),Token.class,"outgoing");
if(access.getProperty(Config.AAF_OAUTH2_TOKEN_URL,null)==null) {
- access.getProperties().put(Config.AAF_OAUTH2_TOKEN_URL, "https://AAF_LOCATE_URL/AAF_NS.token:2.0"); // Default to AAF
+ access.getProperties().put(Config.AAF_OAUTH2_TOKEN_URL, Defaults.OAUTH2_TOKEN_URL); // Default to AAF
}
if(access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL,null)==null) {
- access.getProperties().put(Config.AAF_OAUTH2_INTROSPECT_URL, "https://AAF_LOCATE_URL/AAF_NS.introspect:2.0"); // Default to AAF);
+ access.getProperties().put(Config.AAF_OAUTH2_INTROSPECT_URL, Defaults.OAUTH2_INTROSPECT_URL); // Default to AAF);
}
symm = Symm.encrypt.obtain();
// Gathering object for parsing objects, then creating AAF Permission
private static class PermInfo {
- public String type,instance,action;
+ public String ns,type,instance,action;
public void clear() {
- type=instance=action=null;
+ ns=type=instance=action=null;
}
public void eval(Parsed<State> pd) {
if(pd.hasName()) {
switch(pd.name) {
+ case "ns":
+ ns=pd.sb.toString();
+ break;
case "type":
type=pd.sb.toString();
break;
}
public AAFPermission create() {
if(type!=null && instance!=null && action !=null) {
- return new AAFPermission(type, instance, action);
+ return new AAFPermission(ns,type, instance, action);
} else {
return null;
}
package org.onap.aaf.cadi.olur;
import java.security.Principal;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
+import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.LocatorException;
import org.onap.aaf.cadi.Lur;
import org.onap.aaf.cadi.Permission;
import org.onap.aaf.cadi.PropAccess;
-import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.aaf.AAFPermission;
import org.onap.aaf.cadi.client.Result;
+import org.onap.aaf.cadi.lur.LocalPermission;
import org.onap.aaf.cadi.oauth.AbsOTafLur;
import org.onap.aaf.cadi.oauth.OAuth2Principal;
import org.onap.aaf.cadi.oauth.TimedToken;
import org.onap.aaf.cadi.oauth.TokenPerm;
import org.onap.aaf.cadi.principal.Kind;
import org.onap.aaf.misc.env.APIException;
-import org.onap.aaf.misc.env.util.Split;
import org.onap.aaf.misc.env.util.Pool.Pooled;
+import org.onap.aaf.misc.env.util.Split;
public class OLur extends AbsOTafLur implements Lur {
public OLur(PropAccess access, final String token_url, final String introspect_url) throws APIException, CadiException {
* @see org.onap.aaf.cadi.Lur#fish(java.security.Principal, org.onap.aaf.cadi.Permission)
*/
@Override
- public boolean fish(Principal bait, Permission pond) {
+ public boolean fish(Principal bait, Permission ... pond) {
TokenPerm tp;
if(bait instanceof OAuth2Principal) {
OAuth2Principal oa2p = (OAuth2Principal)bait;
try {
TokenClient tc = tcp.content;
tc.username(bait.getName());
- Result<TimedToken> rtt = tc.getToken(Kind.getKind(bait),tc.defaultScope());
+ Set<String> scopeSet = new HashSet<>();
+ scopeSet.add(tc.defaultScope());
+ AAFPermission ap;
+ for (Permission p : pond) {
+ ap = (AAFPermission)p;
+ scopeSet.add(ap.getNS());
+ }
+ String[] scopes = new String[scopeSet.size()];
+ scopeSet.toArray(scopes);
+
+ Result<TimedToken> rtt = tc.getToken(Kind.getKind(bait),scopes);
if(rtt.isOK()) {
Result<TokenPerm> rtp = tkMgr.get(rtt.value.getAccessToken(), bait.getName().getBytes());
if(rtp.isOK()) {
tcp.done();
}
} catch (APIException | LocatorException | CadiException e) {
- access.log(Level.ERROR, "Unable to Get a Token: " + e.getMessage());
+ access.log(e, "Unable to Get a Token");
}
}
+
+ boolean rv = false;
if(tp!=null) {
if(tkMgr.access.willLog(Level.DEBUG)) {
StringBuilder sb = new StringBuilder("AAF Permissions for user ");
sb.append(", from token ");
sb.append(tp.get().getAccessToken());
for (AAFPermission p : tp.perms()) {
- sb.append("\n\t");
- sb.append(p.getName());
+ sb.append("\n\t[");
+ sb.append(p.getNS());
+ sb.append(']');
+ sb.append(p.getType());
sb.append('|');
sb.append(p.getInstance());
sb.append('|');
sb.append('\n');
access.log(Level.DEBUG, sb);
}
- for (AAFPermission p : tp.perms()) {
- if (p.match(pond)) {
- return true;
+ for (Permission p : pond) {
+ if(rv) {
+ break;
+ }
+ for (AAFPermission perm : tp.perms()) {
+ if (rv=perm.match(p)) {
+ break;
+ }
}
}
}
- return false;
+ return rv;
}
/* (non-Javadoc)
* @see org.onap.aaf.cadi.Lur#handlesExclusively(org.onap.aaf.cadi.Permission)
*/
@Override
- public boolean handlesExclusively(Permission pond) {
+ public boolean handlesExclusively(Permission ... pond) {
return false;
}
@Override
public Permission createPerm(final String p) {
String[] s = Split.split('|',p);
- if(s!=null && s.length==3) {
- return new AAFPermission(s[0],s[1],s[2]);
- } else {
- return null;
+ switch(s.length) {
+ case 3:
+ return new AAFPermission(null, s[0],s[1],s[2]);
+ case 4:
+ return new AAFPermission(s[0],s[1],s[2],s[3]);
+ default:
+ return new LocalPermission(p);
}
}
import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.PropAccess;
import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.aaf.Defaults;
import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.cadi.util.MyConsole;
import org.onap.aaf.cadi.util.SubStandardConsole;
addProp(Config.AAF_LOCATE_URL, locateUrl);
}
- String aafUrl = "https://AAF_LOCATE_URL/AAF_NS.service:2.0";
- access.setProperty(Config.AAF_URL, aafUrl);
- access.setProperty(Config.CM_URL, "https://AAF_LOCATE_URL/AAF_NS.cm:2.0");
+ access.setProperty(Config.AAF_URL, Defaults.AAF_URL);
+ access.setProperty(Config.CM_URL, Defaults.CM_URL);
String cadiLatitude = access.getProperty(Config.CADI_LATITUDE);
if(cadiLatitude==null) {
System.out.println("# If you do not know your Global Coordinates, we suggest bing.com/maps");
import org.onap.aaf.cadi.aaf.AAFPermission;
public class JU_AAFPermission {
-
+ private final static String ns = "ns";
private final static String type = "type";
private final static String instance = "instance";
private final static String action = "action";
- private final static String key = type + '|' + instance + '|' + action;
+ private final static String key = ns + '|' + type + '|' + instance + '|' + action;
private final static String role = "role";
private static List<String> roles;
@Test
public void constructor1Test() {
- AAFPermission perm = new AAFPermission(type, instance, action);
- assertThat(perm.getName(), is(type));
+ AAFPermission perm = new AAFPermission(ns, type, instance, action);
+ assertThat(perm.getNS(), is(ns));
+ assertThat(perm.getType(), is(type));
assertThat(perm.getInstance(), is(instance));
assertThat(perm.getAction(), is(action));
assertThat(perm.getKey(), is(key));
assertThat(perm.permType(), is("AAF"));
assertThat(perm.roles().size(), is(0));
- assertThat(perm.toString(), is("AAFPermission:\n\tType: " + type +
+ assertThat(perm.toString(), is("AAFPermission:" +
+ "\n\tNS: " + ns +
+ "\n\tType: " + type +
"\n\tInstance: " + instance +
"\n\tAction: " + action +
"\n\tKey: " + key));
public void constructor2Test() {
AAFPermission perm;
- perm = new AAFPermission(type, instance, action, null);
- assertThat(perm.getName(), is(type));
+ perm = new AAFPermission(ns, type, instance, action, null);
+ assertThat(perm.getNS(), is(ns));
+ assertThat(perm.getType(), is(type));
assertThat(perm.getInstance(), is(instance));
assertThat(perm.getAction(), is(action));
assertThat(perm.getKey(), is(key));
assertThat(perm.permType(), is("AAF"));
assertThat(perm.roles().size(), is(0));
- assertThat(perm.toString(), is("AAFPermission:\n\tType: " + type +
+ assertThat(perm.toString(), is("AAFPermission:" +
+ "\n\tNS: " + ns +
+ "\n\tType: " + type +
"\n\tInstance: " + instance +
"\n\tAction: " + action +
"\n\tKey: " + key));
- perm = new AAFPermission(type, instance, action, roles);
- assertThat(perm.getName(), is(type));
+ perm = new AAFPermission(ns, type, instance, action, roles);
+ assertThat(perm.getNS(), is(ns));
+ assertThat(perm.getType(), is(type));
assertThat(perm.getInstance(), is(instance));
assertThat(perm.getAction(), is(action));
assertThat(perm.getKey(), is(key));
assertThat(perm.permType(), is("AAF"));
assertThat(perm.roles().size(), is(1));
assertThat(perm.roles().get(0), is(role));
- assertThat(perm.toString(), is("AAFPermission:\n\tType: " + type +
- "\n\tInstance: " + instance +
- "\n\tAction: " + action +
- "\n\tKey: " + key));
+ assertThat(perm.toString(), is("AAFPermission:" +
+ "\n\tNS: " + ns +
+ "\n\tType: " + type +
+ "\n\tInstance: " + instance +
+ "\n\tAction: " + action +
+ "\n\tKey: " + key));
}
@Test
public void matchTest() {
- final AAFPermission controlPermission = new AAFPermission(type, instance, action);
+ final AAFPermission controlPermission = new AAFPermission(ns,type, instance, action);
PermissionStub perm;
AAFPermission aafperm;
- aafperm = new AAFPermission(type, instance, action);
+ aafperm = new AAFPermission(ns, type, instance, action);
assertThat(controlPermission.match(aafperm), is(true));
perm = new PermissionStub(key);
@Test
public void coverageTest() {
AAFPermissionStub aafps = new AAFPermissionStub();
- assertThat(aafps.getName(), is(nullValue()));
+ assertThat(aafps.getNS(), is(nullValue()));
+ assertThat(aafps.getType(), is(nullValue()));
assertThat(aafps.getInstance(), is(nullValue()));
assertThat(aafps.getAction(), is(nullValue()));
assertThat(aafps.getKey(), is(nullValue()));
String json;
LoadPermissions lp;
Permission p;
-
+
json = "{\"perm\":[" +
- " {\"type\":\"com.access\",\"instance\":\"*\",\"action\":\"read,approve\"}," +
+ " {\"ns\":\"com\",\"type\":\"access\",\"instance\":\"*\",\"action\":\"read,approve\"}," +
"]}";
lp = new LoadPermissions(new StringReader(json));
assertThat(lp.perms.size(), is(1));
p = lp.perms.get(0);
- assertThat(p.getKey(), is("com.access|*|read,approve"));
+ assertThat(p.getKey(), is("com|access|*|read,approve"));
assertThat(p.permType(), is("AAF"));
// Extra closing braces for coverage
json = "{\"perm\":[" +
- " {\"type\":\"com.access\",\"instance\":\"*\",\"action\":\"read,approve\"}}," +
+ " {\"ns\":\"com\",\"type\":\"access\",\"instance\":\"*\",\"action\":\"read,approve\"}}," +
"]]}";
lp = new LoadPermissions(new StringReader(json));
assertThat(lp.perms.size(), is(1));
p = lp.perms.get(0);
- assertThat(p.getKey(), is("com.access|*|read,approve"));
+ assertThat(p.getKey(), is("com|access|*|read,approve"));
assertThat(p.permType(), is("AAF"));
// Test without a type
String permS = myAccess.getProperty("perm","org.osaaf.aaf.access|*|read");
String[] permA = Split.splitTrim('|', permS);
if(permA.length>2) {
- final Permission perm = new AAFPermission(permA[0],permA[1],permA[2]);
+ final Permission perm = new AAFPermission(null, permA[0],permA[1],permA[2]);
// See the CODE for Java Methods used
if(singleton().oneAuthorization(fqi, perm)) {
System.out.printf("Success: %s has %s\n",fqi.getName(),permS);
assertThat(pl.hasItems(), is(false));
assertThat(countItems(pl), is(0));
+ Thread.sleep(20L); // PL checks same milli...
pl.refresh();
assertThat(pl.hasItems(), is(true));
/**
* The default behavior of a LUR is to not handle something exclusively.
*/
- public boolean handlesExclusively(Permission pond) {
+ public boolean handlesExclusively(Permission ... pond) {
return false;
}
* @param principalName
* @return
*/
- public boolean fish(Principal bait, Permission pond);
+ public boolean fish(Principal bait, Permission ... pond);
/**
* Fish all the Principals out a Pond
* @param pond
* @return
*/
- public boolean handlesExclusively(Permission pond);
+ public boolean handlesExclusively(Permission ... pond);
/**
* Does the LUR support a particular kind of Principal
* @throws IOException
*/
public void enpass(final String password, final OutputStream os) throws IOException {
+ if(password==null) {
+ throw new IOException("Invalid password passed");
+ }
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
DataOutputStream dos = new DataOutputStream(baos);
byte[] bytes = password.getBytes();
public static final String OAUTH_CLIENT_SECRET="client_secret";
public static final String AAF_ENV = "aaf_env";
- public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration
public static final String AAF_ROOT_NS = "aaf_root_ns";
public static final String AAF_ROOT_NS_DEF = "org.osaaf.aaf";
public static final String AAF_ROOT_COMPANY = "aaf_root_company";
public static final String AAF_LOCATE_URL = "aaf_locate_url"; //URL for AAF locator
private static final String AAF_LOCATE_URL_TAG = "AAF_LOCATE_URL"; // Name of Above for use in Config Variables.
+ public static final String AAF_DEFAULT_VERSION = "2.1";
+ public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration
+ public static final String AAF_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.service:" + AAF_DEFAULT_VERSION;
+ public static final String GUI_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.gui:" + AAF_DEFAULT_VERSION;
+ public static final String CM_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.cm:" + AAF_DEFAULT_VERSION;
+ public static final String FS_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.fs:" + AAF_DEFAULT_VERSION;
+ public static final String HELLO_URL_DEF = "https://AAF_LOCATE_URL/AAF_NS.hello:" + AAF_DEFAULT_VERSION;
+ public static final String OAUTH2_TOKEN_URL = "https://AAF_LOCATE_URL/AAF_NS.token:" + AAF_DEFAULT_VERSION;
+ public static final String OAUTH2_INTROSPECT_URL = "https://AAF_LOCATE_URL/AAF_NS.introspect:" + AAF_DEFAULT_VERSION;
+
public static final String AAF_REGISTER_AS = "aaf_register_as";
public static final String AAF_APPID = "aaf_id";
public static final String AAF_APPPASS = "aaf_password";
public static final String AAF_COMPONENT = "aaf_component";
public static final String AAF_CERT_IDS = "aaf_cert_ids";
public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited
- public static final String AAF_DEFAULT_VERSION = "2.0";
public static final String AAF_DATA_DIR = "aaf_data_dir"; // AAF processes and Components only.
if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor");
}
- public boolean fish(Principal bait, Permission pond) {
+ public boolean fish(Principal bait, Permission ... pond) {
if(pond==null) {
return false;
}
}
// Never needed... Only EpiLur uses...
- public boolean handlesExclusively(Permission pond) {
+ public boolean handlesExclusively(Permission ... pond) {
return false;
}
}
// @Override
- public boolean fish(Principal bait, Permission pond) {
+ public boolean fish(Principal bait, Permission ... pond) {
if (pond == null) {
return false;
}
- if (handles(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
- User<LocalPermission> user = getUser(bait);
- if (user != null) {
- return user.contains((LocalPermission)pond);
+ for(Permission p : pond) {
+ if (handles(bait) && p instanceof LocalPermission) { // local Users only have LocalPermissions
+ User<LocalPermission> user = getUser(bait);
+ if (user != null) {
+ return user.contains((LocalPermission)p);
+ }
}
}
return false;
return principal.getName().endsWith(supportedRealm);
}
- public boolean handlesExclusively(Permission pond) {
- return supportingGroups.contains(pond.getKey());
+ @Override
+ public boolean handlesExclusively(Permission ... pond) {
+ boolean rv = false;
+ for (Permission p : pond) {
+ if(rv=supportingGroups.contains(p.getKey())) {
+ break;
+ }
+ }
+ return rv;
}
/* (non-Javadoc)
return false;
}};
- public boolean fish(Principal bait, Permission pond) {
+ public boolean fish(Principal bait, Permission ... pond) {
// Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own
// System.err.println("CADI's LUR has not been configured, but is still being called. Access is being denied");
return false;
public void destroy() {
}
- public boolean handlesExclusively(Permission pond) {
+ public boolean handlesExclusively(Permission ... pond) {
return false;
}
private class CredValStub implements Lur, CredVal {
@Override public boolean validate(String user, Type type, byte[] cred, Object state) { return false; }
@Override public Permission createPerm(String p) { return null; }
- @Override public boolean fish(Principal bait, Permission pond) { return false; }
+ @Override public boolean fish(Principal bait, Permission ... pond) { return false; }
@Override public void fishAll(Principal bait, List<Permission> permissions) { }
@Override public void destroy() { }
- @Override public boolean handlesExclusively(Permission pond) { return false; }
+ @Override public boolean handlesExclusively(Permission ... pond) { return false; }
@Override public boolean handles(Principal principal) { return false; }
@Override public void clear(Principal p, StringBuilder report) { }
}
class AbsUserCacheCLStub<PERM extends Permission> extends AbsUserCache<PERM> implements CachingLur<PERM> {
public AbsUserCacheCLStub(AbsUserCache<PERM> cache) { super(cache); }
@Override public Permission createPerm(String p) { return null; }
- @Override public boolean fish(Principal bait, Permission pond) { return false; }
+ @Override public boolean fish(Principal bait, Permission ... pond) { return false; }
@Override public void fishAll(Principal bait, List<Permission> permissions) { }
@Override public boolean handles(Principal principal) { return false; }
@Override public Resp reload(User<PERM> user) { return null; }
// Anonymous object for testing purposes
CachingLur<Permission> lur1 = new CachingLur<Permission>() {
@Override public Permission createPerm(String p) { return null; }
- @Override public boolean fish(Principal bait, Permission pond) { return true; }
+ @Override public boolean fish(Principal bait, Permission ... pond) { return true; }
@Override public void fishAll(Principal bait, List<Permission> permissions) { }
@Override public void destroy() { }
- @Override public boolean handlesExclusively(Permission pond) { return false; }
+ @Override public boolean handlesExclusively(Permission ... pond) { return false; }
@Override public boolean handles(Principal principal) { return false; }
@Override public void remove(String user) { }
@Override public Resp reload(User<Permission> user) { return null; }
import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.LocatorException;
import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.Defaults;
import org.onap.aaf.cadi.client.Future;
import org.onap.aaf.cadi.client.Rcli;
import org.onap.aaf.cadi.client.Result;
// Obtain Endpoints for OAuth2 from Properties. Expected is "cadi.properties" file, pointed to by "cadi_prop_files"
- String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL,
- "https://AAF_LOCATE_URL/AAF_NS.token:2.0"); // Default to AAF
- String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL,
- "https://AAF_LOCATE_URL/AAF_NS.introspect:2.0"); // Default to AAF);
+ String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL,Defaults.OAUTH2_TOKEN_URL); // Default to AAF
+ String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL,Defaults.OAUTH2_INTROSPECT_URL); // Default to AAF);
// Get Hello Service
- final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL,
- "https://AAF_LOCATE_URL/AAF_NS.hello:2.0");
+ final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL,Defaults.HELLO_URL);
final int CALL_TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CALL_TIMEOUT,Config.AAF_CALL_TIMEOUT_DEF));
import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.LocatorException;
import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.Defaults;
import org.onap.aaf.cadi.client.Future;
import org.onap.aaf.cadi.client.Rcli;
import org.onap.aaf.cadi.client.Result;
// Use this Token in your client calls with "Tokenized Client" (TzClient)
// These should NOT be used cross thread.
// Get Hello Service URL... roll your own in your own world.
- final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL,
- "https://AAF_LOCATE_URL/AAF_NS.hello:2.0");
+ final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL,Defaults.HELLO_URL);
TzClient helloClient = tcf.newTzClient(endServicesURL);
Code Review / aaf / authz.git / commitdiff