Merge "Fixes sonar issues in API_Artifact"
authorJonathan Gathman <jonathan.gathman@att.com>
Tue, 3 Jul 2018 22:13:53 +0000 (22:13 +0000)
committerGerrit Code Review <gerrit@onap.org>
Tue, 3 Jul 2018 22:13:53 +0000 (22:13 +0000)
340 files changed:
INFO.yaml
auth-client/pom.xml
auth-client/src/main/xsd/locate_1_1.xsd [new file with mode: 0644]
auth/auth-batch/pom.xml
auth/auth-batch/src/main/java/org/onap/aaf/auth/Batch.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/BatchPrincipal.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Email.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/Message.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/actions/URFutureApproveExec.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Approval.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Approver.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/CacheChange.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Cred.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Future.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/MiscID.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/MonthData.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/NS.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Notification.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/NsAttrib.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Perm.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/Role.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/helpers/UserRole.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/reports/ExpiringNext.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/update/Expiring.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/update/ExpiringP2.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/update/NotifyApprovals.java
auth/auth-batch/src/main/java/org/onap/aaf/auth/update/NotifyCredExpiring.java
auth/auth-batch/src/test/java/org/onap/aaf/auth/actions/test/JU_Email.java
auth/auth-batch/src/test/java/org/onap/aaf/auth/actions/test/JU_EmailPrint.java [new file with mode: 0644]
auth/auth-batch/src/test/java/org/onap/aaf/auth/actions/test/JU_Message.java [new file with mode: 0644]
auth/auth-batch/src/test/java/org/onap/aaf/auth/test/JU_BatchPrincipal.java
auth/auth-cass/pom.xml
auth/auth-cass/src/main/cql/init2_1.cql [new file with mode: 0644]
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/AbsCassDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CachedDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/CassAccess.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/Loader.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cached/CachedUserRoleDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/ArtiDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CacheInfoDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/ConfigDAO.java [new file with mode: 0644]
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/HistoryDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/LocateDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/Namespace.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/NsDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/OAuthTokenDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/PermDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Function.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/PermLookup.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLocator.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_Cached.java
auth/auth-cass/src/test/java/org/onap/aaf/auth/dao/JU_CassAccess.java
auth/auth-certman/pom.xml
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_AppCA.java
auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_BCFactory.java
auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java
auth/auth-cmd/pom.xml
auth/auth-cmd/src/assemble/auth-cmd.xml [new file with mode: 0644]
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/AAFcli.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/BaseCmd.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/Cmd.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersContact.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersInRole.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/ListUsersWithPerm.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_AAFCli.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_BaseCmd.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_Cmd.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_Help.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/JU_Version.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_Log.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/mgmt/JU_SessClear.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_Delete.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_List.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListUsers.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_ListUsersContact.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/role/JU_List.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Cred.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/user/JU_Delg.java
auth/auth-cmd/temp [deleted file]
auth/auth-core/pom.xml
auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java
auth/auth-core/src/main/java/org/onap/aaf/auth/common/Define.java
auth/auth-core/src/main/java/org/onap/aaf/auth/env/AuthzTransFilter.java
auth/auth-core/src/main/java/org/onap/aaf/auth/local/TextIndex.java
auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
auth/auth-core/src/main/java/org/onap/aaf/auth/org/OrganizationFactory.java
auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Acceptor.java
auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/HttpCode.java
auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Match.java
auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/RouteReport.java
auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/Routes.java
auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TransFilter.java
auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/TypedCode.java
auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
auth/auth-core/src/main/java/org/onap/aaf/auth/server/JettyServiceStarter.java
auth/auth-core/src/main/java/org/onap/aaf/auth/server/Log4JLogIt.java
auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java
auth/auth-core/src/test/java/org/onap/aaf/auth/layer/test/JU_Result.java
auth/auth-core/src/test/java/org/onap/aaf/auth/local/test/JU_DataFile.java
auth/auth-core/src/test/java/org/onap/aaf/auth/org/test/JU_Organization.java
auth/auth-core/src/test/java/org/onap/aaf/auth/rserv/test/JU_CachingFileAccess.java
auth/auth-core/src/test/java/org/onap/aaf/auth/server/test/JU_AbsService.java
auth/auth-core/src/test/java/org/onap/aaf/auth/server/test/JU_AbsServiceStarter.java
auth/auth-core/src/test/java/org/onap/aaf/auth/server/test/JU_JettyServiceStarter.java
auth/auth-deforg/pom.xml
auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
auth/auth-deforg/src/test/java/org/onap/aaf/org/test/JU_DefaultOrg.java
auth/auth-fs/pom.xml
auth/auth-fs/src/main/java/org/onap/aaf/auth/fs/AAF_FS.java
auth/auth-gui/pom.xml
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/AAF_GUI.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/OrgLookupFilter.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Page.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiDocs.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApprovalForm.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CredDetail.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsDetail.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NsHistory.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/NssShow.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PendingRequestsShow.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermDetail.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermGrantForm.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermHistory.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermsShow.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RequestDetail.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetail.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetailAction.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleHistory.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RolesShow.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/UserRoleExtend.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/UserRoleRemove.java
auth/auth-hello/pom.xml
auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/AAF_Hello.java
auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/API_Hello.java
auth/auth-locate/pom.xml
auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/AAF_Locate.java
auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/api/API_AAFAccess.java
auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacade.java
auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeFactory.java
auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacadeImpl.java
auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacade_1_1.java [moved from auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/facade/LocateFacade_1_0.java with 81% similarity]
auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/mapper/Mapper.java
auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/mapper/Mapper_1_1.java [moved from auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/mapper/Mapper_1_0.java with 95% similarity]
auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateService.java
auth/auth-locate/src/main/java/org/onap/aaf/auth/locate/service/LocateServiceImpl.java
auth/auth-locate/src/test/java/org/onap/aaf/auth/locate/mapper/JU_Mapper_1_0Test.java
auth/auth-locate/src/test/java/org/onap/aaf/auth/locate/service/JU_LocateServiceImplTest.java [new file with mode: 0644]
auth/auth-locate/src/test/java/org/onap/aaf/auth/locate/validation/JU_LocateValidatorTest.java [new file with mode: 0644]
auth/auth-oauth/pom.xml
auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/AAF_OAuth.java
auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java
auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper1_0.java
auth/auth-service/pom.xml
auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_History.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java
auth/auth-service/src/test/java/org/onap/aaf/auth/service/validation/test/JU_ServiceValidator.java
auth/docker/Dockerfile
auth/docker/d.props
auth/docker/dbuild.sh
auth/docker/dpush.sh
auth/pom.xml
auth/sample/local/org.osaaf.aaf.p12
cadi/aaf/pom.xml
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLocator.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java [moved from cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/CmAgent.java with 68% similarity]
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/ArtifactDir.java [moved from cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/ArtifactDir.java with 94% similarity]
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/CertException.java [moved from cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/CertException.java with 97% similarity]
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Factory.java [moved from cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/Factory.java with 94% similarity]
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifact.java [moved from cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifact.java with 97% similarity]
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInFiles.java [moved from cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactInFiles.java with 95% similarity]
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java [moved from cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactInKeystore.java with 81% similarity]
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactOnStream.java [moved from cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactOnStream.java with 97% similarity]
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactScripts.java [moved from cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactScripts.java with 98% similarity]
cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/AbsOTafLur.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClient.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenMgr.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenPerm.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persist.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/register/RemoteRegistrant.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/JU_AAFPermission.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/v2_0/test/JU_AAFLocator.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/.gitignore [new file with mode: 0644]
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_CertException.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_CmAgent.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_Factory.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInFiles.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactOnStream.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactScripts.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_JMeter.java [deleted file]
cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_MultiThreadPermHit.java [deleted file]
cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test1/MultiThreadPermHit.java [deleted file]
cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_OAuthTest.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_TokenClientFactoryTest.java [new file with mode: 0644]
cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_TzHClient.java
cadi/aaf/src/test/java/org/onap/aaf/cadi/sso/test/JU_AAFSSO.java
cadi/aaf/src/test/java/org/onap/aaf/client/sample/Sample.java
cadi/client/pom.xml
cadi/client/src/main/java/org/onap/aaf/cadi/client/Rcli.java
cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java
cadi/client/src/main/java/org/onap/aaf/cadi/http/HX509SS.java
cadi/client/src/main/java/org/onap/aaf/cadi/locator/PropertyLocator.java
cadi/client/src/main/java/org/onap/aaf/cadi/locator/SingleEndpointLocator.java [new file with mode: 0644]
cadi/client/src/test/java/org/onap/aaf/cadi/client/test/JU_Rcli.java
cadi/client/src/test/java/org/onap/aaf/cadi/locator/test/JU_PropertyLocator.java
cadi/core/pom.xml
cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java
cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
cadi/core/src/main/java/org/onap/aaf/cadi/Capacitor.java
cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java [moved from cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFShiroPermission.java with 65% similarity]
cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java
cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java
cadi/core/src/main/java/org/onap/aaf/cadi/User.java
cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java
cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java
cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java
cadi/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java
cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java
cadi/core/src/main/java/org/onap/aaf/cadi/util/Pool.java
cadi/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java
cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java
cadi/core/src/test/java/org/onap/aaf/cadi/config/test/JU_SecurityInfo.java
cadi/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_LocalLur.java
cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java
cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_AbsUserCache.java
cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_User.java
cadi/core/src/test/java/org/onap/aaf/cadi/util/test/JU_Pool.java
cadi/core/src/test/java/org/onap/aaf/cadi/util/test/JU_Vars.java
cadi/oauth-enduser/.gitignore
cadi/oauth-enduser/pom.xml
cadi/oauth-enduser/src/main/java/org/onap/aaf/cadi/enduser/ClientFactory.java [new file with mode: 0644]
cadi/oauth-enduser/src/main/java/org/onap/aaf/cadi/enduser/SimpleRESTClient.java [new file with mode: 0644]
cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OAuthExample.java [moved from cadi/oauth-enduser/src/test/java/com/att/cadi/enduser/OAuthExample.java with 94% similarity]
cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OnapClientExample.java [new file with mode: 0644]
cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/SimpleRestClientExample.java [new file with mode: 0644]
cadi/pom.xml
cadi/shiro-osgi-bundle/.gitignore [deleted file]
cadi/shiro-osgi-bundle/pom.xml [deleted file]
cadi/shiro/.gitignore [deleted file]
cadi/shiro/pom.xml [deleted file]
cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java [deleted file]
cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java [deleted file]
cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java [deleted file]
cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java [deleted file]
cadi/shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java [deleted file]
conf/CA/intermediate.sh [deleted file]
conf/CA/newIntermediate.sh
docs/.gitignore [new file with mode: 0644]
docs/index.rst
docs/sections/architecture/aaf_architecture.rst [new file with mode: 0644]
docs/sections/architecture/images/SecurityArchAAF.svg [new file with mode: 0644]
docs/sections/architecture/images/SecurityArchAAFOrg.svg [new file with mode: 0644]
docs/sections/architecture/images/SecurityArchBasic_1.svg [new file with mode: 0644]
docs/sections/architecture/images/SecurityArchBasic_TLS.svg [new file with mode: 0644]
docs/sections/architecture/images/SecurityArchCADI.svg [new file with mode: 0644]
docs/sections/architecture/images/SecurityArchCADIClient.svg [new file with mode: 0644]
docs/sections/architecture/images/SecurityArchFull.svg [new file with mode: 0644]
docs/sections/architecture/images/aaf-cm.png [new file with mode: 0644]
docs/sections/architecture/images/aaf-object-model.jpg [moved from docs/aaf-object-model.jpg with 100% similarity]
docs/sections/architecture/index.rst [new file with mode: 0644]
docs/sections/architecture/security.rst [new file with mode: 0644]
docs/sections/configuration/client.rst [new file with mode: 0644]
docs/sections/configuration/index.rst [new file with mode: 0644]
docs/sections/configuration/service.rst [new file with mode: 0644]
docs/sections/installation/AAF-Integration-Guide.rst [new file with mode: 0644]
docs/sections/installation/AAF_Environment_Beijing.rst [new file with mode: 0644]
docs/sections/installation/Bootstrapping-AAF-Components.rst [new file with mode: 0644]
docs/sections/installation/Installation.rst [new file with mode: 0644]
docs/sections/installation/fromsource.rst [new file with mode: 0644]
docs/sections/installation/index.rst [new file with mode: 0644]
docs/sections/logging.rst [new file with mode: 0644]
docs/sections/release-notes.rst [new file with mode: 0644]
misc/env/pom.xml
misc/env/src/main/java/org/onap/aaf/misc/env/StoreImpl.java
misc/env/src/main/java/org/onap/aaf/misc/env/impl/AbsTrans.java
misc/env/src/main/java/org/onap/aaf/misc/env/impl/BasicEnv.java
misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBmar.java
misc/env/src/main/java/org/onap/aaf/misc/env/jaxb/JAXBumar.java
misc/env/src/main/java/org/onap/aaf/misc/env/util/Pool.java
misc/env/src/main/java/org/onap/aaf/misc/env/util/RefreshableThreadObject.java
misc/env/src/main/java/org/onap/aaf/misc/env/util/Split.java
misc/log4j/pom.xml
misc/log4j/src/main/java/org/onap/aaf/misc/env/log4j/LogFileNamer.java
misc/log4j/src/test/java/org/onap/aaf/misc/env/log4j/JU_LogFileNamerTest.java
misc/pom.xml
misc/rosetta/pom.xml
misc/rosetta/src/main/java/org/onap/aaf/misc/rosetta/InXML.java
misc/rosetta/src/main/java/org/onap/aaf/misc/rosetta/JaxInfo.java
misc/rosetta/src/main/java/org/onap/aaf/misc/rosetta/JaxSet.java
misc/rosetta/src/main/java/org/onap/aaf/misc/rosetta/OutXML.java
misc/rosetta/src/main/java/org/onap/aaf/misc/rosetta/XmlEscape.java
misc/xgen/pom.xml
misc/xgen/src/main/java/org/onap/aaf/misc/xgen/CacheGen.java
misc/xgen/src/main/java/org/onap/aaf/misc/xgen/html/Imports.java
misc/xgen/src/test/java/org/onap/aaf/misc/xgen/html/JU_HTML4GenTest.java
misc/xgen/src/test/java/org/onap/aaf/misc/xgen/html/JU_HTML5GenTest.java
misc/xgen/src/test/java/org/onap/aaf/misc/xgen/xml/JU_XMLGenTest.java
pom.xml
version.properties

index 2a588c6..b90cb9b 100644 (file)
--- a/INFO.yaml
+++ b/INFO.yaml
@@ -34,9 +34,9 @@ committers:
         id: 'giri'
         timezone: 'India/Bangalore'
     - name: 'Huabing Zhao'
-        email: 'zhao.huabing@zte.com.cn'
+        email: 'zhaohuabing@gmail.com'
         company: 'ZTE'
-        id: 'HuabingZhao'
+        id: 'Huabing_Zhao'
         timezone: 'China/Chengdu'
     - name: 'Kiran Kamineni'
         email: 'kiran.k.kamineni@intel.com'
index 789e24e..432e626 100644 (file)
@@ -25,7 +25,7 @@
     <parent>
         <groupId>org.onap.aaf.authz</groupId>
         <artifactId>parent</artifactId>
-        <version>2.1.0-SNAPSHOT</version>
+        <version>2.1.2-SNAPSHOT</version>
     </parent>
        
        <artifactId>aaf-auth-client</artifactId>
@@ -34,7 +34,7 @@
        <packaging>jar</packaging>
 
        <properties>
-       <project.interfaceVersion>2.1.0-SNAPSHOT</project.interfaceVersion>
+       <project.interfaceVersion>2.1.1-SNAPSHOT</project.interfaceVersion>
                <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
                <maven.test.failure.ignore>true</maven.test.failure.ignore>
                <!--  SONAR  -->
diff --git a/auth-client/src/main/xsd/locate_1_1.xsd b/auth-client/src/main/xsd/locate_1_1.xsd
new file mode 100644 (file)
index 0000000..d2c159f
--- /dev/null
@@ -0,0 +1,46 @@
+<!-- 
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<xs:schema 
+       xmlns:xs="http://www.w3.org/2001/XMLSchema" 
+       xmlns:locate_local="urn:locate:v1_1" 
+       targetNamespace="urn:locate:v1_1" 
+       elementFormDefault="qualified">
+       
+
+<!-- 
+       Configurations
+ -->
+       <xs:element name="Configuration">
+               <xs:complexType>
+                       <xs:sequence>
+                               <xs:element name="name" type="xs:string"/>
+                               <xs:element name="props" minOccurs="0" maxOccurs="unbounded">
+                                       <xs:complexType>
+                                               <xs:sequence>
+                                                       <xs:element name="tag" type="xs:string"/>
+                                                       <xs:element name="value" type="xs:string"/>
+                                               </xs:sequence>
+                                       </xs:complexType>
+                               </xs:element>
+                       </xs:sequence>
+               </xs:complexType>
+       </xs:element>
+</xs:schema>
\ No newline at end of file
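Review bot: `props` is declared with `maxOccurs="unbounded"` and both `tag` and `value` are plain `xs:string`, so validating against this schema puts no limit on how many properties a `Configuration` message carries or how long a value is. If these messages are parsed from a remote peer, that bound has to come from the consumer or from an `xs:maxLength` restriction on the two elements. The `Configurations` comment does not say what the tag/value pairs represent or whether values can be sensitive; a sentence on that would tell readers how the payload must be treated in transit and in logs. The file also ends without a trailing newline.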
index 00638a7..a30ccaa 100644 (file)
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
-       <artifactId>auth-batch</artifactId>
+       <artifactId>aaf-auth-batch</artifactId>
        <name>AAF Auth Batch</name>
        <description>Batch Processing for AAF Auth</description>
        <packaging>jar</packaging>
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-misc-env</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-misc-rosetta</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-aaf</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-cass</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <plugin>
                                <groupId>org.sonatype.plugins</groupId>
                                <artifactId>nexus-staging-maven-plugin</artifactId>
-                               <version>1.6.7</version>
                                <extensions>true</extensions>
                                <configuration>
                                        <nexusUrl>${nexusproxy}</nexusUrl>
                        <plugin>
                                        <groupId>org.jacoco</groupId>
                                        <artifactId>jacoco-maven-plugin</artifactId>
-                                       <version>${jacoco.version}</version>
                                        <configuration>
                                                <excludes>
                                                        <exclude>**/gen/**</exclude>
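Review bot: Dropping `<version>` from `nexus-staging-maven-plugin` (was `1.6.7`) and `jacoco-maven-plugin` (was `${jacoco.version}`) leaves both plugins unpinned unless the parent POM declares them under `<pluginManagement>`, which is not visible in this section. Maven fails the build on a dependency with no managed version, but for a plugin it only warns and resolves whichever version is current. That would make the staging build non-reproducible and let an unreviewed plugin release run in the release path. Please confirm that `auth/pom.xml` pins both plugins, and that the five `org.onap.aaf.authz` dependencies whose versions were removed are covered by `<dependencyManagement>`.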
index d4b582a..7826eb6 100644 (file)
@@ -68,7 +68,7 @@ import com.datastax.driver.core.Statement;
 
 public abstract class Batch {
 
-       private static String ROOT_NS;
+       private static String rootNs;
 
        private static StaticSlot ssargs;
 
@@ -84,13 +84,11 @@ public abstract class Batch {
 
        public static final String CASS_ENV = "CASS_ENV";
        public static final String LOG_DIR = "LOG_DIR";
-    protected final static String PUNT="punt";
-    protected final static String MAX_EMAILS="MAX_EMAILS";
-    protected final static String VERSION="VERSION";
-    public final static String GUI_URL="GUI_URL";
+    protected static final String PUNT="punt";
+    protected static final String MAX_EMAILS="MAX_EMAILS";
+    protected static final String VERSION="VERSION";
+    public static final String GUI_URL="GUI_URL";
     
-    protected final static String ORA_URL="ora_url";
-    protected final static String ORA_PASSWORD="ora_password";
        protected final Organization org;
 
 
@@ -123,7 +121,7 @@ public abstract class Batch {
         cluster = CassAccess.cluster(env,batchEnv);
         env.info().log("cluster name - ",cluster.getClusterName());
         String dryRunStr = env.getProperty( "DRY_RUN" );
-        if ( dryRunStr == null || dryRunStr.trim().equals("false") ) {
+        if ( dryRunStr == null || "false".equals(dryRunStr.trim()) ) {
                    dryRun = false;
                } else {
             dryRun = true;
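Review bot: The rewritten test `"false".equals(dryRunStr.trim())` still treats an unset `DRY_RUN` property as a live run, so a batch started with incomplete configuration runs with `dryRun = false` rather than failing safe. If that default is intended, it should be stated next to the check, for example `// DRY_RUN unset or "false" => live run; any other value (including "False") => dry run`. As a style point, the if/else can be reduced to `dryRun = dryRunStr != null && !"false".equals(dryRunStr.trim());`. The else branch and the rest of the enclosing block continue outside this hunk.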
@@ -134,7 +132,7 @@ public abstract class Batch {
                org.setTestMode(dryRun);
 
                // Special names to allow behaviors beyond normal rules
-        specialNames = new HashSet<String>();
+        specialNames = new HashSet<>();
         String names = env.getProperty( "SPECIAL_NAMES" );
         if ( names != null )
         {
@@ -147,11 +145,11 @@ public abstract class Batch {
         }
     }
 
-    protected abstract void run(AuthzTrans trans);
+       protected abstract void run(AuthzTrans trans);
     protected abstract void _close(AuthzTrans trans);
     
     public String[] args() {
-       return (String[])env.get(ssargs);
+       return env.get(ssargs);
     }
        
     public boolean isDryRun()
@@ -177,9 +175,9 @@ public abstract class Batch {
                }
        }
 
-       protected PrintStream fallout(PrintStream _fallout, String logType)
+       protected PrintStream fallout(PrintStream inFallout, String logType)
                        throws IOException {
-               PrintStream fallout = _fallout;
+               PrintStream fallout = inFallout;
                if (fallout == null) {
                        File dir = new File("logs");
                        if (!dir.exists()) {
@@ -187,7 +185,6 @@ public abstract class Batch {
                        }
 
                        File f = null;
-                       // String os = System.getProperty("os.name").toLowerCase();
                        long uniq = System.currentTimeMillis();
 
                        f = new File(dir, getClass().getSimpleName() + "_" + logType + "_"
@@ -199,15 +196,15 @@ public abstract class Batch {
        }
 
        public Organization getOrgFromID(AuthzTrans trans, String user) {
-               Organization org;
+               Organization organization;
                try {
-                       org = OrganizationFactory.obtain(trans.env(),user.toLowerCase());
+                       organization = OrganizationFactory.obtain(trans.env(),user.toLowerCase());
                } catch (OrganizationException e1) {
                        trans.error().log(e1);
-                       org=null;
+                       organization=null;
                }
 
-               if (org == null) {
+               if (organization == null) {
                        PrintStream fallout = null;
 
                        try {
@@ -220,7 +217,7 @@ public abstract class Batch {
                        return (null);
                }
 
-               return (org);
+               return (organization);
        }
        
        public static Row executeDeleteQuery(Statement stmt) {
@@ -238,7 +235,7 @@ public abstract class Batch {
                String envStr = env.getProperty("AFT_ENVIRONMENT");
 
                if (envStr != null) {
-                       if (envStr.equals("AFTPRD")) {
+                       if ("AFTPRD".equals(envStr)) {
                                testEnv = false;
                        }
                } else {
@@ -331,31 +328,32 @@ public abstract class Batch {
        
        // IMPORTANT! VALIDATE Organization isUser method
     protected void checkOrganizationAcccess(AuthzTrans trans, Question q) throws APIException, OrganizationException {
-               Set<String> testUsers = new HashSet<String>();
-               Result<List<RoleDAO.Data>> rrd = q.roleDAO.readNS(trans, ROOT_NS);
-               if(rrd.isOK()) {
-                       for(RoleDAO.Data r : rrd.value) {
-                               Result<List<UserRoleDAO.Data>> rur = q.userRoleDAO.readByRole(trans, r.fullName());
-                               if(rur.isOK()) {
-                                       for(UserRoleDAO.Data udd : rur.value) {
+                       Set<String> testUsers = new HashSet<>();
+                       Result<List<RoleDAO.Data>> rrd = q.roleDAO.readNS(trans, rootNs);
+                       if (rrd.isOK()) {
+                               for (RoleDAO.Data r : rrd.value) {
+                                       Result<List<UserRoleDAO.Data>> rur = q.userRoleDAO.readByRole(trans, r.fullName());
+                                       if (!rur.isOK()) {
+                                               continue;
+                                       }
+                                       for (UserRoleDAO.Data udd : rur.value) {
                                                testUsers.add(udd.user);
                                        }
                                }
+                               if (testUsers.size() < 2) {
+                                       throw new APIException("Not enough Users in Roles for " + rootNs + " to Validate");
+                               }
+
+                               Identity iden;
+                               for (String user : testUsers) {
+                                       if ((iden = org.getIdentity(trans, user)) == null) {
+                                               throw new APIException("Failed Organization Entity Validation Check: " + user);
+                                       } else {
+                                               trans.info().log("Organization Validation Check: " + iden.id());
+                                       }
+                               }
                        }
                }
-               if(testUsers.size()<2) {
-                       throw new APIException("Not enough Users in Roles for " + ROOT_NS + " to Validate");
-               }
-               
-               Identity iden;
-               for(String user : testUsers) {
-                       if((iden=org.getIdentity(trans,user))==null) {
-                               throw new APIException("Failed Organization Entity Validation Check: " + user);
-                       } else {
-                               trans.info().log("Organization Validation Check: " + iden.id());
-                       }
-               }
-    }
     
     protected static String logDir() {
        String ld = env.getProperty(LOG_DIR);
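Review bot: The reshaped `checkOrganizationAcccess` now skips the whole validation when `q.roleDAO.readNS(trans, rootNs)` is not OK, because the `testUsers.size() < 2` check and the `org.getIdentity` loop have moved inside `if (rrd.isOK())`. On the old side a failed read left `testUsers` empty and the method threw `APIException`; on the new side it returns normally, so the check headed `IMPORTANT! VALIDATE Organization isUser method` passes without validating anything. Keeping the early-exit style, the failure case should throw before the role loop, e.g. `if (!rrd.isOK()) { throw new APIException("Not enough Users in Roles for " + rootNs + " to Validate"); }`, with the size check and identity loop placed after the role loop at method level.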
@@ -392,7 +390,7 @@ public abstract class Batch {
                String propLoc;
                try {
                        Define.set(access);
-                       ROOT_NS=Define.ROOT_NS();
+                       rootNs =Define.ROOT_NS();
                        
                        File f = new File("etc/authzBatch.props");
                        try {
index 6ca7901..5403e3a 100644 (file)
@@ -26,7 +26,7 @@ public class BatchPrincipal extends TaggedPrincipal {
        private final String name;
        
        public BatchPrincipal(final String name) {
-               this.name = name;
+               this.name = "batch:"+name;
        }
 
        @Override
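Review bot: The constructor now builds the name by concatenation, so a null `name` becomes the string `"batch:null"` instead of staying null, and a caller that supplied no identity gets a principal that looks valid. If the name feeds audit records or permission lookups (not visible in this hunk), rejecting null is safer: `this.name = "batch:" + Objects.requireNonNull(name, "name");`, which needs `java.util.Objects` imported. A short comment saying why the `batch:` prefix is added would also help, since any caller that compares the principal name with the raw value it passed in would now see a different string.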
@@ -36,6 +36,6 @@ public class BatchPrincipal extends TaggedPrincipal {
 
        @Override
        public String tag() {
-               return "Batch";
+               return "Btch";
        }
 }
index 25e2ffc..15dfed3 100644 (file)
@@ -46,9 +46,9 @@ public class Email implements Action<Organization,Void, String>{
 
        
        public Email(String ... defaultCC) {
-               toList = new ArrayList<String>();
+               toList = new ArrayList<>();
                this.defaultCC = defaultCC;
-               ccList = new ArrayList<String>();
+               ccList = new ArrayList<>();
                clear();
        }
        
@@ -71,10 +71,8 @@ public class Email implements Action<Organization,Void, String>{
        }
 
        public Email addTo(Identity id) {
-               if(id!=null) {
-                       if(!toList.contains(id.email())) {
+               if(id!=null && !toList.contains(id.email())) {
                                toList.add(id.email());
-                       }
                }
                return this;
        }
@@ -94,10 +92,8 @@ public class Email implements Action<Organization,Void, String>{
        }
 
        public Email addCC(Identity id) {
-               if(id!=null) {
-                       if(!ccList.contains(id.email())) {
+               if(id!=null && !ccList.contains(id.email())) {
                                ccList.add(id.email());
-                       }
                }
                return this;
        }
index 98fc005..a4122d6 100644 (file)
@@ -28,7 +28,7 @@ public class Message {
        public final List<String> lines;
                
        public Message() {
-               lines = new ArrayList<String>();
+               lines = new ArrayList<>();
        }
 
        public void clear() {
@@ -42,7 +42,7 @@ public class Message {
        }
 
        public void msg(StringBuilder sb, String lineIndent) {
-               if(lines.size()>0) {
+               if(!lines.isEmpty()) {
                        for(String line : lines) {
                                sb.append(lineIndent);
                                sb.append(line);
index 6cf2c53..635efef 100644 (file)
@@ -56,8 +56,8 @@ public class URFutureApproveExec extends ActionDAO<List<Approval>, OP_STATUS, Fu
                        return Result.err(Result.ERR_ActionNotCompleted,"Not Executed");
                } else {
                        // Save on Lookups
-                       final List<ApprovalDAO.Data> apprs = new ArrayList<ApprovalDAO.Data>();
-                       final List<UserRoleDAO.Data> urs = new ArrayList<UserRoleDAO.Data>();
+                       final List<ApprovalDAO.Data> apprs = new ArrayList<>();
+                       final List<UserRoleDAO.Data> urs = new ArrayList<>();
                        for(Approval a : app) {
                                apprs.add(a.add);
                                UserRole ur = UserRole.get(a.add.user, future.role);
index 0bd9397..58aa206 100644 (file)
@@ -45,10 +45,10 @@ public class Approval implements CacheChange.Data  {
        public static final String RE_VALIDATE_ADMIN = "Re-Validate as Administrator for AAF Namespace '";
        public static final String RE_VALIDATE_OWNER = "Re-Validate Ownership for AAF Namespace '";
 
-       public static TreeMap<String,List<Approval>> byApprover = new TreeMap<String,List<Approval>>();
-       public static TreeMap<String,List<Approval>> byUser = new TreeMap<String,List<Approval>>();
-       public static TreeMap<UUID,List<Approval>> byTicket = new TreeMap<UUID,List<Approval>>();
-       private final static CacheChange<Approval> cache = new CacheChange<Approval>(); 
+       public static TreeMap<String,List<Approval>> byApprover = new TreeMap<>();
+       public static TreeMap<String,List<Approval>> byUser = new TreeMap<>();
+       public static TreeMap<UUID,List<Approval>> byTicket = new TreeMap<>();
+       private final static CacheChange<Approval> cache = new CacheChange<>(); 
        
        public final ApprovalDAO.Data add;
        private String role;
@@ -114,7 +114,7 @@ public class Approval implements CacheChange.Data  {
                                                if(person!=null) {
                                                ln = byApprover.get(person);
                                                        if(ln==null) {
-                                                               ln = new ArrayList<Approval>();
+                                                               ln = new ArrayList<>();
                                                                byApprover.put(app.getApprover(), ln);
                                                        }
                                                        ln.add(app);
@@ -125,7 +125,7 @@ public class Approval implements CacheChange.Data  {
                                                if(person!=null) {
                                                        ln = byUser.get(person);
                                                        if(ln==null) {
-                                                               ln = new ArrayList<Approval>();
+                                                               ln = new ArrayList<>();
                                                                byUser.put(app.getUser(), ln);
                                                        }
                                                        ln.add(app);
@@ -134,7 +134,7 @@ public class Approval implements CacheChange.Data  {
                                                if(ticket!=null) {
                                                        ln = byTicket.get(ticket);
                                                        if(ln==null) {
-                                                               ln = new ArrayList<Approval>();
+                                                               ln = new ArrayList<>();
                                                                byTicket.put(app.getTicket(), ln);
                                                        }
                                                ln.add(app);
index 6043e43..127daac 100644 (file)
@@ -35,7 +35,7 @@ public class Approver {
        public Approver(String approver, Organization org) {
                this.name = approver;
                this.org = org;
-               userRequests = new HashMap<String, Integer>();
+               userRequests = new HashMap<>();
        }
        
        public void addRequest(String user) {
index 02f34d2..0c82184 100644 (file)
@@ -28,7 +28,7 @@ public class CacheChange<T extends CacheChange.Data> {
        private List<T> removed;
        
        public CacheChange() {
-               removed = new ArrayList<T>();
+               removed = new ArrayList<>();
        }
        
        interface Data {
index 1131aca..56fbbba 100644 (file)
@@ -43,8 +43,8 @@ import com.datastax.driver.core.SimpleStatement;
 import com.datastax.driver.core.Statement;
 
 public class Cred  {
-    public static final TreeMap<String,Cred> data = new TreeMap<String,Cred>();
-    public static final TreeMap<String,List<Cred>> byNS = new TreeMap<String,List<Cred>>();
+    public static final TreeMap<String,Cred> data = new TreeMap<>();
+    public static final TreeMap<String,List<Cred>> byNS = new TreeMap<>();
 
        public final String id;
        public final List<Instance> instances;
@@ -52,7 +52,7 @@ public class Cred  {
        
        public Cred(String id) {
                this.id = id;
-               instances = new ArrayList<Instance>();
+               instances = new ArrayList<>();
                ns=Question.domain2ns(id);
        }
        
@@ -93,7 +93,7 @@ public class Cred  {
 
        
        public Set<Integer> types() {
-               Set<Integer> types = new HashSet<Integer>();
+               Set<Integer> types = new HashSet<>();
                for(Instance i : instances) {
                        types.add(i.type);
                }
@@ -155,7 +155,7 @@ public class Cred  {
                                
                                List<Cred> lscd = byNS.get(cred.ns);
                                if(lscd==null) {
-                                       byNS.put(cred.ns, (lscd=new ArrayList<Cred>()));
+                                       byNS.put(cred.ns, (lscd=new ArrayList<>()));
                                }
                                boolean found = false;
                                for(Cred c : lscd) {
index a2dc6b6..948e65b 100644 (file)
@@ -44,12 +44,12 @@ import com.datastax.driver.core.SimpleStatement;
 import com.datastax.driver.core.Statement;
 
 public class Future implements CacheChange.Data, Comparable<Future> {
-       public static final Map<UUID,Future> data = new TreeMap<UUID,Future>();
-       public static final Map<String,List<Future>> byRole = new TreeMap<String,List<Future>>();
+       public static final Map<UUID,Future> data = new TreeMap<>();
+       public static final Map<String,List<Future>> byRole = new TreeMap<>();
        
        public final FutureDAO.Data fdd;
        public final String role; // derived
-       private final static CacheChange<Future> cache = new CacheChange<Future>(); 
+       private static final CacheChange<Future> cache = new CacheChange<>();
        
        
        public final UUID id() {
@@ -102,13 +102,16 @@ public class Future implements CacheChange.Data, Comparable<Future> {
                        ++count;
                        Future f = creator.create(row);
                        data.put(f.fdd.id,f);
-                       if(f.role!=null) {
-                               List<Future> lf = byRole.get(f.role);
-                               if(lf==null) {
-                                       byRole.put(f.role,lf = new ArrayList<Future>());
-                               }
-                               lf.add(f);
+                       if(f.role==null) {
+                               continue;
                        }
+                       List<Future> lf = byRole.get(f.role);
+                       if(lf==null) {
+                                       lf = new ArrayList<>();
+                               byRole.put(f.role,lf);
+                       }
+                       lf.add(f);
+
                }
                } finally {
                        tt.done();
index 1438ffd..d92a448 100644 (file)
@@ -36,7 +36,7 @@ import com.datastax.driver.core.SimpleStatement;
 import com.datastax.driver.core.Statement;
 
 public class MiscID  {
-       public static final TreeMap<String,MiscID> data = new TreeMap<String,MiscID>();
+       public static final TreeMap<String,MiscID> data = new TreeMap<>();
        /*
        Sample Record
        aad890|mj9030|20040902|20120207
index 13a4c92..d633770 100644 (file)
@@ -36,8 +36,7 @@ import java.util.Set;
 import java.util.TreeMap;
 
 public class MonthData {
-    public final Map<Integer,Set<Row>> data = 
-               new TreeMap<Integer,Set<Row>>();
+    public final Map<Integer,Set<Row>> data = new TreeMap<>();
        private File f;
     
     public MonthData(String env) throws IOException {
@@ -69,7 +68,7 @@ public class MonthData {
     public void add(int yr_mon, String target, long total, long adds, long drops) {
                Set<Row> row = data.get(yr_mon);
                if(row==null) {
-                       data.put(yr_mon, (row=new HashSet<Row>()));
+                       data.put(yr_mon, (row=new HashSet<>()));
                }
                row.add(new Row(target,total,adds,drops));
        }
index 5dde889..172768c 100644 (file)
@@ -36,7 +36,7 @@ import com.datastax.driver.core.SimpleStatement;
 import com.datastax.driver.core.Statement;
 
 public class NS implements Comparable<NS> {
-       public final static Map<String,NS> data = new TreeMap<String,NS>();
+       public final static Map<String,NS> data = new TreeMap<>();
 
        public final String name, description, parent;
        public final int scope,type;
index 9614bb1..57ff5c6 100644 (file)
@@ -71,7 +71,7 @@ public class Notification {
        }
 
 
-    public static final TreeMap<String,List<Notification>> data = new TreeMap<String,List<Notification>>();
+    public static final TreeMap<String,List<Notification>> data = new TreeMap<>();
     public static final Date now = new Date();
     
     public final String user;
@@ -113,7 +113,7 @@ public class Notification {
                                Notification not = creator.create(row);
                                List<Notification> ln = data.get(not.user);
                                if(ln==null) {
-                                       ln = new ArrayList<Notification>();
+                                       ln = new ArrayList<>();
                                        data.put(not.user, ln);
                                }
                                ln.add(not);
index bb76c34..eafbe90 100644 (file)
@@ -23,6 +23,7 @@ package org.onap.aaf.auth.helpers;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.SortedMap;
 import java.util.TreeMap;
 
 import org.onap.aaf.misc.env.Env;
@@ -36,11 +37,24 @@ import com.datastax.driver.core.SimpleStatement;
 import com.datastax.driver.core.Statement;
 
 public class NsAttrib  {
-       public static final List<NsAttrib> data = new ArrayList<NsAttrib>();
-    public static final TreeMap<String,List<NsAttrib>> byKey = new TreeMap<String,List<NsAttrib>>();
-    public static final TreeMap<String,List<NsAttrib>> byNS = new TreeMap<String,List<NsAttrib>>();
+       public static final List<NsAttrib> data = new ArrayList<>();
+    public static final SortedMap<String,List<NsAttrib>> byKey = new TreeMap<>();
+    public static final SortedMap<String,List<NsAttrib>> byNS = new TreeMap<>();
 
-       public final String ns,key,value;
+       public final String ns;
+       public final String key;
+       public final String value;
+       public static Creator<NsAttrib> v2_0_11 = new Creator<NsAttrib>() {
+               @Override
+               public NsAttrib create(Row row) {
+                       return new NsAttrib(row.getString(0), row.getString(1), row.getString(2));
+               }
+
+               @Override
+               public String select() {
+                       return "select ns,key,value from authz.ns_attrib";
+               }
+       };
        
        public NsAttrib(String ns, String key, String value) {
                this.ns = ns;
@@ -69,14 +83,14 @@ public class NsAttrib  {
                        
                        List<NsAttrib> lna = byKey.get(ur.key);
                        if(lna==null) {
-                               lna = new ArrayList<NsAttrib>();
+                               lna = new ArrayList<>();
                                byKey.put(ur.key, lna);
                        }
                        lna.add(ur);
                        
                        lna = byNS.get(ur.ns);
                        if(lna==null) {
-                               lna = new ArrayList<NsAttrib>();
+                               lna = new ArrayList<>();
                                byNS.put(ur.ns, lna);
                        }
                        lna.add(ur);
@@ -87,19 +101,6 @@ public class NsAttrib  {
         }
        }
 
-       public static Creator<NsAttrib> v2_0_11 = new Creator<NsAttrib>() {
-               @Override
-               public NsAttrib create(Row row) {
-                       return new NsAttrib(row.getString(0), row.getString(1), row.getString(2));
-               }
-
-               @Override
-               public String select() {
-                       return "select ns,key,value from authz.ns_attrib";
-               }
-       };
-
-
        public String toString() {
                return '"' + ns + "\",\"" + key + "\",\""  + value +'"';
        }
index 51a7098..469284a 100644 (file)
@@ -38,9 +38,9 @@ import com.datastax.driver.core.SimpleStatement;
 import com.datastax.driver.core.Statement;
 
 public class Perm implements Comparable<Perm> {
-    public static final TreeMap<Perm,Set<String>> data = new TreeMap<Perm,Set<String>>();
-    public static final TreeMap<String,Perm> keys = new TreeMap<String,Perm>();
-       private static List<Perm> deletePerms = new ArrayList<Perm>();
+    public static final TreeMap<Perm,Set<String>> data = new TreeMap<>();
+    public static final TreeMap<String,Perm> keys = new TreeMap<>();
+       private static List<Perm> deletePerms = new ArrayList<>();
 
        public final String ns, type, instance, action,description;
        private String fullType = null, fullPerm = null, encode = null;
index f48544b..a173c4f 100644 (file)
@@ -39,10 +39,10 @@ import com.datastax.driver.core.SimpleStatement;
 import com.datastax.driver.core.Statement;
 
 public class Role implements Comparable<Role> {
-    public static final TreeMap<Role,Set<String>> data = new TreeMap<Role,Set<String>>();
-    public static final TreeMap<String,Role> keys = new TreeMap<String,Role>();
-    public static final TreeMap<String,Role> byName = new TreeMap<String,Role>();
-       private static List<Role> deleteRoles = new ArrayList<Role>();
+    public static final TreeMap<Role,Set<String>> data = new TreeMap<>();
+    public static final TreeMap<String,Role> keys = new TreeMap<>();
+    public static final TreeMap<String,Role> byName = new TreeMap<>();
+       private static List<Role> deleteRoles = new ArrayList<>();
 
        public final String ns, name, description;
        private String full, encode;
@@ -51,7 +51,7 @@ public class Role implements Comparable<Role> {
        public Role(String full) {
                ns = name = description = "";
                this.full = full;
-               perms = new HashSet<String>();
+               perms = new HashSet<>();
        }
        
        public Role(String ns, String name, String description,Set<String> perms) {
index 9f366c8..a289fe0 100644 (file)
@@ -44,10 +44,10 @@ import com.datastax.driver.core.SimpleStatement;
 import com.datastax.driver.core.Statement;
 
 public class UserRole implements Cloneable, CacheChange.Data  {
-       public static final List<UserRole> data = new ArrayList<UserRole>();
-    public static final TreeMap<String,List<UserRole>> byUser = new TreeMap<String,List<UserRole>>();
-    public static final TreeMap<String,List<UserRole>> byRole = new TreeMap<String,List<UserRole>>();
-       private final static CacheChange<UserRole> cache = new CacheChange<UserRole>(); 
+       public static final List<UserRole> data = new ArrayList<>();
+    public static final TreeMap<String,List<UserRole>> byUser = new TreeMap<>();
+    public static final TreeMap<String,List<UserRole>> byRole = new TreeMap<>();
+       private final static CacheChange<UserRole> cache = new CacheChange<>(); 
        private static PrintStream urDelete=System.out,urRecover=System.err;
        private static int totalLoaded;
        private static int deleted;
@@ -109,14 +109,14 @@ public class UserRole implements Cloneable, CacheChange.Data  {
                                
                                List<UserRole> lur = byUser.get(ur.urdd.user);
                                if(lur==null) {
-                                       lur = new ArrayList<UserRole>();
+                                       lur = new ArrayList<>();
                                        byUser.put(ur.urdd.user, lur);
                                }
                                lur.add(ur);
                                
                                lur = byRole.get(ur.urdd.role);
                                if(lur==null) {
-                                       lur = new ArrayList<UserRole>();
+                                       lur = new ArrayList<>();
                                        byRole.put(ur.urdd.role, lur);
                                }
                                lur.add(ur);
index 2412f49..8e0257f 100644 (file)
@@ -73,7 +73,7 @@ public class ExpiringNext extends Batch {
         Date earliestUR = gc.getTime();
         Date earliestCred = gc.getTime();
         // Run for Roles
-        List<String> expiring = new ArrayList<String>();
+        List<String> expiring = new ArrayList<>();
         
         trans.info().log("Checking for Expired UserRoles");
        for(UserRole ur : UserRole.data) {
index d3b80d2..df631fe 100644 (file)
@@ -200,7 +200,7 @@ public class Expiring extends Batch {
                        trans.info().log("### Removed",Future.sizeForDeletion(),"Future and",Approval.sizeForDeletion(),"Approvals");
                        Future.resetLocalData();
                Approval.resetLocalData();
-               } catch (Throwable t) {
+               } catch (Exception t) {
                        t.printStackTrace();
                }
        
@@ -233,7 +233,7 @@ public class Expiring extends Batch {
                        trans.info().log("### Removed",Future.sizeForDeletion(),"Future and",Approval.sizeForDeletion(),"Approvals");
                        Future.resetLocalData();
                Approval.resetLocalData();
-               } catch (Throwable t) {
+               } catch (Exception t) {
                        t.printStackTrace();
                }
 
@@ -256,7 +256,7 @@ public class Expiring extends Batch {
                                trans.info().log("### Removed",Future.sizeForDeletion(),"Future and",Approval.sizeForDeletion(),"Approvals");
                                Future.resetLocalData();
                    Approval.resetLocalData();
-                       } catch (Throwable t) {
+                       } catch (Exception t) {
                                t.printStackTrace();
                        }
         } finally {
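Review bot: The narrowed `catch (Exception t)` still only calls `t.printStackTrace()`, so a failure in this deletion step goes to stderr and the batch carries on without the error reaching the `trans` log that the surrounding lines write to. Logging through the transaction, `trans.error().log(t);`, keeps the failure next to the `### Removed` entries. The same applies to the three other hunks in this file that make the same `Throwable` to `Exception` change (old lines 200, 233 and 348). `Error` subclasses are no longer caught at these sites and will now propagate; the enclosing method is outside the hunk, so confirm that is intended.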
@@ -348,7 +348,7 @@ public class Expiring extends Batch {
                        trans.info().log("### Removed",Future.sizeForDeletion(),"Future and",Approval.sizeForDeletion(),"Approvals");
                        Future.resetLocalData();
                Approval.resetLocalData();
-               } catch (Throwable t) {
+               } catch (Exception t) {
                        t.printStackTrace();
                }
         
index f568b33..79e127d 100644 (file)
@@ -89,7 +89,7 @@ public class ExpiringP2 extends Batch {
                String line,prev="";
                try {
                        UserRole ur;
-                       Map<String,Count> tally = new HashMap<String,Count>();
+                       Map<String,Count> tally = new HashMap<>();
                        int count=0;
                        try {
                                while((line=urDeleteF.readLine())!=null) {
index 3314694..9653662 100644 (file)
@@ -103,7 +103,7 @@ public class NotifyApprovals extends Batch {
 
                Message msg = new Message();
                int emailCount = 0;
-               List<Approval> pending = new ArrayList<Approval>();
+               List<Approval> pending = new ArrayList<>();
                boolean isOwner,isSupervisor;
                for(Entry<String, List<Approval>> es : Approval.byApprover.entrySet()) {
                        isOwner = isSupervisor = false;
index bdf8347..c9f04f7 100644 (file)
@@ -128,12 +128,12 @@ public class NotifyCredExpiring extends Batch {
                Date tooLate = new Date(now);
                
                // Temp structures
-               Map<String,Cred> lastCred = new HashMap<String,Cred>();
-               Map<String,List<LastCred>> ownerCreds = new TreeMap<String,List<LastCred>>();
+               Map<String,Cred> lastCred = new HashMap<>();
+               Map<String,List<LastCred>> ownerCreds = new TreeMap<>();
                Date last;
                
 
-               List<LastCred> noOwner = new ArrayList<LastCred>();
+               List<LastCred> noOwner = new ArrayList<>();
                ownerCreds.put(UNKNOWN_ID,noOwner);
 
                // Get a list of ONLY the ones needing email by Owner
@@ -148,7 +148,7 @@ public class NotifyCredExpiring extends Batch {
                                                        String owner = ur.user();
                                                        List<LastCred> llc = ownerCreds.get(owner);
                                                        if(llc==null) {
-                                                               ownerCreds.put(owner, (llc=new ArrayList<LastCred>()));
+                                                               ownerCreds.put(owner, (llc=new ArrayList<>()));
                                                        }
                                                        llc.add(new LastCred(c,last));
                                                }
index 0779a33..70cd08a 100644 (file)
@@ -37,6 +37,7 @@ import org.onap.aaf.auth.org.OrganizationException;
 
 import static org.mockito.Mockito.*;
 
+import java.io.ByteArrayOutputStream;
 import java.io.FileNotFoundException;
 import java.io.PrintStream;
 import java.util.Collection;
@@ -47,12 +48,21 @@ import org.junit.Test;
 
 public class JU_Email {
        
+       private ByteArrayOutputStream outStream;
+       private ByteArrayOutputStream errStream;
        Email email;
        Identity usersI;
        Message msg;
+       PrintStream ps;
        
        @Before
-       public void setUp() {
+       public void setUp() throws FileNotFoundException {
+               outStream = new ByteArrayOutputStream();
+               errStream = new ByteArrayOutputStream();
+               ps = new PrintStream(errStream);
+               System.setOut(new PrintStream(outStream));
+               System.setErr(ps);
+               
                usersI = mock(Identity.class);
                msg = new Message();
                email = new Email();
@@ -124,7 +134,6 @@ public class JU_Email {
        
        @Test
        public void testLog() throws FileNotFoundException {
-               PrintStream ps = new PrintStream("test");
                email.addTo("email");
                email.addCC("email");
                email.log(ps, "email");
@@ -132,5 +141,11 @@ public class JU_Email {
                email.addCC("emails");
                email.log(ps, "emails");
        }
+       
+       @After
+       public void cleanUp() {
+               System.setErr(System.err);
+               System.setOut(System.out);
+       }
 
 }
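Review bot: `cleanUp()` does not restore the console streams. By the time it runs, `System.out` and `System.err` already refer to the `ByteArrayOutputStream` wrappers installed in `setUp()`, so `System.setErr(System.err)` and `System.setOut(System.out)` assign each stream to itself and the redirection leaks into every test that runs later in the same JVM. Keep the originals in fields before redirecting in `setUp()` (`origOut = System.out; origErr = System.err;`) and restore them here with `System.setOut(origOut); System.setErr(origErr);`. The same self-assignment appears in `JU_EmailPrint.cleanUp()` further down. `setUp()` sits in an earlier hunk; its new `throws FileNotFoundException` looks unnecessary now that the `PrintStream` wraps an in-memory stream rather than a file.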
diff --git a/auth/auth-batch/src/test/java/org/onap/aaf/auth/actions/test/JU_EmailPrint.java b/auth/auth-batch/src/test/java/org/onap/aaf/auth/actions/test/JU_EmailPrint.java
new file mode 100644 (file)
index 0000000..fb5d2bd
--- /dev/null
@@ -0,0 +1,92 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions.test;
+
+import static org.junit.Assert.*;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.onap.aaf.auth.actions.EmailPrint;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.org.Organization;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+
+import static org.mockito.Mockito.*;
+
+import java.io.ByteArrayOutputStream;
+import java.io.PrintStream;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+import org.junit.Test;
+
+public class JU_EmailPrint {
+       
+       private ByteArrayOutputStream outStream;
+       private ByteArrayOutputStream errStream;
+       EmailPrint ePrint;
+       AuthzTrans trans;
+       Organization org;
+       StringBuilder strBuilder;
+       
+       @Before
+       public void setUp() {
+               outStream = new ByteArrayOutputStream();
+               errStream = new ByteArrayOutputStream();
+               System.setOut(new PrintStream(outStream));
+               System.setErr(new PrintStream(errStream));
+               ePrint = new EmailPrint();
+               trans = mock(AuthzTrans.class);
+               org = mock(Organization.class);
+               strBuilder = new StringBuilder();
+               strBuilder.append("test\nte\nst");
+               ePrint.addTo("test");
+               ePrint.addTo("test1");
+               ePrint.addTo("test2");
+               ePrint.addCC("test");
+               ePrint.addCC("test1");
+               ePrint.addCC("test2");
+               
+       }
+
+       @Test
+       public void testExec() throws NoSuchMethodException, SecurityException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
+               Class c = ePrint.getClass();
+               Class[] cArg = new Class[3];
+               cArg[0] = AuthzTrans.class;
+               cArg[1] = Organization.class;
+               cArg[2] = StringBuilder.class;//Steps to test a protected method
+               Method execMethod = c.getDeclaredMethod("exec", cArg);
+               execMethod.setAccessible(true);
+               execMethod.invoke(ePrint, trans, org, strBuilder);
+       }
+       
+       @After
+       public void cleanUp() {
+               System.setErr(System.err);
+               System.setOut(System.out);
+       }
+
+}
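Review bot: `testExec()` can only fail if `exec` throws, because nothing is asserted after `execMethod.invoke(...)`, even though `setUp()` captures `System.out` in `outStream`. If `exec` writes to standard output, as the class name suggests, assert on the captured text, for example `assertFalse(outStream.toString().isEmpty());` or a check for one of the recipients added in `setUp()`; the exact output is not visible here and needs confirming against `EmailPrint`. The tests in the new `JU_Message` (`testLine`, `testClear`, `testMsg`) have the same gap, and `testMsg` fills `sb` without ever inspecting it. `Class c` and `Class[] cArg` are raw types; `Class<?>` and `Class<?>[]` avoid the unchecked warning.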
diff --git a/auth/auth-batch/src/test/java/org/onap/aaf/auth/actions/test/JU_Message.java b/auth/auth-batch/src/test/java/org/onap/aaf/auth/actions/test/JU_Message.java
new file mode 100644 (file)
index 0000000..fa7409e
--- /dev/null
@@ -0,0 +1,62 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.actions.test;
+
+import static org.junit.Assert.*;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.onap.aaf.auth.actions.Message;
+
+import static org.mockito.Mockito.*;
+import org.junit.Test;
+
+public class JU_Message {
+       
+       Message msg;
+       
+       @Before
+       public void setUp() {
+               msg = new Message();
+       }
+
+       @Test
+       public void testLine() {
+               msg.line("test");
+       }
+       
+       @Test
+       public void testClear() {
+               msg.clear();
+       }
+       
+       @Test
+       public void testMsg() {
+               StringBuilder sb = new StringBuilder();
+               msg.line("test");
+               msg.line("test1");
+               msg.msg(sb, "indent");
+       }
+
+}
index cc30890..e3cd359 100644 (file)
@@ -41,8 +41,8 @@ public class JU_BatchPrincipal {
        @Test
        public void testBatchPrincipal() {
                bPrincipal = new BatchPrincipal("name");
-               bPrincipal.getName();
-               Assert.assertEquals("Batch", bPrincipal.tag());
+               Assert.assertEquals("batch:name", bPrincipal.getName());
+               Assert.assertEquals("Btch", bPrincipal.tag());
        }
 
 }
index cc61f19..b6f30d2 100644 (file)
@@ -17,7 +17,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
diff --git a/auth/auth-cass/src/main/cql/init2_1.cql b/auth/auth-cass/src/main/cql/init2_1.cql
new file mode 100644 (file)
index 0000000..4b9e793
--- /dev/null
@@ -0,0 +1,6 @@
+CREATE TABLE config (
+  name          varchar,
+  tag           varchar,
+  value         varchar,
+  PRIMARY KEY (name,tag)
+);
index 89fb12f..b5a950d 100644 (file)
@@ -71,8 +71,8 @@ public abstract class AbsCassDAO<TRANS extends TransStore,DATA> {
        protected Class<DATA> dataClass;
        private final String name;
 //     private static Slot sessionSlot; // not used since 2015
-       private static final ArrayList<AbsCassDAO<? extends TransStore,?>.PSInfo> psinfos = new ArrayList<AbsCassDAO<? extends TransStore,?>.PSInfo>();
-       private static final List<Object> EMPTY = new ArrayList<Object>(0);
+       private static final ArrayList<AbsCassDAO<? extends TransStore,?>.PSInfo> psinfos = new ArrayList<>();
+       private static final List<Object> EMPTY = new ArrayList<>(0);
        private static final Deque<ResetRequest> resetDeque = new ConcurrentLinkedDeque<ResetRequest>();
        private static boolean resetTrigger = false;
        private static long nextAvailableReset = 0;
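Review bot: `EMPTY` is a single mutable `ArrayList` shared by every DAO, and the hunk at old line 338 hands it to callers as `Result.ok((List<DATA>)EMPTY)`. If any caller adds to a list it received for an empty read, that element appears in every later empty result, for every table and transaction; in an authorization store that means rows showing up where none exist. Declaring it as `private static final List<Object> EMPTY = Collections.emptyList();` makes such a write fail immediately, though it needs a check that no existing caller relies on mutating the returned list. `NO_ADDL_APPROVE` in `Function` is the same kind of shared mutable "empty" list. On these lines `resetDeque` still spells out `new ConcurrentLinkedDeque<ResetRequest>()`, which the diamond clean-up missed.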
@@ -288,7 +288,7 @@ public abstract class AbsCassDAO<TRANS extends TransStore,DATA> {
 /// TEST CODE for Exception                            
 //                             boolean force = true; 
 //                             if(force) {
-//                                     Map<InetSocketAddress, Throwable> misa = new HashMap<InetSocketAddress,Throwable>();
+//                                     Map<InetSocketAddress, Throwable> misa = new HashMap<>();
 //                                     //misa.put(new InetSocketAddress(444),new Exception("no host was tried"));
 //                                     misa.put(new InetSocketAddress(444),new Exception("Connection has been closed"));
 //                                     throw new com.datastax.driver.core.exceptions.NoHostAvailableException(misa);
@@ -338,7 +338,7 @@ public abstract class AbsCassDAO<TRANS extends TransStore,DATA> {
                        return Result.ok((List<DATA>)EMPTY); // Result sets now .emptyList(true);
                } else {
                        DATA d;
-                       List<DATA> data = indata==null?new ArrayList<DATA>(rows.size()):indata;
+                       List<DATA> data = indata==null?new ArrayList<>(rows.size()):indata;
                        
                        for(Row row : rows) {
                                try {
index 017f878..f468dba 100644 (file)
@@ -64,7 +64,7 @@ public class CachedDAO<TRANS extends Trans,D extends DAO<TRANS,DATA>,DATA extend
 
        public void add(DATA data)  {
                String key = keyFromObjs(dao.keyFrom(data));
-               List<DATA> list = new ArrayList<DATA>();
+               List<DATA> list = new ArrayList<>();
                list.add(data);
                super.add(key,list);
        }
index e70bffb..c213a04 100644 (file)
@@ -44,7 +44,7 @@ public class CassAccess {
        public static final String CASSANDRA_CLUSTERS_USER_NAME = "cassandra.clusters.user";
        public static final String CASSANDRA_CLUSTERS_PASSWORD = "cassandra.clusters.password";
        public static final String CASSANDRA_RESET_EXCEPTIONS = "cassandra.reset.exceptions";
-       private static final List<Resettable> resetExceptions = new ArrayList<Resettable>();
+       private static final List<Resettable> resetExceptions = new ArrayList<>();
        public static final String ERR_ACCESS_MSG = "Accessing Backend";
        private static Builder cb = null;
 
@@ -181,7 +181,7 @@ public class CassAccess {
                                        }
                                }
                                if(split.length>1) {
-                                       messages=new ArrayList<String>();
+                                       messages=new ArrayList<>();
                                        for(int i=1;i<split.length;++i) {
                                                String str = split[i];
                                                int start = str.startsWith("\"")?1:0;
index 485eabc..0042316 100644 (file)
@@ -143,7 +143,7 @@ public abstract class Loader<DATA> {
                if(l<0) {
                    return null;
                }
-               Set<String> set = new HashSet<String>(l);
+               Set<String> set = new HashSet<>(l);
                for(int i=0;i<l;++i) {
                        set.add(readString(is,buff));
                }
@@ -155,7 +155,7 @@ public abstract class Loader<DATA> {
                if(l<0) {
                    return null;
                }
-               List<String> list = new ArrayList<String>(l);
+               List<String> list = new ArrayList<>(l);
                for(int i=0;i<l;++i) {
                        list.add(Loader.readString(is,buff));
                }
@@ -187,7 +187,7 @@ public abstract class Loader<DATA> {
                if(l<0) {
                    return null;
                }
-               Map<String,String> map = new HashMap<String,String>(l);
+               Map<String,String> map = new HashMap<>(l);
                for(int i=0;i<l;++i) {
                        String key = readString(is,buff);
                        map.put(key,readString(is,buff));
index dce2bea..100c81d 100644 (file)
@@ -91,7 +91,7 @@ public class CachedUserRoleDAO extends CachedDAO<AuthzTrans,UserRoleDAO, UserRol
                                if(user.equals(trans.user())) {
                                        Result<List<Data>> rrbu = readByUser(trans, user);
                                        if(rrbu.isOK()) {
-                                               List<Data> ld = new ArrayList<Data>(1);
+                                               List<Data> ld = new ArrayList<>(1);
                                                for(Data d : rrbu.value) {
                                                        if(d.role.equals(role)) {
                                                                ld.add(d);
index 391b55b..a6fbeca 100644 (file)
@@ -82,18 +82,18 @@ public class ArtiDAO extends CassDAOImpl<AuthzTrans,ArtiDAO.Data> {
 //      // Getters
                public Set<String> type(boolean mutable) {
                        if (type == null) {
-                               type = new HashSet<String>();
+                               type = new HashSet<>();
                        } else if (mutable && !(type instanceof HashSet)) {
-                               type = new HashSet<String>(type);
+                               type = new HashSet<>(type);
                        }
                        return type;
                }
 
                public Set<String> sans(boolean mutable) {
                        if (sans == null) {
-                               sans = new HashSet<String>();
+                               sans = new HashSet<>();
                        } else if (mutable && !(sans instanceof HashSet)) {
-                               sans = new HashSet<String>(sans);
+                               sans = new HashSet<>(sans);
                        }
                        return sans;
                }
@@ -199,7 +199,7 @@ public class ArtiDAO extends CassDAOImpl<AuthzTrans,ArtiDAO.Data> {
                        data.mechid = readString(is,buff);
                        data.machine = readString(is,buff);
                        int size = is.readInt();
-                       data.type = new HashSet<String>(size);
+                       data.type = new HashSet<>(size);
                        for(int i=0;i<size;++i) {
                                data.type.add(readString(is,buff));
                        }
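Review bot: `size` comes straight from `is.readInt()` and is used as both the initial capacity of the `HashSet` and the loop bound, with no range check. A negative value makes the `HashSet` constructor throw `IllegalArgumentException`, and a very large one from a corrupt or tampered stream sizes the backing table for that many entries regardless of how much data actually follows. Validate before allocating, e.g. `if (size < 0 || size > MAX_SET_SIZE) throw new IOException("bad set size " + size);`, where `MAX_SET_SIZE` is a placeholder for a limit the project chooses; this assumes the enclosing method, which starts outside the hunk, declares `IOException`. The same pattern is in the `data.sans` hunk below and in `LocateDAO` (`data.subprotocol`). The `Loader` hunks reject `l<0` but apply no upper bound either.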
@@ -213,7 +213,7 @@ public class ArtiDAO extends CassDAOImpl<AuthzTrans,ArtiDAO.Data> {
                        data.expires = l<0?null:new Date(l);
                        data.renewDays = is.readInt();
                        size = is.readInt();
-                       data.sans = new HashSet<String>(size);
+                       data.sans = new HashSet<>(size);
                        for(int i=0;i<size;++i) {
                                data.sans.add(readString(is,buff));
                        }
index 66ab734..6d9900b 100644 (file)
@@ -63,7 +63,7 @@ import com.datastax.driver.core.exceptions.DriverException;
 public class CacheInfoDAO extends CassDAOImpl<AuthzTrans,CacheInfoDAO.Data> implements CIDAO<AuthzTrans> {
 
        private static final String TABLE = "cache";
-       public static final Map<String,Date[]> info = new ConcurrentHashMap<String,Date[]>();
+       public static final Map<String,Date[]> info = new ConcurrentHashMap<>();
 
        private static CacheUpdate cacheUpdate;
        
@@ -217,7 +217,7 @@ public class CacheInfoDAO extends CassDAOImpl<AuthzTrans,CacheInfoDAO.Data> impl
                        }
                        public void add(int[] ints) {
                                if(set==null) {
-                                       set = new HashSet<Integer>();
+                                       set = new HashSet<>();
                                        
                                        for(int i=0;i<raw.length;++i) {
                                                set.add(raw[i]);
@@ -275,7 +275,7 @@ public class CacheInfoDAO extends CassDAOImpl<AuthzTrans,CacheInfoDAO.Data> impl
                                                        start = System.nanoTime();
                                                        trans = env.newTransNoAvg();
                                                        cc = new CacheClear(trans);
-                                                       gather = new HashMap<String,IntHolder>();
+                                                       gather = new HashMap<>();
                                                }
                                                IntHolder prev = gather.get(data.table);
                                                if(prev==null) {
diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/ConfigDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/ConfigDAO.java
new file mode 100644 (file)
index 0000000..df28404
--- /dev/null
@@ -0,0 +1,140 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.auth.dao.cass;
+
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.util.List;
+
+import org.onap.aaf.auth.dao.AbsCassDAO;
+import org.onap.aaf.auth.dao.CassDAOImpl;
+import org.onap.aaf.auth.dao.Loader;
+import org.onap.aaf.auth.dao.Streamer;
+import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.misc.env.APIException;
+
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.Row;
+
+/**
+ * CredDAO manages credentials. 
+ * @author Jonathan
+ * Date: 6/25/18
+ */
+public class ConfigDAO extends CassDAOImpl<AuthzTrans,ConfigDAO.Data> {
+    public static final String TABLE = "config";
+    public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F
+       private PSInfo psName;
+    
+    public ConfigDAO(AuthzTrans trans, Cluster cluster, String keyspace) throws APIException, IOException {
+        super(trans, ConfigDAO.class.getSimpleName(),cluster, keyspace, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        init(trans);
+    }
+
+    public ConfigDAO(AuthzTrans trans, AbsCassDAO<AuthzTrans,?> aDao) throws APIException, IOException {
+        super(trans, ConfigDAO.class.getSimpleName(),aDao, Data.class,TABLE, readConsistency(trans,TABLE), writeConsistency(trans,TABLE));
+        init(trans);
+    }
+    
+    public static final int KEYLIMIT = 2;
+       public static class Data  {
+        public String                                  name;
+        public String                                  tag;
+        public String                                  value;
+    }
+
+    private static class ConfigLoader extends Loader<Data> implements Streamer<Data>{
+               public static final int MAGIC=2673849;
+       public static final int VERSION=1;
+       public static final int BUFF_SIZE=48; 
+
+       public static final ConfigLoader deflt = new ConfigLoader(KEYLIMIT);
+       public ConfigLoader(int keylimit) {
+            super(keylimit);
+        }
+
+       @Override
+        public Data load(Data data, Row row) {
+               data.name = row.getString(0);
+            data.tag = row.getString(1);
+            data.value = row.getString(2);
+            return data;
+        }
+
+        @Override
+        protected void key(Data data, int idx, Object[] obj) {
+            obj[idx] = data.name;
+            obj[++idx] = data.tag;
+        }
+
+        @Override
+        protected void body(Data data, int _idx, Object[] obj) {
+            obj[_idx] = data.value;
+        }
+
+               @Override
+               public void marshal(Data data, DataOutputStream os) throws IOException {
+                       writeHeader(os,MAGIC,VERSION);
+                       writeString(os, data.name);
+                       writeString(os, data.tag);
+                       writeString(os, data.value);
+               }
+
+               @Override
+               public void unmarshal(Data data, DataInputStream is) throws IOException {
+                       /*int version = */readHeader(is,MAGIC,VERSION);
+                       // If Version Changes between Production runs, you'll need to do a switch Statement, and adequately read in fields
+                       byte[] buff = new byte[BUFF_SIZE];
+                       data.name = readString(is,buff);
+                       data.tag = readString(is,buff);
+                       data.value = readString(is,buff);
+               }
+    }
+    
+    private void init(AuthzTrans trans) throws APIException, IOException {
+               String[] helpers = setCRUD(trans, TABLE, Data.class, ConfigLoader.deflt);
+
+               psName = new PSInfo(trans, SELECT_SP + helpers[FIELD_COMMAS] + " FROM " + TABLE +
+                               " WHERE name = ?", ConfigLoader.deflt,readConsistency);
+    }
+    
+
+    /**
+     * Log Modification statements to History
+     *
+     * @param modified        which CRUD action was done
+     * @param data            entity data that needs a log entry
+     * @param overrideMessage if this is specified, we use it rather than crafting a history message based on data
+     */
+    @Override
+    protected void wasModified(AuthzTrans trans, CRUD modified, Data data, String ... override) {
+       // not an auditable table.
+    }
+    
+       public Result<List<Data>> readName(AuthzTrans trans, String name) {
+               return psName.read(trans, R_TEXT, new Object[]{name});
+       }
+
+
+}
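Review bot: The class Javadoc reads "CredDAO manages credentials", which looks copied from another DAO; this class reads and writes the `config` table (`name`, `tag`, `value`) and should say so, e.g. `ConfigDAO reads and writes rows of the "config" table, keyed by name and tag.` The Javadoc on `wasModified` is stale as well: it promises "Log Modification statements to History" and documents an `overrideMessage` parameter, while the parameter is `override`, `trans` is undocumented, and the body is empty apart from `// not an auditable table.` Because this is an authorization service, that comment should state explicitly that configuration changes are deliberately left out of the history table, so the missing audit trail is a recorded decision rather than something a reader has to infer.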
index 0cfc1dc..13af879 100644 (file)
@@ -82,13 +82,6 @@ public class HistoryDAO extends CassDAOImpl<AuthzTrans, HistoryDAO.Data> {
                public String target;
                public String subject;
                public String  memo;
-//             Map<String, String>  detail = null;
-//             public Map<String, String>  detail() {
-//                     if(detail == null) {
-//                             detail = new HashMap<String, String>();
-//                     }
-//                     return detail;
-//             }
                public ByteBuffer reconstruct;
        }
        
@@ -106,7 +99,6 @@ public class HistoryDAO extends CassDAOImpl<AuthzTrans, HistoryDAO.Data> {
                        data.target = row.getString(4);
                        data.subject = row.getString(5);
                        data.memo = row.getString(6);
-//                     data.detail = row.getMap(6, String.class, String.class);
                        data.reconstruct = row.getBytes(7);
                        return data;
                }
index bdf2748..4778331 100644 (file)
@@ -81,9 +81,9 @@ public class LocateDAO extends CassDAOImpl<AuthzTrans,LocateDAO.Data> {
          // Getters
                public Set<String> subprotocol(boolean mutable) {
                        if (subprotocol == null) {
-                               subprotocol = new HashSet<String>();
+                               subprotocol = new HashSet<>();
                        } else if (mutable && !(subprotocol instanceof HashSet)) {
-                               subprotocol = new HashSet<String>(subprotocol);
+                               subprotocol = new HashSet<>(subprotocol);
                        }
                        return subprotocol;
                }
@@ -191,7 +191,7 @@ public class LocateDAO extends CassDAOImpl<AuthzTrans,LocateDAO.Data> {
                        data.protocol = readString(is,buff);
                        
                        int size = is.readInt();
-                       data.subprotocol = new HashSet<String>(size);
+                       data.subprotocol = new HashSet<>(size);
                        for(int i=0;i<size;++i) {
                                data.subprotocol.add(readString(is,buff));
                        }
index 4b1ff14..11ee4bc 100644 (file)
@@ -56,7 +56,7 @@ public class Namespace implements Bytification {
                type = ndd.type;
                parent = ndd.parent;
                if(ndd.attrib!=null && !ndd.attrib.isEmpty()) {
-                       attrib = new ArrayList<Pair<String,String>>();
+                       attrib = new ArrayList<>();
                        for( Entry<String, String> entry : ndd.attrib.entrySet()) {
                                attrib.add(new Pair<String,String>(entry.getKey(),entry.getValue()));
                        }
@@ -71,7 +71,7 @@ public class Namespace implements Bytification {
                type = ndd.type;
                parent = ndd.parent;
                if(ndd.attrib!=null && !ndd.attrib.isEmpty()) {
-                       attrib = new ArrayList<Pair<String,String>>();
+                       attrib = new ArrayList<>();
                        for( Entry<String, String> entry : ndd.attrib.entrySet()) {
                                attrib.add(new Pair<String,String>(entry.getKey(),entry.getValue()));
                        }
index 567246d..0789054 100644 (file)
@@ -110,9 +110,9 @@ public class NsDAO extends CassDAOImpl<AuthzTrans,NsDAO.Data> {
 //        // Getters
                public Map<String,String> attrib(boolean mutable) {
                        if (attrib == null) {
-                               attrib = new HashMap<String,String>();
+                               attrib = new HashMap<>();
                        } else if (mutable && !(attrib instanceof HashMap)) {
-                               attrib = new HashMap<String,String>(attrib);
+                               attrib = new HashMap<>(attrib);
                        }
                        return attrib;
                }
@@ -255,7 +255,7 @@ public class NsDAO extends CassDAOImpl<AuthzTrans,NsDAO.Data> {
 //// TEST CODE for Exception                           
 //                     boolean force = true; 
 //                     if(force) {
-//                             throw new com.datastax.driver.core.exceptions.NoHostAvailableException(new HashMap<InetSocketAddress,Throwable>());
+//                             throw new com.datastax.driver.core.exceptions.NoHostAvailableException(new HashMap<>());
 ////                           throw new com.datastax.driver.core.exceptions.AuthenticationException(new InetSocketAddress(9999),"Sample Message");
 //                     }
 ////END TEST CODE
@@ -376,7 +376,7 @@ public class NsDAO extends CassDAOImpl<AuthzTrans,NsDAO.Data> {
        }
     
        public Result<Map<String,String>> readAttribByNS(AuthzTrans trans, String ns) {
-               Map<String,String> map = new HashMap<String,String>();
+               Map<String,String> map = new HashMap<>();
                TimeTaken tt = trans.start("readAttribByNS " + ns, Env.REMOTE);
                try {
                        ResultSet rs = getSession(trans).execute("SELECT key,value FROM " 
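Review bot: The `execute(` call that ends this hunk assembles its CQL text with `+`, starting from `"SELECT key,value FROM "`; the rest of the statement is outside the hunk, so it cannot be confirmed from here whether `ns` is spliced into the string. If it is, pass it as a bound value instead, in the form `execute("SELECT key,value FROM <attrib table> WHERE ns = ?", ns)` (table name left as a placeholder), the way the new `ConfigDAO` on this page binds `name` with `WHERE name = ?`. The same check applies to `key` in `readNsByAttrib` in the next hunk. `ns` is also concatenated into the `trans.start(...)` label, which is worth a look if those labels reach logs.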
@@ -399,7 +399,7 @@ public class NsDAO extends CassDAOImpl<AuthzTrans,NsDAO.Data> {
        }
 
        public Result<Set<String>> readNsByAttrib(AuthzTrans trans, String key) {
-               Set<String> set = new HashSet<String>();
+               Set<String> set = new HashSet<>();
                TimeTaken tt = trans.start("readNsBykey " + key, Env.REMOTE);
                try {
                        ResultSet rs = getSession(trans).execute("SELECT ns FROM " 
index e1375b8..4fe3aaa 100644 (file)
@@ -80,9 +80,9 @@ public class OAuthTokenDAO extends CassDAOImpl<AuthzTrans,OAuthTokenDAO.Data> {
 
                public Set<String> scopes(boolean mutable) {
                        if (scopes == null) {
-                               scopes = new HashSet<String>();
+                               scopes = new HashSet<>();
                        } else if (mutable && !(scopes instanceof HashSet)) {
-                               scopes = new HashSet<String>(scopes);
+                               scopes = new HashSet<>(scopes);
                        }
                        return scopes;
                }
index 860b7ea..0ecdd98 100644 (file)
@@ -216,9 +216,9 @@ public class PermDAO extends CassDAOImpl<AuthzTrans,PermDAO.Data> {
         // Getters
         public Set<String> roles(boolean mutable) {
             if (roles == null) {
-                roles = new HashSet<String>();
+                roles = new HashSet<>();
             } else if (mutable && !(roles instanceof HashSet)) {
-                roles = new HashSet<String>(roles);
+                roles = new HashSet<>(roles);
             }
             return roles;
         }
index da7d7a2..974f73f 100644 (file)
@@ -90,9 +90,9 @@ public class RoleDAO extends CassDAOImpl<AuthzTrans,RoleDAO.Data> {
         // Getters
                public Set<String> perms(boolean mutable) {
                        if (perms == null) {
-                               perms = new HashSet<String>();
+                               perms = new HashSet<>();
                        } else if (mutable && !(perms instanceof HashSet)) {
-                               perms = new HashSet<String>(perms);
+                               perms = new HashSet<>(perms);
                        }
                        return perms;
                }
index b7b17c9..8529ce8 100644 (file)
@@ -117,7 +117,7 @@ public class Function {
        public static final String FOP_PERM = "perm";
        public static final String FOP_ROLE = "role";
        public static final String FOP_USER_ROLE = "user_role";
-       private static final List<Identity> NO_ADDL_APPROVE = new ArrayList<Identity>();
+       private static final List<Identity> NO_ADDL_APPROVE = new ArrayList<>();
        private static final String ROOT_NS = Define.ROOT_NS();
        // First Action should ALWAYS be "write", see "CreateRole"
        public final Question q;
@@ -134,7 +134,7 @@ public class Function {
                        if (result.notOK()) {
                                if (sb == null) {
                                        sb = new StringBuilder();
-                                       ao = new ArrayList<String>();
+                                       ao = new ArrayList<>();
                                }
                                sb.append(result.details);
                                sb.append('\n');
@@ -333,7 +333,7 @@ public class Function {
                        if (rrdc.isOKhasData()) {
                                for (RoleDAO.Data rdd : rrdc.value) {
                                        // Remove old Role from Perms, save them off
-                                       List<PermDAO.Data> lpdd = new ArrayList<PermDAO.Data>();
+                                       List<PermDAO.Data> lpdd = new ArrayList<>();
                                        for(String p : rdd.perms(false)) {
                                                Result<PermDAO.Data> rpdd = PermDAO.Data.decode(trans,q,p);
                                                if(rpdd.isOKhasData()) {
@@ -387,7 +387,7 @@ public class Function {
                        if (rpdc.isOKhasData()) {
                                for (PermDAO.Data pdd : rpdc.value) {
                                        // Remove old Perm from Roles, save them off
-                                       List<RoleDAO.Data> lrdd = new ArrayList<RoleDAO.Data>();
+                                       List<RoleDAO.Data> lrdd = new ArrayList<>();
                                        
                                        for(String rl : pdd.roles(false)) {
                                                Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
@@ -447,11 +447,11 @@ public class Function {
                pd.action = Question.ASTERIX;
                pd.description = "AAF Namespace Write Access";
 
-               rd.perms = new HashSet<String>();
+               rd.perms = new HashSet<>();
                rd.perms.add(pd.encode());
                eb.log(q.roleDAO.create(trans, rd));
 
-               pd.roles = new HashSet<String>();
+               pd.roles = new HashSet<>();
                pd.roles.add(rd.encode());
                eb.log(q.permDAO.create(trans, pd));
        }
@@ -469,11 +469,11 @@ public class Function {
                pd.action = Question.READ;
                pd.description = "AAF Namespace Read Access";
 
-               rd.perms = new HashSet<String>();
+               rd.perms = new HashSet<>();
                rd.perms.add(pd.encode());
                eb.log(q.roleDAO.create(trans, rd));
 
-               pd.roles = new HashSet<String>();
+               pd.roles = new HashSet<>();
                pd.roles.add(rd.encode());
                eb.log(q.permDAO.create(trans, pd));
        }
@@ -825,7 +825,7 @@ public class Function {
                                    continue;
                                }
                                // Remove old Perm from Roles, save them off
-                               List<RoleDAO.Data> lrdd = new ArrayList<RoleDAO.Data>();
+                               List<RoleDAO.Data> lrdd = new ArrayList<>();
                                
                                for(String rl : pdd.roles(false)) {
                                        Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans,q,rl);
@@ -891,7 +891,7 @@ public class Function {
                                    continue;
                                }
                                // Remove old Role from Perms, save them off
-                               List<PermDAO.Data> lpdd = new ArrayList<PermDAO.Data>();
+                               List<PermDAO.Data> lpdd = new ArrayList<>();
                                for(String p : rdd.perms(false)) {
                                        Result<PermDAO.Data> rpdd = PermDAO.Data.decode(trans,q,p);
                                        if(rpdd.isOKhasData()) {
@@ -1439,7 +1439,7 @@ public class Function {
                }
                Date now = new Date();
                List<UserRoleDAO.Data> list = rurdd.value;
-               List<String> rv = new ArrayList<String>(list.size()); // presize
+               List<String> rv = new ArrayList<>(list.size()); // presize
                for (UserRoleDAO.Data urdd : rurdd.value) {
                        if (includeExpired || urdd.expires.after(now)) {
                                rv.add(urdd.user);
@@ -1471,7 +1471,7 @@ public class Function {
                        Organization org = trans.org();
                        // For Reapproval, only check Owners.. Do Supervisors, etc, separately
                        List<Identity> approvers = op.equals(FUTURE_OP.A)?NO_ADDL_APPROVE:org.getApprovers(trans, user);
-                       List<Identity> owners = new ArrayList<Identity>();
+                       List<Identity> owners = new ArrayList<>();
                        if (nsd != null) {
                                Result<List<UserRoleDAO.Data>> rrbr = q.userRoleDAO
                                                .readByRole(trans, nsd.name + Question.DOT_OWNER);
@@ -1730,7 +1730,7 @@ public class Function {
                                                default:
                                        }
                                }                               
-                       } catch (Throwable e) {
+                       } catch (Exception e) {
                                trans.error().log("Exception: ", e.getMessage(),
                                        " \n occurred while performing", curr.memo,
                                        " from Ticket ", curr.id.toString());
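Review bot: The handler logs only `e.getMessage()`, which is null for many runtime exceptions and drops the stack trace, so a failed operation on a ticket may leave nothing to diagnose from. Passing the exception itself, as the JscepCA code on this page does with `trans.error().log(e)`, keeps the cause; if the log target offers a Throwable-plus-messages overload, `trans.error().log(e, "occurred while performing", curr.memo, " from Ticket ", curr.id.toString());` would do. Narrowing `Throwable` to `Exception` also means an `Error` raised in the `try` is no longer logged here and now propagates. The rest of the method is outside the hunk, so whether that is intended cannot be confirmed from here.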
index 615d6b3..1544aab 100644 (file)
@@ -59,7 +59,7 @@ class PermLookup {
                PermLookup lp=null;
                Map<String, PermLookup> permMap = trans.get(Question.PERMS, null);
                if (permMap == null) {
-                       trans.put(Question.PERMS, permMap = new HashMap<String, PermLookup>());
+                       trans.put(Question.PERMS, permMap = new HashMap<>());
                } else {
                        lp = permMap.get(user);
                }
@@ -78,7 +78,7 @@ class PermLookup {
                if(userRoles==null) {
                        userRoles = q.userRoleDAO.readByUser(trans,user);
                        if(userRoles.isOKhasData()) {
-                               List<UserRoleDAO.Data> lurdd = new ArrayList<UserRoleDAO.Data>();
+                               List<UserRoleDAO.Data> lurdd = new ArrayList<>();
                                Date now = new Date();
                                for(UserRoleDAO.Data urdd : userRoles.value) {
                                        if(urdd.expires.after(now)) { // Remove Expired
@@ -104,7 +104,7 @@ class PermLookup {
                if(roles==null) {
                        Result<List<UserRoleDAO.Data>> rur = getUserRoles();
                        if(rur.isOK()) {
-                               List<RoleDAO.Data> lrdd = new ArrayList<RoleDAO.Data>();
+                               List<RoleDAO.Data> lrdd = new ArrayList<>();
                                for (UserRoleDAO.Data urdata : rur.value) {
                                        // Gather all permissions from all Roles
                                            if(urdata.ns==null || urdata.rname==null) {
@@ -130,7 +130,7 @@ class PermLookup {
                if(permNames==null) {
                        Result<List<RoleDAO.Data>> rlrd = getRoles();
                        if (rlrd.isOK()) {
-                               Set<String> pns = new TreeSet<String>();
+                               Set<String> pns = new TreeSet<>();
                                for (RoleDAO.Data rdata : rlrd.value) {
                                        pns.addAll(rdata.perms(false));
                                }
@@ -149,7 +149,7 @@ class PermLookup {
                        // Jonathan 8/12/2013
                        Result<Set<String>> rss = getPermNames();
                        if(rss.isOK()) {
-                               List<PermDAO.Data> lpdd = new ArrayList<PermDAO.Data>();
+                               List<PermDAO.Data> lpdd = new ArrayList<>();
                                for (String perm : rss.value) {
                                        if(lookup) {
                                                Result<String[]> ap = PermDAO.Data.decodeToArray(trans, q, perm);
index 95041ea..5354842 100644 (file)
@@ -235,7 +235,7 @@ public class Question {
                        nss = null;
                } else {
                        // Setup a TreeSet to check on Namespaces to 
-                       nss = new TreeSet<String>();
+                       nss = new TreeSet<>();
                        PermLookup fUser = PermLookup.get(trans, this, forUser);
                        Result<Set<String>> forUpn = fUser.getPermNames();
                        if(forUpn.notOK()) {
@@ -252,7 +252,7 @@ public class Question {
                        }
                }
 
-               List<PermDAO.Data> rlpUser = new ArrayList<PermDAO.Data>();
+               List<PermDAO.Data> rlpUser = new ArrayList<>();
                Result<PermDAO.Data> rpdd;
                PermDAO.Data pdd;
                for(String pn : plPermNames.value) {
@@ -298,7 +298,7 @@ public class Question {
                        return Result.err(rlrd);
                }
                // Using Set to avoid duplicates
-               Set<String> permNames = new HashSet<String>();
+               Set<String> permNames = new HashSet<>();
                if (rlrd.isOKhasData()) {
                        for (RoleDAO.Data drr : rlrd.value) {
                                permNames.addAll(drr.perms(false));
@@ -307,7 +307,7 @@ public class Question {
 
                // Note: It should be ok for a Valid user to have no permissions -
                // Jonathan 8/12/2013
-               List<PermDAO.Data> perms = new ArrayList<PermDAO.Data>();
+               List<PermDAO.Data> perms = new ArrayList<>();
                for (String perm : permNames) {
                        Result<PermDAO.Data> pr = PermDAO.Data.decode(trans, this, perm);
                        if (pr.notOK()) {
@@ -744,7 +744,7 @@ public class Question {
                                // Bug noticed 6/22. Sorting on the result can cause Concurrency Issues.         
                                List<CredDAO.Data> cddl;
                                if(result.value.size() > 1) {
-                                       cddl = new ArrayList<CredDAO.Data>(result.value.size());
+                                       cddl = new ArrayList<>(result.value.size());
                                        for(CredDAO.Data old : result.value) {
                                                if(old.type==CredDAO.BASIC_AUTH || old.type==CredDAO.BASIC_AUTH_SHA256) {
                                                        cddl.add(old);
@@ -1039,7 +1039,7 @@ public class Question {
 
        public static synchronized boolean specialLogOn(AuthzTrans trans, String id) {
                if (specialLog == null) {
-                       specialLog = new HashSet<String>();
+                       specialLog = new HashSet<>();
                }
                boolean rc = specialLog.add(id);
                if(rc) {
index b854def..586ae4d 100644 (file)
@@ -84,7 +84,7 @@ public class DirectAAFLocator extends AbsAAFLocator<AuthzTrans> {
                AuthzTrans trans = env.newTransNoAvg();
                Result<List<Data>> rl = ldao.readByName(trans, name);
                if(rl.isOK()) {
-                       LinkedList<EP> epl = new LinkedList<EP>();
+                       LinkedList<EP> epl = new LinkedList<>();
                        for(Data d : rl.value) {
 //                             if(myhostname!=null && d.port==myport && d.hostname.equals(myhostname)) {
 //                                     continue;
index b5fcd69..2c0c054 100644 (file)
@@ -66,7 +66,7 @@ public class DirectCertIdentity implements CertIdentity {
                Result<List<Data>> cresp = certDAO.read(trans, ByteBuffer.wrap(fingerprint));
                if(cresp.isOKhasData()) {
                        Data cdata = cresp.value.get(0);
-                       return new X509Principal(cdata.id,cert,certBytes);
+                       return new X509Principal(cdata.id,cert,certBytes,null);
                }
                return null;
        }
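Review bot: The new fourth argument to `X509Principal` is a bare `null`, and nothing at the call site says what is being left out of a principal built from a client certificate. The constructor is not visible in this hunk, so please add a short comment naming the parameter and why null is correct on this fingerprint-lookup path, e.g. `// 4th arg: <parameter name> - not available for direct lookup`. The method also returns `null` when no certificate row matches, which deserves a line in its Javadoc so callers do not dereference the result unchecked.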
index e942f3f..31a9372 100644 (file)
@@ -75,7 +75,7 @@ public class JU_Cached {
        @Test
        public void testInvalidate(){
                Cached<Trans, DataStub> cached = new Cached<Trans, DataStub>(ciDaoMock, name, 5, 30000L);
-               cached.add("test", new ArrayList<DataStub>());
+               cached.add("test", new ArrayList<>());
                cached.invalidate("test");
                cached.invalidate("test1");
        }
index c73371e..525450a 100644 (file)
@@ -51,7 +51,7 @@ public class JU_CassAccess {
        public static final String CASSANDRA_RESET_EXCEPTIONS = "cassandra.reset.exceptions";
        public static final String LATITUDE = "LATITUDE";
        public static final String LONGITUDE = "LONGITUDE";
-       //private static final List<Resettable> resetExceptions = new ArrayList<Resettable>();
+       //private static final List<Resettable> resetExceptions = new ArrayList<>();
        public static final String ERR_ACCESS_MSG = "Accessing Backend";
        private static Builder cb = null;
        @Mock
index 10a3bb0..f0dc08f 100644 (file)
@@ -17,7 +17,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
index 5c5ab96..a9a9b4e 100644 (file)
@@ -71,7 +71,7 @@ import com.datastax.driver.core.Cluster;
 public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
 
        private static final String USER_PERMS = "userPerms";
-       private static final Map<String,CA> certAuths = new TreeMap<String,CA>();
+       private static final Map<String,CA> certAuths = new TreeMap<>();
        public Facade1_0 facade1_0; // this is the default Facade
        public Facade1_0 facade1_0_XML; // this is the XML Facade
        public Map<String, Dated> cacheUser;
@@ -201,11 +201,12 @@ public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
        }
 
        @Override
-       public Filter[] filters() throws CadiException, LocatorException {
+       public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
                try {
                        return new Filter[] {
                                        new AuthzTransFilter(env,aafCon(),
-                                               new AAFTrustChecker((Env)env))
+                                       new AAFTrustChecker((Env)env),
+                                       additionalTafLurs)
                                };
                } catch (NumberFormatException e) {
                        throw new CadiException("Invalid Property information", e);
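Review bot: `_filters(Object ... additionalTafLurs)` accepts arbitrary objects and hands them straight to `AuthzTransFilter`, so what may be plugged into the authentication and authorization chain is checked at runtime at best. The signature is fixed by the overridden method, so the contract should be documented here: a Javadoc stating which types are accepted (presumably TAF and LUR implementations) and what happens to a null or unexpected element. The method body continues outside the hunk.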
index c90dccc..e840ef5 100644 (file)
@@ -36,7 +36,8 @@ import org.onap.aaf.auth.cm.cert.CSRMeta;
 import org.onap.aaf.auth.cm.cert.RDN;
 import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.configure.CertException;
 import org.onap.aaf.misc.env.Trans;
 import org.onap.aaf.misc.env.util.Split;
 
@@ -50,15 +51,16 @@ public abstract class CA {
        private static final String CM_TRUST_CAS = "cm_trust_cas";
        protected static final String CM_BACKUP_CAS = "cm_backup_cas";
 
-       public static final Set<String> EMPTY = Collections.unmodifiableSet(new HashSet<String>());
+       public static final Set<String> EMPTY = Collections.unmodifiableSet(new HashSet<>());
 
        
-       private final String name,env;
+       private final String name;
+       private final String env;
        private MessageDigest messageDigest;
        private final String permType;
-       private Set<String> caIssuerDNs;
        private final ArrayList<String> idDomains;
        private String[] trustedCAs;
+       private String[] caIssuerDNs;
        private List<RDN> rdns; 
 
 
@@ -70,7 +72,7 @@ public abstract class CA {
                if(permType==null) {
                        throw new CertException(CM_CA_PREFIX + name + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
                }
-               caIssuerDNs = new HashSet<String>();
+               caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null));
                
                String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT;
                
@@ -79,13 +81,14 @@ public abstract class CA {
                        throw new CertException(tag + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
                }
                access.log(Level.INFO, tag, "=",fields);
-               for(RDN rdn : rdns = RDN.parse('/',fields)) {
+               rdns = RDN.parse('/',fields);
+               for(RDN rdn : rdns) {
                        if(rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject
                                throw new CertException("email address is not allowed in " + CM_CA_BASE_SUBJECT);
                        }
                }
                
-               idDomains = new ArrayList<String>();
+               idDomains = new ArrayList<>();
                StringBuilder sb = null;
                for(String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) {
                        if(s.length()>0) {
@@ -102,15 +105,20 @@ public abstract class CA {
                        access.printf(Level.INIT, "CA '%s' supports Personal Certificates for %s", caName, sb);
                }
                
-               String data_dir = access.getProperty(CM_PUBLIC_DIR,null);
-               if(data_dir!=null) {
-                       File data = new File(data_dir);
+               String dataDir = access.getProperty(CM_PUBLIC_DIR,null);
+               if(dataDir!=null) {
+                       File data = new File(dataDir);
                        byte[] bytes;
                        if(data.exists()) {
-                               String trust_cas = access.getProperty(CM_TRUST_CAS,null);
-                               if(trust_cas!=null) {
-                                       for(String fname : Split.splitTrim(',', trust_cas)) {
-                                               File crt = new File(data,fname);
+                               String trustCas = access.getProperty(CM_TRUST_CAS,null);
+                               if(trustCas!=null) {
+                                       for(String fname : Split.splitTrim(',', trustCas)) {
+                                               File crt;
+                                               if(fname.contains("/")) {
+                                                       crt = new File(fname);
+                                               } else {
+                                                       crt = new File(data,fname);
+                                               }
                                                if(crt.exists()) {
                                                        access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath());
                                                        bytes = new byte[(int)crt.length()];
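Review bot: Any `cm_trust_cas` entry containing `/` is now opened exactly as given, so a relative value such as `sub/ca.crt` resolves against the process working directory instead of `CM_PUBLIC_DIR`. Trust anchors can therefore be loaded from outside the public directory. If only absolute paths are meant to bypass the data directory, test for that instead of for a slash: `File f = new File(fname); crt = f.isAbsolute() ? f : new File(data, fname);`. A comment stating that absolute paths are accepted would also help operators. The enclosing constructor starts and ends outside the hunk.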
@@ -137,7 +145,19 @@ public abstract class CA {
        }
 
        protected void addCaIssuerDN(String issuerDN) {
-               caIssuerDNs.add(issuerDN);
+               boolean changed = true;
+               for(String id : caIssuerDNs) {
+                       if(id.equals(issuerDN)) {
+                               changed = false;
+                               break;
+                       }
+               }
+               if(changed) {
+                       String[] newsa = new String[caIssuerDNs.length+1];
+                       newsa[0]=issuerDN;
+                       System.arraycopy(caIssuerDNs, 0, newsa, 1, caIssuerDNs.length);
+                       caIssuerDNs = newsa;
+               }
        }
        
        protected synchronized void addTrustedCA(final String crtString) {
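Review bot: `addCaIssuerDN` reads, copies and replaces the `caIssuerDNs` array without any lock, while the neighbouring `addTrustedCA` is `synchronized`, so two concurrent calls could lose an issuer. If it can be called after construction, declare it `protected synchronized void addCaIssuerDN(String issuerDN)`. The getter changed in the next hunk returns this same array, so any caller can overwrite entries of the issuer list; `return caIssuerDNs.clone();` would keep the internal copy intact.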
@@ -159,7 +179,7 @@ public abstract class CA {
                trustedCAs = temp;
        }
        
-       public Set<String> getCaIssuerDNs() {
+       public String[] getCaIssuerDNs() {
                return caIssuerDNs;
        }
        
@@ -209,4 +229,5 @@ public abstract class CA {
        public CSRMeta newCSRMeta() {
                return new CSRMeta(rdns);
        }
+
 }
index 0d494ac..3f39838 100644 (file)
@@ -48,7 +48,7 @@ import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.Locator.Item;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 import org.onap.aaf.cadi.locator.HotPeerLocator;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
@@ -59,21 +59,21 @@ public class JscepCA extends CA {
        static final String CA_PREFIX = "http://";
        static final String CA_POSTFIX="/certsrv/mscep_admin/mscep.dll";
 
-       private final static String MS_PROFILE="1";
-       private final static int MAX_RETRY=3;
+       private static final String MS_PROFILE="1";
+       private static final int MAX_RETRY=3;
        public static final long INVALIDATE_TIME = 1000*60*10L; // 10 mins
 
        // package on purpose
-       private Map<String,X509ChainWithIssuer> mxcwi_s;
-       private Map<Client,X509ChainWithIssuer> mxcwi_c;
+       private Map<String,X509ChainWithIssuer> mxcwiS;
+       private Map<Client,X509ChainWithIssuer> mxcwiC;
 
 
        private JscepClientLocator clients;
 
        public JscepCA(final Access access, final String name, final String env, String [][] params) throws IOException, CertException, LocatorException {
                super(access, name, env);
-               mxcwi_s = new ConcurrentHashMap<String,X509ChainWithIssuer>();
-               mxcwi_c = new ConcurrentHashMap<Client,X509ChainWithIssuer>();
+               mxcwiS = new ConcurrentHashMap<>();
+               mxcwiC = new ConcurrentHashMap<>();
                
                if(params.length<2) {
                        throw new CertException("No Trust Chain parameters are included");
@@ -110,7 +110,7 @@ public class JscepCA extends CA {
                                dir = dir + '/';
                        }
                        String path;
-                       List<FileReader> frs = new ArrayList<FileReader>(params.length-1);
+                       List<FileReader> frs = new ArrayList<>(params.length-1);
                        try {
                                for(int j=1; j<params[i].length; ++j) { // first 3 taken up, see above
                                        path = !params[i][j].contains("/")?dir+params[i][j]:params[i][j];
@@ -119,7 +119,7 @@ public class JscepCA extends CA {
                                }
                                X509ChainWithIssuer xcwi = new X509ChainWithIssuer(frs);
                                addCaIssuerDN(xcwi.getIssuerDN());
-                               mxcwi_s.put(params[i][0],xcwi);
+                               mxcwiS.put(params[i][0],xcwi);
                        } finally {
                                for(FileReader fr : frs) {
                                        if(fr!=null) {
@@ -173,26 +173,16 @@ public class JscepCA extends CA {
                                                                break;
                                                        }
                                                }
-                                               X509ChainWithIssuer mxcwi = mxcwi_c.get(client);
+                                               X509ChainWithIssuer mxcwi = mxcwiC.get(client);
                                                return new X509ChainWithIssuer(mxcwi,x509);
-//                                             break;
+
                                        } else if (er.isPending()) {
                                                trans.checkpoint("Polling, waiting on CA to complete");
                                                Thread.sleep(3000);
                                        } else if (er.isFailure()) {
-//                                             switch(er.getFailInfo()) {
-//                                                     case badMessageCheck:
-//                                                             throw new ClientException("Received BadMessageCheck from Jscep");
-//                                                     case badAlg:
-//                                                     case badCertId:
-//                                                     case badRequest:
-//                                                     case badTime:
-//                                                     default:
-//                                             }
                                                throw new CertException(clients.info(item)+':'+er.getFailInfo().toString());
                                        }
                                }
-                               //i=MAX_RETRY;
                        } catch(LocatorException e) {
                                trans.error().log(e);
                                i=MAX_RETRY;
@@ -246,7 +236,7 @@ public class JscepCA extends CA {
                                        }
                                );
                                // Map URL to Client, because Client doesn't expose Connection
-                               mxcwi_c.put(c,mxcwi_s.get(urlinfo));
+                               mxcwiC.put(c, mxcwiS.get(urlinfo));
                                return c;
                        } catch (MalformedURLException e) {
                                throw new LocatorException(e);
@@ -260,7 +250,7 @@ public class JscepCA extends CA {
 
                @Override
                protected void _destroy(Client client) {
-                       mxcwi_c.remove(client);
+                       mxcwiC.remove(client);
                }
                
                
index cd8886d..af2d2f6 100644 (file)
@@ -39,6 +39,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPublicKey;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Date;
 import java.util.GregorianCalendar;
 import java.util.List;
@@ -64,28 +65,33 @@ import org.onap.aaf.auth.cm.cert.RDN;
 import org.onap.aaf.auth.env.NullTrans;
 import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.env.Trans;
 
 public class LocalCA extends CA {
 
+       private final static BigInteger ONE = new BigInteger("1");
        // Extensions
        private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] {
                                KeyPurposeId.id_kp_serverAuth, // WebServer
-                               KeyPurposeId.id_kp_clientAuth};// WebClient
-                               
+                               KeyPurposeId.id_kp_clientAuth // WebClient
+                               };
+       
        private final PrivateKey caKey;
        private final X500Name issuer;
        private final SecureRandom random = new SecureRandom();
-       private byte[] serialish;
+       private BigInteger serial;
        private final X509ChainWithIssuer x509cwi; // "Cert" is CACert
-
+       
+       
        public LocalCA(Access access, final String name, final String env, final String[][] params) throws IOException, CertException {
                super(access, name, env);
-               serialish = new byte[24];
+       
+               serial = new BigInteger(64,random);
+
                if(params.length<1 || params[0].length<2) {
                        throw new IOException("LocalCA expects cm_ca.<ca name>=org.onap.aaf.auth.cm.ca.LocalCA,<full path to key file>[;<Full Path to Trust Chain, ending with actual CA>]+");
                }
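Review bot: `private final static BigInteger ONE = new BigInteger("1");` duplicates `BigInteger.ONE` and uses the modifier order that this same commit corrects to `private static final` in JscepCA. `BigInteger.ONE` is enough for the arithmetic. The constant is also used as a monitor in the signing hunk further down, where a dedicated lock object would be clearer. The new `serial` field would benefit from a comment saying it is a random 64-bit starting value that is only incremented afterwards.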
@@ -97,7 +103,7 @@ public class LocalCA extends CA {
                        String fileName = f.getName();
                        if(fileName.endsWith(".key")) {
                                caKey = Factory.toPrivateKey(NullTrans.singleton(),f);
-                               List<FileReader> frs = new ArrayList<FileReader>(params.length-1);
+                               List<FileReader> frs = new ArrayList<>(params.length-1);
                                try {
                                        String dir = access.getProperty(CM_PUBLIC_DIR, "");
                                        if(!"".equals(dir) && !dir.endsWith("/")) {
@@ -128,8 +134,8 @@ public class LocalCA extends CA {
                                        KeyStore keyStore;
                                        FileInputStream fis = null;
                                        if(fileName.endsWith(".pkcs11")) {
-                                               String ksType;
-                                               p = Factory.getSecurityProvider(ksType="PKCS11",params);
+                                               String ksType="PKCS11";
+                                               p = Factory.getSecurityProvider(ksType,params);
                                                keyStore = KeyStore.getInstance(ksType,p);
                                        } else if(fileName.endsWith(".jks")) {
                                                keyStore = KeyStore.getInstance("JKS");
@@ -180,7 +186,9 @@ public class LocalCA extends CA {
                }
                
                X500NameBuilder xnb = new X500NameBuilder();
-               for(RDN rnd : RDN.parse(',', x509cwi.getIssuerDN())) {
+               List<RDN> rp = RDN.parse(',', x509cwi.getIssuerDN());
+               Collections.reverse(rp);
+               for(RDN rnd : rp) {
                        xnb.addRDN(rnd.aoi,rnd.value);
                }
                issuer = xnb.build();
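Review bot: `Collections.reverse(rp)` carries no comment explaining why the RDN order from `x509cwi.getIssuerDN()` must be flipped before the issuer name is built, yet that order decides whether issued certificates chain to the CA. Presumably the DN string lists the most specific RDN first while `X500NameBuilder` expects encoding order; a comment such as `// getIssuerDN() is in display order; issuer must match the CA subject's encoded order` would record that. The call also reverses the list returned by `RDN.parse` in place, which is only safe if that list is freshly allocated on every call.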
@@ -201,9 +209,10 @@ public class LocalCA extends CA {
                TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB);
                try {
                        BigInteger bi;
-                       synchronized(serialish) {
-                               random.nextBytes(serialish);
-                               bi = new BigInteger(serialish);
+                       
+                       synchronized(ONE) {
+                               bi = serial;
+                               serial = serial.add(ONE);
                        }
                                
                        RSAPublicKey rpk = (RSAPublicKey)csrmeta.keypair(trans).getPublic();
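Review bot: Serial numbers are now sequential: `serial = serial.add(ONE)` makes each certificate's serial the previous one plus one, where the removed code drew fresh random bytes per certificate. Serials become predictable from any issued certificate, and a restart picks a new starting value with no check against serials already issued. Drawing each serial from `random`, e.g. `bi = new BigInteger(64, random);` plus a non-zero check, keeps them positive and unpredictable and needs no lock because `SecureRandom` is thread-safe. If the counter stays, guard it with a per-instance lock rather than the static `ONE`, which makes every LocalCA instance share one monitor while protecting an instance field.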
@@ -216,7 +225,7 @@ public class LocalCA extends CA {
                                        SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(new RSAKeyParameters(false,rpk.getModulus(),rpk.getPublicExponent()))
 //                                     new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded()))
                                        );
-                       List<GeneralName> lsan = new ArrayList<GeneralName>();
+                       List<GeneralName> lsan = new ArrayList<>();
                        for(String s : csrmeta.sans()) {
                                lsan.add(new GeneralName(GeneralName.dNSName,s));
                        }
@@ -225,20 +234,23 @@ public class LocalCA extends CA {
 
                    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
                        xcb.addExtension(Extension.basicConstraints,
-                       false, new BasicConstraints(false))
+                       false, new BasicConstraints(false
+                                       ))
                            .addExtension(Extension.keyUsage,
                                true, new KeyUsage(KeyUsage.digitalSignature
-                                                | KeyUsage.keyEncipherment))
+                                                | KeyUsage.keyEncipherment 
+                                                | KeyUsage.nonRepudiation))
                            .addExtension(Extension.extendedKeyUsage,
                                          true, new ExtendedKeyUsage(ASN_WebUsage))
-
                     .addExtension(Extension.authorityKeyIdentifier,
-                                         false, extUtils.createAuthorityKeyIdentifier(x509cwi.cert))
-                           .addExtension(Extension.subjectKeyIdentifier,
-                                         false, extUtils.createSubjectKeyIdentifier(x509cwi.cert.getPublicKey()))
+                                 false, extUtils.createAuthorityKeyIdentifier(x509cwi.cert))
+                    .addExtension(Extension.subjectKeyIdentifier,
+                                 false, extUtils.createSubjectKeyIdentifier(rpk))
                            .addExtension(Extension.subjectAlternativeName,
                                        false, new GeneralNames(sans))
-                                                          ;
+//                         .addExtension(MiscObjectIdentifiers.netscape, true, new NetscapeCertType(
+//                                     NetscapeCertType.sslClient|NetscapeCertType.sslClient))
+                           ;                       
        
                        x509 = new JcaX509CertificateConverter().getCertificate(
                                        xcb.build(BCFactory.contentSigner(caKey)));
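Review bot: Adding `KeyUsage.nonRepudiation` is questionable for these certificates, because elsewhere in this commit `CertResp` serialises the private key from `csrMeta.keypair(trans)` into the response, so the key is generated and handled by the service rather than held only by the subject. A key the issuer has seen cannot back a non-repudiation claim, and the extended key usage here is `ASN_WebUsage`; I would keep `KeyUsage.digitalSignature | KeyUsage.keyEncipherment` unless a consumer is known to need the extra bit. The commented-out Netscape extension lines (which OR `NetscapeCertType.sslClient` with itself) should be dropped rather than committed. The builder chain begins outside the hunk.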
@@ -248,7 +260,7 @@ public class LocalCA extends CA {
                        tt.done();
                }
                
-               return new X509ChainWithIssuer(x509cwi,x509);
+               return new X509andChain(x509,x509cwi.trustChain);
        }
 
 }
index 6f3062b..e31b998 100644 (file)
@@ -29,13 +29,14 @@ import java.security.cert.X509Certificate;
 import java.util.Collection;
 import java.util.List;
 
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 
 public class X509ChainWithIssuer extends X509andChain {
        private String issuerDN;
+       public X509Certificate caX509;
 
-       public X509ChainWithIssuer(X509ChainWithIssuer orig, X509Certificate x509) {
+       public X509ChainWithIssuer(X509ChainWithIssuer orig, X509Certificate x509) throws IOException, CertException {
                super(x509,orig.trustChain);
                issuerDN=orig.issuerDN;         
        }
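Review bot: `caX509` is added as a public, non-final field, and the copy constructor in this hunk copies `issuerDN` from `orig` but not `caX509`, so a copied chain would carry a null CA certificate. For a class that identifies the signing CA, a private field with a getter keeps callers from swapping the certificate after construction, e.g. `private X509Certificate caX509;` plus `caX509 = orig.caX509;` in this constructor. Nothing visible in this diff assigns the field, so it is worth confirming that it is used at all.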
@@ -45,39 +46,42 @@ public class X509ChainWithIssuer extends X509andChain {
                Collection<? extends Certificate> certs;
                X509Certificate x509;
                for(Reader rdr : rdrs) {
-                       if(rdr!=null) { // cover for badly formed array
-                               byte[] bytes = Factory.decode(rdr);
-                               try {
-                                       certs = Factory.toX509Certificate(bytes);
-                               } catch (CertificateException e) {
-                                       throw new CertException(e);
+                       if(rdr==null) { // cover for badly formed array
+                               continue;
+                       }
+                       
+                       byte[] bytes = Factory.decode(rdr,null);
+                       try {
+                               certs = Factory.toX509Certificate(bytes);
+                       } catch (CertificateException e) {
+                               throw new CertException(e);
+                       }
+                       for(Certificate c : certs) {
+                               x509=(X509Certificate)c;
+                               Principal subject = x509.getSubjectDN();
+                               if(subject==null) {
+                                       continue;
                                }
-                               for(Certificate c : certs) {
-                                       x509=(X509Certificate)c;
-                                       Principal subject = x509.getSubjectDN();
-                                       if(subject!=null) {
-                                               if(cert==null) { // first in Trust Chain
-                                                       issuerDN= subject.toString();
-                                               }
-                                               addTrustChainEntry(x509);
-                                               cert=x509; // adding each time makes sure last one is signer.
-                                       }
+                               if(cert==null) { // first in Trust Chain
+                                       issuerDN = subject.toString();
+                                       cert=x509; // adding each time makes sure last one is signer.
                                }
+                               addTrustChainEntry(x509);
                        }
                }
        }
        
        public X509ChainWithIssuer(Certificate[] certs) throws IOException, CertException {
                X509Certificate x509;
-               for(Certificate c : certs) {
-                       x509=(X509Certificate)c;
+               for(int i=certs.length-1; i>=0; --i) {
+                       x509=(X509Certificate)certs[i];
                        Principal subject = x509.getSubjectDN();
                        if(subject!=null) {
-                               if(cert==null) { // first in Trust Chain
-                                       issuerDN= subject.toString();
-                               }
                                addTrustChainEntry(x509);
-                               cert=x509; // adding each time makes sure last one is signer.
+                               if(i==0) { // last one is signer
+                                       cert=x509; 
+                                       issuerDN= subject.toString(); 
+                               }
                        }
                }
        }
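Review bot: Both constructors now select the signer differently from before, and the comments no longer match the code. In the `Reader` constructor `cert` is set only while it is still null, so it ends up as the first certificate read, yet the comment still says `adding each time makes sure last one is signer`; in the `Certificate[]` constructor the comment `last one is signer` sits on `i==0`, which is the first array element. If `certs[0]` has no subject, or the input is empty, `cert` and `issuerDN` stay null and the object is built without a signer; a check after the loop such as `if(cert==null) throw new CertException("No signer certificate found");` would fail fast, assuming `CertException` has a String constructor. The `(X509Certificate)` casts are also unchecked, so a non-X.509 entry surfaces as a `ClassCastException` rather than a `CertException`.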
index 46a6393..5141cc6 100644 (file)
@@ -25,8 +25,8 @@ import java.security.cert.X509Certificate;
 import java.util.List;
 
 import org.onap.aaf.auth.env.NullTrans;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 
 
 /**
@@ -45,14 +45,14 @@ public class X509andChain {
                trustChain = null;
        }
        
-       public X509andChain(X509Certificate cert, String[] trustChain) {
+       public X509andChain(X509Certificate cert, String[] tc) throws IOException, CertException {
                this.cert = cert;
-               this.trustChain = trustChain;
+               trustChain=tc;
        }
 
-       public X509andChain(X509Certificate cert, List<String> chain) {
+       public X509andChain(X509Certificate cert, List<String> chain) throws IOException, CertException {
                this.cert = cert;
-               trustChain = new String[chain.size()];
+               trustChain = new String[chain.size()+1];
                chain.toArray(trustChain);
        }
        
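Review bot: `new String[chain.size()+1]` followed by `chain.toArray(trustChain)` leaves the last slot null, because `toArray` writes a null after the final element when the array is larger than the list. Every consumer of `trustChain` then has to skip nulls; `Mapper1_0.toCert` in this commit does, but the loop in `FacadeImpl` (`for(String s : trustChain) lcerts.add(s);`) does not, if it is fed from this array. If the spare slot is reserved for `addTrustChainEntry`, a comment saying so would help; otherwise `trustChain = chain.toArray(new String[0]);` avoids the null entry. Both constructors also now declare `throws IOException, CertException` although nothing in their visible bodies throws either.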
@@ -67,6 +67,7 @@ public class X509andChain {
                        trustChain=temp;
                }
        }
+       
 
        public X509Certificate getX509() {
                return cert;
index 7f4590f..70ddd43 100644 (file)
@@ -37,8 +37,8 @@ import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.onap.aaf.auth.cm.ca.CA;
 import org.onap.aaf.auth.cm.validation.CertmanValidator;
 import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.env.Trans;
index 2541bea..7d417d5 100644 (file)
@@ -49,8 +49,8 @@ import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
 import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.misc.env.Trans;
 
 public class CSRMeta {
@@ -60,17 +60,16 @@ public class CSRMeta {
        private String email;
        private String challenge;
        private List<RDN> rdns;
-       
-       public CSRMeta(List<RDN> rdns) {
-               this.rdns = rdns;
-       }
-       
-       private ArrayList<String> sanList = new ArrayList<String>();
+       private ArrayList<String> sanList = new ArrayList<>();
        private KeyPair keyPair;
        private X500Name name = null;
        private SecureRandom random = new SecureRandom();
 
-       public X500Name x500Name() throws IOException {
+       public CSRMeta(List<RDN> rdns) {
+               this.rdns = rdns;
+       }
+
+       public X500Name x500Name() {
                if(name==null) {
                        X500NameBuilder xnb = new X500NameBuilder();
                        xnb.addRDN(BCStyle.CN,cn);
@@ -99,7 +98,7 @@ public class CSRMeta {
                }
                
                int plus = email==null?0:1;
-               if(sanList.size()>0) {
+               if(!sanList.isEmpty()) {
                        GeneralName[] gna = new GeneralName[sanList.size()+plus];
                        int i=-1;
                        for(String s : sanList) {
@@ -114,10 +113,7 @@ public class CSRMeta {
                                        })
                        );
                }
-               
-               if(email!=null) {
-                       
-               }
+
                try {
                        return builder.build(BCFactory.contentSigner(keypair(trans).getPrivate()));
                } catch (OperatorCreationException e) {
@@ -129,27 +125,29 @@ public class CSRMeta {
        public static void dump(PKCS10CertificationRequest csr) {
                 Attribute[] certAttributes = csr.getAttributes();
                 for (Attribute attribute : certAttributes) {
-                    if (attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
-                        Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
-                        GeneralNames gns = GeneralNames.fromExtensions(extensions,Extension.subjectAlternativeName);
-                        GeneralName[] names = gns.getNames();
-                        for(int k=0; k < names.length; k++) {
-                            String title = "";
-                            if(names[k].getTagNo() == GeneralName.dNSName) {
-                                title = "dNSName";
-                            } else if(names[k].getTagNo() == GeneralName.iPAddress) {
-                                title = "iPAddress";
-                                // Deprecated, but I don't see anything better to use.
-                                names[k].toASN1Object();
-                            } else if(names[k].getTagNo() == GeneralName.otherName) {
-                                title = "otherName";
-                            } else if(names[k].getTagNo() == GeneralName.rfc822Name) {
-                                title = "email";
-                            }
+                    if (!attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
+                                        continue;
+                                }
+
+                                Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
+                                GeneralNames gns = GeneralNames.fromExtensions(extensions,Extension.subjectAlternativeName);
+                                GeneralName[] names = gns.getNames();
+                                for(int k=0; k < names.length; k++) {
+                                                String title = "";
+                                                if(names[k].getTagNo() == GeneralName.dNSName) {
+                                                                title = "dNSName";
+                                                } else if(names[k].getTagNo() == GeneralName.iPAddress) {
+                                                                title = "iPAddress";
+                                                                // Deprecated, but I don't see anything better to use.
+                                                                names[k].toASN1Object();
+                                                } else if(names[k].getTagNo() == GeneralName.otherName) {
+                                                                title = "otherName";
+                                                } else if(names[k].getTagNo() == GeneralName.rfc822Name) {
+                                                                title = "email";
+                                                }
 
-                            System.out.println(title + ": "+ names[k].getName());
-                        } 
-                    }
+                                                System.out.println(title + ": "+ names[k].getName());
+                                }
                 }
        }
        
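Review bot: `gns.getNames()` is called without checking `gns`; `GeneralNames.fromExtensions` may return null when the extension request carries no subjectAlternativeName, which would make `dump` throw on a CSR without SANs — worth confirming against the BouncyCastle version in use. A guard `if(gns==null) { continue; }` right after the lookup covers it. The re-indented body also mixes indentation depths, and `names[k].toASN1Object();` discards its result, so that line can be removed.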
index 5b55f1c..b109ffc 100644 (file)
@@ -25,7 +25,7 @@ import java.util.List;
 
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.x500.style.BCStyle;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 import org.onap.aaf.cadi.util.Split;
 
 public class RDN {
@@ -66,7 +66,7 @@ public class RDN {
         * @throws CertException
         */
        public static List<RDN> parse(final char delim, final String dnString ) throws CertException {
-               List<RDN> lrnd = new ArrayList<RDN>();
+               List<RDN> lrnd = new ArrayList<>();
                StringBuilder sb = new StringBuilder();
                boolean inQuotes = false;
                for(int i=0;i<dnString.length();++i) {
index aa0b9c2..d960945 100644 (file)
@@ -28,7 +28,7 @@ import javax.xml.datatype.XMLGregorianCalendar;
 import org.onap.aaf.auth.cm.ca.CA;
 import org.onap.aaf.auth.cm.cert.BCFactory;
 import org.onap.aaf.auth.cm.cert.CSRMeta;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 
 public class CertReq {
        // These cannot be null
index 595025e..970bfb8 100644 (file)
@@ -25,12 +25,11 @@ import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
-import java.util.Set;
 
 import org.onap.aaf.auth.cm.ca.CA;
 import org.onap.aaf.auth.cm.cert.CSRMeta;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.misc.env.Trans;
 
 public class CertResp {
@@ -40,17 +39,15 @@ public class CertResp {
        
        private String privateKey, certString;
        private String[] trustChain;
-       private String[] trustCAs;
        private String[] notes;
        
-       public CertResp(Trans trans, CA ca, X509Certificate x509, CSRMeta csrMeta, String[] trustChain, String[] trustCAs, String[] notes) throws IOException, GeneralSecurityException, CertException {
+       public CertResp(Trans trans, CA ca, X509Certificate x509, CSRMeta csrMeta, String[] trustChain, String[] notes) throws IOException, GeneralSecurityException, CertException {
                keyPair = csrMeta.keypair(trans);
                privateKey = Factory.toString(trans, keyPair.getPrivate());
                certString = Factory.toString(trans,x509);
                challenge=csrMeta.challenge();
                this.ca = ca;
                this.trustChain = trustChain;
-               this.trustCAs = trustCAs;
                this.notes = notes;
        }
 
@@ -76,7 +73,7 @@ public class CertResp {
                return notes;
        }
        
-       public Set<String> caIssuerDNs() {
+       public String[] caIssuerDNs() {
                return ca.getCaIssuerDNs();
        }
        
@@ -89,6 +86,6 @@ public class CertResp {
        }
        
        public String[] trustCAs() {
-               return trustCAs;
+               return ca.getTrustedCAs();
        }
 }
index 0598ee6..794f63a 100644 (file)
@@ -58,8 +58,8 @@ import org.onap.aaf.auth.env.AuthzEnv;
 import org.onap.aaf.auth.env.AuthzTrans;
 import org.onap.aaf.auth.layer.Result;
 import org.onap.aaf.cadi.aaf.AAFPermission;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.Data;
 import org.onap.aaf.misc.env.Env;
@@ -365,7 +365,7 @@ public abstract class FacadeImpl<REQ,CERT,ARTIFACTS,ERROR> extends org.onap.aaf.
                jks.load(null, cap);
                
                // Get the Cert(s)... Might include Trust store
-               List<String> lcerts = new ArrayList<String>();
+               List<String> lcerts = new ArrayList<>();
                lcerts.add(cr.asCertString());
                for(String s : trustChain) {
                        lcerts.add(s);
index 3d865d3..c06734f 100644 (file)
@@ -31,8 +31,8 @@ import org.onap.aaf.auth.cm.data.CertReq;
 import org.onap.aaf.auth.cm.data.CertResp;
 import org.onap.aaf.auth.cm.validation.CertmanValidator;
 import org.onap.aaf.auth.dao.cass.ArtiDAO;
-import org.onap.aaf.auth.dao.cass.CertDAO;
 import org.onap.aaf.auth.dao.cass.ArtiDAO.Data;
+import org.onap.aaf.auth.dao.cass.CertDAO;
 import org.onap.aaf.auth.env.AuthzTrans;
 import org.onap.aaf.auth.layer.Result;
 import org.onap.aaf.cadi.util.FQI;
@@ -97,50 +97,59 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
         */
        @Override
        public Result<CertInfo> toCert(AuthzTrans trans, Result<CertResp> in, boolean withTrustChain) throws IOException {
-               if(in.isOK()) {
-                       CertResp cin = in.value;
-                       CertInfo cout = newInstance(API.CERT);
-                       cout.setPrivatekey(cin.privateString());
-                       String value;
-                       if((value=cin.challenge())!=null) {
-                               cout.setChallenge(value);
-                       }
-                       cout.getCerts().add(cin.asCertString());
-                       if(cin.trustChain()!=null) {
-                               for(String c : cin.trustChain()) {
-                                       if(c!=null) {
-                                               cout.getCerts().add(c);
-                                       }
+               if(!in.isOK()) {
+                       return Result.err(in);
+               }
+
+               CertResp cin = in.value;
+               CertInfo cout = newInstance(API.CERT);
+               cout.setPrivatekey(cin.privateString());
+               String value;
+               if((value=cin.challenge())!=null) {
+                       cout.setChallenge(value);
+               }
+               // In Version 1, Cert is always first
+               cout.getCerts().add(cin.asCertString());
+               // Follow with Trust Chain
+               if(cin.trustChain()!=null) {
+                       for(String c : cin.trustChain()) {
+                               if(c!=null) {
+                                       cout.getCerts().add(c);
                                }
                        }
-                       // Adding all the Certs in one response is a mistake.  Makes it very hard for Agent to setup 
-                       // Certs in keystore versus Truststore.  Separate in Version 2_0
-                       if(cin.trustCAs()!=null) {
-                               for(String c : cin.trustCAs()) {
-                                       if(c!=null) {
+               }
+
+               // Adding all the Certs in one response is a mistake.  Makes it very hard for Agent to setup
+               // Certs in keystore versus Truststore.  Separate in Version 2_0
+               if(cin.trustCAs()!=null) {
+                       for(String c : cin.trustCAs()) {
+                               if(c!=null) {
+                                       if(!cout.getCerts().contains(c)) {
                                                cout.getCerts().add(c);
-                                       } 
+                                       }
                                }
                        }
-                       if(cin.notes()!=null) {
-                               boolean first = true;
-                               StringBuilder sb = new StringBuilder();
-                               for(String n : cin.notes()) {
-                                       if(first) {
-                                               first = false;
-                                       } else {
-                                               sb.append('\n');
-                                       }
-                                       sb.append(n);
+               }
+               if(cin.notes()!=null) {
+                       boolean first = true;
+                       StringBuilder sb = new StringBuilder();
+                       for(String n : cin.notes()) {
+                               if(first) {
+                                       first = false;
+                               } else {
+                                       sb.append('\n');
                                }
-                               cout.setNotes(sb.toString());
+                               sb.append(n);
                        }
-                       cout.getCaIssuerDNs().addAll(cin.caIssuerDNs());
-                       cout.setEnv(cin.env());
-                       return Result.ok(cout);
-               } else {
-                       return Result.err(in);
+                       cout.setNotes(sb.toString());
+               }
+               List<String> caIssuerDNs = cout.getCaIssuerDNs();
+               for(String s : cin.caIssuerDNs()) {
+                       caIssuerDNs.add(s);
                }
+               cout.setEnv(cin.env());
+               return Result.ok(cout);
+
        }
 
        @Override
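Review bot: The new loop `for(String s : cin.caIssuerDNs())` iterates the array without a null check, while `trustChain()`, `trustCAs()` and `notes()` just above are all guarded; since `CertResp.caIssuerDNs()` returns `ca.getCaIssuerDNs()` directly, a CA with no issuer DNs configured could throw here. The same unguarded loop is added in `Mapper2_0.toCert`. Consider `String[] dns = cin.caIssuerDNs();` followed by `if(dns!=null) { ... }` in both places. The `withTrustChain` parameter is not consulted anywhere in the visible body, so the trust chain is always appended.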
@@ -171,9 +180,10 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 
                CertReq out = new CertReq();
                CertmanValidator v = new CertmanValidator();
-               v.isNull("CertRequest", req)
-                       .nullOrBlank("MechID", out.mechid=in.getMechid());
-               v.nullBlankMin("FQDNs", out.fqdns=in.getFqdns(),1);
+               out.mechid=in.getMechid();
+               out.fqdns=in.getFqdns();
+               v.isNull("CertRequest", req).nullOrBlank("MechID", out.mechid);
+               v.nullBlankMin("FQDNs", out.fqdns,1);
                if(v.err()) {
                        return Result.err(Result.ERR_BadData, v.errs());
                }
@@ -206,7 +216,7 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
         */
        @Override
        public List<ArtiDAO.Data> toArtifact(AuthzTrans trans, Artifacts artifacts) {
-               List<ArtiDAO.Data> ladd = new ArrayList<ArtiDAO.Data>();
+               List<ArtiDAO.Data> ladd = new ArrayList<>();
                for(Artifact arti : artifacts.getArtifact()) {
                        ArtiDAO.Data data = new ArtiDAO.Data();
                        data.mechid = arti.getMechid();
@@ -226,10 +236,8 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
                        
                        // Derive Optional Data from Machine (Domain) if exists
                        if(data.machine!=null) {
-                               if(data.ca==null) {
-                                       if(data.machine.endsWith(".att.com")) {
+                               if(data.ca==null && data.machine.endsWith(".att.com")) {
                                                data.ca = "aaf"; // default
-                                       }
                                }
                                if(data.ns==null ) {
                                        data.ns=FQI.reverseDomain(data.machine);
index a5e831e..23a0c54 100644 (file)
@@ -127,7 +127,12 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
                                }
                                cout.setNotes(sb.toString());
                        }
-                       cout.getCaIssuerDNs().addAll(cin.caIssuerDNs());
+                       
+                       List<String> caIssuerDNs = cout.getCaIssuerDNs();
+                       for(String s : cin.caIssuerDNs()) {
+                               caIssuerDNs.add(s);
+                       }
+
                        cout.setEnv(cin.env());
                        return Result.ok(cout);
                } else {
@@ -200,7 +205,7 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
         */
        @Override
        public List<ArtiDAO.Data> toArtifact(AuthzTrans trans, Artifacts artifacts) {
-               List<ArtiDAO.Data> ladd = new ArrayList<ArtiDAO.Data>();
+               List<ArtiDAO.Data> ladd = new ArrayList<>();
                for(Artifact arti : artifacts.getArtifact()) {
                        ArtiDAO.Data data = new ArtiDAO.Data();
                        data.mechid = arti.getMechid();
index 4ef5472..dee788e 100644 (file)
@@ -59,7 +59,7 @@ import org.onap.aaf.auth.org.Organization.Identity;
 import org.onap.aaf.auth.org.OrganizationException;
 import org.onap.aaf.cadi.Hash;
 import org.onap.aaf.cadi.aaf.AAFPermission;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.cadi.util.FQI;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.util.Chrono;
@@ -125,7 +125,7 @@ public class CMService {
                        }
 
                        List<String> notes = null;
-                       List<String> fqdns = new ArrayList<String>(req.value.fqdns);
+                       List<String> fqdns = new ArrayList<>(req.value.fqdns);
                        
                        
                        String email = null;
@@ -161,7 +161,7 @@ public class CMService {
                                                for(String cn : req.value.fqdns) {
                                                        try {
                                                                InetAddress[] ias = InetAddress.getAllByName(cn);
-                                                               Set<String> potentialSanNames = new HashSet<String>();
+                                                               Set<String> potentialSanNames = new HashSet<>();
                                                                for(InetAddress ia1 : ias) {
                                                                        InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress());
                                                                        if(primary==null && ias.length==1 && trans.ip().equals(ia1.getHostAddress())) {
@@ -261,7 +261,7 @@ public class CMService {
 //                                                     }
 //                                             },
 //                                             new AAFPermission(ca.getPermType(), ca.getName(), SANS))) {
-//                                     if(notes==null) {notes = new ArrayList<String>();}
+//                                     if(notes==null) {notes = new ArrayList<>();}
 //                                     notes.add("Warning: Subject Alternative Names only allowed by Permission: Get CSO Exception.");
 //                                     return Result.err(Status.ERR_Denied, "%s must have a CSO Exception to work with SAN",trans.user());
 //                             }
@@ -317,7 +317,7 @@ public class CMService {
                                crdd.type = CredDAO.CERT_SHA256_RSA;
                                credDAO.create(trans, crdd);
                                
-                               CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), ca.getTrustedCAs(), compileNotes(notes));
+                               CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(),compileNotes(notes));
                                return Result.ok(cr);
                        } catch (Exception e) {
                                trans.error().log(e);
@@ -398,7 +398,7 @@ public class CMService {
                                cdd.x509=Factory.toString(trans, x509);
                                certDAO.create(trans, cdd);
                                
-                               CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), ca.getTrustedCAs(), compileNotes(null));
+                               CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), compileNotes(null));
                                return Result.ok(cr);
                        } catch (Exception e) {
                                trans.error().log(e);
@@ -426,17 +426,24 @@ public class CMService {
                                }
                                
                                // Policy 2: MechID must have valid Organization Owner
-                               Identity ouser = muser.responsibleTo();
-                               if(ouser == null) {
-                                       return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
-                                                       trans.user(),add.mechid,trans.org().getName());
+                               Identity emailUser;
+                               if(muser.isPerson()) {
+                                       emailUser = muser;
+                               } else {
+                                       Identity ouser = muser.responsibleTo();
+                                       if(ouser == null) {
+                                               return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
+                                                               trans.user(),add.mechid,trans.org().getName());
+                                       }
+
+                                       // Policy 3: Calling ID must be MechID Owner
+                                       if(!trans.user().equals(ouser.fullID())) {
+                                               return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
+                                                               trans.user(),add.mechid,trans.org().getName());
+                                       }
+                                       emailUser = ouser;
                                }
                                
-                               // Policy 3: Calling ID must be MechID Owner
-                               if(!trans.user().equals(ouser.fullID())) {
-                                       return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
-                                                       trans.user(),add.mechid,trans.org().getName());
-                               }
 
                                // Policy 4: Renewal Days are between 10 and 60 (constants, may be parameterized)
                                if(add.renewDays<MIN_RENEWAL) {
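Review bot: The new `muser.isPerson()` branch assigns `emailUser = muser` and skips both the sponsor lookup (Policy 2) and the caller check (Policy 3), so for a personal ID nothing in this hunk ties `trans.user()` to `add.mechid`. Unless a policy outside the hunk already enforces that, the person branch needs its own guard before the assignment, for example `if(!trans.user().equals(muser.fullID())) { return Result.err(Result.ERR_Denied,"%s cannot act for %s at %s",trans.user(),add.mechid,trans.org().getName()); }`. The two following hunks then take `add.notify` and `add.sponsor` from `emailUser`, which makes a person their own sponsor; if that is intended it deserves a comment, and the `// Policy 2` heading should be reworded because it now applies only to non-person IDs. The enclosing method starts and ends outside the hunk.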
@@ -447,7 +454,7 @@ public class CMService {
                                
                                // Policy 5: If Notify is blank, set to Owner's Email
                                if(add.notify==null || add.notify.length()==0) {
-                                       add.notify = "mailto:"+ouser.email();
+                                       add.notify = "mailto:"+emailUser.email();
                                }
                                
                                // Policy 6: Only do Domain by Exception
@@ -462,7 +469,7 @@ public class CMService {
                                }
 
                                // Set Sponsor from Golden Source
-                               add.sponsor = ouser.fullID();
+                               add.sponsor = emailUser.fullID();
                                
                                
                        } catch (OrganizationException e) {
index f6d5cab..1ab0f4b 100644 (file)
@@ -52,10 +52,9 @@ import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.runners.MockitoJUnitRunner;
-import org.onap.aaf.auth.cm.ca.CA;
 import org.onap.aaf.auth.cm.cert.CSRMeta;
 import org.onap.aaf.auth.dao.cached.CachedCertDAO;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 import org.onap.aaf.misc.env.Trans;
 
 //TODO: Gabe [JUnit] Import does not exist
@@ -243,7 +242,7 @@ public class JU_AppCA {
                                
                        }
                };
-               X509andChain xac = new X509andChain(cert, new ArrayList<String>());
+               X509andChain xac = new X509andChain(cert, new ArrayList<>());
                when(localCA.sign(Mockito.any(Trans.class), Mockito.any(CSRMeta.class))).thenReturn(xac);
                certDAO = mock(CachedCertDAO.class, CALLS_REAL_METHODS);
        }
index 856d09c..337bc9e 100644 (file)
@@ -41,7 +41,7 @@ import org.junit.rules.ExpectedException;
 import org.junit.runner.RunWith;
 import org.mockito.Mockito;
 import org.mockito.runners.MockitoJUnitRunner;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.env.Trans;
 
index 7d3f25c..5ec96f2 100644 (file)
@@ -41,8 +41,8 @@ import org.onap.aaf.cadi.Locator.Item;
 import org.onap.aaf.cadi.client.Future;
 import org.onap.aaf.cadi.client.Rcli;
 import org.onap.aaf.cadi.client.Retryable;
-import org.onap.aaf.cadi.cm.Factory;
 import org.onap.aaf.cadi.config.SecurityInfoC;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.cadi.http.HBasicAuthSS;
 import org.onap.aaf.cadi.http.HMangr;
 import org.onap.aaf.cadi.locator.DNSLocator;
index 1adf135..cbad3a7 100644 (file)
@@ -18,7 +18,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
@@ -95,7 +95,6 @@
                        <plugin>
                                <groupId>org.sonatype.plugins</groupId>
                                <artifactId>nexus-staging-maven-plugin</artifactId>
-                               <version>1.6.7</version>
                                <extensions>true</extensions>
                                <configuration>
                                        <nexusUrl>${nexusproxy}</nexusUrl>
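Review bot: The `<version>` element is removed from `nexus-staging-maven-plugin` here, from `jacoco-maven-plugin` and the `aaf-cadi-aaf` and `aaf-auth-core` dependencies further down, and the added `maven-assembly-plugin` block has none, so all of them now depend on the parent `authparent` POM, which this page does not show. Please confirm that its `pluginManagement` and `dependencyManagement` sections pin each one, because a plugin with no managed version is picked by Maven at build time, which makes the release build non-reproducible. If the parent does pin them, a short comment such as `<!-- version managed in authparent -->` beside each entry would make that visible to the next reader.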
                        <plugin>
                                <groupId>org.jacoco</groupId>
                                <artifactId>jacoco-maven-plugin</artifactId>
-                               <version>${jacoco.version}</version>
                                <configuration>
                                        <excludes>
                                                <exclude>**/gen/**</exclude>
                                        </execution>
                                </executions>
                        </plugin>
+                       <plugin>
+                               <artifactId>maven-assembly-plugin</artifactId>
+                               <configuration>
+                                       <classifier>tests</classifier>
+                                       <archive>
+                                               <manifest>
+                                                       <mainClass>org.onap.aaf.auth.cmd.AAFcli</mainClass>
+                                               </manifest>
+                                               <manifestEntries>
+                                                       <Sealed>true</Sealed>
+                                               </manifestEntries>
+                                       </archive>
+                               </configuration>
+                               <executions>
+                                       <execution>
+                                               <id>full</id>
+                                               <phase>package</phase>
+                                               <goals>
+                                                       <goal>single</goal>
+                                               </goals>
+                                               <configuration>
+                                                       <descriptors>
+                                                               <descriptor>src/assemble/auth-cmd.xml</descriptor>
+                                                       </descriptors>
+                                               </configuration>
+                                       </execution>
+                               </executions>
+                       </plugin>
+                       
                </plugins>
        </build>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-aaf</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
diff --git a/auth/auth-cmd/src/assemble/auth-cmd.xml b/auth/auth-cmd/src/assemble/auth-cmd.xml
new file mode 100644 (file)
index 0000000..7a86ea8
--- /dev/null
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='utf-8'?>
+<assembly xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2 http://maven.apache.org/xsd/assembly-1.1.2.xsd">
+
+  <id>full</id>
+  <formats>
+    <format>jar</format>
+  </formats>
+
+  <includeBaseDirectory>false</includeBaseDirectory>
+  <dependencySets>
+    <dependencySet>
+      <unpack>true</unpack>
+      <scope>compile</scope>
+      <includes>
+       <include>org.onap.aaf.authz:aaf-auth-cmd</include>
+       <include>org.onap.aaf.authz:aaf-auth-core</include>
+       <include>org.onap.aaf.authz:aaf-auth-client</include>
+       <include>org.onap.aaf.authz:aaf-cadi-aaf</include>
+       <include>org.onap.aaf.authz:aaf-cadi-core</include>
+       <include>org.onap.aaf.authz:aaf-cadi-client</include>
+       <include>org.onap.aaf.authz:aaf-misc-env</include>
+       <include>org.onap.aaf.authz:aaf-misc-rosetta</include>
+       <include>jline:jline</include>
+      </includes>
+    </dependencySet>
+
+  </dependencySets>
+  <fileSets>
+    <fileSet>
+      <directory>src/main/xsd</directory>
+    </fileSet>
+   </fileSets>
+</assembly>
\ No newline at end of file
index 72aa0cc..2d5e172 100644 (file)
@@ -30,7 +30,6 @@ import java.io.PrintWriter;
 import java.io.Reader;
 import java.io.Writer;
 import java.net.HttpURLConnection;
-import java.net.URI;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -42,12 +41,11 @@ import org.onap.aaf.auth.cmd.user.User;
 import org.onap.aaf.auth.common.Define;
 import org.onap.aaf.auth.env.AuthzEnv;
 import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.Locator;
 import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.SecuritySetter;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.aaf.v2_0.AAFLocator;
+import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
 import org.onap.aaf.cadi.client.Retryable;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.config.SecurityInfoC;
@@ -59,7 +57,6 @@ import org.onap.aaf.misc.env.APIException;
 import jline.console.ConsoleReader;
 
 public class AAFcli {
-       private static final String HTTPS = "https://";
        protected static PrintWriter pw;
        protected HMangr hman;
        // Storage for last reused client. We can do this
@@ -72,7 +69,7 @@ public class AAFcli {
        private List<Cmd> cmds;
 
        // Lex State
-       private ArrayList<Integer> expect = new ArrayList<Integer>();
+       private ArrayList<Integer> expect = new ArrayList<>();
        private boolean verbose = true;
        private int delay;
        private SecurityInfoC<HttpURLConnection> si;
@@ -95,11 +92,11 @@ public class AAFcli {
        }
 
        // Create when only have Access
-       public AAFcli(Access access, Writer wtr, HMangr hman, SecurityInfoC<HttpURLConnection> si, SecuritySetter<HttpURLConnection> ss) throws APIException {
+       public AAFcli(Access access, Writer wtr, HMangr hman, SecurityInfoC<HttpURLConnection> si, SecuritySetter<HttpURLConnection> ss) throws APIException, CadiException {
                this(access,new AuthzEnv(access.getProperties()),wtr,hman, si,ss);
        }
 
-       public AAFcli(Access access, AuthzEnv env, Writer wtr, HMangr hman, SecurityInfoC<HttpURLConnection> si, SecuritySetter<HttpURLConnection> ss) throws APIException {
+       public AAFcli(Access access, AuthzEnv env, Writer wtr, HMangr hman, SecurityInfoC<HttpURLConnection> si, SecuritySetter<HttpURLConnection> ss) throws APIException, CadiException {
                this.env = env;
                this.access = access;
                this.ss = ss;
@@ -113,11 +110,10 @@ public class AAFcli {
                        close = true;
                }
 
-
                /*
                 * Create Cmd Tree
                 */
-               cmds = new ArrayList<Cmd>();
+               cmds = new ArrayList<>();
 
                Role role = new Role(this);
                cmds.add(new Help(this, cmds));
@@ -134,10 +130,10 @@ public class AAFcli {
        }
 
        public void close() {
-               if (hman != null) {
-                       hman.close();
-                       hman = null;
-               }
+//             if (hman != null) {
+//                     hman.close();
+//                     hman = null;
+//             }
                if (close) {
                        pw.close();
                }
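Review bot: `close()` no longer releases `hman`, and the old body is kept as commented-out code instead of being deleted. Both public constructors still accept an `HMangr` from the caller, so it is unclear from this hunk who closes it now; the `main()` hunk below passes `aafcon.hman()`, which suggests ownership moved to `AAFConHttp`, but that is not stated. Either delete the four dead lines and add a comment like `// hman is owned and closed by the caller (e.g. AAFConHttp)`, or restore the close so connections are not left open when a caller hands in its own manager.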
@@ -202,7 +198,7 @@ public class AAFcli {
                                                if (pass != null) {
                                                        pass = access.decrypt(pass, false);
                                                        access.getProperties().put(user, pass);
-                                                       ss = new HBasicAuthSS(si, user, pass);
+                                                       ss=new HBasicAuthSS(si, user, pass);
                                                        pw.println("as " + user);
                                                } else { // get Pass from System Properties, under name of
                                                        // Tag
@@ -362,7 +358,7 @@ public class AAFcli {
 
        private String[] argEval(String line) {
                StringBuilder sb = new StringBuilder();
-               ArrayList<String> arr = new ArrayList<String>();
+               ArrayList<String> arr = new ArrayList<>();
                boolean start = true;
                char quote = 0;
                char last = 0;
@@ -437,181 +433,179 @@ public class AAFcli {
                
                try {
                        AAFSSO aafsso = new AAFSSO(args);
+                       String noexit = aafsso.access().getProperty("no_exit");
                        try {
                                PropAccess access = aafsso.access();
-                               Define.set(access);
-                               AuthzEnv env = new AuthzEnv(access);
-                               
-                               StringBuilder err = aafsso.err();
-                               String noexit = access.getProperty("no_exit");
-                               if (err != null) {
-                                       err.append("to continue...");
-                                       System.err.println(err);
-                                       if(noexit!=null) {
-                                               System.exit(1);
-                                       }
-                               }
-       
-                               Reader rdr = null;
-                               boolean exitOnFailure = true;
-                               /*
-                                * Check for "-" options anywhere in command line
-                                */
-                               StringBuilder sb = new StringBuilder();
-                               for (int i = 0; i < args.length; ++i) {
-                                       if ("-i".equalsIgnoreCase(args[i])) {
-                                               rdr = new InputStreamReader(System.in);
-                                               // } else if("-o".equalsIgnoreCase(args[i])) {
-                                               // // shall we do something different? Output stream is
-                                               // already done...
-                                       } else if ("-f".equalsIgnoreCase(args[i])) {
-                                               if (args.length > i + 1) {
-                                                       rdr = new FileReader(args[++i]);
-                                               }
-                                       } else if ("-a".equalsIgnoreCase(args[i])) {
-                                               exitOnFailure = false;
-                                       } else if ("-c".equalsIgnoreCase(args[i])) {
-                                               isConsole = true;
-                                       } else if ("-s".equalsIgnoreCase(args[i]) && args.length > i + 1) {
-                                               access.setProperty(Cmd.STARTDATE, args[++i]);
-                                       } else if ("-e".equalsIgnoreCase(args[i]) && args.length > i + 1) {
-                                               access.setProperty(Cmd.ENDDATE, args[++i]);
-                                       } else if ("-t".equalsIgnoreCase(args[i])) {
-                                               isTest = true;
-                                       } else if ("-d".equalsIgnoreCase(args[i])) {
-                                               showDetails = true;
-                                       } else if ("-n".equalsIgnoreCase(args[i])) {
-                                               ignoreDelay = true;
-                                       } else {
-                                               if (sb.length() > 0) {
-                                                       sb.append(' ');
-                                               }
-                                               sb.append(args[i]);
-                                       }
-                               }
-       
-                               SecurityInfoC<HttpURLConnection> si = SecurityInfoC.instance(access, HttpURLConnection.class);
-                               Locator<URI> loc;
-                               String aafUrl = access.getProperty(Config.AAF_URL);
-                               if(aafUrl==null) {
-                                       aafsso.setLogDefault();
-                                       aafsso.setStdErrDefault();
-                                       aafUrl=AAFSSO.cons.readLine("aaf_url=%s", HTTPS);
-                                       if(aafUrl.length()==0) {
-                                               System.exit(0);
-                                       } else if(!aafUrl.startsWith(HTTPS)) {
-                                               aafUrl=HTTPS+aafUrl;
-                                       }
-                                       aafsso.addProp(Config.AAF_URL, aafUrl);
-                               } 
-                               // Note, with AAF Locator, this may not longer be necessary 3/2018 Jonathan
-                               if(!aafsso.loginOnly()) {
-                                       try {
-                                               loc = new AAFLocator(si,new URI(aafUrl));
-                                       } catch (Throwable t) {
-                                               aafsso.setStdErrDefault();
-                                               throw t;
-                                       } finally {
-                                               // Other Access is done writing to StdOut and StdErr, reset Std out
-                                               aafsso.setLogDefault();
-                                       }
 
-                                       TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF));
-                                       HMangr hman = new HMangr(access, loc).readTimeout(TIMEOUT).apiVersion("2.0");
+                               if(aafsso.ok()) {
+                                       Define.set(access);
+                                       AuthzEnv env = new AuthzEnv(access);
                                        
-                                       if(access.getProperty(Config.AAF_DEFAULT_REALM)==null) {
-                                               access.log(Level.ERROR, Config.AAF_DEFAULT_REALM,"is required");
+                                       Reader rdr = null;
+                                       boolean exitOnFailure = true;
+                                       /*
+                                        * Check for "-" options anywhere in command line
+                                        */
+                                       StringBuilder sb = new StringBuilder();
+                                       for (int i = 0; i < args.length; ++i) {
+                                               if ("-i".equalsIgnoreCase(args[i])) {
+                                                       rdr = new InputStreamReader(System.in);
+                                                       // } else if("-o".equalsIgnoreCase(args[i])) {
+                                                       // // shall we do something different? Output stream is
+                                                       // already done...
+                                               } else if ("-f".equalsIgnoreCase(args[i])) {
+                                                       if (args.length > i + 1) {
+                                                               rdr = new FileReader(args[++i]);
+                                                       }
+                                               } else if ("-a".equalsIgnoreCase(args[i])) {
+                                                       exitOnFailure = false;
+                                               } else if ("-c".equalsIgnoreCase(args[i])) {
+                                                       isConsole = true;
+                                               } else if ("-s".equalsIgnoreCase(args[i]) && args.length > i + 1) {
+                                                       access.setProperty(Cmd.STARTDATE, args[++i]);
+                                               } else if ("-e".equalsIgnoreCase(args[i]) && args.length > i + 1) {
+                                                       access.setProperty(Cmd.ENDDATE, args[++i]);
+                                               } else if ("-t".equalsIgnoreCase(args[i])) {
+                                                       isTest = true;
+                                               } else if ("-d".equalsIgnoreCase(args[i])) {
+                                                       showDetails = true;
+                                               } else if ("-n".equalsIgnoreCase(args[i])) {
+                                                       ignoreDelay = true;
+                                               } else {
+                                                       if (sb.length() > 0) {
+                                                               sb.append(' ');
+                                                       }
+                                                       sb.append(args[i]);
+                                               }
                                        }
-               
                                        
-                                       AAFcli aafcli = new AAFcli(access,env, new OutputStreamWriter(System.out), hman, si, 
-                                               new HBasicAuthSS(si,aafsso.user(), access.decrypt(aafsso.enc_pass(),false)));
-                                       if(!ignoreDelay) {
-                                               File delay = new File("aafcli.delay");
-                                               if(delay.exists()) {
-                                                       BufferedReader br = new BufferedReader(new FileReader(delay));
-                                                       try {
-                                                               globalDelay = Integer.parseInt(br.readLine());
-                                                       } catch(Exception e) {
-                                                               access.log(Level.DEBUG,e);
-                                                       } finally {
-                                                               br.close();
+                                       AAFConHttp aafcon = new AAFConHttp(access);
+//                                     
+//                                     SecurityInfoC<?> si = aafcon.securityInfo();
+//                                     Locator<URI> loc;
+                                       
+                                       aafsso.setLogDefault();
+                                       aafsso.setStdErrDefault();
+       
+                                       // Note, with AAF Locator, this may not longer be necessary 3/2018 Jonathan
+                                       if(!aafsso.loginOnly()) {
+//                                             try {
+//                                                     loc = new AAFLocator(si,new URI(access.getProperty(Config.AAF_URL)));
+//                                             } catch (Throwable t) {
+//                                                     aafsso.setStdErrDefault();
+//                                                     throw t;
+//                                             } finally {
+//                                                     // Other Access is done writing to StdOut and StdErr, reset Std out
+//                                                     aafsso.setLogDefault();
+//                                             }
+       
+                                               TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF));
+//                                             HMangr hman = new HMangr(access, loc).readTimeout(TIMEOUT).apiVersion(Config.AAF_DEFAULT_VERSION);
+                                               
+                                               if(access.getProperty(Config.AAF_DEFAULT_REALM)==null) {
+                                                       access.setProperty(Config.AAF_DEFAULT_REALM, "people.osaaf.org");
+                                                       aafsso.addProp(Config.AAF_DEFAULT_REALM, "people.osaaf.org");
+                                               }
+                       
+                                               AAFcli aafcli = new AAFcli(access,env, new OutputStreamWriter(System.out),  
+                                                               aafcon.hman(), aafcon.securityInfo(), aafcon.securityInfo().defSS);
+//                                                     new HBasicAuthSS(si,aafsso.user(), access.decrypt(aafsso.enc_pass(),false)));
+//                                             }
+                                               if(!ignoreDelay) {
+                                                       File delay = new File("aafcli.delay");
+                                                       if(delay.exists()) {
+                                                               BufferedReader br = new BufferedReader(new FileReader(delay));
+                                                               try {
+                                                                       globalDelay = Integer.parseInt(br.readLine());
+                                                               } catch(Exception e) {
+                                                                       access.log(Level.DEBUG,e);
+                                                               } finally {
+                                                                       br.close();
+                                                               }
                                                        }
                                                }
-                                       }
-                                       try {
-                                               if (isConsole) {
-                                                       System.out.println("Type 'help' for short help or 'help -d' for detailed help with aafcli commands");
-                                                       System.out.println("Type '?' for help with command line editing");
-                                                       System.out.println("Type 'q', 'quit', or 'exit' to quit aafcli\n");
-               
-                                                       ConsoleReader reader = new ConsoleReader();
-                                                       try {
-                                                               reader.setPrompt("aafcli > ");
+                                               try {
+                                                       if (isConsole) {
+                                                               System.out.println("Type 'help' for short help or 'help -d' for detailed help with aafcli commands");
+                                                               System.out.println("Type '?' for help with command line editing");
+                                                               System.out.println("Type 'q', 'quit', or 'exit' to quit aafcli\n");
                        
+                                                               ConsoleReader reader = new ConsoleReader();
+                                                               try {
+                                                                       reader.setPrompt("aafcli > ");
+                               
+                                                                       String line;
+                                                                       while ((line = reader.readLine()) != null) {
+                                                                               showDetails = (line.contains("-d"))?true:false;
+                               
+                                                                               if (line.equalsIgnoreCase("quit") || line.equalsIgnoreCase("q") || line.equalsIgnoreCase("exit")) {
+                                                                                       break;
+                                                                               } else if (line.equalsIgnoreCase("--help -d") || line.equalsIgnoreCase("help -d") 
+                                                                                               || line.equalsIgnoreCase("help")) {
+                                                                                       line = "--help";
+                                                                               } else if (line.equalsIgnoreCase("cls")) {
+                                                                                       reader.clearScreen();
+                                                                                       continue;
+                                                                               } else if (line.equalsIgnoreCase("?")) {
+                                                                                       keyboardHelp();
+                                                                                       continue;
+                                                                               }
+                                                                               try {
+                                                                                       aafcli.eval(line);
+                                                                                       pw.flush();
+                                                                               } catch (Exception e) {
+                                                                                       pw.println(e.getMessage());
+                                                                                       pw.flush();
+                                                                               }
+                                                                       }
+                                                               } finally {
+                                                                       reader.close();
+                                                               }
+                                                       } else if (rdr != null) {
+                                                               BufferedReader br = new BufferedReader(rdr);
                                                                String line;
-                                                               while ((line = reader.readLine()) != null) {
-                                                                       showDetails = (line.contains("-d"))?true:false;
-                       
-                                                                       if (line.equalsIgnoreCase("quit") || line.equalsIgnoreCase("q") || line.equalsIgnoreCase("exit")) {
+                                                               while ((line = br.readLine()) != null) {
+                                                                       if (!aafcli.eval(line) && exitOnFailure) {
+                                                                               rv = 1;
                                                                                break;
-                                                                       } else if (line.equalsIgnoreCase("--help -d") || line.equalsIgnoreCase("help -d") 
-                                                                                       || line.equalsIgnoreCase("help")) {
-                                                                               line = "--help";
-                                                                       } else if (line.equalsIgnoreCase("cls")) {
-                                                                               reader.clearScreen();
-                                                                               continue;
-                                                                       } else if (line.equalsIgnoreCase("?")) {
-                                                                               keyboardHelp();
-                                                                               continue;
-                                                                       }
-                                                                       try {
-                                                                               aafcli.eval(line);
-                                                                               pw.flush();
-                                                                       } catch (Exception e) {
-                                                                               pw.println(e.getMessage());
-                                                                               pw.flush();
                                                                        }
                                                                }
-                                                       } finally {
-                                                               reader.close();
-                                                       }
-                                               } else if (rdr != null) {
-                                                       BufferedReader br = new BufferedReader(rdr);
-                                                       String line;
-                                                       while ((line = br.readLine()) != null) {
-                                                               if (!aafcli.eval(line) && exitOnFailure) {
-                                                                       rv = 1;
-                                                                       break;
+                                                       } else { // just run the command line
+                                                               aafcli.verbose(false);
+                                                               if (sb.length() == 0) {
+                                                                       sb.append("--help");
                                                                }
+                                                               rv = aafcli.eval(sb.toString()) ? 0 : 1;
                                                        }
-                                               } else { // just run the command line
-                                                       aafcli.verbose(false);
-                                                       if (sb.length() == 0) {
-                                                               sb.append("--help");
+                                                       
+                                               } finally {
+                                                       aafcli.close();
+                       
+                                                       // Don't close if No Reader, or it's a Reader of Standard In
+                                                       if (rdr != null && !(rdr instanceof InputStreamReader)) {
+                                                               rdr.close();
                                                        }
-                                                       rv = aafcli.eval(sb.toString()) ? 0 : 1;
-                                               }
-                                               
-                                       } finally {
-                                               aafcli.close();
-               
-                                               // Don't close if No Reader, or it's a Reader of Standard In
-                                               if (rdr != null && !(rdr instanceof InputStreamReader)) {
-                                                       rdr.close();
                                                }
                                        }
                                }
-                               aafsso.writeFiles();
                        } finally {
                                aafsso.close();
+                               StringBuilder err = aafsso.err();
+                               if (err != null) {
+                                       err.append("to continue...");
+                                       System.err.println(err);
+                               }
                        }
-                       
+                       if(noexit==null) {
+                               return;
+                       }
+
+
                } catch (MessageException e) {
                        System.out.println("MessageException caught");
 
                        System.err.println(e.getMessage());
-               } catch (Throwable e) {
+               } catch (Exception e) {
                        e.printStackTrace(System.err);
                }
                System.exit(rv);
@@ -626,7 +620,7 @@ public class AAFcli {
        }
 
        public String typeString(Class<?> cls, boolean json) {
-               return "application/" + cls.getSimpleName() + "+" + (json ? "json" : "xml") + ";version=" + hman.apiVersion();
+               return "application/" + cls.getSimpleName() + "+" + (json ? "json" : "xml");//+ ";version=" + hman.apiVersion();
        }
 
        public String forceString() {
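Review bot: The new return line in `typeString` keeps the removed suffix as a trailing comment (`//+ ";version=" + hman.apiVersion();`), so a reader cannot tell whether dropping the version parameter from the media type is deliberate or a temporary workaround. If the client is meant to stop sending it, the line should read `return "application/" + cls.getSimpleName() + "+" + (json ? "json" : "xml");` with a one-line Javadoc stating that no `;version=` parameter is emitted and why. Any server-side matching on that parameter is not visible here and should be checked against this change.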
index 0bfefd2..7079fed 100644 (file)
@@ -34,12 +34,12 @@ public class BaseCmd<CMD extends Cmd> extends Cmd  {
 
        public BaseCmd(AAFcli aafcli, String name, Param ... params) {
                super(aafcli, null, name, params);
-               cmds = new ArrayList<Cmd>();
+               cmds = new ArrayList<>();
        }
        
        public BaseCmd(CMD parent, String name, Param ... params) {
                super(parent.aafcli, parent, name, params);
-               cmds = new ArrayList<Cmd>();
+               cmds = new ArrayList<>();
        }
 
        
index 7f41650..71643cd 100644 (file)
@@ -73,7 +73,7 @@ public abstract class Cmd {
        private int required;
        protected final Cmd parent;
        protected final List<Cmd> children;
-       private final static ConcurrentHashMap<Class<?>,RosettaDF<?>> dfs = new ConcurrentHashMap<Class<?>,RosettaDF<?>>();
+       private final static ConcurrentHashMap<Class<?>,RosettaDF<?>> dfs = new ConcurrentHashMap<>();
        public final AAFcli aafcli;
        protected Access access;
        private AuthzEnv env;
@@ -95,7 +95,7 @@ public abstract class Cmd {
                if(parent!=null) {
                        parent.children.add(this);
                }
-               children = new ArrayList<Cmd>();
+               children = new ArrayList<>();
                this.params = params;
                this.name = name;
                required=0;
index 1c988e3..01017e0 100644 (file)
@@ -67,7 +67,7 @@ public class ListUsersContact extends Cmd {
                                Future<Nss> fn = client.read("/authz/nss/"+ns,getDF(Nss.class));
                                if(fn.get(AAFcli.timeout())) {
                                        if(fn.value!=null) {
-                                               Set<String> uset = detail?null:new HashSet<String>();
+                                               Set<String> uset = detail?null:new HashSet<>();
                                                for(Ns n : fn.value.getNs()) {
                                                        Future<Roles> fr = client.read("/authz/roles/ns/"+n.getName(), getDF(Roles.class));
                                                        if(fr.get(AAFcli.timeout())) {
index 2ee8bd2..e49a6e9 100644 (file)
@@ -67,7 +67,7 @@ public class ListUsersInRole extends Cmd {
                                Future<Nss> fn = client.read("/authz/nss/"+ns,getDF(Nss.class));
                                if(fn.get(AAFcli.timeout())) {
                                        if(fn.value!=null) {
-                                               Set<String> uset = detail?null:new HashSet<String>();
+                                               Set<String> uset = detail?null:new HashSet<>();
                                                for(Ns n : fn.value.getNs()) {
                                                        Future<Roles> fr = client.read("/authz/roles/ns/"+n.getName(), getDF(Roles.class));
                                                        if(fr.get(AAFcli.timeout())) {
index 97ccf56..1a4ed7a 100644 (file)
@@ -67,7 +67,7 @@ public class ListUsersWithPerm extends Cmd {
                                Future<Nss> fn = client.read("/authz/nss/"+ns,getDF(Nss.class));
                                if(fn.get(AAFcli.timeout())) {
                                        if(fn.value!=null) {
-                                               Set<String> uset = detail?null:new HashSet<String>();
+                                               Set<String> uset = detail?null:new HashSet<>();
                                                
                                                for(Ns n : fn.value.getNs()) {
                                                        Future<Perms> fp = client.read("/authz/perms/ns/"+n.getName()+(aafcli.isDetailed()?"?ns":"")
index 4acd5a8..d9da835 100644 (file)
@@ -184,7 +184,7 @@ public class JU_AAFCli {
                assertTrue(cli.eval("Some random string @#&*& to check complete 100 coverage"));
        }
 
-       public static AAFcli getAAfCli() throws APIException, LocatorException, GeneralSecurityException, IOException {
+       public static AAFcli getAAfCli() throws APIException, LocatorException, GeneralSecurityException, IOException, CadiException {
                final AuthzEnv env = new AuthzEnv(System.getProperties());
                String aafUrl = "https://DME2RESOLVE";
                SecurityInfoC<HttpURLConnection> si = mock(SecurityInfoC.class);
index c071d95..79a3dd5 100644 (file)
@@ -54,7 +54,7 @@ public class JU_BaseCmd {
        private static BaseCmd bCmd;
 
        @BeforeClass
-       public static void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+       public static void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException, CadiException {
                cli = JU_AAFCli.getAAfCli();
                bCmd = new BaseCmd<>(cli, "testString");
        }
index 13394a3..3566555 100644 (file)
@@ -94,7 +94,7 @@ public class JU_Cmd {
        }
        
        @Before
-       public void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+       public void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException, CadiException {
                cli = JU_AAFCli.getAAfCli();
                Param[] param = new Param[] {new Param("name",true)};
                
index bc1f4cc..50da3e3 100644 (file)
@@ -84,7 +84,7 @@ public class JU_Help {
        private static List<Cmd> cmds;
        
        @Before
-       public void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+       public void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException, CadiException {
                cli = JU_AAFCli.getAAfCli();
                cmds = new ArrayList<>();
                Param[] param = new Param[] {new Param("name",true)};
index 884f540..c0ac0f2 100644 (file)
@@ -50,7 +50,7 @@ public class JU_Version {
        private static Version version;
        
        @BeforeClass
-       public static void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+       public static void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException, CadiException {
                cli = JU_AAFCli.getAAfCli();
                version = new Version(cli);
        }
index 7ef9c9a..77518d4 100644 (file)
@@ -66,7 +66,7 @@ public class JU_Log {
        AAFcli aafcli;
        
        @Before
-       public void setUp() throws APIException, LocatorException {
+       public void setUp() throws APIException, LocatorException, CadiException {
                prop = new PropAccess();
                aEnv = new AuthzEnv();
                wtr = mock(Writer.class);
index 1618e78..91d2218 100644 (file)
@@ -66,7 +66,7 @@ public class JU_SessClear {
        AAFcli aafcli;
        
        @Before
-       public  void setUp() throws LocatorException, APIException {
+       public  void setUp() throws LocatorException, APIException, CadiException {
                prop = new PropAccess();
                aEnv = new AuthzEnv();
                wtr = mock(Writer.class);
index 04fd64f..e0a1128 100644 (file)
@@ -64,7 +64,7 @@ public class JU_Delete {
        AAFcli aafcli;
        
        @Before
-       public void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+       public void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException, CadiException {
                prop = new PropAccess();
                aEnv = new AuthzEnv();
                wtr = mock(Writer.class);
index 1926249..a6d2130 100644 (file)
@@ -27,6 +27,7 @@ import java.util.ArrayList;
 import org.onap.aaf.auth.cmd.ns.List;
 import org.onap.aaf.auth.cmd.ns.NS;
 import org.onap.aaf.auth.env.AuthzEnv;
+import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.Locator;
 import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.PropAccess;
@@ -60,7 +61,7 @@ public class JU_List {
        private class NssStub extends Nss {
                public void addNs(Nss.Ns ns) {  
                        if (this.ns == null) {
-                   this.ns = new ArrayList<Nss.Ns>();
+                   this.ns = new ArrayList<>();
                }
                        this.ns.add(ns);
                }
@@ -68,21 +69,21 @@ public class JU_List {
                private class NsStub extends Ns{
                        public void addAttrib(Nss.Ns.Attrib attrib) {
                    if ( this.attrib == null) {
-                       this.attrib = new ArrayList<Nss.Ns.Attrib>();
+                       this.attrib = new ArrayList<>();
                    }
                    this.attrib.add(attrib);
                }
                        
                        public void addResponsible(String str) {
                    if (this.responsible == null) {
-                       this.responsible = new ArrayList<String>();
+                       this.responsible = new ArrayList<>();
                    }
                    this.responsible.add(str);
                }
                        
                        public void addAdmin(String str) {
                    if (this.admin == null) {
-                       this.admin = new ArrayList<String>();
+                       this.admin = new ArrayList<>();
                    }
                    this.admin.add(str);
                }
@@ -95,7 +96,7 @@ public class JU_List {
        
 
        @Before
-       public void setUp() throws APIException, LocatorException {
+       public void setUp() throws APIException, LocatorException, CadiException {
                PropAccess prop = new PropAccess();
                AuthzEnv aEnv = new AuthzEnv();
                Writer wtr = mock(Writer.class);
index e44a821..909e852 100644 (file)
@@ -32,6 +32,7 @@ import org.onap.aaf.auth.cmd.ns.List;
 import org.onap.aaf.auth.cmd.ns.ListUsers;
 import org.onap.aaf.auth.cmd.ns.NS;
 import org.onap.aaf.auth.cmd.test.JU_AAFCli;
+import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.misc.env.APIException;
 
@@ -57,7 +58,7 @@ public class JU_ListUsers {
        ListUsers lUsers;
        
        @Before
-       public void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException {
+       public void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException, CadiException {
                cli = JU_AAFCli.getAAfCli();
                ns = new NS(cli);
                list = new List(ns);
index 14dcbe6..ad48ce3 100644 (file)
@@ -67,7 +67,7 @@ public class JU_ListUsersContact {
        ListUsersContact lUContact;
        
        @Before
-       public void setUp() throws LocatorException, APIException {
+       public void setUp() throws LocatorException, APIException, CadiException {
                prop = new PropAccess();
                aEnv = new AuthzEnv();
                wtr = mock(Writer.class);
index 781f774..84b3caa 100644 (file)
@@ -87,7 +87,7 @@ public class JU_List {
        private class RolesStub extends Roles {
                public void addRole(aaf.v2_0.Role role) {
                        if (this.role == null) {
-                               this.role = new ArrayList<aaf.v2_0.Role>();
+                               this.role = new ArrayList<>();
                        }
                        this.role.add(role);
                }
@@ -97,14 +97,14 @@ public class JU_List {
                
                public void addPerms(Pkey perms) {
                if (this.perms == null) {
-                   this.perms = new ArrayList<Pkey>();
+                   this.perms = new ArrayList<>();
                }
                this.perms.add(perms); 
            }
        }
        
        @Before
-       public void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException{
+       public void setUp() throws APIException, LocatorException, GeneralSecurityException, IOException, CadiException{
                prop = new PropAccess();
                aEnv = new AuthzEnv();
                wtr = mock(Writer.class);
index 9432cbc..eaf8f8c 100644 (file)
@@ -69,7 +69,7 @@ public class JU_Cred {
        AAFcli aafcli;
 
        @Before
-       public void setUp() throws FileNotFoundException, APIException, LocatorException {
+       public void setUp() throws FileNotFoundException, APIException, LocatorException, CadiException {
                prop = new PropAccess();
                aEnv = new AuthzEnv();
                wtr = mock(Writer.class);
index 3c78841..9f2b227 100644 (file)
@@ -68,16 +68,16 @@ public class JU_Delg {
        AAFcli aafcli;
 
        @Before
-       public void setUp() throws FileNotFoundException, APIException, LocatorException {
+       public void setUp() throws FileNotFoundException, APIException, LocatorException, CadiException {
                prop = new PropAccess();
                aEnv = new AuthzEnv();
                wtr = mock(Writer.class);
                loc = mock(Locator.class);
                SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
-               hman = new HMangr(aEnv, loc);   
-               aafcli = new AAFcli(prop, aEnv, wtr, hman, null, secSet);
-               user = new User(aafcli);
-               delg = new Delg(user);
+               hman = mock(HMangr.class); //new HMangr(aEnv, loc);     
+               aafcli = mock(AAFcli.class);//new AAFcli(prop, aEnv, wtr, hman, null, secSet);
+//             user = mock(User.class); //new User(aafcli);
+//             delg = new Delg(user);
        }
        
        @Test
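Review bot: After this change the `JU_Delg` tests no longer exercise `Delg` at all. In `setUp` the construction of `user` and `delg` is commented out, and in the next hunk every `delg._exec(...)` call and the `delg.detailedHelp(0, sb)` call in `testDetailedHelp` is commented out too, so both tests pass while asserting nothing. For a command that manages user delegation in an authorization service, that is a silent loss of coverage rather than a Sonar fix. Either build `Delg` against mocks that work, or delete the commented lines and mark the tests `@Ignore("Delg needs a real AAFcli; re-enable once it can be constructed in a unit test")` so the gap shows up in test reports.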
@@ -91,20 +91,20 @@ public class JU_Delg {
                SecuritySetter<HttpURLConnection> secSet = mock(SecuritySetter.class);
                HRcli hcli = new HRcli(hman, uri, item, secSet);
                String[] strArr = {"add","upd","del"};
-               delg._exec(0, strArr);
+//             delg._exec(0, strArr);
                
                String[] strArr1 = {"upd","del","add"};
-               delg._exec(0, strArr1);
+//             delg._exec(0, strArr1);
                
                String[] strArr2 = {"del","add"};
-               delg._exec(0, strArr2);
+//             delg._exec(0, strArr2);
 
        }
        
        @Test
        public void testDetailedHelp() {
                StringBuilder sb = new StringBuilder();
-               delg.detailedHelp(0, sb);
+//             delg.detailedHelp(0, sb);
        }
        
 }
diff --git a/auth/auth-cmd/temp b/auth/auth-cmd/temp
deleted file mode 100644 (file)
index e69de29..0000000
index 426a306..9a680ab 100644 (file)
@@ -25,7 +25,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
index 1736803..9d48ecb 100644 (file)
@@ -50,12 +50,11 @@ public class Cache<TRANS extends Trans, DATA> {
 
        public static final String CACHE_HIGH_COUNT = "CACHE_HIGH_COUNT";
        public static final String CACHE_CLEAN_INTERVAL = "CACHE_CLEAN_INTERVAL";
-//     public static final String CACHE_MIN_REFRESH_INTERVAL = "CACHE_MIN_REFRESH_INTERVAL";
 
        private static final Map<String,Map<String,Dated>> cacheMap;
 
        static {
-               cacheMap = new HashMap<String,Map<String,Dated>>();
+               cacheMap = new HashMap<>();
        }
 
        /**
@@ -64,7 +63,7 @@ public class Cache<TRANS extends Trans, DATA> {
         * @author Jonathan
         *
         */
-       public final static class Dated { 
+       public static final class Dated {
                public Date timestamp;
                public List<?> data;
                private long expireIn;
@@ -77,7 +76,7 @@ public class Cache<TRANS extends Trans, DATA> {
 
                public <T> Dated(T t, long expireIn) {
                        timestamp = new Date(System.currentTimeMillis()+expireIn);
-                       ArrayList<T> al = new ArrayList<T>(1);
+                       ArrayList<T> al = new ArrayList<>(1);
                        al.add(t);
                        data = al;
                        this.expireIn = expireIn;
@@ -91,7 +90,7 @@ public class Cache<TRANS extends Trans, DATA> {
        public static Map<String,Dated> obtain(String key) {
                Map<String, Dated> m = cacheMap.get(key);
                if(m==null) {
-                       m = new ConcurrentHashMap<String, Dated>();
+                       m = new ConcurrentHashMap<>();
                        synchronized(cacheMap) {
                                cacheMap.put(key, m);
                        }
@@ -108,7 +107,7 @@ public class Cache<TRANS extends Trans, DATA> {
         * @author Jonathan
         *
         */
-       private final static class Clean extends TimerTask {
+       private static final class Clean extends TimerTask {
                private final Env env;
                private Set<String> set;
                
@@ -124,7 +123,7 @@ public class Cache<TRANS extends Trans, DATA> {
                        high = highCount;
                        timeInterval = cleanInterval;
                        advance = 0;
-                       set = new HashSet<String>();
+                       set = new HashSet<>();
                }
                
                public synchronized void add(String key) {
@@ -140,16 +139,17 @@ public class Cache<TRANS extends Trans, DATA> {
                        
                        for(String name : set) {
                                Map<String,Dated> map = cacheMap.get(name);
-                               if(map!=null) for(Map.Entry<String,Dated> me : map.entrySet()) {
+                               if(map==null) {
+                                       continue;
+                               }
+
+                               for(Map.Entry<String,Dated> me : map.entrySet()) {
                                        ++total;
-                                       if(me.getValue().timestamp.before(now)) {
+                                       if (me.getValue().timestamp.before(now)) {
                                                map.remove(me.getKey());
                                                ++count;
                                        }
                                }
-//                             if(count>0) {
-//                                     env.info().log(Level.INFO, "Cache removed",count,"expired",name,"Elements");
-//                             }
                        }
                        
                        if(count>0) {
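Review bot: The loop in `Clean` reads `cacheMap.get(name)` without holding a lock, while `cacheMap` is a plain `HashMap` (static initialiser in the first hunk of this file) and `obtain` writes to it under `synchronized(cacheMap)` after an unsynchronised `get`. A `HashMap` read that races with a `put` is not safe, and the get-then-put in `obtain` lets two threads publish different maps for the same key, so entries placed in the losing map are never seen by this cleaner. Since the commit already touches the initialiser, `cacheMap = new ConcurrentHashMap<>();` would make both reads safe, and the class is already used in `obtain`. The enclosing method's signature is outside this hunk, so whether it runs under the `Clean` monitor cannot be confirmed from here.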
index 6f0ea08..1e7a053 100644 (file)
@@ -51,7 +51,7 @@ public class Define {
        }
        
        public static void set(Access access) throws CadiException {
-               ROOT_NS = access.getProperty(Config.AAF_ROOT_NS,"org.onap.aaf");
+               ROOT_NS = access.getProperty(Config.AAF_ROOT_NS,"org.osaaf.aaf");
                ROOT_COMPANY = access.getProperty(Config.AAF_ROOT_COMPANY,null);
                if(ROOT_COMPANY==null) {
                        int last = ROOT_NS.lastIndexOf('.');
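Review bot: The fallback for `Config.AAF_ROOT_NS` in `Define.set` changes from `"org.onap.aaf"` to `"org.osaaf.aaf"` with no comment. A deployment that never set the property will silently get a different root namespace, and the `ROOT_COMPANY` derived from it in the lines below changes with it. Because the namespaces and permissions of the authorization service hang off this value, the new default deserves a comment on that line, for example `// Default root namespace; installations that relied on the former default "org.onap.aaf" must set Config.AAF_ROOT_NS explicitly`. Logging the effective value at startup would also make a mismatch visible. The body of `set` continues past the end of this hunk.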
index a25c5f3..531e40a 100644 (file)
@@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.onap.aaf.auth.rserv.TransFilter;
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.Connector;
+import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.TrustChecker;
 import org.onap.aaf.cadi.principal.TaggedPrincipal;
 import org.onap.aaf.cadi.principal.TrustPrincipal;
@@ -48,7 +49,7 @@ public class AuthzTransFilter extends TransFilter<AuthzTrans> {
 
        public static final int BUCKETSIZE = 2;
        
-       public AuthzTransFilter(AuthzEnv env, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
+       public AuthzTransFilter(AuthzEnv env, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException, LocatorException {
                super(env.access(),con, tc, additionalTafLurs);
                this.env = env;
                serviceMetric = new Metric();
@@ -62,9 +63,10 @@ public class AuthzTransFilter extends TransFilter<AuthzTrans> {
        }
        
        @Override
-       protected AuthzTrans newTrans() {
+       protected AuthzTrans newTrans(HttpServletRequest req) {
                AuthzTrans at = env.newTrans();
                at.setLur(getLur());
+               at.set(req);
                return at;
        }
 
index 6ef6a76..39225f7 100644 (file)
@@ -89,7 +89,7 @@ public class TextIndex {
                        }
                }
                
-               List<Integer> entries = new ArrayList<Integer>();
+               List<Integer> entries = new ArrayList<>();
                for(int i=min;i<=max;++i) {
                        ttok.pos(i*REC_SIZE);
                        tib.rewind();
@@ -127,7 +127,7 @@ public class TextIndex {
        public void create(final Trans trans,final DataFile data, int maxLine, char delim, int fieldOffset, int skipLines) throws IOException {
                FileChannel fos;
                
-               List<Idx> list = new LinkedList<Idx>(); // Some hashcodes will double... DO NOT make a set
+               List<Idx> list = new LinkedList<>(); // Some hashcodes will double... DO NOT make a set
                TimeTaken tt2 = trans.start("Open Files", Env.SUB);
                RandomAccessFile raf=null;
                try {
index 8476e06..bbae00c 100644 (file)
@@ -307,11 +307,11 @@ public interface Organization {
        public static final Organization NULL = new Organization() 
        {
                private final GregorianCalendar gc = new GregorianCalendar(1900, 1, 1);
-               private final List<Identity> nullList = new ArrayList<Identity>();
-               private final Set<String> nullStringSet = new HashSet<String>();
+               private final List<Identity> nullList = new ArrayList<>();
+               private final Set<String> nullStringSet = new HashSet<>();
                private String[] nullStringArray = new String[0];
                private final Identity nullIdentity = new Identity() {
-                       List<String> nullUser = new ArrayList<String>();
+                       List<String> nullUser = new ArrayList<>();
                        @Override
                        public String type() {
                                return N_A;
index 57d37d0..f950703 100644 (file)
@@ -48,7 +48,7 @@ import org.onap.aaf.misc.env.impl.BasicEnv;
 public class OrganizationFactory {
        private static final String ORGANIZATION_DOT = "Organization.";
        private static Organization defaultOrg = null;
-       private static Map<String,Organization> orgs = new ConcurrentHashMap<String,Organization>();
+       private static Map<String,Organization> orgs = new ConcurrentHashMap<>();
        public static Organization init(BasicEnv env) throws OrganizationException {
                int idx = ORGANIZATION_DOT.length();
                Organization org,firstOrg = null;
index 1953694..82a226e 100644 (file)
@@ -41,7 +41,7 @@ class Acceptor<TRANS extends Trans>  {
        
        public Acceptor(List<Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>>> types) {
                this.types = types;
-               acceptable = new ArrayList<Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>>>();
+               acceptable = new ArrayList<>();
        }
        
        private boolean eval(HttpCode<TRANS,?> code, String str, List<String> props) {
@@ -128,7 +128,7 @@ class Acceptor<TRANS extends Trans>  {
                int cis,cie=-1,cend;
                int sis,sie,send;
                String name;
-               ArrayList<String> props = new ArrayList<String>();
+               ArrayList<String> props = new ArrayList<>();
                do {
                        // Clear these in case more than one Semi
                        props.clear(); // on loop, do not want mixed properties
index 5a03a09..bc563f3 100644 (file)
@@ -109,11 +109,11 @@ public class CachingFileAccess<TRANS extends Trans> extends HttpCode<TRANS, Void
        public CachingFileAccess(EnvJAXB env, String ... args) throws IOException {
                super(null,"Caching File Access");
                setEnv(env,args);
-               content = new ConcurrentSkipListMap<String,Content>(); // multi-thread changes possible
+               content = new ConcurrentSkipListMap<>(); // multi-thread changes possible
 
-               attachOnly = new HashSet<String>();     // short, unchanged
+               attachOnly = new HashSet<>();     // short, unchanged
 
-               typeMap = new TreeMap<String,String>(); // Structure unchanged after Construction
+               typeMap = new TreeMap<>(); // Structure unchanged after Construction
                typeMap.put("ico","image/icon");
                typeMap.put("html","text/html");
                typeMap.put("css","text/css");
@@ -540,7 +540,7 @@ public class CachingFileAccess<TRANS extends Trans> extends HttpCode<TRANS, Void
                public void run() {
                        int size = content.size();
                        if(size>maxSize) {
-                               ArrayList<Comp> scont = new ArrayList<Comp>(size);
+                               ArrayList<Comp> scont = new ArrayList<>(size);
                                Object[] entries = content.entrySet().toArray();
                                for(int i=0;i<size;++i) {
                                        scont.add(i, new Comp((Map.Entry<String,Content>)entries[i]));
index 0bfe310..d209ddc 100644 (file)
@@ -78,11 +78,14 @@ public abstract class HttpCode<TRANS extends Trans, CONTEXT> {
         * @return
         */
        public String pathParam(HttpServletRequest req, String key) {
-               String rv = match.param(req.getPathInfo(), key);
-               if(rv!=null) {
-                       rv = rv.trim();
-                       if(rv.endsWith("/")) {
-                               rv = rv.substring(0, rv.length()-1);
+               String rv = req.getParameter(key);
+               if(rv==null) {
+                       rv = match.param(req.getPathInfo(), key);
+                       if(rv!=null) {
+                               rv = rv.trim();
+                               if(rv.endsWith("/")) {
+                                       rv = rv.substring(0, rv.length()-1);
+                               }
                        }
                }
                return rv;
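Review bot: In `pathParam`, `req.getParameter(key)` now takes precedence over the value matched from the path, so a query-string or form parameter with the same name silently replaces the segment the route was matched on. If a caller makes an access or lookup decision on the path while reading the value through `pathParam`, the two can disagree. Unless the override is intended, run `String rv = match.param(req.getPathInfo(), key);` first and use `if(rv==null) { rv = req.getParameter(key); }` only as the fallback. The request-parameter value also skips the `trim()` and trailing-slash stripping applied to the path value, so a comment should say whether that is deliberate. The method's closing brace is outside the hunk.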
index ac8b31c..e4eb239 100644 (file)
@@ -51,7 +51,7 @@ public class Match {
         */
        public Match(String path) {
                // IF DEBUG: System.out.print("\n[" + path + "]");
-               params = new HashMap<String,Integer>();
+               params = new HashMap<>();
                if(path!=null) {
                        String[] pa = path.split("/");
                        values = new byte[pa.length][];
index 5de2ebe..1c946e8 100644 (file)
@@ -28,6 +28,6 @@ public class RouteReport {
        public HttpMethods meth;
        public String path;
        public String desc;
-       public final List<String> contextTypes = new ArrayList<String>();
+       public final List<String> contextTypes = new ArrayList<>();
 
 }
index fefb8f3..7cfadf2 100644 (file)
@@ -80,7 +80,7 @@ public class Routes<TRANS extends Trans> {
        }
        
        public List<RouteReport> routeReport() {
-               ArrayList<RouteReport> ltr = new ArrayList<RouteReport>();
+               ArrayList<RouteReport> ltr = new ArrayList<>();
                for(int i=0;i<end;++i) {
                        ltr.add(routes[i].api());
                }
index 1011767..c286e50 100644 (file)
@@ -37,6 +37,7 @@ import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.CadiWrap;
 import org.onap.aaf.cadi.Connector;
+import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.Lur;
 import org.onap.aaf.cadi.TrustChecker;
 import org.onap.aaf.cadi.config.Config;
@@ -66,7 +67,7 @@ public abstract class TransFilter<TRANS extends TransStore> implements Filter {
 
        private final String[] no_authn;
        
-       public TransFilter(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
+       public TransFilter(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException, LocatorException {
                cadi = new CadiHTTPManip(access, con, tc, additionalTafLurs);
                String no = access.getProperty(Config.CADI_NOAUTHN, null);
                if(no!=null) {
@@ -84,22 +85,22 @@ public abstract class TransFilter<TRANS extends TransStore> implements Filter {
                return cadi.getLur();
        }
 
-       protected abstract TRANS newTrans();
+       protected abstract TRANS newTrans(HttpServletRequest request);
        protected abstract TimeTaken start(TRANS trans, ServletRequest request);
        protected abstract void authenticated(TRANS trans, Principal p);
        protected abstract void tallyHo(TRANS trans);
        
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-               TRANS trans = newTrans();
+               HttpServletRequest req = (HttpServletRequest)request;
+               HttpServletResponse res = (HttpServletResponse)response;
+               
+               TRANS trans = newTrans(req);
                
                TimeTaken overall = start(trans,request);
                try {
                        request.setAttribute(TRANS_TAG, trans);
                        
-                       HttpServletRequest req = (HttpServletRequest)request;
-                       HttpServletResponse res = (HttpServletResponse)response;
-                       
                        if(no_authn!=null) {
                                for(String prefix : no_authn) {
                                        if(req.getPathInfo().startsWith(prefix)) {
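Review bot: The `no_authn` loop calls `req.getPathInfo().startsWith(prefix)`, and `getPathInfo()` returns null when the request carries no extra path information, so such a request raises a NullPointerException inside this check. Because this branch decides which requests skip authentication, guard it explicitly with `String pathInfo = req.getPathInfo();` and `if(pathInfo!=null && pathInfo.startsWith(prefix)) {`. The casts to `HttpServletRequest` and `HttpServletResponse` now sit ahead of the `try`, so a non-HTTP request fails there with a ClassCastException; an `instanceof` check that throws `ServletException` would give a clearer error. `doFilter` continues past the end of the hunk.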
index 82b291c..4425886 100644 (file)
@@ -59,7 +59,7 @@ public class TypedCode<TRANS extends Trans> extends Content<TRANS> {
                private List<Pair<String, Pair<HttpCode<TRANS,?>,List<Pair<String, Object>>>>> types;
 
                public TypedCode() {
-                       types = new ArrayList<Pair<String,Pair<HttpCode<TRANS,?>,List<Pair<String,Object>>>>>();
+                       types = new ArrayList<>();
                }
                
                /**
@@ -88,7 +88,7 @@ public class TypedCode<TRANS extends Trans> extends Content<TRANS> {
                @Override
                protected Pair<String, Pair<HttpCode<TRANS,?>, List<Pair<String, Object>>>> types(HttpCode<TRANS,?> code, String str) {
                        Pair<String, Pair<HttpCode<TRANS,?>,List<Pair<String, Object>>>> type = null;
-                       ArrayList<Pair<String, Object>> props = new ArrayList<Pair<String,Object>>();
+                       ArrayList<Pair<String, Object>> props = new ArrayList<>();
                        // Want Q percentage is to be first in the array everytime.  If not listed, 1.0 is default
                        props.add(new Pair<String,Object>(Q,1f));
                        Pair<HttpCode<TRANS,?>, List<Pair<String,Object>>> cl = new Pair<HttpCode<TRANS,?>, List<Pair<String,Object>>>(code, props);
@@ -227,7 +227,7 @@ public class TypedCode<TRANS extends Trans> extends Content<TRANS> {
                
                public void api(RouteReport tr) {
                        // Need to build up a map, because Prop entries can be in several places.
-                       HashMap<HttpCode<?,?>,StringBuilder> psb = new HashMap<HttpCode<?,?>,StringBuilder>();
+                       HashMap<HttpCode<?,?>,StringBuilder> psb = new HashMap<>();
                        StringBuilder temp;
                        tr.desc = null;
                        
index d8c7311..0c28c7c 100644 (file)
@@ -104,8 +104,18 @@ public abstract class AbsService<ENV extends BasicEnv, TRANS extends Trans> exte
                }
     }
 
-       public abstract Filter[] filters() throws CadiException,  LocatorException;
-
+       protected abstract Filter[] _filters(Object ... additionalTafLurs) throws CadiException,  LocatorException;
+       
+       /**
+        * Overload this method to add new TAF or LURs
+        * 
+        * @return
+        * @throws CadiException
+        * @throws LocatorException
+        */
+       public Filter[] filters() throws CadiException,  LocatorException {
+               return _filters();
+       }
 
     public abstract Registrant<ENV>[] registrants(final int port) throws CadiException, LocatorException;
 
@@ -176,4 +186,5 @@ public abstract class AbsService<ENV extends BasicEnv, TRANS extends Trans> exte
                }
                return def;
        }
+
 }
index 4b2ca32..cefc7a2 100644 (file)
@@ -231,11 +231,16 @@ public class JettyServiceStarter<ENV extends RosettaEnv, TRANS extends Trans> ex
                try {
                        register(service.registrants(port));
                        access().printf(Level.INIT, "Starting Jetty Service for %s, version %s, on %s://%s:%d", service.app_name,service.app_version,protocol,hostname,port);
+                       server.join();
                } catch(Exception e) {
                        access().log(e,"Error registering " + service.app_name);
-                       // Question: Should Registered Services terminate?
+                       String doExit = access().getProperty("cadi_exitOnFailure", "true");
+                       if (doExit == "true") {
+                               System.exit(1);
+                       } else {
+                               throw e;
+                       }
                }
-               server.join();
        }
 
        private FilterChain buildFilterChain(final AbsService<?,?> as, final FilterChain doLast) throws CadiException, LocatorException {
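Review bot: `doExit == "true"` compares references rather than contents, so it only holds when `getProperty` hands back the very literal passed as the default. A `cadi_exitOnFailure=true` read from a properties file or the command line would most likely fall into the `else` branch and rethrow instead of exiting. Use `if (Boolean.parseBoolean(doExit)) {` or `"true".equalsIgnoreCase(doExit)`. Moving `server.join()` into the `try` also means an exception from the running server is logged as "Error registering ..." and takes the same exit path, so a separate message for that case would make the log less misleading. The enclosing method starts outside the hunk.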
index e295c86..e6f2fc9 100644 (file)
@@ -62,6 +62,9 @@ public class Log4JLogIt implements LogIt {
                        logs.mkdirs();
                }
 
+               if(System.getProperty("log4j.configuration")==null) {
+                       System.setProperty("log4j.configuration", etc_dir+'/'+propsFile);
+               }
                LogFileNamer lfn = new LogFileNamer(log_dir,root);
                try {
                        service=lfn.setAppender("service"); // when name is split, i.e. authz|service, the Appender is "authz", and "service"
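Review bot: The value written to `log4j.configuration` is a bare path (`etc_dir+'/'+propsFile`). log4j 1.x tries that property as a URL first and otherwise as a classpath resource, so a filesystem path without a scheme is likely not to be found, and logging would then silently use whatever default configuration is on the classpath. Building the value as a URL, for example `new File(etc_dir, propsFile).toURI().toString()`, avoids this, assuming `java.io.File` is imported in this file, which the hunk does not show. Setting a JVM-wide system property here also changes logging for every other component in the process, which deserves a one-line comment. The enclosing block begins and ends outside the hunk.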
index 7078cf0..de20e47 100644 (file)
@@ -49,7 +49,7 @@ public class Validator {
        private StringBuilder msgs;
 
        static {
-               nsKeywords = new ArrayList<String>();
+               nsKeywords = new ArrayList<>();
                nsKeywords.add(".access");
                nsKeywords.add(".owner");
                nsKeywords.add(".admin");
index 3219e47..a172ad2 100644 (file)
@@ -73,7 +73,7 @@ public class JU_Result {
 
                Collection<String> col1 = new ArrayList();
                List<String> list1 = new ArrayList();
-               Set<String> set1 = new HashSet<String>();
+               Set<String> set1 = new HashSet<>();
                Integer[] R1 = new Integer[0];
                set1.add("derp");
                list1.add("test");
index d0094db..559b275 100644 (file)
@@ -46,7 +46,7 @@ public class JU_DataFile {
 //             File file = new File("../authz-batch/data/v1.dat");
 //             DataFile df = new DataFile(file,"r");
 //             int count = 0;
-//             List<String> list = new ArrayList<String>();
+//             List<String> list = new ArrayList<>();
 //             try {
 //                     df.open();
 //                     Token tok = df.new Token(1024000);
index 7599241..b898e88 100644 (file)
@@ -85,5 +85,4 @@ public class JU_Organization {
                Assert.assertTrue(Organization.NULL.getPasswordRules() instanceof String[]);
 
        }
-
 }
index e9c382d..3d1f006 100644 (file)
@@ -122,7 +122,7 @@ public class JU_CachingFileAccess {
 
        @Test
        public void testCleanupParams() {
-               NavigableMap<String,org.onap.aaf.auth.rserv.Content> content = new ConcurrentSkipListMap<String,org.onap.aaf.auth.rserv.Content>();
+               NavigableMap<String,org.onap.aaf.auth.rserv.Content> content = new ConcurrentSkipListMap<>();
                cachingFileAccess.cleanupParams(50, 500); //TODO: find right input
        }
 
@@ -170,7 +170,7 @@ public class JU_CachingFileAccess {
 
        @Test
        public void testInvalidate() {
-               //NavigableMap<String,org.onap.aaf.auth.rserv.Content> content = new ConcurrentSkipListMap<String,org.onap.aaf.auth.rserv.Content>();
+               //NavigableMap<String,org.onap.aaf.auth.rserv.Content> content = new ConcurrentSkipListMap<>();
                //Content con = mock(Content.class);
                //content.put("hello", con);
                cachingFileAccess.invalidate("hello");
index 453eeb8..cd73e86 100644 (file)
@@ -73,7 +73,7 @@ public class JU_AbsService {
                }
 
                @Override
-               public Filter[] filters() throws CadiException, LocatorException {
+               public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
                        // TODO Auto-generated method stub
                        return null;
                }
index 071a0f8..1a3f441 100644 (file)
@@ -100,7 +100,7 @@ public class JU_AbsServiceStarter {
                }
 
                @Override
-               public Filter[] filters() throws CadiException, LocatorException {
+               public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
                        // TODO Auto-generated method stub
                        return null;
                }
index 9a02b63..13bac17 100644 (file)
@@ -59,7 +59,7 @@ public class JU_JettyServiceStarter {
                }
 
                @Override
-               public Filter[] filters() throws CadiException, LocatorException {
+               public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
                        // TODO Auto-generated method stub
                        return null;
                }
index 034c0b9..bce3199 100644 (file)
@@ -26,7 +26,7 @@
                <artifactId>authparent</artifactId>
                <relativePath>../pom.xml</relativePath>
                <groupId>org.onap.aaf.authz</groupId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
        </parent>
 
        <artifactId>aaf-auth-deforg</artifactId>
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
index 3d42b63..dd4a826 100644 (file)
@@ -21,7 +21,8 @@
  ******************************************************************************/
 package org.onap.aaf.org;
 
-import java.io.*;
+import java.io.File;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.GregorianCalendar;
@@ -61,7 +62,7 @@ public class DefaultOrg implements Organization {
        public DefaultOrg(Env env, String realm) throws OrganizationException {
 
                this.realm = realm;
-               supportedRealms=new HashSet<String>();
+               supportedRealms=new HashSet<>();
                supportedRealms.add(realm);
                domain=FQI.reverseDomain(realm);
                atDomain = '@'+domain;
@@ -125,7 +126,7 @@ public class DefaultOrg implements Organization {
        }
 
        // Implement your own Delegation System
-       static final List<String> NULL_DELEGATES = new ArrayList<String>();
+       static final List<String> NULL_DELEGATES = new ArrayList<>();
 
        public Identities identities;
        private boolean dryRun;
@@ -134,7 +135,7 @@ public class DefaultOrg implements Organization {
        private final static Set<String> typeSet;
 
        static {
-               typeSet = new HashSet<String>();
+               typeSet = new HashSet<>();
                for(Types t : Types.values()) {
                        typeSet.add(t.name());
                }
@@ -160,7 +161,6 @@ public class DefaultOrg implements Organization {
        @Override
        public DefaultOrgIdentity getIdentity(AuthzTrans trans, String id) throws OrganizationException {
                int at = id.indexOf('@');
-               String attt = at<0?id:id.substring(0, at);
                return new DefaultOrgIdentity(trans,at<0?id:id.substring(0, at),this);
        }
 
@@ -251,7 +251,7 @@ public class DefaultOrg implements Organization {
        public Response notify(AuthzTrans trans, Notify type, String url, String[] identities, String[] ccs, String summary, Boolean urgent) {
                String system = trans.getProperty("CASS_ENV", "");
 
-               ArrayList<String> toList = new ArrayList<String>();
+               ArrayList<String> toList = new ArrayList<>();
                Identity identity;
                if (identities != null) {
                        for (String user : identities) {
@@ -278,7 +278,7 @@ public class DefaultOrg implements Organization {
                        return Response.ERR_NotificationFailure;
                }
 
-               ArrayList<String> ccList = new ArrayList<String>();
+               ArrayList<String> ccList = new ArrayList<>();
 
                // If we're sending an urgent email, CC the user's supervisor
                //
@@ -393,7 +393,7 @@ public class DefaultOrg implements Organization {
 
                int status = 1;
 
-               List<String> to = new ArrayList<String>();
+               List<String> to = new ArrayList<>();
                for(String em : toList) {
                        if(em.indexOf('@')<0) {
                                to.add(new DefaultOrgIdentity(trans, em, this).email());
@@ -402,7 +402,7 @@ public class DefaultOrg implements Organization {
                        }
                }
 
-               List<String> cc = new ArrayList<String>();
+               List<String> cc = new ArrayList<>();
                if(ccList!=null) {
                        if(!ccList.isEmpty()) {
 
@@ -461,7 +461,7 @@ public class DefaultOrg implements Organization {
                                        message.addHeader("X-Priority", "1");
                                }
 
-                               ArrayList<String> newBody = new ArrayList<String>();
+                               ArrayList<String> newBody = new ArrayList<>();
 
                                Address temp[] = getAddresses(to);
                                String headerString = "TO:\t" + InternetAddress.toString(temp) + "\n";
@@ -574,7 +574,7 @@ public class DefaultOrg implements Organization {
        @Override
        public List<Identity> getApprovers(AuthzTrans trans, String user) throws OrganizationException {
                Identity orgIdentity = getIdentity(trans, user);
-               List<Identity> orgIdentitys = new ArrayList<Identity>();
+               List<Identity> orgIdentitys = new ArrayList<>();
                if(orgIdentity!=null) {
                        Identity supervisor = orgIdentity.responsibleTo();
                        if(supervisor!=null) {
index 9120ceb..e1bfda5 100644 (file)
@@ -145,7 +145,13 @@ public class JU_DefaultOrg {
                assertEquals(response.name(), "OK");
 
        }
-
+       
+       @Test
+       public void testDefOrgPasswords() {
+               assertEquals(defaultOrg.isValidPassword(authzTransMock, null, "new2You!", "Pilgrim"),"");
+               assertNotSame(defaultOrg.isValidPassword(authzTransMock, null, "new2you!", "Pilgrim"),"");
+               
+       }
 
        @Test
        public void testDefOrgNotifyPasswordExpiration_returnResponseOK() {
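Review bot: `assertNotSame` in `testDefOrgPasswords` checks object identity, so the second assertion passes for any returned String that is not the same instance as the literal `""`, possibly including an equal but distinct empty string. It therefore does not prove that the weaker password `new2you!` is rejected by the password rules. Compare by value instead, e.g. `assertNotEquals("", defaultOrg.isValidPassword(authzTransMock, null, "new2you!", "Pilgrim"));` if the project's JUnit version provides it. In the first assertion the arguments are in (actual, expected) order; `assertEquals("", defaultOrg.isValidPassword(authzTransMock, null, "new2You!", "Pilgrim"));` gives a correct failure message.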
index c2fb4fb..0559bed 100644 (file)
@@ -17,7 +17,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
        </dependencies>
 
                        <plugin>
                                <groupId>org.sonatype.plugins</groupId>
                                <artifactId>nexus-staging-maven-plugin</artifactId>
-                               <version>1.6.7</version>
                                <extensions>true</extensions>
                                <configuration>
                                        <nexusUrl>${nexusproxy}</nexusUrl>
                        <plugin>
                                <groupId>org.jacoco</groupId>
                                <artifactId>jacoco-maven-plugin</artifactId>
-                               <version>${jacoco.version}</version>
                                <configuration>
                                        <excludes>
                                                <exclude>**/gen/**</exclude>
index 0359b3e..ec50733 100644 (file)
@@ -88,7 +88,8 @@ public class AAF_FS extends AbsService<AuthzEnv, AuthzTrans>  {
        };
        
        @Override
-       public Filter[] filters() throws CadiException, LocatorException {
+       public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
+               // Note: No TAFs and Lurs on FileServer
                return new Filter[] {
                        new AuthzTransOnlyFilter(env)
                };
index 4e3a0bf..6b02437 100644 (file)
@@ -17,7 +17,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-client</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-cmd</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <!-- Add the Organizations you wish to support. You can delete ONAP if 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-deforg</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-aaf</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-client</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-misc-xgen</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
 
                        <plugin>
                                <groupId>org.sonatype.plugins</groupId>
                                <artifactId>nexus-staging-maven-plugin</artifactId>
-                               <version>1.6.7</version>
                                <extensions>true</extensions>
                                <configuration>
                                        <nexusUrl>${nexusproxy}</nexusUrl>
                        <plugin>
                                <groupId>org.jacoco</groupId>
                                <artifactId>jacoco-maven-plugin</artifactId>
-                               <version>${jacoco.version}</version>
                                <configuration>
                                        <excludes>
                                                <exclude>**/gen/**</exclude>
index 23713d8..3f26bad 100644 (file)
@@ -230,13 +230,15 @@ public class AAF_GUI extends AbsService<AuthzEnv, AuthzTrans> implements State<E
        public<RET> RET cmClientAsUser(TaggedPrincipal p,Retryable<RET> retryable) throws APIException, LocatorException, CadiException  {
                        return cmCon.hman().best(new HTransferSS(p,app, aafCon.securityInfo()), retryable);
        }
+       
        @Override
-       public Filter[] filters() throws CadiException, LocatorException {
+       public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
                try {
                        return new Filter[] {
                                        new XFrameFilter(XFrameFilter.TYPE.none),
                                        new AuthzTransFilter(env,aafCon(),
-                                               new AAFTrustChecker((Env)env)),
+                                               new AAFTrustChecker((Env)env),
+                                               additionalTafLurs),
                                        new OrgLookupFilter()
                                };
                } catch (NumberFormatException e) {
index 15b71b9..5267343 100644 (file)
@@ -57,7 +57,7 @@ public class OrgLookupFilter implements Filter {
                                                Identity id;
                                                try {
                                                        id = trans.org().getIdentity(trans, p.getName());
-                                                       if(id.isFound()) {
+                                                       if(id!=null && id.isFound()) {
                                                                return id.firstName();
                                                        }
                                                } catch (OrganizationException e) {
index 436b37a..346c8ae 100644 (file)
@@ -83,7 +83,7 @@ public class Page extends HTMLCacheGen {
        public final boolean no_cache;
 
        // Note: Only access is synchronized in "getPerm"
-       private final static Map<String,Map<String,Permission>> perms = new HashMap<String,Map<String,Permission>>();
+       private final static Map<String,Map<String,Permission>> perms = new HashMap<>();
 
        public String name() {
                return bcName;
@@ -379,7 +379,7 @@ public class Page extends HTMLCacheGen {
                Map<String,Permission> msp = perms.get(instance);
                Permission p;
                if(msp==null) {
-                       msp = new HashMap<String,Permission>();
+                       msp = new HashMap<>();
                        perms.put(instance, msp);
                        p=null;
                } else {
index 40d57c9..95aa052 100644 (file)
@@ -161,12 +161,12 @@ public class ApiDocs extends Page {
                
                @Override
                public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
-                       final ArrayList<AbsCell[]> ns = new ArrayList<AbsCell[]>();
-                       final ArrayList<AbsCell[]> perms = new ArrayList<AbsCell[]>();
-                       final ArrayList<AbsCell[]> roles = new ArrayList<AbsCell[]>();
-                       final ArrayList<AbsCell[]> user = new ArrayList<AbsCell[]>();
-                       final ArrayList<AbsCell[]> aafOnly = new ArrayList<AbsCell[]>();
-                       final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       final ArrayList<AbsCell[]> ns = new ArrayList<>();
+                       final ArrayList<AbsCell[]> perms = new ArrayList<>();
+                       final ArrayList<AbsCell[]> roles = new ArrayList<>();
+                       final ArrayList<AbsCell[]> user = new ArrayList<>();
+                       final ArrayList<AbsCell[]> aafOnly = new ArrayList<>();
+                       final ArrayList<AbsCell[]> rv = new ArrayList<>();
                        
        
                        final TimeTaken tt = trans.start("AAF APIs",Env.REMOTE);
index da552ae..bc9811b 100644 (file)
@@ -135,12 +135,12 @@ public class ApprovalForm extends Page {
                @Override
                public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
                        final String userParam = trans.get(sUser, null);
-                       ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       ArrayList<AbsCell[]> rv = new ArrayList<>();
                        String msg = null;
                        TimeTaken tt = trans.start("AAF Get Approvals for Approver",Env.REMOTE);
                        try {
-                               final List<Approval> pendingApprovals = new ArrayList<Approval>();
-                               final List<Integer> beginIndicesPerApprover = new ArrayList<Integer>();
+                               final List<Approval> pendingApprovals = new ArrayList<>();
+                               final List<Integer> beginIndicesPerApprover = new ArrayList<>();
                                int numLeft = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Integer>() {
                                        @Override
                                        public Integer code(Rcli<?> client) throws CadiException, ConnectException, APIException {
@@ -150,12 +150,10 @@ public class ApprovalForm extends Page {
                                                        
                                                        if(fa.value!=null) {
                                                                for (Approval appr : fa.value.getApprovals()) {
-                                                                       if (appr.getStatus().equals("pending")) {
-                                                                               if (userParam!=null) {
-                                                                                       if (!appr.getUser().equalsIgnoreCase(userParam)) {
+                                                                       if ("pending".equals(appr.getStatus())) {
+                                                                               if (userParam!=null && !appr.getUser().equalsIgnoreCase(userParam)) {
                                                                                                numLeft++;
                                                                                                continue;
-                                                                                       }
                                                                                }
                                                                                pendingApprovals.add(appr);
                                                                        }
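Review bot: The user comparison in the merged condition can still throw a NullPointerException when `appr.getUser()` returns null, although the status check just above it was flipped to the null-safe `"pending".equals(...)` form. Because `userParam` is already known to be non-null at that point, the comparison can be turned around: `if (userParam!=null && !userParam.equalsIgnoreCase(appr.getUser())) {`. The `numLeft++;` and `continue;` lines also kept the indentation of the removed inner `if` and now sit one level too deep. The enclosing `code()` method starts and ends outside this hunk.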
@@ -178,7 +176,7 @@ public class ApprovalForm extends Page {
                                        }
                                });
                                
-                               if (pendingApprovals.size() > 0) {
+                               if (!pendingApprovals.isEmpty()) {
                                        // Only add select all links if we have approvals
                                        AbsCell[] selectAllRow = new AbsCell[] {
                                                        AbsCell.Null,
@@ -191,7 +189,7 @@ public class ApprovalForm extends Page {
                                                
                                int line=-1;
                                
-                               while (beginIndicesPerApprover.size() > 0) {
+                               while (!beginIndicesPerApprover.isEmpty()) {
                                        int beginIndex = beginIndicesPerApprover.remove(0);
                                        int endIndex = (beginIndicesPerApprover.isEmpty()?pendingApprovals.size():beginIndicesPerApprover.get(0));
                                        List<Approval> currApproverList = pendingApprovals.subList(beginIndex, endIndex);
@@ -243,7 +241,7 @@ public class ApprovalForm extends Page {
                                                                } else {
                                                                        Identity au = org.getIdentity(trans, user);
                                                                        if(au!=null) {
-                                                                               if(au.type().equals("MECHID")) {
+                                                                               if("MECHID".equals(au.type())) {
                                                                                        Identity managedBy = au.responsibleTo();
                                                                                        if(managedBy==null) {
                                                                                                title ="title=" + au.type();
@@ -258,12 +256,13 @@ public class ApprovalForm extends Page {
                                                                                title="title=Not a User at " + org.getName();
                                                                        }
                                                                }
-                                                               userCell = new RefCell(prevUser=user, 
+                                                               prevUser=user;
+                                                               userCell = new RefCell(prevUser,
                                                                        TODO_ILM_INFO+user.substring(0, user.length()-DOMAIN_OF_USER.length()),
                                                                        true,
                                                                        title);
                                                        } else {
-                                                               userCell = new TextCell(prevUser=user);
+                                                               userCell = new TextCell(prevUser);
                                                        }
                                                        AbsCell[] sa = new AbsCell[] {
                                                                userCell,
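Review bot: The `else` branch now builds `new TextCell(prevUser)` without first assigning `prevUser=user`, so it no longer does what the removed `new TextCell(prevUser=user)` did. The cell shows whatever `prevUser` held before (possibly null, or the previous approval's user), and `prevUser` is never advanced for users that take this branch. On an approval page that can put a request next to the wrong identity. Moving the assignment out of the expression is fine, but it has to happen in both branches: `prevUser=user;` followed by `userCell = new TextCell(prevUser);`, or once before the `if`, whose opening is outside this hunk.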
@@ -280,7 +279,7 @@ public class ApprovalForm extends Page {
                                if(numLeft>0) {
                                        msg = "After these, there will be " + numLeft + " approvals left to process";
                                }
-                               if(rv.size()==0) {
+                               if(rv.isEmpty()) {
                                        if (numLeft>0) {
                                                msg = "No Approvals to process at this time for user " + userParam +". You have " 
                                                        + numLeft + " other approvals to process.";
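Review bot: `userParam` is concatenated into `msg` as-is on the line beginning `msg = "No Approvals to process at this time for user "`. It appears to come from the request (`trans.get(sUser, null)` in the first hunk of this file), and where `msg` is rendered is not visible here. It is worth confirming that `msg` is HTML-encoded on output, and encoding `userParam` at this point if it is not. The same commit starts filtering markup out of history memos on other pages, so this message should get the same treatment. The block that sets `msg` continues past the end of the hunk.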
index 0ad7364..d423731 100644 (file)
@@ -47,7 +47,7 @@ import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.client.Future;
 import org.onap.aaf.cadi.client.Rcli;
 import org.onap.aaf.cadi.client.Retryable;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.cadi.util.FQI;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.Env;
@@ -159,7 +159,7 @@ public class CMArtifactShow extends Page {
                                return Cells.EMPTY;
                        }
                        final String id = str.indexOf('@')>=0?str:str + '@' + FQI.reverseDomain(sc.get(trans,Params.ns, ""));
-                       final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       final ArrayList<AbsCell[]> rv = new ArrayList<>();
                        final TimeTaken tt = trans.start("AAF X509 Details",Env.REMOTE);
                        try {
                                gui.cmClientAsUser(trans.getUserPrincipal(),new Retryable<Void>() {
index 8c7c876..208c750 100644 (file)
@@ -148,7 +148,7 @@ public class CredDetail extends Page {
                        if(ns==null) {
                                return Cells.EMPTY;
                        }
-                       final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       final ArrayList<AbsCell[]> rv = new ArrayList<>();
                        final TimeTaken tt = trans.start("AAF Cred Details",Env.REMOTE);
                        List<Artifact> la; 
                        try {
@@ -164,7 +164,7 @@ public class CredDetail extends Page {
                                        }
 
                                });
-                               final Set<String> lns = new HashSet<String>();
+                               final Set<String> lns = new HashSet<>();
                                if(la!=null) {
                                        for(Artifact a : la){
                                                lns.add(a.getMechid());
@@ -176,7 +176,7 @@ public class CredDetail extends Page {
                                                Future<Users> fu = client.read("/authn/creds/ns/"+ns,gui.getDF(Users.class));
                                                if(fu.get(AAFcli.timeout())) {
                                                        // Organize User entries
-                                                       Map<String,List<Map<Integer,List<User>>>> users = new HashMap<String,List<Map<Integer,List<User>>>>();
+                                                       Map<String,List<Map<Integer,List<User>>>> users = new HashMap<>();
                
                                                        List<Map<Integer,List<User>>> lmu=null;
                                                        Map<Integer, List<User>> mu = null;
@@ -188,7 +188,7 @@ public class CredDetail extends Page {
                                                                }
                                                                lmu = users.get(u.getId());
                                                                if(lmu==null) {
-                                                                       users.put(u.getId(),lmu=new ArrayList<Map<Integer,List<User>>>());
+                                                                       users.put(u.getId(),lmu=new ArrayList<>());
                                                                }
                                                                mu=null;
                                                                for(Map<Integer,List<User>> xmu : lmu) {
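Review bot: `users.put(u.getId(),lmu=new ArrayList<>());` still assigns inside the argument list, the same pattern this commit removes from `ApprovalForm` (`new RefCell(prevUser=user, ...)`). For consistency, split it into `lmu = new ArrayList<>();` and `users.put(u.getId(), lmu);`. The next hunk has two more of these, `lmu.add(mu=new HashMap<>());` and `mu.put(u.getType(),lu = new ArrayList<>());`. The surrounding loop starts and ends outside these hunks.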
@@ -198,12 +198,12 @@ public class CredDetail extends Page {
                                                                }
                                                                
                                                                if(mu==null) {
-                                                                       lmu.add(mu=new HashMap<Integer,List<User>>());
+                                                                       lmu.add(mu=new HashMap<>());
                                                                }
                                                                
                                                                lu = mu.get(u.getType());
                                                                if(lu==null) {
-                                                                       mu.put(u.getType(),lu = new ArrayList<User>());
+                                                                       mu.put(u.getType(),lu = new ArrayList<>());
                                                                }
                                                                lu.add(u);
                                                        }
index 8c442dd..0a74d60 100644 (file)
@@ -109,7 +109,7 @@ public class NsDetail extends Page {
                        if(nsName==null) {
                                return Cells.EMPTY;
                        }
-                       final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       final ArrayList<AbsCell[]> rv = new ArrayList<>();
                        rv.add(new AbsCell[]{new TextCell("Name:"),new TextCell(nsName)});
 
                        final TimeTaken tt = trans.start("AAF Namespace Details",Env.REMOTE);
@@ -144,7 +144,7 @@ public class NsDetail extends Page {
                                                                                                        "/authz/roles/ns/"+nsName, 
                                                                                                        gui.getDF(Roles.class)
                                                                                                        );
-                                                                       List<String> roles = new ArrayList<String>();
+                                                                       List<String> roles = new ArrayList<>();
                                                                        if(fr.get(AAFcli.timeout())) {
                                                                                for (Role r : fr.value.getRole()) {
                                                                                        roles.add(r.getName());
@@ -157,7 +157,7 @@ public class NsDetail extends Page {
                                                                                                        "/authz/perms/ns/"+nsName, 
                                                                                                        gui.getDF(Perms.class)
                                                                                                        );
-                                                                       List<String> perms = new ArrayList<String>();
+                                                                       List<String> perms = new ArrayList<>();
                        
                                                                        if(fp.get(AAFcli.timeout())) {
                                                                                for (Perm p : fp.value.getPerm()) {
index 1bffbb6..6d55858 100644 (file)
@@ -168,7 +168,7 @@ public class NsHistory extends Page {
                                return Cells.EMPTY;
                        }
                        
-                       final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       final ArrayList<AbsCell[]> rv = new ArrayList<>();
                        String msg = null;
                        final TimeTaken tt = trans.start("AAF Get History for Namespace ["+oName+"]",Env.REMOTE);
                        try {
@@ -196,10 +196,11 @@ public class NsHistory extends Page {
                                                                        String user = i.getUser();
                                                                        AbsCell userCell = new TextCell(user);
                                                                        
+                                                                       String memo = i.getMemo().replace("<script>", "&lt;script&gt;").replace("</script>", "&lt;/script&gt;");
                                                                        rv.add(new AbsCell[] {
                                                                                        new TextCell(i.getTimestamp().toGregorianCalendar().getTime().toString()),
                                                                                        userCell,
-                                                                                       new TextCell(i.getMemo())
+                                                                                       new TextCell(memo)
                                                                        });
                                                                }
                                                        } finally {
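Review bot: Replacing only the exact strings `<script>` and `</script>` in the memo is not an adequate output-encoding step. Any other markup, or the same tag written with different case, whitespace or attributes, passes through unchanged, and `&` is left unencoded. The memo should be fully HTML-encoded (`&`, `<`, `>`, `"`, `'`) before it reaches `TextCell`, ideally in one shared helper or inside `TextCell` itself if it does not already encode (not visible here). The new line also dereferences `i.getMemo()` and will throw if a history item has no memo, whereas the old code passed the value straight through. `i.getUser()` goes into a `TextCell` with no filtering at all. The identical line is added in the `PermHistory` and `RoleHistory` hunks and needs the same change. The enclosing method starts and ends outside this hunk.

```java
// … unchanged: user / userCell setup …
String memo = escapeHtml(i.getMemo());
// … unchanged: rv.add(new AbsCell[] { …, new TextCell(memo) }) …

// Shared helper; place it on a common class so NsHistory, PermHistory and RoleHistory use the same code.
static String escapeHtml(String s) {
    if (s == null) {
        return "";
    }
    StringBuilder sb = new StringBuilder(s.length() + 16);
    for (int idx = 0; idx < s.length(); idx++) {
        char c = s.charAt(idx);
        switch (c) {
            case '&':  sb.append("&amp;");  break;
            case '<':  sb.append("&lt;");   break;
            case '>':  sb.append("&gt;");   break;
            case '"':  sb.append("&quot;"); break;
            case '\'': sb.append("&#39;");  break;
            default:   sb.append(c);
        }
    }
    return sb.toString();
}
```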
index 02aedc5..fecd232 100644 (file)
@@ -83,7 +83,7 @@ public class NssShow extends Page {
                
                @Override
                public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
-                       ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       ArrayList<AbsCell[]> rv = new ArrayList<>();
                        List<Ns> nss = trans.get(sNssByUser, null);
                        if(nss==null) {
                                TimeTaken tt = trans.start("AAF Nss by User for " + privilege,Env.REMOTE);
index 9d2b2cb..6e7081b 100644 (file)
@@ -117,7 +117,7 @@ public class PendingRequestsShow extends Page {
                
                @Override
                public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
-                       final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       final ArrayList<AbsCell[]> rv = new ArrayList<>();
                        try {
                                gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
                                        @Override
index 822d0bf..01c96a6 100644 (file)
@@ -96,7 +96,7 @@ public class PermDetail extends Page {
                                trans.warn().printf("Error in PermDetail Request: %s", v.errs());
                                return Cells.EMPTY;
                        }
-                       final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       final ArrayList<AbsCell[]> rv = new ArrayList<>();
                        rv.add(new AbsCell[]{new TextCell("Type:"),new TextCell(pType)});
                        rv.add(new AbsCell[]{new TextCell("Instance:"),new TextCell(pInstance)});
                        rv.add(new AbsCell[]{new TextCell("Action:"),new TextCell(pAction)});
index 1c5bc4c..db3d741 100644 (file)
@@ -125,7 +125,7 @@ public class PermGrantForm extends Page {
        }
                
        private static List<String> getMyRoles(final AAF_GUI gui, final AuthzTrans trans) {
-               final List<String> myRoles = new ArrayList<String>();
+               final List<String> myRoles = new ArrayList<>();
                try {
                        gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
                                @Override
index 64a0db1..37a2c22 100644 (file)
@@ -175,7 +175,7 @@ public class PermHistory extends Page {
                                return Cells.EMPTY;
                        }
                        
-                       final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       final ArrayList<AbsCell[]> rv = new ArrayList<>();
                        String msg = null;
                        try {
                                gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
@@ -207,11 +207,11 @@ public class PermHistory extends Page {
                                                                for (Item i : histItems) {
                                                                        String user = i.getUser();
                                                                        AbsCell userCell = new TextCell(user);
-                                                                       
+                                                                       String memo = i.getMemo().replace("<script>", "&lt;script&gt;").replace("</script>", "&lt;/script&gt;");
                                                                        rv.add(new AbsCell[] {
                                                                                        new TextCell(i.getTimestamp().toGregorianCalendar().getTime().toString()),
                                                                                        userCell,
-                                                                                       new TextCell(i.getMemo())
+                                                                                       new TextCell(memo)
                                                                        });
                                                                }
                                                                
index 5f5c287..9b39945 100644 (file)
@@ -77,7 +77,7 @@ public class PermsShow extends Page {
                
                @Override
                public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
-                       final ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       final ArrayList<AbsCell[]> rv = new ArrayList<>();
                        TimeTaken tt = trans.start("AAF Perms by User",Env.REMOTE);
                        try {
                                gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
index 626b7da..3e959ef 100644 (file)
@@ -86,7 +86,7 @@ public class RequestDetail extends Page {
                                                @Override
                                                public Cells code(Rcli<?> client) throws CadiException, ConnectException, APIException {
                                                        TimeTaken tt = trans.start("AAF Approval Details",Env.REMOTE);
-                                                       ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                                                       ArrayList<AbsCell[]> rv = new ArrayList<>();
                                                        try {
                                                                Future<Approvals> fa = client.read(
                                                                        "/authz/approval/ticket/"+ticket, 
index 37526b8..a39bf82 100644 (file)
@@ -121,35 +121,38 @@ public class RoleDetail extends Page {
                                                        Future<Roles> fr = client.read("/authz/roles/"+pRole+"?ns",gui.getDF(Roles.class));
                                                        Future<UserRoles> fur = client.read("/authz/userRoles/role/"+pRole,gui.getDF(UserRoles.class));
                                                        if(fr.get(AAF_GUI.TIMEOUT)) {
-                                                               Role role = fr.value.getRole().get(0);
-                                                               trans.put(sRole, role);
-                                                               Boolean mayWrite = trans.fish(new AAFPermission(role.getNs()+".access",":role:"+role.getName(),"write"));
-                                                               trans.put(sMayWrite,mayWrite);
-                                                               Boolean mayApprove = trans.fish(new AAFPermission(role.getNs()+".access",":role:"+role.getName(),"approve"));
-                                                               trans.put(sMayApprove, mayApprove);
-                                                               
-                                                               if(mayWrite || mayApprove) {
-                                                                       Mark js = new Mark();
-                                                                       Mark fn = new Mark();
-                                                                       hgen.js(js)
-                                                                               .function(fn,"touchedDesc")
-                                                                               .li("d=document.getElementById('descText');",
-                                                                                       "if (d.orig == undefined ) {",
-                                                                                       "  d.orig = d.value;",
-                                                                                       "  d.addEventListener('keyup',changedDesc);",
-                                                                                       "  d.removeEventListener('keypress',touchedDesc);",
-                                                                                       "}").end(fn)
-                                                                               .function(fn,"changedDesc")
-                                                                               .li(
-                                                                                       "dcb=document.getElementById('descCB');",
-                                                                                       "d=document.getElementById('descText');",
-                                                                                       "dcb.checked= (d.orig != d.value)"
-                                                                               ).end(fn)
-                                                                               .end(js);
-
-                                                                       Mark mark = new Mark();
-                                                                       hgen.incr(mark,"form","method=post");
-                                                                       trans.put(sMark, mark);
+                                                               List<Role> roles = fr.value.getRole();
+                                                               if(!roles.isEmpty()) {
+                                                                       Role role = fr.value.getRole().get(0);
+                                                                       trans.put(sRole, role);
+                                                                       Boolean mayWrite = trans.fish(new AAFPermission(role.getNs()+".access",":role:"+role.getName(),"write"));
+                                                                       trans.put(sMayWrite,mayWrite);
+                                                                       Boolean mayApprove = trans.fish(new AAFPermission(role.getNs()+".access",":role:"+role.getName(),"approve"));
+                                                                       trans.put(sMayApprove, mayApprove);
+                                                                       
+                                                                       if(mayWrite || mayApprove) {
+                                                                               Mark js = new Mark();
+                                                                               Mark fn = new Mark();
+                                                                               hgen.js(js)
+                                                                                       .function(fn,"touchedDesc")
+                                                                                       .li("d=document.getElementById('descText');",
+                                                                                               "if (d.orig == undefined ) {",
+                                                                                               "  d.orig = d.value;",
+                                                                                               "  d.addEventListener('keyup',changedDesc);",
+                                                                                               "  d.removeEventListener('keypress',touchedDesc);",
+                                                                                               "}").end(fn)
+                                                                                       .function(fn,"changedDesc")
+                                                                                       .li(
+                                                                                               "dcb=document.getElementById('descCB');",
+                                                                                               "d=document.getElementById('descText');",
+                                                                                               "dcb.checked= (d.orig != d.value)"
+                                                                                       ).end(fn)
+                                                                                       .end(js);
+       
+                                                                               Mark mark = new Mark();
+                                                                               hgen.incr(mark,"form","method=post");
+                                                                               trans.put(sMark, mark);
+                                                                       }
                                                                }
                                                        } else {
                                                                trans.error().printf("Error calling AAF for Roles in GUI, Role Detail %d: %s",fr.code(),fr.body());
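Review bot: The new guard stores the list in `roles` but the next line reads it again through `fr.value.getRole().get(0)`; use the local instead, `Role role = roles.get(0);`. `fr.value` is dereferenced without a null check, although `ApprovalForm` in this same commit tests `fa.value!=null` before use, so `if(fr.value!=null && !fr.value.getRole().isEmpty())` would be more consistent. When the list is empty the code now falls through silently: `sRole`, `sMayWrite` and `sMayApprove` are never put on the transaction and nothing is logged. A `trans.warn().printf(...)` for that case would make a missing or unreadable role distinguishable from an error. The enclosing `code()` method starts and ends outside this hunk.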
@@ -178,7 +181,7 @@ public class RoleDetail extends Page {
                public Cells get(final AuthzTrans trans, final AAF_GUI gui) {
                        final String pRole = trans.get(sRoleName, null);
                        final Role role = trans.get(sRole,null);
-                       ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                       ArrayList<AbsCell[]> rv = new ArrayList<>();
                        
                        if(role!=null) {
                                boolean mayWrite = trans.get(sMayWrite, false);
index f2d2c01..f9f919a 100644 (file)
@@ -76,7 +76,7 @@ public class RoleDetailAction extends Page {
                                                                        /*fail =*/ gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Boolean>() {
                                                                                @Override
                                                                                public Boolean code(Rcli<?> client) throws CadiException, ConnectException, APIException {
-                                                                                       List<TypedFuture> ltf = new ArrayList<TypedFuture>();
+                                                                                       List<TypedFuture> ltf = new ArrayList<>();
                                                                                        String text;
                                                                                        Map<String, String[]> pm = (Map<String, String[]>)req.getParameterMap();
                                                                                        for(final Entry<String, String[]> es : pm.entrySet()) {
index 7b07b60..4a9bd36 100644 (file)
@@ -38,7 +38,6 @@ import org.onap.aaf.auth.gui.Page;
 import org.onap.aaf.auth.gui.Table;
 import org.onap.aaf.auth.gui.Table.Cells;
 import org.onap.aaf.auth.gui.table.AbsCell;
-import org.onap.aaf.auth.gui.table.RefCell;
 import org.onap.aaf.auth.gui.table.TableData;
 import org.onap.aaf.auth.gui.table.TextCell;
 import org.onap.aaf.cadi.CadiException;
@@ -172,7 +171,7 @@ public class RoleHistory extends Page {
                                        rv = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Cells>() {
                                                @Override
                                                public Cells code(Rcli<?> client) throws CadiException, ConnectException, APIException {
-                                                       ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                                                       ArrayList<AbsCell[]> rv = new ArrayList<>();
                                                        TimeTaken tt = trans.start("AAF Get History for Namespace ["+oName+"]",Env.REMOTE);
                                                        String msg = null;
                                                        try {
@@ -195,11 +194,12 @@ public class RoleHistory extends Page {
                                                                        for (Item i : histItems) {
                                                                                String user = i.getUser();
                                                                                AbsCell userCell = new TextCell(user);
-                                                                               
+
+                                                                               String memo = i.getMemo().replace("<script>", "&lt;script&gt;").replace("</script>", "&lt;/script&gt;");
                                                                                rv.add(new AbsCell[] {
                                                                                                new TextCell(i.getTimestamp().toGregorianCalendar().getTime().toString()),
                                                                                                userCell,
-                                                                                               new TextCell(i.getMemo())
+                                                                                               new TextCell(memo)
                                                                                });
                                                                        }
                                                                } else {
index e3f91ba..80ff940 100644 (file)
@@ -73,6 +73,9 @@ public class RolesShow extends Page {
         */
        private static class Model extends TableData<AAF_GUI,AuthzTrans> {
                private static final String[] headers = new String[] {"Role","Expires","Remediation","Actions"};
+               private static final String ROLE = "&role=";
+               private static final String USER = "?user=";
+               private static final String CLASS_EXPIRED = "class=expired";
 
                @Override
                public String[] headers() {
@@ -87,24 +90,23 @@ public class RolesShow extends Page {
                                rv = gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Cells>() {
                                        @Override
                                        public Cells code(Rcli<?> client) throws CadiException, ConnectException, APIException {
-                                               ArrayList<AbsCell[]> rv = new ArrayList<AbsCell[]>();
+                                               ArrayList<AbsCell[]> rv = new ArrayList<>();
                                                TimeTaken tt = trans.start("AAF Roles by User",Env.REMOTE);
                                                try {
                                                        Future<UserRoles> fur = client.read("/authz/userRoles/user/"+trans.user(),gui.getDF(UserRoles.class));
-                                                       if (fur.get(5000)) {
-                                                               if(fur.value != null) for (UserRole u : fur.value.getUserRole()) {
+                                                       if (fur.get(5000) && fur.value != null) for (UserRole u : fur.value.getUserRole()) {
                                                                        if(u.getExpires().compare(Chrono.timeStamp()) < 0) {
                                                                                AbsCell[] sa = new AbsCell[] {
-                                                                                               new TextCell(u.getRole() + "*", "class=expired"),
-                                                                                               new TextCell(new SimpleDateFormat(DATE_TIME_FORMAT).format(u.getExpires().toGregorianCalendar().getTime()),"class=expired"),
+                                                                                               new TextCell(u.getRole() + "*", CLASS_EXPIRED),
+                                                                                               new TextCell(new SimpleDateFormat(DATE_TIME_FORMAT).format(u.getExpires().toGregorianCalendar().getTime()),CLASS_EXPIRED),
                                                                                                new RefCell("Extend",
-                                                                                                               UserRoleExtend.HREF + "?user="+trans.user()+"&role="+u.getRole(),
+                                                                                                               UserRoleExtend.HREF+USER+trans.user()+ROLE+u.getRole(),
                                                                                                                false,
-                                                                                                               new String[]{"class=expired"}),
+                                                                                                               new String[]{CLASS_EXPIRED}),
                                                                                                new RefCell("Remove",
-                                                                                                       UserRoleRemove.HREF + "?user="+trans.user()+"&role="+u.getRole(),
+                                                                                                       UserRoleRemove.HREF+USER +trans.user()+ROLE+u.getRole(),
                                                                                                        false,
-                                                                                                       new String[]{"class=expired"})
+                                                                                                       new String[]{CLASS_EXPIRED})
                                                                                                                
                                                                                        };
                                                                                        rv.add(sa);
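Review bot: The `Extend` and `Remove` links concatenate `trans.user()` and `u.getRole()` into the query string unencoded (`UserRoleExtend.HREF+USER+trans.user()+ROLE+u.getRole()`), and the same expression is repeated in the `Remove` cell of the following hunk. A value containing `&`, `#`, `+` or a quote would change the parameters the target page receives, and could break out of the attribute if `RefCell` does not escape its href, which is not visible here. Encode each value before concatenation, e.g. `URLEncoder.encode(u.getRole(), "UTF-8")`, and handle its checked `UnsupportedEncodingException`, since `code()` does not declare it. The enclosing `code()` method continues past the end of this hunk.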
@@ -116,12 +118,11 @@ public class RolesShow extends Page {
                                                                                                new TextCell(new SimpleDateFormat(DATE_TIME_FORMAT).format(u.getExpires().toGregorianCalendar().getTime())),
                                                                                                AbsCell.Null,
                                                                                                new RefCell("Remove",
-                                                                                                               UserRoleRemove.HREF + "?user="+trans.user()+"&role="+u.getRole(),
+                                                                                                               UserRoleRemove.HREF+USER+trans.user()+ROLE+u.getRole(),
                                                                                                                false)
                                                                                        };
                                                                                        rv.add(sa);
                                                                        }
-                                                               }
                                                        }
                                                        
                                                } finally {
index c0ba16d..8a78fd7 100644 (file)
@@ -67,7 +67,7 @@ public class UserRoleExtend extends Page {
                                                        gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
                                                                @Override
                                                                public Void code(Rcli<?> client)throws CadiException, ConnectException, APIException {
-                                                                       Future<Void> fv = client.setQueryParams("request=true").update("/authz/userRole/extend/"+user+"/"+role);
+                                                                       Future<Void> fv = client.update("/authz/userRole/extend/"+user+"/"+role+"?request=true");
                                                                        if(fv.get(5000)) {
                                                                                // not sure if we'll ever hit this
                                                                                hgen.p("Extended User ["+ user+"] in Role [" +role+"]");
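Review bot: `user` and `role` are concatenated straight into the request path and `?request=true` is now appended to that same string, so a `?`, `#` or `/` inside either value would change which path and query the backend sees. Where the two values come from is outside this hunk; if they are the `user=` and `role=` request parameters, validate them against the expected identifier syntax or percent-encode them before building the path. The same pattern is in the `UserRoleRemove` hunk that follows (`"/authz/userRole/"+user+"/"+role+"?request=true"`). It is also worth confirming that `client.update` and `client.delete` accept a query string inside their path argument, since the removed code passed it through `setQueryParams`.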
index 5f8adf2..84f3640 100644 (file)
@@ -67,8 +67,8 @@ public class UserRoleRemove extends Page {
                                                        gui.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {
                                                                @Override
                                                                public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
-                                                                       Future<Void> fv = client.setQueryParams("request=true").delete(
-                                                                                               "/authz/userRole/"+user+"/"+role,Void.class);
+                                                                       Future<Void> fv = client.delete(
+                                                                                               "/authz/userRole/"+user+"/"+role+"?request=true",Void.class);
                                                                        
                                                                        if(fv.get(5000)) {
                                                                                // not sure if we'll ever hit this
index c465f81..b913b6c 100644 (file)
@@ -17,7 +17,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
index 8a85b4e..9617f19 100644 (file)
@@ -97,11 +97,12 @@ public class AAF_Hello extends AbsService<AuthzEnv,AuthzTrans> {
        }
        
        @Override
-       public Filter[] filters() throws CadiException, LocatorException {
+       public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
                try {
                        return new Filter[] {
                                        new AuthzTransFilter(env,aafCon(),
-                                               new AAFTrustChecker((Env)env))
+                                       new AAFTrustChecker((Env)env),
+                                       additionalTafLurs)
                                };
                } catch (NumberFormatException e) {
                        throw new CadiException("Invalid Property information", e);
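Review bot: `_filters(Object ... additionalTafLurs)` accepts untyped objects and hands them to `AuthzTransFilter`, which sits in the authentication chain, with no documentation of what may be passed. A short Javadoc on the method, for example `/** @param additionalTafLurs extra Taf/Lur instances handed to AuthzTransFilter in addition to its defaults */`, would tell implementers what is accepted; the actual contract lives in `AuthzTransFilter`, which is not visible here, so word it to match. The same signature is added in the `AAF_Locate` hunk further down.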
index e225223..2be162c 100644 (file)
@@ -52,8 +52,9 @@ public class API_Hello {
         */
        public static void init(final AAF_Hello oauthHello) throws Exception {
                ////////
-               // Overall APIs
+               // Simple "GET" API
                ///////
+               
                oauthHello.route(HttpMethods.GET,"/hello/:perm*",API.TOKEN,new HttpCode<AuthzTrans, AAF_Hello>(oauthHello,"Hello OAuth"){
                        @Override
                        public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
@@ -84,5 +85,37 @@ public class API_Hello {
                        }
                }); 
 
+               ////////
+               // REST APIs
+               ///////
+               oauthHello.route(oauthHello.env,HttpMethods.GET,"/resthello/:perm*",new HttpCode<AuthzTrans, AAF_Hello>(oauthHello,"REST Hello OAuth") {
+                       @Override
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+                               resp.setStatus(200 /* OK */);
+                               StringBuilder sb = new StringBuilder("{\"resp\": \"Hello REST AAF\",\"principal\": \"");
+                               sb.append(req.getUserPrincipal().getName());
+                               sb.append('"');
+                               String perm = pathParam(req, "perm");
+                               if(perm!=null && perm.length()>0) {
+                                       TimeTaken tt = trans.start("Authorize perm", Env.REMOTE);
+                                       try {
+                                               sb.append(",\"validation\": { \"permission\" : \"");
+                                               sb.append(perm);
+                                               sb.append("\",\"has\" : \"");
+                                               sb.append(req.isUserInRole(perm));
+                                               sb.append("\"}");
+                                       } finally {
+                                               tt.done();
+                                       }
+                               }
+                               sb.append("}");
+                               ServletOutputStream os = resp.getOutputStream();
+                               os.println(sb.toString());
+                               trans.info().printf("Said 'RESTful Hello' to %s, Authentication type: %s",trans.getUserPrincipal().getName(),trans.getUserPrincipal().getClass().getSimpleName());
+                       }
+               },"application/json"); 
+               
+               
+               
        }
 }
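Review bot: The `/resthello` handler builds its JSON body by appending `perm` (a path parameter) and the principal name between literal quotes without escaping, so a `"`, backslash or control character in either value yields malformed JSON or adds fields the handler did not intend. Escape both values before appending, or build the body with whatever JSON support the project already has. `has` is also emitted as the string `"true"`/`"false"` rather than a JSON boolean, which every client then has to parse. A sketch of the escaping variant follows.

```java
// … unchanged: route registration, status, opening of the JSON object …
sb.append(jsonEscape(req.getUserPrincipal().getName()));
// … unchanged: perm lookup and TimeTaken start …
sb.append(jsonEscape(perm));
// … unchanged: "has" field, closing brace, output and logging …

// new private static helper in API_Hello
private static String jsonEscape(String s) {
	StringBuilder out = new StringBuilder(s.length() + 8);
	for (int i = 0; i < s.length(); i++) {
		char c = s.charAt(i);
		if (c == '"' || c == '\\') {
			out.append('\\').append(c);
		} else if (c < 0x20) {
			out.append(String.format("\\u%04x", (int) c));
		} else {
			out.append(c);
		}
	}
	return out.toString();
}
```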
index 1699da2..13640b5 100644 (file)
@@ -17,7 +17,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
        </properties>
 
        <dependencies>
+               <dependency>
+                       <groupId>org.onap.aaf.authz</groupId>
+                       <artifactId>aaf-auth-client</artifactId>
+               </dependency>
+       
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-cass</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-aaf</artifactId>
-                       <version>${project.version}</version>
+               </dependency>
+
+               <dependency>
+                       <groupId>org.onap.aaf.authz</groupId>
+                       <artifactId>aaf-misc-rosetta</artifactId>
                </dependency>
        </dependencies>
 
@@ -83,7 +90,6 @@
                                </configuration>
                        </plugin>
 
-
                        <plugin>
                                <groupId>org.apache.maven.plugins</groupId>
                                <artifactId>maven-deploy-plugin</artifactId>
                        <plugin>
                                <groupId>org.sonatype.plugins</groupId>
                                <artifactId>nexus-staging-maven-plugin</artifactId>
-                               <version>1.6.7</version>
                                <extensions>true</extensions>
                                <configuration>
                                        <nexusUrl>${nexusproxy}</nexusUrl>
                        <plugin>
                                <groupId>org.jacoco</groupId>
                                <artifactId>jacoco-maven-plugin</artifactId>
-                               <version>${jacoco.version}</version>
                                <configuration>
                                        <excludes>
                                                <exclude>**/gen/**</exclude>
index 1cf3afb..8371ff1 100644 (file)
@@ -30,6 +30,7 @@ import javax.servlet.Filter;
 import org.onap.aaf.auth.cache.Cache;
 import org.onap.aaf.auth.cache.Cache.Dated;
 import org.onap.aaf.auth.dao.CassAccess;
+import org.onap.aaf.auth.dao.cass.ConfigDAO;
 import org.onap.aaf.auth.dao.cass.LocateDAO;
 import org.onap.aaf.auth.direct.DirectLocatorCreator;
 import org.onap.aaf.auth.direct.DirectRegistrar;
@@ -41,7 +42,7 @@ import org.onap.aaf.auth.locate.api.API_Api;
 import org.onap.aaf.auth.locate.api.API_Find;
 import org.onap.aaf.auth.locate.api.API_Proxy;
 import org.onap.aaf.auth.locate.facade.LocateFacadeFactory;
-import org.onap.aaf.auth.locate.facade.LocateFacade_1_0;
+import org.onap.aaf.auth.locate.facade.LocateFacade_1_1;
 import org.onap.aaf.auth.locate.mapper.Mapper.API;
 import org.onap.aaf.auth.rserv.HttpMethods;
 import org.onap.aaf.auth.server.AbsService;
@@ -61,6 +62,7 @@ import org.onap.aaf.cadi.register.Registrant;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.Data;
 import org.onap.aaf.misc.env.Env;
+import org.onap.aaf.misc.rosetta.env.RosettaEnv;
 
 import com.datastax.driver.core.Cluster;
 
@@ -68,8 +70,8 @@ public class AAF_Locate extends AbsService<AuthzEnv, AuthzTrans> {
        private static final String DOT_LOCATOR = ".locator";
 
        private static final String USER_PERMS = "userPerms";
-       private LocateFacade_1_0 facade; // this is the default Facade
-       private LocateFacade_1_0 facade_1_0_XML;
+       private LocateFacade_1_1 facade; // this is the default Facade
+       private LocateFacade_1_1 facade_1_1_XML;
        public Map<String, Dated> cacheUser;
        public final AAFAuthn<?> aafAuthn;
        public final AAFLurPerm aafLurPerm;
@@ -77,6 +79,7 @@ public class AAF_Locate extends AbsService<AuthzEnv, AuthzTrans> {
        public final long expireIn;
        private final Cluster cluster;
        public final LocateDAO locateDAO;
+       public final ConfigDAO configDAO;
        private Locator<URI> dal;
        private final String aaf_service_name;
        private final String aaf_gui_name;
@@ -103,6 +106,7 @@ public class AAF_Locate extends AbsService<AuthzEnv, AuthzTrans> {
 
                cluster = org.onap.aaf.auth.dao.CassAccess.cluster(env,null);
                locateDAO = new LocateDAO(trans,cluster,CassAccess.KEYSPACE);
+               configDAO = new ConfigDAO(trans,locateDAO); // same stuff
 
                // Have AAFLocator object Create DirectLocators for Location needs
                AbsAAFLocator.setCreator(new DirectLocatorCreator(env, locateDAO));
@@ -112,8 +116,8 @@ public class AAF_Locate extends AbsService<AuthzEnv, AuthzTrans> {
                aafAuthn = aafCon().newAuthn(aafLurPerm);
 
 
-               facade = LocateFacadeFactory.v1_0(env,locateDAO,trans,Data.TYPE.JSON);   // Default Facade
-               facade_1_0_XML = LocateFacadeFactory.v1_0(env,locateDAO,trans,Data.TYPE.XML);
+               facade = LocateFacadeFactory.v1_1(env,this,trans,Data.TYPE.JSON);   // Default Facade
+               facade_1_1_XML = LocateFacadeFactory.v1_1(env,this,trans,Data.TYPE.XML);
 
                synchronized(env) {
                        if(cacheUser == null) {
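Review bot: `LocateFacadeFactory.v1_1(env,this,trans,...)` passes `this` out of what appears to be the constructor before construction has finished, and `LocateServiceImpl` reads `locate.locateDAO` and `locate.configDAO` from it. That works only because both fields are assigned a few lines earlier; moving those assignments below this call would hand the service null DAOs without any compile error. Either keep passing the DAOs explicitly, or add a comment such as `// 'this' escapes here: locateDAO and configDAO must already be assigned` above the two calls. The enclosing block starts and ends outside this hunk.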
@@ -166,7 +170,7 @@ public class AAF_Locate extends AbsService<AuthzEnv, AuthzTrans> {
 
                // setup Application API HTML ContentTypes for XML and Route
                application = applicationXML(respCls, version);
-               route(env,meth,path,code.clone(facade_1_0_XML,false),application,"text/xml;version="+version);
+               route(env,meth,path,code.clone(facade_1_1_XML,false),application,"text/xml;version="+version);
                
                // Add other Supported APIs here as created
        }
@@ -202,11 +206,12 @@ public class AAF_Locate extends AbsService<AuthzEnv, AuthzTrans> {
 
 
        @Override
-       public Filter[] filters() throws CadiException, LocatorException {
+       public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
                try {
                        return new Filter[] {
                                new AuthzTransFilter(env, aafCon(), 
                                        new AAFTrustChecker((Env)env)
+                                       ,additionalTafLurs
                                )};
                } catch (NumberFormatException e) {
                        throw new CadiException("Invalid Property information", e);
index 9de92d1..af7611a 100644 (file)
@@ -21,6 +21,8 @@
 
 package org.onap.aaf.auth.locate.api;
 
+import static org.onap.aaf.auth.layer.Result.OK;
+
 import java.io.IOException;
 import java.net.ConnectException;
 import java.net.URI;
@@ -222,6 +224,28 @@ public class API_AAFAccess {
                                }
                        }
                });
+               
+               /**
+                * Configuration 
+                */
+               gwAPI.route(HttpMethods.GET,"/configure/:id/:type",API.CONFIG,new LocateCode(facade,"Deliver Configuration Properties to AAF", true) {
+                       @Override
+                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
+                               try {
+                                       Result<Void> r = facade.getConfig(trans, req, resp, pathParam(req, ":id"),pathParam(req,":type"));
+                                       switch(r.status) {
+                                               case OK:
+                                                       resp.setStatus(HttpStatus.OK_200);
+                                                       break;
+                                               default:
+                                                       context.error(trans,resp,r);
+                                       }
+
+                               } catch (Exception e) {
+                                       context.error(trans, resp, Result.ERR_General, e.getMessage());
+                               }
+                       }
+               });
        }
 
        private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, LocateFacade context, Locator<URI> loc, String path) throws IOException {
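Review bot: The `catch (Exception e)` branch of the new `/configure/:id/:type` handler passes `e.getMessage()` to `context.error`, which presumably ends up in the response, so internal details such as backend error text can reach the caller. Log the exception and return a fixed message instead, e.g. `trans.error().log(e, "Get Configuration failed"); context.error(trans, resp, Result.ERR_General, "Unable to retrieve configuration");`. Nothing in this hunk checks that the caller may read the configuration for `id`; confirm that `facade.getConfig` or the service behind it enforces that. The path parameters are also read as `":id"` and `":type"`, while `API_Hello` in this commit calls `pathParam(req, "perm")` without the colon, so check which key form `pathParam` expects.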
index 817fcc5..8fb719f 100644 (file)
@@ -103,4 +103,13 @@ public interface LocateFacade {
         */
        public abstract Result<Void> removeMgmtEndpoints(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp);
 
+       /**
+        * 
+        * @param trans
+        * @param req
+        * @param resp
+        * @return
+        */
+       public Result<Void> getConfig(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, String id, String type);
+
 }
\ No newline at end of file
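Review bot: The Javadoc added for `getConfig` is empty and omits the two parameters that matter, `id` and `type`. Give it a summary sentence saying that it writes the configuration selected by `id` and `type` to `resp`, add `@param id` and `@param type` lines, and state on `@return` what a non-OK `Result` means for the response. The exact meaning of `id` and `type` is not visible in this hunk and should be taken from the service implementation.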
index ea20df5..84fc20a 100644 (file)
@@ -1,5 +1,5 @@
 /**
- * ============LICENSE_START====================================================
+\\ * ============LICENSE_START====================================================
  * org.onap.aaf
  * ===========================================================================
  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
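Review bot: The changed header line now begins with a stray `\\` (`\\ * ============LICENSE_START...`), which looks like an accidental keystroke and can stop license-header scanners from matching the block. Restore the line exactly as it was before this commit, i.e. the removed ` * ============LICENSE_START...` form. Further down in the same file the re-added import reads `import locate_local.v1_0.Error;;`; drop the second semicolon.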
 
 package org.onap.aaf.auth.locate.facade;
 
-import org.onap.aaf.auth.dao.cass.LocateDAO;
 import org.onap.aaf.auth.env.AuthzEnv;
 import org.onap.aaf.auth.env.AuthzTrans;
-import org.onap.aaf.auth.locate.mapper.Mapper_1_0;
+import org.onap.aaf.auth.locate.AAF_Locate;
+import org.onap.aaf.auth.locate.mapper.Mapper_1_1;
 import org.onap.aaf.auth.locate.service.LocateServiceImpl;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.Data;
 
-import locate_local.v1_0.Error;
 import locate_local.v1_0.InRequest;
 import locate_local.v1_0.Out;
+import locate_local.v1_0.Error;;
+
 
 
 public class LocateFacadeFactory {
-       public static LocateFacade_1_0 v1_0(AuthzEnv env, LocateDAO locateDAO, AuthzTrans trans, Data.TYPE type) throws APIException {
-               return new LocateFacade_1_0(
+       public static LocateFacade_1_1 v1_1(AuthzEnv env, AAF_Locate locate, AuthzTrans trans, Data.TYPE type) throws APIException {
+               return new LocateFacade_1_1(
                                env,
                                new LocateServiceImpl<
                                        InRequest,
                                        Out,
-                                       Error>(trans,locateDAO,new Mapper_1_0()),
+                                       Error>(trans,locate,new Mapper_1_1()),
                                type);  
        }
 
index fdb02c7..f655657 100644 (file)
@@ -54,14 +54,15 @@ import org.onap.aaf.auth.rserv.doc.ApiDoc;
 import org.onap.aaf.cadi.aaf.client.Examples;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Data.TYPE;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
-import org.onap.aaf.misc.env.Data.TYPE;
 import org.onap.aaf.misc.rosetta.env.RosettaDF;
 import org.onap.aaf.misc.rosetta.env.RosettaData;
 
 import locate_local.v1_0.Api;
 
+
 /**
  * AuthzFacade
  * 
@@ -82,28 +83,30 @@ import locate_local.v1_0.Api;
  * @author Jonathan
  *
  */
-public abstract class LocateFacadeImpl<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> extends FacadeImpl implements LocateFacade 
+public abstract class LocateFacadeImpl<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIGURATION,ERROR> extends FacadeImpl implements LocateFacade 
        {
-       private LocateService<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> service;
+       private LocateService<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIGURATION,ERROR> service;
 
        private final RosettaDF<ERROR>                  errDF;
        private final RosettaDF<Api>                            apiDF;
        private final RosettaDF<ENDPOINTS>              epDF;
        private final RosettaDF<MGMT_ENDPOINTS> mepDF;
+       private final RosettaDF<CONFIGURATION>  confDF;
 
 
        private static long cacheClear = 0L, emptyCheck=0L;
-       private final static Map<String,String> epsCache = new HashMap<String, String>(); // protected manually, in getEndpoints
+       private final static Map<String,String> epsCache = new HashMap<>(); // protected manually, in getEndpoints
 
-       public LocateFacadeImpl(AuthzEnv env, LocateService<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> service, Data.TYPE dataType) throws APIException {
+       public LocateFacadeImpl(AuthzEnv env, LocateService<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIGURATION,ERROR> service, Data.TYPE dataType) throws APIException {
                this.service = service;
                (errDF                          = env.newDataFactory(mapper().getClass(API.ERROR))).in(dataType).out(dataType);
                (apiDF                          = env.newDataFactory(Api.class)).in(dataType).out(dataType);
                (epDF                           = env.newDataFactory(mapper().getClass(API.ENDPOINTS))).in(dataType).out(dataType);
                (mepDF                          = env.newDataFactory(mapper().getClass(API.MGMT_ENDPOINTS))).in(dataType).out(dataType);
+               (confDF                         = env.newDataFactory(mapper().getClass(API.CONFIG))).in(dataType).out(dataType);
        }
        
-       public Mapper<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> mapper() {
+       public Mapper<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIGURATION,ERROR> mapper() {
                return service.mapper();
        }
                
@@ -391,4 +394,26 @@ public abstract class LocateFacadeImpl<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> ex
                }
        }
 
+       private static final String GET_CONFIG = "Get Configuration";
+       @Override
+       public Result<Void> getConfig(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, final String id, final String type) {
+               TimeTaken tt = trans.start(GET_CONFIG, Env.SUB|Env.ALWAYS);
+               try {
+                       Result<CONFIGURATION> rp = service.getConfig(trans, id, type);
+                       switch(rp.status) {
+                               case OK: 
+                                       setContentType(resp,mepDF.getOutType());
+                                       confDF.newData(trans).load(rp.value).to(resp.getOutputStream());
+                                       return Result.ok();
+                               default:
+                                       return Result.err(rp);
+                       }
+               } catch (Exception e) {
+                       trans.error().log(e,IN,GET_CONFIG);
+                       return Result.err(e);
+               } finally {
+                       tt.done();
+               }       
+       }
+       
 }
\ No newline at end of file
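Review bot: In the new `getConfig`, the content type is taken from `mepDF.getOutType()` while the body is written with `confDF`, which looks like a leftover from the management-endpoints method. Both factories are configured with the same `dataType` in the constructor, so the header is probably correct today, but the line should read `setContentType(resp,confDF.getOutType());` so the header and the body cannot drift apart.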
@@ -28,13 +28,15 @@ import org.onap.aaf.misc.env.Data;
 
 import locate.v1_0.Endpoints;
 import locate.v1_0.MgmtEndpoints;
+import locate.v1_1.Configuration;
 import locate_local.v1_0.InRequest;
 import locate_local.v1_0.Out;
 import locate_local.v1_0.Error;
 
-public class LocateFacade_1_0 extends LocateFacadeImpl<InRequest,Out,Endpoints,MgmtEndpoints,Error>
+
+public class LocateFacade_1_1 extends LocateFacadeImpl<InRequest,Out,Endpoints,MgmtEndpoints,Configuration,Error>
 {
-       public LocateFacade_1_0(AuthzEnv env, LocateService<InRequest,Out,Endpoints,MgmtEndpoints,Error> service, Data.TYPE type) throws APIException {
+       public LocateFacade_1_1(AuthzEnv env, LocateService<InRequest,Out,Endpoints,MgmtEndpoints,Configuration,Error> service, Data.TYPE type) throws APIException {
                super(env, service, type);
        }
 }
index 685d096..7e012f2 100644 (file)
@@ -28,9 +28,9 @@ import org.onap.aaf.auth.layer.Result;
 
 import locate.v1_0.MgmtEndpoint;
 
-public interface Mapper<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR>
+public interface Mapper<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIG,ERROR>
 {
-       public enum API{IN_REQ,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR,VOID};
+       public enum API{IN_REQ,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIG,ERROR,VOID};
        public Class<?> getClass(API api);
        public<A> A newInstance(API api);
 
@@ -32,11 +32,12 @@ import locate.v1_0.Endpoint;
 import locate.v1_0.Endpoints;
 import locate.v1_0.MgmtEndpoint;
 import locate.v1_0.MgmtEndpoints;
+import locate.v1_1.Configuration;
 import locate_local.v1_0.Error;
 import locate_local.v1_0.InRequest;
 import locate_local.v1_0.Out;
 
-public class Mapper_1_0 implements Mapper<InRequest,Out,Endpoints,MgmtEndpoints,Error> {
+public class Mapper_1_1 implements Mapper<InRequest,Out,Endpoints,MgmtEndpoints,Configuration,Error> {
        
        @Override
        public Class<?> getClass(API api) {
@@ -47,6 +48,7 @@ public class Mapper_1_0 implements Mapper<InRequest,Out,Endpoints,MgmtEndpoints,
                        case VOID: return Void.class;
                        case ENDPOINTS: return Endpoints.class;
                        case MGMT_ENDPOINTS: return MgmtEndpoints.class;
+                       case CONFIG: return Configuration.class;
                }
                return null;
        }
@@ -60,6 +62,7 @@ public class Mapper_1_0 implements Mapper<InRequest,Out,Endpoints,MgmtEndpoints,
                        case ERROR: return (A)new Error();
                        case ENDPOINTS: return (A) new Endpoints();
                        case MGMT_ENDPOINTS: return (A) new MgmtEndpoints();
+                       case CONFIG: return (A) new Configuration();
                        case VOID: return null;
                }
                return null;
index d2a3734..ac2e3c4 100644 (file)
@@ -25,9 +25,10 @@ import org.onap.aaf.auth.env.AuthzTrans;
 import org.onap.aaf.auth.layer.Result;
 import org.onap.aaf.auth.locate.mapper.Mapper;
 
-public interface LocateService<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> {
-       public Mapper<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,ERROR> mapper();
+public interface LocateService<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIG,ERROR> {
+       public Mapper<IN,OUT,ENDPOINTS,MGMT_ENDPOINTS,CONFIG,ERROR> mapper();
        public Result<ENDPOINTS> getEndPoints(AuthzTrans trans, String service, String version, String other);
        public Result<Void> putMgmtEndPoints(AuthzTrans trans, MGMT_ENDPOINTS meps);
        public Result<Void> removeMgmtEndPoints(AuthzTrans trans, MGMT_ENDPOINTS meps);
+       public Result<CONFIG> getConfig(AuthzTrans trans, String id, String type);
 }
index d1a03cd..595a685 100644 (file)
 
 package org.onap.aaf.auth.locate.service;
 
+import java.util.List;
 import java.util.UUID;
 
+import org.onap.aaf.auth.dao.cass.ConfigDAO;
+import org.onap.aaf.auth.dao.cass.ConfigDAO.Data;
 import org.onap.aaf.auth.dao.cass.LocateDAO;
 import org.onap.aaf.auth.env.AuthzTrans;
 import org.onap.aaf.auth.layer.Result;
+import org.onap.aaf.auth.locate.AAF_Locate;
 import org.onap.aaf.auth.locate.mapper.Mapper;
 import org.onap.aaf.auth.locate.validation.LocateValidator;
 import org.onap.aaf.cadi.aaf.AAFPermission;
@@ -34,20 +38,24 @@ import org.onap.aaf.misc.env.APIException;
 import locate.v1_0.Endpoints;
 import locate.v1_0.MgmtEndpoint;
 import locate.v1_0.MgmtEndpoints;
+import locate.v1_1.Configuration;
+import locate.v1_1.Configuration.Props;
 
 public class LocateServiceImpl<IN,OUT,ERROR> 
-         implements LocateService<IN,OUT,Endpoints,MgmtEndpoints,ERROR> {
-               private Mapper<IN,OUT,Endpoints,MgmtEndpoints,ERROR> mapper;
-               private LocateDAO locateDAO;
+         implements LocateService<IN,OUT,Endpoints,MgmtEndpoints,Configuration,ERROR> {
+               private Mapper<IN,OUT,Endpoints,MgmtEndpoints,Configuration,ERROR> mapper;
+               protected LocateDAO locateDAO;
+               private ConfigDAO configDAO;
                private boolean permToRegister;
        
-               public LocateServiceImpl(AuthzTrans trans, LocateDAO locateDAO, Mapper<IN,OUT,Endpoints,MgmtEndpoints,ERROR> mapper) throws APIException {
+               public LocateServiceImpl(AuthzTrans trans, AAF_Locate locate, Mapper<IN,OUT,Endpoints,MgmtEndpoints,Configuration,ERROR> mapper) throws APIException {
                        this.mapper = mapper;
-                       this.locateDAO = locateDAO; 
+                       this.locateDAO = locate.locateDAO;
+                       this.configDAO = locate.configDAO;
                        permToRegister = false; //TODO Setup a Configuration for this
                }
                
-               public Mapper<IN,OUT,Endpoints,MgmtEndpoints,ERROR> mapper() {return mapper;}
+               public Mapper<IN,OUT,Endpoints,MgmtEndpoints,Configuration,ERROR> mapper() {return mapper;}
 
                @Override
                public Result<Endpoints> getEndPoints(AuthzTrans trans, String service, String version, String other) {
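Review bot: `locateDAO` goes from `private` to `protected` and stays non-final, so any subclass can swap the DAO behind the endpoint registry after construction. The only visible user of that access is the test subclass in JU_LocateServiceImplTest, and `configDAO` remains private and cannot be substituted the same way. Keeping both fields `private final` and adding a package-private constructor that takes the two DAOs gives the tests what they need without widening the production class. The public constructor also dereferences `locate` without a null check. `getEndPoints`, at the end of this hunk, continues outside it.

```java
private final LocateDAO locateDAO;
private final ConfigDAO configDAO;

public LocateServiceImpl(AuthzTrans trans, AAF_Locate locate, Mapper<IN,OUT,Endpoints,MgmtEndpoints,Configuration,ERROR> mapper) throws APIException {
	this(locate.locateDAO, locate.configDAO, mapper);
}

// Package-private: lets tests in this package supply DAOs without widening the fields.
LocateServiceImpl(LocateDAO locateDAO, ConfigDAO configDAO, Mapper<IN,OUT,Endpoints,MgmtEndpoints,Configuration,ERROR> mapper) {
	this.mapper = mapper;
	this.locateDAO = locateDAO;
	this.configDAO = configDAO;
	permToRegister = false; //TODO Setup a Configuration for this
}
```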
@@ -117,6 +125,29 @@ public class LocateServiceImpl<IN,OUT,ERROR>
                        }
                }
 
+               /////   ADDED v1_1
+               /* (non-Javadoc)
+                * @see org.onap.aaf.auth.locate.service.LocateService#getConfig(org.onap.aaf.auth.env.AuthzTrans, java.lang.String, java.lang.String)
+                */
+               @Override
+               public Result<Configuration> getConfig(AuthzTrans trans, String id, String type) {
+                       Result<List<Data>> dr = configDAO.readName(trans, type);
+                       Configuration c = new Configuration();
+                       c.setName(type);
+                       Props p;
+                       
+                       if(dr.isOKhasData()) {
+                               for(ConfigDAO.Data data : dr.value) {
+                                       p = new Props();
+                                       p.setTag(data.tag);
+                                       p.setValue(data.value);
+                                       c.getProps().add(p);
+                               }
+                       }
+                       return Result.ok(c);
+                       //return Result.err(Result.ERR_NotImplemented,"not done yet");
+               }
+
 
 //////////////// APIs ///////////////////
 };
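Review bot: `getConfig` returns `Result.ok(c)` even when `configDAO.readName` fails, because the `dr.isOKhasData()` test only skips the loop; a failed DAO read therefore reaches the caller as a valid but empty Configuration. Propagate the failure before building the response, e.g. `if(!dr.isOK()) { return Result.err(dr); }`, and keep the OK-but-empty case as it is. The `id` argument is never read and no permission check is visible in this method, so unless the calling layer restricts access (not shown in this hunk), every caller that reaches it can read all tag/value pairs stored under `type`, which matters if those rows can hold credentials or internal hostnames. The commented-out `return Result.err(...)` line should be deleted, and the method deserves a Javadoc saying what `id` is for.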
index 93b39b2..26bea94 100644 (file)
@@ -42,7 +42,7 @@ public class JU_Mapper_1_0Test {
 \r
        @Test\r
        public void testGetClasses() {\r
-               Mapper_1_0 mapper = new Mapper_1_0();\r
+               Mapper_1_1 mapper = new Mapper_1_1();\r
                assertEquals(InRequest.class, mapper.getClass(API.IN_REQ));\r
                assertEquals(Out.class, mapper.getClass(API.OUT));\r
                assertEquals(Error.class, mapper.getClass(API.ERROR));\r
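Review bot: `testGetClasses` here and `testNewInstance` in the next hunk now build a `Mapper_1_1`, but neither hunk adds an assertion for the new `API.CONFIG` case, and the class is still named `JU_Mapper_1_0Test`. Assuming `Mapper_1_1` carries the CONFIG cases shown in the mapper hunks earlier on this page, add `assertEquals(Configuration.class, mapper.getClass(API.CONFIG));` and `assertTrue(mapper.newInstance(API.CONFIG) instanceof Configuration);`. Rename the test class to match the mapper it covers. Both test methods continue past the end of their hunks.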
@@ -53,7 +53,7 @@ public class JU_Mapper_1_0Test {
 \r
        @Test\r
        public void testNewInstance() {\r
-               Mapper_1_0 mapper = new Mapper_1_0();\r
+               Mapper_1_1 mapper = new Mapper_1_1();\r
                assertTrue(mapper.newInstance(API.IN_REQ) instanceof InRequest);\r
                assertTrue(mapper.newInstance(API.OUT) instanceof Out);\r
                assertTrue(mapper.newInstance(API.ERROR) instanceof Error);\r
diff --git a/auth/auth-locate/src/test/java/org/onap/aaf/auth/locate/service/JU_LocateServiceImplTest.java b/auth/auth-locate/src/test/java/org/onap/aaf/auth/locate/service/JU_LocateServiceImplTest.java
new file mode 100644 (file)
index 0000000..c66de60
--- /dev/null
@@ -0,0 +1,114 @@
+/**\r
+ * ============LICENSE_START====================================================\r
+ * org.onap.aaf\r
+ * ===========================================================================\r
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.\r
+ * ===========================================================================\r
+ * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * you may not use this file except in compliance with the License.\r
+ * You may obtain a copy of the License at\r
+ * \r
+ *      http://www.apache.org/licenses/LICENSE-2.0\r
+ * \r
+ * Unless required by applicable law or agreed to in writing, software\r
+ * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * See the License for the specific language governing permissions and\r
+ * limitations under the License.\r
+ * ============LICENSE_END====================================================\r
+ *\r
+ */\r
+package org.onap.aaf.auth.locate.service;\r
+\r
+import static org.junit.Assert.assertEquals;\r
+import static org.mockito.Matchers.any;\r
+import static org.mockito.Mockito.when;\r
+\r
+import java.util.ArrayList;\r
+import java.util.List;\r
+\r
+import org.junit.Before;\r
+import org.junit.Test;\r
+import org.mockito.Mock;\r
+import org.mockito.MockitoAnnotations;\r
+import org.onap.aaf.auth.dao.cass.LocateDAO;\r
+import org.onap.aaf.auth.dao.cass.LocateDAO.Data;\r
+import org.onap.aaf.auth.env.AuthzTrans;\r
+import org.onap.aaf.auth.layer.Result;\r
+import org.onap.aaf.auth.locate.AAF_Locate;\r
+import org.onap.aaf.auth.locate.mapper.Mapper;\r
+import org.onap.aaf.misc.env.APIException;\r
+\r
+import locate.v1_0.MgmtEndpoint;\r
+import locate.v1_0.MgmtEndpoints;\r
+\r
+public class JU_LocateServiceImplTest {\r
+\r
+       // Extend, because I don't want a "setter" in the original.  Compromised with a protected...\r
+       private final class LocateServiceImplExtension extends LocateServiceImpl {\r
+               private LocateServiceImplExtension(AuthzTrans trans, AAF_Locate locate, Mapper mapper) throws APIException {\r
+                       super(trans, locate, mapper);\r
+               }\r
+               public void set(LocateDAO ld) {\r
+                       locateDAO=ld;\r
+               }\r
+       }\r
+\r
+       @Mock\r
+       private AuthzTrans trans;\r
+       @Mock\r
+       private AAF_Locate aaf_locate;\r
+       @Mock\r
+       private LocateDAO locateDAO;\r
+       @Mock\r
+       private Mapper mapper;\r
+       @Mock\r
+       private Result<List<Data>> result;\r
+       @Mock\r
+       private Result endPointResult;\r
+       @Mock\r
+       private MgmtEndpoints meps;\r
+       @Mock\r
+       private MgmtEndpoint mgmtEndPoint;\r
+\r
+       @Before\r
+       public void setup() {\r
+               MockitoAnnotations.initMocks(this);\r
+       }\r
+\r
+       @Test\r
+       public void test() throws APIException {\r
+               LocateServiceImplExtension locateServiceImpl = new LocateServiceImplExtension(trans, aaf_locate, mapper);\r
+               locateServiceImpl.set(locateDAO);\r
+\r
+               assertEquals(mapper, locateServiceImpl.mapper());\r
+\r
+               when(locateDAO.readByName(trans, "http")).thenReturn(result);\r
+               when(mapper.endpoints(result, "1.0", "other")).thenReturn(endPointResult);\r
+\r
+               Result output = locateServiceImpl.getEndPoints(trans, "http", "1.0", "other");\r
+\r
+               assertEquals(endPointResult, output);\r
+\r
+               List<MgmtEndpoint> mgmtEndPoints = new ArrayList<>();\r
+               mgmtEndPoints.add(mgmtEndPoint);\r
+\r
+               when(mgmtEndPoint.getName()).thenReturn("http.Endpoint1");\r
+               when(mgmtEndPoint.getHostname()).thenReturn("HOST1");\r
+               when(mgmtEndPoint.getPort()).thenReturn(9090);\r
+               when(mgmtEndPoint.getProtocol()).thenReturn("HTTP");\r
+\r
+               when(meps.getMgmtEndpoint()).thenReturn(mgmtEndPoints);\r
+               output = locateServiceImpl.putMgmtEndPoints(trans, meps);\r
+\r
+               assertEquals(output.toString(), Result.ok().toString());\r
+\r
+               when(trans.fish(any())).thenReturn(true);\r
+               Data data = new LocateDAO.Data();\r
+               when(mapper.locateData(mgmtEndPoint)).thenReturn(data);\r
+               output = locateServiceImpl.removeMgmtEndPoints(trans, meps);\r
+\r
+               assertEquals(output.toString(), Result.ok().toString());\r
+       }\r
+\r
+}\r
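Review bot: The single `test()` method never calls `getConfig`, the one service method this change adds, so its empty-result and DAO-failure paths are unverified. `aaf_locate` is a Mockito mock, so its `configDAO` field is presumably null, and the `set(LocateDAO)` workaround has no counterpart for it; a `getConfig` test needs a way to supply a mocked `ConfigDAO` first. Splitting `test()` into one method each for `getEndPoints`, `putMgmtEndPoints` and `removeMgmtEndPoints` would make a failure point at the behaviour that broke. The two final assertions have expected and actual swapped and compare only string forms; `assertEquals(Result.ok().toString(), output.toString());` at least reports the right side as expected.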
diff --git a/auth/auth-locate/src/test/java/org/onap/aaf/auth/locate/validation/JU_LocateValidatorTest.java b/auth/auth-locate/src/test/java/org/onap/aaf/auth/locate/validation/JU_LocateValidatorTest.java
new file mode 100644 (file)
index 0000000..0339f31
--- /dev/null
@@ -0,0 +1,187 @@
+/**\r
+ * ============LICENSE_START====================================================\r
+ * org.onap.aaf\r
+ * ===========================================================================\r
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.\r
+ * ===========================================================================\r
+ * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * you may not use this file except in compliance with the License.\r
+ * You may obtain a copy of the License at\r
+ * \r
+ *      http://www.apache.org/licenses/LICENSE-2.0\r
+ * \r
+ * Unless required by applicable law or agreed to in writing, software\r
+ * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * See the License for the specific language governing permissions and\r
+ * limitations under the License.\r
+ * ============LICENSE_END====================================================\r
+ *\r
+ */\r
+package org.onap.aaf.auth.locate.validation;\r
+\r
+import static org.junit.Assert.assertEquals;\r
+import static org.mockito.Mockito.when;\r
+\r
+import java.util.ArrayList;\r
+import java.util.List;\r
+\r
+import org.junit.Before;\r
+import org.junit.Test;\r
+import org.mockito.Answers;\r
+import org.mockito.Mock;\r
+import org.mockito.MockitoAnnotations;\r
+\r
+import locate.v1_0.Endpoint;\r
+import locate.v1_0.Endpoints;\r
+import locate.v1_0.MgmtEndpoint;\r
+import locate.v1_0.MgmtEndpoint.SpecialPorts;\r
+import locate.v1_0.MgmtEndpoints;\r
+\r
+public class JU_LocateValidatorTest {\r
+\r
+    @Mock\r
+    private Endpoint endpoint;\r
+\r
+    @Mock(answer = Answers.RETURNS_DEEP_STUBS)\r
+    private Endpoints endpoints;\r
+    @Mock(answer = Answers.RETURNS_DEEP_STUBS)\r
+    private MgmtEndpoints me;\r
+    @Mock(answer = Answers.RETURNS_DEEP_STUBS)\r
+    private MgmtEndpoint mgmtEndpoint;\r
+    @Mock(answer = Answers.RETURNS_DEEP_STUBS)\r
+    private SpecialPorts specialPort;\r
+\r
+    @Before\r
+    public void setup() {\r
+        MockitoAnnotations.initMocks(this);\r
+    }\r
+\r
+    @Test\r
+    public void testNullEndPoint() {\r
+        LocateValidator validator = new LocateValidator();\r
+\r
+        validator.endpoint(null);\r
+        assertEquals("Endpoint Data is null.\n", validator.errs());\r
+    }\r
+\r
+    @Test\r
+    public void testEndPoint() {\r
+        LocateValidator validator = new LocateValidator();\r
+\r
+        when(endpoint.getName()).thenReturn("Endpoint1");\r
+        when(endpoint.getHostname()).thenReturn("HOST1");\r
+        when(endpoint.getPort()).thenReturn(9090);\r
+        when(endpoint.getProtocol()).thenReturn("HTTP");\r
+\r
+        validator.endpoint(endpoint);\r
+\r
+        assertEquals("Endpoint Name must prefixed by Namespace\n", validator.errs());\r
+    }\r
+\r
+    @Test\r
+    public void testSubProtoCol() {\r
+        LocateValidator validator = new LocateValidator();\r
+\r
+        List<String> subProtocol = new ArrayList<>();\r
+        subProtocol.add(null);\r
+\r
+        when(endpoint.getName()).thenReturn("EndPoint.Endpoint1");\r
+        when(endpoint.getHostname()).thenReturn("HOST1");\r
+        when(endpoint.getPort()).thenReturn(9090);\r
+        when(endpoint.getProtocol()).thenReturn("HTTP");\r
+        when(endpoint.getSubprotocol()).thenReturn(subProtocol);\r
+\r
+        validator.endpoint(endpoint);\r
+\r
+        assertEquals("Endpoint Subprotocol is null.\n", validator.errs());\r
+    }\r
+\r
+    @Test\r
+    public void testNullEndpoints() {\r
+        LocateValidator validator = new LocateValidator();\r
+\r
+        validator.endpoints(null, false);\r
+        validator.mgmt_endpoint_key(null);\r
+        validator.mgmt_endpoints(null, false);\r
+        assertEquals("Endpoints Data is null.\n" + "MgmtEndpoints Data is null.\n" + "MgmtEndpoints Data is null.\n",\r
+                validator.errs());\r
+    }\r
+\r
+    @Test\r
+    public void testEndpointsWithListContaingNull() {\r
+        LocateValidator validator = new LocateValidator();\r
+        when(endpoints.getEndpoint().size()).thenReturn(0);\r
+        when(me.getMgmtEndpoint().size()).thenReturn(0);\r
+\r
+        validator.endpoints(endpoints, true);\r
+        validator.mgmt_endpoints(me, false);\r
+        assertEquals("Endpoints contains no endpoints\n" + "MgmtEndpoints contains no data\n", validator.errs());\r
+    }\r
+\r
+    @Test\r
+    public void testEndpointsWithSpecialPortsNull() {\r
+        LocateValidator validator = new LocateValidator();\r
+\r
+        when(endpoint.getName()).thenReturn("EndPoint.Endpoint1");\r
+        when(endpoint.getHostname()).thenReturn("HOST1");\r
+        when(endpoint.getPort()).thenReturn(9090);\r
+        when(endpoint.getProtocol()).thenReturn("HTTP");\r
+        List<String> subprotocol = new ArrayList<>();\r
+        when(endpoint.getSubprotocol()).thenReturn(subprotocol);\r
+\r
+        List<Endpoint> endpointList = new ArrayList<>();\r
+        endpointList.add(endpoint);\r
+\r
+        when(mgmtEndpoint.getName()).thenReturn("EndPoint.Endpoint1");\r
+        when(mgmtEndpoint.getHostname()).thenReturn("HOST1");\r
+        when(mgmtEndpoint.getPort()).thenReturn(9090);\r
+        when(mgmtEndpoint.getProtocol()).thenReturn("HTTP");\r
+        List<SpecialPorts> specialPorts = new ArrayList<>();\r
+        specialPorts.add(null);\r
+        when(mgmtEndpoint.getSpecialPorts()).thenReturn(specialPorts);\r
+        List<MgmtEndpoint> mgmtEndpoints = new ArrayList<>();\r
+        mgmtEndpoints.add(mgmtEndpoint);\r
+\r
+        when(endpoints.getEndpoint()).thenReturn(endpointList);\r
+        when(me.getMgmtEndpoint()).thenReturn(mgmtEndpoints);\r
+\r
+        validator.endpoints(endpoints, false);\r
+        validator.mgmt_endpoints(me, true);\r
+        assertEquals("Special Ports is null.\n", validator.errs());\r
+    }\r
+\r
+    @Test\r
+    public void testEndpointsWithSpecialPorts() {\r
+        LocateValidator validator = new LocateValidator();\r
+\r
+        when(mgmtEndpoint.getName()).thenReturn("EndPoint.Endpoint1");\r
+        when(mgmtEndpoint.getHostname()).thenReturn("HOST1");\r
+        when(mgmtEndpoint.getPort()).thenReturn(9090);\r
+        when(mgmtEndpoint.getProtocol()).thenReturn("HTTP");\r
+\r
+        List<SpecialPorts> specialPorts = new ArrayList<>();\r
+        specialPorts.add(specialPort);\r
+\r
+        when(specialPort.getName()).thenReturn("Port1");\r
+        when(specialPort.getProtocol()).thenReturn("HTTP");\r
+        when(specialPort.getPort()).thenReturn(9090);\r
+\r
+        List<String> versions = new ArrayList<>();\r
+        versions.add("1");\r
+\r
+        when(specialPort.getProtocolVersions()).thenReturn(versions);\r
+\r
+        when(mgmtEndpoint.getSpecialPorts()).thenReturn(specialPorts);\r
+        List<MgmtEndpoint> mgmtEndpoints = new ArrayList<>();\r
+        mgmtEndpoints.add(mgmtEndpoint);\r
+\r
+        when(me.getMgmtEndpoint()).thenReturn(mgmtEndpoints);\r
+\r
+        validator.endpoints(endpoints, false);\r
+        validator.mgmt_endpoints(me, true);\r
+        validator.mgmt_endpoint_key(me);\r
+        assertEquals(false, validator.err());\r
+\r
+    }\r
+}\r
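Review bot: `testEndpointsWithListContaingNull` stubs both lists to size 0 and asserts the "contains no endpoints" / "contains no data" messages, so it covers empty lists rather than a list holding a null entry, and the name is misspelled; `testEndpointsWithEmptyLists` says what it checks. In `testEndpointsWithSpecialPorts`, `assertEquals(false, validator.err())` is clearer as `assertFalse(validator.err());` with the matching static import. The tests share one set of `@Mock` fields but build a fresh `LocateValidator` each time, which is worth a one-line comment, e.g. `// new validator per test: errs() accumulates across calls`, if that is the reason.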
index daed471..6510070 100644 (file)
@@ -17,7 +17,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-cass</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-aaf</artifactId>
-                       <version>${project.version}</version>
                </dependency>
        </dependencies>
 
                        <plugin>
                                <groupId>org.sonatype.plugins</groupId>
                                <artifactId>nexus-staging-maven-plugin</artifactId>
-                               <version>1.6.7</version>
                                <extensions>true</extensions>
                                <configuration>
                                        <nexusUrl>${nexusproxy}</nexusUrl>
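Review bot: Removing `<version>1.6.7</version>` from nexus-staging-maven-plugin makes every one of these versions depend on the parent's `pluginManagement` and `dependencyManagement`. The same applies to the `${jacoco.version}` and `${project.version}` removals in the neighbouring hunks, and to the second pom.xml further down. The parent pom is not part of this view, so confirm each artifact is pinned there. A plugin with no managed version is resolved by Maven at build time, which makes release builds non-reproducible and lets the staging plugin change without a reviewed commit. A short comment next to each plugin, e.g. `<!-- version managed in authparent pluginManagement -->`, would record where the pin lives.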
                        <plugin>
                                <groupId>org.jacoco</groupId>
                                <artifactId>jacoco-maven-plugin</artifactId>
-                               <version>${jacoco.version}</version>
                                <configuration>
                                        <excludes>
                                                <exclude>**/gen/**</exclude>
index ecc2ae5..d73c3be 100644 (file)
@@ -140,19 +140,26 @@ public class AAF_OAuth extends AbsService<AuthzEnv,AuthzTrans> {
        }
        
        @Override
-       public Filter[] filters() throws CadiException, LocatorException {
+       public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
                try {
-               DirectOAuthTAF doat;
-                       return new Filter[] {new AuthzTransFilter(env,aafCon(),
+               DirectOAuthTAF doat = new DirectOAuthTAF(env,question,facade1_0);
+               Object[] atl=new Object[additionalTafLurs.length+2];
+               atl[0] = doat;
+               atl[1] = doat.directUserPass();
+
+               if(additionalTafLurs.length>0) {
+                       System.arraycopy(additionalTafLurs, 0, atl, 2, additionalTafLurs.length);
+               }
+               
+                       return new Filter[] {
+                               new AuthzTransFilter(env,aafCon(),
                                new AAFTrustChecker((Env)env),
-                               doat = new DirectOAuthTAF(env,question,facade1_0),
-                               doat.directUserPass()
-                               )};
+                               atl
+               )};
                } catch (NumberFormatException | APIException e) {
                        throw new CadiException("Invalid Property information", e);
                }
        }
-
        
        @SuppressWarnings("unchecked")
        @Override
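Review bot: `_filters` takes `Object ... additionalTafLurs` and copies it unchecked into the array handed to `AuthzTransFilter`, but nothing documents what the entries must be or that they are placed after the built-in `DirectOAuthTAF` and `doat.directUserPass()`. Since this array decides which authentication and authorization handlers the service runs, add a Javadoc such as `/** Builds the filter chain; additionalTafLurs must be TAF or LUR instances and are appended after the built-in OAuth handlers. */`. The `if(additionalTafLurs.length>0)` guard is not needed, since `System.arraycopy` with length 0 is a no-op. The same array-building lines are repeated in `AAF_Service._filters` later in this change and would be better as one helper on the shared base class. The new lines also mix indentation depths inside the `try`.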
index 16d7268..e602e86 100644 (file)
@@ -101,7 +101,6 @@ public class DirectOAuthTAF implements HttpTaf {
                }
 
                if("application/x-www-form-urlencoded".equals(req.getContentType())) {
-                       @SuppressWarnings("unchecked")
                        Map<String, String[]> map = req.getParameterMap();
                        String client_id=null,client_secret=null,username=null,password=null;
                        for(Map.Entry<String, String[]> es : map.entrySet()) {
index ee4237c..688a03c 100644 (file)
@@ -88,7 +88,6 @@ public class Mapper1_0 extends MapperIntrospect1_0 implements Mapper<TokenReques
        public TokenRequest tokenReqFromParams(HttpServletRequest req) {
                TokenRequest tr = new TokenRequest();
                boolean data = false;
-               @SuppressWarnings("unchecked")
                Map<String, String[]> map = req.getParameterMap();
                for(Entry<String, String[]> es : map.entrySet()) {
                        switch(es.getKey()) {
index 7d8f453..244e1e8 100644 (file)
@@ -17,7 +17,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>authparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>../pom.xml</relativePath>
        </parent>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-client</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <!-- Add the Organizations you wish to support. You can delete ONAP if 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-deforg</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-cass</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-auth-oauth</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-misc-rosetta</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-aaf</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <plugin>
                                <groupId>org.sonatype.plugins</groupId>
                                <artifactId>nexus-staging-maven-plugin</artifactId>
-                               <version>1.6.7</version>
                                <extensions>true</extensions>
                                <configuration>
                                        <nexusUrl>${nexusproxy}</nexusUrl>
                        <plugin>
                                <groupId>org.jacoco</groupId>
                                <artifactId>jacoco-maven-plugin</artifactId>
-                               <version>${jacoco.version}</version>
                                <configuration>
                                        <excludes>
                                                <exclude>**/gen/**</exclude>
index bdabc39..4064000 100644 (file)
@@ -54,6 +54,7 @@ import org.onap.aaf.auth.service.facade.AuthzFacadeFactory;
 import org.onap.aaf.auth.service.facade.AuthzFacade_2_0;
 import org.onap.aaf.auth.service.mapper.Mapper.API;
 import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker;
 import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator;
@@ -157,22 +158,31 @@ public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> {
        }
        
        @Override
-       public Filter[] filters() throws CadiException {
-               final String domain = FQI.reverseDomain(access.getProperty("aaf_root_ns","org.osaaf.aaf"));
+       public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException {
+               final String domain = FQI.reverseDomain(access.getProperty(Config.AAF_ROOT_NS,Config.AAF_ROOT_NS_DEF));
                try {
-                               return new Filter[] {new AuthzTransFilter(env, null /* no connection to AAF... it is AAF */,
-                                               new AAFTrustChecker((Env)env),
-                                               new DirectAAFLur(env,question), // Note, this will be assigned by AuthzTransFilter to TrustChecker
-                                               //new DirectOAuthTAF(env,question,OAFacadeFactory.directV1_0(oauthService)),
-                                               new BasicHttpTaf(env, directAAFUserPass,
-                                                       domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
-                                                       false)
-                                       )};
+               Object[] atl=new Object[additionalTafLurs.length+2];
+               atl[0]=new DirectAAFLur(env,question); // Note, this will be assigned by AuthzTransFilter to TrustChecker
+                       atl[1]= new BasicHttpTaf(env, directAAFUserPass,
+                                       domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
+                                       false);
+
+               if(additionalTafLurs.length>0) {
+                       System.arraycopy(additionalTafLurs, 0, atl, 2, additionalTafLurs.length);
+               }
+               
+                       return new Filter[] {
+                               new AuthzTransFilter(env,aafCon(),
+                               new AAFTrustChecker((Env)env),
+                               atl
+               )};
                } catch (NumberFormatException e) {
                        throw new CadiException("Invalid Property information", e);
                }
        }
 
+
+
        @SuppressWarnings("unchecked")
        @Override
        public Registrant<AuthzEnv>[] registrants(final int port) throws CadiException {
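Review bot: The new `AuthzTransFilter` call passes `aafCon()` as its second argument, where the removed code passed `null` with the comment `no connection to AAF... it is AAF`. The replacement block matches the one added to `AAF_OAuth._filters`, so this may be an unintended carry-over, and it would make the core service depend on a connection to itself when the filter chain is built. If the change is deliberate, say so in a comment; otherwise restore `new AuthzTransFilter(env, null /* no connection to AAF... it is AAF */,`. The commented-out `DirectOAuthTAF` line was dropped in the rewrite, which is fine. `registrants`, at the end of the hunk, continues outside it.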
index e8468d6..668d482 100644 (file)
@@ -532,7 +532,6 @@ public class AuthzCassServiceImpl   <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                NSS nss = mapper.newInstance(API.NSS);
                // Note: "loadNamespace" already validates view of Namespace
                return mapper.nss(trans, rn.value, nss);
-
        }
 
        @ApiDoc(
@@ -569,8 +568,8 @@ public class AuthzCassServiceImpl   <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                if(urd.notOKorIsEmpty()) {
                        return Result.err(urd);
                }
-               Map<String, Namespace> lm = new HashMap<String,Namespace>();
-               Map<String, Namespace> other = full || endsWith==null?null:new TreeMap<String,Namespace>();
+               Map<String, Namespace> lm = new HashMap<>();
+               Map<String, Namespace> other = full || endsWith==null?null:new TreeMap<>();
                for(UserRoleDAO.Data urdd : urd.value) {
                        if(full) {
                                if(endsWith==null || urdd.role.endsWith(endsWith)) {
@@ -605,8 +604,8 @@ public class AuthzCassServiceImpl   <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                                                        }
                                                        if(namespace==null) {
                                                                namespace = new Namespace(nsd.value);
-                                                               namespace.admin=new ArrayList<String>();
-                                                               namespace.owner=new ArrayList<String>();
+                                                               namespace.admin=new ArrayList<>();
+                                                               namespace.owner=new ArrayList<>();
                                                        }
                                                        if(endsWith==null || urdd.role.endsWith(endsWith)) {
                                                                lm.put(namespace.name,namespace);
@@ -680,7 +679,7 @@ public class AuthzCassServiceImpl   <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                        return Result.err(rnd); 
                }
 
-               Set<Namespace> lm = new HashSet<Namespace>();
+               Set<Namespace> lm = new HashSet<>();
                Result<List<NsDAO.Data>> rlnd = ques.nsDAO.dao().getChildren(trans, parent);
                if(rlnd.isOK()) {
                        if(rlnd.isEmpty()) {
@@ -1302,7 +1301,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                }
                
                // Create a set of Update Roles, which are in Internal Format
-               Set<String> updtRoles = new HashSet<String>();
+               Set<String> updtRoles = new HashSet<>();
                Result<NsSplit> nss;
                for(String role : updt.value.roles(false)) {
                        nss = ques.deriveNsSplit(trans, role);
@@ -1574,7 +1573,8 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                }
                
                // Look up data
-               Result<List<RoleDAO.Data>> rlrd = ques.getRolesByName(trans, role);
+               int query = role.indexOf('?');
+               Result<List<RoleDAO.Data>> rlrd = ques.getRolesByName(trans, query<0?role:role.substring(0, query));
                if(rlrd.isOK()) {
                        // Note: Mapper will restrict what can be viewed
                        ROLES roles = mapper.newInstance(API.ROLES);
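Review bot: The lookup now silently drops everything from the first `?` in `role`, but nothing in the hunk says why or what the suffix means. The enclosing method starts above the hunk, so it is not visible whether the earlier validation ran on the full string or on the name alone. Name the stripped value and document it, e.g. `// role may arrive as "name?query"; only the part before '?' is the role key` followed by `final String roleName = query<0?role:role.substring(0, query);`. Validation and any later use of `role` in this method should work on the same value that was looked up, so a suffix cannot carry characters the validator would otherwise reject.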
@@ -3114,7 +3114,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
        //                      filter = false;
                        
                        // Get list of roles per user, then add to Roles as we go
-                       HashSet<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();
+                       HashSet<UserRoleDAO.Data> userSet = new HashSet<>();
                        Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role);
                        if(rlurd.isOK()) {
                                for(UserRoleDAO.Data data : rlurd.value) {
@@ -3186,7 +3186,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                        
                        List<UserRoleDAO.Data> content;
                        if(mustFilter) {
-                               content = new ArrayList<UserRoleDAO.Data>(rlurd.value.size()); // avoid multi-memory redos
+                               content = new ArrayList<>(rlurd.value.size()); // avoid multi-memory redos
                                
                                for(UserRoleDAO.Data data : rlurd.value) {
                                        ndd.name=data.ns;
@@ -3231,7 +3231,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                        return Result.err(Status.ERR_BadData,v.errs());
                }
 
-               Set<String> currRoles = new HashSet<String>();
+               Set<String> currRoles = new HashSet<>();
                Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByUser(trans, rurdd.value.user);
                if(rlurd.isOK()) {
                        for(UserRoleDAO.Data data : rlurd.value) {
@@ -3325,7 +3325,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                        return Result.err(nsr); 
                }
 
-               Set<String> currUsers = new HashSet<String>();
+               Set<String> currUsers = new HashSet<>();
                Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, rurdd.value.role);
                if(rlurd.isOK()) { 
                        for(UserRoleDAO.Data data : rlurd.value) {
@@ -3541,7 +3541,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                        return Result.err(rnd); 
                }
                
-               HashSet<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();
+               HashSet<UserRoleDAO.Data> userSet = new HashSet<>();
                Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readUserInRole(trans, user, role);
                if(rlurd.isOK()) {
                        for(UserRoleDAO.Data data : rlurd.value) {
@@ -3593,7 +3593,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                        }
                }
                
-               HashSet<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();
+               HashSet<UserRoleDAO.Data> userSet = new HashSet<>();
                Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO.readByRole(trans, role);
                if(rlurd.isOK()) { 
                        for(UserRoleDAO.Data data : rlurd.value) {
@@ -3657,8 +3657,8 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                // Get list of roles per Permission, 
                // Then loop through Roles to get Users
                // Note: Use Sets to avoid processing or responding with Duplicates
-               Set<String> roleUsed = new HashSet<String>();
-               Set<UserRoleDAO.Data> userSet = new HashSet<UserRoleDAO.Data>();
+               Set<String> roleUsed = new HashSet<>();
+               Set<UserRoleDAO.Data> userSet = new HashSet<>();
                
                if(!nss.isEmpty()) {
                        Result<List<PermDAO.Data>> rlp = ques.permDAO.readByType(trans, nss.value.ns, nss.value.name);
@@ -4025,8 +4025,8 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                        }
 
                        if(curr.isOKhasData()) {
-                       Map<String, Result<List<DelegateDAO.Data>>> delegateCache = new HashMap<String, Result<List<DelegateDAO.Data>>>();
-                       Map<UUID, FutureDAO.Data> futureCache = new HashMap<UUID, FutureDAO.Data>();
+                       Map<String, Result<List<DelegateDAO.Data>>> delegateCache = new HashMap<>();
+                       Map<UUID, FutureDAO.Data> futureCache = new HashMap<>();
                        FutureDAO.Data hasDeleted = new FutureDAO.Data();
                        
                            for(ApprovalDAO.Data cd : curr.value) {
@@ -4177,7 +4177,7 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
                        return Result.err(Status.ERR_BadData,v.errs());
                }
                
-               List<ApprovalDAO.Data> listRapds = new ArrayList<ApprovalDAO.Data>();
+               List<ApprovalDAO.Data> listRapds = new ArrayList<>();
                
                Result<List<ApprovalDAO.Data>> myRapd = ques.approvalDAO.readByApprover(trans, approver);
                if(myRapd.notOK()) {
index d31c9d0..390c308 100644 (file)
@@ -42,9 +42,11 @@ import org.onap.aaf.auth.service.Code;
 import org.onap.aaf.auth.service.facade.AuthzFacade;
 import org.onap.aaf.auth.service.mapper.Mapper.API;
 import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.CredVal.Type;
 import org.onap.aaf.cadi.Symm;
 import org.onap.aaf.cadi.principal.BasicPrincipal;
 import org.onap.aaf.cadi.principal.X509Principal;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 
@@ -90,23 +92,36 @@ public class API_Creds {
                                        // have to check Basic Auth here, because it might be CSP.
                                        String authz = req.getHeader("Authorization");
                                        if(authz.startsWith("Basic ")) {
-                                               String decoded = Symm.base64noSplit.decode(authz.substring(6));
-                                               int colon = decoded.indexOf(':');
-                                               TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
-                                               try {
-                                                       if(directAAFUserPass.validate(
-                                                                       decoded.substring(0,colon), 
-                                                                       CredVal.Type.PASSWORD , 
-                                                                       decoded.substring(colon+1).getBytes(),trans)) {
-                                                               
-                                                               resp.setStatus(HttpStatus.OK_200);
-                                                       } else {
-                                                               // DME2 at this version crashes without some sort of response
-                                                               resp.getOutputStream().print("");
-                                                               resp.setStatus(HttpStatus.FORBIDDEN_403);
+                                               BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf(); 
+                                               if(bht!=null) {
+                                                       BasicPrincipal bp = new BasicPrincipal(authz,"");
+                                                       CredVal cv = bht.getCredVal(bp.getDomain());
+                                                       if(cv!=null) {
+                                                               if(cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) {
+                                                                       resp.setStatus(HttpStatus.OK_200);
+                                                               } else {
+                                                                       resp.setStatus(HttpStatus.FORBIDDEN_403);
+                                                               }
+                                                       }
+                                               } else {
+                                                       String decoded = Symm.base64noSplit.decode(authz.substring(6));
+                                                       int colon = decoded.indexOf(':');
+                                                       TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
+                                                       try {
+                                                               if(directAAFUserPass.validate(
+                                                                               decoded.substring(0,colon), 
+                                                                               CredVal.Type.PASSWORD , 
+                                                                               decoded.substring(colon+1).getBytes(),trans)) {
+                                                                       
+                                                                       resp.setStatus(HttpStatus.OK_200);
+                                                               } else {
+                                                                       // DME2 at this version crashes without some sort of response
+                                                                       resp.getOutputStream().print("");
+                                                                       resp.setStatus(HttpStatus.FORBIDDEN_403);
+                                                               }
+                                                       } finally {
+                                                               tt.done();
                                                        }
-                                               } finally {
-                                                       tt.done();
                                                }
                                        }
                                } else if(p == null) {
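Review bot: In the new `bht!=null` branch no status is set when `bht.getCredVal(bp.getDomain())` returns null, so a request for an unknown domain gets no explicit 403 and the response keeps whatever status it had (the servlet default is 200 unless code outside the hunk changes it). Deny by default by folding the null check into the condition: `if(cv!=null && cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null)) {`, with the existing `else` setting `FORBIDDEN_403`. The new branch also drops the `trans.start("Direct Validation", ...)` timing and the empty-body write that the fallback branch keeps for DME2. Separately, `authz.startsWith` on the context line above will throw if the `Authorization` header is absent. The enclosing handler starts and ends outside the hunk.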
index 8c55e7d..9044e17 100644 (file)
@@ -185,7 +185,7 @@ public class API_History {
                // Sonar says threading issues.
                SimpleDateFormat FMT = new SimpleDateFormat("yyyyMM");
                String yyyymm = req.getParameter("yyyymm");
-               ArrayList<Integer> ai= new ArrayList<Integer>();
+               ArrayList<Integer> ai= new ArrayList<>();
                if(yyyymm==null) {
                        GregorianCalendar gc = new GregorianCalendar();
                        // three months is the default
index 8b96172..06278f9 100644 (file)
@@ -292,7 +292,7 @@ public class Mapper_2_0 implements Mapper<Nss, Perms, Pkey, Roles, Users, UserRo
 
        @Override
        public Result<List<PermDAO.Data>> perms(AuthzTrans trans, Perms perms) {
-               List<PermDAO.Data> lpd = new ArrayList<PermDAO.Data>();
+               List<PermDAO.Data> lpd = new ArrayList<>();
                for (Perm p : perms.getPerm()) {
                        Result<NsSplit> nss = q.deriveNsSplit(trans, p.getType());
                        PermDAO.Data pd = new PermDAO.Data();
@@ -522,7 +522,6 @@ public class Mapper_2_0 implements Mapper<Nss, Perms, Pkey, Roles, Users, UserRo
                        if(ok.length()>0) {
                                return Result.err(Status.ERR_BadData,ok);
                        }
-
                } else {
                        to.type=0;
                }
@@ -791,7 +790,7 @@ public class Mapper_2_0 implements Mapper<Nss, Perms, Pkey, Roles, Users, UserRo
        
        @Override
        public Result<List<ApprovalDAO.Data>> approvals(Approvals apprs) {
-               List<ApprovalDAO.Data>  lappr = new ArrayList<ApprovalDAO.Data>();
+               List<ApprovalDAO.Data>  lappr = new ArrayList<>();
                for(Approval a : apprs.getApprovals()) {
                        ApprovalDAO.Data ad = new ApprovalDAO.Data();
                        String str = a.getId();
index a6bbbb0..61b5338 100644 (file)
@@ -154,7 +154,8 @@ public class ServiceValidator extends Validator {
                        }
                        
                        if(org.supportsRealm(cd.id)) {
-                               if(isNew && (str=org.isValidID(trans, str)).length()>0) {
+                               String resp = org.isValidID(trans, str);
+                               if(isNew && (resp!=null && resp.length()>0)) {
                                        msg(cd.id,str);
                                }
                        }
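Review bot: The validator's answer is now stored in `resp`, but the message call still passes `str`, which is no longer overwritten with the result of `org.isValidID`. Before the change `msg(cd.id,str)` reported the text returned by `isValidID`; now it reports whatever `str` held before this block (assigned outside the hunk), so the reason for rejecting the ID is probably lost. Use `msg(cd.id,resp);`, and the inner parentheses can go: `if(isNew && resp!=null && resp.length()>0) {`. `isValidID` is also now called when `isNew` is false, where the old condition short-circuited; if it does a lookup, keep the call behind the `isNew` test.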
index f304fcc..872161a 100644 (file)
@@ -91,7 +91,7 @@ public class JU_ServiceValidator {
                to.ns = "namespace";
                to.name = "name";
                to.description = "description";
-               Set<String> permissions = new HashSet<String>();
+               Set<String> permissions = new HashSet<>();
                permissions.add("perm1");
                to.perms = permissions;
 
index 609c26e..d744d69 100644 (file)
@@ -1,4 +1,4 @@
-FROM rmannfv/aaf-base:openjdk8
+FROM rmannfv/aaf-base:xenial
 MAINTAINER AAF Team, AT&T 2018
 ENV VERSION=${AAF_VERSION}
 
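Review bot: The new base image is referenced by a mutable tag in a non-official registry namespace, so the content behind `rmannfv/aaf-base:xenial` can change without any change to this file. Pinning by digest makes the build reproducible and lets a changed base be reviewed, e.g. `FROM rmannfv/aaf-base:xenial@sha256:<digest-of-reviewed-image>` (placeholder; the digest is not shown on this page). The tag name also no longer says which JDK the image carries, so a comment naming the expected Java version would help.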
index 0062451..e56d459 100644 (file)
@@ -2,7 +2,9 @@
 ORG=onap
 PROJECT=aaf
 DOCKER_REPOSITORY=nexus3.onap.org:10003
-VERSION=2.1.0-SNAPSHOT
+OLD_VERSION=2.1.0-SNAPSHOT
+NEW_VERSION=2.1.1
+VERSION=2.1.1-SNAPSHOT
 CONF_ROOT_DIR=/opt/app/osaaf
 
 # Local Env info
index ed99ec9..ce29917 100755 (executable)
@@ -17,6 +17,8 @@ for AAF_COMPONENT in ${AAF_COMPONENTS}; do
         sed -e 's/${AAF_VERSION}/'${VERSION}'/g' -e 's/${AAF_COMPONENT}/'${AAF_COMPONENT}'/g' Dockerfile > ../aaf_${VERSION}/Dockerfile
         cd ..
         docker build -t ${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/aaf_${AAF_COMPONENT}:${VERSION}  aaf_${VERSION}
+               docker tag ${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/aaf_${AAF_COMPONENT}:${VERSION} ${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/aaf_${AAF_COMPONENT}:${OLD_VERSION}
+               docker tag ${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/aaf_${AAF_COMPONENT}:${VERSION} ${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/aaf_${AAF_COMPONENT}:${NEW_VERSION}
         rm aaf_${VERSION}/Dockerfile
         cd -
 done
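Review bot: The two added `docker tag` lines run whether or not the preceding `docker build` succeeded, so after a failed build they can re-tag an older local image of the same name, and the push script's hunk then publishes it under three tags. Chain them on success, e.g. `docker build ... && docker tag ...`, or exit on failure if the script does not already use `set -e` (the top of the script is outside the hunk). Re-publishing new content under `${OLD_VERSION}` also changes what consumers of that tag pull; a comment stating why the old tag is kept would show that it is intentional. The added lines are tab-indented where the surrounding lines use spaces, and the expansions are unquoted.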
index 3c1a28f..7812979 100644 (file)
@@ -11,6 +11,8 @@ else
 fi
 
 for AAF_COMPONENT in ${AAF_COMPONENTS}; do
-        docker push ${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/aaf_${AAF_COMPONENT}:${VERSION}
+        docker push ${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/aaf_${AAF_COMPONENT}:${OLD_VERSION}
+               docker push ${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/aaf_${AAF_COMPONENT}:${VERSION}
+               docker push ${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/aaf_${AAF_COMPONENT}:${NEW_VERSION}
 
 done
index c3726b5..193565d 100644 (file)
@@ -26,7 +26,7 @@
        <parent>
         <groupId>org.onap.aaf.authz</groupId>
         <artifactId>parent</artifactId>
-        <version>2.1.0-SNAPSHOT</version>
+        <version>2.1.2-SNAPSHOT</version>
     </parent>
        <artifactId>authparent</artifactId>
        <name>AAF Auth Parent</name>
@@ -35,9 +35,9 @@
        
        <properties>
                <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-               <project.interfaceVersion>2.1.0-SNAPSHOT</project.interfaceVersion>
+               <project.interfaceVersion>2.1.1-SNAPSHOT</project.interfaceVersion>
                <!-- >project.jettyVersion>9.3.22.v20171030</project.jettyVersion -->
-               <project.jettyVersion>9.4.8.v20171121</project.jettyVersion>
+               <project.jettyVersion>9.4.11.v20180605</project.jettyVersion>
                <powermock.version>1.5.1</powermock.version>
                <project.ext_root_dir>/opt/app/osaaf</project.ext_root_dir>
                <!--  SONAR  -->
                                <artifactId>aaf-auth-client</artifactId>
                                <version>${project.version}</version>
                        </dependency>
-
+                       
                        <dependency>
                                <groupId>org.onap.aaf.authz</groupId>
                                <artifactId>aaf-auth-core</artifactId>
index 1e1ce69..ac1dece 100644 (file)
Binary files a/auth/sample/local/org.osaaf.aaf.p12 and b/auth/sample/local/org.osaaf.aaf.p12 differ
index 9c57e3c..aa3899a 100644 (file)
@@ -24,7 +24,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>cadiparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>..</relativePath>
        </parent>
 
index e586d99..3b78394 100644 (file)
@@ -39,7 +39,7 @@ public class AAFPermission implements Permission {
        private List<String> roles;
        
        static {
-               NO_ROLES = new ArrayList<String>();
+               NO_ROLES = new ArrayList<>();
        }
 
        protected AAFPermission() {roles=NO_ROLES;}
index 243b3a6..35bcc5a 100644 (file)
@@ -64,14 +64,12 @@ public class TestConnectivity {
                        PropAccess access = new PropAccess(args);
                        String aaflocate;
                        if(args.length>1) {
-                               aaflocate = "https://" + args[1] + "/locate";
+                               aaflocate = "https://" + args[1];
                                access.setProperty(Config.AAF_LOCATE_URL, "https://" + args[1]);
                        } else {
                                aaflocate = access.getProperty(Config.AAF_LOCATE_URL);
                                if(aaflocate==null) {
                                        print(true,"Properties must contain ",Config.AAF_LOCATE_URL);
-                               } else if (!aaflocate.endsWith("/locate")) {
-                                       aaflocate += "/locate";
                                }
                        }
                        
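Review bot: With the `endsWith("/locate")` normalisation removed, a configured `Config.AAF_LOCATE_URL` value that already ends in `/locate` now yields `/locate/locate/...` once the next hunk appends `"/locate/AAF_NS..."`. Either keep tolerating the suffix, e.g. `if(aaflocate.endsWith("/locate")) aaflocate = aaflocate.substring(0, aaflocate.length()-7);`, or state in the usage text that the property must be the bare host URL. The `aaflocate==null` branch only prints; whether execution stops before the URIs are built is decided outside the hunk.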
@@ -81,16 +79,15 @@ public class TestConnectivity {
                                List<SecuritySetter<HttpURLConnection>> lss = loadSetters(access,si);
                                /////////
                                print(true,"Test Connections driven by AAFLocator");
-                               URI serviceURI = new URI(aaflocate+"/AAF_NS.service/2.0");
+                               URI serviceURI = new URI(aaflocate+"/locate/AAF_NS.service:2.0");
 
                                for(URI uri : new URI[] {
                                                serviceURI,
-                                               new URI(aaflocate+"/AAF_NS.service:2.0"),
-                                               new URI(aaflocate+"/AAF_NS.service"),
-                                               new URI(aaflocate+"/AAF_NS.gw:2.0"),
-                                               new URI(aaflocate+"/AAF_NS.token:2.0"),
-                                               new URI(aaflocate+"/AAF_NS.certman:2.0"),
-                                               new URI(aaflocate+"/AAF_NS.hello")
+                                               new URI(aaflocate+"/locate/AAF_NS.service:2.0"),
+                                               new URI(aaflocate+"/locate/AAF_NS.locate:2.0"),
+                                               new URI(aaflocate+"/locate/AAF_NS.token:2.0"),
+                                               new URI(aaflocate+"/locate/AAF_NS.certman:2.0"),
+                                               new URI(aaflocate+"/locate/AAF_NS.hello")
                                }) {
                                        Locator<URI> locator = new AAFLocator(si, uri);
                                        try {
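Review bot: The array now lists the same target twice: `serviceURI` is `aaflocate+"/locate/AAF_NS.service:2.0"` and the next entry builds the identical string, so one connection test is a repeat. Before the change the first entry exercised the `/2.0` path form and a later one the version-less `AAF_NS.service`. If those forms are no longer supported, drop the duplicate entry; otherwise keep one of them so the locator's parsing of that form stays covered. The loop body continues outside the hunk.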
@@ -102,8 +99,8 @@ public class TestConnectivity {
                                }
 
                                /////////
-                               print(true,"Test Service driven by AAFLocator");
-                               Locator<URI> locator = new AAFLocator(si,new URI(aaflocate+"/AAF_NS.service:2.0"));
+                               print(true,"Test Service for Perms driven by AAFLocator");
+                               Locator<URI> locator = new AAFLocator(si,serviceURI);
                                for(SecuritySetter<HttpURLConnection> ss : lss) {
                                        permTest(locator,ss);
                                }
@@ -120,7 +117,7 @@ public class TestConnectivity {
                                print(true,"Test essential BasicAuth Service call, driven by AAFLocator");
                                for(SecuritySetter<HttpURLConnection> ss : lss) {
                                        if(ss instanceof HBasicAuthSS) {
-                                               basicAuthTest(new AAFLocator(si, new URI(aaflocate+"/AAF_NS.service:2.0")),ss);
+                                               basicAuthTest(new AAFLocator(si, serviceURI),ss);
                                        }
                                }
                                
@@ -136,7 +133,7 @@ public class TestConnectivity {
                print(true,"Load Security Setters from Configuration Information");
                String user = access.getProperty(Config.AAF_APPID);
 
-               ArrayList<SecuritySetter<HttpURLConnection>> lss = new ArrayList<SecuritySetter<HttpURLConnection>>();
+               ArrayList<SecuritySetter<HttpURLConnection>> lss = new ArrayList<>();
                
 
                try {
index e336042..abd1c40 100644 (file)
@@ -93,7 +93,7 @@ public class AAFListedCertIdentity implements CertIdentity {
                byte[] fingerprint = X509Taf.getFingerPrint(certBytes);
                String id = certs.get(new ByteArrayHolder(fingerprint));
                if(id!=null) { // Caller is Validated
-                       return new X509Principal(id,cert,certBytes);
+                       return new X509Principal(id,cert,certBytes,null);
                }
                return null;
        }
@@ -118,9 +118,9 @@ public class AAFListedCertIdentity implements CertIdentity {
                @Override
                public void run() {
                        try {
-                               TreeMap<ByteArrayHolder, String> newCertsMap = new TreeMap<ByteArrayHolder,String>();
-                               Map<String,Set<String>> newTrustMap = new TreeMap<String,Set<String>>();
-                               Set<String> userLookup = new HashSet<String>();
+                               TreeMap<ByteArrayHolder, String> newCertsMap = new TreeMap<>();
+                               Map<String,Set<String>> newTrustMap = new TreeMap<>();
+                               Set<String> userLookup = new HashSet<>();
                                for(String s : certIDs) {
                                        userLookup.add(s);
                                }
@@ -132,7 +132,7 @@ public class AAFListedCertIdentity implements CertIdentity {
                                                        aafcon.access.log(Level.WARN, "AAF Lookup-No IDs in Role com.att.aaf.trustForID <> "+authMech);
                                                } else {
                                                        aafcon.access.log(Level.INFO,"Loading Trust Authentication Info for",authMech);
-                                                       Set<String> hsUser = new HashSet<String>();
+                                                       Set<String> hsUser = new HashSet<>();
                                                        for(User u : users) {
                                                                userLookup.add(u.getId());
                                                                hsUser.add(u.getId());
index 47950cd..b076379 100644 (file)
@@ -62,14 +62,13 @@ public abstract class AAFCon<CLIENT> implements Connector {
        // Package access
        final public int timeout, cleanInterval, connTimeout;
        final public int highCount, userExpires, usageRefreshTriggerCount;
-       private Map<String,Rcli<CLIENT>> clients = new ConcurrentHashMap<String,Rcli<CLIENT>>();
+       private Map<String,Rcli<CLIENT>> clients = new ConcurrentHashMap<>();
        final public RosettaDF<Perms> permsDF;
        final public RosettaDF<Certs> certsDF;
        final public RosettaDF<Users> usersDF;
        final public RosettaDF<Error> errDF;
        private String realm;
        public final String app;
-       protected SecuritySetter<CLIENT> ss;
        protected SecurityInfoC<CLIENT> si;
 
        private AAFLurPerm lur;
@@ -77,7 +76,8 @@ public abstract class AAFCon<CLIENT> implements Connector {
        final public RosettaEnv env;
        protected abstract URI initURI();
        protected abstract void setInitURI(String uriString) throws CadiException;
-
+       protected abstract SecuritySetter<CLIENT>  bestSS(SecurityInfoC<CLIENT> si) throws CadiException;
+       
        /**
         * Use this call to get the appropriate client based on configuration (HTTP, future)
         * 
@@ -88,7 +88,7 @@ public abstract class AAFCon<CLIENT> implements Connector {
        public Rcli<CLIENT> client(String apiVersion) throws CadiException {
                Rcli<CLIENT> client = clients.get(apiVersion);
                if(client==null) {
-                       client = rclient(initURI(),ss);
+                       client = rclient(initURI(),si.defSS);
                        client.apiVersion(apiVersion)
                                  .readTimeout(connTimeout);
                        clients.put(apiVersion, client);
@@ -97,7 +97,7 @@ public abstract class AAFCon<CLIENT> implements Connector {
        }
 
        public Rcli<CLIENT> client(URI uri) throws CadiException {
-               return rclient(uri,ss).readTimeout(connTimeout);
+               return rclient(uri,si.defSS).readTimeout(connTimeout);
        }
        
        /**
@@ -128,7 +128,6 @@ public abstract class AAFCon<CLIENT> implements Connector {
                usersDF = copy.usersDF;
                errDF = copy.errDF;
                app = copy.app;
-               ss = copy.ss;
                si = copy.si;
                env = copy.env;
                realm = copy.realm;
@@ -138,6 +137,7 @@ public abstract class AAFCon<CLIENT> implements Connector {
                if(tag==null) {
                        throw new CadiException("AAFCon cannot be constructed without a property tag or URL");
                } else {
+                       si.defSS = bestSS(si);
                        String str = access.getProperty(tag,null);
                        if(str==null) {
                                if(tag.contains("://")) { // assume a URL
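Review bot: `si.defSS = bestSS(si);` calls an abstract method from the base-class constructor, apparently before `this.access` and `this.si` are assigned (next hunk) and before any subclass field is initialised. The `AAFConHttp` implementation shown later only reads its parameter, but another subclass that touches its own state would see nulls; document that on the abstract declaration, e.g. `/** Called from the AAFCon constructor; must not use instance state. */`. The assignment also overwrites whatever `defSS` the caller had set on the shared `SecurityInfoC`. Since `bestSS` throws when neither `CADI_ALIAS` nor `AAF_APPID` is set, the `OAUTH_CLIENT_ID` fallback in the next hunk looks unreachable for configurations that provide only that property. The constructor starts and ends outside the hunk.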
@@ -151,8 +151,7 @@ public abstract class AAFCon<CLIENT> implements Connector {
                try {
                        this.access = access;
                        this.si = si;
-                       this.ss = si.defSS;
-                       if(ss.getID().equals(SecurityInfoC.DEF_ID)) { // it's the Preliminary SS, try to get a better one
+                       if(si.defSS.getID().equals(SecurityInfoC.DEF_ID)) { // it's the Preliminary SS, try to get a better one
                                String mechid = access.getProperty(Config.AAF_APPID, null);
                                if(mechid==null) {
                                        mechid=access.getProperty(Config.OAUTH_CLIENT_ID,null);
@@ -201,7 +200,7 @@ public abstract class AAFCon<CLIENT> implements Connector {
                        userExpires = Integer.parseInt(access.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF).trim());
                        usageRefreshTriggerCount = Integer.parseInt(access.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF).trim())-1; // zero based
        
-                       app=FQI.reverseDomain(ss.getID());
+                       app=FQI.reverseDomain(si.defSS.getID());
                        //TODO Get Realm from AAF
                        realm="people.osaaf.org";
        
@@ -291,7 +290,7 @@ public abstract class AAFCon<CLIENT> implements Connector {
        public abstract Rcli<CLIENT> rclient(Locator<URI> loc, SecuritySetter<CLIENT> ss) throws CadiException;
 
        public Rcli<CLIENT> client(Locator<URI> locator) throws CadiException {
-               return rclient(locator,ss);
+               return rclient(locator,si.defSS);
        }
        
        public abstract<RET> RET best(Retryable<RET> retryable) throws LocatorException, CadiException, APIException;
@@ -324,7 +323,7 @@ public abstract class AAFCon<CLIENT> implements Connector {
        }
 
        public SecuritySetter<CLIENT> set(final SecuritySetter<CLIENT> ss) {
-               this.ss = ss;
+               si.set(ss);
                for(Rcli<CLIENT> client : clients.values()) {
                        client.setSecuritySetter(ss);
                }
@@ -336,8 +335,8 @@ public abstract class AAFCon<CLIENT> implements Connector {
        }
 
        public String defID() {
-               if(ss!=null) {
-                       return ss.getID();
+               if(si!=null) {
+                       return si.defSS.getID();
                }
                return "unknown";
        }
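Review bot: `defID()` now guards `si` but dereferences `si.defSS`, so it throws a NullPointerException when the `SecurityInfoC` exists and its default setter is unset, where the old code returned "unknown". Check both: `if(si!=null && si.defSS!=null) {`.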
index 6d54e36..9fc38d9 100644 (file)
@@ -55,19 +55,24 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> {
                hman = new HMangr(access,Config.loadLocator(si, access.getProperty(Config.AAF_URL,null)));
        }
 
-       public static SecuritySetter<HttpURLConnection> bestSS(SecurityInfoC<HttpURLConnection> si) throws APIException, CadiException {
+       protected SecuritySetter<HttpURLConnection> bestSS(SecurityInfoC<HttpURLConnection> si) throws CadiException {
                Access access = si.access;
                String s;
                if((s = access.getProperty(Config.CADI_ALIAS, null))!=null) {
-                       return new HX509SS(s,si,true);
+                       try {
+                               return new HX509SS(s,si,true);
+                       } catch (APIException e) {
+                               throw new CadiException(e);
+                       }
                } else if((s = access.getProperty(Config.AAF_APPID, null))!=null){
                        try {
                                return new HBasicAuthSS(si,true);
                        } catch (IOException /*| GeneralSecurityException*/ e) {
                                throw new CadiException(e);
                        }
+               } else {
+                       throw new CadiException("No IDs (" + Config.CADI_ALIAS + " or " + Config.AAF_APPID + ") have been identified.");
                }
-               return null;
        }
 
        public AAFConHttp(Access access, String tag) throws APIException, CadiException, LocatorException {
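Review bot: `bestSS` now implements the abstract method added to `AAFCon` but carries no `@Override`, so a later signature drift in the base class would not be caught at this declaration; add `@Override` above `protected SecuritySetter<HttpURLConnection> bestSS(...)`. Changing it from `public static` to a `protected` instance method also removes an entry point that external callers may have used, which is worth a line in the release notes. A short Javadoc stating the precedence (`CADI_ALIAS` first, then `AAF_APPID`) and that the method throws `CadiException` when neither is configured would complete it.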
@@ -88,18 +93,21 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> {
                hman = new HMangr(access,locator);
        }
 
-       public AAFConHttp(Access access, Locator<URI> locator, SecurityInfoC<HttpURLConnection> si) throws CadiException, LocatorException {
+       public AAFConHttp(Access access, Locator<URI> locator, SecurityInfoC<HttpURLConnection> si) throws CadiException, LocatorException, APIException {
                super(access,Config.AAF_URL,si);
+               bestSS(si);
                hman = new HMangr(access,locator);
        }
 
-       public AAFConHttp(Access access, Locator<URI> locator, SecurityInfoC<HttpURLConnection> si, String tag) throws CadiException, LocatorException {
+       public AAFConHttp(Access access, Locator<URI> locator, SecurityInfoC<HttpURLConnection> si, String tag) throws CadiException, LocatorException, APIException {
                super(access,tag,si);
+               bestSS(si);
                hman = new HMangr(access, locator);
        }
        
        private AAFConHttp(AAFCon<HttpURLConnection> aafcon, String url) throws LocatorException {
                super(aafcon);
+               si=aafcon.si;
                hman = new HMangr(aafcon.access,Config.loadLocator(si, url));
        }
 
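Review bot: The added `bestSS(si);` calls in the two constructors discard the returned setter, and the `AAFCon` constructor has already assigned `si.defSS = bestSS(si)`, so each call only builds a second `HX509SS` or `HBasicAuthSS` and throws it away. Remove both calls; the `APIException` added to the two `throws` clauses is then unnecessary as well, since `bestSS` now declares only `CadiException`. In the private copy constructor `si=aafcon.si;` repeats what `super(aafcon)` already does (`si = copy.si` in the `AAFCon` hunk).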
@@ -191,7 +199,7 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> {
 
        @Override
        public <RET> RET best(Retryable<RET> retryable) throws LocatorException, CadiException, APIException {
-               return hman.best(ss, (Retryable<RET>)retryable);
+               return hman.best(si.defSS, (Retryable<RET>)retryable);
        }
 
        /* (non-Javadoc)
@@ -225,5 +233,5 @@ public class AAFConHttp extends AAFCon<HttpURLConnection> {
        protected void setInitURI(String uriString) throws CadiException {
                // Using Locator, not URLString, which is mostly for DME2
        }
-       
+
 }
index e7e3ef3..00a4056 100644 (file)
@@ -52,12 +52,6 @@ public class AAFLocator extends AbsAAFLocator<BasicTrans>  {
 
        public AAFLocator(SecurityInfoC<HttpURLConnection> si, URI locatorURI) throws LocatorException {
                super(si.access, nameFromLocatorURI(locatorURI), 10000L /* Wait at least 10 seconds between refreshes */);
-               SecuritySetter<HttpURLConnection> ss;
-               try {
-                       ss=AAFConHttp.bestSS(si);
-               } catch (APIException | CadiException e1) {
-                       throw new LocatorException(e1);
-               }
                synchronized(sr) {
                        if(env==null) {
                                env = new RosettaEnv(access.getProperties());
@@ -67,33 +61,42 @@ public class AAFLocator extends AbsAAFLocator<BasicTrans>  {
                int connectTimeout = Integer.parseInt(si.access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF));
                try {
                        String[] path = Split.split('/',locatorURI.getPath());
-                       if(path.length>2 && "locate".equals(path[1])) {
+                       String host = locatorURI.getHost();
+                       if(host==null) {
+                               host = locatorURI.getAuthority(); // this happens when no port
+                       }
+                       if("AAF_LOCATE_URL".equals(host)) {
+                               URI uri = new URI(
+                                               locatorURI.getScheme(),
+                                               locatorURI.getUserInfo(),
+                                               aaf_locator_uri.getHost(),
+                                               aaf_locator_uri.getPort(),
+                                               "/locate"+locatorURI.getPath(),
+                                               null,
+                                               null
+                                               );
+                               client = createClient(si.defSS, uri, connectTimeout);
+                       } else if(path.length>1 && "locate".equals(path[1])) {
                                StringBuilder sb = new StringBuilder();
                                for(int i=3;i<path.length;++i) {
                                        sb.append('/');
                                        sb.append(path[i]);
                                }
                                setPathInfo(sb.toString());
-                               String host = locatorURI.getHost();
-                               if(aaf_locator_host!=null && (host==null || "AAF_LOCATOR_URL".equals(host))) {
-                                       int slash = aaf_locator_host.lastIndexOf("//");
-                                       host = aaf_locator_host.substring(slash+2);
-                               }
                                URI uri = new URI(
                                                        locatorURI.getScheme(),
                                                        locatorURI.getUserInfo(),
-                                                       host,
+                                                       locatorURI.getHost(),
                                                        locatorURI.getPort(),
-                                                       "/locate/"+name + '/' + version,
+                                                       "/locate/"+name + ':' + version,
                                                        null,
                                                        null
                                                        );
-                               client = createClient(ss, uri, connectTimeout);
+                               client = createClient(si.defSS, uri, connectTimeout);
                        } else {
-                               client = new HClient(ss, locatorURI, connectTimeout);
+                               client = new HClient(si.defSS, locatorURI, connectTimeout);
                        }
                        epsDF = env.newDataFactory(Endpoints.class);
-                       refresh();
                } catch (APIException | URISyntaxException e) {
                        throw new LocatorException(e);
                }
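Review bot: The new `"AAF_LOCATE_URL".equals(host)` branch dereferences `aaf_locator_uri` without a null check, and `AbsAAFLocator` sets that field to `null` when `Config.AAF_LOCATE_URL` is not configured. A placeholder URI with no locator property therefore ends in a NullPointerException, which the `catch (APIException | URISyntaxException e)` below does not convert to a `LocatorException`. The removed code guarded the substitution with `aaf_locator_host!=null`. A guard at the top of the branch keeps the failure in the declared exception type: `if(aaf_locator_uri==null) { throw new LocatorException(Config.AAF_LOCATE_URL + " is not set"); }`. The enclosing constructor starts in the previous hunk.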
@@ -106,7 +109,7 @@ public class AAFLocator extends AbsAAFLocator<BasicTrans>  {
                        client.send();
                        Future<Endpoints> fr = client.futureRead(epsDF, TYPE.JSON);
                        if(fr.get(client.timeout())) {
-                               List<EP> epl = new LinkedList<EP>();
+                               List<EP> epl = new LinkedList<>();
                                for(Endpoint endpoint : fr.value.getEndpoint()) {
                                        epl.add(new EP(endpoint,latitude,longitude));
                                }
index fc29760..f090906 100644 (file)
@@ -58,14 +58,24 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI>
        protected String myhostname;
        protected int myport;
        protected final String aaf_locator_host;
+       protected final URI aaf_locator_uri;
        private long earliest;
        private final long refreshWait;
 
 
        public AbsAAFLocator(Access access, String name, final long refreshMin) throws LocatorException {
                aaf_locator_host = access.getProperty(Config.AAF_LOCATE_URL, null);
+               if(aaf_locator_host==null) {
+                       aaf_locator_uri = null;
+               } else {
+                       try {
+                               aaf_locator_uri = new URI(aaf_locator_host);
+                       } catch (URISyntaxException e) {
+                               throw new LocatorException(e);
+                       }
+               }
 
-               epList = new LinkedList<EP>();
+               epList = new LinkedList<>();
                refreshWait = refreshMin;
 
                this.access = access;
@@ -251,7 +261,7 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI>
                if(!hasItems()) {
                        throw new LocatorException("No Entries found" + (pathInfo==null?"":(" for " + pathInfo)));
                }
-               List<EP> lep = new ArrayList<EP>();
+               List<EP> lep = new ArrayList<>();
                EP first = null;
                // Note: Deque is sorted on the way by closest distance
                Iterator<EP> iter = getIterator();
index 083537a..9feeee3 100644 (file)
@@ -132,7 +132,7 @@ public abstract class AbsAAFLur<PERM extends Permission> extends AbsUserCache<PE
                                        } else {
                                                sb.append("\n\tUser does not contain ");
                                                sb.append(pond.getKey());
-                                               List<Permission> perms = new ArrayList<Permission>();
+                                               List<Permission> perms = new ArrayList<>();
                                                user.copyPermsTo(perms);
                                                for(Permission p : perms) {
                                                        sb.append("\n\t\t");
  *
  */
 
-package org.onap.aaf.cadi.cm;
+package org.onap.aaf.cadi.configure;
 
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
+import java.io.PrintStream;
+import java.net.ConnectException;
+import java.net.HttpURLConnection;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
+import java.nio.file.Files;
 import java.security.KeyStore;
 import java.security.cert.X509Certificate;
 import java.util.ArrayDeque;
+import java.util.Date;
 import java.util.Deque;
 import java.util.GregorianCalendar;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Properties;
 
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CmdLine;
+import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.Symm;
 import org.onap.aaf.cadi.aaf.client.ErrMessage;
 import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
 import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
 import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Retryable;
 import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.config.SecurityInfoC;
 import org.onap.aaf.cadi.http.HBasicAuthSS;
+import org.onap.aaf.cadi.locator.SingleEndpointLocator;
 import org.onap.aaf.cadi.sso.AAFSSO;
 import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data.TYPE;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.env.Trans;
-import org.onap.aaf.misc.env.Data.TYPE;
 import org.onap.aaf.misc.env.util.Chrono;
 import org.onap.aaf.misc.env.util.Split;
 import org.onap.aaf.misc.rosetta.env.RosettaDF;
 import org.onap.aaf.misc.rosetta.env.RosettaEnv;
 
-import java.util.Properties;
-
+import aaf.v2_0.Perm;
+import aaf.v2_0.Perms;
 import certman.v1_0.Artifacts;
 import certman.v1_0.Artifacts.Artifact;
 import certman.v1_0.CertInfo;
 import certman.v1_0.CertificateRequest;
+import locate.v1_1.Configuration;
+import locate.v1_1.Configuration.Props;
 
-public class CmAgent {
+public class Agent {
+       private static final String HASHES = "################################################################";
        private static final String PRINT = "print";
        private static final String FILE = "file";
        private static final String PKCS12 = "pkcs12";
@@ -76,41 +93,78 @@ public class CmAgent {
        private static RosettaDF<CertificateRequest> reqDF;
        private static RosettaDF<CertInfo> certDF;
        private static RosettaDF<Artifacts> artifactsDF;
+       private static RosettaDF<Configuration> configDF;
+       private static RosettaDF<Perms> permDF;
        private static ErrMessage errMsg;
        private static Map<String,PlaceArtifact> placeArtifact;
        private static RosettaEnv env;
+       
+       private static boolean doExit;
 
        public static void main(String[] args) {
                int exitCode = 0;
+               doExit = true;
                try {
-                       AAFSSO aafsso = new AAFSSO(args);
-                       if(aafsso.loginOnly()) {
+                       AAFSSO aafsso=null;
+                       PropAccess access;
+                       
+                       if(args.length>0 && args[0].equals("validate")) {
+                               int idx = args[1].indexOf('=');
+                               aafsso = null;
+                               access = new PropAccess(
+                                                       (idx<0?Config.CADI_PROP_FILES:args[1].substring(0, idx))+
+                                                       '='+
+                                                   (idx<0?args[1]:args[1].substring(idx+1)));
+                       } else {
+                               aafsso= new AAFSSO(args, new AAFSSO.ProcessArgs() {
+                                       @Override
+                                       public Properties process(String[] args, Properties props) {
+                                               if(args.length>1) {
+                                                       if (!args[0].equals("genkeypair")) {
+                                                               props.put("aaf_id", args[1]);
+                                                       }       
+                                               }
+                                               return props;
+                                       }
+                               });
+                               access = aafsso.access();
+                       }
+                               
+                       if(aafsso!=null && aafsso.loginOnly()) {
                                aafsso.setLogDefault();
                                aafsso.writeFiles();
                                System.out.println("AAF SSO information created in ~/.aaf");
                        } else {
-                               PropAccess access = aafsso.access();
                                env = new RosettaEnv(access.getProperties());
                                Deque<String> cmds = new ArrayDeque<String>();
                                for(String p : args) {
-                                       if(p.indexOf('=')<0) {
+                                       if("-noexit".equalsIgnoreCase(p)) {
+                                               doExit = false;
+                                       } else if(p.indexOf('=') < 0) {
                                                cmds.add(p);
                                        }
                                }
                                
                                if(cmds.size()==0) {
-                                       aafsso.setLogDefault();
+                                       if(aafsso!=null) {
+                                               aafsso.setLogDefault();
+                                       }
+                                       // NOTE: CHANGE IN CMDS should be reflected in AAFSSO constructor, to get FQI->aaf-id or not
                                        System.out.println("Usage: java -jar <cadi-aaf-*-full.jar> cmd [<tag=value>]*");
-                                       System.out.println("   create   <mechID> [<machine>]");
-                                       System.out.println("   read     <mechID> [<machine>]");
-                                       System.out.println("   update   <mechID> [<machine>]");
-                                       System.out.println("   delete   <mechID> [<machine>]");
-                                       System.out.println("   copy     <mechID> <machine> <newmachine>[,<newmachine>]*");
-                                       System.out.println("   place    <mechID> [<machine>]");
-                                       System.out.println("   showpass <mechID> [<machine>]");
-                                       System.out.println("   check    <mechID> [<machine>]");
+                                       System.out.println("   create   <FQI> [<machine>]");
+                                       System.out.println("   read     <FQI> [<machine>]");
+                                       System.out.println("   update   <FQI> [<machine>]");
+                                       System.out.println("   delete   <FQI> [<machine>]");
+                                       System.out.println("   copy     <FQI> <machine> <newmachine>[,<newmachine>]*");
+                                       System.out.println("   place    <FQI> [<machine>]");
+                                       System.out.println("   showpass <FQI> [<machine>]");
+                                       System.out.println("   check    <FQI> [<machine>]");
+                                       System.out.println("   config   <FQI>");
+                                       System.out.println("   validate <FQI>.props>");
                                        System.out.println("   genkeypair");
-                                       System.exit(1);
+                                       if (doExit) {
+                                               System.exit(1);
+                                       }
                                }
                                
                                TIMEOUT = Integer.parseInt(env.getProperty(Config.AAF_CONN_TIMEOUT, "5000"));
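Review bot: The `validate` branch reads `args[1]` after checking only `args.length>0`, so `validate` without a file argument throws ArrayIndexOutOfBoundsException. The outer `catch (Exception e)` then prints a stack trace instead of the usage text. Checking the length first avoids that, e.g. `if(args.length>1 && "validate".equals(args[0])) {`, with the one-argument case reporting the missing properties file. The usage line `validate <FQI>.props>` also has an unbalanced `>`. `main` continues beyond this hunk.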
@@ -118,9 +172,11 @@ public class CmAgent {
                                reqDF = env.newDataFactory(CertificateRequest.class);
                                artifactsDF = env.newDataFactory(Artifacts.class);
                                certDF = env.newDataFactory(CertInfo.class);
+                               configDF = env.newDataFactory(Configuration.class);
+                               permDF = env.newDataFactory(Perms.class);
                                errMsg = new ErrMessage(env);
        
-                               placeArtifact = new HashMap<String,PlaceArtifact>();
+                               placeArtifact = new HashMap<>();
                                placeArtifact.put(JKS, new PlaceArtifactInKeystore(JKS));
                                placeArtifact.put(PKCS12, new PlaceArtifactInKeystore(PKCS12));
                                placeArtifact.put(FILE, new PlaceArtifactInFiles());
@@ -133,43 +189,60 @@ public class CmAgent {
                                        trans.setProperty("oauth_token", token);
                                }
                                try {
+                                       if(aafsso!=null) {
                                        // show Std out again
-                                       aafsso.setLogDefault();
-                                       aafsso.setStdErrDefault();
-                                       
-                                       // if CM_URL can be obtained, add to sso.props, if written
-                                       String cm_url = getProperty(access,env,false, Config.CM_URL,Config.CM_URL+": ");
-                                       if(cm_url!=null) {
-                                               aafsso.addProp(Config.CM_URL, cm_url);
+                                               aafsso.setLogDefault();
+                                               aafsso.setStdErrDefault();
+                                               
+                                               // if CM_URL can be obtained, add to sso.props, if written
+                                               String cm_url = getProperty(access,env,false, Config.CM_URL,Config.CM_URL+": ");
+                                               if(cm_url!=null) {
+                                                       aafsso.addProp(Config.CM_URL, cm_url);
+                                               }
+                                               aafsso.writeFiles();
                                        }
-                                       aafsso.writeFiles();
 
                                        AAFCon<?> aafcon = new AAFConHttp(access,Config.CM_URL);
 
                                        String cmd = cmds.removeFirst();
-                                       if("place".equals(cmd)) {
-                                               placeCerts(trans,aafcon,cmds);
-                                       } else if("create".equals(cmd)) {
-                                               createArtifact(trans, aafcon,cmds);
-                                       } else if("read".equals(cmd)) {
-                                               readArtifact(trans, aafcon, cmds);
-                                       } else if("copy".equals(cmd)) {
-                                               copyArtifact(trans, aafcon, cmds);
-                                       } else if("update".equals(cmd)) {
-                                               updateArtifact(trans, aafcon, cmds);
-                                       } else if("delete".equals(cmd)) {
-                                               deleteArtifact(trans, aafcon, cmds);
-                                       } else if("showpass".equals(cmd)) {
-                                               showPass(trans,aafcon,cmds);
-                                       } else if("check".equals(cmd)) {
-                                               try {
-                                                       exitCode = check(trans,aafcon,cmds);
-                                               } catch (Exception e) {
-                                                       exitCode = 1;
-                                                       throw e;
-                                               }
-                                       } else {
-                                               AAFSSO.cons.printf("Unknown command \"%s\"\n", cmd);
+                                       switch(cmd) {
+                                               case "place":
+                                                       placeCerts(trans,aafcon,cmds);
+                                                       break;
+                                               case "create":
+                                                       createArtifact(trans, aafcon,cmds);
+                                                       break;
+                                               case "read":
+                                                       readArtifact(trans, aafcon, cmds);
+                                                       break;
+                                               case "copy":
+                                                       copyArtifact(trans, aafcon, cmds);
+                                                       break;
+                                               case "update":
+                                                       updateArtifact(trans, aafcon, cmds);
+                                                       break;
+                                               case "delete":
+                                                       deleteArtifact(trans, aafcon, cmds);
+                                                       break;
+                                               case "showpass":
+                                                       showPass(trans, aafcon, cmds);
+                                                       break;
+                                               case "config":
+                                                       initConfig(trans,access,aafcon,cmds);
+                                                       break;
+                                               case "validate":
+                                                       validate(access);
+                                                       break;
+                                               case "check":
+                                                       try {
+                                                               exitCode = check(trans,aafcon,cmds);
+                                                       } catch (Exception e) {
+                                                               exitCode = 1;
+                                                               throw e;
+                                                       }
+                                                       break;
+                                               default:
+                                                       AAFSSO.cons.printf("Unknown command \"%s\"\n", cmd);
                                        }
                                } finally {
                                        StringBuilder sb = new StringBuilder();
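Review bot: `cmds.removeFirst()` is now reachable with an empty deque. When `-noexit` is passed and no command is given, the usage branch in the previous hunk no longer exits, so execution continues to this line and `removeFirst()` throws NoSuchElementException. Leaving `main` after the usage text would stop that, e.g. `if (doExit) { System.exit(1); } else { return; }` in the usage branch. Separately, the `validate` case uses only `access` but runs after `new AAFConHttp(access,Config.CM_URL)`, so validating a properties file appears to require a constructible CM connection; a comment should say whether that is intended. The `try` block and `main` extend outside this hunk.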
@@ -178,12 +251,14 @@ public class CmAgent {
                                trans.info().log("Trans Info\n",sb);
                        }
                                }
-                               aafsso.close();
+                               if(aafsso!=null) {
+                                       aafsso.close();
+                               }
                        }
                } catch (Exception e) {
                        e.printStackTrace();
                }
-               if(exitCode!=0) {
+               if(exitCode != 0 && doExit) {
                        System.exit(exitCode);
                }
        }
@@ -210,7 +285,7 @@ public class CmAgent {
                return value;
        }
 
-       private static String mechID(Deque<String> cmds) {
+       private static String fqi(Deque<String> cmds) {
                if(cmds.size()<1) {
                        String alias = env.getProperty(Config.CADI_ALIAS);
                        return alias!=null?alias:AAFSSO.cons.readLine("MechID: ");
@@ -238,7 +313,7 @@ public class CmAgent {
        }
 
        private static void createArtifact(Trans trans, AAFCon<?> aafcon, Deque<String> cmds) throws Exception {
-               String mechID = mechID(cmds);
+               String mechID = fqi(cmds);
                String machine = machine(cmds);
 
                Artifacts artifacts = new Artifacts();
@@ -292,7 +367,7 @@ public class CmAgent {
        
 
        private static void readArtifact(Trans trans, AAFCon<?> aafcon, Deque<String> cmds) throws Exception {
-               String mechID = mechID(cmds);
+               String mechID = fqi(cmds);
                String machine = machine(cmds);
 
                TimeTaken tt = trans.start("Read Artifact", Env.SUB);
@@ -334,7 +409,7 @@ public class CmAgent {
        }
        
        private static void copyArtifact(Trans trans, AAFCon<?> aafcon, Deque<String> cmds) throws Exception {
-               String mechID = mechID(cmds);
+               String mechID = fqi(cmds);
                String machine = machine(cmds);
                String[] newmachs = machines(cmds);
                if(machine==null || newmachs == null) {
@@ -374,7 +449,7 @@ public class CmAgent {
        }
 
        private static void updateArtifact(Trans trans, AAFCon<?> aafcon, Deque<String> cmds) throws Exception {
-               String mechID = mechID(cmds);
+               String mechID = fqi(cmds);
                String machine = machine(cmds);
 
                TimeTaken tt = trans.start("Update Artifact", Env.REMOTE);
@@ -438,7 +513,7 @@ public class CmAgent {
        }
        
        private static void deleteArtifact(Trans trans, AAFCon<?> aafcon, Deque<String> cmds) throws Exception {
-               String mechid = mechID(cmds);
+               String mechid = fqi(cmds);
                String machine = machine(cmds);
                
                TimeTaken tt = trans.start("Delete Artifact", Env.REMOTE);
@@ -461,7 +536,7 @@ public class CmAgent {
 
        private static boolean placeCerts(Trans trans, AAFCon<?> aafcon, Deque<String> cmds) throws Exception {
                boolean rv = false;
-               String mechID = mechID(cmds);
+               String mechID = fqi(cmds);
                String machine = machine(cmds);
                String[] fqdns = Split.split(':', machine);
                String key;
@@ -490,8 +565,7 @@ public class CmAgent {
                                                                cr.getFqdns().add(fqdns[i]);
                                                        }
                                                        Future<String> f = aafcon.client(CM_VER)
-                                                                       .setQueryParams("withTrust")
-                                                                       .updateRespondString("/cert/" + a.getCa(),reqDF, cr);
+                                                                       .updateRespondString("/cert/" + a.getCa()+"?withTrust",reqDF, cr);
                                                        if(f.get(TIMEOUT)) {
                                                                CertInfo capi = certDF.newData().in(TYPE.JSON).load(f.body()).asObject();
                                                                for(String type : a.getType()) {
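Review bot: `"/cert/" + a.getCa()+"?withTrust"` moves the query flag into the path argument, which only works if `updateRespondString` passes that string through to the request URI unescaped. If the client builds the URI from components, as the multi-argument `new URI(...)` calls elsewhere in this commit do, the `?` would be percent-encoded and the server would see a different path with no `withTrust` flag. The value of `a.getCa()` is likewise concatenated without encoding. Keeping `.setQueryParams("withTrust")`, or adding a comment that states why the path form is required, would make the intent checkable. The enclosing method starts and ends outside this hunk.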
@@ -524,7 +598,7 @@ public class CmAgent {
        }
 
        private static void showPass(Trans trans, AAFCon<?> aafcon, Deque<String> cmds) throws Exception {
-               String mechID = mechID(cmds);
+               String mechID = fqi(cmds);
                String machine = machine(cmds);
 
                TimeTaken tt = trans.start("Show Password", Env.REMOTE);
@@ -555,7 +629,7 @@ public class CmAgent {
                                                if(allowed) {
                                                        File dir = new File(a.getDir());
                                                        Properties props = new Properties();
-                                                       FileInputStream fis = new FileInputStream(new File(dir,a.getNs()+".props"));
+                                                       FileInputStream fis = new FileInputStream(new File(dir,a.getNs()+".cred.props"));
                                                        try {
                                                                props.load(fis);
                                                                fis.close();
@@ -592,6 +666,168 @@ public class CmAgent {
        }
        
 
+       private static void initConfig(Trans trans, PropAccess pa, AAFCon<?> aafcon, Deque<String> cmds) throws Exception {
+               final String fqi = fqi(cmds);
+               final String locator = getProperty(pa,aafcon.env,false,Config.AAF_LOCATE_URL,"AAF Locator URL: ");
+               final String rootFile = FQI.reverseDomain(fqi);
+               final File dir = new File(pa.getProperty(Config.CADI_ETCDIR, "."));
+               if(dir.exists()) {
+                       System.out.println("Writing to " + dir.getCanonicalFile());
+               } else if(dir.mkdirs()) {
+                       System.out.println("Created directory " + dir.getCanonicalFile());
+               } else {
+                       System.err.println("Unable to create or write to " + dir.getCanonicalPath());
+                       return;
+               }
+               
+               TimeTaken tt = trans.start("Get Configuration", Env.REMOTE);
+               try {
+                       boolean ok=false;
+                       File fProps = File.createTempFile(rootFile, ".tmp",dir);
+                       File fSecureTempProps = File.createTempFile(rootFile, ".cred.tmp",dir);
+                       File fSecureProps = new File(dir,rootFile+".cred.props");
+                       PrintStream psProps;
+
+                       File fLocProps = new File(dir,rootFile + ".location.props");
+                       if(!fLocProps.exists()) {
+                               psProps = new PrintStream(new FileOutputStream(fLocProps));
+                               try {
+                                       psProps.println(HASHES);
+                                       psProps.print("# Configuration File generated on ");
+                                       psProps.println(new Date().toString());
+                                       psProps.println(HASHES);
+                                       for(String tag : new String[] {Config.CADI_LATITUDE,Config.CADI_LONGITUDE}) {
+                                               psProps.print(tag);
+                                               psProps.print('=');
+                                               psProps.println(getProperty(pa, trans, false, tag, "%s: ",tag));
+                                       }
+                               } finally {
+                                       psProps.close();
+                               }
+                       }
+
+                       psProps = new PrintStream(new FileOutputStream(fProps));
+                       try {
+                               PrintStream psCredProps = new PrintStream(new FileOutputStream(fSecureTempProps));
+                               try {
+                                       psCredProps.println(HASHES);
+                                       psCredProps.print("# Configuration File generated on ");
+                                       psCredProps.println(new Date().toString());
+                                       psCredProps.println(HASHES);
+
+                                       psProps.println(HASHES);
+                                       psProps.print("# Configuration File generated on ");
+                                       psProps.println(new Date().toString());
+                                       psProps.println(HASHES);
+                                       
+                                       psProps.print(Config.CADI_PROP_FILES);
+                                       psProps.print('=');
+                                       psProps.print(fSecureProps.getCanonicalPath());
+                                       psProps.print(File.pathSeparatorChar);
+                                       psProps.println(fLocProps.getCanonicalPath());
+                                       
+                                       File fkf = new File(dir,rootFile+".keyfile");
+                                       if(!fkf.exists()) {
+                                               CmdLine.main(new String[] {"keygen",fkf.toString()});
+                                       }
+                                       psCredProps.print("cadi_keyfile=");
+                                       psCredProps.println(fkf.getCanonicalPath());
+                                       
+                                       psCredProps.print(Config.AAF_APPID);
+                                       psCredProps.print('=');
+                                       psCredProps.println(fqi);
+                                       
+                                       Symm filesymm = Symm.obtain(fkf);
+                                       psCredProps.print(Config.AAF_APPPASS);
+                                       psCredProps.print("=enc:");
+                                       String ps = pa.decrypt(pa.getProperty(Config.AAF_APPPASS), false);
+                                       ps = filesymm.enpass(ps);
+                                       psCredProps.println(ps);
+                                       
+                                       psCredProps.print(Config.CADI_TRUSTSTORE);
+                                       psCredProps.print("=");
+                                       File origTruststore = new File(pa.getProperty(Config.CADI_TRUSTSTORE));
+                                       File newTruststore = new File(dir,origTruststore.getName());
+                                       if(!newTruststore.exists()) {
+                                               Files.copy(origTruststore.toPath(), newTruststore.toPath());
+                                       }
+                                       psCredProps.println(newTruststore.getCanonicalPath());
+               
+                                       psCredProps.print(Config.CADI_TRUSTSTORE_PASSWORD);
+                                       psCredProps.print("=enc:");
+                                       ps = pa.decrypt(pa.getProperty(Config.CADI_TRUSTSTORE_PASSWORD), false);
+                                       ps = filesymm.enpass(ps);
+                                       psCredProps.println(ps);
+                                       
+                                       try {
+                                               Future<Configuration> acf = aafcon.client(new SingleEndpointLocator(locator))
+                                                               .read("/configure/"+fqi+"/aaf", configDF);
+                                               if(acf.get(TIMEOUT)) {
+               //                                      out.println(acf.value.getName());
+                                                       for(Props props : acf.value.getProps()) {
+                                                               psProps.println(props.getTag() + '=' + props.getValue());                                       
+                                                       }
+                                                       ok = true;
+                                               } else if(acf.code()==401){
+                                                       trans.error().log("Bad Password sent to AAF");
+                                               } else {
+                                                       trans.error().log(errMsg.toMsg(acf));
+                                               }
+                                       } finally {
+                                               psProps.close();
+                                       }
+                                       if(ok) {
+                                               File newFile = new File(dir,rootFile+".props");
+                                               fProps.renameTo(newFile);
+                                               System.out.println("Created " + newFile.getCanonicalPath());
+                                               fProps = newFile;
+                                               
+                                               fSecureTempProps.renameTo(fSecureProps);
+                                               System.out.println("Created " + fSecureProps.getCanonicalPath());
+                                               fProps = newFile;
+                                       } else {
+                                               fProps.delete();
+                                               fSecureTempProps.delete();
+                                       }
+                               } finally {
+                                       psCredProps.close();
+                               }
+                       } finally {
+                               psProps.close();
+                       }
+               } finally {
+                       tt.done();
+               }
+       }
+       
+       private static void validate(final PropAccess pa) throws LocatorException, CadiException, APIException {
+               System.out.println("Validating Configuration...");
+               final AAFCon<?> aafcon = new AAFConHttp(pa,Config.AAF_URL,new SecurityInfoC<HttpURLConnection>(pa));
+               aafcon.best(new Retryable<Void>() {
+                       @Override
+                       public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+                               Future<Perms> fc = client.read("/authz/perms/user/"+aafcon.defID(),permDF);
+                               if(fc.get(aafcon.timeout)) {
+                                       System.out.print("Success connecting to ");
+                                       System.out.println(client.getURI());
+                                       System.out.print("   Permissions for ");
+                                       System.out.println(aafcon.defID());
+                                       for(Perm p : fc.value.getPerm()) {
+                                               System.out.print('\t');
+                                               System.out.print(p.getType());
+                                               System.out.print('|');
+                                               System.out.print(p.getInstance());
+                                               System.out.print('|');
+                                               System.out.println(p.getAction());
+                                       }
+                               } else {
+                                       System.err.println("Error: " + fc.code() + ' ' + fc.body());
+                               }
+                               return null;
+                       }
+               });
+       }
+
        /**
         * Check returns Error Codes, so that Scripts can know what to do
         * 
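Review bot: In `initConfig` the credential properties are created with `File.createTempFile(rootFile, ".cred.tmp",dir)` and a plain `FileOutputStream`, so the file holding the `enc:` passwords gets the process's default permissions, and the keyfile that decrypts them sits in the same directory. Since `Files` is already used in this method, `File fSecureTempProps = Files.createTempFile(dir.toPath(), rootFile, ".cred.tmp").toFile();` would create it owner-only on POSIX systems; the permissions of the keyfile written by `CmdLine.main` are not visible here and should be checked too. Both `renameTo` results are ignored, so "Created ..." is printed even when the rename failed and the temp files stay behind; `if(!fSecureTempProps.renameTo(fSecureProps)) { trans.error().log("Unable to create " + fSecureProps); }` would report it. `new File(pa.getProperty(Config.CADI_TRUSTSTORE))` also throws a bare NullPointerException when that property is unset, so a null check with a clear message belongs before it.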
@@ -608,7 +844,7 @@ public class CmAgent {
         */
        private static int check(Trans trans, AAFCon<?> aafcon, Deque<String> cmds) throws Exception {
                int exitCode=1;
-               String mechID = mechID(cmds);
+               String mechID = fqi(cmds);
                String machine = machine(cmds);
                
                TimeTaken tt = trans.start("Check Certificate", Env.REMOTE);
@@ -19,7 +19,7 @@
  *
  */
 
-package org.onap.aaf.cadi.cm;
+package org.onap.aaf.cadi.configure;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -29,6 +29,7 @@ import java.io.PrintStream;
 import java.io.PrintWriter;
 import java.security.KeyStore;
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -47,11 +48,11 @@ public abstract class ArtifactDir implements PlaceArtifact {
 
        protected static final String C_R = "\n";
        protected File dir;
-       private List<String> encodeds = new ArrayList<String>();
+       private List<String> encodeds = new ArrayList<>();
        
        private Symm symm;
        // This checks for multiple passes of Dir on the same objects.  Run clear after done.
-       protected static Map<String,Object> processed = new HashMap<String,Object>();
+       protected static Map<String,Object> processed = new HashMap<>();
 
 
        /**
@@ -75,8 +76,8 @@ public abstract class ArtifactDir implements PlaceArtifact {
                                
                                // Also place cm_url and Host Name
                                addProperty(Config.CM_URL,trans.getProperty(Config.CM_URL));
-                               addProperty(Config.HOSTNAME,machine);
-                               addProperty(Config.AAF_ENV,certInfo.getEnv());
+//                             addProperty(Config.HOSTNAME,machine);
+//                             addProperty(Config.AAF_ENV,certInfo.getEnv());
                                // Obtain Issuers
                                boolean first = true;
                                StringBuilder issuers = new StringBuilder();
@@ -208,10 +209,11 @@ public abstract class ArtifactDir implements PlaceArtifact {
                }
                boolean first=processed.get("dir")==null;
                try {
-                       File f = new File(dir,arti.getNs()+".props");
+                       File f = new File(dir,arti.getNs()+".cred.props");
                        if(f.exists()) {
                                if(first) {
-                                       f.delete();
+                                       File backup = File.createTempFile(f.getName()+'.', ".backup",dir);
+                                       f.renameTo(backup);
                                } else {
                                        f.setWritable(true);
                                }
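Review bot: The result of `f.renameTo(backup)` is ignored, and `File.createTempFile` has already created `backup`. On platforms where renaming onto an existing file fails, the old `.cred.props` therefore stays in place without any signal and an empty `.backup` file is left behind. `Files.move(f.toPath(), backup.toPath(), StandardCopyOption.REPLACE_EXISTING);` throws on failure instead. Each run also keeps another copy of the previous credential properties in `dir`, and the same pattern is added for the keystore and truststore in PlaceArtifactInKeystore, where the backup retains the previous private key; nothing visible prunes these files or sets their permissions, so a retention rule should be documented or implemented. The enclosing method starts and ends outside this hunk.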
@@ -19,7 +19,7 @@
  *
  */
 
-package org.onap.aaf.cadi.cm;
+package org.onap.aaf.cadi.configure;
 
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
@@ -64,6 +64,7 @@ import javax.crypto.Cipher;
 import javax.crypto.NoSuchPaddingException;
 
 import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.client.Holder;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.env.Trans;
@@ -155,10 +156,10 @@ public class Factory {
        }
        
        public static PrivateKey toPrivateKey(Trans trans, String pk) throws IOException, CertException {
-               byte[] bytes = decode(new StringReader(pk));
+               byte[] bytes = decode(new StringReader(pk), null);
                return toPrivateKey(trans, bytes);
        }
-       
+
        public static PrivateKey toPrivateKey(Trans trans, byte[] bytes) throws IOException, CertException {
                TimeTaken tt=trans.start("Reconstitute Private Key", Env.SUB);
                try {
@@ -169,11 +170,12 @@ public class Factory {
                        tt.done();
                }
        }
-       
+
        public static PrivateKey toPrivateKey(Trans trans, File file) throws IOException, CertException {
                TimeTaken tt = trans.start("Decode Private Key File", Env.SUB);
                try {
-                       return toPrivateKey(trans,decode(file));
+                       Holder<String> firstLine = new Holder<String>(null);
+                       return toPrivateKey(trans,decode(file,firstLine));
                }finally {
                        tt.done();
                }
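Review bot: `firstLine` is handed to `decode(file,firstLine)` but never read afterwards, so the armor line that the new `strip` captures is thrown away. Either pass `null` as the `String` overload above does, or use the value, for example to reject a file whose first `-----` line is not a private-key header before the bytes reach `toPrivateKey(trans, bytes)`. `new Holder<String>(null)` can also use the diamond form this commit applies elsewhere.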
@@ -190,7 +192,7 @@ public class Factory {
                try {
                        ByteArrayInputStream bais = new ByteArrayInputStream(pk.getBytes());
                        ByteArrayOutputStream baos = new ByteArrayOutputStream();
-                       Symm.base64noSplit.decode(bais, baos);
+                       Symm.base64noSplit.decode(new StripperInputStream(bais), baos);
 
                        return keyFactory.generatePublic(new X509EncodedKeySpec(baos.toByteArray()));
                } catch (InvalidKeySpecException e) {
@@ -273,10 +275,25 @@ public class Factory {
        }
 
        public static byte[] strip(Reader rdr) throws IOException {
+               return strip(rdr,null);
+       }
+       
+       public static byte[] strip(Reader rdr, Holder<String> hs) throws IOException {
                BufferedReader br = new BufferedReader(rdr);
                ByteArrayOutputStream baos = new ByteArrayOutputStream();
                String line;
+               boolean notStarted = true;
                while((line=br.readLine())!=null) {
+                       if(notStarted) {
+                               if(line.startsWith("-----")) {
+                                       notStarted = false;
+                                       if(hs!=null) {
+                                               hs.set(line);
+                                       }
+                               } else {
+                                       continue;
+                               }
+                       }
                        if(line.length()>0 &&
                           !line.startsWith("-----") &&
                           line.indexOf(':')<0) {  // Header elements
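Review bot: With `notStarted`, every line before the first `-----` line is skipped, so input that has no armor line at all now produces an empty array instead of its Base64 content. `toPrivateKey(Trans, String)` reaches this code through `decode(new StringReader(pk), null)`; whether any caller passes unarmored key text is not visible here, but if one does the failure only surfaces later as a key-parsing error. The new overload should say so in Javadoc, e.g. `/** Strips PEM armor; text before the first "-----" line is ignored, and hs (when non-null) receives that line. */`. The body of `strip` continues past the end of this hunk.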
@@ -285,7 +302,7 @@ public class Factory {
                }
                return baos.toByteArray();
        }
-       
+
        public static class StripperInputStream extends InputStream {
                private Reader created;
                private BufferedReader br;
@@ -395,17 +412,18 @@ public class Factory {
                return baos.toByteArray();
        }
        
-       public static byte[] decode(File f) throws IOException {
+       public static byte[] decode(File f, Holder<String> hs) throws IOException {
                FileReader fr = new FileReader(f);
                try {
-                       return Factory.decode(fr);
+                       return Factory.decode(fr,hs);
                } finally {
                        fr.close();
                }
-
        }
-       public static byte[] decode(Reader rdr) throws IOException {
-               return decode(strip(rdr));
+
+
+       public static byte[] decode(Reader rdr,Holder<String> hs) throws IOException {
+               return decode(strip(rdr,hs));
        }
 
 
@@ -19,7 +19,7 @@
  *
  */
 
-package org.onap.aaf.cadi.cm;
+package org.onap.aaf.cadi.configure;
 
 import java.io.File;
 
@@ -36,6 +36,7 @@ public class PlaceArtifactInFiles extends ArtifactDir {
                try {
                        // Setup Public Cert
                        File f = new File(dir,arti.getNs()+".crt");
+                       // In Version 1.0, App Cert is first
                        write(f,Chmod.to644,certInfo.getCerts().get(0),C_R);
                        
                        // Setup Private Key
@@ -19,7 +19,7 @@
  *
  */
 
-package org.onap.aaf.cadi.cm;
+package org.onap.aaf.cadi.configure;
 
 import java.io.File;
 import java.security.KeyStore;
@@ -28,7 +28,10 @@ import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.Symm;
@@ -52,7 +55,8 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
                try {
                        KeyStore jks = KeyStore.getInstance(kst);
                        if(fks.exists()) {
-                               fks.delete();
+                               File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
+                               fks.renameTo(backup);
                        }       
 
                        // Get the Cert(s)... Might include Trust store
@@ -60,29 +64,26 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
                        // find where the trusts end in 1.0 API
                
                        X509Certificate x509;
-                       List<X509Certificate> certList = new ArrayList<X509Certificate>();
-                       Certificate[] trustChain = null;
-                       Certificate[] trustCAs;
+                       List<X509Certificate> chainList = new ArrayList<>();
+                       Set<X509Certificate> caSet = new HashSet<>();
                        for(Certificate c : certColl) {
                                x509 = (X509Certificate)c;
-                               if(trustChain==null && x509.getSubjectDN().equals(x509.getIssuerDN())) {
-                                       trustChain = new Certificate[certList.size()];
-                                       certList.toArray(trustChain);
-                                       certList.clear(); // reuse
+                               // Is a Root (self-signed, anyway)
+                               if(x509.getSubjectDN().equals(x509.getIssuerDN())) {
+                                       caSet.add(x509);
+                               } else {
+                                       chainList.add(x509);
                                }
-                               certList.add(x509);
                        }
-                       
-                       // remainder should be Trust CAs
-                       trustCAs = new Certificate[certList.size()];
-                       certList.toArray(trustCAs);
+//                     chainList.addAll(caSet);
+                       //Collections.reverse(chainList);
 
                        // Properties, etc
                        // Add CADI Keyfile Entry to Properties
                        addProperty(Config.CADI_KEYFILE,arti.getDir()+'/'+arti.getNs() + ".keyfile");
                        // Set Keystore Password
                        addProperty(Config.CADI_KEYSTORE,fks.getAbsolutePath());
-                       String keystorePass = Symm.randomGen(CmAgent.PASS_SIZE);
+                       String keystorePass = Symm.randomGen(Agent.PASS_SIZE);
                        addEncProperty(Config.CADI_KEYSTORE_PASSWORD,keystorePass);
                        char[] keystorePassArray = keystorePass.toCharArray();
                        jks.load(null,keystorePassArray); // load in
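Review bot: `caSet` is a `HashSet`, so the order in which the roots are later numbered into the `"ca_" + arti.getCa() + '_' + i` aliases is not stable from run to run; `Set<X509Certificate> caSet = new LinkedHashSet<>();` keeps the order of `certColl`. The root test compares subject and issuer names only, so every certificate in the response with matching names becomes a trust anchor wherever it appears in the list; if `certColl` can contain anything beyond the expected CA set, a signature check with `x509.verify(x509.getPublicKey())` is worth adding. The two commented-out lines (`chainList.addAll(caSet)` and `Collections.reverse(chainList)`) and the `Collections` import that only they use should be deleted rather than committed.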
@@ -97,7 +98,7 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
                        PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
                        addEncProperty(Config.CADI_KEY_PASSWORD, keyPass);
                        addProperty(Config.CADI_ALIAS, arti.getMechid());
-//                     Set<Attribute> attribs = new HashSet<Attribute>();
+//                     Set<Attribute> attribs = new HashSet<>();
 //                     if(kst.equals("pkcs12")) {
 //                             // Friendly Name
 //                             attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getNs()));
@@ -106,6 +107,8 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
                        KeyStore.ProtectionParameter protParam = 
                                        new KeyStore.PasswordProtection(keyPass.toCharArray());
                        
+                       Certificate[] trustChain = new Certificate[chainList.size()];
+                       chainList.toArray(trustChain);
                        KeyStore.PrivateKeyEntry pkEntry = 
                                new KeyStore.PrivateKeyEntry(pk, trustChain);
                        jks.setEntry(arti.getMechid(), 
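Review bot: `chainList` is empty when every certificate in `certColl` has equal subject and issuer, and `new KeyStore.PrivateKeyEntry(pk, trustChain)` throws `IllegalArgumentException` for a zero-length chain. A guard ahead of the array copy gives a clearer failure, e.g. `if(chainList.isEmpty()) { throw new CadiException("No certificate chain returned for " + arti.getMechid()); }`, assuming the enclosing method (not fully visible here) may throw `CadiException`. The order of `chainList` is also whatever `certColl` delivered, so the assumption that the application certificate comes first deserves a comment at this point.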
@@ -116,16 +119,23 @@ public class PlaceArtifactInKeystore extends ArtifactDir {
                        
                        // Change out to TrustStore
                        fks = new File(dir,arti.getNs()+".trust."+kst);
+                       if(fks.exists()) {
+                               File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
+                               fks.renameTo(backup);
+                       }       
+
                        jks = KeyStore.getInstance(kst);
                        
                        // Set Truststore Password
                        addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
-                       String trustStorePass = Symm.randomGen(CmAgent.PASS_SIZE);
+                       String trustStorePass = Symm.randomGen(Agent.PASS_SIZE);
                        addEncProperty(Config.CADI_TRUSTSTORE_PASSWORD,trustStorePass);
                        char[] truststorePassArray = trustStorePass.toCharArray();
                        jks.load(null,truststorePassArray); // load in
                        
                        // Add Trusted Certificates, but PKCS12 doesn't support
+                       Certificate[] trustCAs = new Certificate[caSet.size()];
+                       caSet.toArray(trustCAs);
                        for(int i=0; i<trustCAs.length;++i) {
                                jks.setCertificateEntry("ca_" + arti.getCa() + '_' + i, trustCAs[i]);
                        }
@@ -19,7 +19,7 @@
  *
  */
 
-package org.onap.aaf.cadi.cm;
+package org.onap.aaf.cadi.configure;
 
 import java.io.File;
 
@@ -116,7 +116,7 @@ public class PlaceArtifactScripts extends ArtifactDir {
                        " fi\n" +
                        "}\n\n" +
                        javaHome() + "/bin/" +"java -cp $CP " +
-                               CmAgent.class.getName() + 
+                               Agent.class.getName() + 
                                " cadi_prop_files=$DIR/$APP.props check 2>  $DIR/$APP.STDERR > $DIR/$APP.STDOUT\n" +
                        "case \"$?\" in\n" +
                        "  0)\n" +
index 616e2dc..fb84451 100644 (file)
@@ -44,9 +44,13 @@ public abstract class AbsOTafLur {
        
        protected AbsOTafLur(final PropAccess access, final String token_url, final String introspect_url) throws CadiException {
                this.access = access;
-               if((client_id = access.getProperty(Config.AAF_APPID,null))==null) {
-                       throw new CadiException(Config.AAF_APPID + REQUIRED_FOR_OAUTH2);
+               String ci;
+               if((ci = access.getProperty(Config.AAF_APPID,null))==null) {
+                       if((ci = access.getProperty(Config.CADI_ALIAS,null))==null) {
+                               throw new CadiException(Config.AAF_APPID + REQUIRED_FOR_OAUTH2);
+                       }
                }
+               client_id = ci;
 
                synchronized(access) {
                        if(tokenClientPool==null) {
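Review bot: The lookup order here is `AAF_APPID` first and `CADI_ALIAS` second, while `TokenClient.client_creds(Access)` in this same commit checks `CADI_ALIAS` first and ignores `AAF_APPID`/`AAF_APPPASS` once an alias is set. With both properties configured, `client_id` in this class and the identity the token client actually authenticates with can differ. Use one order in both places, and let the exception name both properties: `throw new CadiException(Config.AAF_APPID + " or " + Config.CADI_ALIAS + REQUIRED_FOR_OAUTH2);`.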
index 4b0c944..2ebd7dc 100644 (file)
@@ -107,7 +107,12 @@ public class TokenClient {
 
        public void client_creds(Access access) throws CadiException {
                if(okind=='A') {
-                       client_creds(access.getProperty(Config.AAF_APPID, null),access.getProperty(Config.AAF_APPPASS, null));
+                       String alias = access.getProperty(Config.CADI_ALIAS, null);
+                       if(alias == null) {
+                               client_creds(access.getProperty(Config.AAF_APPID, null),access.getProperty(Config.AAF_APPPASS, null));
+                       } else {
+                               client_creds(alias,null);
+                       }
                } else {
                        client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID, null),access.getProperty(Config.AAF_ALT_CLIENT_SECRET, null));
                }
@@ -125,7 +130,7 @@ public class TokenClient {
         */
        public void client_creds(final String client_id, final String client_secret) throws CadiException {
                if(client_id==null) {
-                       throw new CadiException(Config.AAF_ALT_CLIENT_ID + " is null");
+                       throw new CadiException("client_creds:client_id is null");
                }
                this.client_id = client_id;
                default_scope = FQI.reverseDomain(client_id);
@@ -157,6 +162,18 @@ public class TokenClient {
                        } catch(IOException | NoSuchAlgorithmException e) {
                                throw new CadiException(e);
                        }
+               } else {
+                       ss = new GetSetter() {
+                               @Override
+                               public <CLIENT> SecuritySetter<CLIENT> get(AAFCon<CLIENT> con) throws CadiException {
+                                       try {
+                                               return con.x509Alias(client_id);// no password, assume Cert
+                                       } catch (APIException e) {
+                                               throw new CadiException(e);
+                                       } 
+                               }                               
+                       };
+                       authn_method = AUTHN_METHOD.client_credentials;
                }
        }
        
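Review bot: A null `client_secret` now selects certificate authentication through `con.x509Alias(client_id)`, so a secret that is simply missing from the configuration cannot be told apart from a deliberate choice of X.509. `client_creds(Access)` passes `AAF_ALT_CLIENT_SECRET` straight through for the non-AAF kind, so an unset secret there ends with the alternate client id being used as a keystore alias, and the error appears only when the connection is built. Before this change `ss` stayed null and token calls failed with the explicit "client_creds(...) must be set" message. The method's Javadoc should state the new contract, e.g. `@param client_secret the password, or null to authenticate with the certificate stored under alias client_id`. The `if` this `else` belongs to starts outside the hunk.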
@@ -257,7 +274,7 @@ public class TokenClient {
                Result<TimedToken> rtt = factory.get(key,hash,new Loader<TimedToken>() {
                        @Override
                        public Result<TimedToken> load(final String key) throws APIException, CadiException, LocatorException {
-                               final List<String> params = new ArrayList<String>();
+                               final List<String> params = new ArrayList<>();
                                params.add(scope);
                                addSecurity(params,authn_method);
                        
@@ -314,7 +331,7 @@ public class TokenClient {
                if(ss==null) {
                        throw new APIException("client_creds(...) must be set before obtaining Access Tokens");
                }
-               final List<String> params = new ArrayList<String>();
+               final List<String> params = new ArrayList<>();
                params.add("refresh_token="+token.getRefreshToken());
                addSecurity(params,AUTHN_METHOD.refresh_token);
                final String scope="scope="+token.getScope().replace(' ', '+');
@@ -356,7 +373,7 @@ public class TokenClient {
                return tkCon.best(new Retryable<Result<Introspect>>() {
                                @Override
                                public Result<Introspect> code(Rcli<?> client) throws CadiException, ConnectException, APIException {
-                                       final List<String> params = new ArrayList<String>();
+                                       final List<String> params = new ArrayList<>();
                                        params.add("token="+token);
                                        addSecurity(params,AUTHN_METHOD.client_credentials);
                                        final String paramsa[] = new String[params.size()];
index 3f6fa59..28bf659 100644 (file)
@@ -43,6 +43,7 @@ import org.onap.aaf.cadi.aaf.v2_0.AAFLocator;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.config.SecurityInfoC;
 import org.onap.aaf.cadi.locator.PropertyLocator;
+import org.onap.aaf.cadi.locator.SingleEndpointLocator;
 import org.onap.aaf.cadi.oauth.TokenClient.AUTHN_METHOD;
 import org.onap.aaf.cadi.persist.Persist;
 import org.onap.aaf.cadi.principal.Kind;
@@ -53,13 +54,21 @@ import aafoauth.v2_0.Token;
 
 public class TokenClientFactory extends Persist<Token,TimedToken> {
        private static TokenClientFactory instance;
-       private Map<String,AAFConHttp> aafcons = new ConcurrentHashMap<String, AAFConHttp>();
+       private Map<String,AAFConHttp> aafcons = new ConcurrentHashMap<>();
        private SecurityInfoC<HttpURLConnection> hsi;
        // Package on purpose
-       final Symm symm;        
+       final Symm symm;
 
        private TokenClientFactory(Access pa) throws APIException, GeneralSecurityException, IOException, CadiException {
                super(pa, new RosettaEnv(pa.getProperties()),Token.class,"outgoing");
+               
+               if(access.getProperty(Config.AAF_OAUTH2_TOKEN_URL,null)==null) {
+                       access.getProperties().put(Config.AAF_OAUTH2_TOKEN_URL, "https://AAF_LOCATE_URL/AAF_NS.token:2.0"); // Default to AAF
+               }
+               if(access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL,null)==null) {
+                       access.getProperties().put(Config.AAF_OAUTH2_INTROSPECT_URL, "https://AAF_LOCATE_URL/AAF_NS.introspect:2.0"); // Default to AAF);
+               }
+
                symm = Symm.encrypt.obtain();
                hsi = SecurityInfoC.instance(access, HttpURLConnection.class);
        }
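Review bot: The constructor writes default URLs into `access.getProperties()`, which changes the caller's property set as a side effect of building the factory. The placeholder prefix `https://AAF_LOCATE_URL/` is repeated as a bare literal in `bestLocator` further down. Named constants such as `private static final String DEFAULT_TOKEN_URL = "https://AAF_LOCATE_URL/AAF_NS.token:2.0";` would keep the two places in step, and a comment should say that `AAF_LOCATE_URL` and `AAF_NS` are substituted later rather than being a real host. The second trailing comment ends in a stray `);`.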
@@ -70,7 +79,7 @@ public class TokenClientFactory extends Persist<Token,TimedToken> {
                }
                return instance;
        }
-
+       
        /**
         * Pickup Timeout from Properties
         * 
@@ -95,18 +104,23 @@ public class TokenClientFactory extends Persist<Token,TimedToken> {
                        }
                }
                char okind;
-               if(Config.AAF_OAUTH2_TOKEN_URL.equals(tagOrURL) || 
-                       tagOrURL.equals(access.getProperty(Config.AAF_OAUTH2_TOKEN_URL, null))) {
+               if( Config.AAF_OAUTH2_TOKEN_URL.equals(tagOrURL) ||
+                       Config.AAF_OAUTH2_INTROSPECT_URL.equals(tagOrURL) ||
+                       tagOrURL.equals(access.getProperty(Config.AAF_OAUTH2_TOKEN_URL, null)) ||
+                       tagOrURL.equals(access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL, null))
+                       ) {
                                okind = Kind.AAF_OAUTH;
                        } else {
                                okind = Kind.OAUTH;
                        }
-               return new TokenClient(
+               TokenClient tci = new TokenClient(
                                okind,
                                this,
                                ach,
                                timeout,
                                AUTHN_METHOD.none);
+               tci.client_creds(access);
+               return tci;
        }
        
        public TzClient newTzClient(final String locatorURL) throws CadiException, LocatorException {
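Review bot: `tci.client_creds(access)` now runs for every client this method returns, including the `Kind.OAUTH` branch where `tagOrURL` matches neither configured AAF URL. client_creds is not visible here, but if it loads the AAF app identity and password from `access`, those credentials would be attached to a client pointed at a non-AAF token endpoint. Consider guarding the call, `if(okind==Kind.AAF_OAUTH) { tci.client_creds(access); }`, or add a comment explaining why external providers should receive them. The constructor is still passed `AUTHN_METHOD.none`, which reads oddly next to an immediate client_creds call. The method starts above this hunk.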
@@ -158,12 +172,12 @@ public class TokenClientFactory extends Persist<Token,TimedToken> {
                if(locatorURL==null) {
                        throw new LocatorException("Cannot have a null locatorURL in bestLocator");
                }
-               if(locatePattern.matcher(locatorURL).matches()) {
+               if(locatorURL.startsWith("https://AAF_LOCATE_URL/") || locatePattern.matcher(locatorURL).matches()) {
                        return new AAFLocator(hsi,new URI(locatorURL));
-               } else if(locatorURL.contains("//DME2RESOLVE/")) {
-                       throw new LocatorException("DME2Locator doesn't exist.  Use DME2 specific Clients");
-               } else {
+               } else if(locatorURL.indexOf(',')>0) { // multiple URLs is a Property Locator
                        return new PropertyLocator(locatorURL);
+               } else {
+                       return new SingleEndpointLocator(locatorURL);
                }
                // Note: Removed DME2Locator... If DME2 client is needed, use DME2Clients
        }
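Review bot: The final `else` now hands any comma-free string to `new SingleEndpointLocator(locatorURL)`, so a `//DME2RESOLVE/` URL that used to raise a clear LocatorException, or an `http://` URL, is accepted as an endpoint with no check in this method. SingleEndpointLocator is not shown and may validate on its own; if it does not, keep the earlier rejection, `else if(locatorURL.contains("//DME2RESOLVE/")) { throw new LocatorException("DME2Locator doesn't exist.  Use DME2 specific Clients"); }`, and consider requiring an `https://` prefix before building the locator. The trailing DME2Locator comment now describes a branch that no longer exists. The method starts above this hunk.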
index d8fd88f..4e781bf 100644 (file)
@@ -44,9 +44,9 @@ import aaf.v2_0.Perms;
 import aafoauth.v2_0.Introspect;
 
 public class TokenMgr extends Persist<Introspect, TokenPerm> {
-       protected static Map<String,TokenPerm> tpmap = new ConcurrentHashMap<String, TokenPerm>();
-       protected static Map<String,TokenMgr> tmmap = new HashMap<String, TokenMgr>(); // synchronized in getInstance
-       protected static Map<String,String> currentToken = new HashMap<String,String>(); // synchronized in getTP
+       protected static Map<String,TokenPerm> tpmap = new ConcurrentHashMap<>();
+       protected static Map<String,TokenMgr> tmmap = new HashMap<>(); // synchronized in getInstance
+       protected static Map<String,String> currentToken = new HashMap<>(); // synchronized in getTP
        public static RosettaDF<Perms> permsDF;
        public static RosettaDF<Introspect> introspectDF;
 
index 4a0259a..5c77fda 100644 (file)
@@ -42,7 +42,7 @@ import aaf.v2_0.Perms;
 import aafoauth.v2_0.Introspect;
 
 public class TokenPerm extends Persisting<Introspect>{
-       private static final List<AAFPermission> NULL_PERMS = new ArrayList<AAFPermission>();
+       private static final List<AAFPermission> NULL_PERMS = new ArrayList<>();
        private Introspect introspect;
        private List<AAFPermission> perms;
        private String scopes;
@@ -99,7 +99,7 @@ public class TokenPerm extends Persisting<Introspect>{
                        while((pd = ij.parse(r,pd.reuse())).valid()) {
                                switch(pd.event) {
                                        case Parse.START_DOC:
-                                               perms = new ArrayList<AAFPermission>();
+                                               perms = new ArrayList<>();
                                                break;
                                        case Parse.START_ARRAY:
                                                inPerms = "perm".equals(pd.name);
index 9754b1e..11acbe9 100644 (file)
@@ -65,7 +65,7 @@ public abstract class Persist<T,CT extends Persistable<T>> extends PersistFile {
                super(access, sub_dir);
                this.env = env;
                df = env.newDataFactory(cls);
-               tmap = new ConcurrentHashMap<String, CT>();
+               tmap = new ConcurrentHashMap<>();
                synchronized(Persist.class) {
                        if(clean==null) {
                                clean = new Timer(true);
index e9a80dd..bed201a 100644 (file)
@@ -24,6 +24,7 @@ package org.onap.aaf.cadi.register;
 import java.net.HttpURLConnection;
 import java.net.Inet4Address;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.UnknownHostException;
 
 import org.onap.aaf.cadi.Access;
@@ -37,6 +38,7 @@ import org.onap.aaf.cadi.client.Rcli;
 import org.onap.aaf.cadi.client.Result;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.locator.PropertyLocator;
+import org.onap.aaf.cadi.locator.SingleEndpointLocator;
 import org.onap.aaf.cadi.util.Split;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.impl.BasicEnv;
@@ -68,8 +70,16 @@ public class RemoteRegistrant<ENV extends BasicEnv> implements Registrant<ENV> {
                if(aaf_locate==null) {
                        throw new CadiException(Config.AAF_LOCATE_URL + " is required.");
                } else {
-                       // Note: want Property Locator, not AAFLocator, because we want the core service, not what it can find
-                       locator = new PropertyLocator(aaf_locate);
+                       // Note: want Property Locator or Single, not AAFLocator, because we want the core service, not what it can find
+                       try {
+                               if(aaf_locate.indexOf(',')>=0) {
+                                       locator = new PropertyLocator(aaf_locate);
+                               } else {
+                                       locator = new SingleEndpointLocator(aaf_locate);
+                               }
+                       } catch (URISyntaxException e) {
+                               throw new CadiException(e);
+                       }
                }
                
                mep = new MgmtEndpoint();
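Review bot: The comma test here is `aaf_locate.indexOf(',')>=0`, while bestLocator in TokenClientFactory uses `locatorURL.indexOf(',')>0` for the same Property-versus-Single decision, so a value with a leading comma is routed differently in the two places. Pick one form and use it in both. The `catch` also wraps the URISyntaxException without saying which property was malformed; if CadiException offers a message-and-cause constructor, `throw new CadiException(Config.AAF_LOCATE_URL + " is not a valid URI", e);` would point the operator at the setting. The enclosing constructor starts outside this hunk.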
index 8948bc3..28103b5 100644 (file)
@@ -25,17 +25,19 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.PrintStream;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map.Entry;
 import java.util.Properties;
 
+import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.util.MyConsole;
 import org.onap.aaf.cadi.util.SubStandardConsole;
@@ -43,9 +45,10 @@ import org.onap.aaf.cadi.util.TheConsole;
 
 public class AAFSSO {
        public static final MyConsole  cons = TheConsole.implemented() ? new TheConsole() : new SubStandardConsole();
-       private static final int EIGHT_HOURS = 8 * 60 * 60 * 1000;
+//     private static final int EIGHT_HOURS = 8 * 60 * 60 * 1000;
 
-       private Properties diskprops = null; // use for temp storing User/Password on disk
+       private Properties diskprops;
+       private boolean touchDiskprops;
        private File dot_aaf = null;
        private File sso = null; // instantiated, if ever, with diskprops
 
@@ -61,9 +64,25 @@ public class AAFSSO {
        private PrintStream os;
 
        private Method close;
+       private final PrintStream stdOutOrig;
+       private final PrintStream stdErrOrig;
+       private boolean ok;
 
        public AAFSSO(String[] args) throws IOException, CadiException {
-               String[] nargs = parseArgs(args);
+               this(args,new Properties());
+       }
+       
+       public AAFSSO(String[] args, ProcessArgs pa) throws IOException, CadiException {
+               this(args,pa.process(args, new Properties()));
+       }
+
+       public AAFSSO(String[] args, Properties dp) throws IOException, CadiException {
+               stdOutOrig = System.out;
+               stdErrOrig = System.err;
+               ok = true;
+               List<String> nargs = parseArgs(args);
+               diskprops = dp;
+               touchDiskprops = false;
 
                dot_aaf = new File(System.getProperty("user.home") + "/.aaf");
                if (!dot_aaf.exists()) {
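Review bot: The three public constructors are undocumented, and the `Properties dp` overload keeps the caller's object as `diskprops` rather than copying it. The next hunk loads sso.props into that same object and writeFiles later stores it, so a caller's Properties is both mutated and persisted to disk. A Javadoc line stating this, plus a null check such as `if(dp==null) { throw new IllegalArgumentException("dp"); }`, would make the contract explicit. The constructor body continues past this hunk.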
@@ -71,122 +90,301 @@ public class AAFSSO {
                }
                File f = new File(dot_aaf, "sso.out");
                os = new PrintStream(new FileOutputStream(f, true));
-               System.setOut(os);
+               //System.setOut(os);
                System.setErr(os);
 
-               access = new PropAccess(os, nargs);
-               Config.setDefaultRealm(access);
-
-               user = access.getProperty(Config.AAF_APPID);
-               encrypted_pass = access.getProperty(Config.AAF_APPPASS);
-
+               sso = new File(dot_aaf, "sso.props");
+               if(sso.exists()) {
+                       InputStream propStream = new FileInputStream(sso);
+                       try {
+                               diskprops.load(propStream);
+                       } finally {
+                               propStream.close();
+                       }
+               }
+               
                File dot_aaf_kf = new File(dot_aaf, "keyfile");
 
-               sso = new File(dot_aaf, "sso.props");
                if (removeSSO) {
                        if (dot_aaf_kf.exists()) {
                                dot_aaf_kf.setWritable(true, true);
                                dot_aaf_kf.delete();
                        }
                        if (sso.exists()) {
-                               sso.delete();
+                               Properties temp = new Properties();
+                               // Keep only these
+                               for(Entry<Object, Object> es : diskprops.entrySet()) {
+                                       if(Config.CADI_LATITUDE.equals(es.getKey()) ||
+                                          Config.CADI_LONGITUDE.equals(es.getKey()) ||
+                                          Config.AAF_DEFAULT_REALM.equals(es.getKey())) {
+                                                temp.setProperty(es.getKey().toString(), es.getValue().toString());
+                                       }
+                               }
+                               diskprops = temp;
+                               touchDiskprops = true;
                        }
+                       String[] naargs = new String[nargs.size()];
+                       nargs.toArray(naargs);
+                       access = new PropAccess(os, naargs);
+                       ok = false;
+                       setLogDefault();
                        System.out.println("AAF SSO information removed");
-                       if (doExit) {
-                               System.exit(0);
+               } else {
+                       //      Config.setDefaultRealm(access);
+       
+                       if (!dot_aaf_kf.exists()) {
+                               FileOutputStream fos = new FileOutputStream(dot_aaf_kf);
+                               try {
+                                       fos.write(Symm.keygen());
+                                       setReadonly(dot_aaf_kf);
+                               } finally {
+                                       fos.close();
+                               }
                        }
-               }
 
-               if (!dot_aaf_kf.exists()) {
-                       FileOutputStream fos = new FileOutputStream(dot_aaf_kf);
-                       try {
-                               fos.write(Symm.keygen());
-                               setReadonly(dot_aaf_kf);
-                       } finally {
-                               fos.close();
+                       for(Entry<Object, Object> es : diskprops.entrySet()) {
+                               nargs.add(es.getKey().toString() + '=' + es.getValue().toString());
                        }
-               }
-
-               String keyfile = access.getProperty(Config.CADI_KEYFILE); // in case it's CertificateMan props
-               if (keyfile == null) {
-                       access.setProperty(Config.CADI_KEYFILE, dot_aaf_kf.getAbsolutePath());
-               }
-
-               String alias = access.getProperty(Config.CADI_ALIAS);
-               if ((user == null) && (alias != null) && (access.getProperty(Config.CADI_KEYSTORE_PASSWORD) != null)) {
-                       user = alias;
-                       access.setProperty(Config.AAF_APPID, user);
-                       use_X509 = true;
-               } else {
-                       use_X509 = false;
-                       Symm decryptor = Symm.obtain(dot_aaf_kf);
-                       if (user == null) {
-                               if (sso.exists() && (sso.lastModified() > (System.currentTimeMillis() - EIGHT_HOURS))) {
-                                       String cm_url = access.getProperty(Config.CM_URL); // SSO might overwrite...
-                                       FileInputStream fos = new FileInputStream(sso);
-                                       try {
-                                               access.load(fos);
-                                               user = access.getProperty(Config.AAF_APPID);
-                                               encrypted_pass = access.getProperty(Config.AAF_APPPASS);
-                                               // decrypt with .aaf, and re-encrypt with regular Keyfile
-                                               access.setProperty(Config.AAF_APPPASS,
-                                                               access.encrypt(decryptor.depass(encrypted_pass)));
-                                               if (cm_url != null) { //Command line CM_URL Overwrites ssofile.
-                                                       access.setProperty(Config.CM_URL, cm_url);
+                       String[] naargs = new String[nargs.size()];
+                       nargs.toArray(naargs);
+                       access = new PropAccess(os, naargs);
+                       
+                       if(loginOnly) {
+                               for(String tag : new String[] {Config.AAF_APPID, Config.AAF_APPPASS, 
+                                               Config.CADI_ALIAS, Config.CADI_KEYSTORE,Config.CADI_KEYSTORE_PASSWORD,Config.CADI_KEY_PASSWORD}) {
+                                       access.getProperties().remove(tag);
+                                       diskprops.remove(tag);
+                               }
+                               touchDiskprops=true;
+// TODO Do we want to require reset of Passwords at least every Eight Hours.
+//                     } else if (sso.lastModified() > (System.currentTimeMillis() - EIGHT_HOURS)) {
+//                             for(String tag : new String[] {Config.AAF_APPPASS,Config.CADI_KEYSTORE_PASSWORD,Config.CADI_KEY_PASSWORD}) {
+//                                     access.getProperties().remove(tag);
+//                                     diskprops.remove(tag);
+//                             }
+//                             touchDiskprops=true;
+                       }
+       
+                       String keyfile = access.getProperty(Config.CADI_KEYFILE); // in case its CertificateMan props
+                       if (keyfile == null) {
+                               access.setProperty(Config.CADI_KEYFILE, dot_aaf_kf.getAbsolutePath());
+                               addProp(Config.CADI_KEYFILE,dot_aaf_kf.getAbsolutePath());
+                       }
+       
+       
+                       String alias, appID;
+                       alias = access.getProperty(Config.CADI_ALIAS);
+                       if(alias==null) {
+                               appID = access.getProperty(Config.AAF_APPID);
+                               user=appID;
+                       } else {
+                               user=alias;
+                               appID=null;
+                       }
+                       
+                       if(appID!=null && access.getProperty(Config.AAF_APPPASS)==null) {
+                               char[] password = cons.readPassword("Password for %s: ", appID);
+                               String app_pass = access.encrypt(new String(password));
+                               access.setProperty(Config.AAF_APPPASS,app_pass);
+                               diskprops.setProperty(Config.AAF_APPPASS, app_pass);
+                       }
+                       
+                       String keystore=access.getProperty(Config.CADI_KEYSTORE);
+                       String keystore_pass=access.getProperty(Config.CADI_KEYSTORE_PASSWORD);
+                       
+                       if(user==null || (alias!=null && (keystore==null || keystore_pass==null))) {
+                               String select = null;
+                               String name;
+                               for (File tsf : dot_aaf.listFiles()) {
+                                       name = tsf.getName();
+                                       if (!name.contains("trust") && (name.endsWith(".jks") || name.endsWith(".p12"))) {
+                                               setLogDefault();
+                                               select = cons.readLine("Use %s for Identity? (y/n): ",tsf.getName());
+                                               if("y".equalsIgnoreCase(select)) {
+                                                       keystore = tsf.getCanonicalPath();
+                                                       access.setProperty(Config.CADI_KEYSTORE, keystore);
+                                                       addProp(Config.CADI_KEYSTORE, keystore);
+                                                       char[] password = cons.readPassword("Keystore Password: ");
+                                                       encrypted_pass= access.encrypt(new String(password));
+                                                       access.setProperty(Config.CADI_KEYSTORE_PASSWORD, encrypted_pass);
+                                                       addProp(Config.CADI_KEYSTORE_PASSWORD, encrypted_pass);
+                                                       
+                                                       // TODO READ Aliases out of Keystore?
+                                                       user = alias = cons.readLine("Keystore alias: ");
+                                                       access.setProperty(Config.CADI_ALIAS, user);
+                                                       addProp(Config.CADI_ALIAS, user);
+                                                       break;
                                                }
-                                       } finally {
-                                               fos.close();
-                                       }
-                               } else {
-                                       diskprops = new Properties();
-                                       String realm = Config.getDefaultRealm();
-                                       // Turn on Console Sysout
-                                       System.setOut(System.out);
-                                       user = cons.readLine("aaf_id(%s@%s): ", System.getProperty("user.name"), realm);
-                                       if (user == null) {
-                                               user = System.getProperty("user.name") + '@' + realm;
-                                       } else if (user.length() == 0) { //
-                                               user = System.getProperty("user.name") + '@' + realm;
-                                       } else if ((user.indexOf('@') < 0) && (realm != null)) {
-                                               user = user + '@' + realm;
                                        }
-                                       access.setProperty(Config.AAF_APPID, user);
-                                       diskprops.setProperty(Config.AAF_APPID, user);
-                                       encrypted_pass = new String(cons.readPassword("aaf_password: "));
-                                       System.setOut(os);
-                                       encrypted_pass = Symm.ENC + decryptor.enpass(encrypted_pass);
+                               }
+                               if(alias==null) {
+                                       user = appID = cons.readLine(Config.AAF_APPID + ": ");
+                                       access.setProperty(Config.AAF_APPID, appID);
+                                       addProp(Config.AAF_APPID, appID);
+                                       char[] password = cons.readPassword(Config.AAF_APPPASS + ": ");
+                                       encrypted_pass= access.encrypt(new String(password));
                                        access.setProperty(Config.AAF_APPPASS, encrypted_pass);
-                                       diskprops.setProperty(Config.AAF_APPPASS, encrypted_pass);
-                                       diskprops.setProperty(Config.CADI_KEYFILE, access.getProperty(Config.CADI_KEYFILE));
+                                       addProp(Config.AAF_APPPASS, encrypted_pass);
+                               }
+                       } else {
+                               encrypted_pass = access.getProperty(Config.CADI_KEYSTORE_PASSWORD);
+                               if(encrypted_pass == null) {
+                                       keystore_pass = null;
+                                       encrypted_pass = access.getProperty(Config.AAF_APPPASS);
+                               } else {
+                                       keystore_pass = encrypted_pass;
                                }
                        }
-               }
-               if (user == null) {
-                       err = new StringBuilder("Add -D" + Config.AAF_APPID + "=<id> ");
-               }
-
-               if (encrypted_pass == null && alias == null) {
-                       if (err == null) {
-                               err = new StringBuilder();
+                       
+       
+                       if (alias!=null) {
+                               use_X509 = true;
                        } else {
-                               err.append("and ");
+                               use_X509 = false;
+                               Symm decryptor = Symm.obtain(dot_aaf_kf);
+                               if (user == null) {
+                                       if (sso.exists()) {
+                                               String cm_url = access.getProperty(Config.CM_URL); // SSO might overwrite...
+                                               FileInputStream fos = new FileInputStream(sso);
+                                               try {
+                                                       access.load(fos);
+                                                       user = access.getProperty(Config.AAF_APPID);
+                                                       encrypted_pass = access.getProperty(Config.AAF_APPPASS);
+                                                       // decrypt with .aaf, and re-encrypt with regular Keyfile
+                                                       access.setProperty(Config.AAF_APPPASS,
+                                                                       access.encrypt(decryptor.depass(encrypted_pass)));
+                                                       if (cm_url != null) { //Command line CM_URL Overwrites ssofile.
+                                                               access.setProperty(Config.CM_URL, cm_url);
+                                                       }
+                                               } finally {
+                                                       fos.close();
+                                               }
+                                       } else {
+                                               diskprops = new Properties();
+                                               String realm = Config.getDefaultRealm();
+                                               // Turn on Console Sysout
+                                               System.setOut(System.out);
+                                               user = cons.readLine("aaf_id(%s@%s): ", System.getProperty("user.name"), realm);
+                                               if (user == null) {
+                                                       user = System.getProperty("user.name") + '@' + realm;
+                                               } else if (user.length() == 0) { //
+                                                       user = System.getProperty("user.name") + '@' + realm;
+                                               } else if ((user.indexOf('@') < 0) && (realm != null)) {
+                                                       user = user + '@' + realm;
+                                               }
+                                               access.setProperty(Config.AAF_APPID, user);
+                                               diskprops.setProperty(Config.AAF_APPID, user);
+                                               encrypted_pass = new String(cons.readPassword("aaf_password: "));
+                                               System.setOut(os);
+                                               encrypted_pass = Symm.ENC + decryptor.enpass(encrypted_pass);
+                                               access.setProperty(Config.AAF_APPPASS, encrypted_pass);
+                                               diskprops.setProperty(Config.AAF_APPPASS, encrypted_pass);
+                                               diskprops.setProperty(Config.CADI_KEYFILE, access.getProperty(Config.CADI_KEYFILE));
+                                       }
+                               }
+                       }
+                       if (user == null) {
+                               err = new StringBuilder("Add -D" + Config.AAF_APPID + "=<id> ");
+                       }
+       
+                       if (encrypted_pass == null && alias == null) {
+                               if (err == null) {
+                                       err = new StringBuilder();
+                               } else {
+                                       err.append("and ");
+                               }
+                               err.append("-D" + Config.AAF_APPPASS + "=<passwd> ");
+                       }
+                       
+                       String locateUrl = access.getProperty(Config.AAF_LOCATE_URL);
+                       if(locateUrl==null) {
+                               locateUrl=AAFSSO.cons.readLine("AAF Locator URL=https://");
+                               if(locateUrl==null || locateUrl.length()==0) {
+                                       err = new StringBuilder(Config.AAF_LOCATE_URL);
+                                       err.append(" is required.");
+                                       ok = false;
+                                       return;
+                               } else {
+                                       locateUrl="https://"+locateUrl;
+                               }
+                               access.setProperty(Config.AAF_LOCATE_URL, locateUrl);
+                               addProp(Config.AAF_LOCATE_URL, locateUrl);
+                       }
+                       
+                       String aafUrl = "https://AAF_LOCATE_URL/AAF_NS.service:2.0";
+                       access.setProperty(Config.AAF_URL, aafUrl);
+                       access.setProperty(Config.CM_URL, "https://AAF_LOCATE_URL/AAF_NS.cm:2.0");
+                       String cadiLatitude = access.getProperty(Config.CADI_LATITUDE);
+                       if(cadiLatitude==null) {
+                               System.out.println("# If you do not know your Global Coordinates, we suggest bing.com/maps");
+                               cadiLatitude=AAFSSO.cons.readLine("cadi_latitude[0.000]=");
+                               if(cadiLatitude==null || cadiLatitude.isEmpty()) {
+                                       cadiLatitude="0.000";
+                               }
+                               access.setProperty(Config.CADI_LATITUDE, cadiLatitude);
+                               addProp(Config.CADI_LATITUDE, cadiLatitude);
+                               
                        }
-                       err.append("-D" + Config.AAF_APPPASS + "=<passwd> ");
+                       String cadiLongitude = access.getProperty(Config.CADI_LONGITUDE);
+                       if(cadiLongitude==null) {
+                               cadiLongitude=AAFSSO.cons.readLine("cadi_longitude[0.000]=");
+                               if(cadiLongitude==null || cadiLongitude.isEmpty()) {
+                                       cadiLongitude="0.000";
+                               }
+                               access.setProperty(Config.CADI_LONGITUDE, cadiLongitude);
+                               addProp(Config.CADI_LONGITUDE, cadiLongitude);
+                       }
+       
+                       String cadi_truststore = access.getProperty(Config.CADI_TRUSTSTORE);
+                       if(cadi_truststore==null) {
+                               String name; 
+                               String select;
+                               for (File tsf : dot_aaf.listFiles()) {
+                                       name = tsf.getName();
+                                       if (name.contains("trust") && 
+                                                       (name.endsWith(".jks") || name.endsWith(".p12"))) {
+                                               select = cons.readLine("Use %s for TrustStore? (y/n):",tsf.getName());
+                                               if("y".equalsIgnoreCase(select)) {
+                                                       cadi_truststore=tsf.getCanonicalPath();
+                                                       access.setProperty(Config.CADI_TRUSTSTORE, cadi_truststore);
+                                                       addProp(Config.CADI_TRUSTSTORE, cadi_truststore);
+                                                       break;
+                                               }
+                                       }
+                               }
+                       }
+                       if(cadi_truststore!=null) {
+                               if(cadi_truststore.indexOf(File.separatorChar)<0) {
+                                       cadi_truststore=dot_aaf.getPath()+File.separator+cadi_truststore;
+                               }
+                               String cadi_truststore_password = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD);
+                               if(cadi_truststore_password==null) {
+                                       cadi_truststore_password=AAFSSO.cons.readLine("cadi_truststore_password[%s]=","changeit");
+                                       cadi_truststore_password = access.encrypt(cadi_truststore_password);
+                                       access.setProperty(Config.CADI_TRUSTSTORE_PASSWORD, cadi_truststore_password);
+                                       addProp(Config.CADI_TRUSTSTORE_PASSWORD, cadi_truststore_password);
+                               }
+                       }
+                       ok = err==null;
                }
+               writeFiles();
        }
 
        public void setLogDefault() {
                this.setLogDefault(PropAccess.DEFAULT);
+               System.setOut(stdOutOrig);
        }
 
        public void setStdErrDefault() {
                access.setLogLevel(PropAccess.DEFAULT);
-               System.setErr(System.err);
+               System.setErr(stdErrOrig);
        }
 
        public void setLogDefault(Level level) {
-               access.setLogLevel(level);
-               System.setOut(System.out);
+               if(access!=null) {
+                       access.setLogLevel(level);
+               }
+               System.setOut(stdOutOrig);
        }
 
        public boolean loginOnly() {
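Review bot: The age check on sso.props is gone. The old code reused stored credentials only when `sso.lastModified() > (System.currentTimeMillis() - EIGHT_HOURS)`, whereas the new code loads sso.props unconditionally into `diskprops`, passes every entry to `PropAccess`, and leaves expiry as a commented-out TODO. Since this hunk also persists `Config.CADI_KEYSTORE_PASSWORD` and `Config.CADI_TRUSTSTORE_PASSWORD` through addProp, a cached login never lapses unless the user takes the removeSSO or loginOnly path. If the expiry is re-enabled, note that the commented condition uses `>`, which would clear passwords on files newer than eight hours; it should read `} else if (sso.lastModified() < (System.currentTimeMillis() - EIGHT_HOURS)) {`. Separately, the truststore password is read with `cons.readLine`, which presumably echoes input, where the other passwords use `cons.readPassword`. The constructor begins in the preceding hunk.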
@@ -194,29 +392,33 @@ public class AAFSSO {
        }
 
        public void addProp(String key, String value) {
-               if (diskprops != null) {
-                       diskprops.setProperty(key, value);
+               if(key==null || value==null) {
+                       return;
                }
+               touchDiskprops=true;
+               diskprops.setProperty(key, value);
        }
 
        public void writeFiles() throws IOException {
-               // Store Creds, if they work
-               if (diskprops != null) {
-                       if (!dot_aaf.exists()) {
-                               dot_aaf.mkdirs();
+               if(touchDiskprops) {
+                       // Store Creds, if they work
+                       if (diskprops != null) {
+                               if (!dot_aaf.exists()) {
+                                       dot_aaf.mkdirs();
+                               }
+                               FileOutputStream fos = new FileOutputStream(sso);
+                               try {
+                                       diskprops.store(fos, "AAF Single Signon");
+                               } finally {
+                                       fos.close();
+                                       setReadonly(sso);
+                               }
                        }
-                       FileOutputStream fos = new FileOutputStream(sso);
-                       try {
-                               diskprops.store(fos, "AAF Single Signon");
-                       } finally {
-                               fos.close();
+                       if (sso != null) {
                                setReadonly(sso);
+                               sso.setWritable(true, true);
                        }
                }
-               if (sso != null) {
-                       setReadonly(sso);
-                       sso.setWritable(true, true);
-               }
        }
 
        public PropAccess access() {
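Review bot: In `writeFiles`, `new FileOutputStream(sso)` creates the stored-credentials file with the process's default permissions and `setReadonly(sso)` runs only in the `finally`, after `diskprops.store(...)`. On first creation the properties, including the encrypted truststore password added in the preceding hunk, can therefore be readable by other local accounts until the write completes. Restrict the file to its owner before any content is written, and use try-with-resources so that an exception from `fos.close()` cannot skip the permission step. The trailing `if (sso != null)` comes after `sso` has already been dereferenced, so it is either redundant or belongs before the stream is opened. Separately, `addProp` now calls `diskprops.setProperty` without the `diskprops != null` guard that the old code had and `writeFiles` still keeps; if the field can still be null, this is a new NullPointerException.

```java
// … unchanged: touchDiskprops and diskprops checks, dot_aaf.mkdirs() …
if (!sso.exists()) {
	sso.createNewFile();         // empty at this point, nothing sensitive in it yet
}
setReadonly(sso);                    // owner-only before the properties are written
sso.setWritable(true, true);
try (FileOutputStream fos = new FileOutputStream(sso)) {
	diskprops.store(fos, "AAF Single Signon");
}
```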
@@ -250,9 +452,9 @@ public class AAFSSO {
                }
        }
 
-       private String[] parseArgs(String[] args)
+       private List<String> parseArgs(String[] args)
        {
-               List<String> larg = new ArrayList<String>(args.length);
+               List<String> larg = new ArrayList<>(args.length);
 
                // Cover for bash's need to escape *.. (\\*)
                // also, remove SSO if required
@@ -271,9 +473,7 @@ public class AAFSSO {
                                larg.add(args[i]);
                        }
                }
-               String[] nargs = new String[larg.size()];
-               larg.toArray(nargs);
-               return nargs;
+               return larg;
        }
        
        private void setReadonly(File file) {
@@ -282,4 +482,12 @@ public class AAFSSO {
                file.setReadable(false, false);
                file.setReadable(true, true);
        }
+
+       public boolean ok() {
+               return ok;
+       }
+       
+       public static interface ProcessArgs {
+               public Properties process(final String[] args, final Properties props);
+       }
 }
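Review bot: `ok()` and the `ProcessArgs` callback are added as public API without Javadoc, and nothing in this hunk says when `ok` is true or what `process` must return. The preceding hunk assigns the flag from `err==null`, so a one-line comment such as `/** Whether setup finished without recording an error (set from err==null). */` would tell callers what they are checking. `ProcessArgs` needs a sentence on whether `process` may return `props` itself or null; that contract is not visible here. The `static` on the nested interface and the `public` on its method are redundant modifiers: `public interface ProcessArgs { Properties process(String[] args, Properties props); }`.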
index 10958a2..4836e4e 100644 (file)
@@ -44,7 +44,7 @@ public class JU_AAFPermission {
 
        @Before
        public void setup() {
-               roles = new ArrayList<String>();
+               roles = new ArrayList<>();
                roles.add(role);
        }
 
index 5388f75..e651fbc 100644 (file)
@@ -97,7 +97,7 @@ public class JU_AAFLocator {
        public static void tearDownAfterClass() throws Exception {
                Field field = SecurityInfoC.class.getDeclaredField("sicMap");
                field.setAccessible(true);
-               field.set(null, new HashMap<Class<?>,SecurityInfoC<?>>());
+               field.set(null, new HashMap<>());
        }
 
        @Test
@@ -105,19 +105,19 @@ public class JU_AAFLocator {
                access.setProperty(Config.CADI_LATITUDE, "38.62");  // St Louis approx lat
                access.setProperty(Config.CADI_LONGITUDE, "90.19");  // St Louis approx lon
                SecurityInfoC<HttpURLConnection> si = SecurityInfoC.instance(access, HttpURLConnection.class);
-               String alu = access.getProperty(Config.AAF_LOCATE_URL,"https://mithrilcsp.sbc.com:8095/locate");
-               URI locatorURI = new URI(alu+"/com.att.aaf.service/2.0");
+               URI locatorURI = new URI("https://somemachine.moc:10/com.att.aaf.service:2.0");
                AbsAAFLocator<BasicTrans> al = new AAFLocator(si, locatorURI) {
                        @Override
                        protected HClient createClient(SecuritySetter<HttpURLConnection> ss, URI uri, int connectTimeout) throws LocatorException {
                                return clientMock;
                        }
                };
-               assertThat(al.refresh(), is(true));
-               when(futureMock.get(1)).thenReturn(false);
-               assertThat(al.refresh(), is(false));
-               String errorMessage = errStream.toString().split(": ", 2)[1];
-               assertThat(errorMessage, is("Error reading location information from " + uriString + ": 0 null\n \n"));
+               // Start over: This was originally calling a developer machine.
+//             assertThat(al.refresh(), is(true));
+//             when(futureMock.get(1)).thenReturn(false);
+//             assertThat(al.refresh(), is(false));
+//             String errorMessage = errStream.toString().split(": ", 2)[1];
+//             assertThat(errorMessage, is("Error reading location information from " + uriString + ": 0 null\n \n"));
        }
 
 }
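Review bot: With every assertion commented out, this test now only constructs the locator and passes vacuously, so a regression in `refresh()` would go unnoticed. Either drive `refresh()` through `clientMock`, which the overridden `createClient` already returns, or mark the method `@Ignore("rewrite against clientMock; the old default URL pointed at a developer host")` so the gap shows up in test reports. Delete the commented-out lines rather than keeping them, since the history already preserves them. The test method's signature is outside the hunk.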
diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/.gitignore b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/.gitignore
new file mode 100644 (file)
index 0000000..52448be
--- /dev/null
@@ -0,0 +1 @@
+/JU_CmAgentCreate.java
index d0d67e2..ed23179 100644 (file)
@@ -42,7 +42,7 @@ import org.junit.Test;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
 import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.cm.ArtifactDir;
+import org.onap.aaf.cadi.configure.ArtifactDir;
 import org.onap.aaf.cadi.util.Chmod;
 import org.onap.aaf.misc.env.Trans;
 
index aa12d7c..a973bc2 100644 (file)
@@ -24,8 +24,7 @@ package org.onap.aaf.cadi.cm.test;
 import static org.junit.Assert.*;
 import static org.hamcrest.CoreMatchers.*;
 import org.junit.*;
-
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 
 public class JU_CertException {
 
index 34ccf57..b50c5a5 100644 (file)
@@ -28,7 +28,7 @@ import java.io.File;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
-import org.onap.aaf.cadi.cm.CmAgent;
+import org.onap.aaf.cadi.configure.Agent;
 
 public class JU_CmAgent {
 
@@ -56,57 +56,64 @@ public class JU_CmAgent {
                String[] args;
                args = new String[] {
                                "-login",
-                               "-noexit",
+                               "-noExit",
                };
-               CmAgent.main(args);
+               Agent.main(args);
 
                inStream.reset();
                args = new String[] {
-                               "noexit=true",
+                               "-noExit",
                };
-               CmAgent.main(args);
+               Agent.main(args);
 
                inStream.reset();
                args = new String[] {
                                "place",
+                               "-noExit",
                };
-               CmAgent.main(args);
+               Agent.main(args);
 
                inStream.reset();
                args = new String[] {
+                               "-noExit",
                                "create"
                };
-               CmAgent.main(args);
+               Agent.main(args);
 
                inStream.reset();
                args = new String[] {
+                               "-noExit",
                                "read"
                };
-               CmAgent.main(args);
+               Agent.main(args);
 
                inStream.reset();
                args = new String[] {
+                               "-noExit",
                                "copy"
                };
-               CmAgent.main(args);
+               Agent.main(args);
 
                inStream.reset();
                args = new String[] {
+                               "-noExit",
                                "update"
                };
-               CmAgent.main(args);
+               Agent.main(args);
 
                inStream.reset();
                args = new String[] {
+                               "-noExit",
                                "delete"
                };
-               CmAgent.main(args);
+               Agent.main(args);
 
                inStream.reset();
                args = new String[] {
+                               "-noExit",
                                "showpass"
                };
-               CmAgent.main(args);
+               Agent.main(args);
 
        }
 
index fb186b8..5827e8c 100644 (file)
@@ -57,11 +57,10 @@ import java.util.List;
 
 import javax.crypto.Cipher;
 
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
-import org.onap.aaf.cadi.cm.Factory.Base64InputStream;
-import org.onap.aaf.cadi.cm.Factory.StripperInputStream;
-
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
+import org.onap.aaf.cadi.configure.Factory.Base64InputStream;
+import org.onap.aaf.cadi.configure.Factory.StripperInputStream;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.LogTarget;
 import org.onap.aaf.misc.env.TimeTaken;
@@ -162,8 +161,8 @@ public class JU_Factory {
                assertThat(privateKeyString.startsWith("-----BEGIN PRIVATE KEY-----"), is(true));
                assertThat(privateKeyString.endsWith("-----END PRIVATE KEY-----\n"), is(true));
 
-               PublicKey publicKey = Factory.toPublicKey(transMock, cleanupString(publicKeyString));
-               PrivateKey privateKey = Factory.toPrivateKey(transMock, cleanupString(privateKeyString));
+               PublicKey publicKey = Factory.toPublicKey(transMock, publicKeyString);
+               PrivateKey privateKey = Factory.toPrivateKey(transMock, privateKeyString);
 
                Cipher encryptor = Factory.pkCipher(publicKey, true);
                Cipher decryptor = Factory.pkCipher(privateKey, false);
@@ -239,7 +238,7 @@ public class JU_Factory {
                output = Factory.toString(transMock, certs.toArray(new Certificate[0])[0]);
                assertThat(output, is(certString));
 
-               List<String> certStrings = new ArrayList<String>();
+               List<String> certStrings = new ArrayList<>();
                certStrings.add(certString);
                certStrings.add(certString);
                certs = Factory.toX509Certificate(certStrings);
@@ -319,7 +318,7 @@ public class JU_Factory {
 
        private String cleanupString(String str) {
                String[] lines = str.split("\n", 0);
-               List<String> rawLines = new ArrayList<String>();
+               List<String> rawLines = new ArrayList<>();
                for (int i = 0; i < lines.length - 2; i++) {
                        rawLines.add(lines[i + 1]);
                }
index 3c83112..7afb4cf 100644 (file)
@@ -32,7 +32,7 @@ import java.util.List;
 import org.junit.*;
 import org.mockito.*;
 import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.cm.PlaceArtifactInFiles;
+import org.onap.aaf.cadi.configure.PlaceArtifactInFiles;
 import org.onap.aaf.misc.env.Trans;
 
 import certman.v1_0.Artifacts.Artifact;
index d146f63..0b086f1 100644 (file)
@@ -39,7 +39,7 @@ import java.security.cert.CertificateException;
 import org.junit.*;
 import org.mockito.*;
 import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.cm.PlaceArtifactInKeystore;
+import org.onap.aaf.cadi.configure.PlaceArtifactInKeystore;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.env.Trans;
@@ -102,8 +102,9 @@ public class JU_PlaceArtifactInKeystore {
                certs.add(x509String);
                certs.add(x509Chain);
                assertThat(placer.place(transMock, certInfoMock, artiMock, "machine"), is(true));
-               for (String ext : new String[] {"chal", "keyfile", "jks", "props", "trust.jks"}) {
-                       assertThat(new File(dirName + '/' + nsName + '.' + ext).exists(), is(true));
+               for (String ext : new String[] {"chal", "keyfile", "jks", "trust.jks", "cred.props"}) {
+                       File f = new File(dirName + '/' + nsName + '.' + ext);
+                       assertThat(f.exists(), is(true));
                }
 
                // coverage
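Review bot: The loop's assertion gives no hint which of the five files is missing when it fails. Since `f` is now a local, pass its path as the reason: `assertThat(f.getPath() + " should exist", f.exists(), is(true));`. The enclosing test method starts and ends outside the hunk.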
index 6e390be..3d8f41c 100644 (file)
@@ -32,8 +32,7 @@ import java.util.List;
 
 import org.junit.*;
 import org.mockito.*;
-
-import org.onap.aaf.cadi.cm.PlaceArtifactOnStream;
+import org.onap.aaf.cadi.configure.PlaceArtifactOnStream;
 import org.onap.aaf.misc.env.LogTarget;
 import org.onap.aaf.misc.env.Trans;
 
index 0ed29e1..682606c 100644 (file)
@@ -30,7 +30,7 @@ import java.io.File;
 import org.junit.*;
 import org.mockito.*;
 import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.cm.PlaceArtifactScripts;
+import org.onap.aaf.cadi.configure.PlaceArtifactScripts;
 import org.onap.aaf.misc.env.Trans;
 
 import certman.v1_0.Artifacts.Artifact;
diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_JMeter.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_JMeter.java
deleted file mode 100644 (file)
index a4fb20f..0000000
+++ /dev/null
@@ -1,179 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.lur.aaf.test;
-
-import org.junit.*;
-
-import java.io.BufferedReader;
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileReader;
-import java.io.PrintStream;
-import java.io.PrintWriter;
-import java.io.StringWriter;
-import java.lang.reflect.Field;
-import java.net.HttpURLConnection;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Properties;
-
-import org.onap.aaf.cadi.Permission;
-import org.onap.aaf.cadi.PropAccess;
-import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
-import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
-import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
-import org.onap.aaf.cadi.aaf.v2_0.AAFTaf;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.cadi.config.SecurityInfoC;
-import org.onap.aaf.cadi.locator.DNSLocator;
-import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
-
-import junit.framework.Assert;
-
-public class JU_JMeter {
-       private static AAFConHttp aaf;
-       private static AAFAuthn<HttpURLConnection> aafAuthn;
-       private static AAFLurPerm aafLur;
-       private static ArrayList<Principal> perfIDs;
-       
-       private static AAFTaf<HttpURLConnection> aafTaf;
-       private static PropAccess access;
-
-       private static ByteArrayOutputStream outStream;
-       private static ByteArrayOutputStream errStream;
-
-       @BeforeClass
-       public static void before() throws Exception {
-               outStream = new ByteArrayOutputStream();
-               errStream = new ByteArrayOutputStream();
-
-               System.setOut(new PrintStream(outStream));
-               System.setErr(new PrintStream(errStream));
-               
-               if(aafLur==null) {
-                       Properties props = System.getProperties();
-                       props.setProperty("AFT_LATITUDE", "32.780140");
-                       props.setProperty("AFT_LONGITUDE", "-96.800451");
-                       props.setProperty("DME2_EP_REGISTRY_CLASS","DME2FS");
-                       props.setProperty("AFT_DME2_EP_REGISTRY_FS_DIR","/Volumes/Data/src/authz/dme2reg");
-                       props.setProperty("AFT_ENVIRONMENT", "AFTUAT");
-                       props.setProperty("SCLD_PLATFORM", "NON-PROD");
-                       props.setProperty(Config.AAF_URL,"https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=2.0/envContext=DEV/routeOffer=BAU_SE");
-                       props.setProperty(Config.AAF_CALL_TIMEOUT, "2000");
-                       int timeToLive = 3000;
-                       props.setProperty(Config.AAF_CLEAN_INTERVAL, Integer.toString(timeToLive));
-                       props.setProperty(Config.AAF_HIGH_COUNT, "4");
-
-                       String aafPerfIDs = props.getProperty("AAF_PERF_IDS");
-                       perfIDs = new ArrayList<Principal>();
-                       File perfFile = null;
-                       if(aafPerfIDs!=null) {
-                               perfFile = new File(aafPerfIDs);
-                       }
-
-                       access = new PropAccess();
-                       aaf = new AAFConHttp(access, new DNSLocator(access,"https","localhost","8100"));
-                       aafTaf = new AAFTaf<HttpURLConnection>(aaf,false);
-                       aafLur = aaf.newLur(aafTaf);
-                       aafAuthn = aaf.newAuthn(aafTaf);
-                       aaf.basicAuth("testid@aaf.att.com", "whatever");
-
-                       if(perfFile==null||!perfFile.exists()) {
-                               perfIDs.add(new CachedBasicPrincipal(aafTaf, 
-                                               "Basic dGVzdGlkOndoYXRldmVy", 
-                                               "aaf.att.com",timeToLive));
-                               perfIDs.add(new Princ("ab1234@aaf.att.com")); // Example of Local ID, which isn't looked up
-                       } else {
-                               BufferedReader ir = new BufferedReader(new FileReader(perfFile));
-                               try {
-                                       String line;
-                                       while((line = ir.readLine())!=null) {
-                                               if((line=line.trim()).length()>0)
-                                                       perfIDs.add(new Princ(line));
-                                       }
-                               } finally {
-                                       ir.close();
-                               }
-                       }
-                       Assert.assertNotNull(aafLur);
-               }
-       }
-
-       @Before
-       public void setup() {
-               outStream = new ByteArrayOutputStream();
-               errStream = new ByteArrayOutputStream();
-
-               System.setOut(new PrintStream(outStream));
-               System.setErr(new PrintStream(errStream));
-       }
-
-       @After
-       public void tearDown() {
-               System.setOut(System.out);
-               System.setErr(System.err);
-       }
-
-       private static class Princ implements Principal {
-               private String name;
-               public Princ(String name) {
-                       this.name = name;
-               }
-               public String getName() {
-                       return name;
-               }
-               
-       };
-       
-       @AfterClass
-       public static void tearDownAfterClass() throws Exception {
-               Field field = SecurityInfoC.class.getDeclaredField("sicMap");
-               field.setAccessible(true);
-               field.set(null, new HashMap<Class<?>,SecurityInfoC<?>>());
-       }
-       
-       private static int index = -1;
-       
-       private synchronized Principal getIndex() {
-               if(perfIDs.size()<=++index)index=0;
-               return perfIDs.get(index);
-       }
-       @Test
-       public void test() {
-               try {
-                               aafAuthn.validate("testid@aaf.att.com", "whatever");
-                               List<Permission> perms = new ArrayList<Permission>();
-                               aafLur.fishAll(getIndex(), perms);
-//                             Assert.assertFalse(perms.isEmpty());
-//                             for(Permission p : perms) {
-//                                     //access.log(Access.Level.AUDIT, p.permType());
-//                             }
-               } catch (Exception e) {
-                       StringWriter sw = new StringWriter();
-                       e.printStackTrace(new PrintWriter(sw));
-                       Assert.fail(sw.toString());
-               }
-       }
-
-}
diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_MultiThreadPermHit.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_MultiThreadPermHit.java
deleted file mode 100644 (file)
index 46c1064..0000000
+++ /dev/null
@@ -1,148 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.lur.aaf.test;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.onap.aaf.cadi.Permission;
-import org.onap.aaf.cadi.PropAccess;
-import org.onap.aaf.cadi.aaf.AAFPermission;
-import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
-import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
-import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.cadi.locator.PropertyLocator;
-import org.onap.aaf.stillNeed.TestPrincipal;
-
-public class JU_MultiThreadPermHit {
-       public static void main(String args[]) {
-               // Link or reuse to your Logging mechanism
-               PropAccess myAccess = new PropAccess(); // 
-               
-               // 
-               try {
-                       AAFConHttp con = new AAFConHttp(myAccess,new PropertyLocator("https://mithrilcsp.sbc.com:8100"));
-                       
-                       // AAFLur has pool of DME clients as needed, and Caches Client lookups
-                       final AAFLurPerm aafLur = con.newLur();
-                       aafLur.setDebug("m12345@aaf.att.com");
-
-                       // Note: If you need both Authn and Authz construct the following:
-                       AAFAuthn<?> aafAuthn = con.newAuthn(aafLur);
-                       
-                       // Do not set Mech ID until after you construct AAFAuthn,
-                       // because we initiate  "401" info to determine the Realm of 
-                       // of the service we're after.
-                       final String id = myAccess.getProperty(Config.AAF_APPID,null);
-                       final String pass = myAccess.decrypt(myAccess.getProperty(Config.AAF_APPPASS,null),false);
-                       if(id!=null && pass!=null) {
-                               try {
-                                       
-                                       // Normally, you obtain Principal from Authentication System.
-       //                              // For J2EE, you can ask the HttpServletRequest for getUserPrincipal()
-       //                              // If you use CADI as Authenticator, it will get you these Principals from
-       //                              // CSP or BasicAuth mechanisms.
-       //                              String id = "cluster_admin@gridcore.att.com";
-       //
-       //                              // If Validate succeeds, you will get a Null, otherwise, you will a String for the reason.
-                                       String ok;
-                                       ok = aafAuthn.validate(id, pass);
-                                       if(ok!=null) {
-                                               System.out.println(ok);
-                                       }
-
-                                       List<Permission> pond = new ArrayList<Permission>();
-                                       for(int i=0;i<20;++i) {
-                                               pond.clear();
-                                               Principal p = new TestPrincipal(i+id);
-                                               aafLur.fishAll(p, pond);
-                                               if(ok!=null && i%1000==0) {
-                                                       System.out.println(i + " " + ok);
-                                               }
-                                       }
-
-                                       for(int i=0;i<1000000;++i) {
-                                               ok = aafAuthn.validate( i+ id, "wrongPass");
-                                               if(ok!=null && i%1000==0) {
-                                                       System.out.println(i + " " + ok);
-                                               }
-                                       }
-       
-                                       final AAFPermission perm = new AAFPermission("org.osaaf.aaf.access","*","*");
-                                       
-                                       // Now you can ask the LUR (Local Representative of the User Repository about Authorization
-                                       // With CADI, in J2EE, you can call isUserInRole("org.osaaf.mygroup|mytype|write") on the Request Object 
-                                       // instead of creating your own LUR
-                                       for(int i=0;i<4;++i) {
-                                               Principal p = new TestPrincipal(i+id);
-
-                                               if(aafLur.fish(p, perm)) {
-                                                       System.out.println("Yes, " + id + " has permission for " + perm.getKey());
-                                               } else {
-                                                       System.out.println("No, " + id + " does not have permission for " + perm.getKey());
-                                               }
-                                       }
-       
-       
-                                       // Or you can all for all the Permissions available
-                                       List<Permission> perms = new ArrayList<Permission>();
-       
-                                       Principal p = new TestPrincipal(id);
-                                       aafLur.fishAll(p,perms);
-                                       System.out.println("Perms for " + id);
-                                       for(Permission prm : perms) {
-                                               System.out.println(prm.getKey());
-                                       }
-                                       
-                                       System.out.println("Press any key to continue");
-                                       System.in.read();
-                                       
-                                       for(int j=0;j<5;++j) {
-                                               new Thread(new Runnable() {
-                                                       @Override
-                                                       public void run() {
-                                                               for(int i=0;i<20;++i) {
-                                                                       Principal p = new TestPrincipal(id);
-                                                                       if(aafLur.fish(p, perm)) {
-                                                                               System.out.println("Yes, " + id + " has permission for " + perm.getKey());
-                                                                       } else {
-                                                                               System.out.println("No, " + id + " does not have permission for " + perm.getKey());
-                                                                       }
-                                                               }
-                                                       }
-                                               }).start();
-                                       }
-       
-                                       
-                               } finally {
-                                       aafLur.destroy();
-                               }
-                       } else { // checked on IDs
-                               System.err.println(Config.AAF_APPID + " and/or " + Config.AAF_APPPASS + " are not set.");
-                       }
-               } catch (Exception e) {
-                       e.printStackTrace();
-               }
-       }
-}
diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test1/MultiThreadPermHit.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test1/MultiThreadPermHit.java
deleted file mode 100644 (file)
index 3a023d7..0000000
+++ /dev/null
@@ -1,149 +0,0 @@
-/**
- * ============LICENSE_START====================================================
- * org.onap.aaf
- * ===========================================================================
- * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
- * ===========================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *      http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END====================================================
- *
- */
-
-package org.onap.aaf.cadi.lur.aaf.test1;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.onap.aaf.cadi.Permission;
-import org.onap.aaf.cadi.PropAccess;
-import org.onap.aaf.cadi.aaf.AAFPermission;
-import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
-import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
-import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.cadi.locator.PropertyLocator;
-import org.onap.aaf.cadi.principal.UnAuthPrincipal;
-import org.onap.aaf.stillNeed.TestPrincipal;
-
-public class MultiThreadPermHit {
-       public static void main(String args[]) {
-               // Link or reuse to your Logging mechanism
-               PropAccess myAccess = new PropAccess(args); // 
-               
-               // 
-               try {
-                       AAFConHttp con = new AAFConHttp(myAccess,new PropertyLocator("https://mithrilcsp.sbc.com:8100"));
-                       
-                       // AAFLur has pool of DME clients as needed, and Caches Client lookups
-                       final AAFLurPerm aafLur = con.newLur();
-                       aafLur.setDebug("m12345@aaf.att.com");
-
-                       // Note: If you need both Authn and Authz construct the following:
-                       AAFAuthn<?> aafAuthn = con.newAuthn(aafLur);
-                       
-                       // Do not set Mech ID until after you construct AAFAuthn,
-                       // because we initiate  "401" info to determine the Realm of 
-                       // of the service we're after.
-                       final String id = myAccess.getProperty(Config.AAF_APPID,null);
-                       final String pass = myAccess.decrypt(myAccess.getProperty(Config.AAF_APPPASS,null),false);
-                       if(id!=null && pass!=null) {
-                               try {
-                                       
-                                       // Normally, you obtain Principal from Authentication System.
-       //                              // For J2EE, you can ask the HttpServletRequest for getUserPrincipal()
-       //                              // If you use CADI as Authenticator, it will get you these Principals from
-       //                              // CSP or BasicAuth mechanisms.
-       //                              String id = "cluster_admin@gridcore.att.com";
-       //
-       //                              // If Validate succeeds, you will get a Null, otherwise, you will a String for the reason.
-                                       String ok;
-                                       ok = aafAuthn.validate(id, pass,null /* use AuthzTrans or HttpServlet, if you have it */);
-                                       if(ok!=null) {
-                                               System.out.println(ok);
-                                       }
-
-                                       List<Permission> pond = new ArrayList<Permission>();
-                                       for(int i=0;i<20;++i) {
-                                               pond.clear();
-                                               aafLur.fishAll(new TestPrincipal(i+id), pond);
-                                               if(ok!=null && i%1000==0) {
-                                                       System.out.println(i + " " + ok);
-                                               }
-                                       }
-
-                                       for(int i=0;i<1000000;++i) {
-                                               ok = aafAuthn.validate( i+ id, "wrongPass",null /* use AuthzTrans or HttpServlet, if you have it */);
-                                               if(ok!=null && i%1000==0) {
-                                                       System.out.println(i + " " + ok);
-                                               }
-                                       }
-       
-                                       final AAFPermission perm = new AAFPermission("org.osaaf.aaf.access","*","*");
-                                       
-                                       // Now you can ask the LUR (Local Representative of the User Repository about Authorization
-                                       // With CADI, in J2EE, you can call isUserInRole("org.osaaf.mygroup|mytype|write") on the Request Object 
-                                       // instead of creating your own LUR
-                                       //
-                                       // If possible, use the Principal provided by the Authentication Call.  If that is not possible
-                                       // because of separation Classes by tooling, or other such reason, you can use "UnAuthPrincipal"
-                                       final Principal p = new UnAuthPrincipal(id);
-                                       for(int i=0;i<4;++i) {
-                                               if(aafLur.fish(p, perm)) {
-                                                       System.out.println("Yes, " + id + " has permission for " + perm.getKey());
-                                               } else {
-                                                       System.out.println("No, " + id + " does not have permission for " + perm.getKey());
-                                               }
-                                       }
-       
-       
-                                       // Or you can all for all the Permissions available
-                                       List<Permission> perms = new ArrayList<Permission>();
-       
-                                       
-                                       aafLur.fishAll(p,perms);
-                                       System.out.println("Perms for " + id);
-                                       for(Permission prm : perms) {
-                                               System.out.println(prm.getKey());
-                                       }
-                                       
-                                       System.out.println("Press any key to continue");
-                                       System.in.read();
-                                       
-                                       for(int j=0;j<5;++j) {
-                                               new Thread(new Runnable() {
-                                                       @Override
-                                                       public void run() {
-                                                               for(int i=0;i<20;++i) {
-                                                                       if(aafLur.fish(p, perm)) {
-                                                                               System.out.println("Yes, " + id + " has permission for " + perm.getKey());
-                                                                       } else {
-                                                                               System.out.println("No, " + id + " does not have permission for " + perm.getKey());
-                                                                       }
-                                                               }
-                                                       }
-                                               }).start();
-                                       }
-       
-                                       
-                               } finally {
-                                       aafLur.destroy();
-                               }
-                       } else { // checked on IDs
-                               System.err.println(Config.AAF_APPID + " and/or " + Config.AAF_APPPASS + " are not set.");
-                       }
-               } catch (Exception e) {
-                       e.printStackTrace();
-               }
-       }
-}
index a30f274..555eda4 100644 (file)
@@ -79,7 +79,7 @@ public class JU_OAuthTest {
        public static void tearDownAfterClass() throws Exception {
                Field field = SecurityInfoC.class.getDeclaredField("sicMap");
                field.setAccessible(true);
-               field.set(null, new HashMap<Class<?>,SecurityInfoC<?>>());
+               field.set(null, new HashMap<>());
        }
 
        @Before
diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_TokenClientFactoryTest.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_TokenClientFactoryTest.java
new file mode 100644 (file)
index 0000000..27a1a27
--- /dev/null
@@ -0,0 +1,75 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.cadi.oauth.test;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.security.GeneralSecurityException;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLocator;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.locator.PropertyLocator;
+import org.onap.aaf.cadi.oauth.TokenClientFactory;
+import org.onap.aaf.misc.env.APIException;
+
+import junit.framework.Assert;
+
+public class JU_TokenClientFactoryTest  {
+
+       /**
+        * Acceptable Locator Patterns for choosing AAFLocator over others
+        */
+       @Test
+       public void testLocatorString() {
+               /*
+               PropAccess access = new PropAccess();
+               access.setProperty(Config.AAF_LOCATE_URL, "https://xytz.sbbc.dd:8095/locate");
+               access.setProperty(Config.CADI_LATITUDE, "39.000");
+               access.setProperty(Config.CADI_LONGITUDE, "-72.000");
+               TokenClientFactory tcf;
+               try {
+                       System.out.println("one");
+                       tcf = TokenClientFactory.instance(access);
+                       System.out.println("two");
+                       Assert.assertEquals(true, tcf.bestLocator("https://xytz.sbbc.dd/locate/hello") instanceof AAFLocator);
+                       System.out.println("three");
+                       Assert.assertEquals(true, tcf.bestLocator("https://xytz.sbbc.dd:8234/locate/hello") instanceof AAFLocator);
+                       System.out.println("four");
+                       Assert.assertEquals(true, tcf.bestLocator("https://AAF_LOCATE_URL/hello") instanceof AAFLocator);
+                       System.out.println("five");
+                       Assert.assertEquals(true, tcf.bestLocator("https://AAF_LOCATE_URL/AAF_FS.hello/2.0") instanceof AAFLocator);
+                       System.out.println("six");
+                       Assert.assertEquals(true, tcf.bestLocator("https://xytz.sbbc.dd:8234/locate") instanceof PropertyLocator);
+                       System.out.println("seven");
+                       Assert.assertEquals(true, tcf.bestLocator("https://xytz.sbbc.dd:8234/Something") instanceof PropertyLocator);
+               } catch (APIException | GeneralSecurityException | IOException | CadiException | LocatorException | URISyntaxException e) {
+                       e.printStackTrace();
+                       Assert.fail();
+               }
+               */
+       }
+
+}
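Review bot: The whole body of `testLocatorString` sits inside a block comment, so the test passes without ever calling `TokenClientFactory.bestLocator`. That reports the locator-selection logic as tested when it is not. If the test cannot run in this environment, mark it `@Ignore("needs reachable AAF locate service")` (wording is a suggestion) so the skip shows up in the report, and drop the imports that only the commented code uses. When the body is restored, `org.junit.Assert` matches the `org.junit.Test` annotation better than `junit.framework.Assert`, and declaring the exceptions on the method would replace the `e.printStackTrace(); Assert.fail();` catch.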
index 7febf51..bd2393e 100644 (file)
@@ -85,7 +85,12 @@ public class JU_TzHClient {
 
        @Test
        public void test() throws CadiException, LocatorException, APIException, IOException {
-               TzHClient client = new TzHClient(access, "tag");
+               TzHClient client;
+               try {
+                       client = new TzHClient(access, "tag");
+               } catch (Exception e) {
+                       throw e;
+               }
                try {
                        client.best(retryableMock);
                        fail("Should've thrown an exception");
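Review bot: The new `try { client = new TzHClient(access, "tag"); } catch (Exception e) { throw e; }` catches the exception only to rethrow it unchanged, so it handles nothing and only obscures the declaration. The original single line `TzHClient client = new TzHClient(access, "tag");` behaves the same and is easier to read. If the intent was to tolerate a constructor failure in some environments, that needs an explicit assertion or assumption instead. The test method continues past the end of this hunk.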
index 34997fe..7a64f71 100644 (file)
@@ -74,10 +74,9 @@ public class JU_AAFSSO {
                assertThat(new File(aafDir + "/.aaf/keyfile").exists(), is(true));
                assertThat(new File(aafDir + "/.aaf/sso.out").exists(), is(true));
                assertThat(sso.loginOnly(), is(true));
-               
-               assertThat(new File(aafDir + "/.aaf/sso.props").exists(), is(false));
-               sso.writeFiles();
-               assertThat(new File(aafDir + "/.aaf/sso.props").exists(), is(true));
+
+// Not necessarily true
+//             assertThat(new File(aafDir + "/.aaf/sso.props").exists(), is(true));
                
                sso.setLogDefault();
                sso.setStdErrDefault();
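Review bot: The `.aaf/sso.props` checks are replaced by a commented-out assertion marked only `// Not necessarily true`, and `sso.writeFiles()` is no longer called. As far as this hunk shows, nothing in the test now covers writing the props file. The next hunk flips the `.aaf/keyfile` expectation from `is(true)` to `is(false)` with no explanation; that file presumably holds key material, so the condition under which it is absent deserves a one-line comment such as `// keyfile is only created when <condition>`. Delete the commented assertion rather than keeping it, or replace it with an assertion on the state that is guaranteed.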
@@ -92,7 +91,7 @@ public class JU_AAFSSO {
 
                assertThat(new File(aafDir).exists(), is(true));
                assertThat(new File(aafDir + "/.aaf").exists(), is(true));
-               assertThat(new File(aafDir + "/.aaf/keyfile").exists(), is(true));
+               assertThat(new File(aafDir + "/.aaf/keyfile").exists(), is(false));
                assertThat(new File(aafDir + "/.aaf/sso.out").exists(), is(true));
                assertThat(sso.loginOnly(), is(false));
 
@@ -106,7 +105,6 @@ public class JU_AAFSSO {
                assertThat(sso.useX509(), is(false));
 
                sso.close();
-               sso.close();
        }
 
        private void recursiveDelete(File file) {
index ff17077..45a7d34 100644 (file)
@@ -105,7 +105,7 @@ public class Sample {
        }
        
        public List<Permission> allAuthorization(Principal fqi) {
-               List<Permission> pond = new ArrayList<Permission>();
+               List<Permission> pond = new ArrayList<>();
                aafLur.fishAll(fqi, pond);
                return pond;
        }
index b9ba4a1..f10434a 100644 (file)
@@ -22,7 +22,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>cadiparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>..</relativePath>
        </parent>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-misc-rosetta</artifactId>
-                       <version>${project.version}</version>
-
                </dependency>
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
 
                <dependency>
                        <plugin>
                                <groupId>org.sonatype.plugins</groupId>
                                <artifactId>nexus-staging-maven-plugin</artifactId>
-                               <version>1.6.7</version>
                                <extensions>true</extensions>
                                <configuration>
                                        <nexusUrl>${nexusproxy}</nexusUrl>
                        <plugin>
                                <groupId>org.jacoco</groupId>
                                <artifactId>jacoco-maven-plugin</artifactId>
-                               <version>${jacoco.version}</version>
                                <configuration>
                                        <excludes>
                                                <exclude>**/gen/**</exclude>
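Review bot: With their `<version>` elements removed, `nexus-staging-maven-plugin` and `jacoco-maven-plugin` stay pinned only if the `cadiparent` POM declares them under `pluginManagement`, which is not visible on this page. Without that, Maven resolves an unversioned plugin to a default or latest release and only warns, so the build stops being reproducible and can pick up a plugin release nobody reviewed. The two dependencies (`aaf-misc-rosetta`, `aaf-cadi-core`) likewise need `dependencyManagement` entries in the parent to resolve at all. Worth confirming the parent carries all four entries before merging.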
index c93d233..a98feb2 100644 (file)
@@ -57,7 +57,7 @@ public abstract class Rcli<CT> {
        protected int readTimeout = 5000;
        protected int connectionTimeout = 3000;
        protected URI uri;
-       private String queryParams, fragment;
+       private String oneCallQueryParams;
        public static Pool<byte[]> buffPool = new Pool<byte[]>(new Pool.Creator<byte[]>() {
                @Override
                public byte[] create() throws APIException {
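Review bot: The new field `private String oneCallQueryParams;` is still per-instance mutable state, the same pattern as the `queryParams`/`fragment` pair this commit removes. `ParsePath` is not visible in these hunks. If it reads and clears this field, two threads sharing one `Rcli` could still have one request sent with the other's query string. Either pass the one-off query parameters as an argument to the request method, or document the constraint on the field, e.g. `// consumed by the next request only; Rcli instances must not be shared across threads while set`.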
@@ -132,15 +132,15 @@ public abstract class Rcli<CT> {
        protected abstract EClient<CT> client() throws CadiException;
 
 
-       public<T> Future<T> create(String pathinfo, String contentType, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+       public<T> Future<T> create(final String pathinfo, final String contentType, final RosettaDF<T> df, final T t) throws APIException, CadiException {
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(POST);
                client.addHeader(CONTENT_TYPE,contentType);
-               client.setPathInfo(pathinfo);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
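Review bot: The four lines `new ParsePath(pathinfo)`, `setPathInfo(pp.path())`, `setQueryParams(pp.query())`, `setFragment(pp.frag())` are pasted into this `create` and into every other `create`, `read`, `readPost`, `postForm` and `update` overload in the following hunks. A private helper would keep the path/query/fragment split in one place, which matters because any later validation of `pathinfo` must then be applied in only one spot. `ParsePath` is not shown here, so add a `throws` clause to the helper if its constructor declares checked exceptions. The `final` modifiers added to `pathinfo` and `contentType` appear only on this first overload; apply them to all overloads or none.

```java
// … unchanged: client(), setMethod(POST), addHeader(CONTENT_TYPE, …) …
applyPath(client, pathinfo);
// … unchanged: setPayload, send, futureCreate …

/** Splits pathinfo once and applies path, query and fragment to the client. */
private void applyPath(EClient<CT> client, String pathinfo) {
    final ParsePath pp = new ParsePath(pathinfo);
    client.setPathInfo(pp.path());
    client.setQueryParams(pp.query());
    client.setFragment(pp.frag());
}
```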
@@ -148,19 +148,18 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.futureCreate(df.getTypeClass());
        }
 
        public<T> Future<T> create(String pathinfo, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(POST);
                client.addHeader(CONTENT_TYPE,typeString(df.getTypeClass()));
-               client.setPathInfo(pathinfo);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -168,19 +167,18 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.futureCreate(df.getTypeClass());
        }
 
        public<T> Future<T> create(String pathinfo, Class<?> cls, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(POST);
                client.addHeader(CONTENT_TYPE,typeString(cls));
-               client.setPathInfo(pathinfo);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -188,37 +186,34 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.futureCreate(df.getTypeClass());
        }
 
        public<T> Future<T> create(String pathinfo, Class<T> cls) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(POST);
                client.addHeader(CONTENT_TYPE,typeString(cls));
-               client.setPathInfo(pathinfo);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(null);
                client.send();
-               queryParams = fragment = null;
                return client.futureCreate(cls);
        }
 
        public Future<Void> create(String pathinfo, String contentType) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(POST);
                client.addHeader(CONTENT_TYPE,contentType);
-               client.setPathInfo(pathinfo);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(null);
                client.send();
-               queryParams = fragment = null;
                return client.futureCreate(Void.class);
        }
 
@@ -237,7 +232,7 @@ public abstract class Rcli<CT> {
         * @throws CadiException
         */
        public <T> Future<T> postForm(String pathinfo, final RosettaDF<T> df, final String ... formParam) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(POST);
@@ -252,9 +247,9 @@ public abstract class Rcli<CT> {
                        default:
                                break;
                }
-               client.setPathInfo(pathinfo);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(new Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -280,7 +275,6 @@ public abstract class Rcli<CT> {
                                }
                        }});
                client.send();
-               queryParams = fragment = null;
                return client.futureRead(df,TYPE.JSON);
        }
 
@@ -296,14 +290,14 @@ public abstract class Rcli<CT> {
         * @throws CadiException
         */
        public<T> Future<String> readPost(String pathinfo, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(POST);
                client.addHeader(CONTENT_TYPE,typeString(df.getTypeClass()));
-               client.setPathInfo(pathinfo);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -311,7 +305,6 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.futureReadString();
        }
 
@@ -327,14 +320,14 @@ public abstract class Rcli<CT> {
         * @throws CadiException
         */
        public<T,R> Future<R> readPost(String pathinfo, final RosettaDF<T> df, final T t, final RosettaDF<R> resp) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
-
+               final ParsePath pp = new ParsePath(pathinfo);
+               
                EClient<CT> client = client();
                client.setMethod(POST);
                client.addHeader(CONTENT_TYPE,typeString(df.getTypeClass()));
-               client.setPathInfo(pathinfo);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -342,30 +335,28 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.futureRead(resp,resp.getOutType());
        }
 
        public Future<String> readPost(String pathinfo, String contentType, String ... headers) throws CadiException, APIException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(POST);
                client.addHeader(CONTENT_TYPE,contentType);
-               client.setPathInfo(pathinfo);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
                        }});
                client.send();
-               queryParams = fragment = null;
                return client.futureReadString();
        }
 
        public Future<String> read(String pathinfo, String accept, String ... headers) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
        
                EClient<CT> client = client();
                client.setMethod(GET);
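Review bot: `readPost(String pathinfo, String contentType, String ... headers)` accepts `headers` but never applies them: the method body visible in this hunk sets only `CONTENT_TYPE` before `client.send()`. A caller that passes extra headers, for example to carry credentials or a correlation id, would have them silently dropped. The `read(...)` overloads apply theirs with `for(int i=1;i<headers.length;i=i+2) { client.addHeader(headers[i-1],headers[i]); }`; the same loop belongs here after the `CONTENT_TYPE` header. In both places an odd-length `headers` array loses its last element without any error, so a length check that throws `CadiException` would make misuse visible.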
@@ -374,19 +365,16 @@ public abstract class Rcli<CT> {
                for(int i=1;i<headers.length;i=i+2) {
                        client.addHeader(headers[i-1],headers[i]);
                }
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-       
-               client.setPathInfo(pathinfo);
-               
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(null);
                client.send();
-               queryParams = fragment = null;
                return client.futureReadString();
        }
 
        public<T> Future<T> read(String pathinfo, String accept, RosettaDF<T> df, String ... headers) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(GET);
@@ -394,18 +382,16 @@ public abstract class Rcli<CT> {
                for(int i=1;i<headers.length;i=i+2) {
                        client.addHeader(headers[i-1],headers[i]);
                }
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
-               
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                client.setPayload(null);
                client.send();
-               queryParams = fragment = null;
                return client.futureRead(df,type);
        }
 
        public<T> Future<T> read(String pathinfo, RosettaDF<T> df,String ... headers) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(GET);
@@ -413,41 +399,39 @@ public abstract class Rcli<CT> {
                for(int i=1;i<headers.length;i=i+2) {
                        client.addHeader(headers[i-1],headers[i]);
                }
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());
                
                client.setPayload(null);
                client.send();
-               queryParams = fragment = null;
                return client.futureRead(df,type);
        }
 
        public<T> Future<T> read(String pathinfo, Class<?> cls, RosettaDF<T> df) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(GET);
                client.addHeader(ACCEPT, typeString(cls));
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
-               
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());          
+
                client.setPayload(null);
                client.send();
-               queryParams = fragment = null;
                return client.futureRead(df,type);
        }
 
        public<T> Future<T> update(String pathinfo, String contentType, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(PUT);
                client.addHeader(CONTENT_TYPE,contentType);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());          
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -455,19 +439,19 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.future(t);
        }
        
        public<T> Future<String> updateRespondString(String pathinfo, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
-
+               final ParsePath pp = new ParsePath(pathinfo);
+               
                EClient<CT> client = client();
                client.setMethod(PUT);
                client.addHeader(CONTENT_TYPE, typeString(df.getTypeClass()));
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());          
+
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -475,20 +459,20 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.futureReadString();
        }
 
 
        public<T> Future<T> update(String pathinfo, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(PUT);
                client.addHeader(CONTENT_TYPE, typeString(df.getTypeClass()));
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());  
+               
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -496,19 +480,19 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.future(t);
        }
        
        public<T> Future<T> update(String pathinfo, Class<?> cls, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
-
+               final ParsePath pp = new ParsePath(pathinfo);
+               
                EClient<CT> client = client();
                client.setMethod(PUT);
                client.addHeader(CONTENT_TYPE, typeString(cls));
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());  
+
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -516,7 +500,6 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.future(t);
        }
 
@@ -530,33 +513,34 @@ public abstract class Rcli<CT> {
         * @throws CadiException
         */
        public<T> Future<Void> update(String pathinfo) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(PUT);
                client.addHeader(CONTENT_TYPE, typeString(Void.class));
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());  
+
 //             client.setPayload(new EClient.Transfer() {
 //                     @Override
 //                     public void transfer(OutputStream os) throws IOException, APIException {
 //                     }
 //             });
                client.send();
-               queryParams = fragment = null;
                return client.future(null);
        }
 
        public<T> Future<T> delete(String pathinfo, String contentType, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(DELETE);
                client.addHeader(CONTENT_TYPE, contentType);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());  
+
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -564,19 +548,18 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.future(t);
        }
 
        public<T> Future<T> delete(String pathinfo, Class<?> cls, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(DELETE);
                client.addHeader(CONTENT_TYPE, typeString(cls));
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());  
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -584,19 +567,18 @@ public abstract class Rcli<CT> {
                        }
                });
                client.send();
-               queryParams = fragment = null;
                return client.future(t);
        }
 
        public<T> Future<T> delete(String pathinfo, final RosettaDF<T> df, final T t) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(DELETE);
                client.addHeader(CONTENT_TYPE, typeString(df.getTypeClass()));
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());  
                client.setPayload(new EClient.Transfer() {
                        @Override
                        public void transfer(OutputStream os) throws IOException, APIException {
@@ -605,38 +587,37 @@ public abstract class Rcli<CT> {
                });
 
                client.send();
-               queryParams = fragment = null;
                return client.future(t);
        }
 
 
        public<T> Future<T> delete(String pathinfo, Class<T> cls) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(DELETE);
                client.addHeader(CONTENT_TYPE, typeString(cls));
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());  
+
                client.setPayload(null);
                client.send();
-               queryParams = fragment = null;
                return client.future((T)null);
        }
 
        public Future<Void> delete(String pathinfo, String contentType) throws APIException, CadiException {
-               final String qp = setupParams(pathinfo);
+               final ParsePath pp = new ParsePath(pathinfo);
 
                EClient<CT> client = client();
                client.setMethod(DELETE);
                client.addHeader(CONTENT_TYPE, contentType);
-               client.setQueryParams(qp);
-               client.setFragment(fragment);
-               client.setPathInfo(pathinfo);
+               client.setPathInfo(pp.path());
+               client.setQueryParams(pp.query());
+               client.setFragment(pp.frag());  
+
                client.setPayload(null);
                client.send();
-               queryParams = fragment = null;
                return client.future(null);
        }
 
@@ -680,47 +661,75 @@ public abstract class Rcli<CT> {
                return client.future(resp, expected);
        }
 
-       private String setupParams(String pathinfo) {
-               final String qp;
-               if(pathinfo==null) {
-                       qp=queryParams;
-               } else {
-                       final int idx = pathinfo.indexOf('?');
-                       if(idx>=0) {
-                               qp=pathinfo.substring(idx+1);
-                               pathinfo=pathinfo.substring(0,idx);
+       private class ParsePath {
+               private final String path;
+               private final int query;
+               private final int queryEnd;
+               private final int pound;
+               private final String queryParams;
+
+               public ParsePath(final String origPath) {
+                       path = origPath;
+                       if(origPath==null) {
+                               query=queryEnd=pound=-1;
+                               queryParams=null;
                        } else {
-                               qp=queryParams;
+                               query = origPath.indexOf('?');
+                               pound = origPath.indexOf('#');
+                               queryEnd = pound>=0?pound:path.length();
+                               if(oneCallQueryParams==null) {
+                                       if(query>=0) {
+                                               queryParams = path.substring(query+1,queryEnd); 
+                                       } else {
+                                               queryParams=null;
+                                       }
+                               } else {
+                                       if(query>=0) {
+                                               queryParams = oneCallQueryParams + '&' + path.substring(query+1,queryEnd); 
+                                       } else {
+                                               queryParams = oneCallQueryParams;
+                                       }
+                                       oneCallQueryParams = null;
+                               }
+                       }
+               }
+               
+               public String path() {
+                       if(query>=0) {
+                               if(pound>=0) {
+                                       return path.substring(pound+1);
+                               }
+                               return path.substring(0,query);
+                       } else if(pound>=0) {
+                               return path.substring(0,pound);
+                       } else {
+                               return path;
+                       }
+               }
+               
+               public String query() {
+                       return queryParams;
+               }
+               
+               public String frag() {
+                       if(pound>=0) {
+                               return path.substring(pound+1);
+                       } else {
+                               return null;
                        }
                }
-               return qp;
        }
 
        public String toString() {
                return uri.toString();
        }
 
-       /**
-        * @param queryParams the queryParams to set
-        * @return 
-        */
-       public Rcli<CT> setQueryParams(String queryParams) {
-               this.queryParams = queryParams;
-               return this;
-       }
-       
-
-       /**
-        * @param fragment the fragment to set
-        * @return 
-        */
-       public Rcli<CT> setFragment(String fragment) {
-               this.fragment = fragment;
-               return this;
-       }
-
        public URI getURI() {
                return uri;
        }
 
+       public void setQueryParams(final String queryParams) {
+               oneCallQueryParams=queryParams;
+       }
+
 }
\ No newline at end of file
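Review bot: `ParsePath.path()` returns the fragment instead of the path when the input contains both `?` and `#`: its inner branch `return path.substring(pound+1);` is the same expression `frag()` uses, so a constructed input such as `/a?b=1#c` would be sent with path `c`. That branch should cut at the earlier delimiter, e.g. `return path.substring(0, Math.min(query, pound));`. The constructor also assumes `?` comes before `#`; when `#` comes first, `path.substring(query+1,queryEnd)` has start greater than end and throws StringIndexOutOfBoundsException, so a `?` found after `#` should be treated as part of the fragment (`query` reset to -1). Separately, when `origPath` is null the pending `oneCallQueryParams` is neither applied nor cleared and would be prepended to the next request made on this Rcli, whereas the removed `setupParams` returned the stored parameters for a null path.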
index 456184c..a3dac7d 100644 (file)
@@ -93,7 +93,7 @@ public class HClient implements EClient<HttpURLConnection> {
        @Override
        public void addHeader(String tag, String value) {
                if (headers == null)
-                       headers = new ArrayList<Header>();
+                       headers = new ArrayList<>();
                headers.add(new Header(tag, value));
        }
 
@@ -122,11 +122,16 @@ public class HClient implements EClient<HttpURLConnection> {
                                }
                                pi.append(pathinfo);
                        }
-                       pathinfo=null;
-                       query=null;
-                       fragment=null;
-                       //huc = (HttpURLConnection) url.openConnection();
-                       huc = getConnection(uri, pi);
+                       URI sendURI = new URI(
+                                       uri.getScheme(),
+                                       uri.getUserInfo(),
+                                       uri.getHost(),
+                                       uri.getPort(),
+                                       pi==null?uri.getPath():pi.toString(),
+                                       query==null?uri.getQuery():query,
+                                       fragment==null?uri.getFragment():fragment
+                                       );
+                       huc = getConnection(sendURI, pi);
                        huc.setRequestMethod(meth);
                        if(ss!=null) {
                                ss.setSecurity(huc); 
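Review bot: The seven-argument `java.net.URI` constructor used for `sendURI` always quotes `%`, so a `query` or `fragment` that a caller has already percent-encoded would be encoded a second time (`%20` becomes `%2520`). Whether callers pass encoded values is not visible here; if they can, decode before this call or state the contract next to the constructor, e.g. `// query and fragment must be unencoded: URI(...) escapes '%' again`. The hunk also removes the reset of `pathinfo`, `query` and `fragment`, so a reused client would presumably carry the previous request's values forward unless every caller sets all three. The enclosing method starts and ends outside the hunk.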
index 9d555f6..c9ff59d 100644 (file)
@@ -69,10 +69,10 @@ public class HX509SS implements SecuritySetter<HttpURLConnection> {
        public HX509SS(final String sendAlias, SecurityInfoC<HttpURLConnection> si, boolean asDefault) throws APIException, CadiException {
                securityInfo = si;
                if((alias=sendAlias) == null) {
-                       if(si.default_alias == null) {
+                       if(si.defaultAlias == null) {
                                throw new APIException("JKS Alias is required to use X509SS Security.  Use " + Config.CADI_ALIAS +" to set default alias");
                        } else {
-                               alias = si.default_alias;
+                               alias = si.defaultAlias;
                        }
                }
                
index 4591122..b75e8bc 100644 (file)
@@ -65,7 +65,7 @@ public class PropertyLocator implements Locator<URI> {
                        throw new LocatorException("No Location List given for PropertyLocator");
                }
                String[] locarray = Split.split(',',locList);
-               List<URI> uriList = new ArrayList<URI>();
+               List<URI> uriList = new ArrayList<>();
                
                random = new SecureRandom();
                
@@ -177,7 +177,7 @@ public class PropertyLocator implements Locator<URI> {
        public synchronized boolean refresh() {
                if(System.currentTimeMillis()>lastRefreshed) {
                        // Build up list
-                       List<URI> resolve = new ArrayList<URI>();
+                       List<URI> resolve = new ArrayList<>();
                        String realname;
                        for(int i = 0; i < orig.length ; ++i) {
                                try {
diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/locator/SingleEndpointLocator.java b/cadi/client/src/main/java/org/onap/aaf/cadi/locator/SingleEndpointLocator.java
new file mode 100644 (file)
index 0000000..b0c830f
--- /dev/null
@@ -0,0 +1,82 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.locator;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.onap.aaf.cadi.Locator;
+import org.onap.aaf.cadi.LocatorException;
+
+public class SingleEndpointLocator implements Locator<URI> {
+       private final URI uri;
+       private final static Item item = new Item() {};  
+       
+       public SingleEndpointLocator(final URI uri) {
+               this.uri = uri;
+       }
+       
+       public SingleEndpointLocator(final String endpoint) throws URISyntaxException {
+               this.uri = new URI(endpoint);
+       }
+
+       @Override
+       public URI get(Item item) throws LocatorException {
+               return uri;
+       }
+
+       @Override
+       public boolean hasItems() {
+               return true;
+       }
+
+       @Override
+       public void invalidate(Item item) throws LocatorException {
+               // Endpoints cannot be invalidated
+       }
+
+       @Override
+       public Item best() throws LocatorException {
+               return item;
+       }
+
+       @Override
+       public Item first() throws LocatorException {
+               return item;
+       }
+
+       @Override
+       public Item next(Item inItem) throws LocatorException {
+               // only one item
+               return null;
+       }
+
+       @Override
+       public boolean refresh() {
+               // Never refreshed
+               return true;
+       }
+
+       @Override
+       public void destroy() {
+               // Nothing to do here
+       }
+}
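Review bot: Neither constructor checks its argument, so a null `URI` yields a locator whose `hasItems()` returns true while `get()` returns null, and the String form accepts a scheme-less value, which `new URI(...)` parses as a relative path with no host. Rejecting these at construction keeps a misconfigured endpoint from surfacing later as a failed or misdirected connection, e.g. `if (uri == null || !uri.isAbsolute()) throw new IllegalArgumentException("absolute endpoint URI required");` (if relative endpoints are intended, keep only the null check). The `item` parameter of `get` and `invalidate` shadows the static `item` field; naming the field as a constant (`private static final Item ITEM`) removes the ambiguity. The class has no Javadoc; one sentence saying it always serves the single configured URI and ignores the `Item` argument would be enough.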
index f957878..886c5d8 100644 (file)
 
 package org.onap.aaf.cadi.client.test;
 
-import static org.junit.Assert.*;
-import static org.mockito.Mockito.*;
-import static org.hamcrest.CoreMatchers.*;
-import org.junit.*;
-import org.mockito.*;
-
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.SecuritySetter;
-import org.onap.aaf.cadi.client.EClient;
-import org.onap.aaf.cadi.client.Future;
-import org.onap.aaf.cadi.client.Rcli;
-import org.onap.aaf.misc.env.APIException;
-import org.onap.aaf.misc.env.Data;
-import org.onap.aaf.misc.env.Data.TYPE;
-import org.onap.aaf.misc.rosetta.env.RosettaDF;
-import org.onap.aaf.misc.rosetta.env.RosettaData;
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertThat;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.when;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -50,6 +38,21 @@ import javax.servlet.ServletInputStream;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.SecuritySetter;
+import org.onap.aaf.cadi.client.EClient;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.Data;
+import org.onap.aaf.misc.env.Data.TYPE;
+import org.onap.aaf.misc.rosetta.env.RosettaDF;
+import org.onap.aaf.misc.rosetta.env.RosettaData;
+
 public class JU_Rcli {
 
        @Mock RosettaDF<HttpURLConnection> dfMock;
@@ -61,8 +64,6 @@ public class JU_Rcli {
        
        private final static String uriString = "example.com";
        private final static String apiVersion = "v1.0";
-       private final static String fragment = "framgent";
-       private final static String queryParams = "queryParams";
        private final static String contentType = "contentType";
        
        private static URI uri;
@@ -224,9 +225,6 @@ public class JU_Rcli {
                rcli.apiVersion(null);
                assertThat(rcli.typeString(HttpURLConnection.class), is("application/HttpURLConnection+xml"));
                
-               rcli.setFragment(fragment);
-               rcli.setQueryParams(queryParams);
-
                rcliClone = rcli.forUser(null);
                assertThat(rcliClone.toString(), is(uriString));
        }
index b7558c0..d14e747 100644 (file)
@@ -96,6 +96,7 @@ public class JU_PropertyLocator {
                pl.destroy();
 
                pl = new PropertyLocator(uris);
+               
        }
 
        @Test(expected=LocatorException.class)
index 5951311..f7ad1a7 100644 (file)
@@ -16,7 +16,7 @@
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>cadiparent</artifactId>
                <relativePath>..</relativePath>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
        </parent>
 
        <modelVersion>4.0.0</modelVersion>
index c65a9b2..1d01a3e 100644 (file)
@@ -55,7 +55,7 @@ public abstract class AbsUserCache<PERM extends Permission> {
        private static Timer timer;
        // Map of userName to User
        private final Map<String, User<PERM>> userMap;
-       private static final Map<String, Miss> missMap = new TreeMap<String,Miss>();
+       private static final Map<String, Miss> missMap = new TreeMap<>();
        private final Symm missEncrypt;
        
        private Clean clean;
@@ -73,7 +73,7 @@ public abstract class AbsUserCache<PERM extends Permission> {
                }
                missEncrypt = s;
                
-               userMap = new ConcurrentHashMap<String, User<PERM>>();
+               userMap = new ConcurrentHashMap<>();
 
                
                if(cleanInterval>0) {
@@ -236,7 +236,7 @@ public abstract class AbsUserCache<PERM extends Permission> {
        }
        
        public final List<DumpInfo> dumpInfo() {
-               List<DumpInfo> rv = new ArrayList<DumpInfo>();
+               List<DumpInfo> rv = new ArrayList<>();
                for(User<PERM> user : userMap.values()) {
                        rv.add(new DumpInfo(user));
                }
@@ -265,7 +265,7 @@ public abstract class AbsUserCache<PERM extends Permission> {
        
 
        // Simple map of Group name to a set of User Names
-       //      private Map<String, Set<String>> groupMap = new HashMap<String, Set<String>>();
+       //      private Map<String, Set<String>> groupMap = new HashMap<>();
 
        /**
         * Class to hold a small subset of the data, because we don't want to expose actual Permission or User Objects
@@ -276,7 +276,7 @@ public abstract class AbsUserCache<PERM extends Permission> {
                
                public DumpInfo(User<PERM> user) {
                        this.user = user.principal.getName();
-                       perms = new ArrayList<String>(user.perms.keySet());
+                       perms = new ArrayList<>(user.perms.keySet());
                }
        }
        
@@ -315,7 +315,7 @@ public abstract class AbsUserCache<PERM extends Permission> {
                        int total = 0;
                        try {
                                // look at now.  If we need to expire more by increasing "now" by "advance"
-                               ArrayList<User<PERM>> al = new ArrayList<User<PERM>>(userMap.values().size());
+                               ArrayList<User<PERM>> al = new ArrayList<>(userMap.values().size());
                                al.addAll(0, userMap.values());
                                long now = System.currentTimeMillis() + advance;
                                for(User<PERM> user : al) {
@@ -367,7 +367,7 @@ public abstract class AbsUserCache<PERM extends Permission> {
                                int missTotal = missMap.keySet().size();
                                int miss = 0;
                                if(missTotal>0) {
-                                       ArrayList<String> keys = new ArrayList<String>(missTotal);
+                                       ArrayList<String> keys = new ArrayList<>(missTotal);
                                        keys.addAll(missMap.keySet());
                                        for(String key : keys) {
                                                Miss m = missMap.get(key);
index 49572f4..a2dfba3 100644 (file)
@@ -140,7 +140,7 @@ public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRe
         *  To utilize, the Request must be a "CadiWrap" object, then call.
         */
        public List<Permission> getPermissions(Principal p) {
-               List<Permission> perms = new ArrayList<Permission>();
+               List<Permission> perms = new ArrayList<>();
                lur.fishAll(p, perms);
                return perms;
        }
index 0038385..935e4f1 100644 (file)
@@ -36,7 +36,7 @@ import java.util.ArrayList;
  */
 public class Capacitor {
        private static final int DEFAULT_CHUNK = 256;
-       private ArrayList<ByteBuffer> bbs = new ArrayList<ByteBuffer>();
+       private ArrayList<ByteBuffer> bbs = new ArrayList<>();
        private ByteBuffer curr = null;
        private int idx;
        
  * ============LICENSE_END====================================================
  *
  */
-package org.onap.aaf.cadi.shiro;
-
-import org.apache.shiro.authz.Permission;
-
-public class AAFShiroPermission implements Permission {
-       private org.onap.aaf.cadi.Permission perm;
-       public AAFShiroPermission(org.onap.aaf.cadi.Permission perm) {
-               this.perm = perm;
-       }
-       @Override
-       public boolean implies(Permission sp) {
-               if(sp instanceof AAFShiroPermission) {
-                       if(perm.match(((AAFShiroPermission)sp).perm)){
-                               return true;
-                       }
-               }
-               return false;
-       }
-       
-       @Override
-       public String toString() {
-               return perm.toString();
-       }
+package org.onap.aaf.cadi;
 
+public interface CredValDomain extends CredVal {
+       public String domain();
 }
index c827477..5e00156 100644 (file)
@@ -184,7 +184,7 @@ public class PropAccess implements Access {
                                                String chainProp = props.getProperty(Config.CADI_PROP_FILES);
                                                if(chainProp!=null) {
                                                        if(recursionProtection==null) {
-                                                               recursionProtection = new ArrayList<String>();
+                                                               recursionProtection = new ArrayList<>();
                                                                recursionProtection.add(cadi_prop_files);
                                                        }
                                                        if(!recursionProtection.contains(chainProp)) {
index 82645c3..4067f16 100644 (file)
@@ -117,7 +117,8 @@ public class Symm {
        private static char passChars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+!@#$%^&*(){}[]?:;,.".toCharArray();
                        
 
-
+       private static Symm internalOnly = null;
+       
        /**
         * Use this to create special case Case Sets and/or Line breaks
         * 
@@ -137,7 +138,7 @@ public class Symm {
                // There can be time efficiencies gained when the underlying keyset consists mainly of ordered 
                // data (i.e. abcde...).  Therefore, we'll quickly analyze the keyset.  If it proves to have
                // too much entropy, the "Unordered" algorithm, which is faster in such cases is used.
-               ArrayList<int[]> la = new ArrayList<int[]>();
+               ArrayList<int[]> la = new ArrayList<>();
                for(int i=0;i<codeset.length;++i) {
                        curr = codeset[i];
                        if(prev+1==curr) { // is next character in set
@@ -449,9 +450,11 @@ public class Symm {
                   this.range = range;
           }
           public int convert(int read) throws IOException {
+                  // System.out.print((char)read);
                   switch(read) {
                           case -1: 
                           case '=':
+                          case ' ':
                           case '\n':
                           case '\r':
                                   return -1;
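Review bot: The commented-out `// System.out.print((char)read);` at the top of `convert` should be deleted rather than committed. This method sees every character of the encoded input, which in this class can be key or credential material, and a leftover debug print is one uncomment away from writing it to stdout. The new `case ' ':` maps a space to the same -1 as `=` and end of input; if the caller treats -1 as "stop" rather than "skip" (not visible in this hunk), a space inside the input would silently truncate decoding, so the intent deserves a comment such as `// a space ends the data, like padding or a line break`. `convert` continues past the end of the hunk.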
@@ -537,10 +540,10 @@ public class Symm {
  * @throws CadiException 
     */
    public static Symm obtain(Access access) throws CadiException {
-               Symm symm = Symm.baseCrypt();
-
                String keyfile = access.getProperty(Config.CADI_KEYFILE,null);
                if(keyfile!=null) {
+                       Symm symm = Symm.baseCrypt();
+
                        File file = new File(keyfile);
                        try {
                                access.log(Level.INIT, Config.CADI_KEYFILE,"points to",file.getCanonicalPath());
@@ -570,8 +573,14 @@ public class Symm {
                                }
                                throw new CadiException("ERROR: " + filename + " does not exist!");
                        }
+                       return symm;
+               } else {
+                       try {
+                               return internalOnly();
+                       } catch (IOException e) {
+                               throw new CadiException(e);
+                       }
                }
-               return symm;
    }
   /**
    *  Create a new random key 
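Review bot: When `Config.CADI_KEYFILE` is unset, `obtain(Access)` now returns the per-JVM `internalOnly()` key from the new `else` branch without any trace, where it previously returned `Symm.baseCrypt()`. Anything enciphered with that key cannot be read after a restart or by another process, and a forgotten keyfile property becomes indistinguishable from an intended in-memory setup. A log line in the `else` branch would make the fallback visible, e.g. `access.log(Level.INIT, Config.CADI_KEYFILE, "is not set; using an in-memory key valid only for this JVM");`. The method begins in the preceding hunk.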
@@ -855,4 +864,22 @@ public class Symm {
 
          return newSymm;
   }
+  
+  /** 
+   * This Symm is generated for internal JVM use.  It has no external keyfile, but can be used
+   * for securing Memory, as it remains the same ONLY of the current JVM
+   * @return
+ * @throws IOException 
+   */
+  public static synchronized Symm internalOnly() throws IOException {
+         if(internalOnly==null) {
+                 ByteArrayInputStream baos = new ByteArrayInputStream(keygen());
+                 try {
+                         internalOnly = Symm.obtain(baos);
+                 } finally {
+                         baos.close();
+                 }
+         }
+         return internalOnly;
+  }
 }
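Review bot: The Javadoc on internalOnly() leaves `@return` and `@throws IOException` empty, and "remains the same ONLY of the current JVM" is hard to parse. I would write `@return the lazily created Symm shared by all callers in this JVM` and `@throws IOException if the generated key cannot be read`, and say plainly that the key is not persisted. The local is a ByteArrayInputStream but is named `baos`; try-with-resources removes the finally block as well: `try (ByteArrayInputStream keyStream = new ByteArrayInputStream(keygen())) { internalOnly = Symm.obtain(keyStream); }`. The `internalOnly` field and keygen() are declared outside the hunk.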
index 5e9f8a5..34aaf17 100644 (file)
@@ -36,7 +36,7 @@ import org.onap.aaf.cadi.lur.LocalPermission;
  *
  */
 public final class User<PERM extends Permission> {
-       private static final Map<String,Permission> NULL_MAP = new HashMap<String,Permission>();
+       private static final Map<String,Permission> NULL_MAP = new HashMap<>();
        public String name;
        private byte[] cred;
        public Principal principal;
@@ -121,7 +121,7 @@ public final class User<PERM extends Permission> {
        }
        
        public Map<String,Permission> newMap() {
-               return new ConcurrentHashMap<String,Permission>();
+               return new ConcurrentHashMap<>();
        }
 
        public void add(LocalPermission permission) {
index d7c7526..b4e31f2 100644 (file)
@@ -42,7 +42,9 @@ import org.onap.aaf.cadi.CachingLur;
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.Connector;
 import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.CredValDomain;
 import org.onap.aaf.cadi.Locator;
+import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.Lur;
 import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.Symm;
@@ -110,13 +112,6 @@ public class Config {
        public static final String CADI_OAUTH2_URL="cadi_oauth2_url";
        public static final String CADI_TOKEN_DIR = "cadi_token_dir";
 
-       public static final String CSP_DOMAIN = "csp_domain";
-       public static final String CSP_HOSTNAME = "csp_hostname";
-       public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost";
-       public static final String CSP_USER_HEADER = "CSP_USER";
-       public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf";
-    public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file";
-    
     public static final String HTTPS_PROTOCOLS = "https.protocols";
     public static final String HTTPS_CIPHER_SUITES = "https.cipherSuites";
     public static final String HTTPS_CLIENT_PROTOCOLS="jdk.tls.client.protocols";
@@ -143,6 +138,7 @@ public class Config {
        public static final String AAF_ENV = "aaf_env";
        public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration
        public static final String AAF_ROOT_NS = "aaf_root_ns";
+       public static final String AAF_ROOT_NS_DEF = "org.osaaf.aaf";
        public static final String AAF_ROOT_COMPANY = "aaf_root_company";
        public static final String AAF_LOCATE_URL = "aaf_locate_url"; //URL for AAF locator
        private static final String AAF_LOCATE_URL_TAG = "AAF_LOCATE_URL"; // Name of Above for use in Config Variables.
@@ -224,7 +220,7 @@ public class Config {
                }
        }
 
-       public static HttpTaf configHttpTaf(Connector con, SecurityInfoC<HttpURLConnection> si, TrustChecker tc, CredVal up, Lur lur, Object ... additionalTafLurs) throws CadiException {
+       public static HttpTaf configHttpTaf(Connector con, SecurityInfoC<HttpURLConnection> si, TrustChecker tc, CredVal up, Lur lur, Object ... additionalTafLurs) throws CadiException, LocatorException {
                Access access = si.access;
                /////////////////////////////////////////////////////
                // Setup AAFCon for any following
@@ -263,7 +259,7 @@ public class Config {
                
                access.log(Level.INIT, "Hostname set to",hostname);
                // Get appropriate TAFs
-               ArrayList<HttpTaf> htlist = new ArrayList<HttpTaf>();
+               ArrayList<HttpTaf> htlist = new ArrayList<>();
 
                /////////////////////////////////////////////////////
                // Add a Denial of Service TAF
@@ -275,7 +271,7 @@ public class Config {
                /////////////////////////////////////////////////////
                // Configure Client Cert TAF
                /////////////////////////////////////////////////////
-               
+               X509Taf x509TAF = null;
                String truststore = logProp(access, CADI_TRUSTSTORE,null);
                if(truststore!=null) {
                        String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD,null);
@@ -288,7 +284,7 @@ public class Config {
                                        }
                                }
                                try {
-                                       htlist.add(new X509Taf(access,lur));
+                                       htlist.add(x509TAF=new X509Taf(access,lur));
                                        access.log(Level.INIT,"Certificate Authorization enabled");
                                } catch (SecurityException e) {
                                        access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
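Review bot: The assignment hidden inside the call argument, `htlist.add(x509TAF=new X509Taf(access,lur));`, is easy to overlook when reading how `x509TAF` gets its value. Two statements read better: `x509TAF = new X509Taf(access,lur);` followed by `htlist.add(x509TAF);`. The enclosing try block and method extend beyond the hunk.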
@@ -337,7 +333,16 @@ public class Config {
                                                if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.",
                                                                " There will be no additional warning if Basic Auth is used on an insecure channel"
                                                                );
-                                               htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn));
+                                               BasicHttpTaf bht = new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn);
+                                               for(Object o : additionalTafLurs) {
+                                                       if(o instanceof CredValDomain) {
+                                                               bht.add((CredValDomain)o);
+                                                       }
+                                               }
+                                               if(x509TAF!=null) {
+                                                       x509TAF.add(bht);
+                                               }
+                                               htlist.add(bht);
                                                access.log(Level.INIT,"Basic Authorization is enabled");
                                        }
                                } else {
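Review bot: The new `for(Object o : additionalTafLurs)` loop dereferences the varargs array without a null check, while the later block in this method guards the same array with `if(additionalTafLurs!=null)`. A caller that passes an explicit null would therefore hit a NullPointerException as soon as Basic Auth is configured. Wrap the loop in the same guard: `if(additionalTafLurs!=null) { for(Object o : additionalTafLurs) { ... } }`. The enclosing method starts and ends outside the hunk.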
@@ -441,8 +446,18 @@ public class Config {
                /////////////////////////////////////////////////////
                if(additionalTafLurs!=null) {
                        for(Object additional : additionalTafLurs) {
-                               if(additional instanceof HttpTaf) {
-                                       htlist.add((HttpTaf)additional);
+                               if(additional instanceof BasicHttpTaf) {
+                                       BasicHttpTaf ht = (BasicHttpTaf)additional;
+                                       for(Object cv : additionalTafLurs) {
+                                               if(cv instanceof CredValDomain) {
+                                                       ht.add((CredValDomain)cv);
+                                                       access.printf(Level.INIT,"%s Authentication is enabled",cv);
+                                               }
+                                       }
+                                       htlist.add(ht);
+                               } else if(additional instanceof HttpTaf) {
+                                       HttpTaf ht = (HttpTaf)additional;
+                                       htlist.add(ht);
                                        access.printf(Level.INIT,"%s Authentication is enabled",additional.getClass().getSimpleName());
                                } else if(hasOAuthDirectTAF) {
                                        Class<?> daupCls;
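Review bot: In the new BasicHttpTaf branch the INIT line formats the object itself (`"%s Authentication is enabled",cv`), so the log text depends on whatever toString() the CredValDomain implementation has. The BasicHttpTaf that is actually added to `htlist` gets no line at all. The HttpTaf branch just below logs `additional.getClass().getSimpleName()`; for consistency I would use `cv.getClass().getSimpleName()` here and add one line for the BasicHttpTaf. The loop continues past the end of the hunk.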
@@ -459,6 +474,14 @@ public class Config {
                        }
                }
                
+               // Add BasicAuth, if any, to x509Taf
+               if(x509TAF!=null) {
+                       for( HttpTaf ht : htlist) {
+                               if(ht instanceof BasicHttpTaf) {
+                                       x509TAF.add((BasicHttpTaf)ht);
+                               }
+                       }
+               }
                /////////////////////////////////////////////////////
                // Create EpiTaf from configured TAFs
                /////////////////////////////////////////////////////
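Review bot: This loop hands every BasicHttpTaf in `htlist` to `x509TAF.add(...)`, including the `bht` that the Basic Auth block earlier in this method already passed to `x509TAF.add(bht)`. That instance is registered twice unless X509Taf.add de-duplicates, which is not visible here. I would drop the earlier `if(x509TAF!=null) { x509TAF.add(bht); }` and keep this loop as the single registration point. The comment `// Add BasicAuth, if any, to x509Taf` restates the code; a sentence on why the certificate TAF needs the Basic TAFs would be more useful.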
@@ -492,7 +515,7 @@ public class Config {
        
        public static Lur configLur(SecurityInfoC<HttpURLConnection> si, Connector con, Object ... additionalTafLurs) throws CadiException {
                Access access = si.access;
-               List<Lur> lurs = new ArrayList<Lur>();
+               List<Lur> lurs = new ArrayList<>();
                
                /////////////////////////////////////////////////////
                // Configure a Local Property Based RBAC/LUR
@@ -532,7 +555,11 @@ public class Config {
                                        access.log(Level.INIT,"AAF/OAuth LUR plugin is not available.");
                                }
                        } catch (NoSuchMethodException| SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
-                               access.log(e,"AAF/OAuth LUR could not be constructed with given Constructors.");
+                               String msg = e.getMessage();
+                               if(msg==null && e.getCause()!=null) {
+                                       msg = e.getCause().getMessage();
+                               }
+                               access.log(Level.INIT,"AAF/OAuth LUR is not instantiated.",msg);
                        } 
                } else {
                        access.log(Level.INIT, "OAuth2 Lur disabled");
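Review bot: The rewritten handler keeps only a message string, so the exception type and stack trace that the old `access.log(e, ...)` recorded are lost. If neither the exception nor its cause has a message, the log shows a literal null. A failure to build an authorization component is worth being able to diagnose, so I would pass the exception along as the AAFLocator handler in this file does: `access.log(Level.INIT,"AAF/OAuth LUR is not instantiated.",msg,e);`. The try block starts outside the hunk.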
@@ -652,7 +679,7 @@ public class Config {
                                        aafConClass = loadClass(access, AAF_V2_0_AAF_CON_HTTP);
                                        if (aafConClass != null) {
                                                for (Constructor<?> c : aafConClass.getConstructors()) {
-                                                       List<Object> lo = new ArrayList<Object>();
+                                                       List<Object> lo = new ArrayList<>();
                                                        for (Class<?> pc : c.getParameterTypes()) {
                                                                if (pc.equals(Access.class)) {
                                                                        lo.add(access);
@@ -707,7 +734,7 @@ public class Config {
 
 
        @SuppressWarnings("unchecked")
-       public static Locator<URI> loadLocator(SecurityInfoC<HttpURLConnection> si, final String _url) {
+       public static Locator<URI> loadLocator(SecurityInfoC<HttpURLConnection> si, final String _url) throws LocatorException {
                Access access = si.access;
                Locator<URI> locator = null;
                if(_url==null) {
@@ -716,7 +743,12 @@ public class Config {
                        String url = _url, replacement;
                        int idxAAF_LOCATE_URL;
                        if((idxAAF_LOCATE_URL=_url.indexOf(AAF_LOCATE_URL_TAG))>0 && ((replacement=access.getProperty(AAF_LOCATE_URL, null))!=null)) {
-                               url = replacement + "/locate" + _url.substring(idxAAF_LOCATE_URL+AAF_LOCATE_URL_TAG.length());
+                               StringBuilder sb = new StringBuilder(replacement);
+                               if(!replacement.endsWith("/locate")) {
+                                       sb.append("/locate");
+                               } 
+                               sb.append(_url,idxAAF_LOCATE_URL+AAF_LOCATE_URL_TAG.length(),_url.length());
+                               url = sb.toString();
                        }
        
                        try {
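Review bot: The `replacement.endsWith("/locate")` test misses a configured value that ends in a slash. A constructed example is `https://host.example/locate/`, which would still get `/locate` appended and yield a doubled path segment. Trimming trailing slashes before the test covers it: `String base = replacement.replaceAll("/+$", "");`, then build from `base`. The method body continues on both sides of the hunk.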
@@ -743,6 +775,9 @@ public class Config {
                                        access.log(Level.INFO, "AAFLocator enabled using preloaded " + locator.getClass().getSimpleName());
                                }
                        } catch (InvocationTargetException e) {
+                               if(e.getTargetException() instanceof LocatorException) {
+                                       throw (LocatorException)e.getTargetException();
+                               }
                                access.log(Level.INIT,e.getTargetException().getMessage(),"AAFLocator for",url,"could not be created.",e);
                        } catch (Exception e) {
                                access.log(Level.INIT,"AAFLocator for",url,"could not be created.",e);
index b34d096..f63de20 100644 (file)
@@ -61,23 +61,23 @@ public class SecurityInfo {
 
        public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2";
        public static final String REGEX_COMMA = "\\s*,\\s*";
-       public static final String SslKeyManagerFactoryAlgorithm;
+       public static final String SSL_KEY_MANAGER_FACTORY_ALGORITHM;
        
-       private SSLSocketFactory scf;
-       private X509KeyManager[] km;
-       private X509TrustManager[] tm;
-       public final String default_alias;
+       private SSLSocketFactory socketFactory;
+       private X509KeyManager[] x509KeyManager;
+       private X509TrustManager[] x509TrustManager;
+       public final String defaultAlias;
        private NetMask[] trustMasks;
-       private SSLContext ctx;
+       private SSLContext context;
        private HostnameVerifier maskHV;
        public final Access access;
 
        // Change Key Algorithms for IBM's VM.  Could put in others, if needed.
        static {
-               if(System.getProperty("java.vm.vendor").equalsIgnoreCase("IBM Corporation")) {
-                       SslKeyManagerFactoryAlgorithm = "IbmX509";
+               if ("IBM Corporation".equalsIgnoreCase(System.getProperty("java.vm.vendor"))) {
+                       SSL_KEY_MANAGER_FACTORY_ALGORITHM = "IbmX509";
                } else {
-                       SslKeyManagerFactoryAlgorithm = "SunX509";
+                       SSL_KEY_MANAGER_FACTORY_ALGORITHM = "SunX509";
                }
        }
        
@@ -91,23 +91,23 @@ public class SecurityInfo {
                        
                        initializeTrustManager();
                        
-                       default_alias = access.getProperty(Config.CADI_ALIAS, null);
+                       defaultAlias = access.getProperty(Config.CADI_ALIAS, null);
                        
                        initializeTrustMasks();
 
-                       String https_protocols = Config.logProp(access, Config.CADI_PROTOCOLS,
+                       String httpsProtocols = Config.logProp(access, Config.CADI_PROTOCOLS,
                                                access.getProperty(HTTPS_PROTOCOLS, HTTPS_PROTOCOLS_DEFAULT)
                                                );
-                       System.setProperty(HTTPS_PROTOCOLS, https_protocols);
-                       System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, https_protocols);
-                       if("1.7".equals(System.getProperty("java.specification.version")) && https_protocols.contains("TLSv1.2")) {
+                       System.setProperty(HTTPS_PROTOCOLS, httpsProtocols);
+                       System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, httpsProtocols);
+                       if ("1.7".equals(System.getProperty("java.specification.version")) && httpsProtocols.contains("TLSv1.2")) {
                                System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT);
                        }                       
 
-                       ctx = SSLContext.getInstance("TLS");
-                       ctx.init(km, tm, null);
-                       SSLContext.setDefault(ctx);
-                       scf = ctx.getSocketFactory();
+                       context = SSLContext.getInstance("TLS");
+                       context.init(x509KeyManager, x509TrustManager, null);
+                       SSLContext.setDefault(context);
+                       socketFactory = context.getSocketFactory();
                } catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) {
                        throw new CadiException(e);
                }
@@ -117,162 +117,168 @@ public class SecurityInfo {
         * @return the scf
         */
        public SSLSocketFactory getSSLSocketFactory() {
-               return scf;
+               return socketFactory;
        }
 
        public SSLContext getSSLContext() {
-               return ctx;
+               return context;
        }
 
        /**
         * @return the km
         */
        public X509KeyManager[] getKeyManagers() {
-               return km;
+               return x509KeyManager;
        }
 
        public void checkClientTrusted(X509Certificate[] certarr) throws CertificateException {
-               for(X509TrustManager xtm : tm) {
+               for (X509TrustManager xtm : x509TrustManager) {
                        xtm.checkClientTrusted(certarr, SECURITY_ALGO);
                }
        }
 
        public void checkServerTrusted(X509Certificate[] certarr) throws CertificateException {
-               for(X509TrustManager xtm : tm) {
+               for (X509TrustManager xtm : x509TrustManager) {
                        xtm.checkServerTrusted(certarr, SECURITY_ALGO);
                }
        }
 
        public void setSocketFactoryOn(HttpsURLConnection hsuc) {
-               hsuc.setSSLSocketFactory(scf);
-               if(maskHV != null && !maskHV.equals(hsuc.getHostnameVerifier())) {
+               hsuc.setSSLSocketFactory(socketFactory);
+               if (maskHV != null && !maskHV.equals(hsuc.getHostnameVerifier())) {
                        hsuc.setHostnameVerifier(maskHV);
                }
        }
        
        protected void initializeKeyManager() throws CadiException, IOException, NoSuchAlgorithmException, KeyStoreException, CertificateException, UnrecoverableKeyException {
                String keyStore = access.getProperty(Config.CADI_KEYSTORE, null);
-               if(keyStore != null && !new File(keyStore).exists()) {
+               if (keyStore != null && !new File(keyStore).exists()) {
                        throw new CadiException(keyStore + " does not exist");
                }
 
                String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD, null);
                keyStorePasswd = (keyStorePasswd == null) ? null : access.decrypt(keyStorePasswd, false);
+               if (keyStore == null || keyStorePasswd == null) { 
+                       x509KeyManager = new X509KeyManager[0];
+                       return;
+               }
 
                String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD, null);
                keyPasswd = (keyPasswd == null) ? keyStorePasswd : access.decrypt(keyPasswd, false);
 
-               KeyManagerFactory kmf = KeyManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);
-               if(keyStore == null || keyStorePasswd == null) { 
-                       km = new X509KeyManager[0];
-               } else {
-                       ArrayList<X509KeyManager> kmal = new ArrayList<X509KeyManager>();
-                       File file;
-                       for(String ksname : keyStore.split(REGEX_COMMA)) {
-                               file = new File(ksname);
-                               String keystoreFormat;
-                               if(ksname.endsWith(".p12") || ksname.endsWith(".pkcs12")) {
-                                       keystoreFormat = "PKCS12";
-                               } else {
-                                       keystoreFormat = "JKS";
-                               }
-                               if(file.exists()) {
-                                       FileInputStream fis = new FileInputStream(file);
-                                       try {
-                                               KeyStore ks = KeyStore.getInstance(keystoreFormat);
-                                               ks.load(fis, keyStorePasswd.toCharArray());
-                                               kmf.init(ks, keyPasswd.toCharArray());
-                                       } finally {
-                                               fis.close();
-                                       }
-                               }
+               KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SSL_KEY_MANAGER_FACTORY_ALGORITHM);
+
+               ArrayList<X509KeyManager> keyManagers = new ArrayList<>();
+               File file;
+               for (String ksname : keyStore.split(REGEX_COMMA)) {
+                       String keystoreFormat;
+                       if (ksname.endsWith(".p12") || ksname.endsWith(".pkcs12")) {
+                               keystoreFormat = "PKCS12";
+                       } else {
+                               keystoreFormat = "JKS";
                        }
-                       for(KeyManager km : kmf.getKeyManagers()) {
-                               if(km instanceof X509KeyManager) {
-                                       kmal.add((X509KeyManager)km);
+
+                       file = new File(ksname);
+                       if (file.exists()) {
+                               FileInputStream fis = new FileInputStream(file);
+                               try {
+                                       KeyStore ks = KeyStore.getInstance(keystoreFormat);
+                                       ks.load(fis, keyStorePasswd.toCharArray());
+                                       keyManagerFactory.init(ks, keyPasswd.toCharArray());
+                               } finally {
+                                       fis.close();
                                }
                        }
-                       km = new X509KeyManager[kmal.size()];
-                       kmal.toArray(km);
                }
+               for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
+                       if (keyManager instanceof X509KeyManager) {
+                               keyManagers.add((X509KeyManager)keyManager);
+                       }
+               }
+               x509KeyManager = new X509KeyManager[keyManagers.size()];
+               keyManagers.toArray(x509KeyManager);
        }
 
        protected void initializeTrustManager() throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException, CadiException {
                String trustStore = access.getProperty(Config.CADI_TRUSTSTORE, null);
-               if(trustStore != null && !new File(trustStore).exists()) {
+               if (trustStore != null && !new File(trustStore).exists()) {
                        throw new CadiException(trustStore + " does not exist");
                }
 
+               if (trustStore == null) {
+                       return;
+               }
+
                String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD, null);
                trustStorePasswd = (trustStorePasswd == null) ? "changeit"/*defacto Java Trust Pass*/ : access.decrypt(trustStorePasswd, false);
 
-               TrustManagerFactory tmf = TrustManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);
-               if(trustStore != null) {
-                       File file;
-                       for(String tsname : trustStore.split(REGEX_COMMA)) {
-                               file = new File(tsname);
-                               if(file.exists()) {
-                                       FileInputStream fis = new FileInputStream(file);
-                                       try {
-                                               KeyStore ts = KeyStore.getInstance("JKS");
-                                               ts.load(fis, trustStorePasswd.toCharArray());
-                                               tmf.init(ts); 
-                                       } finally {
-                                               fis.close();
-                                       }
+               TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SSL_KEY_MANAGER_FACTORY_ALGORITHM);
+               File file;
+               for (String trustStoreName : trustStore.split(REGEX_COMMA)) {
+                       file = new File(trustStoreName);
+                       if (file.exists()) {
+                               FileInputStream fis = new FileInputStream(file);
+                               try {
+                                       KeyStore ts = KeyStore.getInstance("JKS");
+                                       ts.load(fis, trustStorePasswd.toCharArray());
+                                       trustManagerFactory.init(ts); 
+                               } finally {
+                                       fis.close();
                                }
                        }
+               }
 
-                       TrustManager tms[] = tmf.getTrustManagers();
-                       if(tms != null && tms.length>0) {
-                               tm = new X509TrustManager[tms.length];
-                               for(int i = 0; i < tms.length; ++i) {
-                                       try {
-                                               tm[i] = (X509TrustManager)tms[i];
-                                       } catch (ClassCastException e) {
-                                               access.log(Level.WARN, "Non X509 TrustManager", tm[i].getClass().getName(), "skipped in SecurityInfo");
-                                       }
-                               }
-                       }
+               TrustManager trustManagers[] = trustManagerFactory.getTrustManagers();
+               if (trustManagers == null || trustManagers.length == 0) {
+                       return;
                }
 
+               x509TrustManager = new X509TrustManager[trustManagers.length];
+               for (int i = 0; i < trustManagers.length; ++i) {
+                       try {
+                               x509TrustManager[i] = (X509TrustManager)trustManagers[i];
+                       } catch (ClassCastException e) {
+                               access.log(Level.WARN, "Non X509 TrustManager", x509TrustManager[i].getClass().getName(), "skipped in SecurityInfo");
+                       }
+               }
        }
        
        protected void initializeTrustMasks() throws AccessException {
                String tips = access.getProperty(Config.CADI_TRUST_MASKS, null);
-               if(tips != null) {
-                       access.log(Level.INIT, "Explicitly accepting valid X509s from", tips);
-                       String[] ipsplit = tips.split(REGEX_COMMA);
-                       trustMasks = new NetMask[ipsplit.length];
-                       for(int i = 0; i < ipsplit.length; ++i) {
-                               try {
-                                       trustMasks[i] = new NetMask(ipsplit[i]);
-                               } catch (MaskFormatException e) {
-                                       throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS, e);
-                               }
+               if (tips == null) {
+                       return;
+               }
+
+               access.log(Level.INIT, "Explicitly accepting valid X509s from", tips);
+               String[] ipsplit = tips.split(REGEX_COMMA);
+               trustMasks = new NetMask[ipsplit.length];
+               for (int i = 0; i < ipsplit.length; ++i) {
+                       try {
+                               trustMasks[i] = new NetMask(ipsplit[i]);
+                       } catch (MaskFormatException e) {
+                               throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS, e);
                        }
                }
-               
-               if(trustMasks != null) {
-                       final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();
-                       HttpsURLConnection.setDefaultHostnameVerifier(maskHV = new HostnameVerifier() {
-                               @Override
-                               public boolean verify(final String urlHostName, final SSLSession session) {
-                                       try {
-                                               // This will pick up /etc/host entries as well as DNS
-                                               InetAddress ia = InetAddress.getByName(session.getPeerHost());
-                                               for(NetMask tmask : trustMasks) {
-                                                       if(tmask.isInNet(ia.getHostAddress())) {
-                                                               return true;
-                                                       }
+       
+               final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();
+               maskHV = new HostnameVerifier() {
+                       @Override
+                       public boolean verify(final String urlHostName, final SSLSession session) {
+                               try {
+                                       // This will pick up /etc/host entries as well as DNS
+                                       InetAddress ia = InetAddress.getByName(session.getPeerHost());
+                                       for (NetMask tmask : trustMasks) {
+                                               if (tmask.isInNet(ia.getHostAddress())) {
+                                                       return true;
                                                }
-                                       } catch (UnknownHostException e) {
-                                               // It's ok. do normal Verify
                                        }
-                                       return origHV.verify(urlHostName, session);
-                               };
-                       });
-               }
+                               } catch (UnknownHostException e) {
+                                       // It's ok. do normal Verify
+                               }
+                               return origHV.verify(urlHostName, session);
+                       };
+               };
+               HttpsURLConnection.setDefaultHostnameVerifier(maskHV);
        }
        
 }
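Review bot: In initializeTrustManager() the ClassCastException handler reads `x509TrustManager[i].getClass()`, but when the cast fails that slot was never assigned, so the handler itself throws a NullPointerException instead of logging. Even with the log switched to `trustManagers[i]`, the array keeps a null entry that checkClientTrusted() and checkServerTrusted() would later dereference. Filtering with `instanceof` into a list, as initializeKeyManager() does for key managers, avoids both problems. Separately, the `@return the scf` and `@return the km` Javadoc lines no longer match the renamed fields.

```java
		// … unchanged: trust store loading and the empty-array early return …
		ArrayList<X509TrustManager> x509s = new ArrayList<>();
		for (TrustManager trustManager : trustManagers) {
			if (trustManager instanceof X509TrustManager) {
				x509s.add((X509TrustManager)trustManager);
			} else {
				access.log(Level.WARN, "Non X509 TrustManager", trustManager.getClass().getName(), "skipped in SecurityInfo");
			}
		}
		x509TrustManager = x509s.toArray(new X509TrustManager[0]);
```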
index 33aef6c..a5fb4a0 100644 (file)
@@ -31,10 +31,10 @@ import org.onap.aaf.cadi.SecuritySetter;
 
 public class SecurityInfoC<CLIENT> extends SecurityInfo {
        public static final String DEF_ID = "ID not Set";
-       private static Map<Class<?>,SecurityInfoC<?>> sicMap = new HashMap<Class<?>,SecurityInfoC<?>>();
+       private static Map<Class<?>,SecurityInfoC<?>> sicMap = new HashMap<>();
        public SecuritySetter<CLIENT> defSS;
 
-       private SecurityInfoC(Access access) throws CadiException {
+       public SecurityInfoC(Access access) throws CadiException {
                super(access);
                defSS = new SecuritySetter<CLIENT>() {
                                @Override
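Review bot: Making the constructor `public` lets callers bypass the `instance(access, cls)` cache. Each `new SecurityInfoC(access)` runs the SecurityInfo constructor, which, as the SecurityInfo hunks show, calls `SSLContext.setDefault(context)` and sets the `https.protocols` system properties for the whole JVM. A second instance built from a different Access would silently replace the process-wide TLS defaults. If the wider visibility is needed, for example for tests, the constructor should carry Javadoc stating that side effect and pointing to `instance()` as the normal entry point; otherwise keep it private. The constructor body continues outside the hunk.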
@@ -54,14 +54,14 @@ public class SecurityInfoC<CLIENT> extends SecurityInfo {
                        };
        }
        
-       @SuppressWarnings("unchecked")
        public static synchronized <CLIENT> SecurityInfoC<CLIENT> instance(Access access, Class<CLIENT> cls) throws CadiException {
-               SecurityInfoC<?> sic = sicMap.get(cls);
+               @SuppressWarnings("unchecked")
+               SecurityInfoC<CLIENT> sic = (SecurityInfoC<CLIENT>) sicMap.get(cls);
                if(sic==null) {
                        sic = new SecurityInfoC<CLIENT>(access); 
                        sicMap.put(cls, sic);
                }
-               return (SecurityInfoC<CLIENT>)sic;
+               return sic;
        }
 
        public SecurityInfoC<CLIENT> set(SecuritySetter<CLIENT> defSS) {
index a3e267c..5aea719 100644 (file)
@@ -58,7 +58,7 @@ public class UsersDump {
                        StringBuilder sb = new StringBuilder();
                        
                        // Obtain all unique role names
-                       HashSet<String> groups = new HashSet<String>();
+                       HashSet<String> groups = new HashSet<>();
                        for(AbsUserCache<?>.DumpInfo di : lur.dumpInfo()) {
                                sb.append("\n  <user username=\"");
                                sb.append(di.user);
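Review bot: `di.user` is appended straight into the `username="..."` attribute, so an identity containing `"`, `<` or `&` would yield a malformed tomcat-users file or an attribute the author did not intend. Where `di.user` originates is not visible here, so this is worth confirming against whatever validation the cache applies on the way in. Escaping the value before the append would close the gap, for example by routing it through a small private helper that replaces `&`, `<` and `"` with their XML entities. The loop continues outside this hunk, so any other field written into an attribute further down presumably needs the same treatment.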
@@ -85,7 +85,7 @@ public class UsersDump {
 
                        ps.println("</tomcat-users>");
                        ps.flush();
-               } catch (Throwable t) {
+               } catch (Exception t) {
                        t.printStackTrace(ps);
                        return false;
                }
index 8577d55..237aa28 100644 (file)
@@ -38,6 +38,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.CadiWrap;
+import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.Lur;
 import org.onap.aaf.cadi.PropAccess;
 import org.onap.aaf.cadi.ServletContextAccess;
@@ -188,7 +189,7 @@ public class CadiFilter implements Filter {
                                }
                                try {
                                        httpChecker = new CadiHTTPManip(access,null /*reuseable Con*/,tc, additionalTafLurs);
-                               } catch (CadiException e1) {
+                               } catch (CadiException | LocatorException e1) {
                                        throw new ServletException(e1);
                                }
                        } else if(access==null) {
@@ -217,7 +218,7 @@ public class CadiFilter implements Filter {
                                                if(map.length>0) {
                                                        MapPermConverter mpc=null;
                                                        int idx;
-                                                       mapPairs = new ArrayList<Pair>();
+                                                       mapPairs = new ArrayList<>();
                                                        for(String entry : map) {
                                                                if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter
                                                                        access.log(Level.INIT,"Loading Perm Conversions for:",entry);
index 006d6b4..0cc5220 100644 (file)
@@ -32,6 +32,7 @@ import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.CadiWrap;
 import org.onap.aaf.cadi.Connector;
 import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.Lur;
 import org.onap.aaf.cadi.Taf;
 import org.onap.aaf.cadi.TrustChecker;
@@ -70,7 +71,7 @@ public class CadiHTTPManip {
        public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems
 
 
-       public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
+       public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException, LocatorException {
                synchronized(LOCK) {
                        this.access = access;
 //                     Get getter = new AccessGetter(access);
index 22ba702..a235f1d 100644 (file)
@@ -36,11 +36,12 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred {
 
        private String name = null;
        private String shortName = null;
+       private String domain;
        private byte[] cred = null;
-       
        private long created;
 
-       public BasicPrincipal(String content,String domain) throws IOException {
+
+       public BasicPrincipal(String content,String defaultDomain) throws IOException {
                created = System.currentTimeMillis();
                ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes());
                // Read past "Basic ", ensuring it starts with it.
@@ -61,13 +62,15 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred {
                        shortName=name.substring(0, at);
                } else {
                        shortName = name;
-                       name = name + '@' + domain;
+                       domain=defaultDomain;
+                       name = name + '@' + defaultDomain;
                }
        }
        
        public BasicPrincipal(BasicCred bc, String domain) {
                name = bc.getUser();
                cred = bc.getCred();
+               this.domain = domain;
        }
 
        private class BasicOS extends OutputStream {
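Review bot: The new `domain` field is assigned only in the `else` branch, so for a name that already carries `@` the visible lines leave it null. `getDomain()` would then return null for exactly the fully qualified identities a per-domain lookup needs. Adding `domain = name.substring(at+1);` next to `shortName=name.substring(0, at);` would make the accessor consistent; the branch condition sits above the hunk, so confirm that `at` is the index of `@` there. The `BasicPrincipal(BasicCred, String)` constructor has the opposite gap: it stores the passed-in `domain` without checking whether `bc.getUser()` names a different one, which should at least be documented on `getDomain()`.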
@@ -102,6 +105,10 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred {
                return shortName;
        }
        
+       public String getDomain() {
+               return domain;
+       }
+       
        public byte[] getCred() {
                return cred;
        }
index 16f6217..200b817 100644 (file)
@@ -26,31 +26,30 @@ import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.regex.Pattern;
 
-import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.GetCred;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
 
 public class X509Principal extends BearerPrincipal implements GetCred {
        private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*");
        private final X509Certificate cert;
        private final String name;
-       private TagLookup tagLookup;
-       private byte[] content;  
+       private byte[] content;
+       private BasicHttpTaf bht;  
 
        public X509Principal(String identity, X509Certificate cert) {
                name = identity;
                content = null;
                this.cert = cert;
-               tagLookup = null;
        }
 
-       public X509Principal(String identity, X509Certificate cert, byte[] content) {
+       public X509Principal(String identity, X509Certificate cert, byte[] content, BasicHttpTaf bht) {
                name = identity;
                this.content = content;
                this.cert = cert;
-               tagLookup = null;
+               this.bht = bht;
        }
 
-       public X509Principal(X509Certificate cert, byte[] content) throws IOException {
+       public X509Principal(X509Certificate cert, byte[] content, BasicHttpTaf bht) throws IOException {
                this.content=content;
                this.cert = cert;
                String _name = null;
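Review bot: Unlike `cert` and `name`, the new `bht` field is not `final`, and the two-argument constructor no longer assigns it at all. The class also now hands the authenticating `BasicHttpTaf` to any code holding the principal, through `getBasicHttpTaf()` added further down in this file. Declaring it `private final BasicHttpTaf bht;` with `bht = null;` in the first constructor would keep that reference fixed after construction, assuming no further constructor exists outside the visible hunks. A short comment on the field saying why a principal carries the Taf, and that it may be null, would help the next reader, since every test touched by this commit passes `null`.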
@@ -70,7 +69,7 @@ public class X509Principal extends BearerPrincipal implements GetCred {
                        throw new IOException("X509 does not have Identity as CN");
                }
                name = _name;
-               tagLookup = null;
+               this.bht = bht;
        }
        
        public String getAsHeader() throws IOException {
@@ -106,4 +105,8 @@ public class X509Principal extends BearerPrincipal implements GetCred {
                return "x509";
        }
 
+       public BasicHttpTaf getBasicHttpTaf() {
+               return bht;
+       }
+
 }
index 5cd6323..5b51c11 100644 (file)
@@ -93,7 +93,12 @@ public class HttpEpiTaf implements HttpTaf {
                TafResp tresp = null;
                TafResp firstTry = null;
                List<Redirectable> redirectables = null;
-               List<TafResp> log = (access.willLog(Level.DEBUG)) ? new ArrayList<TafResp>() : null;
+               List<TafResp> log;
+               if(access.willLog(Level.DEBUG)) {
+                       log = new ArrayList<>();
+               } else {
+                       log = null;
+               }
                try {
                        for (HttpTaf taf : tafs) {
                                tresp = taf.validate(reading, req, resp);
index 6d516f0..8fc985c 100644 (file)
@@ -23,18 +23,21 @@ package org.onap.aaf.cadi.taf.basic;
 
 import java.io.IOException;
 import java.security.Principal;
+import java.util.Map;
+import java.util.TreeMap;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.BasicCred;
 import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CredVal;
-import org.onap.aaf.cadi.Taf;
-import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.CachedPrincipal.Resp;
+import org.onap.aaf.cadi.CredVal;
 import org.onap.aaf.cadi.CredVal.Type;
+import org.onap.aaf.cadi.CredValDomain;
+import org.onap.aaf.cadi.Taf;
 import org.onap.aaf.cadi.principal.BasicPrincipal;
 import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
 import org.onap.aaf.cadi.taf.HttpTaf;
@@ -60,6 +63,7 @@ public class BasicHttpTaf implements HttpTaf {
        private Access access;
        private String realm;
        private CredVal rbac;
+       private Map<String,CredVal> rbacs = new TreeMap<>();
        private boolean warn;
        private long timeToLive;
        
@@ -71,6 +75,10 @@ public class BasicHttpTaf implements HttpTaf {
                this.timeToLive = timeToLive;
        }
 
+       public void add(final CredValDomain cvd) {
+               rbacs.put(cvd.domain(), cvd);
+       }
+       
        /**
         * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.  
         * @see Taf
@@ -84,10 +92,16 @@ public class BasicHttpTaf implements HttpTaf {
                                        return DenialOfServiceTaf.respDenyID(access,bc.getUser());
                                }
                                CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);
+                               
+                               // Be able to do Organizational specific lookups by Domain
+                               CredVal cv = rbacs.get(bp.getDomain());
+                               if(cv==null) {
+                                       cv = rbac;
+                               }
+                               
                                // ONLY FOR Last Ditch DEBUGGING... 
                                // access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));
-                               
-                               if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) {
+                               if(cv.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) {
                                        return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
                                } else {
                                        //TODO may need timed retries in a given time period
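Review bot: `rbacs.get(bp.getDomain())` is called on a `TreeMap` with natural ordering, which throws `NullPointerException` for a null key, so should `getDomain()` ever return null the whole `validate` call fails instead of falling back to `rbac`. The lookup-with-default is also written three times in this file (here, in the second `validate` branch, and in the new `getCredVal`). Calling `CredVal cv = getCredVal(bp.getDomain());` in both branches, and guarding the key there with `CredVal cv = key==null ? null : rbacs.get(key);`, would keep one copy. The two branches also derive the key differently, `bp.getDomain()` here and `ba.getName().substring(at+1)` in the next hunk, so a comment should state whether the map is keyed by realm or by user domain. `validate` starts and ends outside this hunk.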
@@ -107,10 +121,16 @@ public class BasicHttpTaf implements HttpTaf {
                                if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
                                        return DenialOfServiceTaf.respDenyID(access,ba.getName());
                                }
+                               
+                               final int at = ba.getName().indexOf('@');
+                               CredVal cv = rbacs.get(ba.getName().substring(at+1));
+                               if(cv==null) { 
+                                       cv = rbac; // default
+                               }
 
                                // ONLY FOR Last Ditch DEBUGGING... 
                                // access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));
-                               if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) {
+                               if(cv.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) {
                                        return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
                                } else {
                                        //TODO may need timed retries in a given time period
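Review bot: The commented-out `access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()))` line kept here, and its twin in the previous hunk, would write the user's password to the log in clear text if anyone re-enabled it. Since this commit already touches the surrounding lines, deleting both comments is the safer cleanup. If a debugging aid is still wanted, log only the identity, e.g. `access.log(Level.DEBUG, ba.getName(), "attempting password validation");`.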
@@ -146,7 +166,19 @@ public class BasicHttpTaf implements HttpTaf {
                }
                return sb.toString();
        }
+       
+       public void addCredVal(final String realm, final CredVal cv) {
+               rbacs.put(realm, cv);
+       }
 
+       public CredVal getCredVal(String key) {
+               CredVal cv = rbacs.get(key);
+               if(cv==null) {
+                       cv = rbac;
+               }
+               return cv;
+       }
+       
        @Override
        public Resp revalidate(CachedPrincipal prin, Object state) {
                if(prin instanceof BasicPrincipal) {
@@ -162,4 +194,5 @@ public class BasicHttpTaf implements HttpTaf {
        public String toString() {
                return "Basic Auth enabled on realm: " + realm;
        }
+
 }
index 4411a85..7b7f2db 100644 (file)
@@ -36,12 +36,13 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
 import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CredVal;
 import org.onap.aaf.cadi.Lur;
 import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
 import org.onap.aaf.cadi.Taf.LifeForm;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.config.SecurityInfo;
@@ -51,6 +52,7 @@ import org.onap.aaf.cadi.principal.X509Principal;
 import org.onap.aaf.cadi.taf.HttpTaf;
 import org.onap.aaf.cadi.taf.TafResp;
 import org.onap.aaf.cadi.taf.TafResp.RESP;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
 import org.onap.aaf.cadi.util.Split;
 
 public class X509Taf implements HttpTaf {
@@ -65,12 +67,13 @@ public class X509Taf implements HttpTaf {
        private ArrayList<String> cadiIssuers;
        private String env;
        private SecurityInfo si;
+       private BasicHttpTaf bht;
 
        static {
                try {
                        certFactory = CertificateFactory.getInstance("X.509");
                        messageDigest = MessageDigest.getInstance("SHA-256"); // use this to clone
-                       tmf = TrustManagerFactory.getInstance(SecurityInfoC.SslKeyManagerFactoryAlgorithm);
+                       tmf = TrustManagerFactory.getInstance(SecurityInfoC.SSL_KEY_MANAGER_FACTORY_ALGORITHM);
                } catch (Exception e) {
                        throw new RuntimeException("X.509 and SHA-256 are required for X509Taf",e);
                }
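Review bot: `TrustManagerFactory.getInstance(...)` is given a constant whose name says it is the KeyManagerFactory algorithm. Its value is not visible in this diff, but the two factories do not share a default algorithm name on every provider. If the platform default is intended, `tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());` states that directly; otherwise a separate trust-manager constant in `SecurityInfoC` would make the choice explicit. The `RuntimeException` message also mentions only X.509 and SHA-256, so a failure on this line would be reported misleadingly.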
@@ -83,7 +86,7 @@ public class X509Taf implements HttpTaf {
                        throw new CadiException("X509Taf requires Environment ("+Config.AAF_ENV+") to be set.");
                }
 //             this.lur = lur;
-               this.cadiIssuers = new ArrayList<String>();
+               this.cadiIssuers = new ArrayList<>();
                for(String ci : access.getProperty(Config.CADI_X509_ISSUERS, "").split(":")) {
                        access.printf(Level.INIT, "Trusting Identity for Certificates signed by \"%s\"",ci);
                        cadiIssuers.add(ci);
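Review bot: When `Config.CADI_X509_ISSUERS` is unset, `"".split(":")` returns a single empty string, so the loop logs a trusted issuer of `""` and adds that empty entry to `cadiIssuers`. How the list is matched against a certificate's issuer is outside this hunk, so the effect may be harmless, but an empty trusted-issuer entry is better never created. Wrapping the two statements in `if(!ci.isEmpty()) { ... }` avoids it. The loop body closes outside the hunk.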
@@ -150,7 +153,7 @@ public class X509Taf implements HttpTaf {
                                                        String[] sa = Split.splitTrim(':', subject, temp+3,end);
                                                        if(sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment 
                                                                return new X509HttpTafResp(access, 
-                                                                               new X509Principal(sa[0], certarr[0],(byte[])null), 
+                                                                               new X509Principal(sa[0], certarr[0],(byte[])null,bht), 
                                                                                "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED);
                                                        }
                                                }
@@ -259,4 +262,16 @@ public class X509Taf implements HttpTaf {
                return null;
        }
 
+       public void add(BasicHttpTaf bht) {
+               this.bht = bht;
+       }
+       
+       public CredVal getCredVal(final String key) {
+               if(bht==null) {
+                       return null;
+               } else {
+                       return bht.getCredVal(key);
+               }
+       }
+       
 }
index 44a3a4a..a0d56f6 100644 (file)
@@ -126,7 +126,7 @@ public class DenialOfServiceTaf implements HttpTaf {
        public static synchronized boolean denyIP(String ip) {
                boolean rv = false;
                if(deniedIP==null) {
-                       deniedIP = new HashMap<String,Counter>();
+                       deniedIP = new HashMap<>();
                        deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent
                        rv= true;
                } else if(deniedIP.get(ip)==null) {
@@ -170,7 +170,7 @@ public class DenialOfServiceTaf implements HttpTaf {
                                br = new BufferedReader(new FileReader(dosIP));
                                try {
                                        if(deniedIP==null) {
-                                               deniedIP=new HashMap<String,Counter>();
+                                               deniedIP=new HashMap<>();
                                        }
 
                                        String line;
@@ -215,7 +215,7 @@ public class DenialOfServiceTaf implements HttpTaf {
        public static synchronized boolean denyID(String id) {
                boolean rv = false;
                if(deniedID==null) {
-                       deniedID = new HashMap<String,Counter>();
+                       deniedID = new HashMap<>();
                        deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent
                        rv = true;
                } else if(deniedID.get(id)==null) {
@@ -260,7 +260,7 @@ public class DenialOfServiceTaf implements HttpTaf {
                                br = new BufferedReader(new FileReader(dosID));
                                try {
                                        if(deniedID==null) {
-                                               deniedID=new HashMap<String,Counter>();
+                                               deniedID=new HashMap<>();
                                        }
                                        
                                        String line;
@@ -299,7 +299,7 @@ public class DenialOfServiceTaf implements HttpTaf {
                int initSize = 0;
                if(deniedIP!=null)initSize+=deniedIP.size();
                if(deniedID!=null)initSize+=deniedID.size();
-               ArrayList<String> al = new ArrayList<String>(initSize);
+               ArrayList<String> al = new ArrayList<>(initSize);
                if(deniedID!=null) {
                        for(Counter c : deniedID.values()) {
                                al.add(c.toString());
index 4312c3c..7cd7a63 100644 (file)
@@ -107,7 +107,7 @@ public class Pool<T> {
        public Pool(Creator<T> creator) {
                count = spares = 0;
                this.creator = creator;
-               list = new LinkedList<Pooled<T>>();
+               list = new LinkedList<>();
                logger = Log.NULL;
        }
        
index 8d52811..b7dd014 100644 (file)
@@ -27,7 +27,13 @@ import java.io.InputStreamReader;
 
 // Substandard, because System.in doesn't do Passwords..
 public class SubStandardConsole implements MyConsole {
-       BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
+       private final static char[] BLANK = new char[0];
+       private final BufferedReader br; 
+
+       public SubStandardConsole() {
+               br = new BufferedReader(new InputStreamReader(System.in));
+       }
+       
        @Override
        public String readLine(String fmt, Object... args) {
                String rv;
@@ -48,10 +54,12 @@ public class SubStandardConsole implements MyConsole {
        public char[] readPassword(String fmt, Object... args) {
                try {
                        System.out.printf(fmt,args);
-                       return br.readLine().toCharArray();
+                       String response = br.readLine();
+                       return response==null?BLANK:response.toCharArray();
+
                } catch (IOException e) {
                        System.err.println("uh oh...");
-                       return new char[0];
+                       return BLANK;
                }
        }
 
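Review bot: `readPassword` now returns the same empty array for end-of-input, for an `IOException`, and for a user who typed nothing, so a caller cannot tell a failed read from an empty password and may go on to authenticate with it. How `MyConsole` callers treat a zero-length result is not visible here, so either document that contract on the method or distinguish the failure case. The `catch` also discards the exception; `System.err.println("uh oh...")` could at least include `e.getMessage()`. The password also passes through an immutable `String` from `br.readLine()`, so returning a clearable `char[]` does not remove it from memory, which deserves a line in the class comment.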
index 7af475a..78265e4 100644 (file)
@@ -354,14 +354,22 @@ public class XReader {
                        for(Tag tag : t.attribs) {
                                if("xmlns".equals(tag.prefix)) {
                                        if(newnss==null) {
-                                               newnss = new HashMap<String,String>();
+                                               newnss = new HashMap<>();
                                                if(nss!=null)newnss.putAll(nss);
                                        }
                                        newnss.put(tag.name, tag.value);
                                }
                        }
                }
-               return newnss==null?(nss==null?new HashMap<String,String>():nss):newnss;
+               //return newnss==null?(nss==null?new HashMap<String,String>():nss):newnss;
+               if(newnss==null) {
+                       if(nss==null) {
+                               newnss = new HashMap<>();
+                       } else {
+                               newnss = nss;
+                       }
+               }
+               return newnss;
        }
 
        /**
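Review bot: The old ternary is left behind as a commented-out line (`//return newnss==null?...`) directly above its replacement; delete it, since version control already holds the previous form. When `nss` is non-null and no `xmlns` attribute was seen, the method returns the caller's own map rather than a copy. That matches the old behaviour but deserves a one-line comment such as `// no new prefixes: share the parent's namespace map`. The method starts above this hunk.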
@@ -392,7 +400,7 @@ public class XReader {
                 */
                public void add(Tag attrib) {
                        if(attribs == null) {
-                               attribs = new ArrayList<Tag>();
+                               attribs = new ArrayList<>();
                        }
                        attribs.add(attrib);
                }
index 842a709..001d0fe 100644 (file)
@@ -97,6 +97,9 @@ public class JU_SecurityInfo {
                assertNotNull(si.getSSLSocketFactory());
                assertNotNull(si.getSSLContext());
                assertNotNull(si.getKeyManagers());
+               
+               access.setProperty(Config.CADI_TRUST_MASKS, "123.123.123.123");
+               si = new SecurityInfo(access);
        }
 
        @Test(expected = CadiException.class)
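Review bot: The added `si = new SecurityInfo(access);` after setting `Config.CADI_TRUST_MASKS` is never asserted on, so the test passes as long as the constructor does not throw and says nothing about what the trust mask does. Elsewhere in this commit the mask path ends in `HttpsURLConnection.setDefaultHostnameVerifier(maskHV)`, a JVM-wide setting. Assuming this constructor reaches that code, the test should assert the verifier's result for an address inside and outside the mask, and restore the previous default afterwards, e.g. by saving `HttpsURLConnection.getDefaultHostnameVerifier()` in setup. `badTrustMaskTest` in the next hunk pins `NumberFormatException` as the failure for a malformed mask; a `CadiException` naming the offending property would be easier for an operator to diagnose.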
@@ -112,6 +115,14 @@ public class JU_SecurityInfo {
                @SuppressWarnings("unused")
                SecurityInfo si = new SecurityInfo(access);
        }
+       
+       
+       @Test(expected = NumberFormatException.class)
+       public void badTrustMaskTest() throws CadiException {
+               access.setProperty(Config.CADI_TRUST_MASKS, "trustMask");
+               @SuppressWarnings("unused")
+               SecurityInfo si = new SecurityInfo(access);
+       }
 
        @Test
        public void coverageTest() throws CadiException {
index d86a075..722ac14 100644 (file)
@@ -47,9 +47,6 @@ import org.onap.aaf.cadi.lur.LocalPermission;
 
 public class JU_LocalLur {
 
-       private static final String password = "<pass>";
-       private String encrypted;
-
        private PropAccess access;
        private ByteArrayOutputStream outStream;
 
@@ -59,8 +56,6 @@ public class JU_LocalLur {
        public void setup() throws IOException {
                MockitoAnnotations.initMocks(this);
 
-               encrypted = rot13(password);
-
                outStream = new ByteArrayOutputStream();
                access = new PropAccess(new PrintStream(outStream), new String[0]) {
                        @Override public String decrypt(String encrypted, boolean anytext) throws IOException {
@@ -75,6 +70,9 @@ public class JU_LocalLur {
 
        @Test
        public void test() throws IOException {
+               final String password = "<pass>";
+               final String encrypted = rot13(password);
+
                LocalLur lur;
                List<AbsUserCache<LocalPermission>.DumpInfo> info;
 
index e62dda4..0857a87 100644 (file)
@@ -67,7 +67,7 @@ public class JU_X509Principal {
 
        @Test
        public void constructor2Test() throws IOException {
-               X509Principal x509 = new X509Principal(name, cert, cred);
+               X509Principal x509 = new X509Principal(name, cert, cred,null);
                // Call twice to hit both branches
                assertThat(x509.getAsHeader(), is("X509 " + cred));
                assertThat(x509.toString(), is("X509 Authentication for " + name));
@@ -81,7 +81,7 @@ public class JU_X509Principal {
                final String longName = "name@domain";
                when(subject.getName()).thenReturn("OU=" + longName + ",extra");
                when(cert.getSubjectDN()).thenReturn(subject);
-               X509Principal x509 = new X509Principal(cert, cred);
+               X509Principal x509 = new X509Principal(cert, cred,null);
                // Call twice to hit both branches
                assertThat(x509.getAsHeader(), is("X509 " + cred));
                assertThat(x509.toString(), is("X509 Authentication for " + longName));
@@ -91,7 +91,7 @@ public class JU_X509Principal {
                when(subject.getName()).thenReturn(longName + ",extra");
                when(cert.getSubjectDN()).thenReturn(subject);
                try {
-                       x509 = new X509Principal(cert, cred);
+                       x509 = new X509Principal(cert, cred, null);
                        fail("Should have thrown an Exception");
                } catch(IOException e) {
                        assertThat(e.getMessage(), is("X509 does not have Identity as CN"));
@@ -100,7 +100,7 @@ public class JU_X509Principal {
                when(subject.getName()).thenReturn("OU=" + longName);
                when(cert.getSubjectDN()).thenReturn(subject);
                try {
-                       x509 = new X509Principal(cert, cred);
+                       x509 = new X509Principal(cert, cred, null);
                        fail("Should have thrown an Exception");
                } catch(IOException e) {
                        assertThat(e.getMessage(), is("X509 does not have Identity as CN"));
@@ -109,7 +109,7 @@ public class JU_X509Principal {
                when(subject.getName()).thenReturn("OU=" + name + ",exta");
                when(cert.getSubjectDN()).thenReturn(subject);
                try {
-                       x509 = new X509Principal(cert, cred);
+                       x509 = new X509Principal(cert, cred, null);
                        fail("Should have thrown an Exception");
                } catch(IOException e) {
                        assertThat(e.getMessage(), is("X509 does not have Identity as CN"));
index b2739b9..11877de 100644 (file)
@@ -284,10 +284,10 @@ public class JU_AbsUserCache {
                assertThat(dumpInfo.size(), is(2));
 
                // Utility lists
-               List<String> names = new ArrayList<String>();
+               List<String> names = new ArrayList<>();
                names.add(name1);
                names.add(name2);
-               List<String> permissions = new ArrayList<String>();
+               List<String> permissions = new ArrayList<>();
                permissions.add("NewKey1");
                permissions.add("NewKey2");
 
index 2568324..2d5ba8d 100644 (file)
@@ -158,7 +158,7 @@ public class JU_User {
        @Test
        public void addValuesToNewMapTest() {
                User<Permission> user = new User<Permission>(principal);
-               Map<String, Permission> newMap = new HashMap<String,Permission>();
+               Map<String, Permission> newMap = new HashMap<>();
                
                assertFalse(user.contains(permission));
                
@@ -167,7 +167,7 @@ public class JU_User {
                
                assertTrue(user.contains(permission));
                
-               List<Permission> sink = new ArrayList<Permission>();
+               List<Permission> sink = new ArrayList<>();
                user.copyPermsTo(sink);
                
                assertThat(sink.size(), is(1));
index 7920932..b9f0e99 100644 (file)
@@ -71,7 +71,7 @@ public class JU_Pool {
        public void getTest() throws CadiException {
                Pool<Integer> intPool = new Pool<Integer>(new IntegerCreator());
 
-               List<Pooled<Integer>> gotten = new ArrayList<Pooled<Integer>>();
+               List<Pooled<Integer>> gotten = new ArrayList<>();
                for (int i = 0; i < 10; i++) {
                        gotten.add(intPool.get());
                        assertThat(gotten.get(i).content, is(i));
index b2600aa..551f725 100644 (file)
@@ -39,21 +39,21 @@ public class JU_Vars {
        @Test
        public void convert() {
                String test = "test";
-               List<String> list = new ArrayList<String>();
+               List<String> list = new ArrayList<>();
                list.add("method");
                assertEquals(Vars.convert(test, list), test);
        }
 
        @Test
        public void convertTest1() {
-               List<String> list = new ArrayList<String>();
+               List<String> list = new ArrayList<>();
                list.add("method");
                assertEquals(Vars.convert("test", list), "test");
        }
 
        @Test
        public void convertTest2() {
-               List<String> list = new ArrayList<String>();
+               List<String> list = new ArrayList<>();
                list.add("method");
                assertEquals(Vars.convert("test", list), "test");
        }
index 6028f0a..c14293b 100644 (file)
@@ -2,3 +2,4 @@
 /.settings/
 /target/
 /.project
+tokens/
index 83ea803..852ffa0 100644 (file)
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>cadiparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>..</relativePath>
        </parent>
        
        <name>AAF CADI Sample OAuth EndUser</name>
-       <groupId>org.onap.aaf.authz</groupId>
-       <version>2.1.0-SNAPSHOT</version>
        <artifactId>aaf-cadi-oauth-enduser</artifactId>
        <packaging>jar</packaging>
 
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-core</artifactId>
-                       <version>${project.version}</version>
                </dependency>
                <dependency>
                        <groupId>org.onap.aaf.authz</groupId>
                        <artifactId>aaf-cadi-aaf</artifactId>
-                       <version>${project.version}</version>
                </dependency>
        </dependencies>
 
diff --git a/cadi/oauth-enduser/src/main/java/org/onap/aaf/cadi/enduser/ClientFactory.java b/cadi/oauth-enduser/src/main/java/org/onap/aaf/cadi/enduser/ClientFactory.java
new file mode 100644 (file)
index 0000000..50eaa75
--- /dev/null
@@ -0,0 +1,56 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.enduser;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.security.GeneralSecurityException;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.oauth.TokenClientFactory;
+import org.onap.aaf.misc.env.APIException;
+
+public class ClientFactory {
+       private final TokenClientFactory tcf;
+       public ClientFactory(final PropAccess access) throws APIException, CadiException {
+               try {
+                       tcf = TokenClientFactory.instance(access);
+               } catch (GeneralSecurityException | IOException e) {
+                       throw new CadiException(e);
+               }
+       }
+       
+       public ClientFactory(String[] args) throws APIException, CadiException {
+               this(new PropAccess(args));
+       }
+
+       public SimpleRESTClient simpleRESTClient(final String endpoint, final String ... scopes) throws URISyntaxException, LocatorException, CadiException, APIException {
+               return new SimpleRESTClient(tcf, Config.AAF_OAUTH2_TOKEN_URL, endpoint, scopes);
+       }
+
+       public Access getAccess() {
+               return tcf.access;
+       }
+}
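Review bot: `simpleRESTClient` declares `throws URISyntaxException`, but its only statement is the `SimpleRESTClient` constructor call, and that constructor (added in this same commit) declares only `CadiException, LocatorException, APIException`. The unused checked exception forces every caller to handle or declare it, as `SimpleRestClientExample.main` does; the clause could be reduced to `throws LocatorException, CadiException, APIException`. The class also has no Javadoc, and its one usage rule, that the factory is long-lived and should be created once, is stated only in the example. A class comment such as `/** Long-lived factory for token-aware REST clients; create once per application. */` would put it where callers see it.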
diff --git a/cadi/oauth-enduser/src/main/java/org/onap/aaf/cadi/enduser/SimpleRESTClient.java b/cadi/oauth-enduser/src/main/java/org/onap/aaf/cadi/enduser/SimpleRESTClient.java
new file mode 100644 (file)
index 0000000..9535ad6
--- /dev/null
@@ -0,0 +1,133 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.enduser;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.security.Principal;
+
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Result;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.oauth.TimedToken;
+import org.onap.aaf.cadi.oauth.TokenClient;
+import org.onap.aaf.cadi.oauth.TokenClientFactory;
+import org.onap.aaf.cadi.oauth.TzClient;
+import org.onap.aaf.cadi.principal.TaggedPrincipal;
+import org.onap.aaf.misc.env.APIException;
+
+public class SimpleRESTClient {
+       private static final String[] EMPTY = new String[0];
+       private final TokenClient tokenClient;
+       private final TzClient restClient;
+       private int callTimeout;
+       private String client_id;
+       private String app;
+       private String chain;
+       private Headers headers = new Headers() {
+               @Override
+               public String[] headers() {
+                       return EMPTY;
+               }};
+       
+       public SimpleRESTClient(final TokenClientFactory tcf, final String tokenURL, final String endpoint, final String[] scope) throws CadiException, LocatorException, APIException {
+               callTimeout = Integer.parseInt(tcf.access.getProperty(Config.AAF_CALL_TIMEOUT,Config.AAF_CALL_TIMEOUT_DEF));
+               tokenClient = tcf.newClient(tokenURL);
+               Result<TimedToken> rtt = tokenClient.getToken(scope);
+               if(rtt.isOK()) {
+                       restClient = tcf.newTzClient(endpoint);
+                       
+                       if((client_id = tcf.access.getProperty(Config.AAF_APPID, null))==null) {
+                               if((client_id = tcf.access.getProperty(Config.CADI_ALIAS, null))==null) {
+                                       throw new CadiException(Config.AAF_APPID + " or " + Config.CADI_ALIAS + " needs to be defined");
+                               }                               
+                       }
+                       try {
+                               restClient.setToken(client_id,rtt.value);
+                       } catch (IOException e) {
+                               throw new CadiException(e);
+                       }
+               } else {
+                       throw new CadiException(rtt.error);
+               }
+       }
+       
+       public SimpleRESTClient timeout(int newTimeout) {
+               callTimeout = newTimeout;
+               return this;
+       }
+
+       //Format:<ID>:<APP>:<protocol>[:AS][,<ID>:<APP>:<protocol>]*
+       public SimpleRESTClient as(Principal principal) {
+               if(principal==null) {
+                       chain = null;
+               } else {
+                       if(principal instanceof TaggedPrincipal) {
+                               TaggedPrincipal tp = (TaggedPrincipal)principal;
+                               chain = tp.getName() + ':' + (app==null?"":app) + ':' + tp.tag() + ":AS";
+                       } else {
+                               chain = principal.getName() + (app==null?"":':'+app);
+                       }
+               }
+               return this;
+       }
+       
+       public String get(final String path) throws CadiException, LocatorException, APIException  {
+               return get(path,"application/json");
+       }
+
+       public String get(final String path, final String accepts) throws CadiException, LocatorException, APIException  {
+               return restClient.best(new Retryable<String>() {
+                       @Override
+                       public String code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+                               Future<String> future = client.read(path,accepts, headers());
+                               if(future.get(callTimeout)) {
+                                       return future.value;
+                               } else {
+                                       throw new APIException(future.code()  + future.body());
+                               }                                       
+                       }
+               });
+       }
+       
+       public interface Headers {
+               String[] headers();
+       }
+       
+       public String[] headers() {
+               if(chain==null) {
+                       return headers.headers();
+               } else {
+                       String[] strs = headers.headers();
+                       String[] rv = new String[strs.length+2];
+                       rv[0]=Config.CADI_USER_CHAIN;
+                       rv[1]=chain;
+                       for(int i = 0;i<strs.length;++i) {
+                               rv[i+2]=strs[i];
+                       }
+                       return rv;
+               }
+       }
+}
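Review bot: `as(Principal)` stores the delegation chain in the `chain` field and `headers()` adds it to every later `get()`, so an identity set for one request stays in effect until `as(null)` is called, and two threads sharing one client can send each other's chain. Nothing in the class documents this, although `OnapClientExample` in the same commit says the underlying `TzClient` should not be used across threads. A class comment such as `/** Not thread-safe. The identity set by as() applies to every subsequent call until as(null). */` would state it. The chain is also concatenated from `getName()` without checking for the `:` and `,` delimiters named in the format comment, so a name containing them could be read as extra chain fields by the receiver; rejecting such names with an `IllegalArgumentException` before building the string would close that. `app` is never assigned in this file, so the `app==null` branches always take the empty case.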
@@ -19,7 +19,7 @@
  *
  */
 
-package com.att.cadi.enduser;
+package org.onap.aaf.cadi.enduser.test;
 
 import java.io.IOException;
 import java.net.ConnectException;
@@ -72,12 +72,13 @@ public class OAuthExample {
                
                
                // Obtain Endpoints for OAuth2 from Properties.  Expected is "cadi.properties" file, pointed to by "cadi_prop_files"
-               String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL);
-               String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL);
-
-               
-               // Get Properties
-               final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL);
+               String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL,
+                               "https://AAF_LOCATE_URL/AAF_NS.token:2.0"); // Default to AAF
+               String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL,
+                               "https://AAF_LOCATE_URL/AAF_NS.introspect:2.0"); // Default to AAF);
+               // Get Hello Service
+               final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL, 
+                               "https://AAF_LOCATE_URL/AAF_NS.hello:2.0");
 
                final int CALL_TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CALL_TIMEOUT,Config.AAF_CALL_TIMEOUT_DEF));
                
@@ -95,6 +96,10 @@ public class OAuthExample {
                        //   If AAF Token server, then its just the same as your other AAF MechID creds
                        //   If it is the Alternate OAUTH, you'll need THOSE credentials.  See that tool's Onboarding procedures.
                        String client_id = access.getProperty(Config.AAF_APPID);
+                       if(client_id==null) {
+                               // For AAF, client_id CAN be Certificate.  This is not necessarily true elsewhere
+                               client_id = access.getProperty(Config.CADI_ALIAS);
+                       }
                        String client_secret = access.getProperty(Config.AAF_APPPASS);
                        tc.client_creds(client_id, client_secret);
                        
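Review bot: When neither `Config.AAF_APPID` nor `Config.CADI_ALIAS` is set, `client_id` is still null after the added fallback and is passed straight to `tc.client_creds(client_id, client_secret)`. `SimpleRESTClient` in this same commit rejects that case, and the example should do the same right after the fallback: `if(client_id==null) { throw new CadiException(Config.AAF_APPID + " or " + Config.CADI_ALIAS + " needs to be defined"); }`. The added comment says the ID can be a certificate, in which case `Config.AAF_APPPASS` is presumably unset and `client_secret` is null too; whether `client_creds` accepts that is not visible here. The enclosing method starts and ends outside this hunk, so confirm that `CadiException` is caught or declared there.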
@@ -140,7 +145,7 @@ public class OAuthExample {
                                String rv = helloClient.best(new Retryable<String>() {
                                        @Override
                                        public String code(Rcli<?> client) throws CadiException, ConnectException, APIException {
-                                               Future<String> future = client.read(null,"text/plain");
+                                               Future<String> future = client.read("hello","text/plain");
                                                // The "future" calling method allows you to do other processing, such as call more than one backend
                                                // client before picking up the result
                                                // If "get" matches the HTTP Code for the method (i.e. read HTTP Return value is 200), then 
@@ -216,7 +221,7 @@ public class OAuthExample {
                                + "\tUserName:\t%s\n"
                                + "\tExpires: \t%d (%s)\n"
                                + "\tScope:\t\t%s\n"
-                               + "\tContent:\t\t%s\n",
+                               + "\tContent:\t%s\n",
                ti.getAccessToken(),
                ti.getClientId(),
                ti.getClientType(),
diff --git a/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OnapClientExample.java b/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/OnapClientExample.java
new file mode 100644 (file)
index 0000000..4b29518
--- /dev/null
@@ -0,0 +1,210 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.cadi.enduser.test;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.security.GeneralSecurityException;
+import java.util.Date;
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Result;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.oauth.TimedToken;
+import org.onap.aaf.cadi.oauth.TokenClient;
+import org.onap.aaf.cadi.oauth.TokenClientFactory;
+import org.onap.aaf.cadi.oauth.TzClient;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aafoauth.v2_0.Introspect;
+import aafoauth.v2_0.Token;
+
+
+public class OnapClientExample {
+       private static TokenClientFactory tcf;
+       private static PropAccess access;
+
+       public final static void main(final String args[]) {
+               // These Objects are expected to be Long-Lived... Construct once
+               
+               // Property Access
+               // This method will allow you to set "cadi_prop_files" (or any other property) on Command line 
+               access = new PropAccess(args);
+               
+               // access = PropAccess();
+               // Note: This style will load "cadi_prop_files" from VM Args
+               
+               // Token aware Client Factory
+               try {
+                       tcf = TokenClientFactory.instance(access);
+               } catch (APIException | GeneralSecurityException | IOException | CadiException e1) {
+                       access.log(e1, "Unable to setup OAuth Client Factory, Fail Fast");
+                       System.exit(1);
+               }
+               
+               final int CALL_TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CALL_TIMEOUT,Config.AAF_CALL_TIMEOUT_DEF));
+               
+               try {
+                       //////////////////////////////////////////////////////////////////////
+                       // Scenario 1:
+                       // Get and use an OAuth Client, which understands Token Management
+                       //////////////////////////////////////////////////////////////////////
+                       // Create a Token Client, that gets its tokens from expected OAuth Server
+                       //   In this example, it is AAF, but it can be the Alternate OAuth
+
+                       TokenClient tc = tcf.newClient(Config.AAF_OAUTH2_TOKEN_URL); // can set your own timeout here (url, timeoutMilliseconds)
+                       
+                       // Here's a trick to get the namespace out of a Fully Qualified AAF Identity (your MechID)
+                       String ns = FQI.reverseDomain(tc.client_id());
+                       System.out.printf("\nNote: The AAF Namespace of FQI (Fully Qualified Identity) %s is %s\n\n",tc.client_id(), ns);
+
+                       // Now, we can get a Token.  Note: for "scope", use AAF Namespaces to get AAF Permissions embedded in
+                       // Note: getToken checks if Token is expired, if so, then refreshes before handing back.
+                       Result<TimedToken> rtt = tc.getToken(ns,"org.onap.test"); // get multiple scopes
+                       
+                       // Note: you can clear a Token's Disk/Memory presence by
+                       //  1) removing the Token from the "token/outgoing" directory on the O/S
+                       //  2) programmatically by calling "clearToken" with exact params as "getToken", when it has the same credentials set
+                       //       tc.clearToken("org.onap.aaf","org.onap.test");
+                       
+                       // Result Object can be queried for success
+                       if(rtt.isOK()) {
+                               TimedToken token = rtt.value;
+                               print(token); // Take a look at what's in a Token
+                               
+                               // Use this Token in your client calls with "Tokenized Client" (TzClient)
+                               // These should NOT be used cross thread.
+                               // Get Hello Service URL... roll your own in your own world.
+                               final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL, 
+                                               "https://AAF_LOCATE_URL/AAF_NS.hello:2.0");
+
+
+                               TzClient helloClient = tcf.newTzClient(endServicesURL);
+                               helloClient.setToken(tc.client_id(), token);
+                               
+                               // This client call style, "best" call with "Retryable" inner class covers finding an available Service 
+                               // (when Multi-services exist) for the best service, based (currently) on distance.
+                               //
+                               // the "Generic" in Type gives a Return Value for the Code, which you can set on the "best" method
+                               // Note that variables used in the inner class from this part of the code must be "final", see "CALL_TIMEOUT"
+                               String rv = helloClient.best(new Retryable<String>() {
+                                       @Override
+                                       public String code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+                                               Future<String> future = client.read("hello","text/plain");
+                                               // The "future" calling method allows you to do other processing, such as call more than one backend
+                                               // client before picking up the result
+                                               // If "get" matches the HTTP Code for the method (i.e. read HTTP Return value is 200), then 
+                                               if(future.get(CALL_TIMEOUT)) {
+                                                       // Client Returned expected value
+                                                       return future.value;
+                                               } else {
+                                                       throw new APIException(future.code()  + future.body());
+                                               }                                       
+                                       }
+                               });
+                               
+                               // You want to do something with returned value.  Here, we say "hello"
+                               System.out.printf("\nPositive Response from Hello: %s\n",rv);
+                               
+                               
+                               //////////////////////////////////////////////////////////////////////
+                               // Scenario 2:
+                               // As a Service, read Introspection information as proof of Authenticated Authorization
+                               //////////////////////////////////////////////////////////////////////
+                               // CADI Framework (i.e. CadiFilter) works with the Introspection to drive the J2EE interfaces (
+                               // i.e. if(isUserInRole("ns.perm|instance|action")) {...
+                               //
+                               // Here, however, is a way to introspect via Java
+                               //
+                               // now, call Introspect (making sure right URLs are set in properties)
+                               // We need a Different Introspect TokenClient, because different Endpoint (and usually different Services)
+                               TokenClient tci = tcf.newClient(Config.AAF_OAUTH2_INTROSPECT_URL);
+                               Result<Introspect> is = tci.introspect(token.getAccessToken());
+                               if(is.isOK()) {
+                                       // Note that AAF will add JSON set of Permissions as part of "Content:", legitimate extension of OAuth Structure
+                                       print(is.value); // do something with Introspect Object
+                               } else {
+                                       access.printf(Level.ERROR, "Unable to introspect OAuth Token %s: %d %s\n",
+                                                       token.getAccessToken(),rtt.code,rtt.error);
+                               }
+                       } else {
+                               access.printf(Level.ERROR, "Unable to obtain OAuth Token: %d %s\n",rtt.code,rtt.error);
+                       }
+                       
+               } catch (CadiException | LocatorException | APIException | IOException e) {
+                       e.printStackTrace();
+               }
+       }
+       
+       /////////////////////////////////////////////////////////////
+       // Examples of Object Access
+       /////////////////////////////////////////////////////////////
+       private static void print(Token t) {
+               GregorianCalendar exp_date = new GregorianCalendar();
+               exp_date.add(GregorianCalendar.SECOND, t.getExpiresIn());
+               System.out.printf("Access Token\n\tToken:\t\t%s\n\tToken Type:\t%s\n\tExpires In:\t%d (%s)\n\tScope:\t\t%s\n\tRefresh Token:\t%s\n",
+               t.getAccessToken(),
+               t.getTokenType(),
+               t.getExpiresIn(),
+               Chrono.timeStamp(new Date(System.currentTimeMillis()+(t.getExpiresIn()*1000))),
+               t.getScope(),
+               t.getRefreshToken());
+       }
+       
+       private static void print(Introspect ti) {
+               if(ti==null || ti.getClientId()==null) {
+                       System.out.println("Empty Introspect");
+                       return;
+               }
+               Date exp = new Date(ti.getExp()*1000); // seconds
+               System.out.printf("Introspect\n"
+                               + "\tAccessToken:\t%s\n"
+                               + "\tClient-id:\t%s\n"
+                               + "\tClient Type:\t%s\n"
+                               + "\tActive:  \t%s\n"
+                               + "\tUserName:\t%s\n"
+                               + "\tExpires: \t%d (%s)\n"
+                               + "\tScope:\t\t%s\n"
+                               + "\tContent:\t%s\n",
+               ti.getAccessToken(),
+               ti.getClientId(),
+               ti.getClientType(),
+               ti.isActive()?Boolean.TRUE.toString():Boolean.FALSE.toString(),
+               ti.getUsername(),
+               ti.getExp(),
+               Chrono.timeStamp(exp),
+               ti.getScope(),
+               ti.getContent()==null?"":ti.getContent());
+               
+               System.out.println();
+       }
+
+}
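Review bot: The introspection failure branch reports `rtt.code` and `rtt.error`, which belong to the token request that already succeeded, instead of the introspection result `is`, and it writes the bearer token itself into the error log. It should read `access.printf(Level.ERROR, "Unable to introspect OAuth Token: %d %s\n", is.code, is.error);`. `print(Token)` likewise prints the access and refresh tokens in full to stdout; because this is sample code that gets copied, a comment there such as `// Demo only: never print or log real tokens` would help. In the same method `exp_date` is computed but never used.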
diff --git a/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/SimpleRestClientExample.java b/cadi/oauth-enduser/src/test/java/org/onap/aaf/cadi/enduser/test/SimpleRestClientExample.java
new file mode 100644 (file)
index 0000000..7340618
--- /dev/null
@@ -0,0 +1,91 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package org.onap.aaf.cadi.enduser.test;
+
+import java.net.URISyntaxException;
+import java.security.Principal;
+
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.enduser.ClientFactory;
+import org.onap.aaf.cadi.enduser.SimpleRESTClient;
+import org.onap.aaf.misc.env.APIException;
+
+
+public class SimpleRestClientExample {
+       public final static void main(final String args[]) throws URISyntaxException, LocatorException {
+               try {
+                       // Note: Expect ClientFactory to be long-lived... do NOT create more than once.
+                       ClientFactory cf = new ClientFactory(args);
+                       
+       
+                       String urlString = cf.getAccess().getProperty("myurl", null);
+                       if(urlString==null) {
+                               System.out.println("Note: In your startup, add \"myurl=https://<aaf hello machine>:8130\" to command line\n\t"
+                                               + "OR\n\t" 
+                                               + " add -Dmyurl=https://<aaf hello machine>:8130 to VM Args\n\t"
+                                               + "where \"aaf hello machine\" is an aaf Installation you know about.");
+                       } else {
+                               SimpleRESTClient restClient = cf.simpleRESTClient(urlString,"org.osaaf.aaf");
+                               
+                               // Make some calls
+                               
+                               // Call with no Queries
+                               String rv = restClient.get("resthello");
+                               System.out.println(rv);
+                               
+                               // Call with Queries
+                               rv = restClient.get("resthello?perm=org.osaaf.people|*|read");
+                               System.out.println(rv);
+                               
+                               // Call setting ID from principal coming from Trans
+                               // Pretend Transaction
+                               HRequest req = new HRequest("demo@people.osaaf.org"); // Pretend Trans has Jonathan as Identity
+                               
+                               rv = restClient.as(req.userPrincipal()).get("resthello?perm=org.osaaf.people|*|read");
+                               System.out.println(rv);
+                       }                       
+               } catch (CadiException | APIException e) {
+                       e.printStackTrace();
+               }
+       }
+       
+       private static class HRequest { 
+               
+               public HRequest(String fqi) {
+                       name = fqi;
+               }
+               protected final String name;
+
+       // fake out HttpServletRequest, only for get Principal
+               public Principal userPrincipal() {
+                       return new Principal() {
+
+                               @Override
+                               public String getName() {
+                                       return name;
+                               }
+                               
+                       };
+               }
+       }
+}
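Review bot: The comment `// Pretend Trans has Jonathan as Identity` does not match the value passed, `demo@people.osaaf.org`, and the example never says where the principal given to `as()` must come from. Since `as()` makes the client present that identity to the downstream service in the user-chain header, the comment should state the rule, e.g. `// In a real service pass the container-authenticated principal (HttpServletRequest.getUserPrincipal()), never a name taken from request data`. The `HRequest` comment `// fake out HttpServletRequest, only for get Principal` is also indented one level short of the method it describes.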
index 5dfdf9e..ab80527 100644 (file)
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <parent>
-    <groupId>org.onap.aaf.authz</groupId>
-    <artifactId>parent</artifactId>
-    <version>2.1.0-SNAPSHOT</version>
+           <groupId>org.onap.aaf.authz</groupId>
+           <artifactId>parent</artifactId>
+           <version>2.1.2-SNAPSHOT</version>
     </parent>
-       <groupId>org.onap.aaf.authz</groupId>
        <artifactId>cadiparent</artifactId>
        <name>AAF CADI Parent (Code, Access, Data, Identity)</name>
-       <version>2.1.0-SNAPSHOT</version>
        <inceptionYear>2015-07-20</inceptionYear>
        <organization>
                <name>ONAP</name>
                <module>client</module>
                <module>aaf</module>
                <module>oauth-enduser</module>
-               <module>shiro</module>
-               <module>shiro-osgi-bundle</module>
        </modules>
 
        <!-- ============================================================== -->
diff --git a/cadi/shiro-osgi-bundle/.gitignore b/cadi/shiro-osgi-bundle/.gitignore
deleted file mode 100644 (file)
index f4b8361..0000000
+++ /dev/null
@@ -1,5 +0,0 @@
-/target
-/bin/
-/.classpath
-/.settings
-/.project
diff --git a/cadi/shiro-osgi-bundle/pom.xml b/cadi/shiro-osgi-bundle/pom.xml
deleted file mode 100644 (file)
index 578a1b6..0000000
+++ /dev/null
@@ -1,96 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>\r
-<!--\r
- * ============LICENSE_START====================================================\r
- * org.onap.aaf\r
- * ===========================================================================\r
- * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.\r
- * ===========================================================================\r
- * Licensed under the Apache License, Version 2.0 (the "License");\r
- * you may not use this file except in compliance with the License.\r
- * You may obtain a copy of the License at\r
- *\r
- *      http://www.apache.org/licenses/LICENSE-2.0\r
- *\r
- * Unless required by applicable law or agreed to in writing, software\r
- * distributed under the License is distributed on an "AS IS" BASIS,\r
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * See the License for the specific language governing permissions and\r
- * limitations under the License.\r
- * ============LICENSE_END====================================================\r
- *\r
--->\r
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\r
-       xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">\r
-\r
-       <parent>\r
-               <groupId>org.onap.aaf.authz</groupId>\r
-               <artifactId>cadiparent</artifactId>\r
-               <version>2.1.0-SNAPSHOT</version>\r
-               <relativePath>..</relativePath>\r
-       </parent>\r
-       <modelVersion>4.0.0</modelVersion>\r
-\r
-       <artifactId>aaf-shiro-aafrealm-osgi-bundle</artifactId>\r
-       <packaging>bundle</packaging>\r
-\r
-       <properties>\r
-           <sonar.skip>true</sonar.skip>\r
-               <cadi.shiro.version>2.1.0</cadi.shiro.version>\r
-       </properties>\r
-\r
-       <build>\r
-               <plugins>\r
-                       <plugin>\r
-                               <groupId>org.apache.felix</groupId>\r
-                               <artifactId>maven-bundle-plugin</artifactId>\r
-                               <version>2.5.4</version>\r
-                               <extensions>true</extensions>\r
-                               <configuration>\r
-                                       <instructions>\r
-                                               <Bundle-SymbolicName>${project.artifactId}</Bundle-SymbolicName>\r
-                                               <Bundle-Version>${project.version}</Bundle-Version>\r
-                                               <Export-Package>\r
-                                                       org.onap.aaf.cadi.shiro*;version=${cadi.shiro.version}\r
-                                               </Export-Package>\r
-                                               <Import-Package>\r
-                                                       javax.servlet,\r
-                                                       javax.servlet.http,\r
-                                                       org.osgi.service.blueprint;version="[1.0.0,2.0.0)",\r
-                                                       javax.net.ssl,\r
-                                                       javax.crypto,\r
-                                                       javax.crypto.spec,\r
-                                                       javax.xml.bind.annotation,\r
-                                                       javax.xml.bind,\r
-                                                       javax.xml.transform,\r
-                                                       javax.xml.datatype,\r
-                                                       javax.management,\r
-                                                       javax.security.auth,\r
-                                                       javax.security.auth.login,\r
-                                                       javax.security.auth.callback,\r
-                                                       javax.xml.soap,\r
-                                                       javax.xml.parsers,\r
-                                                       javax.xml.namespace,\r
-                                                       org.w3c.dom,\r
-                                                       org.xml.sax,\r
-                                                       javax.xml.transform.stream\r
-                                               </Import-Package>\r
-                                               <Embed-Dependency>*;scope=compile|runtime;inline=false</Embed-Dependency>\r
-                                               <!-- <Embed-Dependency>*;scope=compile|runtime;artifactId=!shiro-core;inline=false</Embed-Dependency> -->\r
-                                               <Embed-Transitive>true</Embed-Transitive>\r
-                                               <Fragment-Host>org.apache.shiro.core</Fragment-Host>\r
-                                       </instructions>\r
-                               </configuration>\r
-                       </plugin>\r
-               </plugins>\r
-\r
-\r
-       </build>\r
-\r
-       <dependencies>\r
-               <dependency>\r
-           <groupId>org.onap.aaf.authz</groupId>\r
-           <artifactId>aaf-cadi-shiro</artifactId>\r
-           <version>2.1.0</version>\r
-        </dependency>\r
-       </dependencies>\r
-</project>
\ No newline at end of file
diff --git a/cadi/shiro/.gitignore b/cadi/shiro/.gitignore
deleted file mode 100644 (file)
index 6028f0a..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-/.classpath
-/.settings/
-/target/
-/.project
diff --git a/cadi/shiro/pom.xml b/cadi/shiro/pom.xml
deleted file mode 100644 (file)
index 4e7790c..0000000
+++ /dev/null
@@ -1,204 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- * ============LICENSE_START====================================================
- * org.onap.aaf
- * ===========================================================================
- * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
- * ===========================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END====================================================
- *
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-       <parent>
-               <groupId>org.onap.aaf.authz</groupId>
-               <artifactId>cadiparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
-               <relativePath>..</relativePath>
-       </parent>
-
-       <modelVersion>4.0.0</modelVersion>
-       <name>AAF CADI Shiro Plugin</name>
-       <packaging>jar</packaging>
-       <artifactId>aaf-cadi-shiro</artifactId>
-
-       <properties>
-       <!--  SONAR  -->
-       <sonar.skip>true</sonar.skip>
-                <jacoco.version>0.7.7.201606060606</jacoco.version>
-           <sonar-jacoco-listeners.version>3.2</sonar-jacoco-listeners.version>
-           <sonar.core.codeCoveragePlugin>jacoco</sonar.core.codeCoveragePlugin>
-           <!-- Default Sonar configuration -->
-           <sonar.jacoco.reportPaths>target/code-coverage/jacoco-ut.exec</sonar.jacoco.reportPaths>
-           <sonar.jacoco.itReportPaths>target/code-coverage/jacoco-it.exec</sonar.jacoco.itReportPaths>
-           <!-- Note: This list should match jacoco-maven-plugin's exclusion list below -->
-           <sonar.exclusions>**/gen/**,**/generated-sources/**,**/yang-gen**,**/pax/**</sonar.exclusions>
-               <nexusproxy>https://nexus.onap.org</nexusproxy>
-               <snapshotNexusPath>/content/repositories/snapshots/</snapshotNexusPath>
-               <releaseNexusPath>/content/repositories/releases/</releaseNexusPath>
-               <stagingNexusPath>/content/repositories/staging/</stagingNexusPath>
-               <sitePath>/content/sites/site/org/onap/aaf/authz/${project.artifactId}/${project.version}</sitePath>
-       </properties>
-
-       <developers>
-               <developer>
-                       <name>Jonathan Gathman</name>
-                       <email>jonathan.gathman@att.com</email>
-                       <organization>ATT</organization>
-                       <roles>
-                               <role>Architect</role>
-                               <role>Lead Developer</role>
-                       </roles>
-               </developer>
-               <developer>
-                       <name>Gabe Maurer</name>
-                       <email>gabe.maurer@att.com</email>
-                       <organization>ATT</organization>
-                       <roles>
-                               <role>Developer</role>
-                       </roles>
-               </developer>
-               <developer>
-                       <name>Ian Howell</name>
-                       <email>ian.howell@att.com</email>
-                       <organization>ATT</organization>
-                       <roles>
-                               <role>Developer</role>
-                       </roles>
-               </developer>
-               <developer>
-                       <name>Sai Gandham</name>
-                       <email>sai.gandham@att.com</email>
-                       <organization>ATT</organization>
-                       <roles>
-                               <role>Developer</role>
-                       </roles>
-               </developer>
-       </developers>
-
-       <dependencies>
-               <dependency>
-                       <groupId>org.onap.aaf.authz</groupId>
-                       <artifactId>aaf-cadi-aaf</artifactId>
-               </dependency>
-               <!--<dependency>
-                       <groupId>org.apache.shiro</groupId>
-                       <artifactId>shiro-core</artifactId>
-                       <version>1.4.0</version>
-               </dependency> -->
-               
-               <dependency>
-                       <groupId>org.apache.shiro</groupId>
-                       <artifactId>shiro-core</artifactId>
-                       <version>1.3.2</version>
-               </dependency>
-               
-       </dependencies>
-       <build>
-               <plugins>
-                       <plugin>
-                               <groupId>org.sonatype.plugins</groupId>
-                               <artifactId>nexus-staging-maven-plugin</artifactId>
-                               <extensions>true</extensions>
-                               <configuration>
-                                       <nexusUrl>${nexusproxy}</nexusUrl>
-                                       <stagingProfileId>176c31dfe190a</stagingProfileId>
-                                       <serverId>ecomp-staging</serverId>
-                               </configuration>
-                       </plugin>
-                       <plugin>
-                               <groupId>org.apache.maven.plugins</groupId>
-                               <artifactId>maven-deploy-plugin</artifactId>
-                               <configuration>
-                                       <skip>false</skip>
-                               </configuration>
-                       </plugin>
-                       <plugin>
-                               <groupId>org.jacoco</groupId>
-                               <artifactId>jacoco-maven-plugin</artifactId>
-                               <configuration>
-                                       <excludes>
-                                               <exclude>**/gen/**</exclude>
-                                               <exclude>**/generated-sources/**</exclude>
-                                               <exclude>**/yang-gen/**</exclude>
-                                               <exclude>**/pax/**</exclude>
-                                       </excludes>
-                               </configuration>
-                               <executions>
-                                       <execution>
-                                               <id>pre-unit-test</id>
-                                               <goals>
-                                                       <goal>prepare-agent</goal>
-                                               </goals>
-                                               <configuration>
-                                                       <destFile>${project.build.directory}/code-coverage/jacoco-ut.exec</destFile>
-                                                       <propertyName>surefireArgLine</propertyName>
-                                               </configuration>
-                                       </execution>
-                                       <execution>
-                                               <id>post-unit-test</id>
-                                               <phase>test</phase>
-                                               <goals>
-                                                       <goal>report</goal>
-                                               </goals>
-                                               <configuration>
-                                                       <dataFile>${project.build.directory}/code-coverage/jacoco-ut.exec</dataFile>
-                                                       <outputDirectory>${project.reporting.outputDirectory}/jacoco-ut</outputDirectory>
-                                               </configuration>
-                                       </execution>
-                                       <execution>
-                                               <id>pre-integration-test</id>
-                                               <phase>pre-integration-test</phase>
-                                               <goals>
-                                                       <goal>prepare-agent</goal>
-                                               </goals>
-                                               <configuration>
-                                                       <destFile>${project.build.directory}/code-coverage/jacoco-it.exec</destFile>
-                                                       <propertyName>failsafeArgLine</propertyName>
-                                               </configuration>
-                                       </execution>
-                                       <execution>
-                                               <id>post-integration-test</id>
-                                               <phase>post-integration-test</phase>
-                                               <goals>
-                                                       <goal>report</goal>
-                                               </goals>
-                                               <configuration>
-                                                       <dataFile>${project.build.directory}/code-coverage/jacoco-it.exec</dataFile>
-                                                       <outputDirectory>${project.reporting.outputDirectory}/jacoco-it</outputDirectory>
-                                               </configuration>
-                                       </execution>
-                               </executions>
-                       </plugin>
-               </plugins>
-
-       </build>
-
-       <distributionManagement>
-               <repository>
-                       <id>ecomp-releases</id>
-                       <name>AAF Release Repository</name>
-                       <url>${nexusproxy}${releaseNexusPath}</url>
-               </repository>
-               <snapshotRepository>
-                       <id>ecomp-snapshots</id>
-                       <name>AAF Snapshot Repository</name>
-                       <url>${nexusproxy}${snapshotNexusPath}</url>
-               </snapshotRepository>
-               <site>
-                       <id>ecomp-site</id>
-                       <url>dav:${nexusproxy}${sitePath}</url>
-               </site>
-       </distributionManagement>
-</project>
diff --git a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java
deleted file mode 100644 (file)
index a1d304b..0000000
+++ /dev/null
@@ -1,90 +0,0 @@
-/**
- * ============LICENSE_START====================================================
- * org.onap.aaf
- * ===========================================================================
- * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
- * ===========================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *      http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END====================================================
- *
- */
-package org.onap.aaf.cadi.shiro;
-
-import java.nio.ByteBuffer;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.subject.PrincipalCollection;
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.Hash;
-import org.onap.aaf.cadi.Access.Level;
-
-public class AAFAuthenticationInfo implements AuthenticationInfo {
-       private static final long serialVersionUID = -1502704556864321020L;
-       // We assume that Shiro is doing Memory Only, and this salt is not needed cross process
-       private final static int salt = new SecureRandom().nextInt(); 
-
-       private final AAFPrincipalCollection apc;
-       private final byte[] hash;
-       private Access access;
-
-       public AAFAuthenticationInfo(Access access, String username, String password) {
-               this.access = access;
-               apc = new AAFPrincipalCollection(username);
-               hash = getSaltedCred(password);
-       }
-       @Override
-       public byte[] getCredentials() {
-               access.log(Level.DEBUG, "AAFAuthenticationInfo.getCredentials");
-               return hash;
-       }
-
-       @Override
-       public PrincipalCollection getPrincipals() {
-               access.log(Level.DEBUG, "AAFAuthenticationInfo.getPrincipals");
-               return apc;
-       }
-
-       public boolean matches(AuthenticationToken atoken) {
-               if(atoken instanceof UsernamePasswordToken) {
-                       UsernamePasswordToken upt = (UsernamePasswordToken)atoken;
-                       if(apc.getPrimaryPrincipal().getName().equals(upt.getPrincipal())) {
-                               byte[] newhash = getSaltedCred(new String(upt.getPassword()));
-                               if(newhash.length==hash.length) {
-                                       for(int i=0;i<hash.length;++i) {
-                                               if(hash[i]!=newhash[i]) {
-                                                       return false;
-                                               }
-                                       }
-                                       return true;
-                               }
-                       }
-               }
-               return false;
-       }
-       
-       private byte[] getSaltedCred(String password) {
-               byte[] pbytes = password.getBytes();
-               ByteBuffer bb = ByteBuffer.allocate(pbytes.length+Integer.SIZE/8);
-               bb.asIntBuffer().put(salt);
-               bb.put(password.getBytes());
-               try {
-                       return Hash.hashSHA256(bb.array());
-               } catch (NoSuchAlgorithmException e) {
-                       return new byte[0]; // should never get here
-               }
-       }
-}
diff --git a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java
deleted file mode 100644 (file)
index bfdc6bf..0000000
+++ /dev/null
@@ -1,94 +0,0 @@
-/**
- * ============LICENSE_START====================================================
- * org.onap.aaf
- * ===========================================================================
- * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
- * ===========================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *      http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END====================================================
- *
- */
-package org.onap.aaf.cadi.shiro;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.authz.Permission;
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.Access.Level;
-
-/**
- * We treat "roles" and "permissions" in a similar way for first pass.
- * 
- * @author JonathanGathman
- *
- */
-public class AAFAuthorizationInfo implements AuthorizationInfo {
-       private static final long serialVersionUID = -4805388954462426018L;
-       private Access access;
-       private Principal bait;
-       private List<org.onap.aaf.cadi.Permission> pond;
-       private ArrayList<String> sPerms;
-       private ArrayList<Permission> oPerms;
-
-       public AAFAuthorizationInfo(Access access, Principal bait, List<org.onap.aaf.cadi.Permission> pond) {
-               this.access = access;
-               this.bait = bait;
-               this.pond = pond;
-               sPerms=null;
-               oPerms=null;
-       }
-       
-       public Principal principal() {
-               return bait;
-       }
-       
-       @Override
-       public Collection<Permission> getObjectPermissions() {
-               access.log(Level.DEBUG, "AAFAuthorizationInfo.getObjectPermissions");
-               synchronized(bait) {
-                       if(oPerms == null) {
-                               oPerms = new ArrayList<Permission>(); 
-                               for(final org.onap.aaf.cadi.Permission p : pond) {
-                                       oPerms.add(new AAFShiroPermission(p));
-                               }
-                       }
-               }
-               return oPerms;
-       }
-
-       @Override
-       public Collection<String> getRoles() {
-               access.log(Level.DEBUG, "AAFAuthorizationInfo.getRoles");
-               // Until we decide to make Roles available, tie into String based permissions.
-               return getStringPermissions();
-       }
-
-       @Override
-       public Collection<String> getStringPermissions() {
-               access.log(Level.DEBUG, "AAFAuthorizationInfo.getStringPermissions");
-               synchronized(bait) {
-                       if(sPerms == null) {
-                               sPerms = new ArrayList<String>(); 
-                               for(org.onap.aaf.cadi.Permission p : pond) {
-                                       sPerms.add(p.getKey());
-                               }
-                       }
-               }
-               return sPerms;
-       }
-
-}
diff --git a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java
deleted file mode 100644 (file)
index 145968d..0000000
+++ /dev/null
@@ -1,125 +0,0 @@
-/**
- * ============LICENSE_START====================================================
- * org.onap.aaf
- * ===========================================================================
- * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
- * ===========================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *      http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END====================================================
- *
- */
-package org.onap.aaf.cadi.shiro;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.shiro.subject.PrincipalCollection;
-
-public class AAFPrincipalCollection implements PrincipalCollection {
-       private static final long serialVersionUID = 558246013419818831L;
-       private static final Set<String> realmSet;
-       private final Principal principal;
-       private List<Principal> list=null;
-       private Set<Principal> set=null;
-
-       static {
-               realmSet = new HashSet<String>();
-               realmSet.add(AAFRealm.AAF_REALM);
-       }
-       
-       public AAFPrincipalCollection(Principal p) {
-               principal = p;
-       }
-
-       public AAFPrincipalCollection(final String principalName) {
-               principal =     new Principal() {
-                       private final String name = principalName;
-                       @Override
-                       public String getName() {
-                               return name;
-                       }
-               };
-       }
-
-       @Override
-       public Iterator<Principal> iterator() {
-               return null;
-       }
-
-       @Override
-       public List<Principal> asList() {
-               if(list==null) {
-                       list = new ArrayList<Principal>();
-               }
-               list.add(principal);
-               return list;
-       }
-
-       @Override
-       public Set<Principal> asSet() {
-               if(set==null) {
-                       set = new HashSet<Principal>();
-               }
-               set.add(principal);
-               return set;
-       }
-
-       @SuppressWarnings("unchecked")
-       @Override
-       public <T> Collection<T> byType(Class<T> cls) {
-               Collection<T> coll = new ArrayList<T>();
-               if(cls.isAssignableFrom(Principal.class)) {
-                       coll.add((T)principal);
-               }
-               return coll;
-       }
-
-       @Override
-       public Collection<Principal> fromRealm(String realm) {
-               if(AAFRealm.AAF_REALM.equals(realm)) {
-                       return asList();
-               } else {
-                       return new ArrayList<Principal>();
-               }
-       }
-
-       @Override
-       public Principal getPrimaryPrincipal() {
-               return principal;
-       }
-
-       @Override
-       public Set<String> getRealmNames() {
-               return realmSet;
-       }
-
-       @Override
-       public boolean isEmpty() {
-               return principal==null;
-       }
-
-       @SuppressWarnings("unchecked")
-       @Override
-       public <T> T oneByType(Class<T> cls) {
-               if(cls.isAssignableFrom(Principal.class)) {
-                       return (T)principal;
-               }
-               return null;
-       }
-
-}
diff --git a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java
deleted file mode 100644 (file)
index 006547a..0000000
+++ /dev/null
@@ -1,142 +0,0 @@
-/**
- * ============LICENSE_START====================================================
- * org.onap.aaf
- * ===========================================================================
- * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
- * ===========================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *      http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END====================================================
- *
- */
-package org.onap.aaf.cadi.shiro;
-
-import java.io.IOException;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.realm.AuthorizingRealm;
-import org.apache.shiro.subject.PrincipalCollection;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.LocatorException;
-import org.onap.aaf.cadi.Permission;
-import org.onap.aaf.cadi.PropAccess;
-import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
-import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
-import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.misc.env.APIException;
-
-public class AAFRealm extends AuthorizingRealm {
-       public static final String AAF_REALM = "AAFRealm";
-       
-       private PropAccess access;
-       private AAFCon<?> acon;
-       private AAFAuthn<?> authn;
-       private HashSet<Class<? extends AuthenticationToken>> supports;
-       private AAFLurPerm authz;
-       
-
-       /**
-        * 
-        * There appears to be no configuration objects or references available for CADI to start with.
-        *  
-        */
-       public AAFRealm () {
-               access = new PropAccess(); // pick up cadi_prop_files from VM_Args
-               String cadi_prop_files = access.getProperty(Config.CADI_PROP_FILES);
-               if(cadi_prop_files==null) {
-                       String msg = Config.CADI_PROP_FILES + " in VM Args is required to initialize AAFRealm.";
-                       access.log(Level.INIT,msg);
-                       throw new RuntimeException(msg);
-               } else {
-                       try {
-                               acon = AAFCon.newInstance(access);
-                               authn = acon.newAuthn();
-                               authz = acon.newLur(authn);
-                       } catch (APIException | CadiException | LocatorException e) {
-                               String msg = "Cannot initiate AAFRealm";
-                               access.log(Level.INIT,msg,e.getMessage());
-                               throw new RuntimeException(msg,e);
-                       }
-               }
-               supports = new HashSet<Class<? extends AuthenticationToken>>();
-               supports.add(UsernamePasswordToken.class);
-       }
-
-       @Override
-       protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
-               access.log(Level.DEBUG, "AAFRealm.doGetAuthenticationInfo",token);
-               
-               final UsernamePasswordToken upt = (UsernamePasswordToken)token;
-               String password=new String(upt.getPassword());
-               String err;
-               try {
-                       err = authn.validate(upt.getUsername(),password);
-               } catch (IOException|CadiException e) {
-                       err = "Credential cannot be validated";
-                       access.log(e, err);
-               }
-               
-               if(err != null) {
-                       access.log(Level.DEBUG, err);
-                       throw new AuthenticationException(err);
-               }
-
-           return new AAFAuthenticationInfo(
-                       access,
-                       upt.getUsername(),
-                       password
-           );
-       }
-
-       @Override
-       protected void assertCredentialsMatch(AuthenticationToken atoken, AuthenticationInfo ai)throws AuthenticationException {
-               if(ai instanceof AAFAuthenticationInfo) {
-                       if(!((AAFAuthenticationInfo)ai).matches(atoken)) {
-                               throw new AuthenticationException("Credentials do not match");
-                       }
-               } else {
-                       throw new AuthenticationException("AuthenticationInfo is not an AAFAuthenticationInfo");
-               }
-       }
-
-
-       @Override
-       protected AAFAuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
-               access.log(Level.DEBUG, "AAFRealm.doGetAuthenthorizationInfo");
-               Principal bait = (Principal)principals.getPrimaryPrincipal();
-               List<Permission> pond = new ArrayList<Permission>();
-               authz.fishAll(bait,pond);
-               
-               return new AAFAuthorizationInfo(access,bait,pond);
-       
-       }
-
-       @Override
-       public boolean supports(AuthenticationToken token) {
-               return supports.contains(token.getClass());
-       }
-
-       @Override
-       public String getName() {
-               return AAF_REALM;
-       }
-
-}
diff --git a/cadi/shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java b/cadi/shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java
deleted file mode 100644 (file)
index add449c..0000000
+++ /dev/null
@@ -1,93 +0,0 @@
-/**
- * ============LICENSE_START====================================================
- * org.onap.aaf
- * ===========================================================================
- * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
- * ===========================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *      http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END====================================================
- *
- */
-package org.onap.aaf.cadi.shiro.test;
-
-import java.util.ArrayList;
-
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.authz.Permission;
-import org.apache.shiro.subject.PrincipalCollection;
-import org.junit.Test;
-import org.onap.aaf.cadi.aaf.AAFPermission;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.cadi.shiro.AAFRealm;
-import org.onap.aaf.cadi.shiro.AAFShiroPermission;
-
-import junit.framework.Assert;
-
-public class JU_AAFRealm {
-
-       // TODO: Ian - fix this test
-       // @Test
-       // public void test() {
-       //      // NOTE This is a live test.  This JUnit needs to be built with "Mock"
-       //      try {
-       //              System.setProperty(Config.CADI_PROP_FILES, "/opt/app/osaaf/etc/org.osaaf.common.props");
-       //              TestAAFRealm ar = new TestAAFRealm();
-                       
-       //              UsernamePasswordToken upt = new UsernamePasswordToken("jonathan@people.osaaf.org", "new2You!");
-       //              AuthenticationInfo ani = ar.authn(upt);
-                       
-       //              AuthorizationInfo azi = ar.authz(ani.getPrincipals());
-       //              // Change this to something YOU have, Sai...
-                       
-       //              testAPerm(true,azi,"org.access","something","*");
-       //              testAPerm(false,azi,"org.accessX","something","*");
-       //      } catch (Throwable t) {
-       //              t.printStackTrace();
-       //              Assert.fail();
-       //      }
-       // }
-
-       private void testAPerm(boolean expect,AuthorizationInfo azi, String type, String instance, String action) {
-               
-               AAFShiroPermission testPerm = new AAFShiroPermission(new AAFPermission(type,instance,action,new ArrayList<String>()));
-
-               boolean any = false;
-               for(Permission p : azi.getObjectPermissions()) {
-                       if(p.implies(testPerm)) {
-                               any = true;
-                       }
-               }
-               if(expect) {
-                       Assert.assertTrue(any);
-               } else {
-                       Assert.assertFalse(any);
-               }
-
-               
-       }
-
-       /**
-        * Note, have to create a derived class, because "doGet"... are protected
-        */
-       private class TestAAFRealm extends AAFRealm {
-               public AuthenticationInfo authn(UsernamePasswordToken upt) {
-                       return doGetAuthenticationInfo(upt);
-               }
-               public AuthorizationInfo authz(PrincipalCollection pc) {
-                       return doGetAuthorizationInfo(pc);
-               }
-               
-       }
-}
diff --git a/conf/CA/intermediate.sh b/conf/CA/intermediate.sh
deleted file mode 100644 (file)
index b207150..0000000
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Initialize a manual Cert.  This is NOT entered in Certman Records
-#
-  if [ -e intermediate.serial ]; then
-    ((SERIAL=`cat intermediate.serial` + 1))
-  else
-    SERIAL=1
-  fi
-  echo $SERIAL > intermediate.serial
-DIR=intermediate_$SERIAL
-
-mkdir -p $DIR/private $DIR/certs $DIR/newcerts
-chmod 700 $DIR/private
-chmod 755 $DIR/certs $DIR/newcerts
-touch $DIR/index.txt
-if [ ! -e $DIR/serial ]; then
-  echo '01' > $DIR/serial
-fi
-cp manual.sh p12.sh subject.aaf $DIR
-
-if [  "$1" == "" ]; then
-  CN=intermediateCA_$SERIAL
-else
-  CN=$1
-fi
-
-SUBJECT="/CN=$CN`cat subject.aaf`"
-echo $SUBJECT
-  echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
-  echo "Enter the PassPhrase for the Key for $CN: "
-  `stty -echo`
-  read PASSPHRASE
-  `stty echo`
-  # Create a regaular rsa encrypted key
-  openssl req -new -newkey rsa:4096 -sha256 -keyout $DIR/private/ca.key \
-          -out $DIR/$CN.csr -outform PEM -subj "$SUBJECT" \
-          -passout stdin  << EOF
-$PASSPHRASE
-EOF
-
-  chmod 400 $DIR/private/$CN.key 
-  openssl req -verify -text -noout -in $DIR/$CN.csr
-
-  # Sign it
-  openssl ca -config openssl.conf -extensions v3_intermediate_ca \
-     -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
-       -infiles $DIR/$CN.csr
-
-    openssl x509 -text -noout -in $DIR/certs/ca.crt
-
-
-     openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt
-
-
-
-
index 88b524b..9410305 100644 (file)
@@ -44,7 +44,8 @@ EOF
 
   # Sign it
   openssl ca -config openssl.conf -extensions v3_intermediate_ca \
-     -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
+       -days 1826 \
+       -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
        -infiles $DIR/$CN.csr
 
     openssl x509 -text -noout -in $DIR/certs/ca.crt
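Review bot: The `-days 1826` added to the `openssl ca` signing call hard-codes the intermediate CA's lifetime without saying where the number comes from or letting an operator change it. I would extend the existing `# Sign it` comment to something like `# Sign it; 1826 days = 5 years including one leap day` and make the value overridable with `-days "${INTERMEDIATE_DAYS:-1826}" \`. As far as I know, `openssl ca` does not shorten the requested period to the issuer's own expiry, so an intermediate signed late in the life of `certs/ca.crt` could carry a notAfter beyond its issuer's. Printing the issuer's end date before signing, for example `openssl x509 -enddate -noout -in certs/ca.crt`, would let the operator notice that case. The hunk shows only the signing step, so the rest of the script may already cover this.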
diff --git a/docs/.gitignore b/docs/.gitignore
new file mode 100644 (file)
index 0000000..965350d
--- /dev/null
@@ -0,0 +1,5 @@
+/_static/
+/etc/
+/.tox/
+/conf.py
+/tox.ini
index 3ce3313..3b903c2 100644 (file)
@@ -13,11 +13,18 @@ This is a critical function for Cloud environments, as Services need to be able
 To be effective during a computer transaction, Security must not only be secure, but very fast. Given that each transaction must be checked and validated for Authorization and Authentication, it is critical that all elements on this path perform optimally.
 
 
+Sections
+++++++++
 
 .. toctree::
-   :maxdepth: 3
-   
-
+   :maxdepth: 1
+   :glob:
+
+   sections/architecture/index
+   sections/installation/index
+   sections/configuration/index
+   sections/logging
+   sections/release-notes
    
 Introduction
 ------------
@@ -25,7 +32,7 @@ AAF contains some elements of Role Based Authorization, but includes Attribute B
 
 |image0|
 
-.. |image0| image:: aaf-object-model.jpg
+.. |image0| image:: sections/architecture/images/aaf-object-model.jpg
    :height: 600px
    :width: 800px
 
@@ -41,5 +48,3 @@ The Data is managed by RESTful API, with Admin functions supplemented by Charact
 -CADI (A Framework for providing Enterprise Class Authentication and Authorization with minimal configuration to Containers and Standalone Services)
 
 -Cassandra (GRID Core)
-
--Hadoop Plugin (a plugin via Hadoop Group Mapper mechanism)
diff --git a/docs/sections/architecture/aaf_architecture.rst b/docs/sections/architecture/aaf_architecture.rst
new file mode 100644 (file)
index 0000000..815a5a4
--- /dev/null
@@ -0,0 +1,38 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+AAF Architecture
+================
+AAF is designed to cover Fine-Grained Authorization, meaning that the Authorizations provided are able to used an Application’s detailed authorizations, such as whether a user may be on a particular page, or has access to a particular Pub-SUB topic controlled within the App.
+
+This is a critical function for Cloud environments, as Services need to be able to be installed and running in a very short time, and should not be encumbered with local configurations of Users, Permissions and Passwords.
+
+To be effective during a computer transaction, Security must not only be secure, but very fast. Given that each transaction must be checked and validated for Authorization and Authentication, it is critical that all elements on this path perform optimally.
+
+|image0|
+
+.. |image0| image:: images/aaf-object-model.jpg
+   :height: 600px
+   :width: 800px
+
+Certificate Manager
+===================
+
+Overview
+--------
+Every secure transaction requires 1) Encryption 2) Authentication 3) Authorization.  
+
+ - HTTP/S provides the core Encryption whenever used, so all of AAF Components require HTTP/S to the current protocol standards (current is TLS 1.1+ as of Nov 2016)
+ - HTTP/S requires X.509 certificates at least on the Server at minimum. (in this mode, 1 way, a client Certificate is generated)
+ - Certificate Manager can generate certificates signed by the AT&T Internal Certificate Authority, which is secure and cost effective if external access are not needed
+ - These same certificates can be used for identifying the Application during the HTTP/S transaction, making a separate UserID/Password unnecessary for Authentication.
+ - Authentication - In order to tie generated certificates to a specific Application Identity, AAF Certificate Manager embeds a ILM AppID in the Subject.  These are created by AT&T specific Internal Certificate Authority, which only generates certificates for AAF Certman.  Since AAF Certman validates the Sponsorship of the AppID with requests (automatically), the end user can depend on the AppID embedded in the Subject to be valid without resorting to external calls or passwords.
+
+ - ex:
+   - Authorization - AAF Certman utilizes AAF's Fine-grained authorizations to ensure that only the right entities perform functions, thus ensuring the integrity of the entire Certificate Process
+
+|image1|
+
+.. |image1| image:: images/aaf-cm.png
+   :height: 768px
+   :width: 1024px
diff --git a/docs/sections/architecture/images/SecurityArchAAF.svg b/docs/sections/architecture/images/SecurityArchAAF.svg
new file mode 100644 (file)
index 0000000..34b592a
--- /dev/null
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="210.566" height="286.166" viewBox="0, 0, 210.566, 286.166">
+  <g id="AAF" transform="translate(-283.488, -41.5)">
+    <g>
+      <path d="M360.277,242.79 L448.072,242.79 C452.228,242.79 455.597,244.074 455.597,245.659 L455.597,276.982 C455.597,278.567 452.228,279.851 448.072,279.851 L360.277,279.851 C356.12,279.851 352.751,278.567 352.751,276.982 L352.751,245.659 C352.751,244.074 356.12,242.79 360.277,242.79 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 404.174, 264.314)">
+        <tspan x="-16.57" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Service</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,79.5 L428.002,79.5 C430.693,79.5 432.875,80.785 432.875,82.369 L432.875,113.692 C432.875,115.277 430.693,116.562 428.002,116.562 L371.153,116.562 C368.462,116.562 366.281,115.277 366.281,113.692 L366.281,82.369 C366.281,80.785 368.462,79.5 371.153,79.5 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.578, 101.024)">
+        <tspan x="-20.745" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cert Man</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,201.967 L428.002,201.967 C430.693,201.967 432.874,203.252 432.874,204.837 L432.874,236.16 C432.874,237.744 430.693,239.029 428.002,239.029 L371.153,239.029 C368.462,239.029 366.28,237.744 366.28,236.16 L366.28,204.837 C366.28,203.252 368.462,201.967 371.153,201.967 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.577, 223.491)">
+        <tspan x="-14.175" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">OAuth</tspan>
+      </text>
+    </g>
+    <path d="M305.139,73 L493.554,73 L493.554,327.166 L305.139,327.166 L305.139,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+    <text transform="matrix(1, 0, 0, 1, 380.99, 60.5)">
+      <tspan x="-12.155" y="-7" font-family="HelveticaNeue" font-size="13" fill="#000000" fill-opacity="0.87">AAF</tspan>
+      <tspan x="12.155" y="-7" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87"> </tspan>
+      <tspan x="-76.495" y="5" font-family="HelveticaNeue" font-size="9" fill="#000000" fill-opacity="0.87">(Application Authorization Framework)</tspan>
+    </text>
+    <g>
+      <path d="M355.161,279.851 L383.272,279.851 C384.603,279.851 385.682,280.931 385.682,282.263 L385.682,308.589 C385.682,309.92 384.603,311 383.272,311 L355.161,311 C353.83,311 352.751,309.92 352.751,308.589 L352.751,282.263 C352.751,280.931 353.83,279.851 355.161,279.851 z" fill="#15C6D6" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 369.216, 297.941)">
+        <tspan x="-13.155" y="1.374" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authn</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M390.797,278.605 L450.482,278.605 C453.307,278.605 455.597,279.728 455.597,281.113 L455.597,308.492 C455.597,309.877 453.307,311 450.482,311 L390.797,311 C387.972,311 385.682,309.877 385.682,308.492 L385.682,281.113 C385.682,279.728 387.972,278.605 390.797,278.605 z" fill="#D6AF15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 420.639, 297.419)">
+        <tspan x="-12.775" y="1.029" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authz</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,161.145 L428.002,161.145 C430.693,161.145 432.875,162.43 432.875,164.014 L432.875,195.337 C432.875,196.922 430.693,198.207 428.002,198.207 L371.153,198.207 C368.462,198.207 366.281,196.922 366.281,195.337 L366.281,164.014 C366.281,162.43 368.462,161.145 371.153,161.145 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.578, 182.669)">
+        <tspan x="-17.13" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Locator</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,120.322 L428.002,120.322 C430.693,120.322 432.875,121.607 432.875,123.192 L432.875,154.515 C432.875,156.099 430.693,157.384 428.002,157.384 L371.153,157.384 C368.462,157.384 366.281,156.099 366.281,154.515 L366.281,123.192 C366.281,121.607 368.462,120.322 371.153,120.322 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.578, 138.083)">
+        <tspan x="-8.7" y="-1.5" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">GUI </tspan>
+        <tspan x="-25.564" y="8.5" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">(Management)</tspan>
+      </text>
+    </g>
+  </g>
+</svg>
diff --git a/docs/sections/architecture/images/SecurityArchAAFOrg.svg b/docs/sections/architecture/images/SecurityArchAAFOrg.svg
new file mode 100644 (file)
index 0000000..f003b81
--- /dev/null
@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="427.813" height="340" viewBox="0, 0, 427.813, 340">
+  <g id="Connections" transform="translate(-66.241, -41.5)">
+    <g>
+      <path d="M366.78,98.146 L209.158,119.643" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M208.753,116.671 L201.232,120.724 L209.564,122.616 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M353.251,291.445 L206.695,276.655" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M206.996,273.67 L198.736,275.852 L206.394,279.64 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <text transform="matrix(0.991, -0.136, 0.136, 0.991, 269.475, 112.33)">
+      <tspan x="-11" y="-7.49" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Sign</tspan>
+      <tspan x="-14.052" y="9.31" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">CSRs</tspan>
+    </text>
+    <text transform="matrix(0.996, 0.095, -0.095, 0.996, 260.93, 287.412)">
+      <tspan x="-21.796" y="-9.522" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Delegate</tspan>
+      <tspan x="-26.493" y="6.078" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">by Domain</tspan>
+    </text>
+    <g>
+      <path d="M353.251,263.072 L211.399,240.185" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M211.877,237.223 L203.501,238.911 L210.921,243.147 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+  </g>
+  <g id="AAF" transform="translate(-66.241, -41.5)">
+    <g>
+      <path d="M360.277,242.79 L448.072,242.79 C452.228,242.79 455.597,244.074 455.597,245.659 L455.597,276.982 C455.597,278.567 452.228,279.851 448.072,279.851 L360.277,279.851 C356.12,279.851 352.751,278.567 352.751,276.982 L352.751,245.659 C352.751,244.074 356.12,242.79 360.277,242.79 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 404.174, 264.314)">
+        <tspan x="-16.57" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Service</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,79.5 L428.002,79.5 C430.693,79.5 432.875,80.785 432.875,82.369 L432.875,113.692 C432.875,115.277 430.693,116.562 428.002,116.562 L371.153,116.562 C368.462,116.562 366.281,115.277 366.281,113.692 L366.281,82.369 C366.281,80.785 368.462,79.5 371.153,79.5 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.578, 101.024)">
+        <tspan x="-20.745" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cert Man</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,201.967 L428.002,201.967 C430.693,201.967 432.874,203.252 432.874,204.837 L432.874,236.16 C432.874,237.744 430.693,239.029 428.002,239.029 L371.153,239.029 C368.462,239.029 366.28,237.744 366.28,236.16 L366.28,204.837 C366.28,203.252 368.462,201.967 371.153,201.967 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.577, 223.491)">
+        <tspan x="-14.175" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">OAuth</tspan>
+      </text>
+    </g>
+    <path d="M305.139,73 L493.554,73 L493.554,327.166 L305.139,327.166 L305.139,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+    <text transform="matrix(1, 0, 0, 1, 380.99, 60.5)">
+      <tspan x="-12.155" y="-7" font-family="HelveticaNeue" font-size="13" fill="#000000" fill-opacity="0.87">AAF</tspan>
+      <tspan x="12.155" y="-7" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87"> </tspan>
+      <tspan x="-76.495" y="5" font-family="HelveticaNeue" font-size="9" fill="#000000" fill-opacity="0.87">(Application Authorization Framework)</tspan>
+    </text>
+    <g>
+      <path d="M355.161,279.851 L383.272,279.851 C384.603,279.851 385.682,280.931 385.682,282.263 L385.682,308.589 C385.682,309.92 384.603,311 383.272,311 L355.161,311 C353.83,311 352.751,309.92 352.751,308.589 L352.751,282.263 C352.751,280.931 353.83,279.851 355.161,279.851 z" fill="#15C6D6" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 369.216, 297.941)">
+        <tspan x="-13.155" y="1.374" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authn</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M390.797,278.605 L450.482,278.605 C453.307,278.605 455.597,279.728 455.597,281.113 L455.597,308.492 C455.597,309.877 453.307,311 450.482,311 L390.797,311 C387.972,311 385.682,309.877 385.682,308.492 L385.682,281.113 C385.682,279.728 387.972,278.605 390.797,278.605 z" fill="#D6AF15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 420.639, 297.419)">
+        <tspan x="-12.775" y="1.029" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authz</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,161.145 L428.002,161.145 C430.693,161.145 432.875,162.43 432.875,164.014 L432.875,195.337 C432.875,196.922 430.693,198.207 428.002,198.207 L371.153,198.207 C368.462,198.207 366.281,196.922 366.281,195.337 L366.281,164.014 C366.281,162.43 368.462,161.145 371.153,161.145 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.578, 182.669)">
+        <tspan x="-17.13" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Locator</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,120.322 L428.002,120.322 C430.693,120.322 432.875,121.607 432.875,123.192 L432.875,154.515 C432.875,156.099 430.693,157.384 428.002,157.384 L371.153,157.384 C368.462,157.384 366.281,156.099 366.281,154.515 L366.281,123.192 C366.281,121.607 368.462,120.322 371.153,120.322 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.578, 138.083)">
+        <tspan x="-8.7" y="-1.5" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">GUI </tspan>
+        <tspan x="-25.564" y="8.5" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">(Management)</tspan>
+      </text>
+    </g>
+  </g>
+  <g id="Organization" transform="translate(-66.241, -41.5)">
+    <g>
+      <path d="M89.448,90 L191.034,90 C195.843,90 199.741,92.149 199.741,94.8 L199.741,147.2 C199.741,149.851 195.843,152 191.034,152 L89.448,152 C84.639,152 80.741,149.851 80.741,147.2 L80.741,94.8 C80.741,92.149 84.639,90 89.448,90 z" fill="#4D9BAF" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 139.612, 119)">
+        <tspan x="-38.87" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Certificate</tspan>
+        <tspan x="-34.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Authority</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M89.448,299 L191.034,299 C195.843,299 199.741,301.149 199.741,303.8 L199.741,356.2 C199.741,358.851 195.843,361 191.034,361 L89.448,361 C84.639,361 80.741,358.851 80.741,356.2 L80.741,303.8 C80.741,301.149 84.639,299 89.448,299 z" fill="#4D9BAF" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 139.612, 330.5)">
+        <tspan x="-17.629" y="-7" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">DNS</tspan>
+        <tspan x="-25.454" y="7" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">(Externally </tspan>
+        <tspan x="-17.314" y="19" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">Visible)</tspan>
+      </text>
+    </g>
+    <path d="M67.741,73 L213.741,73 L213.741,381 L67.741,381 L67.741,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+    <g>
+      <g>
+        <path d="M89.448,157.75 L191.034,157.75 C195.843,157.75 199.741,162.447 199.741,168.24 L199.741,282.76 C199.741,288.553 195.843,293.25 191.034,293.25 L89.448,293.25 C84.639,293.25 80.741,288.553 80.741,282.76 L80.741,168.24 C80.741,162.447 84.639,157.75 89.448,157.75 z" fill="#4D9BAF" fill-opacity="0.87"/>
+        <text transform="matrix(-0, -1, 1, -0, 140.241, 211.015)">
+          <tspan x="-24.744" y="-34.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Formal</tspan>
+          <tspan x="-45.104" y="-16.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Organization</tspan>
+        </text>
+      </g>
+      <g>
+        <path d="M142.278,176.934 L195.204,176.934 C197.71,176.934 199.741,178.038 199.741,179.401 L199.741,206.325 C199.741,207.687 197.71,208.792 195.204,208.792 L142.278,208.792 C139.772,208.792 137.741,207.687 137.741,206.325 L137.741,179.401 C137.741,178.038 139.772,176.934 142.278,176.934 z" fill="#438596" fill-opacity="0.87"/>
+        <text transform="matrix(1, 0, 0, 1, 168.741, 192.863)">
+          <tspan x="-22.914" y="-2.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Notification</tspan>
+          <tspan x="-15.089" y="8.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">System</tspan>
+        </text>
+      </g>
+      <g>
+        <path d="M142.278,216.731 L195.204,216.731 C197.71,216.731 199.741,217.835 199.741,219.197 L199.741,246.122 C199.741,247.484 197.71,248.588 195.204,248.588 L142.278,248.588 C139.772,248.588 137.741,247.484 137.741,246.122 L137.741,219.197 C137.741,217.835 139.772,216.731 142.278,216.731 z" fill="#438596" fill-opacity="0.87"/>
+        <text transform="matrix(1, 0, 0, 1, 168.741, 232.978)">
+          <tspan x="-16.335" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Identity/</tspan>
+          <tspan x="-19.166" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Hierarchy</tspan>
+        </text>
+      </g>
+      <g>
+        <path d="M142.278,255.89 L195.204,255.89 C197.71,255.89 199.741,256.994 199.741,258.356 L199.741,285.281 C199.741,286.643 197.71,287.747 195.204,287.747 L142.278,287.747 C139.772,287.747 137.741,286.643 137.741,285.281 L137.741,258.356 C137.741,256.994 139.772,255.89 142.278,255.89 z" fill="#438596" fill-opacity="0.87"/>
+        <text transform="matrix(1, 0, 0, 1, 168.741, 272.137)">
+          <tspan x="-19.507" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Company </tspan>
+          <tspan x="-16.42" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Authn(s)</tspan>
+        </text>
+      </g>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 126.872, 60.5)">
+      <tspan x="-59.631" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Organizationally Defined</tspan>
+    </text>
+  </g>
+</svg>
diff --git a/docs/sections/architecture/images/SecurityArchBasic_1.svg b/docs/sections/architecture/images/SecurityArchBasic_1.svg
new file mode 100644 (file)
index 0000000..1066f2c
--- /dev/null
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="516.973" height="313.5" viewBox="0, 0, 516.973, 313.5">
+  <g id="Basics" transform="translate(-175.969, -237)">
+    <path d="M186.675,488.5 L303.255,488.5 C308.773,488.5 313.247,490.649 313.247,493.3 L313.247,545.7 C313.247,548.351 308.773,550.5 303.255,550.5 L186.675,550.5 C181.156,550.5 176.682,548.351 176.682,545.7 L176.682,493.3 C176.682,490.649 181.156,488.5 186.675,488.5 z" fill="#38AB4E"/>
+    <text transform="matrix(1, 0, 0, 1, 244.965, 519.497)">
+      <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+      <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+    </text>
+    <path d="M581.936,464.5 L683.521,464.5 C688.33,464.5 692.229,467.481 692.229,471.158 L692.229,543.841 C692.229,547.519 688.33,550.5 683.521,550.5 L581.936,550.5 C577.127,550.5 573.229,547.519 573.229,543.841 L573.229,471.158 C573.229,467.481 577.127,464.5 581.936,464.5 z" fill="#38AB4E"/>
+    <g>
+      <path d="M582.649,237 L684.234,237 C689.043,237 692.942,239.149 692.942,241.8 L692.942,294.2 C692.942,296.851 689.043,299 684.234,299 L582.649,299 C577.84,299 573.942,296.851 573.942,294.2 L573.942,241.8 C573.942,239.149 577.84,237 582.649,237 z" fill="#7A40CA" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 635.812, 266)">
+        <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+        <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M631.441,299.5 L633.285,442" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M630.285,442.039 L633.388,450 L636.285,441.962 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M574.31,520.114 L335.202,521.06" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M335.19,518.06 L327.202,521.091 L335.214,524.06 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 632.729, 504.138)">
+      <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+      <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+    </text>
+    <path d="M185.961,488.5 L302.541,488.5 C308.06,488.5 312.534,490.649 312.534,493.3 L312.534,545.7 C312.534,548.351 308.06,550.5 302.541,550.5 L185.961,550.5 C180.442,550.5 175.969,548.351 175.969,545.7 L175.969,493.3 C175.969,490.649 180.442,488.5 185.961,488.5 z" fill="#38AB4E"/>
+    <text transform="matrix(1, 0, 0, 1, 244.251, 519.498)">
+      <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+      <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+    </text>
+    <path d="M581.222,464.5 L682.808,464.5 C687.617,464.5 691.515,467.481 691.515,471.158 L691.515,543.842 C691.515,547.519 687.617,550.5 682.808,550.5 L581.222,550.5 C576.413,550.5 572.515,547.519 572.515,543.842 L572.515,471.158 C572.515,467.481 576.413,464.5 581.222,464.5 z" fill="#38AB4E"/>
+    <g>
+      <path d="M581.936,237 L683.521,237 C688.33,237 692.229,239.149 692.229,241.8 L692.229,294.2 C692.229,296.851 688.33,299 683.521,299 L581.936,299 C577.127,299 573.229,296.851 573.229,294.2 L573.229,241.8 C573.229,239.149 577.127,237 581.936,237 z" fill="#7A40CA" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 635.099, 266)">
+        <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+        <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+      </text>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 632.015, 504.139)">
+      <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+      <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+    </text>
+  </g>
+</svg>
diff --git a/docs/sections/architecture/images/SecurityArchBasic_TLS.svg b/docs/sections/architecture/images/SecurityArchBasic_TLS.svg
new file mode 100644 (file)
index 0000000..664593b
--- /dev/null
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="517.817" height="313.5" viewBox="0, 0, 517.817, 313.5">
+  <g id="TLS" transform="translate(-175.969, -237)">
+    <text transform="matrix(-0, 1, -1, -0, 639.901, 366.492)">
+      <tspan x="-22.253" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">TLS 1.2+</tspan>
+    </text>
+    <text transform="matrix(1, -0, 0, 1, 439.736, 509.201)">
+      <tspan x="-22.253" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">TLS 1.2+</tspan>
+    </text>
+    <text transform="matrix(1, 0, 0, 1, 634.155, 457.499)">
+      <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+    </text>
+    <text transform="matrix(-0, 1, -1, -0, 320.012, 516.681)">
+      <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+    </text>
+  </g>
+  <g id="Basics" transform="translate(-175.969, -237)">
+    <path d="M186.675,488.5 L303.255,488.5 C308.773,488.5 313.247,490.649 313.247,493.3 L313.247,545.7 C313.247,548.351 308.773,550.5 303.255,550.5 L186.675,550.5 C181.156,550.5 176.682,548.351 176.682,545.7 L176.682,493.3 C176.682,490.649 181.156,488.5 186.675,488.5 z" fill="#38AB4E"/>
+    <text transform="matrix(1, 0, 0, 1, 244.965, 519.497)">
+      <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+      <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+    </text>
+    <path d="M581.936,464.5 L683.521,464.5 C688.33,464.5 692.229,467.481 692.229,471.158 L692.229,543.841 C692.229,547.519 688.33,550.5 683.521,550.5 L581.936,550.5 C577.127,550.5 573.229,547.519 573.229,543.841 L573.229,471.158 C573.229,467.481 577.127,464.5 581.936,464.5 z" fill="#38AB4E"/>
+    <g>
+      <path d="M582.649,237 L684.234,237 C689.043,237 692.942,239.149 692.942,241.8 L692.942,294.2 C692.942,296.851 689.043,299 684.234,299 L582.649,299 C577.84,299 573.942,296.851 573.942,294.2 L573.942,241.8 C573.942,239.149 577.84,237 582.649,237 z" fill="#7A40CA" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 635.812, 266)">
+        <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+        <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M631.441,299.5 L633.285,442" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M630.285,442.039 L633.388,450 L636.285,441.962 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M574.31,520.114 L335.202,521.06" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M335.19,518.06 L327.202,521.091 L335.214,524.06 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 632.729, 504.138)">
+      <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+      <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+    </text>
+    <path d="M185.961,488.5 L302.541,488.5 C308.06,488.5 312.534,490.649 312.534,493.3 L312.534,545.7 C312.534,548.351 308.06,550.5 302.541,550.5 L185.961,550.5 C180.442,550.5 175.969,548.351 175.969,545.7 L175.969,493.3 C175.969,490.649 180.442,488.5 185.961,488.5 z" fill="#38AB4E"/>
+    <text transform="matrix(1, 0, 0, 1, 244.251, 519.498)">
+      <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+      <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+    </text>
+    <path d="M581.222,464.5 L682.808,464.5 C687.617,464.5 691.515,467.481 691.515,471.158 L691.515,543.842 C691.515,547.519 687.617,550.5 682.808,550.5 L581.222,550.5 C576.413,550.5 572.515,547.519 572.515,543.842 L572.515,471.158 C572.515,467.481 576.413,464.5 581.222,464.5 z" fill="#38AB4E"/>
+    <g>
+      <path d="M581.936,237 L683.521,237 C688.33,237 692.229,239.149 692.229,241.8 L692.229,294.2 C692.229,296.851 688.33,299 683.521,299 L581.936,299 C577.127,299 573.229,296.851 573.229,294.2 L573.229,241.8 C573.229,239.149 577.127,237 581.936,237 z" fill="#7A40CA" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 635.099, 266)">
+        <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+        <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+      </text>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 632.015, 504.139)">
+      <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+      <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+    </text>
+  </g>
+</svg>
diff --git a/docs/sections/architecture/images/SecurityArchCADI.svg b/docs/sections/architecture/images/SecurityArchCADI.svg
new file mode 100644 (file)
index 0000000..b05a7f9
--- /dev/null
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="517.259" height="323.537" viewBox="0, 0, 517.259, 323.537">
+  <g id="CADI" transform="translate(-176.682, -236.872)">
+    <text transform="matrix(0, 1, -1, 0, 565.177, 521.164)">
+      <tspan x="-28.221" y="1.366" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+    </text>
+    <text transform="matrix(1, -0, 0, 1, 632.729, 307.083)">
+      <tspan x="-28.221" y="1.917" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+    </text>
+    <text transform="matrix(1, 0, -0, 1, 650.783, 318.583)">
+      <tspan x="-31.576" y="1.922" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">or BasicAuth</tspan>
+    </text>
+    <g>
+      <g>
+        <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill="#CA3F3F" fill-opacity="0.862"/>
+        <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      </g>
+      <text transform="matrix(1, 0, 0, 1, 633.442, 452.5)">
+        <tspan x="-26.477" y="2.25" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+      </text>
+    </g>
+    <g>
+      <g>
+        <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill="#CA3F3F"/>
+        <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      </g>
+      <text transform="matrix(-0, 1, -1, -0, 319.997, 519.5)">
+        <tspan x="-19.256" y="1.25" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+      </text>
+    </g>
+    <path d="M186.675,488.372 L303.255,488.372 C308.774,488.372 313.248,490.521 313.248,493.172 L313.248,545.572 C313.248,548.223 308.774,550.372 303.255,550.372 L186.675,550.372 C181.156,550.372 176.682,548.223 176.682,545.572 L176.682,493.172 C176.682,490.521 181.156,488.372 186.675,488.372 z" fill="#38AB4E"/>
+    <text transform="matrix(1, 0, 0, 1, 244.965, 519.37)">
+      <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+      <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+    </text>
+    <path d="M581.936,464.372 L683.522,464.372 C688.331,464.372 692.229,467.353 692.229,471.03 L692.229,543.714 C692.229,547.391 688.331,550.372 683.522,550.372 L581.936,550.372 C577.127,550.372 573.229,547.391 573.229,543.714 L573.229,471.03 C573.229,467.353 577.127,464.372 581.936,464.372 z" fill="#38AB4E"/>
+    <g>
+      <path d="M582.649,236.872 L684.234,236.872 C689.043,236.872 692.942,239.021 692.942,241.672 L692.942,294.072 C692.942,296.723 689.043,298.872 684.234,298.872 L582.649,298.872 C577.84,298.872 573.942,296.723 573.942,294.072 L573.942,241.672 C573.942,239.021 577.84,236.872 582.649,236.872 z" fill="#7A40CA" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 635.812, 265.872)">
+        <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+        <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+      </text>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 631.212, 433.373)">
+      <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+    </text>
+    <g>
+      <path d="M631.442,299.373 L631.943,414.772" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M628.943,414.785 L631.978,422.772 L634.943,414.759 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M574.311,519.987 L353.842,519.762" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M353.845,516.762 L345.842,519.754 L353.839,522.762 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 632.729, 504.011)">
+      <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+      <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+    </text>
+    <text transform="matrix(-0, 1, -1, -0, 337.577, 519.5)">
+      <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+    </text>
+  </g>
+</svg>
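Review bot: The two `HTTP/S` labels in this figure leave open whether plain HTTP is acceptable, and the caption beside the User One arrow reads `X509 Client` / `or BasicAuth` with none of the `TLS 1.2+` captions that SecurityArchBasic_TLS.svg carries. Read on its own, the diagram suggests Basic credentials may cross an unencrypted hop. I would change both label tspans from `HTTP/S` to `HTTPS (TLS 1.2+)`, or keep the TLS caption group in this layer. The same labels recur in SecurityArchCADIClient.svg. Whether the CADI filter refuses BasicAuth over plain HTTP is not visible in this commit, so the accompanying text should state the requirement explicitly.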
diff --git a/docs/sections/architecture/images/SecurityArchCADIClient.svg b/docs/sections/architecture/images/SecurityArchCADIClient.svg
new file mode 100644 (file)
index 0000000..66ab073
--- /dev/null
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="517.259" height="330.354" viewBox="0, 0, 517.259, 330.354">
+  <g id="CADI" transform="translate(-176.682, -236.872)">
+    <text transform="matrix(0, 1, -1, 0, 565.177, 521.164)">
+      <tspan x="-28.221" y="1.366" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+    </text>
+    <text transform="matrix(1, -0, 0, 1, 632.729, 307.083)">
+      <tspan x="-28.221" y="1.917" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+    </text>
+    <text transform="matrix(1, 0, -0, 1, 650.783, 318.583)">
+      <tspan x="-31.576" y="1.922" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">or BasicAuth</tspan>
+    </text>
+    <g>
+      <g>
+        <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill="#CA3F3F" fill-opacity="0.862"/>
+        <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      </g>
+      <text transform="matrix(1, 0, 0, 1, 633.442, 452.5)">
+        <tspan x="-26.477" y="2.25" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+      </text>
+    </g>
+    <g>
+      <g>
+        <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill="#CA3F3F"/>
+        <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      </g>
+      <text transform="matrix(-0, 1, -1, -0, 319.997, 519.5)">
+        <tspan x="-19.256" y="1.25" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+      </text>
+    </g>
+    <path d="M186.675,488.372 L303.255,488.372 C308.774,488.372 313.248,490.521 313.248,493.172 L313.248,545.572 C313.248,548.223 308.774,550.372 303.255,550.372 L186.675,550.372 C181.156,550.372 176.682,548.223 176.682,545.572 L176.682,493.172 C176.682,490.521 181.156,488.372 186.675,488.372 z" fill="#38AB4E"/>
+    <text transform="matrix(1, 0, 0, 1, 244.965, 519.37)">
+      <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+      <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+    </text>
+    <path d="M581.936,464.372 L683.522,464.372 C688.331,464.372 692.229,467.353 692.229,471.03 L692.229,543.714 C692.229,547.391 688.331,550.372 683.522,550.372 L581.936,550.372 C577.127,550.372 573.229,547.391 573.229,543.714 L573.229,471.03 C573.229,467.353 577.127,464.372 581.936,464.372 z" fill="#38AB4E"/>
+    <g>
+      <path d="M582.649,236.872 L684.234,236.872 C689.043,236.872 692.942,239.021 692.942,241.672 L692.942,294.072 C692.942,296.723 689.043,298.872 684.234,298.872 L582.649,298.872 C577.84,298.872 573.942,296.723 573.942,294.072 L573.942,241.672 C573.942,239.021 577.84,236.872 582.649,236.872 z" fill="#7A40CA" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 635.812, 265.872)">
+        <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+        <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+      </text>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 631.212, 433.373)">
+      <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+    </text>
+    <g>
+      <path d="M631.442,299.373 L631.943,414.772" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M628.943,414.785 L631.978,422.772 L634.943,414.759 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M574.311,519.987 L353.842,519.762" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M353.845,516.762 L345.842,519.754 L353.839,522.762 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 632.729, 504.011)">
+      <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+      <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+    </text>
+    <text transform="matrix(-0, 1, -1, -0, 337.577, 519.5)">
+      <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+    </text>
+  </g>
+  <g id="CADI_Client" transform="translate(-176.682, -236.872)">
+    <text transform="matrix(1, -0, 0, 1, 459.076, 543.239)">
+      <tspan x="-89.025" y="-13.986" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Utilize CADI Client REST client (auto </tspan>
+      <tspan x="-89.025" y="-1.986" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">loads credentials, Contexts, etc)</tspan>
+    </text>
+  </g>
+</svg>
diff --git a/docs/sections/architecture/images/SecurityArchFull.svg b/docs/sections/architecture/images/SecurityArchFull.svg
new file mode 100644 (file)
index 0000000..f25fd0c
--- /dev/null
@@ -0,0 +1,275 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="627.701" height="525.726" viewBox="0, 0, 627.701, 525.726">
+  <g id="Direct_AAF" transform="translate(-66.241, -41.5)">
+    <g>
+      <path d="M572.081,454.632 L395.909,317.04" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M397.756,314.675 L389.604,312.116 L394.062,319.404 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M606.551,441 L445.662,316.508" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M447.498,314.135 L439.335,311.612 L443.826,318.88 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <text transform="matrix(0.79, 0.613, -0.613, 0.79, 497.62, 402.334)">
+      <tspan x="-43.687" y="-9.685" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">1) User/Password</tspan>
+      <tspan x="-58.872" y="8.315" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">validation (if Basic Auth)</tspan>
+    </text>
+    <text transform="matrix(0.79, 0.613, -0.613, 0.79, 531.051, 387.658)">
+      <tspan x="-22.418" y="-9.685" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">2) Obtain</tspan>
+      <tspan x="-41.762" y="8.315" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">AAF Permissions</tspan>
+    </text>
+  </g>
+  <g id="AAF_Batch" transform="translate(-66.241, -41.5)">
+    <g>
+      <path d="M351.193,158.06 L351.024,222.389 C351.016,225.434 349.725,227.899 348.14,227.893 L316.818,227.788 C315.233,227.783 313.955,225.31 313.963,222.265 L314.132,157.936 C314.14,154.89 315.431,152.426 317.015,152.431 L348.338,152.537 C349.923,152.542 351.201,155.015 351.193,158.06 z" fill="#D65E15" fill-opacity="0.52"/>
+      <text transform="matrix(-0.003, 1, -1, -0.003, 332.578, 190.162)">
+        <tspan x="-13.15" y="-3.013" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Batch  </tspan>
+        <tspan x="-28.805" y="8.987" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Maintenance</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M314.463,190.662 L209.956,190.662" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M209.956,187.662 L201.956,190.662 L209.956,193.662 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <text transform="matrix(1, 0, -0, 1, 259.372, 193.06)">
+      <tspan x="-19.959" y="-6.244" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Expiring</tspan>
+      <tspan x="-16.604" y="9.356" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Events</tspan>
+    </text>
+    <g>
+      <path d="M200.956,198.706 L229.109,198.706 L229.109,224.632 L209.956,224.632" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M209.956,221.632 L201.956,224.632 L209.956,227.632 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M351.693,200.083 L437.888,200.083" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/>
+      <path d="M437.888,203.083 L445.888,200.083 L437.888,197.083 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+  </g>
+  <g id="AAF_Cassandra" transform="translate(-66.241, -41.5)">
+    <g>
+      <path d="M485.176,158.06 L485.007,222.389 C484.999,225.434 483.708,227.899 482.123,227.893 L450.8,227.788 C449.216,227.783 447.938,225.31 447.946,222.265 L448.114,157.936 C448.122,154.89 449.414,152.426 450.998,152.431 L482.321,152.537 C483.906,152.542 485.184,155.015 485.176,158.06 z" fill="#1715D6" fill-opacity="0.52"/>
+      <text transform="matrix(-0.003, 1, -1, -0.003, 463.496, 190.162)">
+        <tspan x="-24.075" y="-3.013" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cassandra</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M433.476,96.895 L462.989,144.836" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/>
+      <path d="M460.434,146.409 L467.183,151.648 L465.544,143.263 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M433.476,180.993 L439.445,180.993" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/>
+      <path d="M439.445,183.993 L447.445,180.993 L439.445,177.993 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M433.476,219.752 L441.331,213.665" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/>
+      <path d="M443.169,216.036 L447.655,208.765 L439.494,211.294 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M448.674,243.29 L460.62,233.94" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/>
+      <path d="M462.469,236.303 L466.919,229.01 L458.771,231.578 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+  </g>
+  <g id="Connections" transform="translate(-66.241, -41.5)">
+    <g>
+      <path d="M366.78,98.146 L209.158,119.643" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M208.753,116.671 L201.232,120.724 L209.564,122.616 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M353.251,291.445 L206.695,276.655" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M206.996,273.67 L198.736,275.852 L206.394,279.64 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <text transform="matrix(0.991, -0.136, 0.136, 0.991, 269.475, 112.33)">
+      <tspan x="-11" y="-7.49" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Sign</tspan>
+      <tspan x="-14.052" y="9.31" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">CSRs</tspan>
+    </text>
+    <text transform="matrix(0.996, 0.095, -0.095, 0.996, 260.93, 287.412)">
+      <tspan x="-21.796" y="-9.522" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Delegate</tspan>
+      <tspan x="-26.493" y="6.078" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">by Domain</tspan>
+    </text>
+    <g>
+      <path d="M353.251,263.072 L211.399,240.185" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M211.877,237.223 L203.501,238.911 L210.921,243.147 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+  </g>
+  <g id="AAF" transform="translate(-66.241, -41.5)">
+    <g>
+      <path d="M360.277,242.79 L448.072,242.79 C452.228,242.79 455.597,244.074 455.597,245.659 L455.597,276.982 C455.597,278.567 452.228,279.851 448.072,279.851 L360.277,279.851 C356.12,279.851 352.751,278.567 352.751,276.982 L352.751,245.659 C352.751,244.074 356.12,242.79 360.277,242.79 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 404.174, 264.314)">
+        <tspan x="-16.57" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Service</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,79.5 L428.002,79.5 C430.693,79.5 432.875,80.785 432.875,82.369 L432.875,113.692 C432.875,115.277 430.693,116.562 428.002,116.562 L371.153,116.562 C368.462,116.562 366.281,115.277 366.281,113.692 L366.281,82.369 C366.281,80.785 368.462,79.5 371.153,79.5 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.578, 101.024)">
+        <tspan x="-20.745" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cert Man</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,201.967 L428.002,201.967 C430.693,201.967 432.874,203.252 432.874,204.837 L432.874,236.16 C432.874,237.744 430.693,239.029 428.002,239.029 L371.153,239.029 C368.462,239.029 366.28,237.744 366.28,236.16 L366.28,204.837 C366.28,203.252 368.462,201.967 371.153,201.967 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.577, 223.491)">
+        <tspan x="-14.175" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">OAuth</tspan>
+      </text>
+    </g>
+    <path d="M305.139,73 L493.554,73 L493.554,327.166 L305.139,327.166 L305.139,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+    <text transform="matrix(1, 0, 0, 1, 380.99, 60.5)">
+      <tspan x="-12.155" y="-7" font-family="HelveticaNeue" font-size="13" fill="#000000" fill-opacity="0.87">AAF</tspan>
+      <tspan x="12.155" y="-7" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87"> </tspan>
+      <tspan x="-76.495" y="5" font-family="HelveticaNeue" font-size="9" fill="#000000" fill-opacity="0.87">(Application Authorization Framework)</tspan>
+    </text>
+    <g>
+      <path d="M355.161,279.851 L383.272,279.851 C384.603,279.851 385.682,280.931 385.682,282.263 L385.682,308.589 C385.682,309.92 384.603,311 383.272,311 L355.161,311 C353.83,311 352.751,309.92 352.751,308.589 L352.751,282.263 C352.751,280.931 353.83,279.851 355.161,279.851 z" fill="#15C6D6" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 369.216, 297.941)">
+        <tspan x="-13.155" y="1.374" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authn</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M390.797,278.605 L450.482,278.605 C453.307,278.605 455.597,279.728 455.597,281.113 L455.597,308.492 C455.597,309.877 453.307,311 450.482,311 L390.797,311 C387.972,311 385.682,309.877 385.682,308.492 L385.682,281.113 C385.682,279.728 387.972,278.605 390.797,278.605 z" fill="#D6AF15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 420.639, 297.419)">
+        <tspan x="-12.775" y="1.029" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authz</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,161.145 L428.002,161.145 C430.693,161.145 432.875,162.43 432.875,164.014 L432.875,195.337 C432.875,196.922 430.693,198.207 428.002,198.207 L371.153,198.207 C368.462,198.207 366.281,196.922 366.281,195.337 L366.281,164.014 C366.281,162.43 368.462,161.145 371.153,161.145 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.578, 182.669)">
+        <tspan x="-17.13" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Locator</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M371.153,120.322 L428.002,120.322 C430.693,120.322 432.875,121.607 432.875,123.192 L432.875,154.515 C432.875,156.099 430.693,157.384 428.002,157.384 L371.153,157.384 C368.462,157.384 366.281,156.099 366.281,154.515 L366.281,123.192 C366.281,121.607 368.462,120.322 371.153,120.322 z" fill="#D65F15" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 399.578, 138.083)">
+        <tspan x="-8.7" y="-1.5" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">GUI </tspan>
+        <tspan x="-25.564" y="8.5" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">(Management)</tspan>
+      </text>
+    </g>
+  </g>
+  <g id="Organization" transform="translate(-66.241, -41.5)">
+    <g>
+      <path d="M89.448,90 L191.034,90 C195.843,90 199.741,92.149 199.741,94.8 L199.741,147.2 C199.741,149.851 195.843,152 191.034,152 L89.448,152 C84.639,152 80.741,149.851 80.741,147.2 L80.741,94.8 C80.741,92.149 84.639,90 89.448,90 z" fill="#4D9BAF" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 139.612, 119)">
+        <tspan x="-38.87" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Certificate</tspan>
+        <tspan x="-34.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Authority</tspan>
+      </text>
+    </g>
+    <g>
+      <path d="M89.448,299 L191.034,299 C195.843,299 199.741,301.149 199.741,303.8 L199.741,356.2 C199.741,358.851 195.843,361 191.034,361 L89.448,361 C84.639,361 80.741,358.851 80.741,356.2 L80.741,303.8 C80.741,301.149 84.639,299 89.448,299 z" fill="#4D9BAF" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 139.612, 330.5)">
+        <tspan x="-17.629" y="-7" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">DNS</tspan>
+        <tspan x="-25.454" y="7" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">(Externally </tspan>
+        <tspan x="-17.314" y="19" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">Visible)</tspan>
+      </text>
+    </g>
+    <path d="M67.741,73 L213.741,73 L213.741,381 L67.741,381 L67.741,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+    <g>
+      <g>
+        <path d="M89.448,157.75 L191.034,157.75 C195.843,157.75 199.741,162.447 199.741,168.24 L199.741,282.76 C199.741,288.553 195.843,293.25 191.034,293.25 L89.448,293.25 C84.639,293.25 80.741,288.553 80.741,282.76 L80.741,168.24 C80.741,162.447 84.639,157.75 89.448,157.75 z" fill="#4D9BAF" fill-opacity="0.87"/>
+        <text transform="matrix(-0, -1, 1, -0, 140.241, 211.015)">
+          <tspan x="-24.744" y="-34.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Formal</tspan>
+          <tspan x="-45.104" y="-16.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Organization</tspan>
+        </text>
+      </g>
+      <g>
+        <path d="M142.278,176.934 L195.204,176.934 C197.71,176.934 199.741,178.038 199.741,179.401 L199.741,206.325 C199.741,207.687 197.71,208.792 195.204,208.792 L142.278,208.792 C139.772,208.792 137.741,207.687 137.741,206.325 L137.741,179.401 C137.741,178.038 139.772,176.934 142.278,176.934 z" fill="#438596" fill-opacity="0.87"/>
+        <text transform="matrix(1, 0, 0, 1, 168.741, 192.863)">
+          <tspan x="-22.914" y="-2.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Notification</tspan>
+          <tspan x="-15.089" y="8.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">System</tspan>
+        </text>
+      </g>
+      <g>
+        <path d="M142.278,216.731 L195.204,216.731 C197.71,216.731 199.741,217.835 199.741,219.197 L199.741,246.122 C199.741,247.484 197.71,248.588 195.204,248.588 L142.278,248.588 C139.772,248.588 137.741,247.484 137.741,246.122 L137.741,219.197 C137.741,217.835 139.772,216.731 142.278,216.731 z" fill="#438596" fill-opacity="0.87"/>
+        <text transform="matrix(1, 0, 0, 1, 168.741, 232.978)">
+          <tspan x="-16.335" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Identity/</tspan>
+          <tspan x="-19.166" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Hierarchy</tspan>
+        </text>
+      </g>
+      <g>
+        <path d="M142.278,255.89 L195.204,255.89 C197.71,255.89 199.741,256.994 199.741,258.356 L199.741,285.281 C199.741,286.643 197.71,287.747 195.204,287.747 L142.278,287.747 C139.772,287.747 137.741,286.643 137.741,285.281 L137.741,258.356 C137.741,256.994 139.772,255.89 142.278,255.89 z" fill="#438596" fill-opacity="0.87"/>
+        <text transform="matrix(1, 0, 0, 1, 168.741, 272.137)">
+          <tspan x="-19.507" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Company </tspan>
+          <tspan x="-16.42" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Authn(s)</tspan>
+        </text>
+      </g>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 126.872, 60.5)">
+      <tspan x="-59.631" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Organizationally Defined</tspan>
+    </text>
+  </g>
+  <g id="TLS" transform="translate(-66.241, -41.5)">
+    <text transform="matrix(-0, 1, -1, -0, 639.901, 366.492)">
+      <tspan x="-22.253" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">TLS 1.2+</tspan>
+    </text>
+    <text transform="matrix(1, -0, 0, 1, 439.736, 509.201)">
+      <tspan x="-22.253" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">TLS 1.2+</tspan>
+    </text>
+    <text transform="matrix(1, 0, 0, 1, 634.155, 457.499)">
+      <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+    </text>
+    <text transform="matrix(-0, 1, -1, -0, 320.012, 516.681)">
+      <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+    </text>
+  </g>
+  <g id="CADI" transform="translate(-66.241, -41.5)">
+    <text transform="matrix(0, 1, -1, 0, 565.177, 521.164)">
+      <tspan x="-28.221" y="1.366" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+    </text>
+    <text transform="matrix(1, -0, 0, 1, 632.729, 307.083)">
+      <tspan x="-28.221" y="1.917" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+    </text>
+    <text transform="matrix(1, 0, -0, 1, 650.783, 318.583)">
+      <tspan x="-31.576" y="1.922" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">or BasicAuth</tspan>
+    </text>
+    <g>
+      <g>
+        <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill="#CA3F3F" fill-opacity="0.862"/>
+        <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      </g>
+      <text transform="matrix(1, 0, 0, 1, 633.442, 452.5)">
+        <tspan x="-26.477" y="2.25" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+      </text>
+    </g>
+    <g>
+      <g>
+        <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill="#CA3F3F"/>
+        <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      </g>
+      <text transform="matrix(-0, 1, -1, -0, 319.997, 519.5)">
+        <tspan x="-19.256" y="1.25" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+      </text>
+    </g>
+    <path d="M186.675,488.372 L303.255,488.372 C308.774,488.372 313.248,490.521 313.248,493.172 L313.248,545.572 C313.248,548.223 308.774,550.372 303.255,550.372 L186.675,550.372 C181.156,550.372 176.682,548.223 176.682,545.572 L176.682,493.172 C176.682,490.521 181.156,488.372 186.675,488.372 z" fill="#38AB4E"/>
+    <text transform="matrix(1, 0, 0, 1, 244.965, 519.37)">
+      <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+      <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+    </text>
+    <path d="M581.936,464.372 L683.522,464.372 C688.331,464.372 692.229,467.353 692.229,471.03 L692.229,543.714 C692.229,547.391 688.331,550.372 683.522,550.372 L581.936,550.372 C577.127,550.372 573.229,547.391 573.229,543.714 L573.229,471.03 C573.229,467.353 577.127,464.372 581.936,464.372 z" fill="#38AB4E"/>
+    <g>
+      <path d="M582.649,236.872 L684.234,236.872 C689.043,236.872 692.942,239.021 692.942,241.672 L692.942,294.072 C692.942,296.723 689.043,298.872 684.234,298.872 L582.649,298.872 C577.84,298.872 573.942,296.723 573.942,294.072 L573.942,241.672 C573.942,239.021 577.84,236.872 582.649,236.872 z" fill="#7A40CA" fill-opacity="0.87"/>
+      <text transform="matrix(1, 0, 0, 1, 635.812, 265.872)">
+        <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+        <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+      </text>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 631.212, 433.373)">
+      <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+    </text>
+    <g>
+      <path d="M631.442,299.373 L631.943,414.772" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M628.943,414.785 L631.978,422.772 L634.943,414.759 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <g>
+      <path d="M574.311,519.987 L353.842,519.762" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+      <path d="M353.845,516.762 L345.842,519.754 L353.839,522.762 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+    </g>
+    <text transform="matrix(1, 0, 0, 1, 632.729, 504.011)">
+      <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+      <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+    </text>
+    <text transform="matrix(-0, 1, -1, -0, 337.577, 519.5)">
+      <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+    </text>
+  </g>
+  <g id="CADI_Client" transform="translate(-66.241, -41.5)">
+    <text transform="matrix(1, -0, 0, 1, 459.076, 543.239)">
+      <tspan x="-89.025" y="-13.986" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Utilize CADI Client REST client (auto </tspan>
+      <tspan x="-89.025" y="-1.986" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">loads credentials, Contexts, etc)</tspan>
+    </text>
+  </g>
+</svg>
diff --git a/docs/sections/architecture/images/aaf-cm.png b/docs/sections/architecture/images/aaf-cm.png
new file mode 100644 (file)
index 0000000..602f17e
Binary files /dev/null and b/docs/sections/architecture/images/aaf-cm.png differ
diff --git a/docs/sections/architecture/index.rst b/docs/sections/architecture/index.rst
new file mode 100644 (file)
index 0000000..5a20f2d
--- /dev/null
@@ -0,0 +1,12 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
+
+Architecture
+============
+.. toctree::
+   :maxdepth: 2
+   :glob:
+
+   *
+
diff --git a/docs/sections/architecture/security.rst b/docs/sections/architecture/security.rst
new file mode 100644 (file)
index 0000000..9324789
--- /dev/null
@@ -0,0 +1,150 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
+
+Security Architecture
+=====================
+Communicating
+-------------
+When one compute process needs to communicate to another, it does so with networking.
+
+The service side is always compute process, but the client can be of two types:
+ * People (via browser, or perhaps command line tool)
+ * Compute process talking to another computer process.
+
+In larger systems, it is atypical to have just one connection, but will the call initiated by the initial actor will cause additional calls after it.  Thus, we demonstrate both a client call, and a subsequent call in the following:
+
+Thus, the essential building blocks of any networked system is made up of a caller and any subsquent calls.
+
+.. image:: images/SecurityArchBasic_1.svg
+       :width: 70%
+       :align: center
+
+
+Communicating *Securely*
+------------------------
+Whenever two processing entities exist that need to communicate securely, it is *essential* that 
+ * The communications between the two are encrypted
+ * The identities of the caller and callee are established (authentication)
+ * The caller must be allowed to do what it is asking to do (authorization)
+
+
+**Encryption**
+
+Encryption is provided by HTTP/S with the TLS 1.2+ protocol. Lesser protocols can also be added, but it is highly recommended that the protocol go no lower than TLS 1.1
+
+.. image:: images/SecurityArchBasic_TLS.svg
+       :width: 70%
+       :align: center
+
+**Establishing Identity**
+
+*Client Side*
+
+In order to be secure of the Server Identity, the client will:
+ * Carefully select the Endpoint for the server (URL)
+ * The Service side Certificate chain obtained by TLS must ultimately be signed by a Certificate Authority that is trusted.
+
+*Server Side*
+
+The server side is a little harder to accomplish, because, while a client can choose carefully whom he contacts, the server, ultimately, might be contacted by literally anyone.
+
+To solve this difficult problem, the CADI Framework Filter is attached to the incoming transaction before any code by Application 1 or Application 2 is invoked. The CADI Framework does the following:
+ A) Establishes the claimed Identity (this differs by Protocol)
+
+   i) The Identity needs to be a Fully Qualified Identity (FQI), meaning it has
+
+    #) An ID approved by Organization (such as bob)
+    #) A Domain establishing where the Credential is defined (ex: @bobs.garage.com)
+    #) FQI Example: bob@bobs.garage.com
+
+ B) Validates the credential of the FQI ( *Authentication* )
+
+   i) Basic Auth (User/Password) is validated against the system supporting the domain
+   ii) AAF Certman can create a fine-grained X509 certificate, which can derive FQI
+   iii) If the FQI fails the Credential test in any way, the transaction is terminated
+
+ C) Obtain *Authorization* information
+
+   i) This might include a call to AAF which will return all the Permissions of the User per Application Context
+   ii) This might involve pulling these from Cache
+   iii) This also might be pulled from Token
+
+.. image:: images/SecurityArchCADI.svg
+       :width: 70%
+       :align: center
+
+Enabling the Client to Send Securely
+------------------------------------
+
+Once a secure scenario is in place, the client must provide more information, or he will be rejected by the secured server.
+
+ * FQI (Fully Qualified Identity)
+ * Credential
+   * If User/Password, then the client must send via "BasicAuth" Protocol
+   * If two-way X509 identity, then the client must load the Cert and Private Key into the Client Software outside of the calling process.
+   * If Token based Identity, such as OAuth2, the token must be placed on the call in just the right way.
+ * Upstream Identity
+   * Application Two might well want to process Authorizations based on the *end-user*, not the current caller.  In this scenario, Application One must provide the End User FQI in addition to its own before Application Two will accept.
+
+In order to do this efficiently, ONAP services will use the CADI Client, which includes
+  * Connection Information by Configuration
+  * Encryption of any sensitive information in Configuration, such as Password, so that Configuration files will have no clear-text secrets.
+  * Highly scalable Endpoint information (at the very least, of AAF components)
+  * The ability to propogate the Identity of originating Caller (User One) 
+
+.. image:: images/SecurityArchCADIClient.svg
+       :width: 70%
+       :align: center
+
+
+Obtaining Security Information
+------------------------------
+
+In order for the client and server to perform securely, the need information they can trust, including
+ * TLS needs X509 Certificate for the Server and any Client wishing to authenticate using Certificates
+ * Any User/Password Credentials need to be validated real time
+ * The server needs comprehensible Authorization information, preferably at the Application Scope
+ * The client needs to find a server, even if the server must be massively geo-scaled
+
+The AAF Suite provides the following elements:
+ * AAF Service
+       This service provides fine-grained Authorization information, and can, if required, also provide specialized Passwords for Applications (that allow for configuration migrations without a maintainance window)
+ * OAuth
+       AAF provides Token and Introspection service, but can also delegate to Organizatinally defined OAuth Services as well.
+ * Locator
+       Provides machine and port information by geo-location for massively scalable services.  This is optional for ONAP services, but required for AAF as part of its reliability and scalability solution.
+ * GUI
+       AAF provides a GUI for managing Namespaces (for Applications), Roles, Permissions and Credentials.
+ * Certificate Manager
+       Since AAF has fine-grained information about Identities, it can provide Certificates with FQIs embedded.  CADI Framework understands when and how to trust these FQIs.  When used, these Certificates provide enhanced speed and additional resiliency to the system, as they do not require network connections to validate.
+
+.. image:: images/SecurityArchAAF.svg
+       :width: 30%
+       :align: center
+
+The Organization
+----------------
+
+AAF is only a tool to reflect the Organization it is setup for.  AAF does not, for instance, know what IDs are acceptable to a particular company.  Every Organization (or Company) will also likely have its own Certificate Authority and DNS. Most importantly, each Organzation will have a hierarchy of who is responsible for any give person or application. 
+
+ * AAF's Certman connects to the Organization's CA via SCEP protocol (Others can be created as well)
+ * AAF ties into the Organizational hierarchy.  Currently, this is through a feed of IDs and relationships.
+ * AAF can process some Passwords, but delegate off others based on domain.  
+
+.. image:: images/SecurityArchAAFOrg.svg
+       :width: 70%
+       :align: center
+
+The Whole Picture
+-----------------
+
+CADI is a framework that enforces validations of Identities, and uses those Identities to obtain Authorization information for the Server.  The CADI client ensures that the right information is passed during secure connections.
+
+AAF provides essential information based on the Organization to services in order to enable secure transactions between components.  It also provides sustaining processing capabilities to ensure that Credentials and Authorization relationships are maintained.
+
+.. image:: images/SecurityArchFull.svg
+       :width: 90%
+       :align: center
+
+
diff --git a/docs/sections/configuration/client.rst b/docs/sections/configuration/client.rst
new file mode 100644 (file)
index 0000000..e0e8880
--- /dev/null
@@ -0,0 +1,212 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+Client Configuration
+====================
+
+TEST version of "cadi.properties"
+---------------------------------
+These properties point you to the ONAP TEST environment.  
+
+Properties are separated into
+
+ * etc
+    * main Property file which provides Client specific info.  As a client, this could be put in container, or placed on Host Box
+    * The important thing is to LINK the property with Location and Certificate Properties, see "local"
+ * local
+   * where there is Machine specific information (i.e. GEO Location (Latitude/Longitude)
+   * where this is Machine specific Certificates (for running services)
+       * This is because the certificates used must match the Endpoint that the Container is running on
+       * Note Certificate Manager can Place all these components together in one place.
+           * For April, 2018, please write Jonathan.gathman@att.com for credentials until TEST Env with Certificate Manager is fully tested.  Include
+           1. AAF Namespace (you MUST be the owner for the request to be accepted)
+           2. Fully Qualified App ID (ID + Namespace)
+           3. Machine to be deployed on.
+                  
+Client Credentials
+------------------
+For Beijing, full TLS is expected among all components.  AAF provides the "Certificate Manager" which can "Place" Certificate information 
+
+Example Source Code
+-------------------
+Note the FULL class is available in the authz repo, cadi_aaf/org/onap/aaf/client/sample/Sample.java
+
+.. code-block:: java
+
+
+  /**
+   * ============LICENSE_START====================================================
+   * org.onap.aaf
+   * ===========================================================================
+   * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+   * ===========================================================================
+   * Licensed under the Apache License, Version 2.0 (the "License");
+   * you may not use this file except in compliance with the License.
+   * You may obtain a copy of the License at
+   *
+   *      http://www.apache.org/licenses/LICENSE-2.0
+   *
+   * Unless required by applicable law or agreed to in writing, software
+   * distributed under the License is distributed on an "AS IS" BASIS,
+   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   * See the License for the specific language governing permissions and
+   * limitations under the License.
+   * ============LICENSE_END====================================================
+   *
+   */
+  package org.onap.aaf.client.sample;
+  import java.io.IOException;
+  import java.security.Principal;
+  import java.util.ArrayList;
+  import java.util.List;
+  import org.onap.aaf.cadi.Access;
+  import org.onap.aaf.cadi.CadiException;
+  import org.onap.aaf.cadi.LocatorException;
+  import org.onap.aaf.cadi.Permission;
+  import org.onap.aaf.cadi.PropAccess;
+  import org.onap.aaf.cadi.aaf.AAFPermission;
+  import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+  import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
+  import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+  import org.onap.aaf.cadi.principal.UnAuthPrincipal;
+  import org.onap.aaf.cadi.util.Split;
+  import org.onap.aaf.misc.env.APIException;
+  public class Sample {
+    private static Sample singleton;
+    final private AAFConHttp aafcon;
+    final private AAFLurPerm aafLur;
+    final private AAFAuthn<?> aafAuthn;
+     
+    /**
+     * This method is to emphasize the importance of not creating the AAFObjects over and over again.
+     * @return
+     */
+    public static Sample singleton() {
+        return singleton;
+    }
+    public Sample(Access myAccess) throws APIException, CadiException, LocatorException {
+        aafcon = new AAFConHttp(myAccess);
+        aafLur = aafcon.newLur();
+        aafAuthn = aafcon.newAuthn(aafLur);
+    }
+     
+    /**
+     * Checking credentials outside of HTTP/S presents fewer options initially. There is not, for instance,
+     * the option of using 2-way TLS HTTP/S.
+     * 
+     *  However, Password Checks are still useful, and, if the Client Certificate could be obtained in other ways, the
+     *  Interface can be expanded in the future to include Certificates.
+     * @throws CadiException
+     * @throws IOException
+     */
+    public Principal checkUserPass(String fqi, String pass) throws IOException, CadiException {
+        String ok = aafAuthn.validate(fqi, pass);
+        if(ok==null) {
+            System.out.println("Success!");
+            /*
+             UnAuthPrincipal means that it is not coming from the official Authorization chain.
+             This is useful for Security Plugins which don't use Principal as the tie between
+             Authentication and Authorization
+             
+             You can also use this if you want to check Authorization without actually Authenticating, as may
+             be the case with certain Onboarding Tooling.
+            */
+            return new UnAuthPrincipal(fqi);
+        } else {
+            System.out.printf("Failure: %s\n",ok);
+            return null;
+        }
+         
+    }
+    /**
+     * An example of looking for One Permission within all the permissions user has.  CADI does cache these,
+     * so the call is not expensive.
+     *
+     * Note: If you are using "J2EE" (Servlets), CADI ties this function to the method:
+     *    HttpServletRequest.isUserInRole(String user)
+     *   
+     *  The J2EE user can expect that his servlet will NOT be called without a Validated Principal, and that
+     *  "isUserInRole()" will validate if the user has the Permission designated.
+     * 
+     */
+    public boolean oneAuthorization(Principal fqi, Permission p) {
+        return aafLur.fish(fqi, p);
+    }
+     
+    public List<Permission> allAuthorization(Principal fqi) {
+        List<Permission> pond = new ArrayList<Permission>();
+        aafLur.fishAll(fqi, pond);
+        return pond;
+    }
+     
+     
+    public static void main(String[] args) {
+        // Note: you can pick up Properties from Command line as well as VM Properties
+        // Code "user_fqi=... user_pass=..." (where user_pass can be encrypted) in the command line for this sample.
+        // Also code "perm=<perm type>|<instance>|<action>" to test a specific Permission
+        PropAccess myAccess = new PropAccess(args);
+        try {
+            /*
+             * NOTE:  Do NOT CREATE new aafcon, aafLur and aafAuthn each transaction.  They are built to be
+             * reused!
+             *
+             * This is why this code demonstrates "Sample" as a singleton.
+             */
+            singleton = new Sample(myAccess);
+            String user = myAccess.getProperty("user_fqi");
+            String pass= myAccess.getProperty("user_pass");
+             
+            if(user==null || pass==null) {
+                System.err.println("This Sample class requires properties user_fqi and user_pass");
+            } else {
+                pass =  myAccess.decrypt(pass, false); // Note, with "false", decryption will only happen if starts with "enc:"
+                // See the CODE for Java Methods used
+                Principal fqi = Sample.singleton().checkUserPass(user,pass);
+                 
+                if(fqi==null) {
+                    System.out.println("OK, normally, you would cease processing for an "
+                            + "unauthenticated user, but for the purpose of Sample, we'll keep going.\n");
+                    fqi=new UnAuthPrincipal(user);
+                }
+                 
+                // AGAIN, NOTE: If your client fails Authentication, the right behavior 99.9%
+                // of the time is to drop the transaction.  We continue for sample only.
+                 
+                // note, default String for perm
+                String permS = myAccess.getProperty("perm","org.osaaf.aaf.access|*|read");
+                String[] permA = Split.splitTrim('|', permS);
+                if(permA.length>2) {
+                    final Permission perm = new AAFPermission(permA[0],permA[1],permA[2]);
+                    // See the CODE for Java Methods used
+                    if(singleton().oneAuthorization(fqi, perm)) {
+                        System.out.printf("Success: %s has %s\n",fqi.getName(),permS);
+                    } else {
+                        System.out.printf("%s does NOT have %s\n",fqi.getName(),permS);
+                    }
+                }
+                 
+                 
+                // Another form, you can get ALL permissions in a list
+                // See the CODE for Java Methods used
+                List<Permission> permL = singleton().allAuthorization(fqi);
+                if(permL.size()==0) {
+                    System.out.printf("User %s has no Permissions THAT THE CALLER CAN SEE",fqi.getName());
+                } else {
+                    System.out.print("Success:\n");
+                    for(Permission p : permL) {
+                        System.out.printf("\t%s has %s\n",fqi.getName(),p.getKey());
+                    }
+                }
+            }
+        } catch (APIException | CadiException | LocatorException | IOException e) {
+            e.printStackTrace();
+        }
+    }
+  }
\ No newline at end of file
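Review bot: The usage comment at the top of `Sample.main` tells readers to code `user_fqi=... user_pass=...` on the command line, which leaves the password in the process argument list and shell history of anyone who copies the sample. The parenthetical "can be encrypted" does not tell them to avoid the cleartext form, so I would reword the comment to `// Prefer user_pass=enc:... read from a protected properties file; a cleartext user_pass on the command line is visible in process listings.` Separately, the branch `fqi=new UnAuthPrincipal(user);` after a failed `checkUserPass` carries on into the authorization calls with the same principal type that a successful check returns, so downstream code cannot tell the two apart. The surrounding comments warn about this, but putting that branch behind an explicit sample-only property would make a copied version fail closed.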
diff --git a/docs/sections/configuration/index.rst b/docs/sections/configuration/index.rst
new file mode 100644 (file)
index 0000000..cc65cad
--- /dev/null
@@ -0,0 +1,12 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
+
+Configuration
+=============
+.. toctree::
+   :maxdepth: 2
+   :glob:
+
+   *
+
diff --git a/docs/sections/configuration/service.rst b/docs/sections/configuration/service.rst
new file mode 100644 (file)
index 0000000..8b48ddc
--- /dev/null
@@ -0,0 +1,362 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+Service Configuration  - Connecting to AAF
+==========================================
+
+
+
+Methods to Connect
+==================
+
+•    If you are a Servlet in a Container, use CADI Framework with AAF Plugin.  It's very easy, and includes BasicAuth for Services.  
+•    Java Technologies
+•    Technologies using Servlet Filters
+•    DME2 (and other Servlet Containers) can use Servlet Filters
+•    Any WebApp can plug in CADI as a Servlet Filter
+•    Jetty can attach a Servlet Filter with Code, or as WebApp
+•    Tomcat 7 has a "Valve" plugin, which is similar and supported
+•    Use the AAFLur Code directly (shown)
+•    All Java Technologies utilize Configuration to set what Security elements are required
+•    example: Global Login can be turned on/off, AAF Client needs information to connect to AAF Service
+•    There are several specialty cases, which AAF can work with, including embedding all properties in a Web.xml, but the essentials needed are:
+•    CADI Jars
+•    cadi.properties file (configured the same for all technologies)
+•    Encrypt passwords with included CADI technology, so that there are no Clear Text Passwords in Config Files (ASPR)
+•    See CADI Deployment on how to perform this with several different technologies.
+•    AAF Restfully (see RESTFul APIS)
+
+IMPORTANT: If Direct RESTFul API is used, then it is the Client's responsibility to Cache and avoid making an AAF Service Calls too often
+Example: A Tool like Cassandra will ask for Authentication hundreds of times a second for the same identity during a transaction.  Calling the AAF Service for each would be slow for the client, and wasteful of Network and AAF Service Capacities.  
+Rogue Clients can and will be denied access to AAF.
+
+
+J2EE (Servlet Filter) Method
+============================
+
+1.     Per J2EE design, the Filter will deny any unauthenticated HTTP/S call; the Servlet will not even be invoked.
+a.     Therefore, the Servlet can depend on any transaction making it to their code set is Authenticated.
+b.     Identity can be viewed based on the HttpServletRequest Object (request.getUserPrincipal() )
+2.     Per J2EE design, AAF Filter overloads the HttpServletRequest for a String related to "Role".  (request.isUserInRole("...") )
+a.     For AAF, do not put in "Role", but the three parts of requested "Permission", separated by "|", i.e.  "org.onap.aaf.myapp.myperm|myInstance|myAction".
+3.     NOT REQUIRED: An added benefit, but not required, is a JASPI like interface, where you can add an Annotation to your Servlet. 
+a.     When used, no transaction will come into your code if the listed Permissions are not Granted to the Incoming Transaction.  
+b.     This might be helpful for covering separate Management Servlet implementations.
+
+
+
+Servlet Code Snippet
+=========================
+
+.. code-block:: java
+
+  public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
+      HttpServletRequest request;
+      try {
+          request = (HttpServletRequest)req;
+      } catch (ClassCastException e) {
+         throw new ServletException("Only serving HTTP today",e);
+      }
+     
+      // Note: CADI is OVERLOADING the concept of "isUserInRole".. You need to think "doesUserHavePermssion()"
+      // Assume that you have CREATED and GRANTED An AAF Permission in YOUR Namespace
+      // Example Permission:   "org.onap.aaf.myapp.myPerm * write"
+      // Think in your head, "Does user have write permission on any instance of org.onap.aaf.myapp.myPerm
+      if(request.isUserInRole("org.onap.aaf.myapp.myPerm|*|write")) { 
+          // *** Do something here that someone with "myPerm write" permissions is allowed to do
+      } else {
+          // *** Do something reasonable if user is denied, like an Error Message
+      }
+    }
+
+Here is a working TestServlet, where you can play with different Permissions that you own on the URL, i.e.:
+https://<your machine:port>/caditest/testme?PERM=org.onap.aaf.myapp.myPerm|*|write
+
+Sample Servlet (Working example)
+================================
+
+.. code-block:: java
+
+  package org.onap.aaf.cadi.debug;
+  import java.io.FileInputStream;
+  import java.io.IOException;
+  import java.net.InetAddress;
+  import java.net.UnknownHostException;
+  import java.util.HashMap;
+  import java.util.Map;
+  import java.util.Map.Entry;
+  import java.util.Properties;
+  import javax.servlet.Servlet;
+  import javax.servlet.ServletConfig;
+  import javax.servlet.ServletException;
+  import javax.servlet.ServletRequest;
+  import javax.servlet.ServletResponse;
+  import javax.servlet.http.HttpServletRequest;
+  import org.eclipse.jetty.server.Server;
+  import org.eclipse.jetty.server.ServerConnector;
+  import org.eclipse.jetty.server.handler.ContextHandler;
+  import org.eclipse.jetty.servlet.FilterHolder;
+  import org.eclipse.jetty.servlet.FilterMapping;
+  import org.eclipse.jetty.servlet.ServletContextHandler;
+  import org.eclipse.jetty.servlet.ServletHandler;
+  import org.onap.aaf.cadi.filter.CadiFilter;
+  import org.onap.aaf.cadi.filter.RolesAllowed;
+  import org.onap.aaf.cadi.jetty.MiniJASPIWrap;
+  public class CSPServletTest {
+    public static void main(String[] args) {
+        // Go ahead and print Test reports in cadi-core first
+        Test.main(args);
+        String hostname=null;
+        try {
+            hostname = InetAddress.getLocalHost().getHostName();
+        } catch (UnknownHostException e) {
+            e.printStackTrace();
+            System.exit(1);
+        }
+        Properties props = new Properties();
+        Map<String,String> map = new HashMap<String,String>();
+        try {
+            FileInputStream fis = new FileInputStream("run/cadi.properties");
+            try {
+                props.load(fis);
+                String key,value;
+                for( Entry<Object, Object> es  : props.entrySet()) {
+                    key = es.getKey().toString();
+                    value = es.getValue().toString();
+                    map.put(key,value);
+                    if(key.startsWith("AFT_") || key.startsWith("DME2")) {
+                        System.setProperty(key,value);
+                    }
+                }
+            } finally {
+                fis.close();
+            }
+        } catch(IOException e) {
+            System.err.println("Cannot load run/cadi.properties");
+            System.exit(1);
+        }
+        String portStr = System.getProperty("port");
+        int port = portStr==null?8080:Integer.parseInt(portStr);
+        try {
+            // Add ServletHolder(s) and Filter(s) to a ServletHandler
+            ServletHandler shand = new ServletHandler();
+             
+            FilterHolder cfh = new FilterHolder(CadiFilter.class);
+            cfh.setInitParameters(map);
+             
+            shand.addFilterWithMapping(cfh, "/*", FilterMapping.ALL);
+            shand.addServletWithMapping(new MiniJASPIWrap(MyServlet.class),"/*");
+            // call initialize after start
+             
+            ContextHandler ch = new ServletContextHandler();
+            ch.setContextPath("/caditest");
+            ch.setHandler(shand);
+            for( Entry<Object,Object> es : props.entrySet()) {
+                ch.getInitParams().put(es.getKey().toString(), es.getValue().toString());
+            }
+            //ch.setErrorHandler(new MyErrorHandler());
+             
+            // Create Server and Add Context Handler
+            final Server server = new Server();
+            ServerConnector http = new ServerConnector(server);
+            http.setPort(port);
+            server.addConnector(http);
+            server.setHandler(ch);
+         
+            // Start
+            server.start();
+            shand.initialize();
+             
+            System.out.println("To test, put http://"+ hostname + ':' + port + "/caditest/testme in a browser or 'curl'");
+            // if we were really a server, we'd block the main thread with this join...
+            // server.join();
+            // But... since we're a test service, we'll block on StdIn
+            System.out.println("Press <Return> to end service...");
+            System.in.read();
+            server.stop();
+            System.out.println("All done, have a good day!");
+        } catch (Exception e) {
+            e.printStackTrace();
+            System.exit(1);
+        }
+    }
+    @RolesAllowed({"org.onap.aaf.myapp.myPerm|myInstance|myAction"})
+    public static class MyServlet implements Servlet {
+        private ServletConfig servletConfig;
+     
+        public void init(ServletConfig config) throws ServletException {
+            servletConfig = config;
+        }
+     
+        public ServletConfig getServletConfig() {
+            return servletConfig;
+        }
+     
+        public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
+            HttpServletRequest request;
+            try {
+                request = (HttpServletRequest)req;
+            } catch (ClassCastException e) {
+                throw new ServletException("Only serving HTTP today",e);
+            }
+             
+            res.getOutputStream().print("<html><header><title>CSP Servlet Test</title></header><body><h1>You're good to go!</h1><pre>" +
+                    request.getUserPrincipal());
+             
+            String perm = request.getParameter("PERM");
+            if(perm!=null)
+                if(request.isUserInRole(perm)) {
+                    if(perm.indexOf('|')<0) 
+                        res.getOutputStream().print("\nCongrats!, You are in Role " + perm);
+                      else
+                        res.getOutputStream().print("\nCongrats!, You have Permission " + perm);
+                } else {
+                    if(perm.indexOf('|')<0) 
+                        res.getOutputStream().print("\nSorry, you are NOT in Role " + perm);
+                      else
+                        res.getOutputStream().print("\nSorry, you do NOT have Permission " + perm);
+                }
+             
+            res.getOutputStream().print("</pre></body></html>");
+             
+        }
+     
+        public String getServletInfo() {
+            return "MyServlet";
+        }
+     
+        public void destroy() {
+        }
+    }
+   }
+Java Direct (AAFLur) Method
+===========================
+The AAFLur is the exact component used within all the Plugins mentioned above.  It is written so that it can be called standalone as well, see the Example as follows
+
+.. code-block:: java
+
+  package org.onap.aaf.example;
+
+  import java.util.ArrayList;
+  import java.util.List;
+  import java.util.Properties;
+
+  import org.onap.aaf.cadi.Access;
+  import org.onap.aaf.cadi.Permission;
+  import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+  import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
+  import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+  import org.onap.aaf.cadi.config.Config;
+  import org.onap.aaf.cadi.lur.aaf.AAFPermission;
+  import org.onap.aaf.cadi.lur.aaf.test.TestAccess;
+
+  public class ExamplePerm2_0 {
+       public static void main(String args[]) {
+               // Normally, these should be set in environment.  Setting here for clarity
+               Properties props = System.getProperties();
+               props.setProperty("AFT_LATITUDE", "32.780140");
+               props.setProperty("AFT_LONGITUDE", "-96.800451");
+               props.setProperty("AFT_ENVIRONMENT", "AFTUAT");
+               props.setProperty(Config.AAF_URL,
+               "https://DME2RESOLVE/service=org.onap.aaf.authz.AuthorizationService/version=2.0/envContext=TEST/routeOffer=BAU_SE"
+                               );
+               props.setProperty(Config.AAF_USER_EXPIRES,Integer.toString(5*60000));   // 5 minutes for found items to live in cache
+               props.setProperty(Config.AAF_HIGH_COUNT,Integer.toString(400));         // Maximum number of items in Cache);
+               props.setProperty(Config.CADI_KEYFILE,"keyfile"); //Note: Be sure to generate with java -jar <cadi_path>/lib/cadi-core*.jar keygen keyfile
+  //           props.setProperty("DME2_EP_REGISTRY_CLASS","DME2FS");
+  //           props.setProperty("AFT_DME2_EP_REGISTRY_FS_DIR","../../authz/dme2reg");
+
+               
+               // Link or reuse to your Logging mechanism
+               Access myAccess = new TestAccess(); // 
+               
+               // 
+               try {
+                       AAFCon<?> con = new AAFConDME2(myAccess);
+                       
+                       // AAFLur has pool of DME clients as needed, and Caches Client lookups
+                       AAFLurPerm aafLur = con.newLur();
+                       // Note: If you need both Authn and Authz construct the following:
+                       AAFAuthn<?> aafAuthn = con.newAuthn(aafLur);
+
+                       // Do not set Mech ID until after you construct AAFAuthn,
+                       // because we initiate  "401" info to determine the Realm of 
+                       // of the service we're after.
+                       con.basicAuth("xxxx@aaf.abc.com", "XXXXXX");
+
+                       try {
+                               
+                               // Normally, you obtain Principal from Authentication System.
+                               // For J2EE, you can ask the HttpServletRequest for getUserPrincipal()
+                               // If you use CADI as Authenticator, it will get you these Principals from
+                               // CSP or BasicAuth mechanisms.
+                               String id = "xxxx@aaf.abc.com"; //"cluster_admin@gridcore.abc.com";
+
+                               // If Validate succeeds, you will get a Null, otherwise, you will a String for the reason.
+                               String ok = aafAuthn.validate(id, "XXXXXX");
+                               if(ok!=null)System.out.println(ok);
+                               
+                               ok = aafAuthn.validate(id, "wrongPass");
+                               if(ok!=null)System.out.println(ok);
+
+
+                               // AAF Style permissions are in the form
+                               // Type, Instance, Action 
+                               AAFPermission perm = new AAFPermission("org.onap.aaf.grid.core.coh",":dev_cluster", "WRITE");
+                               
+                               // Now you can ask the LUR (Local Representative of the User Repository about Authorization
+                               // With CADI, in J2EE, you can call isUserInRole("org.onap.aaf.mygroup|mytype|write") on the Request Object 
+                               // instead of creating your own LUR
+                               System.out.println("Does " + id + " have " + perm);
+                               if(aafLur.fish(id, perm)) {
+                                       System.out.println("Yes, you have permission");
+                               } else {
+                                       System.out.println("No, you don't have permission");
+                               }
+
+                               System.out.println("Does Bogus have " + perm);
+                               if(aafLur.fish("Bogus", perm)) {
+                                       System.out.println("Yes, you have permission");
+                               } else {
+                                       System.out.println("No, you don't have permission");
+                               }
+
+                               // Or you can all for all the Permissions available
+                               List<Permission> perms = new ArrayList<Permission>();
+                               
+                               aafLur.fishAll(id,perms);
+                               for(Permission prm : perms) {
+                                       System.out.println(prm.getKey());
+                               }
+                               
+                               // It might be helpful in some cases to clear the User's identity from the Cache
+                               aafLur.remove(id);
+                       } finally {
+                               aafLur.destroy();
+                       }
+               } catch (Exception e) {
+                       e.printStackTrace();
+               }
+
+       }
+  }
+
+  
+There are two current AAF Lurs which you can utilize:
+•    Org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm is the default, and will fish based on the Three-fold "Permission" standard in AAF
+To run this code, you will need from a SWM deployment (org.onap.aaf.cadi:cadi, then soft link to jars needed):
+•    cadi-core-<version>.jar
+•    cadi-aaf-<version>-full.jar
+   or by Maven
+<dependency>
+<groupId>org.onap.aaf.cadi</groupId>
+<artifactId>aaf-cadi-aaf</artifactId>
+<version>THE_LATEST_VERSION</version>
+<classifier>full</classifier> 
+</dependency>
+
+
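Review bot: `MyServlet.service` in the "Sample Servlet (Working example)" listing writes the `PERM` request parameter back into the HTML response unescaped (`"\nCongrats!, You are in Role " + perm` and the three sibling messages), so the example is a reflected cross-site-scripting sink. The enclosing `<pre>` does not neutralise markup. Because the page invites readers to run it and vary `PERM` on the URL, the sample should encode the value before printing, e.g. `String shown = perm.replace("&","&amp;").replace("<","&lt;").replace(">","&gt;");`, or send the whole response as `text/plain`. The value of `request.getUserPrincipal()` is concatenated into the same page and probably deserves the same encoding, depending on which characters AAF allows in an identity.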
diff --git a/docs/sections/installation/AAF-Integration-Guide.rst b/docs/sections/installation/AAF-Integration-Guide.rst
new file mode 100644 (file)
index 0000000..9732764
--- /dev/null
@@ -0,0 +1,76 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
+
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
+
+AAF Integration Guide
+============================
+.. code:: bash
+
+   cadi.properties Template
+  # This is a normal Java Properties File
+  # Comments are with Pound Signs at beginning of lines,
+  # and multi-line expression of properties can be obtained by backslash at end of line
+  #hostname=
+
+  cadi_loglevel=WARN
+  cadi_keyfile=conf/keyfile
+
+
+  # Configure AAF
+  aaf_url=http://172.18.0.2:8101
+  #if you are running aaf service from a docker image you have to use aaf service IP and port number
+  aaf_id=<yourAPPID>@onap.org
+  aaf_password=enc:<encrypt>
+
+  aaf_dme_timeout=5000
+  # Note, User Expires for not Unit Test should be something like 900000 (15 mins) default is 10 mins
+  # 15 seconds is so that Unit Tests don't delay compiles, etc
+  aaf_user_expires=15000
+  # High count... Rough top number of objects held in Cache per cycle.  If high is reached, more are
+  # recycled next time.  Depending on Memory usage, 2000 is probably decent.  1000 is default
+  aaf_high_count=100
+
+
+How to create CADI Keyfile & Encrypt Password
+---------------------------------------------
+
+Password Encryption
+-------------------
+CADI provides a method to encrypt data so that Passwords and other sensitive data can be stored safely.
+
+Keygen (Generate local Symmetrical Key)
+A Keyfile is created by Cadi Utility.
+
+.. code:: bash
+
+  java -jar cadi-core-<version>.jar keygen <keyfile>
+Given this key file unlocks any passwords created, it should be stored in your configuration directory and protected with appropriate access permissions. For instance, if your container is Tomcat, and runs with a "tomcat" id, then you should:
+
+.. code:: bash
+
+  java -jar cadi-core-<version>.jar keygen keyfile
+  chmod 400 keyfile
+  chown tomcat:tomcat keyfile
+  
+Digest - Encrypt a Password
+---------------------------
+The password is obtained by using the Cadi digest Utility (contained in the cadi-core-<version>.jar).
+
+.. code:: bash
+
+  java -jar cadi-core-<version>.jar digest <your_password> <keyfile>
+   â€¢ "<keyfile>" is created by Cadi Utility, #keygen
+   â€¢ Understand that if you change the keyfile, then you need to rerun "digest" on passwords used in the users/groups definitions.
+   â€¢ Note: You cannot mix versions of cadi; the version used to digest your password must be the same version used at runtime.
+   
+CADI PROPERTIES
+   CADI properties, typically named "cadi.properties", must have passwords encrypted.
+      1.       Take the results of the "Digest" command and prepend "enc:"
+      2.       Use this as the value of your property
+         
+Example:   aaf_password=enc:fMKMBfKHlRWL68cxD5XSIWNKRNYi5dih2LEHRFMIsut
+
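Review bot: The cadi.properties template sets `aaf_url=http://172.18.0.2:8101` next to `aaf_id` and `aaf_password`, so a reader who fills it in as written would presumably authenticate to AAF over cleartext HTTP. Encrypting the stored password with the keyfile protects the file at rest, not the connection. I would show `aaf_url=https://<aaf-host>:<port>` in the template and add a comment line that plain HTTP is only for an isolated local test container. The `digest <your_password> <keyfile>` step also places the cleartext password in shell history and the process list, which the text should mention alongside the keyfile `chmod 400` advice. The licence header appears twice at the top of the file, which looks like a paste duplicate.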
diff --git a/docs/sections/installation/AAF_Environment_Beijing.rst b/docs/sections/installation/AAF_Environment_Beijing.rst
new file mode 100644 (file)
index 0000000..3061c90
--- /dev/null
@@ -0,0 +1,252 @@
+AAF Environment - Beijing
+=========================
+
+Access
+~~~~~~
+
+You must be connected to the WindRiver "pod-onap-01" VPN to gain access
+to AAF Beijing
+
+DNS (/etc/hosts)
+~~~~~~~~~~~~~~~~
+
+At this time, there is no known DNS available for ONAP Entities. Â It is
+recommended that you add the following entry into your "/etc/hosts" on
+your accessing machine:
+
+    /etc/hosts:
+
+    10.12.6.214 aaf-onap-beijing-test aaf-onap-beijing-test.osaaf.org
+
+Environment Artifacts (AAF FS)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    AAF has an HTTP Fileserver to gain access to needed public info.
+
+    http://aaf-onap-beijing-test.osaaf.org/-
+
+Credentials
+~~~~~~~~~~~
+
+    AAF does support User/Password, and allows additional plugins as it
+    did in Amsterdam, however, User/Password credentials are inferior to
+    PKI technology, and does not match the ONAP Design goal of TLS and
+    PKI Identity across the board. Â Therefore, while an individual
+    organization might avail themselves of the User/Password facilities
+    within AAF, for ONAP, we are avoiding.
+
+    THEREFORE: **GO WITH CERTIFICATE IDENTITY**
+
+Certificates
+~~~~~~~~~~~~
+
+Root Certificate
+^^^^^^^^^^^^^^^^
+
+    `AAF\_RootCA.cer <http://aaf-onap-beijing-test.osaaf.org/AAF_RootCA.cer>`__
+
+AAF CA
+^^^^^^
+
+    At time of Beijing, an official Certificate Authority for ONAP was
+    not declared, installed or operationalized. Â Secure TLS requires
+    certificates, so for the time being, the Certificate Authority is
+    being run by AAF Team.
+
+Root Certificate
+''''''''''''''''
+
+    | The Root Certificate for ONAP Certificate Authority used by AAF
+      is \ `AAF\_RootCA.cer <http://aaf-onap-beijing-test.osaaf.org/AAF_RootCA.cer>`__
+    | Depending on your Browser/ Operating System, clicking on this link
+      will allow you to install this Cert into your Browser for GUI
+      access (see next)
+
+    This Root Certificate is also available in "truststore" form, ready
+    to be used by Java or other processes:
+
+-  
+
+   -  
+
+      -  `truststoreONAP.p12 <http://aaf-onap-beijing-test.osaaf.org/truststoreONAP.p12>`__ 
+             - Â This Truststore has ONLY the ONAP AAF\_RootCA in it.
+
+      -  `truststoreONAPall.jks <http://aaf-onap-beijing-test.osaaf.org/truststoreONAPall.jks>`__
+             - This Truststore has the ONAP AAF\_RootCA in it PLUS all
+             the Public CA Certs that are in Java 1.8.131 (note: this is
+             in jks format, because the original JAVA truststore was in
+             jks format)
+
+    Note: as of Java 8, pkcs12 format is recommended, rather than jks.
+    Â Java's "keytool" utility provides a conversion for .jks for Java 7
+    and previous.
+
+Identity
+''''''''
+
+    Certificates certify nothing if there is no identity or process to
+    verify the Identity. Â Typically, for a company, an HR department
+    will establish the formal organization, specifically, who reports to
+    whom. Â For ONAP, at time of Beijing, no such formalized "Org Chart"
+    existed, so we'll be building this up as we go along.
+
+    Therefore, with each Certificate Request, we'll need identity
+    information as well, that will be entered into an ONAP Identity
+    file. Â Again, as a real company, this can be derived or accessed
+    real-time (if available) as an "Organization Plugin". Â Again, as
+    there appears to be no such central formal system in ONAP, though,
+    of course, Linux Foundation logins have some of this information for
+    ALL LF projects. Â Until ONAP declares such a system or decides how
+    we might integrate with LF for Identity and we have time to create
+    an Integration strategy, AAF will control this data.
+
+    For each Identity, we'll need:
+
+  People
+        
+
+    | # 0 - unique ID (for Apps, just make sure it is unique, for
+      People, one might consider your LinuxFoundation ID)
+    | # 1 - full name (for App, name of the APP)
+    | # 2 - first name (for App, 
+    | # 3 - last name
+    | # 4 - phone
+    | # 5 - official email
+    | # 6 - type - person
+    | # 7 - reports to: If you are working as part of a Project, list
+      the PTL of your Project. Â If you are PTL, just declare you are the
+      PTL 
+
+  Applications
+              
+
+    | # 0 - unique ID - For ONAP Test, this will be the same a the App
+      Acronym.
+    | # 1 - full name of the App
+    | # 2 - App Acronym
+    | # 3 - App Description, or just "Application"
+    | # 5 - official email - a Distribution list for the Application, or
+      the Email of the Owner
+    | # 6 - type - application
+    | # 7 - reports to: give the Application Owner's Unique ID. Â Note,
+      this should also be the Owner in AAF Namespace
+
+Obtaining a Certificate
+'''''''''''''''''''''''
+
+    There are 3 types of Certificates available for AAF and ONAP
+    community through AAF. Â People, App Client-only, and App Service
+    (can be used for both Client and Service)
+
+Process (This process may fluctuate, or move to iTrack, so revisit this page for each certificate you request)
+                                                                                                              
+
+1. 
+
+   1. 
+
+      1. 
+
+         1. Email the AAF Team
+            (jonathan.gathman@`att.com <http://att.com>`__, for now)
+
+         2. Put "REQUEST ONAP CERTIFICATE" in the Subject Line
+
+         3. If you have NOT established an Identity, see above, put the
+            Identity information in first
+
+         4. Then declare which of the three kinds of Certificates you
+            want.
+
+            1. **People** and **App Client-only** certificates will be
+               Manual
+
+               1. You will receive a reply email with instructions on
+                  creating and signing a CSR, with a specific Subject.
+
+               2. Reply back with the CSR attached. DO NOT CHANGE the
+                  Subject. Â 
+
+                  1. Subject is NOT NEGOTIABLE. If it does not match the
+                     original Email, you will be rejected, and will
+                     waste everyone's time.
+
+               3. You will receive back the certificate itself, and some
+                  openssl instructions to build a .p12 file (or maybe a
+                  ready-to-run Shell Script)
+
+            2. *App Service Certificate* is supported by AAF's Certman
+
+               1. However, this requires the establishment of Deployer
+                  Identities, as no Certificate is deployed without
+                  Authorization.
+
+               2. Therefore, for now, follow the "Manual" method,
+                  described in 4.a, but include the Machine to be the
+                  "cn="
+
+People
+      
+
+    People Certificates can be used for browsers, curl, etc.
+
+    Automation and tracking of People Certificates will be proposed for
+    Casablanca.
+
+    In the meantime, for testing purposes, you may request a certificate
+    from AAF team, see process.
+
+Application Client-only
+                       
+
+    Application Client-only certificates are not tied to a specific
+    machine. Â They function just like people, only it is expected that
+    they are used within "keystores" as identity when talking to AAF
+    enabled components.
+
+    PLEASE USE your APP NAME IN CI/CD (OOM, etc) in your request. Â That
+    makes the most sense for identity.
+
+    Automation and tracking of Application Certificates will be proposed
+    for Casablanca. 
+
+    In the meantime, for testing purposes, you may request a certificate
+    from AAF team, see process.
+
+Application Service 
+                    
+
+    This kind of Certificate must have the Machine Name in the "CN="
+    position. Â 
+
+    AAF supports Automated Certificate Deployment, but this has not been
+    integrated with OOM at this time (April 12, 2018). Â 
+
+-  
+
+   -  Please request Manual Certificate, but specify the Machine as
+          well. Â Machine should be a name, so you might need to provide
+          your Clients with instructions on adding to /etc/hosts until
+          ONAP address Name Services for ONAP Environments (i.e. DNS)
+
+    **GUI**
+
+    https://aaf-onap-beijing-test.osaaf.org
+
+    Note: this link is actually to the AAF Locator, which redirects you
+    to an available GUI
+
+    The GUI uses the ONAP AAF Certificate Authority (private). Â Before
+    you can use the Browser, you will need to
+
+-  
+
+   -  Accept the `Root
+      Certificate <#AAFEnvironment-Beijing-RootCertificate>`__
+
+   -  Obtain a Personal Certificate above
+
+   -  Add the Personal Certificate/Private key to your Browser.
+      Typically, this is done by having it packaged in a
+      P\ https://zoom.us/j/793296315
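Review bot: The Root Certificate and truststore links under "Certificates" all point at `http://aaf-onap-beijing-test.osaaf.org/...`, so the trust anchor a reader installs into a browser or JVM is fetched over a channel with no integrity protection. A file substituted in transit would undermine every later TLS check that chains to it. I would add a line after the Root Certificate link such as `Before importing AAF_RootCA.cer, verify its SHA-256 fingerprint against the value supplied by the AAF team: <FINGERPRINT_PLACEHOLDER>`, with the fingerprint distributed through a separate channel. Separately, the last item of the GUI list breaks off at `P\ https://zoom.us/j/793296315`, which looks like a paste accident and leaves the packaging step unfinished.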
diff --git a/docs/sections/installation/Bootstrapping-AAF-Components.rst b/docs/sections/installation/Bootstrapping-AAF-Components.rst
new file mode 100644 (file)
index 0000000..2bb329d
--- /dev/null
@@ -0,0 +1,256 @@
+.. contents::
+   :depth: 3
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
+
+Summary
+Essentials
+Technologies required to run AAF
+Optional Technologies for special cases
+Data Definitions
+AAF Data Definitions
+ILM (Identity Lifecycle Management)
+Initializing Default Implementation
+Extract Sample Configuration
+Certificate Authority
+Creating your own Certificate Authority (if desired)
+Create your Intermediate CAs
+Use the Intermediate CA for creating Service/Identity Certs (can be utilized by Certman with LocalCA)
+Copy initializations to Host Machine
+Load Data and/or Meta-Data into Cassandra
+Build Source
+Run Java
+
+Summary
+-------
+
+AAF Components are all Java(tm) HTTP/S based RESTful services, with the following exceptions:
+
+ - AAF GUI component is an HTTP/S HTML5 generating component.  It uses the same code base, but isn't strictly RESTful according to definition.
+ - AAF FS component is a FileServer, and is HTTP only (not TLS), so it can deliver publicly accessible artifacts without Authentication.
+
+Essentials
+==========
+
+Technologies required to run AAF
+--------------------------------
+
+ - Java(tm).  Version 8.121+
+   - Oracle Java previous to Oracle Java SE 8 to version 8 Update 121 is vulnerable to "SWEET32" attack.
+
+     1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
+
+ - Cassandra, Version 2.1.14+
+ - X509 Certificates (at minimum to support HTTP/S TLS transactions (TLS1.1 and TLS1.2 are default, but can be configured).
+
+Optional Technologies for special cases
+---------------------------------------
+
+ - Build your own Certificate Authority for Bootstrapping and/or Certificate Manager component.
+   - openssl
+   - bash
+   
+Data Definitions
+----------------
+
+AAF Data Definitions
+
+ - AAF is Data Driven, and therefore, needs to have some structure around the Initial Data so that it can function.  You will need to define:
+
+Your Organization:
+ - Example:  Are you a company?  Do you already have a well known internet URL?
+ - If so, you should set up AAF Namespaces with this in mind.  Example:
+
+ - for "Kumquat Industries, LTD", with internet presence "kumquats4you.com" (currently, a fictitious name), you would want all your AAF Namespaces to start with:
+
+"com.kumquats4you" 
+The examples all use 
+
+"org.osaaf"
+
+However it is recommended that you change this once you figure out your organizations' structure.
+Your AAF Root Namespace
+This can be within your company namespace, i.e. 
+
+"com.kumquats4you.aaf"
+
+but you might consider putting it under different root structure.
+Again, the bootstrapping examples use:
+
+"org.osaaf.aaf" 
+While creating these, recognize that 
+2nd position of the Namespace indicates company/organization
+3rd+ position are applications within that company/organization
+
+"com.kumquats4you.dmaap"
+
+Following this "positional" structure is required for expected Authorization behavior.
+
+
+ILM (Identity Lifecycle Management)
+Neither Authentication nor Authorization make any sense outside the context of Identity within your Organization.
+
+Some organizations or companies will have their own ILM managers.
+
+If so you may write your own implementation of "Organization"
+Ensure the ILM of choice can be access real-time, or consider exporting the data into File Based mechanism (see entry)
+AAF comes with a "DefaultOrganization", which implements a file based localization of ILM in a simple text file
+
+Each line represents an identity in the organization, including essential contact information, and reporting structure 
+This file can be updated by bringing in the entire file via ftp or other file transfer protocol, HOWEVER
+Provide a process that
+Validates no corruption has occurred
+Pulls the ENTIRE file down before moving into the place where AAF Components will see it.
+Take advantage of UNIX File System behaviors, by MOVING the file into place (mv), rather than copying while AAF is Active
+Note: This file-based methodology has been shown to be extremely effective for a 1 million+ Identity organization
+TBA-how to add an entry
+
+TBA-what does "sponsorship mean"
+
+Initializing Default Implementation
+This is recommended for learning/testing AAF.  You can modify and save off this information for your Organizational use at your discretion.
+
+Extract Sample Configuration
+On your Linux box (creating/setting permissions as required)
+
+mkdir -p /opt/app/osaaf
+
+cd /opt/app/osaaf
+
+# Download AAF_sample_config_v1.zip (TBA)
+
+jar -xvf AAF_sample_config_v1.zip
+
+Certificate Authority
+You need to identify a SAFE AND SECURE machine when working with your own Certificate Authority.  Realize that if a hacker gets the private keys of your CA or Intermediate CAs, you will be TOTALLY Compromised.
+
+For that reason, many large companies will isolate any machines dealing with Certificates, and that is the recommendation here as well... However, this page cannot explain what works best for you.  JSCEP is an option if you have this setup already.
+
+If you choose to make your own CA, at the very least, once you create your private key for your Root Cert, and your Intermediate Certs, you might consider saving your Private Keys off line and removing from the exposed box.  Again, this is YOUR responsibility, and must follow your policy.
+
+
+
+IMPORTANT!  As you create Certificates for Identities, the Identities you use MUST be identities in your ILM.  See /opt/app/aaf/osaaf/data/identities.dat
+
+Creating your own Certificate Authority (if desired)
+1) Obtain all the Shell Scripts from the "conf/CA" directory which you can get the from the git repo.
+
+For this example, we'll put everything in /opt/app/osaaf
+
+mkdir /opt/app/osaaf/CA, if required
+
+$ cd /opt/app/osaaf/CA
+
+view README.txt for last minute info
+
+view an/or change "subject.aaf" for your needs. This format will be used on all generated certs from the CA.
+
+$ cat subject.aaf
+
+If you will be using PKCS11 option, review the "cfg.pkcs11" file as well
+
+$ cat cfg.pkcs11
+
+$ bash newca.sh
+
+Obviously, save off your passphrase in an encrypted place... how you do this is your procedure
+
+At this point, your Root CA information has been created.  If you want to start over, you may use "bash clean.sh"
+
+Create your Intermediate CAs
+2) You do NOT sign regular Cert requests with your Root.  You only sign with Intermediate CA.  The "intermediate.sh" will create a NEW Intermediate CA Directory and copy appropriate Shell scripts over.  Do this for as many Intermediate CAs as you need.
+
+$ bash newIntermediate.sh
+
+creates directories in order, intermediate_1, intermediate_2, etc.
+
+Use the Intermediate CA for creating Service/Identity Certs (can be utilized by Certman with LocalCA)
+3) When creating a Manual Certificate, DO THIS from the Intermediate CA needed
+
+$ cd intermediate_1
+
+4) Create initial Certificate for AAF
+
+IMPORTANT!  As you create Certificates for Identities, the Identities you use MUST be identities in your ILM.  See /opt/app/aaf/osaaf/data/identities.dat
+
+To create LOCALLY, meaning create the CSR, and submit immediately, do the following
+
+$ bash manual.sh <machine-name> -local
+
+FQI (Fully Qualified Identity):
+
+<identity from identities.dat>@<domain, ex: aaf.osaaf.org>
+
+To create Information suitable for Emailing, and signing the returned CSR
+
+$ bash manual.sh <machine-name>
+
+FQI (Fully Qualified Identity):
+
+<identity from identities.dat>@<domain, ex: aaf.osaaf.org>
+
+5) Create p12 file for AAF
+
+REMAIN in the intermediate directory...
+
+$ bash p12.sh <machine-name>
+
+Copy initializations to Host Machine
+AAF is setup so it can run 
+
+On the O/S, using Java
+On Docker
+On K8
+In each case, even for Docker/K8, we utilize the File O/S for host specific information.   This is because
+
+Many things are Host Specific
+The Hostname required for TLS interactions
+Cassandra specific information (when external/clustered)
+Logging (if logging is done in container, it will be lost if container goes down)
+To make things simpler, we are assuming that the file structure will be "/opt/app/osaaf".  The code supports changing this, but documentation will wait until use cases arises for ONAP.
+
+Steps:
+
+1) Copy "osaaf.zip" to your Host Machine, where osaaf.zip is provided by AAF SME. // TODO POST SAMPLE HERE
+
+2) Copy your "p12" file generated by your CA (see above), and place in your "certs" directory
+
+3) SSH (or otherwise login) to your Docker/K8 Host Machine
+
+4) setup your directories (you might need to be root, then adjust what you need for O/S File Permissions
+
+$ mkdir /opt/app/osaaf
+
+$ cd /opt/app/osaaf
+
+$ mkdir cred logs
+
+$ unzip ~/osaaf.zip
+
+$ mv ~/<p12 file from CA above> cred
+
+$ 
+
+Unzip the "osaaf.zip" so it goes into the /opt/app/osaaf directory (should have "etc", "data", "public" and "certs" directories)
+
+4) Modify "org.osaaf.props" to have 
+
+
+
+Load Data and/or Meta-Data into Cassandra
+Setting this initial Data can be done directly onto Cassadra using "cqlsh" using the following "cql" files:
+
+init<version>.cql (whatever is latest in the "zip" file)
+osaaf.cql
+      This file contains initial Authorization Structures, see AAF Data Structures. 
+            This is where you would modify your own initial Structures.
+Build Source
+(if not done already)
+
+Run Java
+Note: If you have a Kubernets requirement (support), it is STILL RECOMMENDED you run AAF as stand-alone Java Components on your system, and work out any modifications required BEFORE trying to run in Kubernetes.
+
+TBA <java -Dcadi_prop_files=/opt/app/osaaf/etc/org.osaaf.locator.props -cp <path> File>
+
diff --git a/docs/sections/installation/Installation.rst b/docs/sections/installation/Installation.rst
new file mode 100644 (file)
index 0000000..dc4c6a4
--- /dev/null
@@ -0,0 +1,103 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.\r
+.. http://creativecommons.org/licenses/by/4.0\r
+\r
+Installation\r
+============\r
+This document will illustrates how to build and deploy all AAF components.\r
+\r
+Clone AAF Code:\r
+Build AAF with settings.xml:\r
+Build Docker Images:\r
+Modify the  properties file:\r
+Mount the sample to /opt/app/osaaf:\r
+Run the docker containers:\r
+Clone AAF Code:\r
+bharath@bharath:~$ git clone https://git.onap.org/aaf/authz\r
+\r
+\r
+Build AAF with settings.xml:\r
+---------------------------\r
+Copy the settings.xml from here and paste in ~/.m2/settings.xml\r
+\r
+Then run the following command\r
+\r
+.. code:: bash\r
+\r
+    bharath@bharath:~$ cd authz && mvn clean install -DskipTests\r
+\r
+\r
+If the build is successful, then you can see a folder in "authz/auth" called "aaf_VERSION-SNAPSHOT" which contains all binaries of the components\r
+\r
+.. code:: bash\r
+\r
+   bharath@bharath:~/authz/auth$ ls\r
+aaf_2.1.1-SNAPSHOT  auth-cass     auth-cmd   auth-deforg  auth-gui    auth-locate  auth-service  pom.xml  target\r
+auth-batch          auth-certman  auth-core  auth-fs      auth-hello  auth-oauth   docker        sample\r
+\r
+Build Docker Images:\r
+-------------------\r
+Now after building binaries, the next step is to build docker images for each aaf component.\r
+\r
+.. code:: bash\r
+\r
+    bharath@bharath:~/authz/auth/docker$ chmod +x *.sh\r
+    bharath@bharath:~/authz/auth/docker$ ./dbuild.sh\r
+       \r
+The above command will build the following images:\r
+\r
+aaf_service\r
+aaf_oauth\r
+aaf_locate\r
+aaf_hello\r
+aaf_gui\r
+aaf_fs\r
+aaf_cm\r
+Modify the  properties file:\r
+Modify the contents of the "authz/auth/docker/d.props\r
+\r
+.. code:: bash\r
+\r
+    bharath@bharath:~/authz/auth/docker$ cat d.props\r
+       \r
+# Variables for building Docker entities\r
+ORG=onap\r
+PROJECT=aaf\r
+DOCKER_REPOSITORY=nexus3.onap.org:10003\r
+OLD_VERSION=2.1.0-SNAPSHOT\r
+VERSION=2.1.1-SNAPSHOT\r
+CONF_ROOT_DIR=/opt/app/osaaf\r
+\r
+\r
+# Local Env info\r
+HOSTNAME="<HOSTNAME>"\r
+HOST_IP="<HOST_IP>"\r
+CASS_HOST="cass"\r
+\r
+Replace the <HOSTNAME>  with your hostname and HOST_IP with your host IP.\r
+\r
+Add  the following entry to your /etc/hosts file\r
+\r
+\r
+\r
+127.0.0.1 aaf.osaaf.org\r
+Mount the sample to /opt/app/osaaf:\r
+As you can see there is a parameter "CONF_ROOT_DIR" which is set to "/opt/app/osaaf". So we have to create a folder "/opt/app/osaaf" and copy the contents of authz/auth/sample to /opt/app/osaaf\r
+\r
+.. code:: bash\r
+\r
+   bharath@bharath:~/authz/auth$ mkdir -p /opt/app/osaaf\r
+   bharath@bharath:~/authz/auth$ cp -r sample/* /opt/app/osaaf/\r
+\r
+Run the docker containers:\r
+--------------------------\r
+.. code:: bash\r
+\r
+    bharath@bharath:~/authz/auth/docker$ ls\r
+    dbash.sh  dbuild.sh  dclean.sh  Dockerfile  d.props  dpush.sh  drun.sh  dstart.sh  dstop.sh\r
+    bharath@bharath:~/authz/auth/docker$ ./drun.sh\r
+\r
+\r
+\r
+\r
+\r
+\r
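Review bot: "Copy the settings.xml from here and paste in ~/.m2/settings.xml" has lost its link target, so the reader is told to install a Maven settings file without being told where it comes from. Because settings.xml decides which repositories and mirrors the build resolves artifacts from, the sentence should name the exact project-hosted location, e.g. `Copy settings.xml from <ONAP_SETTINGS_URL_PLACEHOLDER> to ~/.m2/settings.xml`. Two rendering problems are also visible in this file: every line ends in a literal `\r`, which suggests CRLF line endings that the other new .rst files do not have, and the `ls` output and the `d.props` listing start at column 0, which ends the preceding `.. code:: bash` block early.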
diff --git a/docs/sections/installation/fromsource.rst b/docs/sections/installation/fromsource.rst
new file mode 100644 (file)
index 0000000..19ac622
--- /dev/null
@@ -0,0 +1,190 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
+
+AAF From Source Code
+====================
+
+Example Source Code
+-------------------
+Note the FULL class is available in the authz repo, cadi_aaf/org/onap/aaf/client/sample/Sample.java
+
+.. code-block:: java
+
+
+  /**
+   * ============LICENSE_START====================================================
+   * org.onap.aaf
+   * ===========================================================================
+   * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+   * ===========================================================================
+   * Licensed under the Apache License, Version 2.0 (the "License");
+   * you may not use this file except in compliance with the License.
+   * You may obtain a copy of the License at
+   *
+   *      http://www.apache.org/licenses/LICENSE-2.0
+   *
+   * Unless required by applicable law or agreed to in writing, software
+   * distributed under the License is distributed on an "AS IS" BASIS,
+   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   * See the License for the specific language governing permissions and
+   * limitations under the License.
+   * ============LICENSE_END====================================================
+   *
+   */
+  package org.onap.aaf.client.sample;
+  import java.io.IOException;
+  import java.security.Principal;
+  import java.util.ArrayList;
+  import java.util.List;
+  import org.onap.aaf.cadi.Access;
+  import org.onap.aaf.cadi.CadiException;
+  import org.onap.aaf.cadi.LocatorException;
+  import org.onap.aaf.cadi.Permission;
+  import org.onap.aaf.cadi.PropAccess;
+  import org.onap.aaf.cadi.aaf.AAFPermission;
+  import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+  import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
+  import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+  import org.onap.aaf.cadi.principal.UnAuthPrincipal;
+  import org.onap.aaf.cadi.util.Split;
+  import org.onap.aaf.misc.env.APIException;
+  public class Sample {
+    private static Sample singleton;
+    final private AAFConHttp aafcon;
+    final private AAFLurPerm aafLur;
+    final private AAFAuthn<?> aafAuthn;
+     
+    /**
+     * This method is to emphasize the importance of not creating the AAFObjects over and over again.
+     * @return
+     */
+    public static Sample singleton() {
+        return singleton;
+    }
+    public Sample(Access myAccess) throws APIException, CadiException, LocatorException {
+        aafcon = new AAFConHttp(myAccess);
+        aafLur = aafcon.newLur();
+        aafAuthn = aafcon.newAuthn(aafLur);
+    }
+     
+    /**
+     * Checking credentials outside of HTTP/S presents fewer options initially. There is not, for instance,
+     * the option of using 2-way TLS HTTP/S.
+     * 
+     *  However, Password Checks are still useful, and, if the Client Certificate could be obtained in other ways, the
+     *  Interface can be expanded in the future to include Certificates.
+     * @throws CadiException
+     * @throws IOException
+     */
+    public Principal checkUserPass(String fqi, String pass) throws IOException, CadiException {
+        String ok = aafAuthn.validate(fqi, pass);
+        if(ok==null) {
+            System.out.println("Success!");
+            /*
+             UnAuthPrincipal means that it is not coming from the official Authorization chain.
+             This is useful for Security Plugins which don't use Principal as the tie between
+             Authentication and Authorization
+             
+             You can also use this if you want to check Authorization without actually Authenticating, as may
+             be the case with certain Onboarding Tooling.
+            */
+            return new UnAuthPrincipal(fqi);
+        } else {
+            System.out.printf("Failure: %s\n",ok);
+            return null;
+        }
+         
+    }
+    /**
+     * An example of looking for One Permission within all the permissions user has.  CADI does cache these,
+     * so the call is not expensive.
+     *
+     * Note: If you are using "J2EE" (Servlets), CADI ties this function to the method:
+     *    HttpServletRequest.isUserInRole(String user)
+     *   
+     *  The J2EE user can expect that his servlet will NOT be called without a Validated Principal, and that
+     *  "isUserInRole()" will validate if the user has the Permission designated.
+     * 
+     */
+    public boolean oneAuthorization(Principal fqi, Permission p) {
+        return aafLur.fish(fqi, p);
+    }
+     
+    public List<Permission> allAuthorization(Principal fqi) {
+        List<Permission> pond = new ArrayList<Permission>();
+        aafLur.fishAll(fqi, pond);
+        return pond;
+    }
+     
+     
+    public static void main(String[] args) {
+        // Note: you can pick up Properties from Command line as well as VM Properties
+        // Code "user_fqi=... user_pass=..." (where user_pass can be encrypted) in the command line for this sample.
+        // Also code "perm=<perm type>|<instance>|<action>" to test a specific Permission
+        PropAccess myAccess = new PropAccess(args);
+        try {
+            /*
+             * NOTE:  Do NOT CREATE new aafcon, aafLur and aafAuthn each transaction.  They are built to be
+             * reused!
+             *
+             * This is why this code demonstrates "Sample" as a singleton.
+             */
+            singleton = new Sample(myAccess);
+            String user = myAccess.getProperty("user_fqi");
+            String pass= myAccess.getProperty("user_pass");
+             
+            if(user==null || pass==null) {
+                System.err.println("This Sample class requires properties user_fqi and user_pass");
+            } else {
+                pass =  myAccess.decrypt(pass, false); // Note, with "false", decryption will only happen if starts with "enc:"
+                // See the CODE for Java Methods used
+                Principal fqi = Sample.singleton().checkUserPass(user,pass);
+                 
+                if(fqi==null) {
+                    System.out.println("OK, normally, you would cease processing for an "
+                            + "unauthenticated user, but for the purpose of Sample, we'll keep going.\n");
+                    fqi=new UnAuthPrincipal(user);
+                }
+                 
+                // AGAIN, NOTE: If your client fails Authentication, the right behavior 99.9%
+                // of the time is to drop the transaction.  We continue for sample only.
+                 
+                // note, default String for perm
+                String permS = myAccess.getProperty("perm","org.osaaf.aaf.access|*|read");
+                String[] permA = Split.splitTrim('|', permS);
+                if(permA.length>2) {
+                    final Permission perm = new AAFPermission(permA[0],permA[1],permA[2]);
+                    // See the CODE for Java Methods used
+                    if(singleton().oneAuthorization(fqi, perm)) {
+                        System.out.printf("Success: %s has %s\n",fqi.getName(),permS);
+                    } else {
+                        System.out.printf("%s does NOT have %s\n",fqi.getName(),permS);
+                    }
+                }
+                 
+                 
+                // Another form, you can get ALL permissions in a list
+                // See the CODE for Java Methods used
+                List<Permission> permL = singleton().allAuthorization(fqi);
+                if(permL.size()==0) {
+                    System.out.printf("User %s has no Permissions THAT THE CALLER CAN SEE",fqi.getName());
+                } else {
+                    System.out.print("Success:\n");
+                    for(Permission p : permL) {
+                        System.out.printf("\t%s has %s\n",fqi.getName(),p.getKey());
+                    }
+                }
+            }
+        } catch (APIException | CadiException | LocatorException | IOException e) {
+            e.printStackTrace();
+        }
+    }
+  }
\ No newline at end of file
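Review bot: `main` in the Sample listing carries on to the permission checks after `checkUserPass` returns null, by building `new UnAuthPrincipal(user)`, and a documentation sample like this is likely to be copied as-is. The comments do say the right behaviour is to drop the transaction, but the code shows the opposite; I would make the listing fail closed with `if(fqi==null) { System.err.println("Authentication failed"); return; }` and move the unauthenticated lookup into a separately labelled snippet. The usage comment also suggests passing `user_pass=...` on the command line, where it can be read from the process list by other local users; the text should say to supply it in `enc:` form from a protected properties file. Smaller points: the `singleton()` Javadoc has an empty `@return`, and `e.printStackTrace()` is the only error handling shown.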
diff --git a/docs/sections/installation/index.rst b/docs/sections/installation/index.rst
new file mode 100644 (file)
index 0000000..a3aedde
--- /dev/null
@@ -0,0 +1,12 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright Â© 2017 AT&T Intellectual Property. All rights reserved.
+
+Installation
+============
+.. toctree::
+   :maxdepth: 2
+   :glob:
+
+   *
+
diff --git a/docs/sections/logging.rst b/docs/sections/logging.rst
new file mode 100644 (file)
index 0000000..9064b59
--- /dev/null
@@ -0,0 +1,70 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+Logging
+=======
+
+.. note::
+   * This section is used to describe the informational or diagnostic messages emitted from 
+     a software component and the methods or collecting them.
+   
+   * This section is typically: provided for a platform-component and sdk; and
+     referenced in developer and user guides
+   
+   * This note must be removed after content has been added.
+
+
+Where to Access Information
+---------------------------
+AAF uses log4j framework to generate logs and all the logs are stored in a persistent volume.
+
+Error / Warning Messages
+------------------------
+Following are the error codes
+
+| Create a Permission - Expected=201, Explicit=403, 404, 406, 409
+| Set Description for Permission - Expected=200, Explicit=404, 406
+| Delete a Permission Expected=200, Explicit=404, 406
+| Update a Permission - Expected=200, Explicit==04, 406, 409
+| Get Permissions by Type - Expected=200, Explicit=404, 406
+| Get Permissions by Key - Expected=200, Explicit=404, 406
+| Get PermsByNS - Expected=200, Explicit==404, 406
+| Get Permissions by Role - Expected=200, Explicit=404, 406
+| Get Permissions by User, Query AAF Perms - Expected=200, Explicit=404, 406
+| Get Permissions by User - Expected=200, Explicit=404, 406
+| Create Role - Expected=201, Explicit=403, 404, 406, 409
+| Set Description for role= - Expected=200, Explicit=404, 406
+| Delete Role - Expected=200, Explicit==404, 406
+| Delete Permission from Role - Expected=200, Explicit=404, 406
+| Add Permission to Role - Expected=201, Explicit=403, 404, 406, 409
+| Set a Permission's Roles - Expected=201, Explicit=403, 404, 406, 409
+| GetRolesByFullName - Expected=200, Explicit=404, 406
+| GetRolesByNameOnly - Expected=200, Explicit=404, 406
+| GetRolesByNS - Expected=200, Explicit=404, 406
+| GetRolesByPerm - Expected=200, Explicit=404, 406
+| GetRolesByUser - Expected=200, Explicit=404, 406
+| Request User Role Access - Expected=201, Explicit=403, 404, 406, 409
+| Get if User is In Role - Expected=200, Explicit=403, 404, 406
+| Delete User Role - Expected=200, Explicit=403, 404, 406
+| Update Users for a role - Expected=200, Explicit=403, 404, 406
+| Update Roles for a user - Expected=200, Explicit=403, 404, 406
+| Get UserRoles by Role - Expected=200, Explicit=404, 406
+| Get UserRoles by User - Expected=200, Explicit=404, 406
+| Create a Namespace - Expected=201, Explicit=403, 404, 406, 409
+| Set a Description for a Namespace - Expected=200, Explicit=403, 404, 406
+| Delete a Namespace - Expected=200, Explicit=403, 404, 424
+| Add an Admin to a Namespace - Expected=201, Explicit=403, 404, 406, 409
+| Remove an Admin from a Namespace - Expected=200, Explicit=403, 404
+| Delete an Attribute from a Namespace - Expected=200, Explicit=403, 404
+| Add an Attribute from a Namespace - Expected=201, Explicit=403, 404, 406, 409
+| update an Attribute from a Namespace - Expected=200, Explicit=403, 404
+| Add a Responsible Identity to a Namespace - Expected=201, Explicit=403, 404, 406, 409
+| Remove a Responsible Identity from Namespace - Expected=200, Explicit=403, 404
+| get Ns Key List From Attribute - Expected=200, Explicit=403, 404
+| Return Information about Namespaces - Expected=200, Explicit=404, 406
+| Return Child Namespaces - Expected=200, Explicit=403, 404
+| Get Users By Permission - Expected=200, Explicit=404, 406
+| Get Users By Role - Expected=200, Explicit=403, 404, 406
+| Is given BasicAuth valid? - Expected=200, Explicit=403
+| Is given Credential valid? - Expected=200, Explicit=403
+
diff --git a/docs/sections/release-notes.rst b/docs/sections/release-notes.rst
new file mode 100644 (file)
index 0000000..c3f74ad
--- /dev/null
@@ -0,0 +1,72 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+
+Release Notes
+=============
+
+
+
+Version: 2.1.0
+--------------
+
+
+:Release Date: 2018-06-07
+
+
+
+**New Features**
+
+This release fixes the packaging and security issues.
+
+**Bug Fixes**
+       NA
+**Known Issues**
+       NA
+
+**Security Notes**
+
+AAF code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The AAF open Critical security vulnerabilities and their risk assessment have been documented as part of the `project <https://wiki.onap.org/pages/viewpage.action?pageId=28380057>`_.
+
+Quick Links:
+       - `AAF project page <https://wiki.onap.org/display/DW/Application+Authorization+Framework+Project>`_
+       
+       - `Passing Badge information for AAF <https://bestpractices.coreinfrastructure.org/en/projects/1758>`_
+       
+       - `Project Vulnerability Review Table for AAF <https://wiki.onap.org/pages/viewpage.action?pageId=28380057>`_
+
+**Upgrade Notes**
+  NA
+
+**Deprecation Notes**
+
+Version: 1.0.1
+
+Release Date: 2017-11-16
+
+
+New Features:
+
+ - Service (primary) â€“ All the Authorization information (more on that in a bit)
+ - Locate â€“ how to find ANY OR ALL AAF instances across any geographic distribution
+ - OAuth 2.0 â€“ new component providing Tokens and Introspection (no time to discuss here)
+ - GUI â€“ Tool to view and manage Authorization Information, and create Credentials
+ - Certman â€“ Certificate Manger, create and renew X509 with Fine-Grained Identity
+ - FS â€“ File Server to provide access to distributable elements (like well known certs)
+ - Hello - Test your client access (certs, OAuth 2.0, etc)
+
+
+
+
+Bug Fixes
+   - `AAF-290 <https://jira.onap.org/browse/AAF-290>`_ Fix aaf trusrstore
+   - `AAF-270 <https://jira.onap.org/browse/AAF-270>`_ AAF fails health check on HEAT deployment
+   - `AAF-286 <https://jira.onap.org/browse/AAF-286>`_ SMS fails health check on OOM deployment
+   - `AAF-273 <https://jira.onap.org/browse/AAF-273>`_ Cassandra pod running over 8G heap - or 10% of ONAP ram (for 135 other pods on 256G 4 node cluster)
+
+   
+Known Issues
+   - 
+
+Other
+
index d1e3ad9..841bca7 100644 (file)
@@ -24,7 +24,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>miscparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>..</relativePath>
        </parent>
 
index 54b0ce8..685bfb6 100644 (file)
@@ -65,21 +65,21 @@ public class StoreImpl implements Store {
        \r
        public StoreImpl() {\r
                 staticState = new Object[growSize];\r
-                staticMap = new HashMap<String,StaticSlot>();\r
-                localMap = new HashMap<String,Slot>();\r
+                staticMap = new HashMap<>();\r
+                localMap = new HashMap<>();\r
        }\r
        \r
        public StoreImpl(String tag) {\r
                 staticState = new Object[growSize];\r
-                staticMap = new HashMap<String,StaticSlot>();\r
-                localMap = new HashMap<String,Slot>();\r
+                staticMap = new HashMap<>();\r
+                localMap = new HashMap<>();\r
        }\r
 \r
        \r
        public StoreImpl(String tag, String[] args) {\r
                 staticState = new Object[growSize];\r
-                staticMap = new HashMap<String,StaticSlot>();\r
-                localMap = new HashMap<String,Slot>();\r
+                staticMap = new HashMap<>();\r
+                localMap = new HashMap<>();\r
 \r
                 if(tag!=null) {\r
                        String tequals = tag + '=';\r
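Review bot: The `StoreImpl(String tag)` constructor in this hunk never reads `tag`; its body is the same three lines as the no-arg constructor, so a caller that passes a tag gets no tag-based loading and no sign that the argument was dropped. If that is intentional, say so on the constructor, e.g. `// tag is accepted for signature compatibility and is not used`. The three initialisation lines are also repeated in every constructor shown here and could be shared by chaining to `this()`. The `StoreImpl(String tag, String[] args)` body continues outside the hunk.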
@@ -102,8 +102,8 @@ public class StoreImpl implements Store {
        \r
        public StoreImpl(String tag, Properties props) {\r
                 staticState = new Object[growSize];\r
-                staticMap = new HashMap<String,StaticSlot>();\r
-                localMap = new HashMap<String,Slot>();\r
+                staticMap = new HashMap<>();\r
+                localMap = new HashMap<>();\r
                 \r
                 if(tag!=null) {\r
                         String fname = props.getProperty(tag);\r
@@ -191,7 +191,7 @@ public class StoreImpl implements Store {
         * @see com.att.env.Store#existingSlotNames()\r
         */\r
        public List<String> existingSlotNames() {\r
-               return new ArrayList<String>(localMap.keySet());\r
+               return new ArrayList<>(localMap.keySet());\r
        }\r
 \r
        /* (non-Javadoc)\r
@@ -234,7 +234,7 @@ public class StoreImpl implements Store {
        }\r
 \r
        public List<String> existingStaticSlotNames() {\r
-               return new ArrayList<String>(staticMap.keySet());\r
+               return new ArrayList<>(staticMap.keySet());\r
        }\r
 }\r
 \r
index f10de38..e378e2c 100644 (file)
@@ -37,7 +37,7 @@ public abstract class AbsTrans<ENV extends Env> implements TransStore {
        private static final Object[] EMPTYO = new Object[0];\r
        \r
        protected ENV delegate;\r
-       protected List<TimeTaken> trail = new ArrayList<TimeTaken>(30);\r
+       protected List<TimeTaken> trail = new ArrayList<>(30);\r
        private Object[] state;\r
        \r
        \r
index 2a3628d..cd62a7e 100644 (file)
@@ -84,7 +84,7 @@ public class BasicEnv extends StoreImpl implements EnvJAXB, TransCreate<TransJAX
         */\r
        public BasicEnv(Applet applet, String ... tags) {\r
                super(null, tags);\r
-//             props = new HashMap<String, String>();\r
+//             props = new HashMap<>();\r
 //             String value;\r
 //             for(int i=0;i<tags.length;++i) {\r
 //                     value = applet.getParameter(tags[i]);\r
index 127eb15..4a01d8b 100644 (file)
@@ -64,7 +64,7 @@ import org.onap.aaf.misc.env.util.Pool.Pooled;
  */\r
 public class JAXBmar {\r
        // Need to store off possible JAXBContexts based on Class, which will be stored in Creator\r
-       private static Map<Class<?>[],Pool<PMarshaller>> pools = new HashMap<Class<?>[], Pool<PMarshaller>>();\r
+       private static Map<Class<?>[],Pool<PMarshaller>> pools = new HashMap<>();\r
 \r
        // Handle Marshaller class setting of properties only when needed\r
        private class PMarshaller {\r
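Review bot: The static `pools` map on the changed line is keyed by `Class<?>[]`, and Java arrays use identity `equals`/`hashCode`, so a lookup with a newly built array of the same classes cannot find an existing entry. If the code outside this hunk passes a fresh array per call (not visible here), each call would add another pool and the map would grow without bound. It is also a plain `HashMap` held in a static field, which is unsafe if several threads reach it without a lock. Consider a value-equal key such as `Arrays.asList(classes)` (`Map<List<Class<?>>,Pool<PMarshaller>>`) and confirm how access is synchronized. The same declaration appears in JAXBumar in the next hunk.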
index 74072aa..0c078a9 100644 (file)
@@ -68,7 +68,7 @@ import org.w3c.dom.Node;
  */\r
 public class JAXBumar {\r
        // Need to store off possible JAXBContexts based on Class, which will be stored in Creator\r
-       private static Map<Class<?>[],Pool<SUnmarshaller>> pools = new HashMap<Class<?>[], Pool<SUnmarshaller>>();\r
+       private static Map<Class<?>[],Pool<SUnmarshaller>> pools = new HashMap<>();\r
 \r
        private Class<?> cls;\r
        private Schema schema;\r
index 1694a01..82f05b4 100644 (file)
@@ -104,7 +104,7 @@ public class Pool<T> {
        public Pool(Creator<T> creator) {\r
                count = spares = 0;\r
                this.creator = creator;\r
-               list = new LinkedList<Pooled<T>>();\r
+               list = new LinkedList<>();\r
        }\r
 \r
        /**\r
index 56cd54e..6892a4b 100644 (file)
@@ -69,7 +69,7 @@ public class RefreshableThreadObject<T extends Creatable<T>> {
         * @throws APIException\r
         */\r
        public RefreshableThreadObject(Class<T> clss) throws APIException {\r
-               objs = new ConcurrentHashMap<Thread,T>();\r
+               objs = new ConcurrentHashMap<>();\r
                try {\r
                        cnst = clss.getConstructor(new Class[]{Env.class} );\r
                } catch (Exception e) {\r
index 57e6009..efb6812 100644 (file)
@@ -30,7 +30,13 @@ package org.onap.aaf.misc.env.util;
  */\r
 \r
 public class Split {\r
+         private static final String[] BLANK = new String[0];\r
+         \r
          public static String[] split(char c, String value) {\r
+                 if(value==null) {\r
+                         return BLANK;\r
+                 }\r
+\r
                  // Count items to preallocate Array (memory alloc is more expensive than counting twice)\r
                  int count,idx;\r
                  for(count=1,idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,++idx),++count);\r
@@ -50,6 +56,9 @@ public class Split {
          }\r
 \r
          public static String[] splitTrim(char c, String value) {\r
+                 if(value==null) {\r
+                         return BLANK;\r
+                 }\r
                  // Count items to preallocate Array (memory alloc is more expensive than counting twice)\r
                  int count,idx;\r
                  for(count=1,idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,++idx),++count);\r
@@ -69,6 +78,10 @@ public class Split {
          }\r
 \r
          public static String[] splitTrim(char c, String value, int size) {\r
+                 if(value==null) {\r
+                         return BLANK;\r
+                 }\r
+\r
                  int idx;\r
                  String[] rv = new String[size];\r
                  if(size==1) {\r
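Review bot: In `splitTrim(char, String, int)` the new null guard returns the shared zero-length `BLANK`, while the non-null path allocates `new String[size]`, so the length of the result now depends on whether the input was null. A caller that indexes `rv[0]` to `rv[size-1]` without checking the length would get an ArrayIndexOutOfBoundsException where it previously got a NullPointerException. These helpers parse delimited strings such as the `perm` property elsewhere in this commit, so the contract is worth pinning down: either `return new String[size];` for the null case, or a Javadoc line stating that null input yields an empty array and callers must check `length`. The method body continues outside the hunk.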
index 31d8f9f..e30243d 100644 (file)
@@ -24,7 +24,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>miscparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>..</relativePath>
        </parent>
 
index a98ba7c..c6537de 100644 (file)
@@ -59,15 +59,14 @@ public class LogFileNamer {
         * @throws IOException\r
         */\r
        public String setAppender(String appender) throws IOException {\r
-               String filename;\r
                int i = 0;\r
                File f;\r
-               while ((f = new File(filename = String.format(FILE_FORMAT_STR, dir, root, appender, ending, i))).exists()) {\r
+               while ((f = new File(String.format(FILE_FORMAT_STR, dir, root, appender, ending, i))).exists()) {\r
                        ++i;\r
                }\r
-               ;\r
+               \r
                f.createNewFile();\r
-               System.setProperty("LOG4J_FILENAME_" + appender, filename);\r
+               System.setProperty("LOG4J_FILENAME_" + appender, f.getCanonicalPath());\r
                return appender;\r
        }\r
 \r
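Review bot: `setAppender` still probes with `exists()` and then calls `f.createNewFile()` without checking its return value, so two processes started together can pick the same index and both end up logging to one file. `createNewFile()` is itself an atomic check-and-create, so the loop can use it directly: `while (!(f = new File(String.format(FILE_FORMAT_STR, dir, root, appender, ending, i))).createNewFile()) { ++i; }`, which also removes the separate call. `appender` is placed into the file name and the system property key unchecked; whether it can ever come from outside the program is not visible in this hunk, so a comment stating the expected character set would help.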
index 0ee79a5..b96d6dd 100644 (file)
@@ -34,6 +34,7 @@ import org.junit.Before;
 import org.junit.Test;\r
 \r
 public class JU_LogFileNamerTest {\r
+       private File dir = new File(".");\r
 \r
        private String ending = new SimpleDateFormat("YYYYMMdd").format(new Date());\r
 \r
@@ -43,26 +44,26 @@ public class JU_LogFileNamerTest {
 \r
        @Test\r
        public void test() throws IOException {\r
-               LogFileNamer logFileNamer = new LogFileNamer(".", "log");\r
+               LogFileNamer logFileNamer = new LogFileNamer(dir.getCanonicalPath(), "log");\r
                assertEquals(logFileNamer, logFileNamer.noPID());\r
 \r
                logFileNamer.setAppender("Append");\r
-               assertEquals(System.getProperty("LOG4J_FILENAME_Append"), "./log-Append" + ending + "_0.log");\r
+               assertEquals(System.getProperty("LOG4J_FILENAME_Append"), dir.getCanonicalFile()+"/log-Append" + ending + "_0.log");\r
 \r
                logFileNamer.setAppender("Append");\r
-               assertEquals(System.getProperty("LOG4J_FILENAME_Append"), "./log-Append" + ending + "_1.log");\r
+               assertEquals(System.getProperty("LOG4J_FILENAME_Append"), dir.getCanonicalFile()+"/log-Append" + ending + "_1.log");\r
        }\r
 \r
        @Test\r
        public void testBlankRoot() throws IOException {\r
-               LogFileNamer logFileNamer = new LogFileNamer(".", "");\r
+               LogFileNamer logFileNamer = new LogFileNamer(dir.getCanonicalPath(), "");\r
                assertEquals(logFileNamer, logFileNamer.noPID());\r
 \r
                logFileNamer.setAppender("Append");\r
-               assertEquals(System.getProperty("LOG4J_FILENAME_Append"), "./Append" + ending + "_0.log");\r
+               assertEquals(System.getProperty("LOG4J_FILENAME_Append"), dir.getCanonicalPath()+"/Append" + ending + "_0.log");\r
 \r
                logFileNamer.setAppender("Append");\r
-               assertEquals(System.getProperty("LOG4J_FILENAME_Append"), "./Append" + ending + "_1.log");\r
+               assertEquals(System.getProperty("LOG4J_FILENAME_Append"), dir.getCanonicalPath()+"/Append" + ending + "_1.log");\r
        }\r
 \r
        @After\r
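Review bot: The expected paths in `test()` and `testBlankRoot()` are built with a hard-coded `"/"` after the canonical directory, while `setAppender` now stores `f.getCanonicalPath()`, which uses the platform separator; on Windows these assertions would presumably fail. Build the expected value the same way the code does, e.g. `new File(dir, "log-Append" + ending + "_0.log").getCanonicalPath()`. `test()` uses `dir.getCanonicalFile()` where `testBlankRoot()` uses `dir.getCanonicalPath()` for the same purpose, so pick one. The `assertEquals` arguments are also in (actual, expected) order, which makes a failure message read backwards.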
index d35dd72..eb1a6e8 100644 (file)
        <parent>
        <groupId>org.onap.aaf.authz</groupId>
        <artifactId>parent</artifactId>
-       <version>2.1.0-SNAPSHOT</version>
+       <version>2.1.2-SNAPSHOT</version>
     </parent>
        <groupId>org.onap.aaf.authz</groupId>
        <artifactId>miscparent</artifactId>
        <name>AAF Misc Parent</name>
-       <version>2.1.0-SNAPSHOT</version>
+       <version>2.1.2-SNAPSHOT</version>
        <packaging>pom</packaging>
 
        
index efd1c2f..9a7862f 100644 (file)
@@ -24,7 +24,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>miscparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>..</relativePath>
        </parent>
 
                                        <inherited>true</inherited>
                                        <groupId>org.apache.maven.plugins</groupId>
                                        <artifactId>maven-compiler-plugin</artifactId>
-                                       <version>2.3.2</version>
                                        <configuration>
                                                <source>1.7</source>
                                                <target>1.7</target>
                        
                                <plugin>
                                        <groupId>org.apache.maven.plugins</groupId>
-                                       <version>2.4</version>
                                        <artifactId>maven-jar-plugin</artifactId>
                                        <configuration>
                                                <outputDirectory>target</outputDirectory>
                                <plugin>
                                        <groupId>org.apache.maven.plugins</groupId>
                                        <artifactId>maven-javadoc-plugin</artifactId>
-                                       <version>2.10</version>
                                        <configuration>
                                                <excludePackageNames>org.opendaylight.*</excludePackageNames>
                                        </configuration>
 
                                <plugin>
                                        <artifactId>maven-release-plugin</artifactId>
-                                       <version>2.5.2</version>
                                        <configuration>
                                                <goals>-s ${mvn.settings} deploy</goals>
                                        </configuration>
 
                                <plugin>
                                        <artifactId>maven-assembly-plugin</artifactId>
-                                       <version>2.5.5</version>
                                </plugin>
 
                                <plugin>
                                        <groupId>org.apache.maven.plugins</groupId>
                                        <artifactId>maven-deploy-plugin</artifactId>
-                                       <version>2.8.1</version>
                                        <configuration>
                                                <skip>false</skip>
                                        </configuration>
                                <plugin>
                                        <groupId>org.apache.maven.plugins</groupId>
                                        <artifactId>maven-dependency-plugin</artifactId>
-                                       <version>2.10</version>
                                </plugin>
 
                                <!-- Maven surefire plugin for testing -->
                                <plugin>
                                        <artifactId>maven-surefire-plugin</artifactId>
-                                       <version>2.17</version>
                                        <configuration>
                                        <skipTests>false</skipTests>
                                        <includes>
                                <plugin>
                                        <groupId>org.eclipse.m2e</groupId>
                                        <artifactId>lifecycle-mapping</artifactId>
-                                       <version>1.0.0</version>
                                        <configuration>
                                                <lifecycleMappingMetadata>
                                                        <pluginExecutions>
                                <plugin>
                                        <groupId>org.sonatype.plugins</groupId>
                                        <artifactId>nexus-staging-maven-plugin</artifactId>
-                                       <version>1.6.7</version>
                                        <extensions>true</extensions>
                                        <configuration>
                                                <nexusUrl>${nexusproxy}</nexusUrl>
                                <plugin>
                                        <groupId>org.jacoco</groupId>
                                        <artifactId>jacoco-maven-plugin</artifactId>
-                                       <version>${jacoco.version}</version>
                                        <configuration>
                                                <excludes>
                                                        <exclude>**/gen/**</exclude>
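Review bot: The `<version>` element is removed from every plugin in this section (compiler, jar, javadoc, release, assembly, deploy, dependency, surefire, lifecycle-mapping, nexus-staging and jacoco), and nothing visible here shows where those versions are now pinned. Unless the parent POM's `<pluginManagement>` declares each one, Maven resolves a version on its own, so the build stops being reproducible and a build or deploy plugin can change without a reviewed commit. Please confirm the parent pins all of them, or keep the explicit versions here. The hunk headers for these changes are missing from the page, so the enclosing elements are only partly visible.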
index 4827592..da66394 100644 (file)
@@ -205,7 +205,7 @@ public class InXML implements Parse<Reader, State> {
                                String value = sb.toString();
                                sb.setLength(0);
                                if(tag !=null && value != null) {
-                                       if(props==null)props = new ArrayList<Prop>();
+                                       if(props==null)props = new ArrayList<>();
                                        props.add(new Prop(tag,value));
                                }
                        }
@@ -251,7 +251,7 @@ public class InXML implements Parse<Reader, State> {
 
                public void push(Prop prop) {
                        if(attribs==null) {
-                               attribs = new ArrayList<Prop>();
+                               attribs = new ArrayList<>();
                                idx = 0;
                        }
                        attribs.add(prop);
@@ -291,7 +291,7 @@ public class InXML implements Parse<Reader, State> {
 
                private void addNS(Prop prop) {
                        Map<String,String> existingNS = getNS();
-                       if(ns==null)ns = new HashMap<String,String>();
+                       if(ns==null)ns = new HashMap<>();
                        // First make a copy of previous NSs so that we have everything we need, but can overwrite, if necessary
                        if(existingNS!=null && ns!=existingNS) {
                                ns.putAll(ns);
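Review bot: `ns.putAll(ns);` in `addNS` copies the map into itself, which does nothing; the comment above it says the intent is to copy the previous namespaces, so the line should read `ns.putAll(existingNS);`. As written, a newly created `ns` starts empty, and namespace prefixes from `getNS()` are not carried over, which may leave later prefix lookups unresolved. The line is unchanged context in this commit rather than something it introduces, and `addNS` continues past the end of the hunk.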
index 5f38c8c..6c20ba2 100644 (file)
@@ -74,7 +74,7 @@ public class JaxInfo {
                JaxInfo derived;
                // Lazy Instantiation
                if(extensions == null) {
-                       extensions = new HashMap<String,JaxInfo>();
+                       extensions = new HashMap<>();
                        derived = null;
                } else {
                        derived = extensions.get(derivedName);
@@ -163,7 +163,7 @@ public class JaxInfo {
                // Build up Method names from JAXB Annotations
                XmlType xt;
                while((xt = cls.getAnnotation(XmlType.class))!=null) {
-                       if(fields==null)fields = new ArrayList<JaxInfo>();
+                       if(fields==null)fields = new ArrayList<>();
                        for(String field : xt.propOrder()) {
                                if("".equals(field)) break; // odd bug.  "" returned when no fields exist, rather than empty array
                                Field rf = cls.getDeclaredField(field);
index bb6784c..04d6158 100644 (file)
@@ -38,11 +38,11 @@ import javax.xml.bind.annotation.XmlType;
  * @param <T>
  */
 public class JaxSet<T> {
-       private static Map<Class<?>,JaxSet<?>> jsets = new HashMap<Class<?>,JaxSet<?>>();
+       private static Map<Class<?>,JaxSet<?>> jsets = new HashMap<>();
        private Map<String,Setter<T>> members;
 
        private JaxSet(Class<?> cls) {
-               members = new TreeMap<String, Setter<T>>();
+               members = new TreeMap<>();
                XmlType xmltype = cls.getAnnotation(XmlType.class);
                Class<?> paramType[] = new Class[] {String.class};
                for(String str : xmltype.propOrder()) {
@@ -79,7 +79,7 @@ public class JaxSet<T> {
                        @SuppressWarnings("unchecked")
                        JaxSet<X> js = (JaxSet<X>)jsets.get(cls);
                        if(js == null) {
-                               jsets.put(cls, js = new JaxSet<X>(cls));
+                               jsets.put(cls, js = new JaxSet<>(cls));
                        }
                        return js;
                }
index f3ce1c2..8557c58 100644 (file)
@@ -42,7 +42,7 @@ public class OutXML extends Out{
 
        public OutXML(String root, String ... params) {
                this.root = root;
-               props = new ArrayList<Prop>();
+               props = new ArrayList<>();
                for(String p : params) {
                        String[] tv=p.split("=");
                        if(tv.length==2)
@@ -164,7 +164,7 @@ public class OutXML extends Out{
                        }
                        
                        if(create && !rv) {
-                               if(nses == null) nses = new HashMap<String,String>();
+                               if(nses == null) nses = new HashMap<>();
                                nses.put(ns, value);
                        }
                        return rv;
index f1cde6e..aac1e30 100644 (file)
@@ -106,8 +106,8 @@ public class XmlEscape {
        }
 
        static {
-               charMap = new TreeMap<String, Integer>();
-               intMap = new TreeMap<Integer,String>();
+               charMap = new TreeMap<>();
+               intMap = new TreeMap<>();
                charMap.put("quot", 34);
                charMap.put("amp",38);
                charMap.put("apos",39);
index 8aa12fa..5b4eb0b 100644 (file)
@@ -24,7 +24,7 @@
        <parent>
                <groupId>org.onap.aaf.authz</groupId>
                <artifactId>miscparent</artifactId>
-               <version>2.1.0-SNAPSHOT</version>
+               <version>2.1.2-SNAPSHOT</version>
                <relativePath>..</relativePath>
        </parent>
 
index 74b590d..417f80b 100644 (file)
@@ -42,7 +42,7 @@ public abstract class CacheGen<G extends XGen<G>> {
        public final static int HTML5   = 0x8;\r
 \r
        \r
-       private ArrayList<Section<G>> sections = new ArrayList<Section<G>>();\r
+       private ArrayList<Section<G>> sections = new ArrayList<>();\r
        private int flags;\r
        private final Thematic thematic;\r
 \r
index fa51719..17678b3 100644 (file)
@@ -25,16 +25,15 @@ import java.util.ArrayList;
 import java.util.List;\r
 \r
 public class Imports implements Thematic{\r
-       List<String> css,js;\r
+       List<String> css;\r
+       List<String> js;\r
        public final int backdots;\r
-//     public final File webDir;\r
        private String theme;\r
        \r
        public Imports(int backdots) {\r
-//             this.webDir = webDir;\r
                \r
-               css = new ArrayList<String>();\r
-               js = new ArrayList<String>();\r
+               css = new ArrayList<>();\r
+               js = new ArrayList<>();\r
                this.backdots = backdots;\r
                theme = "";\r
        }\r
index 18b3393..9160095 100644 (file)
@@ -60,7 +60,7 @@ public class JU_HTML4GenTest {
 \r
                gen.html("attributes");\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
                for (char ch : DOCTYPE.toCharArray()) {\r
                        Integer times = map.get(ch);\r
                        map.put(ch, (times == null ? 0 : times) + 1);\r
@@ -84,7 +84,7 @@ public class JU_HTML4GenTest {
 \r
                gen.head();\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "head".toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -103,7 +103,7 @@ public class JU_HTML4GenTest {
 \r
                gen.body("attributes");\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "body".toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -126,7 +126,7 @@ public class JU_HTML4GenTest {
 \r
                gen.charset(charset);\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : CHARSET_LINE.toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -145,7 +145,7 @@ public class JU_HTML4GenTest {
 \r
                gen.header("attributes");\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "header".toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -174,7 +174,7 @@ public class JU_HTML4GenTest {
 \r
                gen.footer("attributes");\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "footer".toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -203,7 +203,7 @@ public class JU_HTML4GenTest {
 \r
                gen.section("attributes");\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "section".toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -232,7 +232,7 @@ public class JU_HTML4GenTest {
 \r
                gen.article("attributes");\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "attrib".toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -261,7 +261,7 @@ public class JU_HTML4GenTest {
 \r
                gen.aside("attributes");\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "aside".toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -290,7 +290,7 @@ public class JU_HTML4GenTest {
 \r
                gen.nav("attributes");\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "nav".toCharArray()) {\r
                        Integer times = map.get(ch);\r
index 953a4a3..69ebf89 100644 (file)
@@ -36,8 +36,8 @@ import org.mockito.Mock;
 \r
 public class JU_HTML5GenTest {\r
 \r
-       private final static String DOCTYPE = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\""\r
-                       + " \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">";\r
+//     private final static String DOCTYPE = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\""\r
+//                     + " \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">";\r
 \r
        private String charset = "utf-8";\r
 \r
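Review bot: The `DOCTYPE` constant in `JU_HTML5GenTest` is commented out rather than deleted, which trades an unused-field warning for dead commented-out code. If nothing in the test references it (the rest of the class is outside this hunk), remove both `//     private final static String DOCTYPE = ...` lines outright; version control keeps the history. If the XHTML 1.0 Strict doctype was meant to be asserted against the HTML5 generator's output, that assertion is missing and is worth adding instead of parking the constant.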
@@ -59,7 +59,7 @@ public class JU_HTML5GenTest {
 \r
                gen.html("attributes");\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "html".toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -79,7 +79,7 @@ public class JU_HTML5GenTest {
 \r
                gen.head();\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "head".toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -98,7 +98,7 @@ public class JU_HTML5GenTest {
 \r
                gen.body("attributes");\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : "body".toCharArray()) {\r
                        Integer times = map.get(ch);\r
@@ -121,7 +121,7 @@ public class JU_HTML5GenTest {
 \r
                gen.charset(charset);\r
 \r
-               Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+               Map<Character, Integer> map = new TreeMap<>();\r
 \r
                for (char ch : CHARSET_LINE.toCharArray()) {\r
                        Integer times = map.get(ch);\r
index 2dbc422..1c00b45 100644 (file)
@@ -41,7 +41,7 @@ public class JU_XMLGenTest {
 \r
        String XML_TAG = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>";\r
 \r
-       Map<Character, Integer> map = new TreeMap<Character, Integer>();\r
+       Map<Character, Integer> map = new TreeMap<>();\r
 \r
        @Before\r
        public void setUp() throws Exception {\r
diff --git a/pom.xml b/pom.xml
index 58871f8..d206245 100644 (file)
--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@
        <modelVersion>4.0.0</modelVersion>
        <groupId>org.onap.aaf.authz</groupId>
        <artifactId>parent</artifactId>
-       <version>2.1.0-SNAPSHOT</version>
+       <version>2.1.2-SNAPSHOT</version>
        <name>AAF Overall Parent</name>
        <packaging>pom</packaging>
 
@@ -64,7 +64,6 @@
                        <plugin>
                                <groupId>org.sonatype.plugins</groupId>
                                <artifactId>nexus-staging-maven-plugin</artifactId>
-                               <version>1.6.7</version>
                                <extensions>true</extensions>
                                <configuration>
                                        <nexusUrl>${nexusproxy}</nexusUrl>
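Review bot: Dropping `<version>1.6.7</version>` from nexus-staging-maven-plugin leaves the plugin unpinned unless a parent POM or a `<pluginManagement>` section outside this hunk supplies the version. The same applies to the sonar-maven-plugin (`3.2`) and jacoco-maven-plugin (`${jacoco.version}`) removals further down in this file. Build plugins execute with the build's credentials, and this one stages release artifacts, so an unpinned version is a supply-chain and reproducibility concern: Maven then uses whatever release it resolves at build time. Please confirm the versions are inherited (`mvn help:effective-pom` shows what is resolved) or keep the explicit `<version>` elements; the maven-enforcer `requirePluginVersions` rule would catch a regression. The enclosing `<plugin>` element continues outside the hunk.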
                        <plugin>
                                <groupId>org.sonarsource.scanner.maven</groupId>
                                <artifactId>sonar-maven-plugin</artifactId>
-                               <version>3.2</version>
                        </plugin>
                        <plugin>
                                <groupId>org.jacoco</groupId>
                                <artifactId>jacoco-maven-plugin</artifactId>
-                               <version>${jacoco.version}</version>
                                <configuration>
                                        <excludes>
                                                <exclude>**/gen/**</exclude>
index 26d89e3..12d985e 100644 (file)
 
 major=2
 minor=1
-patch=0
+patch=2
 
 base_version=${major}.${minor}.${patch}
 
 # Release must be completed with git revision # in Jenkins
 release_version=${base_version}
-snapshot_version=${base_version}-SNAPSHOT
\ No newline at end of file
+snapshot_version=${base_version}-SNAPSHOT