Changes from Onsite Tests 09/90509/1
authorInstrumental <jonathan.gathman@att.com>
Wed, 26 Jun 2019 12:05:51 +0000 (07:05 -0500)
committerInstrumental <jonathan.gathman@att.com>
Wed, 26 Jun 2019 12:05:59 +0000 (07:05 -0500)
Issue-ID: AAF-857
Change-Id: I3fbed32ff5b2bb8f05f4f932c8dc2f4012c8b429
Signed-off-by: Instrumental <jonathan.gathman@att.com>
17 files changed:
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java
auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java
auth/auth-core/src/main/java/org/onap/aaf/auth/validation/Validator.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/Page.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/ApiDocs.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/PermDetail.java
auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/RoleDetail.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java
cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java

index e31e1e6..a5fa7a7 100644 (file)
@@ -110,6 +110,7 @@ public class RoleDAO extends CassDAOImpl<AuthzTrans,RoleDAO.Data> {
                if(ns==null) {
                        sb.append('.');
                } else {
+                       sb.append(ns);
                sb.append(ns.indexOf('@')<0?'.':':'); 
                }
                sb.append(name);
@@ -129,19 +130,29 @@ public class RoleDAO extends CassDAOImpl<AuthzTrans,RoleDAO.Data> {
          * @return
          */
         public static Result<Data> decode(AuthzTrans trans, Question q, String r) {
-            String[] ss = Split.splitTrim('|', r,2);
             Data data = new Data();
-            if (ss[1]==null) { // older 1 part encoding must be evaluated for NS
-                Result<NsSplit> nss = q.deriveNsSplit(trans, ss[0]);
-                if (nss.notOK()) {
-                    return Result.err(nss);
-                }
-                data.ns=nss.value.ns;
-                data.name=nss.value.name;
-            } else { // new 4 part encoding
-                data.ns=ss[0];
-                data.name=ss[1];
-            }
+               if(r.indexOf('@')>=0) {
+                       int colon = r.indexOf(':');
+                       if(colon<0) {
+                               return Result.err(Result.ERR_BadData, "%s is not a valid Role",r);
+                       } else {
+                               data.ns=r.substring(0, colon);
+                               data.name=r.substring(++colon);
+                       }
+               } else {
+                   String[] ss = Split.splitTrim('|', r,2);
+                   if (ss[1]==null) { // older 1 part encoding must be evaluated for NS
+                       Result<NsSplit> nss = q.deriveNsSplit(trans, ss[0]);
+                       if (nss.notOK()) {
+                           return Result.err(nss);
+                       }
+                       data.ns=nss.value.ns;
+                       data.name=nss.value.name;
+                   } else { // new 4 part encoding
+                       data.ns=ss[0];
+                       data.name=ss[1];
+                   }
+               }
             return Result.ok(data);
         }
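Review bot: The new '@' branch (L54-L61) accepts an empty role name when ':' is the last character and never checks that the '@' precedes the ':', so `user@domain:` decodes to ns=`user@domain`, name=`` and a legacy value like `ns|na@me` is routed to the colon path instead of the '|' split. Tighten the guard: `if (colon<0 || colon==r.length()-1 || r.indexOf('@')>colon) { return Result.err(Result.ERR_BadData, "%s is not a valid Role", r); }`. `r` is also dereferenced before any null check; if callers can pass null, guard that as well. The `++colon` side effect on L60 reads worse than the `colon+1` used in the Question hunk of this same commit; prefer the latter for consistency.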
 
index d40c2ea..ae6f371 100644 (file)
@@ -325,13 +325,22 @@ public class Question {
         return permDAO.readByType(trans, nss.value.ns, nss.value.name);
     }
 
-    public Result<List<PermDAO.Data>> getPermsByName(AuthzTrans trans,
-            String type, String instance, String action) {
-        Result<NsSplit> nss = deriveNsSplit(trans, type);
-        if (nss.notOK()) {
-            return Result.err(nss);
-        }
-        return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action);
+    public Result<List<PermDAO.Data>> getPermsByName(AuthzTrans trans, String type, String instance, String action) {
+       if(type.indexOf('@') >= 0) {
+               int colon = type.indexOf(':');
+               if(colon>=0) {
+                       return permDAO.read(trans, type.substring(0, colon),type.substring(colon+1), instance,action);
+               } else {
+                       return Result.err(Result.ERR_BadData, "%s is malformed",type);
+               }
+       } else {
+               Result<NsSplit> nss = deriveNsSplit(trans, type);
+               if (nss.notOK()) {
+                   return Result.err(nss);
+               }
+               
+               return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action);
+       }
     }
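Review bot: The '@' branch at L92-L98 has the same gap as RoleDAO.Data.decode in this commit: an empty name is accepted when ':' is the final character, and nothing verifies the '@' sits in the namespace part before the ':'. Use one strict predicate: `if (colon > 0 && colon < type.length()-1 && type.indexOf('@') < colon) { return permDAO.read(trans, type.substring(0, colon), type.substring(colon+1), instance, action); }` and return `ERR_BadData` otherwise. A short javadoc stating that a type containing '@' is treated as `<user>:<name>` would make the two-format contract explicit.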
 
     public Result<List<PermDAO.Data>> getPermsByRole(AuthzTrans trans, String role, boolean lookup) {
@@ -377,8 +386,14 @@ public class Question {
         return Result.ok(perms);
     }
 
-    public Result<List<RoleDAO.Data>> getRolesByName(AuthzTrans trans,
-            String role) {
+    public Result<List<RoleDAO.Data>> getRolesByName(AuthzTrans trans, String role) {
+       if(role.startsWith(trans.user()) ) {
+               if(role.endsWith(":user")) {
+                       return roleDAO.read(trans,trans.user(), "user");
+               } else {
+                       return Result.err(Result.ERR_BadData,"%s is a badly formatted role",role);
+               }
+       }
         Result<NsSplit> nss = deriveNsSplit(trans, role);
         if (nss.notOK()) {
             return Result.err(nss);
@@ -415,12 +430,7 @@ public class Question {
         if (r.isOKhasData()) {
             return Result.ok(r.value.get(0));
         } else {
-            int dot;
-            if (child==null) {
-                return Result.err(Status.ERR_NsNotFound, "No Namespace");
-            } else {
-                dot = child.lastIndexOf('.');
-            }
+            int dot = child.lastIndexOf('.');
             if (dot < 0) {
                 return Result.err(Status.ERR_NsNotFound, "No Namespace for [%s]", child);
             } else {
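Review bot: Removing the `child==null` guard (old L131-L136) turns what was an `ERR_NsNotFound` result into a NullPointerException on `child.lastIndexOf('.')` whenever this branch is reached with a null child. If the parameter is now guaranteed non-null it should be documented at the method head; otherwise keep the cheap guard `if (child==null) { return Result.err(Status.ERR_NsNotFound, "No Namespace"); }` ahead of the `lastIndexOf`. The enclosing method starts and ends outside the hunk, so I cannot see whether an earlier check already covers this.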
@@ -561,6 +571,9 @@ public class Question {
     }
 
     public Result<NsDAO.Data> mayUser(AuthzTrans trans, String user, RoleDAO.Data rdd, Access access) {
+       if(trans.user().equals(rdd.ns)) {
+               return Result.ok((NsDAO.Data)null);
+       }
         Result<NsDAO.Data> rnsd = deriveNs(trans, rdd.ns);
         if (rnsd.isOK()) {
             return mayUser(trans, user, rnsd.value, rdd, access);
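Review bot: The short-circuit at L145-L147 compares `rdd.ns` with `trans.user()` even though the method takes an explicit `user` parameter, so asking whether some other user may access a role in the transaction user's personal namespace returns an unconditional OK. Unless `user` and `trans.user()` are identical at every call site, the comparison should be `if (user.equals(rdd.ns)) {`. Returning `Result.ok((NsDAO.Data)null)` also hands callers a null `value` inside an OK result; a comment here stating that callers on this path must not dereference `.value` would prevent surprises, since the service hunk in this commit already relies on that behavior.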
index 881c9be..10da10d 100644 (file)
@@ -47,6 +47,7 @@ public abstract class CA {
     public static final String ISSUING_CA = "Issuing CA";
     public static final String CM_CA_PREFIX = "cm_ca.";
     public static final String CM_CA_BASE_SUBJECT = ".baseSubject";
+    public static final String CM_CA_ENV_TAG = ".env_tag";
     protected static final String CM_PUBLIC_DIR = "cm_public_dir";
     private static final String CM_TRUST_CAS = "cm_trust_cas";
     protected static final String CM_BACKUP_CAS = "cm_backup_cas";
@@ -63,12 +64,15 @@ public abstract class CA {
     private String[] trustedCAs;
     private String[] caIssuerDNs;
     private List<RDN> rdns;
+    private final boolean env_tag;
 
 
     protected CA(Access access, String caName, String env) throws IOException, CertException {
         trustedCAs = new String[4]; // starting array
         this.name = caName;
         this.env = env;
+        this.env_tag = env==null || env.isEmpty()?false: 
+                       Boolean.parseBoolean(access.getProperty(CM_CA_ENV_TAG, Boolean.FALSE.toString()));
         permNS = CM_CA_PREFIX + name;
         permType = access.getProperty(permNS + ".perm_type",null);
         if (permType==null) {
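Review bot: `access.getProperty(CM_CA_ENV_TAG, ...)` at L172 looks up a property literally named `.env_tag`, whereas the other per-CA settings in this constructor are keyed by a prefix (`permNS + ".perm_type"` on L174) and the sibling constant `CM_CA_BASE_SUBJECT` is likewise a suffix. Unless a bare `.env_tag` key is intended, the flag is never read from configuration and `env_tag` silently stays false. Build the key from the CA name, which is available before `permNS` is assigned: `this.env_tag = (env==null || env.isEmpty()) ? false : Boolean.parseBoolean(access.getProperty(CM_CA_PREFIX + caName + CM_CA_ENV_TAG, Boolean.FALSE.toString()));`, and add a one-line comment naming the expected property key.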
@@ -189,6 +193,10 @@ public abstract class CA {
         return trustedCAs;
     }
     
+    public boolean shouldAddEnvTag() {
+       return env_tag; 
+    }
+    
     public String getEnv() {
         return env;
     }
index 1f2ee64..1f2b088 100644 (file)
@@ -297,6 +297,7 @@ public class CMService {
             CSRMeta csrMeta;
             try {
                 csrMeta = BCFactory.createCSRMeta(ca, req.value.mechid, email, fqdns);
+                csrMeta.environment(ca.getEnv());
                 X509andChain x509ac = ca.sign(trans, csrMeta);
                 if (x509ac == null) {
                     return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA");
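Review bot: `csrMeta.environment(ca.getEnv())` at L192 is applied unconditionally, while the CA hunk in this same commit introduces `shouldAddEnvTag()` for exactly this decision and nothing visible here consults it. If the env tag is meant to be opt-in, gate the call: `if (ca.shouldAddEnvTag()) { csrMeta.environment(ca.getEnv()); }`. If `ca.sign()` is expected to check the flag itself, a comment at this call site saying so would stop the next reader from asking the same question. The enclosing method starts and ends outside the hunk.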
index 9393e14..6a8ccf1 100644 (file)
@@ -31,7 +31,6 @@ import java.util.Set;
 import java.util.Timer;
 import java.util.TimerTask;
 import java.util.concurrent.ConcurrentHashMap;
-import java.util.logging.Level;
 
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.Trans;
@@ -153,7 +152,7 @@ public class Cache<TRANS extends Trans, DATA> {
             }
             
             if (count>0) {
-                env.info().log(Level.INFO, "Cache removed",count,"expired Cached Elements out of", total);
+                env.debug().log("Cache removed",count,"expired Cached Elements out of", total);
             }
 
             // If High (total) is reached during this period, increase the number of expired services removed for next time.
index a269f24..37f3b08 100644 (file)
@@ -131,6 +131,12 @@ public class CachingFileAccess<TRANS extends Trans> extends HttpCode<TRANS, Void
         typeMap.put("props", "text/plain");
         typeMap.put("jks", "application/octet-stream");
         
+        // Fonts
+        typeMap.put("ttf","font/ttf");
+        typeMap.put("woff","font/woff");
+        typeMap.put("woff2","font/woff2");
+
+        
         timer = new Timer("Caching Cleanup",true);
         timer.schedule(new Cleanup(content,500),60000,60000);
         
index 7e861ed..c0f2f53 100644 (file)
@@ -143,6 +143,21 @@ public class Validator {
         return this;
     }
 
+    public final Validator permTypeWithUser(String user, String type) {
+        if (type==null) {
+            msg("Perm Type is null");
+        } else if (user==null) {
+            msg("User is null");
+        } else {
+               if(!(type.startsWith(user) && type.endsWith(":id"))) {
+                 if(nob(type,NAME_CHARS)) {
+                   msg("Perm Type [" + type + "] is invalid.");
+                 }
+               }
+        }
+        return this;
+    }
+    
     public final Validator permType(String type, String ns) {
         if (type==null) {
             msg("Perm Type is null");
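Review bot: `permTypeWithUser` skips every character check once `type` starts with the user id and ends with `:id` (L239-L243), so `bob@x:<script>:id` or `bob@x.anything:id` passes as valid, and PermDetail in this commit feeds request input straight into it. The sibling `role(String,String)` added below enforces an exact length; do the same here: `if (type.startsWith(user) && type.endsWith(":id")) { if (type.length() != user.length() + 3) { msg("Perm Type [" + type + "] is invalid."); } } else if (nob(type, NAME_CHARS)) { msg("Perm Type [" + type + "] is invalid."); }`. A one-line javadoc stating that a user's personal perm type is exactly `<user>:id` would make the rule discoverable.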
@@ -169,6 +184,26 @@ public class Validator {
         return this;
     }
 
+    public final Validator role(String user, String role) {
+       if(role==null) {
+               msg("Role is null");
+       }
+       if(user==null) {
+               msg("User is null");                    
+       }
+       if(!err()) {
+               if(role.startsWith(user) && role.endsWith(":user")) {
+                       if(!(role.length() == user.length() + 5)) {
+                   msg("Role [" + role + "] is invalid.");
+                       }
+               } else if (nob(role, NAME_CHARS)) {
+                   msg("Role [" + role + "] is invalid.");
+               }
+       }
+        return this;
+    }
+
+
     public final Validator role(String role) {
         if (nob(role, NAME_CHARS)) {
             msg("Role [" + role + "] is invalid.");
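Review bot: `if(!err())` at L262 gates this check on the validator's accumulated state rather than on the two null checks just above it, so in a chain such as `v.isNull(...).role(user, role)` an earlier failure silently skips role validation even when both arguments are present. Use the local condition instead: `if (role != null && user != null) {`. The method also mixes tab indentation with the file's four-space style; reformat it to match the surrounding methods.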
index 18ec9f6..243e66b 100644 (file)
@@ -435,7 +435,7 @@ public class Page extends HTMLCacheGen {
                                                        selected = false;
                                                }
                                                xgen.incr(HTMLGen.LI,selected?"class=selected":"")
-                                                   .incr(HTMLGen.A, "href="+mi[0])
+                                                   .incr(HTMLGen.A, "href="+mi[2])
                                                    .text(mi[1])
                                                    .end(2);
                                        }
index 969505b..106c388 100644 (file)
@@ -43,6 +43,7 @@ import org.onap.aaf.cadi.Symm;
 import org.onap.aaf.cadi.client.Future;
 import org.onap.aaf.cadi.client.Rcli;
 import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
@@ -82,7 +83,7 @@ public class ApiDocs extends Page {
 
         public Preamble(AAF_GUI gui) {
             super(false, "preamble");
-            fsUrl = gui.access.getProperty("fs_url", "");
+            fsUrl = gui.access.getProperty(Config.AAF_URL_FS, "/theme");
         }
 
         @Override
index 7bf6447..4a5a940 100644 (file)
@@ -88,7 +88,7 @@ public class PermDetail extends Page {
             final String pInstance = trans.get(instance, null);
             final String pAction = trans.get(action, null);
             Validator v = new Validator();
-            v.permType(pType)
+            v.permTypeWithUser(trans.user(),pType)
              .permInstance(pInstance)
              .permAction(pAction);
             
index f69f487..6588de5 100644 (file)
@@ -106,7 +106,11 @@ public class RoleDetail extends Page {
         public void prefix(final AAF_GUI gui, final AuthzTrans trans, final Cache<HTMLGen> cache, final HTMLGen hgen) {
             final String pRole = trans.get(sRoleName, null);
             Validator v = new Validator();
-            v.role(pRole);
+            if(!v.isNull("Role",pRole).err()) {
+               if(!pRole.startsWith(trans.user())) {
+                       v.role(pRole);
+               }
+            }
             if (v.err()) {
                 trans.warn().printf("Error in PermDetail Request: %s", v.errs());
                 return;
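Review bot: When `pRole` begins with the caller's id (L323) no validation at all is applied, even though this commit adds `Validator.role(String user, String role)` precisely for that case (exact `<user>:user` length check, NAME_CHARS otherwise); as written, `bob@x<anything>` is accepted. Replace the branch with a single call: `if (!v.isNull("Role", pRole).err()) { v.role(trans.user(), pRole); }`. The warning on L328 still says "PermDetail" although this is RoleDetail.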
index 1d201f9..8fc2ad5 100644 (file)
@@ -826,7 +826,7 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                                rdd.ns = pdd.ns;
                                rdd.name = "user";
 
-                               pdd.roles(true).add(rdd.encode());
+                               pdd.roles(true).add(rdd.fullName());
                                Result<PermDAO.Data> rpdd = permDAO.create(trans, pdd);
                                if(rpdd.notOK()) {
                                        return Result.err(rpdd);
@@ -3087,7 +3087,7 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
             final UserRoleDAO.Data userRole = urr.value;
             
             final ServiceValidator v = new ServiceValidator();
-            if (v.user_role(userRole).err() ||
+            if (v.user_role(trans.user(),userRole).err() ||
                v.user(trans.org(), userRole.user).err()) {
                 return Result.err(Status.ERR_BadData,v.errs());
             }
@@ -3103,6 +3103,9 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                     private Result<NsDAO.Data> nsd;
                     @Override
                     public Result<?> mayChange() {
+                       if(urr.value.role.startsWith(urr.value.user)) {
+                               return Result.ok((NsDAO.Data)null);
+                       }
                         if (nsd==null) {
                             RoleDAO.Data r = RoleDAO.Data.decode(userRole);
                             nsd = ques.mayUser(trans, trans.user(), r, Access.write);
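Review bot: The bypass at L353-L355 keys on `urr.value.user` (the user being granted the role), not on `trans.user()`, and on a prefix rather than the exact `<user>:user` form, so a caller can skip the `mayUser(..., Access.write)` check by submitting a UserRole whose role string merely starts with the target user's id. If the intent is that only the caller may self-assign their personal role, compare against the caller: `if (urr.value.role.equals(trans.user() + ":user")) {`. If third parties are allowed to grant it, that policy needs a comment here because it is not obvious from the code. The enclosing anonymous class continues outside the hunk.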
@@ -3110,15 +3113,24 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                         return nsd;
                     }
                 });
-            Result<NsDAO.Data> nsr = ques.deriveNs(trans, userRole.role);
-            if (nsr.notOKorIsEmpty()) {
-                return Result.err(nsr);
+            
+            NsDAO.Data ndd;
+            if(userRole.role.startsWith(userRole.user)) {
+               userRole.ns=userRole.user;
+               userRole.rname="user";
+               ndd = null;
+            } else {
+                   Result<NsDAO.Data> nsr = ques.deriveNs(trans, userRole.role);
+                   if (nsr.notOK()) {
+                       return Result.err(nsr);
+                   }
+                   ndd = nsr.value;
             }
 
             switch(fd.status) {
                 case OK:
                     Result<String> rfc = func.createFuture(trans, fd.value, userRole.user+'|'+userRole.ns + '.' + userRole.rname, 
-                            userRole.user, nsr.value, FUTURE_OP.C);
+                            userRole.user, ndd, FUTURE_OP.C);
                     if (rfc.isOK()) {
                         return Result.err(Status.ACC_Future, "UserRole [%s - %s.%s] is saved for future processing",
                                 userRole.user,
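Review bot: L368-L371 sets `ns=userRole.user, rname="user"` for any role that starts with `userRole.user` without confirming the `:user` suffix, while the validator call earlier in this method (`v.user_role(trans.user(), userRole)`) checked the role against `trans.user()`, a different identity; when the two differ, the role reaches this point having been checked only by NAME_CHARS. Use one exact predicate in both places, e.g. `if (userRole.role.equals(userRole.user + ":user")) {`. `ndd` is then null and handed to `func.createFuture(...)`, where the old code returned an error on an empty namespace result; a comment confirming that createFuture tolerates a null namespace would help.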
@@ -3658,16 +3670,21 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
         }
 
         // May user see Namespace of Permission (since it's only one piece... we can't check for "is permission part of")
-        Result<NsDAO.Data> rnd = ques.deriveNs(trans,type);
-        if (rnd.notOK()) {
-            return Result.err(rnd);
+        Result<List<HistoryDAO.Data>> resp;
+        if(type.startsWith(trans.user())) {
+               resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm);
+        } else {
+            Result<NsDAO.Data> rnd = ques.deriveNs(trans,type);
+               if (rnd.notOK()) {
+                   return Result.err(rnd);
+               }
+               rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
+               if (rnd.notOK()) {
+                   return Result.err(rnd);    
+               }
+               resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm);
         }
         
-        rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
-        if (rnd.notOK()) {
-            return Result.err(rnd);    
-        }
-        Result<List<HistoryDAO.Data>> resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm);
         if (resp.notOK()) {
             return Result.err(resp);
         }
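Review bot: `type.startsWith(trans.user())` at L396 skips both `deriveNs` and the `mayUser(..., Access.read)` check for any perm type that merely begins with the caller's id, so history for `bob@x.whatever:foo` is readable without authorization, not just the caller's own `bob@x:id`. Tighten to the exact personal form, `if (type.equals(trans.user() + ":id")) {`, or at minimum `type.startsWith(trans.user() + ':')`. The mixed tab/space indentation in the else branch should also be normalized.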
index fb7556e..df8bde8 100644 (file)
@@ -86,7 +86,7 @@ public class ServiceValidator extends Validator {
         }
         return this;
     }
-
+    
     public ServiceValidator role(RoleDAO.Data pd) {
         if (pd==null) {
             msg("Role Data is null.");
@@ -219,6 +219,16 @@ public class ServiceValidator extends Validator {
         return this;
     }
 
+    public ServiceValidator user_role(String user, UserRoleDAO.Data urdd) {
+        role(user,urdd.role);
+        if(!urdd.role.startsWith(user)) { 
+               nullOrBlank("UserRole.ns",urdd.ns);
+               nullOrBlank("UserRole.rname",urdd.rname);
+        }
+        return this;
+    }
+
+    
     public ServiceValidator user_role(UserRoleDAO.Data urdd) {
         if (urdd==null) {
             msg("UserRole is null");
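Review bot: The new `user_role(String, UserRoleDAO.Data)` dereferences `urdd` and `urdd.role` (L433-L434) with no null check, whereas the existing overload below it starts with `if (urdd==null) { msg("UserRole is null"); ... }`; `role(user, urdd.role)` records a message for a null role but L434 then throws NullPointerException. Add the guards: `if (urdd==null) { msg("UserRole is null"); return this; }` before the role check, and `if (urdd.role != null && !urdd.role.startsWith(user)) {` for the ns/rname branch.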
index e5a0a28..f02c17f 100644 (file)
@@ -76,7 +76,7 @@ public class TestConnectivity {
                 List<SecuritySetter<HttpURLConnection>> lss = loadSetters(access,si);
                 /////////
                 String directAAFURL = aaf_urls.get(Config.AAF_URL);
-                if(directAAFURL!=null && !directAAFURL.contains("/locate/")) {
+                if(directAAFURL!=null && !directAAFURL.contains("/locate/") || !directAAFURL.contains("AAF_LOCATE_URL")) {
                     print(true,"Test Connections by non-located aaf_url");
                     Locator<URI> locator = new SingleEndpointLocator(directAAFURL);
                     connectTest(locator,new URI(directAAFURL));
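Review bot: The added condition at L451 parses as `(directAAFURL!=null && !contains("/locate/")) || !directAAFURL.contains("AAF_LOCATE_URL")`, so a null `directAAFURL` now throws NullPointerException on the right-hand operand instead of skipping the block. The intent appears to be to exclude both located forms; write it as `if (directAAFURL!=null && !directAAFURL.contains("/locate/") && !directAAFURL.contains("AAF_LOCATE_URL")) {`. If the `||` is really intended, parenthesize it and keep the null check outside the disjunction.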
index 4dd86fe..49bab49 100644 (file)
@@ -86,7 +86,8 @@ import locate.v1_1.Configuration;
 import locate.v1_1.Configuration.Props;
 
 public class Agent {
-    private static final String HASHES = "################################################################";
+    private static final String AGENT_LOAD_URLS = "Agent:loadURLs";
+       private static final String HASHES = "################################################################";
     private static final String PRINT = "print";
     private static final String FILE = "file";
     public static final String PKCS12 = "pkcs12";
@@ -311,7 +312,7 @@ public class Agent {
                String dot_le = access.getProperty(Config.AAF_LOCATOR_CONTAINER,null);
                dot_le=dot_le==null?"":'.'+dot_le;
                String version = access.getProperty(Config.AAF_API_VERSION,Config.AAF_DEFAULT_API_VERSION);
-               for(String u : new String[] {"aaf","locate","oauth","cm","gui","fs","hello","token","introspect"}) {
+               for(String u : new String[] {"locate","aaf","oauth","cm","gui","fs","hello","token","introspect"}) {
                        String tag;
                        String append=null;
                        switch(u) {
@@ -336,12 +337,14 @@ public class Agent {
                                } else {
                                        lhost=Config.AAF_LOCATE_URL_TAG;
                                }
-                               value = rph.replacements("Agent:loadURLs",
+                               value = rph.replacements(AGENT_LOAD_URLS,
                                                proto + lhost + "/%CNS.%AAF_NS." + ("aaf".equals(u)?"service":u) + ':' + version, 
                                                null,dot_le);
                                if(append!=null) {
                                        value+=append;
                                }
+                       } else {
+                               value = rph.replacements(AGENT_LOAD_URLS, value,null,dot_le);
                        }
                        rv.put(tag, value);
                };
index d6b8d56..4737880 100644 (file)
@@ -42,7 +42,7 @@ import org.onap.aaf.cadi.util.Split;
 
 public class PropAccess implements Access {
     // Sonar says cannot be static... it's ok.  not too many PropAccesses created.
-    private final SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
+    private final static SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
 
     public static final Level DEFAULT = Level.AUDIT;
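Review bot: Making `iso8601` static at L497 shares one `SimpleDateFormat` across every PropAccess instance and every logging thread; `SimpleDateFormat` is not thread-safe, so concurrent log calls can emit corrupted timestamps or throw. Either keep it an instance field (and update the comment on L495, which now argues against the change it sits above), wrap it in a `ThreadLocal<SimpleDateFormat>`, or switch to an immutable `static final DateTimeFormatter` such as `DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSZ")`.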
     
@@ -101,7 +101,7 @@ public class PropAccess implements Access {
         init(nprops);
     }
     
-    protected void init(Properties p) {
+    protected synchronized void init(Properties p) {
         // Make sure these two are set before any changes in Logging
         name = "cadi";
         level=DEFAULT.maskOf();
@@ -262,6 +262,10 @@ public class PropAccess implements Access {
         return buildMsg(name,iso8601,level,elements);
     }
 
+    public static StringBuilder buildMsg(final String name, Level level, Object[] elements) {
+       return buildMsg(name,iso8601,level,elements);
+    }
+    
     public static StringBuilder buildMsg(final String name, final DateFormat sdf, Level level, Object[] elements) {
        final StringBuilder sb;
         int end = elements.length;
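Review bot: The new static `buildMsg(name, level, elements)` overload at L514-L516 formats with the class-wide `iso8601` `SimpleDateFormat` from whatever thread calls it, with no synchronization, and as a static entry point it is the path most likely to be hit concurrently. Until the formatter is made thread-safe, either synchronize on it (`synchronized (iso8601) { return buildMsg(name, iso8601, level, elements); }`) or have the overload create its own formatter per call. A one-line javadoc noting that it delegates to the four-argument form with the default ISO-8601 format would also help. The four-argument `buildMsg` begins in this hunk and continues outside it.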
index 38afa62..f74f194 100644 (file)
@@ -878,7 +878,7 @@ public class Config {
                     Method meth = lcls.getMethod("create",Access.class,String.class);
                     locator = (Locator<URI>)meth.invoke(null,access,url);
                 } catch (Exception e) {
-                    access.log(Level.TRACE, "(Not fatal) Cannot load by create(String)", e);
+                    access.log(Level.NONE, "(Not fatal) Cannot load by create(String)", e);
                 }
                 if (locator==null) {
                     URI locatorURI = new URI(url);
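Review bot: Changing the level at L527 from TRACE to NONE presumably suppresses the exception entirely rather than demoting it, so when the reflective `create(Access,String)` call fails the only evidence of a misconfigured locator class disappears and the code falls through to the URI path with no trace. If TRACE was too chatty, DEBUG is the usual compromise: `access.log(Level.DEBUG, "(Not fatal) Cannot load by create(String)", e);`. If Level.NONE is a deliberate suppression, say so in a comment so the next reader does not restore it. The enclosing method starts and ends outside the hunk.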