* org.onap.aaf
* ===========================================================================
* Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * Modifications Copyright (C) 2018 IBM.
* ===========================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
private final CertDAO certDAO;
private final CredDAO credDAO;
private final ArtiDAO artiDAO;
- private AAF_CM certman;
+ private AAF_CM certManager;
// @SuppressWarnings("unchecked")
public CMService(final AuthzTrans trans, AAF_CM certman) throws APIException, IOException {
credDAO = new CredDAO(trans, hd, cid);
artiDAO = new ArtiDAO(trans, hd, cid);
- this.certman = certman;
-
+ this.certManager = certman;
+
root_read_permission=new AAFPermission(
- trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF),
- "access",
- "*",
- "read"
+ trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF),
+ ACCESS,
+ "*",
+ "read"
);
}
"Domain based Authorizations (" + fqdns.get(0) + ") requires Exception");
}
- // TODO check for Permission in Add Artifact?
+ // check for Permission in Add Artifact?
String domain = fqdns.get(0).substring(1);
fqdns.remove(0);
if (fqdns.isEmpty()) {
}
}
} catch (UnknownHostException e1) {
+ trans.debug().log(e1);
return Result.err(Result.ERR_BadData, "There is no DNS lookup for %s", cn);
}
}
}
}
} catch (Exception e) {
- e.printStackTrace();
- trans.error().log(e);
+ trans.debug().log(e);
return Result.err(Status.ERR_Denied,
"AppID Sponsorship cannot be determined at this time. Try later.");
}
CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), compileNotes(notes));
return Result.ok(cr);
} catch (Exception e) {
- trans.error().log(e);
+ trans.debug().log(e);
return Result.err(Result.ERR_ActionNotCompleted, e.getMessage());
}
} else {
try {
ouser = org.getIdentity(trans, trans.user());
} catch (OrganizationException e1) {
- trans.error().log(e1);
+ trans.debug().log(e1);
ouser = null;
}
if (ouser == null) {
CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), compileNotes(null));
return Result.ok(cr);
} catch (Exception e) {
- trans.error().log(e);
+ trans.debug().log(e);
return Result.err(Result.ERR_ActionNotCompleted, e.getMessage());
}
} else {
// Policy 6: Only do Domain by Exception
if (add.machine.startsWith("*")) { // Domain set
- CA ca = certman.getCA(add.ca);
+ CA ca = certManager.getCA(add.ca);
if (!trans.fish(new AAFPermission(ca.getPermNS(),ca.getPermType(), add.ca, DOMAIN))) {
return Result.err(Result.ERR_Denied, "Domain Artifacts (%s) requires specific Permission",
}
// Add to DB
Result<ArtiDAO.Data> rv = artiDAO.create(trans, add);
- // TODO come up with Partial Reporting Scheme, or allow only one at a time.
+ // come up with Partial Reporting Scheme, or allow only one at a time.
if (rv.notOK()) {
return Result.err(rv);
}
return data;
}
add = data.value.get(0);
- if (trans.user().equals(add.mechid)
+ if (trans.user().equals(add.mechid)
|| trans.fish(root_read_permission,
- new AAFPermission(add.ns,ACCESS, "*", "read"),
- new AAFPermission(add.ns,CERTMAN, add.ca, "read"),
- new AAFPermission(add.ns,CERTMAN, add.ca, "request"))
+ new AAFPermission(add.ns,ACCESS, "*", "read"),
+ new AAFPermission(add.ns,CERTMAN, add.ca, "read"),
+ new AAFPermission(add.ns,CERTMAN, add.ca, REQUEST))
|| (trans.org().validate(trans, Organization.Policy.OWNS_MECHID, null, add.mechid)) == null) {
return data;
} else {
return Result.err(Result.ERR_Denied,
"%s is not %s, is not the sponsor, and doesn't have delegated permission.", trans.user(),
add.mechid, add.ns + ".certman|" + add.ca + "|read or ...|request"); // note: reason is set by 2nd
- // case, if 1st case misses
+ // case, if 1st case misses
}
}
return Result.err(Result.ERR_BadData, v.errs());
}
- // TODO do some checks?
+ // do some checks?
- Result<List<ArtiDAO.Data>> rv = artiDAO.readByMachine(trans, machine);
- return rv;
+ return artiDAO.readByMachine(trans, machine);
}
public Result<List<ArtiDAO.Data>> readArtifactsByNs(AuthzTrans trans, String ns) {
return Result.err(Result.ERR_BadData, v.errs());
}
- // TODO do some checks?
-
+ // do some checks?
return artiDAO.readByNs(trans, ns);
}
}
// Check if requesting User is Sponsor
- // TODO - Shall we do one, or multiples?
+ // Shall we do one, or multiples?
for (ArtiDAO.Data add : list) {
// Policy 1: MechID must exist in Org
Identity muser = trans.org().getIdentity(trans, add.mechid);
}
// Policy 6: Only do Domain by Exception
if (add.machine.startsWith("*")) { // Domain set
- CA ca = certman.getCA(add.ca);
+ CA ca = certManager.getCA(add.ca);
if (ca == null) {
return Result.err(Result.ERR_BadData, "CA is required in Artifact");
}
byte[] hash = Hash.hashSHA256(bb.array());
return ByteBuffer.wrap(hash);
}
-}
+}
\ No newline at end of file
Code Review / aaf / authz.git / commitdiff