Cred delete fixes 54/91054/1
authorGathman, Jonathan (jg1555) <jg1555@us.att.com>
Mon, 8 Jul 2019 22:57:32 +0000 (17:57 -0500)
committerInstrumental <jonathan.gathman@att.com>
Mon, 8 Jul 2019 23:10:56 +0000 (18:10 -0500)
Issue-ID: AAF-857
Change-Id: I5e590eec0e18a17bb9f89d7f704c86fca3f377de
Signed-off-by: Gathman, Jonathan (jg1555) <jg1555@us.att.com>
16 files changed:
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/CredDAO.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/PermLookup.java
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/ns/List.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/List.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/role/ListByUser.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/ID.java
auth/auth-cmd/src/test/java/org/onap/aaf/auth/cmd/test/ns/JU_List.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/mapper/Mapper_2_0.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java
cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java
cadi/core/src/test/java/org/onap/aaf/cadi/config/test/JU_GetAccess.java

index 868f9ac..3750196 100644 (file)
@@ -53,7 +53,8 @@ public class CredDAO extends CassDAOImpl<AuthzTrans,CredDAO.Data> {
     public static final String TABLE = "cred";
     public static final int CACHE_SEG = 0x40; // yields segment 0x0-0x3F
     public static final int RAW = -1;
-    public static final int FQI = 0;
+    public static final int NONE = 0;
+    public static final int FQI = 10;
     public static final int BASIC_AUTH = 1;
     public static final int BASIC_AUTH_SHA256 = 2;
     public static final int CERT_SHA256_RSA =200;
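Review bot: Renumbering `FQI` from 0 to 10 on the line after `RAW` gives the value 0 a new meaning (`NONE`), so any credential already stored with type 0 would now be read as NONE rather than FQI. Whether such rows exist cannot be seen from this hunk, but the type is compared against stored data elsewhere in this commit (`cdd.type == CredDAO.FQI`), so the change likely needs a data migration or a compatibility read. At minimum record the history on the constant, e.g. `public static final int NONE = 0; // was FQI before this change; older rows may still carry 0`. Placing `FQI = 10` after `BASIC_AUTH_SHA256` would also keep the list in numeric order.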
index 8d15c95..b068062 100644 (file)
@@ -27,6 +27,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.TreeMap;
 import java.util.TreeSet;
 
 import org.onap.aaf.auth.dao.cass.PermDAO;
@@ -44,7 +45,7 @@ import org.onap.aaf.auth.layer.Result;
  *
  */
 // Package on purpose
-class PermLookup {
+public class PermLookup {
     private AuthzTrans trans;
     private String user;
     private Question q;
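Review bot: The comment `// Package on purpose` directly above the declaration is now false, since this hunk makes `PermLookup` public and the next hunk does the same for `get(...)`. Widening an authorization lookup helper deserves a stated reason; the only new caller visible in this commit is `AuthzCassServiceImpl`, which calls `PermLookup.get(trans,ques,user)`. Replace the stale line with something like `// Public so the service layer can call getPerms directly; obtain instances via get()`, or keep the class package-private and expose the call through `Question`.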
@@ -55,7 +56,7 @@ class PermLookup {
     
     private PermLookup() {}
     
-    static PermLookup get(AuthzTrans trans, Question q, String user) {
+    public static PermLookup get(AuthzTrans trans, Question q, String user) {
         PermLookup lp=null;
         Map<String, PermLookup> permMap = trans.get(Question.PERMS, null);
         if (permMap == null) {
@@ -152,13 +153,32 @@ class PermLookup {
                 List<PermDAO.Data> lpdd = new ArrayList<>();
                 for (String perm : rss.value) {
                     if (lookup) {
+                       Map<String,PermDAO.Data> mspdd = new TreeMap<>();
                         Result<String[]> ap = PermDAO.Data.decodeToArray(trans, q, perm);
                         if (ap.isOK()) {
                              
                             Result<List<PermDAO.Data>> rlpd = q.permDAO().read(perm,trans,ap.value);
                             if (rlpd.isOKhasData()) {
                                 for (PermDAO.Data pData : rlpd.value) {
-                                    lpdd.add(pData);
+                                       // ONLY add perms/roles which are related to this lookup
+                                       for(String pdr : pData.roles(false)) {
+                                               for(RoleDAO.Data r : roles.value) {
+                                                       if(pdr.equals(r.encode())) {
+                                               PermDAO.Data pdd = mspdd.get(pData.fullPerm());
+                                               if(pdd==null) {
+                                                       pdd = new PermDAO.Data();
+                                                       pdd.ns = pData.ns;
+                                                       pdd.type = pData.type;
+                                                       pdd.instance = pData.instance;
+                                                       pdd.action = pData.action;
+                                                       pdd.description = pData.description;
+                                                    lpdd.add(pdd);
+                                               }
+                                                               pdd.roles(true).add(pdr);       
+                                                               break;
+                                                       }
+                                               }
+                                       }
                                 }
                             }
                         } else {
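Review bot: `mspdd` is read with `mspdd.get(pData.fullPerm())` but nothing in the hunk ever puts into it, so `pdd` is always null and a fresh `PermDAO.Data` is appended to `lpdd` for every matching role. A permission granted through two of the user's roles therefore shows up twice, each copy carrying one role, instead of once with both. Add `mspdd.put(pData.fullPerm(), pdd);` next to `lpdd.add(pdd);`. The map is also created inside `if (lookup)` for each `perm` string, so it only de-duplicates within one read; hoist it above the loop if the same permission can come back from different iterations. The enclosing method starts and ends outside this hunk.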
index ae6f371..3abad1a 100644 (file)
@@ -974,6 +974,7 @@ public class Question {
                         return Result.ok(Hash.compareTo(orig.cred.array(),Hash.hashSHA256(bb.array()))==0);
                     case CredDAO.BASIC_AUTH:
                         return Result.ok( Hash.compareTo(orig.cred.array(), Hash.hashMD5(raw))==0);
+                    case CredDAO.FQI:
                     default:
                         return Result.ok(false);
                 }
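Review bot: `case CredDAO.FQI:` falls through to `default` with no comment, so a reader cannot tell the fall-through is deliberate rather than a missing `return`. Since the result is that an FQI entry never validates a presented credential, say so on the label: `case CredDAO.FQI: // deliberate fall-through: an FQI entry never matches a presented credential`. The switch begins outside this hunk.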
index 42306c8..add5aed 100644 (file)
@@ -166,7 +166,7 @@ public class List extends BaseCmd<NS> {
                case 0:   return "NoCrd";
             case 1:   return "U/P";
             case 2:   return "U/P2";
-            case 10:  return "Cert";
+            case 10:  return "FQI";
             case 200: return "x509";
             default:
                 return "n/a";
index f8a633a..2f84f58 100644 (file)
@@ -104,7 +104,7 @@ public class List extends BaseCmd<Role> {
         if (roles==null || roles.getRole().isEmpty()) {
             pw().println("<No Roles Found>");
         } else if (aafcli.isDetailed()){
-            if (aafcli.isDetailed() && str[0].toLowerCase().contains(LIST_ROLES_BY_NAME)) {
+            if (str[0].toLowerCase().contains(LIST_ROLES_BY_NAME)) {
                 String description = roles.getRole().get(0).getDescription();
                 if (description == null) description = "";
                 reportColHead("%-80s\n","Description: " + description);
@@ -123,18 +123,24 @@ public class List extends BaseCmd<Role> {
                         pw().format(roleFormat, "["+ns+"]"+roleName.substring(ns.length()),XXXX_XX_XX);
                     }
                 } else {
-                    UserRole ur = get(roleName,urs);
+                       String fullname;
+                       if(ns==null) {
+                               fullname = roleName;
+                       } else {
+                               fullname = ns+'.'+roleName;
+                       }
+                    UserRole ur = get(fullname,urs);
                     if (ur!=null && now.compare(ur.getExpires().normalize())>0) {
                         if (ns==null) {
                             pw().format(roleExpiredFormat, roleName,Chrono.dateOnlyStamp(ur.getExpires()));
                         } else {
-                            pw().format(roleExpiredFormat, "["+ns+"]"+roleName.substring(ns.length()),Chrono.dateOnlyStamp(ur.getExpires()));
+                            pw().format(roleExpiredFormat, "["+ns+"]."+roleName,Chrono.dateOnlyStamp(ur.getExpires()));
                         }
                     } else {
                         if (ns==null) {
                             pw().format(roleFormat, roleName,ur!=null?Chrono.dateOnlyStamp(ur.getExpires()):"");
                         } else {
-                            pw().format(roleFormat, "["+ns+"]"+roleName.substring(ns.length()),ur!=null?Chrono.dateOnlyStamp(ur.getExpires()):"");
+                            pw().format(roleFormat, "["+ns+"]."+roleName,ur!=null?Chrono.dateOnlyStamp(ur.getExpires()):"");
                         }
                     }
                 }
index bdcf1e5..2471c21 100644 (file)
@@ -21,6 +21,9 @@
 
 package org.onap.aaf.auth.cmd.role;
 
+import java.util.Map;
+import java.util.TreeMap;
+
 import org.onap.aaf.auth.cmd.AAFcli;
 import org.onap.aaf.auth.cmd.Cmd;
 import org.onap.aaf.auth.cmd.Param;
@@ -30,10 +33,14 @@ import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.client.Future;
 import org.onap.aaf.cadi.client.Rcli;
 import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.util.Split;
 import org.onap.aaf.misc.env.APIException;
 
+import aaf.v2_0.Perm;
 import aaf.v2_0.Perms;
+import aaf.v2_0.Role;
 import aaf.v2_0.Roles;
+import aaf.v2_0.UserRole;
 import aaf.v2_0.UserRoles;
 
 /**
@@ -60,33 +67,63 @@ public class ListByUser extends Cmd {
             public Integer code(Rcli<?> client) throws CadiException, APIException {
                 Perms perms=null;
                 UserRoles urs=null;
-                Future<Roles> fr = client.read(
-                        "/authz/roles/user/"+user+(aafcli.isDetailed()?"?ns":""), 
-                        getDF(Roles.class)
-                        );
+                Roles roles = null;
+                int code;
                 Future<UserRoles> fur = client.read(
                         "/authz/userRoles/user/"+user,
                         getDF(UserRoles.class)
                     );
-                if (fr.get(AAFcli.timeout())) {
-                    if (aafcli.isDetailed()) {
-                        Future<Perms> fp = client.read(
-                                "/authz/perms/user/"+user+(aafcli.isDetailed()?"?ns":""), 
-                                getDF(Perms.class)
-                            );
-                        if (fp.get(AAFcli.timeout())) {
-                            perms = fp.value;
+                if (fur.get(AAFcli.timeout())) {
+                    urs = fur.value;
+                    code = fur.code();
+                } else {
+                       error(fur);
+                       return fur.code();
+                }
+
+                if (aafcli.isDetailed()) {
+                    roles = new Roles();
+                    Future<Perms> fp = client.read(
+                            "/authz/perms/user/"+user+"?ns&force", 
+                            getDF(Perms.class)
+                        );
+                    if (fp.get(AAFcli.timeout())) {
+                       Map<String, Role> rs = new TreeMap<>();
+                        perms = fp.value;
+                        for( Perm p : perms.getPerm()) {
+                               for(String sr : p.getRoles()) {
+                                       Role r = rs.get(sr);
+                                       if(r==null) {
+                                               r = new Role();
+                                               String[] split = Split.split('|', sr);
+                                               if(split.length>1) {
+                                                       r.setNs(split[0]);
+                                                       r.setName(split[1]);
+                                               } else {
+                                                       r.setName(sr);
+                                               }
+                                               rs.put(sr, r);
+                                               roles.getRole().add(r);
+                                       }
+                                       r.getPerms().add(p);
+                               }
                         }
-                    }
-                    if (fur.get(AAFcli.timeout())) {
-                        urs = fur.value;
-                    }
-                    
-                    ((List)parent).report(fr.value,perms,urs,HEADER,user);
+                    } 
+                    code = fp.code();
                 } else {
-                    error(fr);
+                       roles = new Roles();
+                       java.util.List<Role> lr = roles.getRole();
+                       Role r;
+                       for(UserRole ur : urs.getUserRole()) {
+                               r = new Role();
+                               r.setName(ur.getRole());
+                               lr.add(r);
+                       }
                 }
-                return fr.code();
+                
+                
+                ((List)parent).report(roles,perms,urs,HEADER,user);
+                return code;
             }
         });
     }
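Review bot: When the detailed permission read fails (`fp.get(AAFcli.timeout())` is false), the new code reports nothing: there is no `error(fp)` call, `roles` stays an empty `Roles`, and `report(...)` prints an empty listing before `fp.code()` is returned. The removed code called `error(fr)` on its failure path, and the new `fur` branch above still does. Mirror it by giving the `if (fp.get(...))` block an else branch, `} else { error(fp); return fp.code(); }`. Separately, `"/authz/perms/user/"+user+"?ns&force"` now always sends `force`; a one-line comment saying why the CLI needs it would help the next reader.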
index a1cb3e7..1dfcc17 100644 (file)
@@ -137,6 +137,8 @@ public class Cred extends Cmd {
                        pw().println(text);
                 } else if (fp.code()==406 && option==1) {
                         pw().println("You cannot delete this Credential");
+                } else if (fp.code()==409 && option==0) {
+                    pw().println("You cannot add two Passwords for same day");
                 } else {
                     pw().println(ATTEMPT_FAILED_SPECIFICS_WITHELD);
                 }
index 12035a1..46d5d05 100644 (file)
@@ -53,7 +53,7 @@ public class ID extends Cmd {
 
         final CredRequest cr = new CredRequest();
         cr.setId(args[idx++]);
-        cr.setType(0);
+        cr.setType(10);
         if (args.length>idx)
             cr.setEntry(args[idx]);
         
@@ -92,9 +92,11 @@ public class ID extends Cmd {
                     pw().print(cr.getId());
                     pw().println(']');
                 } else if (fp.code()==202) {
-                        pw().println("ID Action Accepted, but requires Approvals before actualizing");
+                    pw().println("ID Action Accepted, but requires Approvals before actualizing");
+                } else if (fp.code()==409 && option==0) {
+                    pw().println("FQI already exists");
                 } else if (fp.code()==406 && option==1) {
-                        pw().println("You cannot delete this ID");
+                    pw().println("FQI does not exist");
                 } else {
                     pw().println(ATTEMPT_FAILED_SPECIFICS_WITHELD);
                 }
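Review bot: The `fp.code()==406 && option==1` branch now prints `FQI does not exist` for every 406 on delete, replacing `You cannot delete this ID`. The service hunks in this commit return the same status, `ERR_BadData`, for several different delete failures, so if that is what maps to 406 the client may report a missing FQI when the real cause is something else. Printing the server's message text, or keeping a neutral message here, would avoid the mismatch. The surrounding method starts and ends outside the hunk.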
index 61f4158..e4100a0 100644 (file)
@@ -136,7 +136,7 @@ public class JU_List {
         user.setType(2);
         Assert.assertEquals("U/P2", list.getType(user));
         user.setType(10);
-        Assert.assertEquals("Cert", list.getType(user));
+        Assert.assertEquals("FQI", list.getType(user));
         user.setType(200);
         Assert.assertEquals("x509", list.getType(user));
     }
index 37ca509..9a6ef7e 100644 (file)
@@ -70,6 +70,7 @@ import org.onap.aaf.auth.dao.hl.Function;
 import org.onap.aaf.auth.dao.hl.Function.FUTURE_OP;
 import org.onap.aaf.auth.dao.hl.Function.Lookup;
 import org.onap.aaf.auth.dao.hl.Function.OP_STATUS;
+import org.onap.aaf.auth.dao.hl.PermLookup;
 import org.onap.aaf.auth.dao.hl.Question;
 import org.onap.aaf.auth.dao.hl.Question.Access;
 import org.onap.aaf.auth.env.AuthzTrans;
@@ -1011,8 +1012,8 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
             return Result.err(Status.ERR_BadData,v.errs());
         }
 
-        Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user, 
-                trans.requested(force));
+        PermLookup pl = PermLookup.get(trans,ques,user);
+        Result<List<PermDAO.Data>> rlpd = pl.getPerms(trans.requested(force));
         if (rlpd.notOK()) {
             return Result.err(rlpd);
         }
@@ -1100,7 +1101,8 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
         }
         
         //////////////
-        Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user,trans.requested(force));
+        PermLookup pl = PermLookup.get(trans,ques,user);
+        Result<List<PermDAO.Data>> rlpd = pl.getPerms(trans.requested(force));
         if (rlpd.notOK()) {
             return Result.err(rlpd);
         }
@@ -2428,16 +2430,22 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                         // Note: ASPR specifies character differences, but we don't actually store the
                         // password to validate char differences.
                         
-//                      byte[] rawCred = rcred.value.type==CredDAO.RAW?null:;
-
-                        rb = ques.userCredCheck(trans, curr, rcred.value.cred.array());
-                        if (rb.notOK()) {
-                            return Result.err(rb);
-                        } else if (rb.value){
-                            return Result.err(Status.ERR_Policy, "Credential content cannot be reused.");
-                        } else if (Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) && curr.type==rcred.value.type) {
-                            return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists, use 'reset'");
-                        }
+//                      byte[] rawCred = rcred.value.type==CredDAO.RAW?null:;                            return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists");
+                       if(rcred.value.type==CredDAO.FQI ) {
+                               if(curr.type==CredDAO.FQI) {
+                               return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists");
+                               }
+                       } else {
+       
+                               rb = ques.userCredCheck(trans, curr, rcred.value.cred!=null?rcred.value.cred.array():null);
+                               if (rb.notOK()) {
+                                   return Result.err(rb);
+                               } else if (rb.value){
+                                   return Result.err(Status.ERR_Policy, "Credential content cannot be reused.");
+                               } else if ((Chrono.dateOnlyStamp(curr.expires).equals(Chrono.dateOnlyStamp(rcred.value.expires)) && curr.type==rcred.value.type)) {
+                                   return Result.err(Status.ERR_ConflictAlreadyExists, "Credential with same Expiration Date exists");
+                               }
+                       }
                     }    
                 } else {
                     try {
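Review bot: In the non-FQI branch, `rcred.value.cred!=null?rcred.value.cred.array():null` passes a null byte array to `ques.userCredCheck` when the request has no credential bytes; whether that method tolerates null is not visible here, but the Question.java hunk in this commit shows the raw bytes going straight into `Hash.hashMD5(raw)`. Either return an error or skip the reuse check when `rcred.value.cred` is null, rather than relying on the callee. In the FQI branch the error text `"Credential with same Expiration Date exists"` is misleading because no date is compared there; the CLI hunk prints "FQI already exists" for a 409. The commented-out `byte[] rawCred` line has also absorbed a whole `return Result.err(...)` statement and should be deleted. The method starts and ends outside the hunk.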
@@ -2864,58 +2872,79 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
            if (rmc.notOK()) {
                return Result.err(rmc);
            }
-
+           
+           boolean doForce = trans.requested(force);
            Result<List<CredDAO.Data>> rlcd = ques.credDAO().readID(trans, cred.value.id);
            if (rlcd.notOKorIsEmpty()) {
-               // Empty Creds should have no user_roles.
+               // Empty Creds should not have user_roles.
                Result<List<UserRoleDAO.Data>> rlurd = ques.userRoleDAO().readByUser(trans, cred.value.id);
-               if (rlurd.isOK()) {
+               if (rlurd.isOKhasData()) {
                    for (UserRoleDAO.Data data : rlurd.value) {
                        ques.userRoleDAO().delete(trans, data, false);
                    }
-               }
+               }
                return Result.err(Status.ERR_UserNotFound, "Credential does not exist");
            }
            boolean isLastCred = rlcd.value.size()==1;
            
-           
-           int entry = 0;
-           if (!trans.requested(force)) {
-               if (rlcd.value.size() > 1) {
-                   CredRequest cr = (CredRequest)from;
-                   String inputOption = cr.getEntry();
-                   if (inputOption == null) {
-                       List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA);
-                       String message = selectCredFromList(list, MayChangeCred.DELETE);
-                       Object[] variables = buildVariables(list);
-                       return Result.err(Status.ERR_ChoiceNeeded, message, variables);
-                   } else {
-                       try {
-                           if (inputOption.length()>5) { // should be a date
-                               Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime();
-                               entry = 0;
-                               for (CredDAO.Data cd : rlcd.value) {
-                                   if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) {
-                                       break;
-                                   }
-                                   ++entry;
-                               }
-                           } else {
-                               entry = Integer.parseInt(inputOption) - 1;
-                           }
-                       } catch (NullPointerException e) {
-                           return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry");
-                       } catch (NumberFormatException e) {
-                           return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
-                       }
-                   }
-                   isLastCred = (entry==-1)?true:false;
-               } else {
-                   isLastCred = true;
-               }
-               if (entry < -1 || entry >= rlcd.value.size()) {
-                   return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
-               }
+           int entry = -1;
+       int fentry = entry;
+           if(cred.value.type==CredDAO.FQI) {
+               entry = -1;
+               for(CredDAO.Data cdd : rlcd.value) {
+                       ++fentry;
+                       if(cdd.type == CredDAO.FQI) {
+                               entry = fentry;
+                               break; 
+                       }
+               }
+           } else {
+                   if (!doForce) {
+                       if (rlcd.value.size() > 1) {
+                           CredRequest cr = (CredRequest)from;
+                           String inputOption = cr.getEntry();
+                           if (inputOption == null) {
+                               List<CredDAO.Data> list = filterList(rlcd.value,CredDAO.BASIC_AUTH,CredDAO.BASIC_AUTH_SHA256,CredDAO.CERT_SHA256_RSA);
+                               String message = selectCredFromList(list, MayChangeCred.DELETE);
+                               Object[] variables = buildVariables(list);
+                               return Result.err(Status.ERR_ChoiceNeeded, message, variables);
+                           } else {
+                               try {
+                                   if (inputOption.length()>5) { // should be a date
+                                       Date d = Chrono.xmlDatatypeFactory.newXMLGregorianCalendar(inputOption).toGregorianCalendar().getTime();
+                                       for (CredDAO.Data cd : rlcd.value) {
+                                               ++fentry;
+                                           if (cd.type.equals(cr.getType()) && cd.expires.equals(d)) {
+                                               entry = fentry;
+                                               break;
+                                           }
+                                       }
+                                   } else {
+                                       entry = Integer.parseInt(inputOption) - 1;
+                                       int count = 0;
+                                       for (CredDAO.Data cd : rlcd.value) {
+                                               if(cd.type!=CredDAO.BASIC_AUTH && cd.type!=CredDAO.BASIC_AUTH_SHA256 && cd.type!=CredDAO.CERT_SHA256_RSA) {
+                                                       ++entry;
+                                               }
+                                               if(++count>entry) {
+                                                       break;
+                                               }
+                                       }
+                                   }
+                               } catch (NullPointerException e) {
+                                   return Result.err(Status.ERR_BadData, "Invalid Date Format for Entry");
+                               } catch (NumberFormatException e) {
+                                   return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+                               }
+                           }
+                           isLastCred = (entry==-1)?true:false;
+                       } else {
+                           isLastCred = true;
+                       }
+                       if (entry < -1 || entry >= rlcd.value.size()) {
+                           return Result.err(Status.ERR_BadData, "User chose invalid credential selection");
+                       }
+                   }
            }
            
            Result<FutureDAO.Data> fd = mapper.future(trans,CredDAO.TABLE,from,cred.value,false,
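Review bot: With a single stored credential, a non-FQI request and no force, `entry` keeps its new initial value of -1: the `else { isLastCred = true; }` branch never assigns it and the range check only rejects `entry < -1`. The guard in the following hunk, `if (entry<0 || entry >= rlcd.value.size())`, then turns that delete into an invalid-choice error, whereas the old code started from `entry = 0` and deleted the only credential. Setting `entry = 0;` in that else branch would restore the old behaviour, assuming nothing between the two hunks reassigns `entry`. The same -1 also makes a date that matches no credential set `isLastCred` to true through `(entry==-1)?true:false`, which looks unintended. The method starts and ends outside this hunk.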
@@ -2943,7 +2972,11 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                    Result<?>udr = null;
                    if (!trans.requested(force)) {
                        if (entry<0 || entry >= rlcd.value.size()) {
-                           return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id);
+                               if(cred.value.type==CredDAO.FQI) {
+                                       return Result.err(Status.ERR_BadData,"FQI does not exist");
+                               } else {
+                                       return Result.err(Status.ERR_BadData,"Invalid Choice [" + entry + "] chosen for Delete [%s] is saved for future processing",cred.value.id);
+                               }
                        }
                        udr = ques.credDAO().delete(trans, rlcd.value.get(entry),false);
                    } else {
@@ -3015,12 +3048,12 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
         Collections.sort(value, (cred1, cred2) -> 
                cred1.type==cred2.type?cred2.expires.compareTo(cred1.expires):
                        cred1.type<cred2.type?-1:1);
-        String [] vars = new String[value.size()+1];
-        vars[0]="Choice";
+        String [] vars = new String[value.size()];
         CredDAO.Data cdd;
+        
         for (int i = 0; i < value.size(); i++) {
                cdd = value.get(i);
-               vars[i+1] = cdd.id + TWO_SPACE + cdd.type + TWO_SPACE + (cdd.type<10?TWO_SPACE:"")+ cdd.expires + TWO_SPACE + cdd.tag;
+               vars[i] = cdd.id + TWO_SPACE + cdd.type + TWO_SPACE + (cdd.type<10?TWO_SPACE:"")+ cdd.expires + TWO_SPACE + cdd.tag;
         }
         return vars;
     }
index e85e52e..323c9fe 100644 (file)
@@ -171,10 +171,11 @@ public abstract class AuthzFacadeImpl<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
         String msgId;
         String[] detail;
         boolean hidemsg = false;
-        if (result.variables==null) {
+        if (result.variables==null || result.variables.length<1) {
             detail = new String[1];
         } else {
                List<String> dlist = new ArrayList<String>();
+               dlist.add(null);
                String os;
                for(Object s : result.variables) {
                        if(s!=null && (os=s.toString()).length()>0) {
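Review bot: `dlist.add(null);` needs a comment, because nothing here says why the first detail slot is left empty. From the next hunk it is reserved for text such as `detail[0] = "Choice Needed";`, so something like `dlist.add(null); // slot 0 is reserved for the status text set in the switch below` would do. It also shifts every variable up by one for all statuses, so any status whose case does not assign `detail[0]` will now carry a null first element; those cases are outside the hunk and worth checking.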
@@ -288,6 +289,7 @@ public abstract class AuthzFacadeImpl<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                 break;
             case ERR_ChoiceNeeded:
                 msgId = "SVC1300";
+                detail[0] = "Choice Needed";
                 response.setStatus(/*httpstatus=*/300);
                 break;
             case ERR_Backend: 
index 44ad7fc..56ba5f5 100644 (file)
@@ -534,14 +534,12 @@ public class Mapper_2_0 implements Mapper<Nss, Perms, Pkey, Roles, Users, UserRo
                    if (ok.length()>0) {
                        return Result.err(Status.ERR_BadData,ok);
                    }
-               } else {
-                   to.type=0;
                }
                if (passwd != null) {
                    to.cred = ByteBuffer.wrap(passwd.getBytes());
                    to.type = CredDAO.RAW; 
                } else {
-                   to.type = CredDAO.FQI;
+                   to.type = CredDAO.NONE;
                }
         }
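Review bot: After this change the final `else` assigns `CredDAO.NONE` whenever `passwd` is null, and nothing visible in the hunk carries over a type supplied by the request. The `ID` command in this commit sends `cr.setType(10)`, apparently without a password, and the service code branches on `rcred.value.type==CredDAO.FQI`, so if that request reaches this assignment the FQI branches can never fire. The enclosing condition is outside the hunk; if the request type is meant to survive, guard the assignment or add a comment stating where the type is set.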
                
index e48ae16..ace2c73 100644 (file)
@@ -119,7 +119,12 @@ public class AAFLurPerm extends AbsAAFLur<AAFPermission> {
                 @Override
                 public User<AAFPermission> code(Rcli<?> client) throws CadiException, ConnectException, APIException {
                     final long remoteStart = System.nanoTime();
-                    Future<Perms> fp = client.read("/authz/perms/user/"+name,aaf.permsDF);
+                    StringBuilder sb = new StringBuilder("/authz/perms/user/");
+                    sb.append(name);
+                    if(details) {
+                       sb.append("?force");
+                    }
+                    Future<Perms> fp = client.read(sb.toString(),aaf.permsDF);
                     
                     // In the meantime, lookup User, create if necessary
                     User<AAFPermission> user = getUser(principal);
index cfecc53..34c55ce 100644 (file)
@@ -43,6 +43,7 @@ public abstract class AbsAAFLur<PERM extends Permission> extends AbsUserCache<PE
     public AAFCon<?> aaf;
     public Lur preemptiveLur=null; // Initial Use is for OAuth2, preemptive Lur
     private String[] supports;
+    protected boolean details;
 
     public AbsAAFLur(AAFCon<?> con) throws APIException {
         super(con.access, con.cleanInterval, con.highCount, con.usageRefreshTriggerCount);
@@ -62,7 +63,12 @@ public abstract class AbsAAFLur<PERM extends Permission> extends AbsUserCache<PE
     public void setDebug(String ids) {
         this.debug = ids==null?null:Split.split(',', ids);
     }
+
+    public void details(boolean on) {
+       details = on;
+    }
     
+
     public void setPreemptiveLur(Lur preemptive) {
         this.preemptiveLur = preemptive;
     }
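Review bot: The new setter is named `details(boolean on)` while its neighbours in this hunk are `setDebug` and `setPreemptiveLur`, and it has no Javadoc. Its effect is not obvious from the name: per the AAFLurPerm hunk it appends `?force` to the `/authz/perms/user/` read. Consider `setDetails(boolean)` with a short doc comment saying that. If one LUR instance is shared between threads, the plain `protected boolean details` field may also need to be `volatile`; that depends on usage not shown here.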
index fac6a3f..994e325 100644 (file)
@@ -108,7 +108,6 @@ public class PropAccess implements Access {
     protected synchronized void init(Properties p) {
         // Make sure these two are set before any changes in Logging
         name = "cadi";
-        level=DEFAULT.maskOf();
         
         props = new Properties();
         // First, load related System Properties
@@ -127,16 +126,14 @@ public class PropAccess implements Access {
         
         // Preset LogLevel
         String sLevel = props.getProperty(Config.CADI_LOGLEVEL); 
-        if (sLevel!=null) {
-            level=Level.valueOf(sLevel).maskOf(); 
-        }
-        
         // Third, load any Chained Property Files
         load(props.getProperty(Config.CADI_PROP_FILES));
         
         if(sLevel==null) { // if LogLev wasn't set before, check again after Chained Load
                sLevel = props.getProperty(Config.CADI_LOGLEVEL); 
-               if (sLevel!=null) {
+               if (sLevel==null) {
+                       level=DEFAULT.maskOf();
+               } else {
                    level=Level.valueOf(sLevel).maskOf(); 
                }
         }
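Review bot: When `CADI_LOGLEVEL` is already present on the first `props.getProperty` call, `level` is no longer assigned anywhere in the visible code: the early `level=DEFAULT.maskOf()` and the first `if (sLevel!=null)` block were both removed, and the only remaining assignments sit inside `if(sLevel==null)`. Unless code past this hunk sets it, a log level given through the initial or system properties is silently ignored and `level` keeps its field default. Assign it unconditionally after the chained load: `if (sLevel==null) { sLevel = props.getProperty(Config.CADI_LOGLEVEL); }` followed by `level = sLevel==null ? DEFAULT.maskOf() : Level.valueOf(sLevel).maskOf();`. `init` continues outside the hunk.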
index c87b9c3..8333db5 100644 (file)
@@ -73,7 +73,7 @@ public class JU_GetAccess {
         @SuppressWarnings("unused")
         GetAccess getAccess = new GetAccess(accessGet);
         String[] lines = outStream.toString().split(System.lineSeparator());
-        assertThat(lines.length, is(6));
+        assertThat(lines.length, is(5));
         output = lines[0].split(" ", 2)[1];
 
     }