Fixes from Regression Tests 11/98911/1
authorInstrumental <jonathan.gathman@att.com>
Wed, 27 Nov 2019 21:57:10 +0000 (15:57 -0600)
committerInstrumental <jonathan.gathman@att.com>
Wed, 27 Nov 2019 21:57:14 +0000 (15:57 -0600)
Issue-ID: AAF-1058
Change-Id: I7d3ace9cef69a163c2ec0c9a48583fdfa9ca20af
Signed-off-by: Instrumental <jonathan.gathman@att.com>
auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java
auth/auth-cmd/src/main/java/org/onap/aaf/auth/cmd/user/Cred.java
auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java
cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java

index 1809686..39578f8 100644 (file)
@@ -786,11 +786,17 @@ public class Question {
                     return Result.err(Status.ERR_BadData,
                             "[%s] cannot be a delegate for self", dd.user);
                 }
-                if (!isUser    && !isGranted(trans, trans.user(), ROOT_NS,DELG,
-                                org.getDomain(), Question.CREATE)) {
-                    return Result.err(Status.ERR_Denied,
+                if (!isUser) {
+                       String supportedDomain = org.supportedDomain(dd.user);
+                       if(supportedDomain==null) {
+                        return Result.err(Status.ERR_Denied,
+                                "[%s] may not create a delegate for the domain for [%s]",
+                                trans.user(), dd.user);
+                       } else if(!isGranted(trans, trans.user(), ROOT_NS,DELG,supportedDomain,Question.CREATE)) {
+                               return Result.err(Status.ERR_Denied,
                             "[%s] may not create a delegate for [%s]",
                             trans.user(), dd.user);
+                       }
                 }
                 break;
             case read:
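Review bot: The inserted lines declaring `supportedDomain`, the `else if(!isGranted(...))` branch and its closing brace are indented with tabs while the enclosing body uses four spaces, so the new nesting under `if (!isUser)` reads one level off from the `return Result.err(Status.ERR_Denied,` lines it wraps; re-indent with spaces and write `if (supportedDomain == null)` to match the surrounding `if (` style. The enclosing switch and method start before the hunk. The control flow itself is sound in that a null from `org.supportedDomain(dd.user)` falls through to a denial rather than to the grant check.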
index 1a41008..9ef4c00 100644 (file)
@@ -132,11 +132,22 @@ public class Cred extends Cmd {
 
                     // IMPORTANT! We do this backward, because it is looking for string
                     // %1 or %13.  If we replace %1 first, that messes up %13
+                    String var;
                     for(int i=vars.size()-1;i>0;--i) {
-                        text = text.replace("%"+(i+1), (i<10?" ":"") + i+") " + vars.get(i));
+                       var = vars.get(i);
+                       if(aafcli.isTest()) {
+                               int type = var.indexOf("U/P");
+                               if(type>0) {
+                                       var = var.substring(0,type+4) + "  XXXX/XX/XX XX:XX UTC  XXXXXXXXXXXXXXXXXX";
+                               }
+                       }
+                        text = text.replace("%"+(i+1), (i<10?" ":"") + i+") " + var);
                     }
 
                     text = text.replace("%1",vars.get(0));
+                    if(aafcli.isTest()) {
+                       
+                    }
                     pw().println(text);
                 } else if (fp.code()==406 && option==1) {
                         pw().println("You cannot delete this Credential");
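Review bot: The `if(aafcli.isTest()) { }` block added after the `%1` replacement is empty and reads as an unfinished edit; remove it or fill it in. In the masking branch above it, `var.substring(0,type+4)` throws StringIndexOutOfBoundsException when `U/P` is the last three characters of the entry, and `type>0` leaves an entry that begins with `U/P` unmasked; `if(type>=0 && type+4<=var.length())` covers both cases. `var` is also a restricted identifier since Java 10, so a local name such as `entry` avoids confusion with local type inference. The enclosing method starts and ends outside the hunk.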
index 288d79d..7309309 100644 (file)
@@ -95,7 +95,16 @@ public interface Organization {
 
     public void addSupportedRealm(String r);
 
-    public String getDomain();
+    /**
+     * If Supported, returns Realm, ex: org.onap
+     * ELSE returns null
+     * 
+     * @param user
+     * @return
+     */
+    public String supportedDomain(String user);
+
+       public String getDomain();
 
     /**
      * Get Identity information based on userID
@@ -420,6 +429,11 @@ public interface Organization {
         @Override
         public void addSupportedRealm(String r) {
         }
+        
+        @Override
+        public String supportedDomain(String r) {
+               return null;
+        }
 
         @Override
         public String getDomain() {
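Review bot: The Javadoc on the new `supportedDomain(String user)` leaves `@param user` and `@return` empty, and "returns Realm" versus the method's "Domain" name leaves implementors guessing; something like `@param user the identity whose domain is being checked, e.g. an id carrying an @domain part` and `@return the supported domain for {@code user}, in the form shown by the example, or {@code null} if this Organization does not support the user's domain` would pin the contract that the callers in Question and AuthzCassServiceImpl rely on. The default implementation in the second hunk names its parameter `r` where the interface says `user`; the names should agree. The moved `public String getDomain();` line is now tab-indented unlike its neighbours.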
index 46d3db9..70b3324 100644 (file)
@@ -637,6 +637,25 @@ public class DefaultOrg implements Organization {
         }
         return false;
     }
+    
+       @Override
+       public String supportedDomain(String user) {
+               if(user!=null) {
+                       int after_at = user.indexOf('@')+1;
+                       if(after_at<user.length()) {
+                               String ud = FQI.reverseDomain(user);
+                               if(ud.startsWith(getDomain())) {
+                                       return getDomain();
+                               }
+                               for(String s : supportedRealms) {
+                                       if(ud.startsWith(s)) {
+                                               return FQI.reverseDomain(s);
+                                       }
+                               }
+                       }
+               }
+               return null;
+       }
 
     @Override
     public synchronized void addSupportedRealm(final String r) {
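Review bot: The `after_at` guard in the new `supportedDomain` does not actually require an `@`: `indexOf('@')` returns -1 for a bare name, so `after_at` becomes 0 and `0 < user.length()` holds for any non-empty string, and `FQI.reverseDomain(user)` is then called on input with no domain part; use `int at = user.indexOf('@');` followed by `if(at>=0 && at+1<user.length()) {`. The two `startsWith` checks also match on a bare string prefix, so if `FQI.reverseDomain` yields a dot-joined reversed domain (as the interface's `org.onap` example suggests) a constructed `org.onapx.someone` would pass the `org.onap` check; `ud.equals(d) || ud.startsWith(d + '.')` limits the match to a component boundary, to be confirmed against reverseDomain's output format. The method also iterates `supportedRealms` without the `synchronized` that `addSupportedRealm` holds, which may matter depending on that collection's type.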
index 2431e0e..6741030 100644 (file)
@@ -2346,10 +2346,11 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                 }
                 switch(action) {
                     case DELETE:
+                       String why;
                         if(ques.isOwner(trans, user,ns) ||
-                                ques.isAdmin(trans, user,ns) ||
-                                ques.isGranted(trans, user, ROOT_NS,"password",company,DELETE)) {
-                                     return Result.ok();
+                                       ques.isAdmin(trans, user,ns) ||
+                                       ques.isGranted(trans, user, ROOT_NS,"password",company,DELETE)) {
+                               return Result.ok();
                         }
                         break;
                     case RESET:
@@ -2509,13 +2510,16 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
                         try {
                             if (firstID) {
                                 // OK, it's a first ID, and not by NS Owner
-                                if(!ques.isOwner(trans,trans.user(),cdd.ns)) {
+                               String user = trans.user();
+                                if(!ques.isOwner(trans,user,cdd.ns)) {
                                     // Admins are not allowed to set first Cred, but Org has already
                                     // said entity MAY create, typically by Permission
                                     // We can't know which reason they are allowed here, so we
                                     // have to assume that any with Special Permission would not be
                                     // an Admin.
-                                    if(ques.isAdmin(trans, trans.user(), cdd.ns)) {
+                                       String domain = org.supportedDomain(user);
+                                    if((domain!=null && !ques.isGranted(trans, user, ROOT_NS, "mechid", domain, Question.CREATE)) &&
+                                               ques.isAdmin(trans, user, cdd.ns)) {
                                         return Result.err(Result.ERR_Denied,
                                             "Only Owners may create first passwords in their Namespace. Admins may modify after one exists" );
                                     } else {
@@ -3900,6 +3904,10 @@ public class AuthzCassServiceImpl    <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
         }
 
         final DelegateDAO.Data dd = rd.value;
+        
+        if(dd.user.contentEquals(dd.delegate) && !trans.requested(force)) {
+               return Result.err(Status.ERR_InvalidDelegate,dd.user + " cannot delegate to self");
+        }
 
         Result<List<DelegateDAO.Data>> ddr = ques.delegateDAO().read(trans, dd);
         if (access==Access.create && ddr.isOKhasData()) {
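Review bot: In the first-credential hunk the new condition `(domain!=null && !ques.isGranted(...)) && ques.isAdmin(...)` never denies when `org.supportedDomain(user)` returns null, so an Admin whose domain is not supported now falls into the permissive `else` branch where the old code returned ERR_Denied; the Organization default stub in this same change returns null unconditionally. If the intent is to exempt only Admins holding the mechid create grant, the null case should stay denied: `if(ques.isAdmin(trans, user, cdd.ns) && (domain==null || !ques.isGranted(trans, user, ROOT_NS, "mechid", domain, Question.CREATE))) {`. In the DELETE case hunk, `String why;` is declared but never used and, as a declaration placed directly inside a `case`, is scoped over the whole switch; drop it. The enclosing methods start and end outside the hunks.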
index cef4ae4..c7b2605 100644 (file)
@@ -32,6 +32,8 @@ import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.ArrayList;
 
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
 import javax.servlet.http.HttpServletResponse;
 
 import org.onap.aaf.cadi.CadiException;
index c4719f8..0cebaa7 100644 (file)
@@ -181,7 +181,7 @@ public class PropAccess implements Access {
                                 String value = es.getValue().toString();
                                 props.put(key, value);
                                 if(key.contains("pass")) {
-                                    value = "XXXXXXX";
+                                    value = "vi XX";
                                 }
                                 printf(Level.DEBUG,"  %s=%s",key,value);
                             }
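Review bot: Replacing the `XXXXXXX` mask with `vi XX` on the DEBUG line for keys containing `pass` looks like an accidental editor keystroke rather than an intended change; the value is still redacted, but the output no longer signals redaction, so keep `value = "XXXXXXX";` or a clearly named constant. Separately, `key.contains("pass")` is case-sensitive, so keys such as `Password` or `PASS` are printed unmasked at DEBUG; `key.toLowerCase(Locale.ROOT).contains("pass")` (needs `java.util.Locale`) would cover them. The enclosing loop starts and ends outside the hunk.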