Result<List<Data>> cresp = certDAO.read(trans, ByteBuffer.wrap(fingerprint));
if(cresp.isOKhasData()) {
Data cdata = cresp.value.get(0);
- return new X509Principal(cdata.id,cert,certBytes);
+ return new X509Principal(cdata.id,cert,certBytes,null);
}
return null;
}
}
// Policy 2: MechID must have valid Organization Owner
- Identity ouser = muser.responsibleTo();
- if(ouser == null) {
- return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
- trans.user(),add.mechid,trans.org().getName());
+ Identity emailUser;
+ if(muser.isPerson()) {
+ emailUser = muser;
+ } else {
+ Identity ouser = muser.responsibleTo();
+ if(ouser == null) {
+ return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
+ trans.user(),add.mechid,trans.org().getName());
+ }
+
+ // Policy 3: Calling ID must be MechID Owner
+ if(!trans.user().equals(ouser.fullID())) {
+ return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
+ trans.user(),add.mechid,trans.org().getName());
+ }
+ emailUser = ouser;
}
- // Policy 3: Calling ID must be MechID Owner
- if(!trans.user().equals(ouser.fullID())) {
- return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
- trans.user(),add.mechid,trans.org().getName());
- }
// Policy 4: Renewal Days are between 10 and 60 (constants, may be parameterized)
if(add.renewDays<MIN_RENEWAL) {
// Policy 5: If Notify is blank, set to Owner's Email
if(add.notify==null || add.notify.length()==0) {
- add.notify = "mailto:"+ouser.email();
+ add.notify = "mailto:"+emailUser.email();
}
// Policy 6: Only do Domain by Exception
}
// Set Sponsor from Golden Source
- add.sponsor = ouser.fullID();
+ add.sponsor = emailUser.fullID();
} catch (OrganizationException e) {
try {
Object[] atl=new Object[additionalTafLurs.length+2];
atl[0]=new DirectAAFLur(env,question); // Note, this will be assigned by AuthzTransFilter to TrustChecker
- atl[1]=new BasicHttpTaf(env, directAAFUserPass,
- domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
- false);
+ atl[1]= new BasicHttpTaf(env, directAAFUserPass,
+ domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
+ false);
if(additionalTafLurs.length>0) {
System.arraycopy(additionalTafLurs, 0, atl, 2, additionalTafLurs.length);
NSS nss = mapper.newInstance(API.NSS);
// Note: "loadNamespace" already validates view of Namespace
return mapper.nss(trans, rn.value, nss);
-
}
@ApiDoc(
import org.onap.aaf.auth.service.facade.AuthzFacade;
import org.onap.aaf.auth.service.mapper.Mapper.API;
import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.CredVal.Type;
import org.onap.aaf.cadi.Symm;
import org.onap.aaf.cadi.principal.BasicPrincipal;
import org.onap.aaf.cadi.principal.X509Principal;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
import org.onap.aaf.misc.env.Env;
import org.onap.aaf.misc.env.TimeTaken;
// have to check Basic Auth here, because it might be CSP.
String authz = req.getHeader("Authorization");
if(authz.startsWith("Basic ")) {
- String decoded = Symm.base64noSplit.decode(authz.substring(6));
- int colon = decoded.indexOf(':');
- TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
- try {
- if(directAAFUserPass.validate(
- decoded.substring(0,colon),
- CredVal.Type.PASSWORD ,
- decoded.substring(colon+1).getBytes(),trans)) {
-
- resp.setStatus(HttpStatus.OK_200);
- } else {
- // DME2 at this version crashes without some sort of response
- resp.getOutputStream().print("");
- resp.setStatus(HttpStatus.FORBIDDEN_403);
+ BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf();
+ if(bht!=null) {
+ BasicPrincipal bp = new BasicPrincipal(authz,"");
+ CredVal cv = bht.getCredVal(bp.getDomain());
+ if(cv!=null) {
+ if(cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ resp.setStatus(HttpStatus.FORBIDDEN_403);
+ }
+ }
+ } else {
+ String decoded = Symm.base64noSplit.decode(authz.substring(6));
+ int colon = decoded.indexOf(':');
+ TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
+ try {
+ if(directAAFUserPass.validate(
+ decoded.substring(0,colon),
+ CredVal.Type.PASSWORD ,
+ decoded.substring(colon+1).getBytes(),trans)) {
+
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ // DME2 at this version crashes without some sort of response
+ resp.getOutputStream().print("");
+ resp.setStatus(HttpStatus.FORBIDDEN_403);
+ }
+ } finally {
+ tt.done();
}
- } finally {
- tt.done();
}
}
} else if(p == null) {
byte[] fingerprint = X509Taf.getFingerPrint(certBytes);
String id = certs.get(new ByteArrayHolder(fingerprint));
if(id!=null) { // Caller is Validated
- return new X509Principal(id,cert,certBytes);
+ return new X509Principal(id,cert,certBytes,null);
}
return null;
}
char[] password = cons.readPassword("Password for %s: ", appID);
String app_pass = access.encrypt(new String(password));
access.setProperty(Config.AAF_APPPASS,app_pass);
+ diskprops.setProperty(Config.AAF_APPPASS, app_pass);
}
String keystore=access.getProperty(Config.CADI_KEYSTORE);
--- /dev/null
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi;
+
+public interface CredValDomain extends CredVal {
+ public String domain();
+}
import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.Connector;
import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.CredValDomain;
import org.onap.aaf.cadi.Locator;
import org.onap.aaf.cadi.LocatorException;
import org.onap.aaf.cadi.Lur;
public static final String CADI_OAUTH2_URL="cadi_oauth2_url";
public static final String CADI_TOKEN_DIR = "cadi_token_dir";
- public static final String CSP_DOMAIN = "csp_domain";
- public static final String CSP_HOSTNAME = "csp_hostname";
- public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost";
- public static final String CSP_USER_HEADER = "CSP_USER";
- public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf";
- public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file";
-
public static final String HTTPS_PROTOCOLS = "https.protocols";
public static final String HTTPS_CIPHER_SUITES = "https.cipherSuites";
public static final String HTTPS_CLIENT_PROTOCOLS="jdk.tls.client.protocols";
/////////////////////////////////////////////////////
// Configure Client Cert TAF
/////////////////////////////////////////////////////
-
+ X509Taf x509TAF = null;
String truststore = logProp(access, CADI_TRUSTSTORE,null);
if(truststore!=null) {
String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD,null);
}
}
try {
- htlist.add(new X509Taf(access,lur));
+ htlist.add(x509TAF=new X509Taf(access,lur));
access.log(Level.INIT,"Certificate Authorization enabled");
} catch (SecurityException e) {
access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.",
" There will be no additional warning if Basic Auth is used on an insecure channel"
);
- htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn));
+ BasicHttpTaf bht = new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn);
+ for(Object o : additionalTafLurs) {
+ if(o instanceof CredValDomain) {
+ bht.add((CredValDomain)o);
+ }
+ }
+ if(x509TAF!=null) {
+ x509TAF.add(bht);
+ }
+ htlist.add(bht);
access.log(Level.INIT,"Basic Authorization is enabled");
}
} else {
/////////////////////////////////////////////////////
if(additionalTafLurs!=null) {
for(Object additional : additionalTafLurs) {
- if(additional instanceof HttpTaf) {
- htlist.add((HttpTaf)additional);
+ if(additional instanceof BasicHttpTaf) {
+ BasicHttpTaf ht = (BasicHttpTaf)additional;
+ for(Object cv : additionalTafLurs) {
+ if(cv instanceof CredValDomain) {
+ ht.add((CredValDomain)cv);
+ access.printf(Level.INIT,"%s Authentication is enabled",cv);
+ }
+ }
+ htlist.add(ht);
+ } else if(additional instanceof HttpTaf) {
+ HttpTaf ht = (HttpTaf)additional;
+ htlist.add(ht);
access.printf(Level.INIT,"%s Authentication is enabled",additional.getClass().getSimpleName());
} else if(hasOAuthDirectTAF) {
Class<?> daupCls;
private String name = null;
private String shortName = null;
+ private String domain;
private byte[] cred = null;
-
private long created;
- public BasicPrincipal(String content,String domain) throws IOException {
+
+ public BasicPrincipal(String content,String defaultDomain) throws IOException {
created = System.currentTimeMillis();
ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes());
// Read past "Basic ", ensuring it starts with it.
shortName=name.substring(0, at);
} else {
shortName = name;
- name = name + '@' + domain;
+ domain=defaultDomain;
+ name = name + '@' + defaultDomain;
}
}
public BasicPrincipal(BasicCred bc, String domain) {
name = bc.getUser();
cred = bc.getCred();
+ this.domain = domain;
}
private class BasicOS extends OutputStream {
return shortName;
}
+ public String getDomain() {
+ return domain;
+ }
+
public byte[] getCred() {
return cred;
}
import java.security.cert.X509Certificate;
import java.util.regex.Pattern;
-import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.GetCred;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
public class X509Principal extends BearerPrincipal implements GetCred {
private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*");
private final X509Certificate cert;
private final String name;
- private TagLookup tagLookup;
- private byte[] content;
+ private byte[] content;
+ private BasicHttpTaf bht;
public X509Principal(String identity, X509Certificate cert) {
name = identity;
content = null;
this.cert = cert;
- tagLookup = null;
}
- public X509Principal(String identity, X509Certificate cert, byte[] content) {
+ public X509Principal(String identity, X509Certificate cert, byte[] content, BasicHttpTaf bht) {
name = identity;
this.content = content;
this.cert = cert;
- tagLookup = null;
+ this.bht = bht;
}
- public X509Principal(X509Certificate cert, byte[] content) throws IOException {
+ public X509Principal(X509Certificate cert, byte[] content, BasicHttpTaf bht) throws IOException {
this.content=content;
this.cert = cert;
String _name = null;
throw new IOException("X509 does not have Identity as CN");
}
name = _name;
- tagLookup = null;
+ this.bht = bht;
}
public String getAsHeader() throws IOException {
return "x509";
}
+ public BasicHttpTaf getBasicHttpTaf() {
+ return bht;
+ }
+
}
import java.io.IOException;
import java.security.Principal;
+import java.util.Map;
+import java.util.TreeMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.BasicCred;
import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CredVal;
-import org.onap.aaf.cadi.Taf;
-import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.CachedPrincipal.Resp;
+import org.onap.aaf.cadi.CredVal;
import org.onap.aaf.cadi.CredVal.Type;
+import org.onap.aaf.cadi.CredValDomain;
+import org.onap.aaf.cadi.Taf;
import org.onap.aaf.cadi.principal.BasicPrincipal;
import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
import org.onap.aaf.cadi.taf.HttpTaf;
private Access access;
private String realm;
private CredVal rbac;
+ private Map<String,CredVal> rbacs = new TreeMap<>();
private boolean warn;
private long timeToLive;
this.timeToLive = timeToLive;
}
+ public void add(final CredValDomain cvd) {
+ rbacs.put(cvd.domain(), cvd);
+ }
+
/**
* Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.
* @see Taf
return DenialOfServiceTaf.respDenyID(access,bc.getUser());
}
CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);
+
+ // Be able to do Organizational specific lookups by Domain
+ CredVal cv = rbacs.get(bp.getDomain());
+ if(cv==null) {
+ cv = rbac;
+ }
+
// ONLY FOR Last Ditch DEBUGGING...
// access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));
-
- if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) {
+ if(cv.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) {
return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
} else {
//TODO may need timed retries in a given time period
if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
return DenialOfServiceTaf.respDenyID(access,ba.getName());
}
+
+ final int at = ba.getName().indexOf('@');
+ CredVal cv = rbacs.get(ba.getName().substring(at+1));
+ if(cv==null) {
+ cv = rbac; // default
+ }
// ONLY FOR Last Ditch DEBUGGING...
// access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));
- if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) {
+ if(cv.validate(ba.getShortName(), Type.PASSWORD, ba.getCred(), req)) {
return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
} else {
//TODO may need timed retries in a given time period
}
return sb.toString();
}
+
+ public void addCredVal(final String realm, final CredVal cv) {
+ rbacs.put(realm, cv);
+ }
+ public CredVal getCredVal(String key) {
+ CredVal cv = rbacs.get(key);
+ if(cv==null) {
+ cv = rbac;
+ }
+ return cv;
+ }
+
@Override
public Resp revalidate(CachedPrincipal prin, Object state) {
if(prin instanceof BasicPrincipal) {
public String toString() {
return "Basic Auth enabled on realm: " + realm;
}
+
}
import javax.servlet.http.HttpServletResponse;
import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CredVal;
import org.onap.aaf.cadi.Lur;
import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
import org.onap.aaf.cadi.Taf.LifeForm;
import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.cadi.config.SecurityInfo;
import org.onap.aaf.cadi.taf.HttpTaf;
import org.onap.aaf.cadi.taf.TafResp;
import org.onap.aaf.cadi.taf.TafResp.RESP;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
import org.onap.aaf.cadi.util.Split;
public class X509Taf implements HttpTaf {
private ArrayList<String> cadiIssuers;
private String env;
private SecurityInfo si;
+ private BasicHttpTaf bht;
static {
try {
String[] sa = Split.splitTrim(':', subject, temp+3,end);
if(sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment
return new X509HttpTafResp(access,
- new X509Principal(sa[0], certarr[0],(byte[])null),
+ new X509Principal(sa[0], certarr[0],(byte[])null,bht),
"X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED);
}
}
return null;
}
+ public void add(BasicHttpTaf bht) {
+ this.bht = bht;
+ }
+
+ public CredVal getCredVal(final String key) {
+ if(bht==null) {
+ return null;
+ } else {
+ return bht.getCredVal(key);
+ }
+ }
+
}
@Test
public void constructor2Test() throws IOException {
- X509Principal x509 = new X509Principal(name, cert, cred);
+ X509Principal x509 = new X509Principal(name, cert, cred,null);
// Call twice to hit both branches
assertThat(x509.getAsHeader(), is("X509 " + cred));
assertThat(x509.toString(), is("X509 Authentication for " + name));
final String longName = "name@domain";
when(subject.getName()).thenReturn("OU=" + longName + ",extra");
when(cert.getSubjectDN()).thenReturn(subject);
- X509Principal x509 = new X509Principal(cert, cred);
+ X509Principal x509 = new X509Principal(cert, cred,null);
// Call twice to hit both branches
assertThat(x509.getAsHeader(), is("X509 " + cred));
assertThat(x509.toString(), is("X509 Authentication for " + longName));
when(subject.getName()).thenReturn(longName + ",extra");
when(cert.getSubjectDN()).thenReturn(subject);
try {
- x509 = new X509Principal(cert, cred);
+ x509 = new X509Principal(cert, cred, null);
fail("Should have thrown an Exception");
} catch(IOException e) {
assertThat(e.getMessage(), is("X509 does not have Identity as CN"));
when(subject.getName()).thenReturn("OU=" + longName);
when(cert.getSubjectDN()).thenReturn(subject);
try {
- x509 = new X509Principal(cert, cred);
+ x509 = new X509Principal(cert, cred, null);
fail("Should have thrown an Exception");
} catch(IOException e) {
assertThat(e.getMessage(), is("X509 does not have Identity as CN"));
when(subject.getName()).thenReturn("OU=" + name + ",exta");
when(cert.getSubjectDN()).thenReturn(subject);
try {
- x509 = new X509Principal(cert, cred);
+ x509 = new X509Principal(cert, cred, null);
fail("Should have thrown an Exception");
} catch(IOException e) {
assertThat(e.getMessage(), is("X509 does not have Identity as CN"));