From: Instrumental <jonathan.gathman@att.com>
Date: Wed, 3 Apr 2019 17:12:19 +0000 (-0500)
Subject: Add OneWeekCred notice
X-Git-Tag: 2.1.11~12
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=aaf%2Fauthz.git;a=commitdiff_plain;h=08755cae37030d74d8fcadf38f9919c9d9fd21c0

Add OneWeekCred notice

Issue-ID: AAF-789
Change-Id: Ib52310e9376f057d04a7158995db53b7df3224c6
Signed-off-by: Instrumental <jonathan.gathman@att.com>
---

diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java
index 60902f1e..a49fc943 100644
--- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/Analyze.java
@@ -207,8 +207,19 @@ public class Analyze extends Batch {
 						deleteCW.comment("Approval is Orphaned");
 						Approval.row(deleteCW, appr);
 					} else {
-						ticket.approvals.add(appr); // add to found Ticket
-						approvers.add(appr.getApprover());
+						// for users and approvers still valid
+						String user = appr.getUser();
+						
+						if(org.isRevoked(trans, appr.getApprover())) {
+							deleteCW.comment("Approver ID is revoked");
+							Approval.row(deleteCW, appr);
+						} else if(user!=null && !user.isEmpty() && org.isRevoked(trans, user)) {
+							deleteCW.comment("USER ID is revoked");
+							Approval.row(deleteCW, appr);
+						} else {
+							ticket.approvals.add(appr); // add to found Ticket
+							approvers.add(appr.getApprover());
+						}
 					}
 				}
 	    	} finally {
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/NotInOrg.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/NotInOrg.java
index 9cd0baee..fb562b24 100644
--- a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/NotInOrg.java
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/NotInOrg.java
@@ -125,27 +125,6 @@ public class NotInOrg extends Batch {
 				}
 			}
 			
-			/* 
-			 * Do we delete now?  Or work on Revocation semantics 
-			 * 
-			trans.info().log("Checking for X509s without IDs");
-			X509.load(trans, session, new Visitor<X509>() {
-				@Override
-				public void visit(X509 x509) {
-					try {
-						for(Certificate cert : Factory.toX509Certificate(x509.x509)) {
-							X509Certificate xc = (X509Certificate)cert;
-							xc.getSubjectDN();
-							if(!check(transNoAvg,checked, (X))) {
-								x509.row(notInOrgW,);
-							}
-						}
-					} catch (CertificateException | IOException e) {
-						trans.error().log(e, "Error Decrypting X509");
-					}					
-				}
-			});
-			 */
 		} catch (OrganizationException e) {
 			trans.info().log(e);
 		}
@@ -155,7 +134,7 @@ public class NotInOrg extends Batch {
 	private Writer whichWriter(AuthzTrans transNoAvg, String id) {
 		Writer w = whichWriter.get(id);
 		if(w==null) {
-			w = org.mayAutoDelete(transNoAvg, id)?
+			w = org.isRevoked(transNoAvg, id)?
 					notInOrgDeleteW:
 					notInOrgW;
 			whichWriter.put(id,w);
diff --git a/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneWeekNotifyCredBody.java b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneWeekNotifyCredBody.java
new file mode 100644
index 00000000..e28388d5
--- /dev/null
+++ b/auth/auth-batch/src/main/java/org/onap/aaf/auth/batch/reports/bodies/OneWeekNotifyCredBody.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.auth.batch.reports.bodies;
+
+import java.io.IOException;
+
+import org.onap.aaf.auth.batch.helpers.ExpireRange;
+import org.onap.aaf.cadi.Access;
+
+public class OneWeekNotifyCredBody extends NotifyCredBody {
+	public OneWeekNotifyCredBody(Access access) throws IOException {
+		super(access, ExpireRange.ONE_WEEK);
+	}
+
+	@Override
+	public String subject() {
+		return String.format("AAF Final Week Credential Notification (ENV: %s)",env);
+	}
+	
+	/* (non-Javadoc)
+	 * @see org.onap.aaf.auth.batch.reports.bodies.NotifyCredBody#dynamic()
+	 */
+	@Override
+	protected String dynamic() {
+		return "Failure for your App is <b><i>IMMINENT</i></b>. This email is escalated to your superior and General Manager. " + super.dynamic();
+	}
+}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
index 597f2696..539b9369 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/org/Organization.java
@@ -106,18 +106,16 @@ public interface Organization {
     public Identity getIdentity(AuthzTrans trans, String id) throws OrganizationException;
     
     /**
-     * May AutoDelete
+     * Is Revoked
      * 
      * Deletion of an Identity that has been removed from an Organization can be dangerous.  Mistakes may have been made 
      * in the Organization side, a Feed might be corrupted, an API might not be quite right.  
      * 
-     * The implementation of this method can use a double check of some sort, such as comparsion of missing ID in Organization
+     * The implementation of this method can use a double check of some sort, such as comparison of missing ID in Organization
      * feed with a "Deleted ID" feed.  
      * 
-     * The failure to be in Organization will still be reported, if returned "false", but if true, it is taken as an 
-     * ok to proceed with deletion. 
      */
-	public boolean mayAutoDelete(AuthzTrans trans, String id);
+	public boolean isRevoked(AuthzTrans trans, String id);
 
 
     /**
@@ -562,7 +560,7 @@ public interface Organization {
         }
         
     	@Override
-    	public boolean mayAutoDelete(AuthzTrans trans, String id) {
+    	public boolean isRevoked(AuthzTrans trans, String id) {
     		// provide a corresponding feed that indicates that an ID has been intentionally removed from identities.dat table.
     		return false;
     	}
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java
index ee92540b..b3e2883d 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsServiceStarter.java
@@ -148,7 +148,7 @@ public abstract class AbsServiceStarter<ENV extends RosettaEnv, TRANS extends Tr
     			}
     			status = new File(status, fname);
     			if(status.exists()) {
-    				status.delete();
+    				deleted=status.delete();
     			}
     		}
     		if(deleted) {
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
index 92db4694..50b65ffe 100644
--- a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrg.java
@@ -32,6 +32,7 @@ import java.util.Set;
 import java.util.regex.Pattern;
 
 import org.onap.aaf.auth.env.AuthzTrans;
+import org.onap.aaf.auth.local.AbsData.Reuse;
 import org.onap.aaf.auth.org.EmailWarnings;
 import org.onap.aaf.auth.org.Executor;
 import org.onap.aaf.auth.org.Mailer;
@@ -83,6 +84,7 @@ public class DefaultOrg implements Organization {
                         }
                         fIdentities.createNewFile();
                     }
+                    
                 }
             } else {
                 fIdentities = new File(temp);
@@ -103,6 +105,24 @@ public class DefaultOrg implements Organization {
                     throw new OrganizationException(fIdentities.getCanonicalPath() + " does not exist.");
                 }
             }
+
+            File fRevoked=null;
+            temp=env.getProperty(getClass().getName()+".file.revoked");
+            if(temp==null) {
+                temp = env.getProperty(AAF_DATA_DIR);
+                if (temp!=null) {
+                    File dir = new File(temp);
+                	fRevoked=new File(dir,"revoked.dat");
+                }
+            } else {
+            	fRevoked = new File(temp);
+            }
+            if (fRevoked!=null && fRevoked.exists()) {
+                revoked = new Identities(fRevoked);
+            } else {
+            	revoked = null;
+            }
+            
         } catch (IOException e) {
             throw new OrganizationException(e);
         }
@@ -112,6 +132,7 @@ public class DefaultOrg implements Organization {
     static final List<String> NULL_DELEGATES = new ArrayList<>();
 
     public Identities identities;
+    public Identities revoked;
     private boolean dryRun;
     private Mailer mailer;
     public enum Types {Employee, Contractor, Application, NotActive};
@@ -147,7 +168,35 @@ public class DefaultOrg implements Organization {
         return new DefaultOrgIdentity(trans,at<0?id:id.substring(0, at),this);
     }
 
-    /* (non-Javadoc)
+    /**
+     * If the ID isn't in the revoked file, if it exists, it is revoked.
+     */
+    @Override
+	public boolean isRevoked(AuthzTrans trans, String key) {
+    	if(revoked!=null) {
+            try {
+            	revoked.open(trans, DefaultOrgIdentity.TIMEOUT);
+            	try {
+	                Reuse r = revoked.reuse();
+	                int at = key.indexOf(domain);
+	                String search;
+	                if (at>=0) {
+	                    search = key.substring(0,at);
+	                } else {
+	                    search = key;
+	                }
+	                return revoked.find(search, r)!=null;
+                } finally {
+                    revoked.close(trans);
+                }
+			} catch (IOException e) {
+				trans.error().log(e);
+            }
+    	}
+		return false;
+	}
+
+	/* (non-Javadoc)
 	 * @see org.onap.aaf.auth.org.Organization#getEsclaations(org.onap.aaf.auth.env.AuthzTrans, java.lang.String, int)
 	 */
 	@Override
@@ -632,10 +681,4 @@ public class DefaultOrg implements Organization {
             return 0;
         }
     }
-
-	@Override
-	public boolean mayAutoDelete(AuthzTrans trans, String user) {
-		// provide a corresponding feed that indicates that an ID has been intentionally removed from identities.dat table.
-		return false;
-	}
 }
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
index ba616ade..f2b9d8c9 100644
--- a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
@@ -45,7 +45,7 @@ public class DefaultOrgIdentity implements Identity {
     private static final String APPLICATION = "a";
     private static final String NON_ACTIVE = "n";
 
-    private final static int TIMEOUT = Integer.parseInt(Config.AAF_CONN_TIMEOUT_DEF);
+    final static int TIMEOUT = Integer.parseInt(Config.AAF_CONN_TIMEOUT_DEF);
 
     private DefaultOrg org;
     //package on purpose