From: Instrumental <jgonap@stl.gathman.org>
Date: Fri, 24 Jan 2020 20:47:48 +0000 (-0600)
Subject: Fix Agent and CM Issues
X-Git-Tag: 2.1.17~8
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=aaf%2Fauthz.git;a=commitdiff_plain;h=be1edcb6830745015f5de72e820f40f36dd571ad

Fix Agent and CM Issues

Issue-ID: AAF-1067
Signed-off-by: Instrumental <jgonap@stl.gathman.org>
Change-Id: I5508edec3d63b4831d0caddd8303126956bd05a0
---

diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
index 8bb0441b..024d9f96 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/AAF_CM.java
@@ -154,7 +154,11 @@ public class AAF_CM extends AbsService<AuthzEnv, AuthzTrans> {
                             CA ca = cons.newInstance(pinst);
                             certAuths.put(ca.getName(),ca);
                         } catch (InvocationTargetException e) {
-                            access.log(e, "Loading", segs[0]);
+                        	if(e.getLocalizedMessage()==null) {
+                        		access.log((Exception)e.getTargetException(), "Loading", segs[0]);
+                        	} else {
+                        		access.log(e, "Loading", segs[0]);
+                        	}
                         }
                     }
                 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
index 13876b14..275ad549 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
@@ -30,6 +30,7 @@ import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 import org.bouncycastle.asn1.x500.style.BCStyle;
 import org.onap.aaf.auth.cm.cert.CSRMeta;
@@ -42,6 +43,10 @@ import org.onap.aaf.misc.env.Trans;
 import org.onap.aaf.misc.env.util.Split;
 
 public abstract class CA {
+    public static final Pattern IPV4_PATTERN = Pattern.compile("\\A(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z");
+    public static final Pattern IPV6_PATTERN = Pattern.compile("\\A(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\\z");
+    
+
     private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for ";
     //TODO figuring out what is an Issuing CA is a matter of convention.  Consider SubClassing for Open Source
     public static final String ISSUING_CA = "Issuing CA";
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
index c2d6701a..f7de90ea 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
@@ -72,7 +72,6 @@ import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.env.Trans;
 
 public class LocalCA extends CA {
-
     private final static BigInteger ONE = new BigInteger("1");
     // Extensions
     private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] {
@@ -226,8 +225,14 @@ public class LocalCA extends CA {
 //                    new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded()))
                     );
             List<GeneralName> lsan = new ArrayList<>();
+            // Email
+            lsan.add(new GeneralName(GeneralName.rfc822Name,csrmeta.email()));
             for (String s : csrmeta.sans()) {
-                lsan.add(new GeneralName(GeneralName.dNSName,s));
+        		if(IPV4_PATTERN.matcher(s).matches() || IPV6_PATTERN.matcher(s).matches()) {
+            		lsan.add(new GeneralName(GeneralName.iPAddress,s));
+        		} else {            	
+        			lsan.add(new GeneralName(GeneralName.dNSName,s));
+        		}
             }
             GeneralName[] sans = new GeneralName[lsan.size()];
             lsan.toArray(sans);
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
index 04ba0b89..e0ee0365 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
@@ -75,7 +75,8 @@ public class CSRMeta {
         if (name==null) {
             X500NameBuilder xnb = new X500NameBuilder();
             xnb.addRDN(BCStyle.CN,cn);
-            xnb.addRDN(BCStyle.E,email);
+            // Add as Subject Alternate Name, email
+            // xnb.addRDN(BCStyle.E,email);
             if (mechID!=null) {
                 if (environment==null) {
                     xnb.addRDN(BCStyle.OU,mechID);
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 3130e5b2..900df8a7 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -93,6 +93,8 @@ public class CMService {
 
     private static final String[] NO_NOTES = new String[0];
     private final Permission root_read_permission;
+	private final String aaf_ns;
+
     private final CertDAO certDAO;
     private final CredDAO credDAO;
     private final ArtiDAO artiDAO;
@@ -114,8 +116,9 @@ public class CMService {
 
         this.certManager = certman;
 
+        aaf_ns = trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF);
         root_read_permission=new AAFPermission(
-                trans.getProperty(Config.AAF_ROOT_NS, Config.AAF_ROOT_NS_DEF),
+                aaf_ns,
                 ACCESS,
                 "*",
                 "read"
@@ -149,11 +152,15 @@ public class CMService {
 
             List<String> notes = null;
             List<String> fqdns;
+            boolean dynamic_sans = trans.fish(new AAFPermission(null, ca.getPermType(), ca.getName(),DYNAMIC_SANS));
+            boolean ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
             boolean domain_based = false;
-            boolean dynamic_sans = false;
 
+            // Note: Many Cert Impls require FQDN in "CN=" to be in the SANS as well.  Therefore, the "fqdn" variable
+            // includes main ID plus ADDITIONAL SANS at all times.
             if(req.value.fqdns.isEmpty()) {
                 fqdns = new ArrayList<>();
+                fqdns.add(key);
             } else {
                 // Only Template or Dynamic permitted to pass in FQDNs
                 if (req.value.fqdns.get(0).startsWith("*")) { // Domain set
@@ -163,13 +170,6 @@ public class CMService {
                         return Result.err(Result.ERR_Denied,
                               "Domain based Authorizations (" + req.value.fqdns.get(0) + ") requires Exception");
                     }
-                } else {
-                    if(trans.fish(new AAFPermission(null, ca.getPermType(), ca.getName(),DYNAMIC_SANS))) {
-                        dynamic_sans = true;
-                    } else {
-                        return Result.err(Result.ERR_Denied,
-                            "Dynamic SANs for (" + req.value.mechid + ") requires Permission");
-                    }
                 }
                 fqdns = new ArrayList<>(req.value.fqdns);
             }
@@ -178,15 +178,6 @@ public class CMService {
 
             try {
                 Organization org = trans.org();
-
-                boolean ignoreIPs;
-                if(allowIgnoreIPs) {
-                    ignoreIPs = trans.fish(new AAFPermission(mechNS,CERTMAN, ca.getName(), IGNORE_IPS));
-                } else {
-                    ignoreIPs = false;
-                }
-
-
                 InetAddress primary = null;
                 // Organize incoming information to get to appropriate Artifact
                 if (!fqdns.isEmpty()) { // Passed in FQDNS, validated above
@@ -220,7 +211,8 @@ public class CMService {
                                     Set<String> potentialSanNames = new HashSet<>();
                                     for (InetAddress ia1 : ias) {
                                         InetAddress ia2 = InetAddress.getByAddress(ia1.getAddress());
-                                        if (primary == null && ias.length == 1 && trans.ip().equals(ia1.getHostAddress())) {
+                                        String ip = trans.ip();
+                                        if (primary == null && ip.equals(ia1.getHostAddress())) {
                                             primary = ia1;
                                         } else if (!cn.equals(ia1.getHostName())
                                                 && !ia2.getHostName().equals(ia2.getHostAddress())) {
@@ -296,16 +288,16 @@ public class CMService {
 
                 // Policy 3: MechID must be current
                 Identity muser = org.getIdentity(trans, add.mechid);
-                if (muser == null) {
-                    return Result.err(Result.ERR_Policy, "MechID must exist in %s", org.getName());
+                if (muser == null || !muser.isFound()) {
+                    return Result.err(Result.ERR_Policy, "AppID '%s' must exist in %s",add.mechid,org.getName());
                 }
 
                 // Policy 4: Sponsor must be current
                 Identity ouser = muser.responsibleTo();
-                if (ouser == null) {
+                if (ouser == null || !ouser.isFound()) {
                     return Result.err(Result.ERR_Policy, "%s does not have a current sponsor at %s", add.mechid,
                             org.getName());
-                } else if (!ouser.isFound() || ouser.mayOwn() != null) {
+                } else if (ouser.mayOwn() != null) {
                     return Result.err(Result.ERR_Policy, "%s reports that %s cannot be responsible for %s",
                             org.getName(), trans.user());
                 }
@@ -327,7 +319,18 @@ public class CMService {
                             trans.user(), mechNS);
                 }
 
+                // Policy 8: IP Addresses allowed in Certs only by Permission
+                if(!trans.fish(new AAFPermission(aaf_ns,CERTMAN, ca.getName(), "ip"))) {
+                	for(String fqdn : fqdns) {
+                    	if(CA.IPV4_PATTERN.matcher(fqdn).matches() || CA.IPV6_PATTERN.matcher(fqdn).matches()) {
+                            return Result.err(Status.ERR_Denied,
+                                    "Machines include a IP Address.  IP Addresses are not allowed except by Permission");
+                    	}
+                	}
+                }
+
                 // Make sure Primary is the first in fqdns
+
                 if (fqdns.size() > 1) {
                     for (int i = 0; i < fqdns.size(); ++i) {
                         if (primary==null && !ignoreIPs) {
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/LocalCAImpl.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/LocalCAImpl.java
similarity index 100%
rename from auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/LocalCAImpl.java
rename to auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/LocalCAImpl.java
diff --git a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
index f1576c4f..eaa44830 100644
--- a/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
+++ b/auth/auth-deforg/src/main/java/org/onap/aaf/org/DefaultOrgIdentity.java
@@ -120,10 +120,14 @@ public class DefaultOrgIdentity implements Identity {
 
     @Override
     public Identity responsibleTo() throws OrganizationException {
-        if ("".equals(identity.responsibleTo) && isFound()) { // cover the situation of Top Dog... reports to no-one.
-            return this;
+    	if(isFound()) {
+	        if ("".equals(identity.responsibleTo)) { // cover the situation of Top Dog... reports to no-one.
+	            return this;
+	        } else {
+	            return org.getIdentity(trans, identity.responsibleTo);
+	        }
         } else {
-            return org.getIdentity(trans, identity.responsibleTo);
+        	throw new OrganizationException("Identity doesn't exist");
         }
     }
 
diff --git a/auth/docker/Dockerfile.base b/auth/docker/Dockerfile.base
index 4874f1aa..4ba4dfab 100644
--- a/auth/docker/Dockerfile.base
+++ b/auth/docker/Dockerfile.base
@@ -18,7 +18,8 @@
 #  ============LICENSE_END====================================================
 #
 # Use dbuild.sh input parameter to set registry
-FROM ${REGISTRY}/openjdk:8-jre-alpine
+#FROM ${REGISTRY}/openjdk:11.0.5-jre-slim
+FROM ${REGISTRY}/openjdk:8-jdk-alpine
 #FROM openjdk:12-jdk-alpine
 #FROM openjdk:13-jdk-alpine
 
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java
index 06e2c62d..a6b7da80 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java
@@ -237,7 +237,7 @@ public abstract class AbsAAFLocator<TRANS extends Trans> implements Locator<URI>
     public Item best() throws LocatorException {
         if (!hasItems()) {
             throw new LocatorException(String.format("No Entries found for '%s/%s:%s'",
-                    (aaf_locator_uri==null?aaf_locator_host:aaf_locator_uri.toString()),
+                    (aaf_locator_uri==null?(aaf_locator_host+"/locate"):aaf_locator_uri.toString()),
                     name,
                     version));
         }
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
index 48109e47..74f0916d 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
@@ -28,7 +28,6 @@ import java.io.IOException;
 import java.net.ConnectException;
 import java.net.HttpURLConnection;
 import java.net.InetAddress;
-import java.net.URISyntaxException;
 import java.net.UnknownHostException;
 import java.nio.file.Files;
 import java.security.KeyPair;
@@ -251,7 +250,7 @@ public class Agent {
                         System.out.println("   update       <FQI> [<machine>]");
                         System.out.println("   delete       <FQI> [<machine>]");
                         System.out.println("   copy         <FQI> <machine> <newmachine>[,<newmachine>]*");
-                        System.out.println("   place        <FQI> [<machine>]");
+                        System.out.println("   place        <FQI> [<machine>[,<san>]*");
                         System.out.println("   showpass     <FQI> [<machine>]");
                         System.out.println("   check        <FQI> [<machine>]");
                         System.out.println("   keypairgen   <FQI>");
@@ -712,6 +711,7 @@ public class Agent {
             machine = fqdns[1];
         } else {
             key = machine;
+            fqdns = machines(cmds);
         }
 
         TimeTaken tt = trans.start("Place Artifact", Env.REMOTE);
@@ -728,8 +728,11 @@ public class Agent {
                             CertificateRequest cr = new CertificateRequest();
                             cr.setMechid(a.getMechid());
                             cr.setSponsor(a.getSponsor());
+                            cr.getFqdns().add(machine);
                             for (int i=0;i<fqdns.length;++i) {
-                                cr.getFqdns().add(fqdns[i]);
+                            	if(!machine.equals(fqdns[i])) {
+                            		cr.getFqdns().add(fqdns[i]);
+                            	}
                             }
                             Future<String> f = aafcon.client(CM_VER)
                                     .updateRespondString("/cert/" + a.getCa()+"?withTrust",reqDF, cr);
diff --git a/pom.xml b/pom.xml
index a7530708..f1846665 100644
--- a/pom.xml
+++ b/pom.xml
@@ -29,12 +29,12 @@
     <parent>
         <groupId>org.onap.oparent</groupId>
         <artifactId>oparent</artifactId>
-        <!-- Official Released Version
         <version>2.1.0</version>
+        <!-- Official Released Version
 
         Frankfurt working Version
-    -->
         <version>3.0.0-SNAPSHOT</version>
+    -->
     </parent>
 
     <properties>