From ca76fbda94492f1b0c895ff0f4070381f17472f0 Mon Sep 17 00:00:00 2001
From: Instrumental <jonathan.gathman@att.com>
Date: Mon, 2 Jul 2018 21:41:55 -0500
Subject: [PATCH] Add ability for BAuth by domain

Issue-ID: AAF-361
Change-Id: I6f437ffcfef5555f44acfb32fd6020f86f8cf403
Signed-off-by: Instrumental <jonathan.gathman@att.com>
---
 .../onap/aaf/auth/direct/DirectCertIdentity.java   |  2 +-
 .../org/onap/aaf/auth/cm/service/CMService.java    | 29 ++++++++-----
 .../java/org/onap/aaf/auth/server/AbsService.java  |  1 +
 .../org/onap/aaf/auth/service/AAF_Service.java     |  6 +--
 .../aaf/auth/service/AuthzCassServiceImpl.java     |  1 -
 .../org/onap/aaf/auth/service/api/API_Creds.java   | 47 ++++++++++++++--------
 .../aaf/cadi/aaf/cert/AAFListedCertIdentity.java   |  2 +-
 .../main/java/org/onap/aaf/cadi/sso/AAFSSO.java    |  1 +
 .../main/java/org/onap/aaf/cadi/CredValDomain.java | 25 ++++++++++++
 .../main/java/org/onap/aaf/cadi/config/Config.java | 37 +++++++++++------
 .../onap/aaf/cadi/principal/BasicPrincipal.java    | 13 ++++--
 .../org/onap/aaf/cadi/principal/X509Principal.java | 19 +++++----
 .../org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java  | 45 ++++++++++++++++++---
 .../java/org/onap/aaf/cadi/taf/cert/X509Taf.java   | 21 ++++++++--
 .../aaf/cadi/principal/test/JU_X509Principal.java  | 10 ++---
 15 files changed, 189 insertions(+), 70 deletions(-)
 create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java

diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
index b5fcd690..2c0c054b 100644
--- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
+++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectCertIdentity.java
@@ -66,7 +66,7 @@ public class DirectCertIdentity implements CertIdentity {
 		Result<List<Data>> cresp = certDAO.read(trans, ByteBuffer.wrap(fingerprint));
 		if(cresp.isOKhasData()) {
 			Data cdata = cresp.value.get(0);
-			return new X509Principal(cdata.id,cert,certBytes);
+			return new X509Principal(cdata.id,cert,certBytes,null);
 		}
 		return null;
 	}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 8d39f540..ea65659a 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -426,17 +426,24 @@ public class CMService {
 				}
 				
 				// Policy 2: MechID must have valid Organization Owner
-				Identity ouser = muser.responsibleTo();
-				if(ouser == null) {
-					return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
-							trans.user(),add.mechid,trans.org().getName());
+				Identity emailUser;
+				if(muser.isPerson()) {
+					emailUser = muser;
+				} else {
+					Identity ouser = muser.responsibleTo();
+					if(ouser == null) {
+						return Result.err(Result.ERR_Denied,"%s is not a valid Sponsor for %s at %s",
+								trans.user(),add.mechid,trans.org().getName());
+					}
+
+					// Policy 3: Calling ID must be MechID Owner
+					if(!trans.user().equals(ouser.fullID())) {
+						return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
+								trans.user(),add.mechid,trans.org().getName());
+					}
+					emailUser = ouser;
 				}
 				
-				// Policy 3: Calling ID must be MechID Owner
-				if(!trans.user().equals(ouser.fullID())) {
-					return Result.err(Result.ERR_Denied,"%s is not the Sponsor for %s at %s",
-							trans.user(),add.mechid,trans.org().getName());
-				}
 
 				// Policy 4: Renewal Days are between 10 and 60 (constants, may be parameterized)
 				if(add.renewDays<MIN_RENEWAL) {
@@ -447,7 +454,7 @@ public class CMService {
 				
 				// Policy 5: If Notify is blank, set to Owner's Email
 				if(add.notify==null || add.notify.length()==0) {
-					add.notify = "mailto:"+ouser.email();
+					add.notify = "mailto:"+emailUser.email();
 				}
 				
 				// Policy 6: Only do Domain by Exception
@@ -462,7 +469,7 @@ public class CMService {
 				}
 
 				// Set Sponsor from Golden Source
-				add.sponsor = ouser.fullID();
+				add.sponsor = emailUser.fullID();
 				
 				
 			} catch (OrganizationException e) {
diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
index af6c88dc..0c28c7ca 100644
--- a/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
+++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/server/AbsService.java
@@ -186,4 +186,5 @@ public abstract class AbsService<ENV extends BasicEnv, TRANS extends Trans> exte
 		}
 		return def;
 	}
+
 }
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
index 3ae2fbfb..40640007 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AAF_Service.java
@@ -163,9 +163,9 @@ public class AAF_Service extends AbsService<AuthzEnv,AuthzTrans> {
 		try {
         	Object[] atl=new Object[additionalTafLurs.length+2];
         	atl[0]=new DirectAAFLur(env,question); // Note, this will be assigned by AuthzTransFilter to TrustChecker
-			atl[1]=new BasicHttpTaf(env, directAAFUserPass,
-				domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
-				false);
+			atl[1]= new BasicHttpTaf(env, directAAFUserPass,
+					domain,Long.parseLong(env.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)),
+					false);
 
 	        if(additionalTafLurs.length>0) {
 	        	System.arraycopy(additionalTafLurs, 0, atl, 2, additionalTafLurs.length);
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
index 519721ce..f3207798 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
@@ -532,7 +532,6 @@ public class AuthzCassServiceImpl	<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DELGS
 		NSS nss = mapper.newInstance(API.NSS);
 		// Note: "loadNamespace" already validates view of Namespace
 		return mapper.nss(trans, rn.value, nss);
-
 	}
 
 	@ApiDoc(
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
index d31c9d01..390c3089 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
@@ -42,9 +42,11 @@ import org.onap.aaf.auth.service.Code;
 import org.onap.aaf.auth.service.facade.AuthzFacade;
 import org.onap.aaf.auth.service.mapper.Mapper.API;
 import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.CredVal.Type;
 import org.onap.aaf.cadi.Symm;
 import org.onap.aaf.cadi.principal.BasicPrincipal;
 import org.onap.aaf.cadi.principal.X509Principal;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 
@@ -90,23 +92,36 @@ public class API_Creds {
 					// have to check Basic Auth here, because it might be CSP.
 					String authz = req.getHeader("Authorization");
 					if(authz.startsWith("Basic ")) {
-						String decoded = Symm.base64noSplit.decode(authz.substring(6));
-						int colon = decoded.indexOf(':');
-						TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
-						try {
-							if(directAAFUserPass.validate(
-									decoded.substring(0,colon), 
-									CredVal.Type.PASSWORD , 
-									decoded.substring(colon+1).getBytes(),trans)) {
-								
-								resp.setStatus(HttpStatus.OK_200);
-							} else {
-								// DME2 at this version crashes without some sort of response
-								resp.getOutputStream().print("");
-								resp.setStatus(HttpStatus.FORBIDDEN_403);
+						BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf(); 
+						if(bht!=null) {
+							BasicPrincipal bp = new BasicPrincipal(authz,"");
+							CredVal cv = bht.getCredVal(bp.getDomain());
+							if(cv!=null) {
+								if(cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) {
+									resp.setStatus(HttpStatus.OK_200);
+								} else {
+									resp.setStatus(HttpStatus.FORBIDDEN_403);
+								}
+							}
+						} else {
+							String decoded = Symm.base64noSplit.decode(authz.substring(6));
+							int colon = decoded.indexOf(':');
+							TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
+							try {
+								if(directAAFUserPass.validate(
+										decoded.substring(0,colon), 
+										CredVal.Type.PASSWORD , 
+										decoded.substring(colon+1).getBytes(),trans)) {
+									
+									resp.setStatus(HttpStatus.OK_200);
+								} else {
+									// DME2 at this version crashes without some sort of response
+									resp.getOutputStream().print("");
+									resp.setStatus(HttpStatus.FORBIDDEN_403);
+								}
+							} finally {
+								tt.done();
 							}
-						} finally {
-							tt.done();
 						}
 					}
 				} else if(p == null) {
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java
index e336042a..bc1f94d9 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java
@@ -93,7 +93,7 @@ public class AAFListedCertIdentity implements CertIdentity {
 		byte[] fingerprint = X509Taf.getFingerPrint(certBytes);
 		String id = certs.get(new ByteArrayHolder(fingerprint));
 		if(id!=null) { // Caller is Validated
-			return new X509Principal(id,cert,certBytes);
+			return new X509Principal(id,cert,certBytes,null);
 		}
 		return null;
 	}
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java
index c197be26..f2fb7057 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java
@@ -186,6 +186,7 @@ public class AAFSSO {
 				char[] password = cons.readPassword("Password for %s: ", appID);
 				String app_pass = access.encrypt(new String(password));
 				access.setProperty(Config.AAF_APPPASS,app_pass);
+				diskprops.setProperty(Config.AAF_APPPASS, app_pass);
 			}
 			
 			String keystore=access.getProperty(Config.CADI_KEYSTORE);
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java
new file mode 100644
index 00000000..e8a5c54b
--- /dev/null
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java
@@ -0,0 +1,25 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi;
+
+public interface CredValDomain extends CredVal {
+	public String domain();
+}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java
index 9a0a53cf..b74ccb36 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java
@@ -42,6 +42,7 @@ import org.onap.aaf.cadi.CachingLur;
 import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.Connector;
 import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.CredValDomain;
 import org.onap.aaf.cadi.Locator;
 import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.Lur;
@@ -111,13 +112,6 @@ public class Config {
 	public static final String CADI_OAUTH2_URL="cadi_oauth2_url";
 	public static final String CADI_TOKEN_DIR = "cadi_token_dir";
 
-	public static final String CSP_DOMAIN = "csp_domain";
-	public static final String CSP_HOSTNAME = "csp_hostname";
-	public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost";
-	public static final String CSP_USER_HEADER = "CSP_USER";
-	public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf";
-    public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file";
-    
     public static final String HTTPS_PROTOCOLS = "https.protocols";
     public static final String HTTPS_CIPHER_SUITES = "https.cipherSuites";
     public static final String HTTPS_CLIENT_PROTOCOLS="jdk.tls.client.protocols";
@@ -277,7 +271,7 @@ public class Config {
 		/////////////////////////////////////////////////////
 		// Configure Client Cert TAF
 		/////////////////////////////////////////////////////
-		
+		X509Taf x509TAF = null;
 		String truststore = logProp(access, CADI_TRUSTSTORE,null);
 		if(truststore!=null) {
 			String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD,null);
@@ -290,7 +284,7 @@ public class Config {
 					}
 				}
 				try {
-					htlist.add(new X509Taf(access,lur));
+					htlist.add(x509TAF=new X509Taf(access,lur));
 					access.log(Level.INIT,"Certificate Authorization enabled");
 				} catch (SecurityException e) {
 					access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
@@ -339,7 +333,16 @@ public class Config {
 						if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.",
 								" There will be no additional warning if Basic Auth is used on an insecure channel"
 								);
-						htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn));
+						BasicHttpTaf bht = new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn);
+						for(Object o : additionalTafLurs) {
+							if(o instanceof CredValDomain) {
+								bht.add((CredValDomain)o);
+							}
+						}
+						if(x509TAF!=null) {
+							x509TAF.add(bht);
+						}
+						htlist.add(bht);
 						access.log(Level.INIT,"Basic Authorization is enabled");
 					}
 				} else {
@@ -443,8 +446,18 @@ public class Config {
 		/////////////////////////////////////////////////////
 		if(additionalTafLurs!=null) {
 			for(Object additional : additionalTafLurs) {
-				if(additional instanceof HttpTaf) {
-					htlist.add((HttpTaf)additional);
+				if(additional instanceof BasicHttpTaf) {
+					BasicHttpTaf ht = (BasicHttpTaf)additional;
+					for(Object cv : additionalTafLurs) {
+						if(cv instanceof CredValDomain) {
+							ht.add((CredValDomain)cv);
+							access.printf(Level.INIT,"%s Authentication is enabled",cv);
+						}
+					}
+					htlist.add(ht);
+				} else if(additional instanceof HttpTaf) {
+					HttpTaf ht = (HttpTaf)additional;
+					htlist.add(ht);
 					access.printf(Level.INIT,"%s Authentication is enabled",additional.getClass().getSimpleName());
 				} else if(hasOAuthDirectTAF) {
 					Class<?> daupCls;
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
index 22ba702c..a235f1d4 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
@@ -36,11 +36,12 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred {
 
 	private String name = null;
 	private String shortName = null;
+	private String domain;
 	private byte[] cred = null;
-	
 	private long created;
 
-	public BasicPrincipal(String content,String domain) throws IOException {
+
+	public BasicPrincipal(String content,String defaultDomain) throws IOException {
 		created = System.currentTimeMillis();
 		ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes());
 		// Read past "Basic ", ensuring it starts with it.
@@ -61,13 +62,15 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred {
 			shortName=name.substring(0, at);
 		} else {
 			shortName = name;
-			name = name + '@' + domain;
+			domain=defaultDomain;
+			name = name + '@' + defaultDomain;
 		}
 	}
 	
 	public BasicPrincipal(BasicCred bc, String domain) {
 		name = bc.getUser();
 		cred = bc.getCred();
+		this.domain = domain;
 	}
 
 	private class BasicOS extends OutputStream {
@@ -102,6 +105,10 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred {
 		return shortName;
 	}
 	
+	public String getDomain() {
+		return domain;
+	}
+	
 	public byte[] getCred() {
 		return cred;
 	}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
index 16f62171..200b8174 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
@@ -26,31 +26,30 @@ import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.regex.Pattern;
 
-import org.onap.aaf.cadi.CadiException;
 import org.onap.aaf.cadi.GetCred;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
 
 public class X509Principal extends BearerPrincipal implements GetCred {
 	private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*");
 	private final X509Certificate cert;
 	private final String name;
-	private TagLookup tagLookup;
-	private byte[] content;  
+	private byte[] content;
+	private BasicHttpTaf bht;  
 
 	public X509Principal(String identity, X509Certificate cert) {
 		name = identity;
 		content = null;
 		this.cert = cert;
-		tagLookup = null;
 	}
 
-	public X509Principal(String identity, X509Certificate cert, byte[] content) {
+	public X509Principal(String identity, X509Certificate cert, byte[] content, BasicHttpTaf bht) {
 		name = identity;
 		this.content = content;
 		this.cert = cert;
-		tagLookup = null;
+		this.bht = bht;
 	}
 
-	public X509Principal(X509Certificate cert, byte[] content) throws IOException {
+	public X509Principal(X509Certificate cert, byte[] content, BasicHttpTaf bht) throws IOException {
 		this.content=content;
 		this.cert = cert;
 		String _name = null;
@@ -70,7 +69,7 @@ public class X509Principal extends BearerPrincipal implements GetCred {
 			throw new IOException("X509 does not have Identity as CN");
 		}
 		name = _name;
-		tagLookup = null;
+		this.bht = bht;
 	}
 	
 	public String getAsHeader() throws IOException {
@@ -106,4 +105,8 @@ public class X509Principal extends BearerPrincipal implements GetCred {
 		return "x509";
 	}
 
+	public BasicHttpTaf getBasicHttpTaf() {
+		return bht;
+	}
+
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
index 6d516f00..ac824d0a 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
@@ -23,18 +23,21 @@ package org.onap.aaf.cadi.taf.basic;
 
 import java.io.IOException;
 import java.security.Principal;
+import java.util.Map;
+import java.util.TreeMap;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.BasicCred;
 import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CredVal;
-import org.onap.aaf.cadi.Taf;
-import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.CachedPrincipal.Resp;
+import org.onap.aaf.cadi.CredVal;
 import org.onap.aaf.cadi.CredVal.Type;
+import org.onap.aaf.cadi.CredValDomain;
+import org.onap.aaf.cadi.Taf;
 import org.onap.aaf.cadi.principal.BasicPrincipal;
 import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
 import org.onap.aaf.cadi.taf.HttpTaf;
@@ -60,6 +63,7 @@ public class BasicHttpTaf implements HttpTaf {
 	private Access access;
 	private String realm;
 	private CredVal rbac;
+	private Map<String,CredVal> rbacs = new TreeMap<>();
 	private boolean warn;
 	private long timeToLive;
 	
@@ -71,6 +75,10 @@ public class BasicHttpTaf implements HttpTaf {
 		this.timeToLive = timeToLive;
 	}
 
+	public void add(final CredValDomain cvd) {
+		rbacs.put(cvd.domain(), cvd);
+	}
+	
 	/**
 	 * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.  
 	 * @see Taf
@@ -84,10 +92,16 @@ public class BasicHttpTaf implements HttpTaf {
 					return DenialOfServiceTaf.respDenyID(access,bc.getUser());
 				}
 				CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);
+				
+				// Be able to do Organizational specific lookups by Domain
+				CredVal cv = rbacs.get(bp.getDomain());
+				if(cv==null) {
+					cv = rbac;
+				}
+				
 				// ONLY FOR Last Ditch DEBUGGING... 
 				// access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));
-				
-				if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) {
+				if(cv.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) {
 					return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
 				} else {
 					//TODO may need timed retries in a given time period
@@ -107,10 +121,16 @@ public class BasicHttpTaf implements HttpTaf {
 				if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
 					return DenialOfServiceTaf.respDenyID(access,ba.getName());
 				}
+				
+				final int at = ba.getName().indexOf('@');
+				CredVal cv = rbacs.get(ba.getName().substring(at+1));
+				if(cv==null) { 
+					cv = rbac; // default
+				}
 
 				// ONLY FOR Last Ditch DEBUGGING... 
 				// access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));
-				if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) {
+				if(cv.validate(ba.getShortName(), Type.PASSWORD, ba.getCred(), req)) {
 					return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
 				} else {
 					//TODO may need timed retries in a given time period
@@ -146,7 +166,19 @@ public class BasicHttpTaf implements HttpTaf {
 		}
 		return sb.toString();
 	}
+	
+	public void addCredVal(final String realm, final CredVal cv) {
+		rbacs.put(realm, cv);
+	}
 
+	public CredVal getCredVal(String key) {
+		CredVal cv = rbacs.get(key);
+		if(cv==null) {
+			cv = rbac;
+		}
+		return cv;
+	}
+	
 	@Override
 	public Resp revalidate(CachedPrincipal prin, Object state) {
 		if(prin instanceof BasicPrincipal) {
@@ -162,4 +194,5 @@ public class BasicHttpTaf implements HttpTaf {
 	public String toString() {
 		return "Basic Auth enabled on realm: " + realm;
 	}
+
 }
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
index 66683dcd..dc07bb90 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
@@ -36,12 +36,13 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
 import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CredVal;
 import org.onap.aaf.cadi.Lur;
 import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
 import org.onap.aaf.cadi.Taf.LifeForm;
 import org.onap.aaf.cadi.config.Config;
 import org.onap.aaf.cadi.config.SecurityInfo;
@@ -51,6 +52,7 @@ import org.onap.aaf.cadi.principal.X509Principal;
 import org.onap.aaf.cadi.taf.HttpTaf;
 import org.onap.aaf.cadi.taf.TafResp;
 import org.onap.aaf.cadi.taf.TafResp.RESP;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
 import org.onap.aaf.cadi.util.Split;
 
 public class X509Taf implements HttpTaf {
@@ -65,6 +67,7 @@ public class X509Taf implements HttpTaf {
 	private ArrayList<String> cadiIssuers;
 	private String env;
 	private SecurityInfo si;
+	private BasicHttpTaf bht;
 
 	static {
 		try {
@@ -150,7 +153,7 @@ public class X509Taf implements HttpTaf {
 							String[] sa = Split.splitTrim(':', subject, temp+3,end);
 							if(sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment 
 								return new X509HttpTafResp(access, 
-										new X509Principal(sa[0], certarr[0],(byte[])null), 
+										new X509Principal(sa[0], certarr[0],(byte[])null,bht), 
 										"X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED);
 							}
 						}
@@ -259,4 +262,16 @@ public class X509Taf implements HttpTaf {
 		return null;
 	}
 
+	public void add(BasicHttpTaf bht) {
+		this.bht = bht;
+	}
+	
+	public CredVal getCredVal(final String key) {
+		if(bht==null) {
+			return null;
+		} else {
+			return bht.getCredVal(key);
+		}
+	}
+	
 }
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java
index e62dda4f..0857a870 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java
@@ -67,7 +67,7 @@ public class JU_X509Principal {
 
 	@Test
 	public void constructor2Test() throws IOException {
-		X509Principal x509 = new X509Principal(name, cert, cred);
+		X509Principal x509 = new X509Principal(name, cert, cred,null);
 		// Call twice to hit both branches
 		assertThat(x509.getAsHeader(), is("X509 " + cred));
 		assertThat(x509.toString(), is("X509 Authentication for " + name));
@@ -81,7 +81,7 @@ public class JU_X509Principal {
 		final String longName = "name@domain";
 		when(subject.getName()).thenReturn("OU=" + longName + ",extra");
 		when(cert.getSubjectDN()).thenReturn(subject);
-		X509Principal x509 = new X509Principal(cert, cred);
+		X509Principal x509 = new X509Principal(cert, cred,null);
 		// Call twice to hit both branches
 		assertThat(x509.getAsHeader(), is("X509 " + cred));
 		assertThat(x509.toString(), is("X509 Authentication for " + longName));
@@ -91,7 +91,7 @@ public class JU_X509Principal {
 		when(subject.getName()).thenReturn(longName + ",extra");
 		when(cert.getSubjectDN()).thenReturn(subject);
 		try {
-			x509 = new X509Principal(cert, cred);
+			x509 = new X509Principal(cert, cred, null);
 			fail("Should have thrown an Exception");
 		} catch(IOException e) {
 			assertThat(e.getMessage(), is("X509 does not have Identity as CN"));
@@ -100,7 +100,7 @@ public class JU_X509Principal {
 		when(subject.getName()).thenReturn("OU=" + longName);
 		when(cert.getSubjectDN()).thenReturn(subject);
 		try {
-			x509 = new X509Principal(cert, cred);
+			x509 = new X509Principal(cert, cred, null);
 			fail("Should have thrown an Exception");
 		} catch(IOException e) {
 			assertThat(e.getMessage(), is("X509 does not have Identity as CN"));
@@ -109,7 +109,7 @@ public class JU_X509Principal {
 		when(subject.getName()).thenReturn("OU=" + name + ",exta");
 		when(cert.getSubjectDN()).thenReturn(subject);
 		try {
-			x509 = new X509Principal(cert, cred);
+			x509 = new X509Principal(cert, cred, null);
 			fail("Should have thrown an Exception");
 		} catch(IOException e) {
 			assertThat(e.getMessage(), is("X509 does not have Identity as CN"));
-- 
2.16.6