From ba989d05eca8d2a98c51ed9d38c4c3345db23349 Mon Sep 17 00:00:00 2001 From: Instrumental Date: Wed, 26 Jun 2019 07:05:51 -0500 Subject: [PATCH] Changes from Onsite Tests Issue-ID: AAF-857 Change-Id: I3fbed32ff5b2bb8f05f4f932c8dc2f4012c8b429 Signed-off-by: Instrumental --- .../java/org/onap/aaf/auth/dao/cass/RoleDAO.java | 35 +++++++++++------ .../java/org/onap/aaf/auth/dao/hl/Question.java | 43 +++++++++++++-------- .../src/main/java/org/onap/aaf/auth/cm/ca/CA.java | 8 ++++ .../org/onap/aaf/auth/cm/service/CMService.java | 1 + .../main/java/org/onap/aaf/auth/cache/Cache.java | 3 +- .../org/onap/aaf/auth/rserv/CachingFileAccess.java | 6 +++ .../org/onap/aaf/auth/validation/Validator.java | 35 +++++++++++++++++ .../src/main/java/org/onap/aaf/auth/gui/Page.java | 2 +- .../java/org/onap/aaf/auth/gui/pages/ApiDocs.java | 3 +- .../org/onap/aaf/auth/gui/pages/PermDetail.java | 2 +- .../org/onap/aaf/auth/gui/pages/RoleDetail.java | 6 ++- .../aaf/auth/service/AuthzCassServiceImpl.java | 45 +++++++++++++++------- .../auth/service/validation/ServiceValidator.java | 12 +++++- .../org/onap/aaf/cadi/aaf/TestConnectivity.java | 2 +- .../java/org/onap/aaf/cadi/configure/Agent.java | 9 +++-- .../main/java/org/onap/aaf/cadi/PropAccess.java | 8 +++- .../main/java/org/onap/aaf/cadi/config/Config.java | 2 +- 17 files changed, 167 insertions(+), 55 deletions(-) diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java index e31e1e6a..a5fa7a77 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/cass/RoleDAO.java @@ -110,6 +110,7 @@ public class RoleDAO extends CassDAOImpl { if(ns==null) { sb.append('.'); } else { + sb.append(ns); sb.append(ns.indexOf('@')<0?'.':':'); } sb.append(name); 
@@ -129,19 +130,29 @@ public class RoleDAO extends CassDAOImpl { * @return */ public static Result decode(AuthzTrans trans, Question q, String r) { - String[] ss = Split.splitTrim('|', r,2); Data data = new Data(); - if (ss[1]==null) { // older 1 part encoding must be evaluated for NS - Result nss = q.deriveNsSplit(trans, ss[0]); - if (nss.notOK()) { - return Result.err(nss); - } - data.ns=nss.value.ns; - data.name=nss.value.name; - } else { // new 4 part encoding - data.ns=ss[0]; - data.name=ss[1]; - } + if(r.indexOf('@')>=0) { + int colon = r.indexOf(':'); + if(colon<0) { + return Result.err(Result.ERR_BadData, "%s is not a valid Role",r); + } else { + data.ns=r.substring(0, colon); + data.name=r.substring(++colon); + } + } else { + String[] ss = Split.splitTrim('|', r,2); + if (ss[1]==null) { // older 1 part encoding must be evaluated for NS + Result nss = q.deriveNsSplit(trans, ss[0]); + if (nss.notOK()) { + return Result.err(nss); + } + data.ns=nss.value.ns; + data.name=nss.value.name; + } else { // new 4 part encoding + data.ns=ss[0]; + data.name=ss[1]; + } + } return Result.ok(data); } diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java index d40c2ea0..ae6f371b 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/dao/hl/Question.java 
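Review bot: In the new `'@'` branch of `decode`, a value that ends in `':'` (e.g. `alice@x.com:`) passes the `colon<0` check and yields an empty `data.name`, and `r.substring(++colon)` mutates the index for no reason; `getPermsByName` in this same commit writes the equivalent as `colon+1`. I would make the guard `if(colon<0 || colon==r.length()-1) { return Result.err(Result.ERR_BadData, "%s is not a valid Role",r); }` and read the name with `data.name=r.substring(colon+1);`. Note also that because the `'@'` test runs before the `'|'` split, a role stored in the older `ns|name` form whose namespace contains `'@'` now fails with ERR_BadData rather than decoding; if such values can exist in the store, the `'|'` check should come first.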
@@ -325,13 +325,22 @@ public class Question { return permDAO.readByType(trans, nss.value.ns, nss.value.name); } - public Result> getPermsByName(AuthzTrans trans, - String type, String instance, String action) { - Result nss = deriveNsSplit(trans, type); - if (nss.notOK()) { - return Result.err(nss); - } - return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action); + public Result> getPermsByName(AuthzTrans trans, String type, String instance, String action) { + if(type.indexOf('@') >= 0) { + int colon = type.indexOf(':'); + if(colon>=0) { + return permDAO.read(trans, type.substring(0, colon),type.substring(colon+1), instance,action); + } else { + return Result.err(Result.ERR_BadData, "%s is malformed",type); + } + } else { + Result nss = deriveNsSplit(trans, type); + if (nss.notOK()) { + return Result.err(nss); + } + + return permDAO.read(trans, nss.value.ns, nss.value.name, instance,action); + } } public Result> getPermsByRole(AuthzTrans trans, String role, boolean lookup) { @@ -377,8 +386,14 @@ public class Question { return Result.ok(perms); } - public Result> getRolesByName(AuthzTrans trans, - String role) { + public Result> getRolesByName(AuthzTrans trans, String role) { + if(role.startsWith(trans.user()) ) { + if(role.endsWith(":user")) { + return roleDAO.read(trans,trans.user(), "user"); + } else { + return Result.err(Result.ERR_BadData,"%s is a badly formatted role",role); + } + } Result nss = deriveNsSplit(trans, role); if (nss.notOK()) { return Result.err(nss); @@ -415,12 +430,7 @@ public class Question { if (r.isOKhasData()) { return Result.ok(r.value.get(0)); } else { - int dot; - if (child==null) { - return Result.err(Status.ERR_NsNotFound, "No Namespace"); - } else { - dot = child.lastIndexOf('.'); - } + int dot = child.lastIndexOf('.'); if (dot < 0) { return Result.err(Status.ERR_NsNotFound, "No Namespace for [%s]", child); } else { 
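Review bot: `role.startsWith(trans.user())` in `getRolesByName` is a prefix test, so any role that merely begins with the caller's id (`alice@x.com2:user`, `alice@x.comX:user`) is treated as the caller's personal role and answered with `roleDAO.read(trans,trans.user(), "user")`, which is a different role than the one asked for. The personal role has exactly one valid spelling, so compare against it: `if(role.startsWith(trans.user()+':')) { if(role.equals(trans.user()+":user")) { return roleDAO.read(trans,trans.user(), "user"); } else { return Result.err(Result.ERR_BadData,"%s is a badly formatted role",role); } }`. The same prefix idiom appears in several other hunks of this patch; a small shared helper (e.g. `isPersonalRole(user, role)`) would keep them consistent.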
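Review bot: Removing the `child==null` branch leaves `int dot = child.lastIndexOf('.');` to throw NullPointerException whenever `child` is null, where the old code returned `Status.ERR_NsNotFound`. The enclosing method starts outside this hunk, so the caller may now guarantee non-null, but nothing in the visible lines establishes that; either keep `if (child==null) { return Result.err(Status.ERR_NsNotFound, "No Namespace"); }` before the `lastIndexOf`, or document the non-null precondition on the method.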
@@ -561,6 +571,9 @@ public class Question { } public Result mayUser(AuthzTrans trans, String user, RoleDAO.Data rdd, Access access) { + if(trans.user().equals(rdd.ns)) { + return Result.ok((NsDAO.Data)null); + } Result rnsd = deriveNs(trans, rdd.ns); if (rnsd.isOK()) { return mayUser(trans, user, rnsd.value, rdd, access); diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java index 881c9bea..10da10d9 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java @@ -47,6 +47,7 @@ public abstract class CA { public static final String ISSUING_CA = "Issuing CA"; public static final String CM_CA_PREFIX = "cm_ca."; public static final String CM_CA_BASE_SUBJECT = ".baseSubject"; + public static final String CM_CA_ENV_TAG = ".env_tag"; protected static final String CM_PUBLIC_DIR = "cm_public_dir"; private static final String CM_TRUST_CAS = "cm_trust_cas"; protected static final String CM_BACKUP_CAS = "cm_backup_cas"; @@ -63,12 +64,15 @@ public abstract class CA { private String[] trustedCAs; private String[] caIssuerDNs; private List rdns; + private final boolean env_tag; protected CA(Access access, String caName, String env) throws IOException, CertException { trustedCAs = new String[4]; // starting array this.name = caName; this.env = env; + this.env_tag = env==null || env.isEmpty()?false: + Boolean.parseBoolean(access.getProperty(CM_CA_ENV_TAG, Boolean.FALSE.toString())); permNS = CM_CA_PREFIX + name; permType = access.getProperty(permNS + ".perm_type",null); if (permType==null) { @@ -189,6 +193,10 @@ public abstract class CA { return trustedCAs; } + public boolean shouldAddEnvTag() { + return env_tag; + } + public String getEnv() { return env; } 
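Review bot: The new short-circuit in `mayUser(trans, user, rdd, access)` compares `rdd.ns` with `trans.user()` even though the method is parameterized by `user` and passes `user` (not `trans.user()`) to the nested `mayUser` on the next line; if a caller ever asks about a user other than the caller, the grant is decided on the wrong identity. It also returns OK for every `Access` level (read, write, delete) and with a null `NsDAO.Data`, which callers that dereference `.value` would not expect. I would at least write `if(user.equals(rdd.ns)) { return Result.ok((NsDAO.Data)null); }` and add a comment that the personal namespace `<user-id>` is fully self-administered, with the caller-side null handling checked.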
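Review bot: `access.getProperty(CM_CA_ENV_TAG, ...)` in the `CA` constructor looks up the literal property name `.env_tag`, while the neighbouring per-CA settings are built as `permNS + ".perm_type"` and `CM_CA_BASE_SUBJECT` is likewise a bare suffix; unless a global `.env_tag` key is intended, this flag can never be set per CA and always reads the default `false`. I would key it on the CA name, e.g. `this.env_tag = (env==null || env.isEmpty()) ? false : Boolean.parseBoolean(access.getProperty(CM_CA_PREFIX + caName + CM_CA_ENV_TAG, Boolean.FALSE.toString()));`, and add `// env_tag: whether the environment name is stamped into the certificate subject for this CA` above the field. The constructor continues outside the hunk.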
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java index 1f2ee645..1f2b0880 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java @@ -297,6 +297,7 @@ public class CMService { CSRMeta csrMeta; try { csrMeta = BCFactory.createCSRMeta(ca, req.value.mechid, email, fqdns); + csrMeta.environment(ca.getEnv()); X509andChain x509ac = ca.sign(trans, csrMeta); if (x509ac == null) { return Result.err(Result.ERR_ActionNotCompleted, "x509 Certificate not signed by CA"); diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java index 9393e143..6a8ccf1e 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/cache/Cache.java @@ -31,7 +31,6 @@ import java.util.Set; import java.util.Timer; import java.util.TimerTask; import java.util.concurrent.ConcurrentHashMap; -import java.util.logging.Level; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.Trans; @@ -153,7 +152,7 @@ public class Cache { } if (count>0) { - env.info().log(Level.INFO, "Cache removed",count,"expired Cached Elements out of", total); + env.debug().log("Cache removed",count,"expired Cached Elements out of", total); } // If High (total) is reached during this period, increase the number of expired services removed for next time. diff --git a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java index a269f24b..37f3b088 100644 --- a/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java +++ b/auth/auth-core/src/main/java/org/onap/aaf/auth/rserv/CachingFileAccess.java 
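Review bot: `csrMeta.environment(ca.getEnv());` stamps the environment into every CSR unconditionally, yet the same patch introduces `CA.shouldAddEnvTag()` as an opt-in flag that nothing visible here consults. If the flag is meant to control the subject, gate the call: `if (ca.shouldAddEnvTag()) { csrMeta.environment(ca.getEnv()); }`; if `CSRMeta`/`BCFactory` check the flag internally instead, a one-line comment saying so would prevent the next reader from asking the same question. The enclosing method starts and ends outside this hunk.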
@@ -131,6 +131,12 @@ public class CachingFileAccess extends HttpCode cache, final HTMLGen hgen) { final String pRole = trans.get(sRoleName, null); Validator v = new Validator(); - v.role(pRole); + if(!v.isNull("Role",pRole).err()) { + if(!pRole.startsWith(trans.user())) { + v.role(pRole); + } + } if (v.err()) { trans.warn().printf("Error in PermDetail Request: %s", v.errs()); return; diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java index 1d201f9a..8fc2ad52 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java @@ -826,7 +826,7 @@ public class AuthzCassServiceImpl rpdd = permDAO.create(trans, pdd); if(rpdd.notOK()) { return Result.err(rpdd); @@ -3087,7 +3087,7 @@ public class AuthzCassServiceImpl nsd; @Override public Result mayChange() { + if(urr.value.role.startsWith(urr.value.user)) { + return Result.ok((NsDAO.Data)null); + } if (nsd==null) { RoleDAO.Data r = RoleDAO.Data.decode(userRole); nsd = ques.mayUser(trans, trans.user(), r, Access.write); @@ -3110,15 +3113,24 @@ public class AuthzCassServiceImpl nsr = ques.deriveNs(trans, userRole.role); - if (nsr.notOKorIsEmpty()) { - return Result.err(nsr); + + NsDAO.Data ndd; + if(userRole.role.startsWith(userRole.user)) { + userRole.ns=userRole.user; + userRole.rname="user"; + ndd = null; + } else { + Result nsr = ques.deriveNs(trans, userRole.role); + if (nsr.notOK()) { + return Result.err(nsr); + } + ndd = nsr.value; } switch(fd.status) { case OK: Result rfc = func.createFuture(trans, fd.value, userRole.user+'|'+userRole.ns + '.' + userRole.rname, - userRole.user, nsr.value, FUTURE_OP.C); + userRole.user, ndd, FUTURE_OP.C); if (rfc.isOK()) { return Result.err(Status.ACC_Future, "UserRole [%s - %s.%s] is saved for future processing", userRole.user, 
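Review bot: In `RoleDetail`, `v.role(pRole)` is skipped entirely whenever the request parameter merely starts with the caller's id, so a value such as `alice@x.com:<anything>` reaches the rest of the page with no format validation at all; the point of the `Validator` is that request input is checked before use, and a prefix match is not a check of the remainder. The `ServiceValidator` hunk in this same patch calls a two-argument `role(user, role)` on `Validator` (its definition is not in view); RoleDetail should use that rather than bypassing validation: `if(!v.isNull("Role",pRole).err()) { v.role(trans.user(), pRole); }`. If no such overload exists, validate the personal form explicitly by requiring `pRole.equals(trans.user()+":user")` before skipping `v.role(pRole)`. The enclosing method starts outside this hunk.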
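Review bot: The added short-circuit in `mayChange()` decides solely from the target record — `urr.value.role.startsWith(urr.value.user)` — and never consults `trans.user()`, so any authenticated caller passes it for a UserRole whose role is prefixed with the *target* user's id, where the old path went through `ques.mayUser(trans, trans.user(), ...)`. Unless an outer check already restricts these operations to the caller's own records (not visible here), this should be `if(trans.user().equals(urr.value.user) && urr.value.role.equals(urr.value.user+":user")) { return Result.ok((NsDAO.Data)null); }`. The surrounding method is only partially visible in this hunk.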
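Review bot: In `createUserRole`, a role that starts with `userRole.user` has its `rname` forced to `"user"` no matter what follows the prefix, so `bob@x.com:admin` or `bob@x.com-other:x` is silently rewritten into `bob@x.com`/`user` instead of being rejected, and nothing here ties `userRole.user` to `trans.user()`. I would reject anything but the one valid spelling: `if(userRole.role.startsWith(userRole.user+':')) { if(!userRole.role.equals(userRole.user+":user")) { return Result.err(Result.ERR_BadData,"%s is a badly formatted role",userRole.role); } userRole.ns=userRole.user; userRole.rname="user"; ndd = null; }`. Also note the future key on the unchanged line below joins `userRole.ns + '.' + userRole.rname`, whereas `RoleDAO` encoding in this patch uses `':'` when the namespace contains `'@'`; personal roles will therefore be keyed differently in the future table than in the role table, which is worth a comment or a shared encoder. The enclosing method continues outside the hunk.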
@@ -3658,16 +3670,21 @@ public class AuthzCassServiceImpl rnd = ques.deriveNs(trans,type); - if (rnd.notOK()) { - return Result.err(rnd); + Result> resp; + if(type.startsWith(trans.user())) { + resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); + } else { + Result rnd = ques.deriveNs(trans,type); + if (rnd.notOK()) { + return Result.err(rnd); + } + rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read); + if (rnd.notOK()) { + return Result.err(rnd); + } + resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); } - rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read); - if (rnd.notOK()) { - return Result.err(rnd); - } - Result> resp = ques.historyDAO().readBySubject(trans, type, "perm", yyyymm); if (resp.notOK()) { return Result.err(resp); } diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java index fb7556ed..df8bde8b 100644 --- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java +++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/validation/ServiceValidator.java @@ -86,7 +86,7 @@ public class ServiceValidator extends Validator { } return this; } - + public ServiceValidator role(RoleDAO.Data pd) { if (pd==null) { msg("Role Data is null."); @@ -219,6 +219,16 @@ public class ServiceValidator extends Validator { return this; } + public ServiceValidator user_role(String user, UserRoleDAO.Data urdd) { + role(user,urdd.role); + if(!urdd.role.startsWith(user)) { + nullOrBlank("UserRole.ns",urdd.ns); + nullOrBlank("UserRole.rname",urdd.rname); + } + return this; + } + + public ServiceValidator user_role(UserRoleDAO.Data urdd) { if (urdd==null) { msg("UserRole is null"); 
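Review bot: The history read skips `ques.mayUser(..., Access.read)` whenever `type.startsWith(trans.user())`, which again is a prefix match rather than an ownership check; with user ids of the form `id@domain`, any subject beginning with the caller's id but belonging to a different namespace (e.g. `alice@x.com.foo`) would bypass the read authorization, even if today no such subject can be created. Tighten it to the personal namespace only: `if(type.startsWith(trans.user()+':')) {`, and add `// personal namespace <user-id>: readable by its owner without an NS permission check`. The enclosing method continues outside the hunk.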
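Review bot: The new `user_role(String user, UserRoleDAO.Data urdd)` dereferences `urdd.role` immediately, while the existing overload just below it guards `if (urdd==null) { msg("UserRole is null"); ... }`; a null `urdd` here throws NullPointerException out of the validator instead of recording a validation message. Add the same guard at the top: `if (urdd==null) { msg("UserRole is null"); return this; }`, and likewise guard `urdd.role==null` before `startsWith` (or rely on `role(user,urdd.role)` having already flagged it, in which case say so in a comment).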
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java index e5a0a28c..f02c17f8 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java @@ -76,7 +76,7 @@ public class TestConnectivity { List> lss = loadSetters(access,si); ///////// String directAAFURL = aaf_urls.get(Config.AAF_URL); - if(directAAFURL!=null && !directAAFURL.contains("/locate/")) { + if(directAAFURL!=null && !directAAFURL.contains("/locate/") || !directAAFURL.contains("AAF_LOCATE_URL")) { print(true,"Test Connections by non-located aaf_url"); Locator locator = new SingleEndpointLocator(directAAFURL); connectTest(locator,new URI(directAAFURL)); diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java index 4dd86fe0..49bab49c 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java @@ -86,7 +86,8 @@ import locate.v1_1.Configuration; import locate.v1_1.Configuration.Props; public class Agent { - private static final String HASHES = "################################################################"; + private static final String AGENT_LOAD_URLS = "Agent:loadURLs"; + private static final String HASHES = "################################################################"; private static final String PRINT = "print"; private static final String FILE = "file"; public static final String PKCS12 = "pkcs12"; 
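Review bot: The rewritten condition in `TestConnectivity` has a precedence bug: `&&` binds tighter than `||`, so it parses as `(directAAFURL!=null && !contains("/locate/")) || !directAAFURL.contains("AAF_LOCATE_URL")`, and when `directAAFURL` is null the right operand dereferences it and throws NullPointerException; when it is non-null the test also fires for any URL lacking the tag, including located ones. The intent reads as "direct URL that is neither a locate URL nor the placeholder", i.e. `if(directAAFURL!=null && !directAAFURL.contains("/locate/") && !directAAFURL.contains("AAF_LOCATE_URL")) {`. The enclosing method continues outside the hunk.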
@@ -311,7 +312,7 @@ public class Agent { String dot_le = access.getProperty(Config.AAF_LOCATOR_CONTAINER,null); dot_le=dot_le==null?"":'.'+dot_le; String version = access.getProperty(Config.AAF_API_VERSION,Config.AAF_DEFAULT_API_VERSION); - for(String u : new String[] {"aaf","locate","oauth","cm","gui","fs","hello","token","introspect"}) { + for(String u : new String[] {"locate","aaf","oauth","cm","gui","fs","hello","token","introspect"}) { String tag; String append=null; switch(u) { @@ -336,12 +337,14 @@ public class Agent { } else { lhost=Config.AAF_LOCATE_URL_TAG; } - value = rph.replacements("Agent:loadURLs", + value = rph.replacements(AGENT_LOAD_URLS, proto + lhost + "/%CNS.%AAF_NS." + ("aaf".equals(u)?"service":u) + ':' + version, null,dot_le); if(append!=null) { value+=append; } + } else { + value = rph.replacements(AGENT_LOAD_URLS, value,null,dot_le); } rv.put(tag, value); }; diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java b/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java index d6b8d56d..4737880e 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java @@ -42,7 +42,7 @@ import org.onap.aaf.cadi.util.Split; public class PropAccess implements Access { // Sonar says cannot be static... it's ok. not too many PropAccesses created. - private final SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ"); + private final static SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ"); public static final Level DEFAULT = Level.AUDIT; @@ -101,7 +101,7 @@ public class PropAccess implements Access { init(nprops); } - protected void init(Properties p) { + protected synchronized void init(Properties p) { // Make sure these two are set before any changes in Logging name = "cadi"; level=DEFAULT.maskOf(); 
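Review bot: Making `iso8601` a `static` `SimpleDateFormat` shares one non-thread-safe formatter across every `PropAccess` instance and every logging thread, and the comment left above it ("Sonar says cannot be static... it's ok. not too many PropAccesses created") now argues against the code it annotates. Concurrent `format` calls on a shared `SimpleDateFormat` corrupt output, so either keep it per instance, wrap it in a `ThreadLocal<SimpleDateFormat>`, or synchronize on it at the single call site in `buildMsg`; whichever is chosen, update the comment to state the thread-safety reasoning, e.g. `// shared across instances; SimpleDateFormat is not thread-safe, so callers format under synchronized(iso8601)`.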
@@ -262,6 +262,10 @@ public class PropAccess implements Access { return buildMsg(name,iso8601,level,elements); } + public static StringBuilder buildMsg(final String name, Level level, Object[] elements) { + return buildMsg(name,iso8601,level,elements); + } + public static StringBuilder buildMsg(final String name, final DateFormat sdf, Level level, Object[] elements) { final StringBuilder sb; int end = elements.length; diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java index 38afa629..f74f194b 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java @@ -878,7 +878,7 @@ public class Config { Method meth = lcls.getMethod("create",Access.class,String.class); locator = (Locator)meth.invoke(null,access,url); } catch (Exception e) { - access.log(Level.TRACE, "(Not fatal) Cannot load by create(String)", e); + access.log(Level.NONE, "(Not fatal) Cannot load by create(String)", e); } if (locator==null) { URI locatorURI = new URI(url); -- 2.16.6
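Review bot: The new static `buildMsg(name, level, elements)` overload hands the class-wide `iso8601` `SimpleDateFormat` to the formatting path, so concurrent logging threads now share a formatter that is not thread-safe, and garbled timestamps in audit lines are the likely symptom. If the static field is kept, format under a lock, e.g. `synchronized (iso8601) { return buildMsg(name,iso8601,level,elements); }`, or use `(DateFormat) iso8601.clone()` per call; either way add a Javadoc line stating the thread-safety contract of the static overload.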
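Review bot: Changing the locator-class failure from `Level.TRACE` to `Level.NONE` appears to suppress the message entirely rather than lower it; if `Level.NONE` is the "never log" level (as its name suggests — not visible here), a misconfigured or unloadable `Locator` class now fails silently and the code falls through to the URI path with no trace of why. Unless the message was shown to be noisy in normal operation, keep it at a diagnosable level, `access.log(Level.DEBUG, "(Not fatal) Cannot load by create(String)", e);`, or add `// intentionally silent: create(Access,String) is optional on Locator implementations` so the suppression is documented. The enclosing method continues outside the hunk.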