From 87da9feacd0abb0d60b98cc00c4755121fc73bbb Mon Sep 17 00:00:00 2001
From: Instrumental
Date: Thu, 19 Jul 2018 16:44:02 -0500
Subject: [PATCH] add check and showpass
Issue-ID: AAF-378
Change-Id: If06c33ffd45eb61ab881cdb89f9689dae951f82c
Signed-off-by: Instrumental
---
 .../main/java/org/onap/aaf/auth/cm/ca/LocalCA.java | 2 +-
 auth/docker/.gitignore | 1 +
 auth/docker/aaf.props | 15 ++++++--------
 auth/docker/dbuild.sh | 1 -
 auth/sample/bin/client.sh | 9 +++++++-
 .../java/org/onap/aaf/cadi/aaf/AAFPermission.java | 22 +++++++++++++++++---
 .../org/onap/aaf/cadi/aaf/TestConnectivity.java | 2 +-
 .../org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java | 8 +-------
 .../java/org/onap/aaf/cadi/configure/Agent.java | 24 +++++++++++-----------
 .../cadi/configure/PlaceArtifactInKeystore.java | 5 ++---
 .../org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java | 3 ++-
 .../cadi/cm/test/JU_PlaceArtifactInKeystore.java | 23 +++++++++++++--------
 12 files changed, 67 insertions(+), 48 deletions(-)
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
index af2d2f6b..893e9f32 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
@@ -203,7 +203,7 @@ public class LocalCA extends CA {
 public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
 GregorianCalendar gc = new GregorianCalendar();
 Date start = gc.getTime();
- gc.add(GregorianCalendar.MONTH, 2);
+ gc.add(GregorianCalendar.MONTH, 6);
 Date end = gc.getTime();
 X509Certificate x509;
 TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB);
diff --git a/auth/docker/.gitignore b/auth/docker/.gitignore
index a03737d0..c058b043 100644
--- a/auth/docker/.gitignore
+++ b/auth/docker/.gitignore
@@ -1,2 +1,3 @@
 local
 d.props
+aaf.props
diff --git a/auth/docker/aaf.props b/auth/docker/aaf.props
index 8d18f55d..5c654806 100644
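Review bot: The certificate lifetime in `sign` is a bare literal, now `6` months, with nothing recording why the window was widened or what limit it reflects; since this value bounds how long a compromised key stays usable before expiry forces rotation, it deserves a named constant and a comment, e.g. `private static final int CERT_VALIDITY_MONTHS = 6; // AAF-378: widened from 2; keep in step with the rotation schedule` (constructed wording). Reading the value from configuration with 6 as the default would let a deployment shorten it without a rebuild. sign's body continues beyond the hunk.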
--- a/auth/docker/aaf.props +++ b/auth/docker/aaf.props @@ -1,14 +1,11 @@ -FQI=clamp@clamp.onap.org -VOLUME=clamp_aaf -LONGITUDE=-92 -FQDN=meriadoc.mithril.sbc.com VERSION=2.1.2-SNAPSHOT -DRIVER=local -LATITUDE=38 -FQDN_IP=192.168.99.100 AAF_FQDN=meriadoc.mithril.sbc.com -AAF_AAF_FQDN_IP=192.168.99.100 DEPLOY_FQI=deployer@people.osaaf.org -DEPLOY_PASSWORD=demo123456! APP_FQDN=meriadoc.mithril.sbc.com APP_FQI=clamp@clamp.onap.org +VOLUME=clamp_aaf +DRIVER=local +LATITUDE=38.432899 +LONGITUDE=-90.43248 +AAF_AAF_FQDN_IP=192.168.99.100 +DEPLOY_PASSWORD=demo123456! diff --git a/auth/docker/dbuild.sh b/auth/docker/dbuild.sh index 10ca9d95..da0b9b64 100755 --- a/auth/docker/dbuild.sh +++ b/auth/docker/dbuild.sh @@ -24,7 +24,6 @@ docker build -t ${ORG}/${PROJECT}/aaf_agent:${VERSION} sample # Clean up rm sample/Dockerfile sample/bin/aaf-cadi-aaf-${VERSION}-full.jar cd - - ######## # Second, build a core Docker Image echo Building aaf_$AAF_COMPONENT... diff --git a/auth/sample/bin/client.sh b/auth/sample/bin/client.sh index 2c736142..46c85be9 100644 --- a/auth/sample/bin/client.sh +++ b/auth/sample/bin/client.sh @@ -87,9 +87,16 @@ if [ ! "$CMD" = "" ]; then rsync -uh --exclude=.gitignore /opt/app/aaf_config/$D/* /opt/app/osaaf/$D done ;; + showpass) + echo "## Show Passwords" + $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar showpass ${APP_FQI} ${APP_FQDN} + ;; + check) + $JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar check ${APP_FQI} ${APP_FQDN} + ;; validate) echo "## validate requested" - $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate cadi_prop_files=/opt/app/osaaf/local/${NS}.props + $JAVA -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar validate /opt/app/osaaf/local/${NS}.props ;; bash) if [ ! -e ~/.bash_aliases ]; then 
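Review bot: `DEPLOY_PASSWORD` is still committed in this hunk, and the companion `.gitignore` hunk that adds `aaf.props` does not untrack it: an ignore rule has no effect on a file git already tracks, so the value stays in the repository and in its history. The file should be dropped from the index (`git rm --cached auth/docker/aaf.props`) with a sample file committed in its place, and a credential that has been committed should be treated as disclosed and rotated. Moving `DEPLOY_PASSWORD` to the end of the file next to the other per-deployment values looks like a step toward that; the index step is what is missing.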
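Review bot: The new `showpass` case passes no `-Dcadi_prop_files` while the sibling `check` case added just below it does, so which property file `showpass` resolves presumably depends on the jar's defaults rather than on `/opt/app/osaaf/local/${NS}.props`; making the two invocations symmetric avoids the guess, `$JAVA -Dcadi_prop_files=/opt/app/osaaf/local/${NS}.props -jar /opt/app/aaf_config/bin/aaf-cadi-aaf-*-full.jar showpass ${APP_FQI} ${APP_FQDN}`. Because this case writes passwords to stdout, and a container's stdout is normally captured by the docker log driver, a comment above the case stating that the output is sensitive and should not be run under log capture is worth adding. `${APP_FQI}` and `${APP_FQDN}` are unquoted, as elsewhere in this script, so an empty value silently drops the argument and shifts the ones after it.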
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java
index 6b69f790..c4ca8082 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java
@@ -50,7 +50,11 @@ public class AAFPermission implements Permission {
 type = name;
 this.instance = instance;
 this.action = action;
- key = ns + '|' + type + '|' + instance + '|' + action;
+ if(ns==null) {
+ key = type + '|' + instance + '|' + action;
+ } else {
+ key = ns + '|' + type + '|' + instance + '|' + action;
+ }
 this.roles = NO_ROLES;
 }
@@ -60,7 +64,11 @@ public class AAFPermission implements Permission {
 type = name;
 this.instance = instance;
 this.action = action;
- key = ns + '|' + type + '|' + instance + '|' + action;
+ if(ns==null) {
+ key = type + '|' + instance + '|' + action;
+ } else {
+ key = ns + '|' + type + '|' + instance + '|' + action;
+ }
 this.roles = roles==null?NO_ROLES:roles;
 }
@@ -117,7 +125,15 @@ public class AAFPermission implements Permission {
 }
 }
 boolean typeMatches;
- if(aafNS.length() == ns.length()) {
+ if(aafNS==null) {
+ if(ns==null) {
+ typeMatches = aafType.equals(type);
+ } else {
+ typeMatches = aafType.equals(ns+'.'+type);
+ }
+ } else if(ns==null) {
+ typeMatches = type.equals(aafNS+'.'+aafType);
+ } else if(aafNS.length() == ns.length()) {
 typeMatches = aafNS.equals(ns) && aafType.equals(type);
 } else { // Allow for restructuring of NS/Perm structure
 typeMatches = (aafNS+'.'+aafType).equals(ns+'.'+type);
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java
index 3e90087c..df2ad4f8 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java
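Review bot: The `ns==null` key-building branch is now duplicated verbatim in the two constructors (the `@@ -50` and `@@ -64` hunks); a private static helper, called as `key = buildKey(ns, type, instance, action);` from both, keeps the two from drifting, which matters because `key` is what permission lookups compare. Neither constructor guards `type`, `instance` or `action`, so a null there is silently concatenated as the text `null` into the key rather than rejected; if those are required, `Objects.requireNonNull` in the constructor would make the contract explicit. The constructor signatures sit above the hunks.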
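Review bot: The two new null-namespace branches in the matching code encode a convention, that a permission without a namespace carries the fully qualified name in `type`, which nothing in the hunk states; a comment such as `// ns==null means type already holds the full "ns.type" name, so compare against the dotted form` (constructed wording) would tell the next reader why `type.equals(aafNS+'.'+aafType)` is the right test. The branches call `aafType.equals(...)` and `type.equals(...)` without a null guard, so a null type on either side throws instead of failing the match; whether that is reachable depends on the constructors above. The head of the method, where `aafNS` and `aafType` are derived, lies outside the hunk.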
@@ -55,7 +55,7 @@ public class TestConnectivity {
 System.out.println("Usage: ConnectivityTester []");
 } else {
 print(true,"START OF CONNECTIVITY TESTS",new Date().toString(),System.getProperty("user.name"),
- "Note: All API Calls are /authz/perms/user/");
+ "Note: All API Calls are /authz/perms/user/");
 if(!args[0].contains(Config.CADI_PROP_FILES+'=')) {
 args[0]=Config.CADI_PROP_FILES+'='+args[0];
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
index b7cf62cd..a5ef6d14 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java
@@ -62,7 +62,7 @@ public class AAFLurPerm extends AbsAAFLur {
 private static final String ORG_OSAAF_CADI_OAUTH_O_AUTH2_LUR = "org.osaaf.cadi.oauth.OAuth2Lur";
 /**
- * Need to be able to transmutate a Principal into either ATTUID or MechID, which are the only ones accepted at this
+ * Need to be able to transmutate a Principal into either Person or AppID, which are the only ones accepted at this
 * point by AAF. There is no "domain", aka, no "@att.com" in "ab1234@att.com".
 *
 * The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid.
@@ -107,12 +107,6 @@ public class AAFLurPerm extends AbsAAFLur {
 protected User loadUser(final Principal principal) {
 final String name = principal.getName();
-// // Note: The rules for AAF is that it only stores permissions for ATTUID and MechIDs, which don't
-// // have domains. We are going to make the Transitive Class (see this.transmutative) to convert
-// final Principal tp = principal; //transmutate.mutate(principal);
-// if(tp==null) {
-// return null; // if not a valid Transmutated credential, don't bother calling...
-// }
 // TODO Create a dynamic way to declare domains supported.
 final long start = System.nanoTime();
 final boolean[] success = new boolean[]{false};
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
index b3de9754..ef73adaa 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/Agent.java
@@ -89,8 +89,8 @@ public class Agent {
 private static final String HASHES = "################################################################";
 private static final String PRINT = "print";
 private static final String FILE = "file";
- private static final String PKCS12 = "pkcs12";
- private static final String JKS = "jks";
+ public static final String PKCS12 = "pkcs12";
+ public static final String JKS = "jks";
 private static final String SCRIPT="script";
 private static final String CM_VER = "1.0";
@@ -127,7 +127,7 @@ public class Agent {
 AAFSSO aafsso=null;
 PropAccess access;
- if(args.length>1 && args[0].equals("validate")) {
+ if(args.length>1 && args[0].equals("validate") ) {
 int idx = args[1].indexOf('=');
 aafsso = null;
 access = new PropAccess(
@@ -329,7 +329,7 @@ public class Agent {
 private static String fqi(Deque cmds) {
 if(cmds.size()<1) {
 String alias = env.getProperty(Config.CADI_ALIAS);
- return alias!=null?alias:AAFSSO.cons.readLine("MechID: ");
+ return alias!=null?alias:AAFSSO.cons.readLine("AppID: ");
 }
 return cmds.removeFirst();
 }
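Review bot: `PKCS12` and `JKS` become public API of `Agent` in this hunk without Javadoc; as other classes now key keystore handling off them (the PlaceArtifactInKeystore hunk further down), a line such as `/** KeyStore type names as passed to KeyStore.getInstance; compare with equals, not ==. */` would state what they are and how to use them. Widening visibility on `Agent`, a command-line entry class, also suggests these names may belong on a small constants holder shared by the keystore code rather than on the CLI.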
@@ -360,11 +360,11 @@ public class Agent { Artifacts artifacts = new Artifacts(); Artifact arti = new Artifact(); artifacts.getArtifact().add(arti); - arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("MechID: ")); + arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("AppID: ")); arti.setMachine(machine!=null?machine:AAFSSO.cons.readLine("Machine (%s): ",InetAddress.getLocalHost().getHostName())); arti.setCa(AAFSSO.cons.readLine("CA: (%s): ","aaf")); - String resp = AAFSSO.cons.readLine("Types [file,jks,script] (%s): ", "jks"); + String resp = AAFSSO.cons.readLine("Types [file,pkcs12,jks,script] (%s): ", PKCS12); for(String s : Split.splitTrim(',', resp)) { arti.getType().add(s); } @@ -419,7 +419,7 @@ public class Agent { if(future.get(TIMEOUT)) { boolean printed = false; for(Artifact a : future.value.getArtifact()) { - AAFSSO.cons.printf("MechID: %s\n",a.getMechid()); + AAFSSO.cons.printf("AppID: %s\n",a.getMechid()); AAFSSO.cons.printf(" Sponsor: %s\n",a.getSponsor()); AAFSSO.cons.printf("Machine: %s\n",a.getMachine()); AAFSSO.cons.printf("CA: %s\n",a.getCa()); @@ -650,7 +650,7 @@ public class Agent { // Have to wait for JDK 1.7 source... //switch(artifact.getType()) { if(acf.value.getArtifact()==null || acf.value.getArtifact().isEmpty()) { - AAFSSO.cons.printf("No Artifacts found for %s on %s", mechID, machine); + AAFSSO.cons.printf("No Artifacts found for %s on %s ", mechID, machine); } else { String id = aafcon.defID(); boolean allowed; @@ -660,7 +660,7 @@ public class Agent { && aafcon.securityInfo().defSS.getClass().isAssignableFrom(HBasicAuthSS.class))); if(!allowed) { Future pf = aafcon.client(CM_VER).read("/cert/may/" + - a.getNs() + ".certman|"+a.getCa()+"|showpass","*/*"); + a.getNs()+"|certman|"+a.getCa()+"|showpass","*/*"); if(pf.get(TIMEOUT)) { allowed = true; } else { 
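Review bot: The rewritten permission path `a.getNs()+"|certman|"+a.getCa()+"|showpass"` in the `@@ -660` hunk now names the permission the caller must hold, but neither the literal nor the surrounding `allowed` logic says so; a comment like `// showpass requires the AAF permission <ns>|certman|<ca>|showpass, checked server-side via /cert/may` would document the contract and explain why a successful `pf.get(TIMEOUT)` flips `allowed`. The `|` characters go into a URL path unencoded; whether `aafcon.client(...).read` encodes them cannot be seen here, and if it does not, `|` is not a path character under RFC 3986 and some intermediaries reject it, so this is worth confirming against the client. The condition this hunk joins (`&& aafcon.securityInfo()...`) and the enclosing method begin before the hunk.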
@@ -1017,13 +1017,13 @@ public class Agent { String prop; File f; - if((prop=props.getProperty(Config.CADI_KEYFILE))==null || + if((prop=trans.getProperty(Config.CADI_KEYFILE))==null || !(f=new File(prop)).exists()) { trans.error().printf("Keyfile must exist to check Certificates for %s on %s", a.getMechid(), a.getMachine()); } else { - String ksf = props.getProperty(Config.CADI_KEYSTORE); - String ksps = props.getProperty(Config.CADI_KEYSTORE_PASSWORD); + String ksf = trans.getProperty(Config.CADI_KEYSTORE); + String ksps = trans.getProperty(Config.CADI_KEYSTORE_PASSWORD); if(ksf==null || ksps == null) { trans.error().printf("Properties %s and %s must exist to check Certificates for %s on %s", Config.CADI_KEYSTORE, Config.CADI_KEYSTORE_PASSWORD,a.getMechid(), a.getMachine()); diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java index 3123b89e..c5413919 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java @@ -28,7 +28,6 @@ import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; -import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Set; @@ -51,7 +50,7 @@ public class PlaceArtifactInKeystore extends ArtifactDir { @Override public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException { - File fks = new File(dir,arti.getNs()+'.'+(kst=="pkcs12"?"p12":kst)); + File fks = new File(dir,arti.getNs()+'.'+(kst==Agent.PKCS12?"p12":kst)); try { KeyStore jks = KeyStore.getInstance(kst); if(fks.exists()) { 
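Review bot: `kst==Agent.PKCS12` in `_place` compares object identity, so it is true only when `kst` is the very same interned literal; a `"pkcs12"` that arrives from configuration or a prompt (where the type strings originate is not visible here) fails the test and the keystore is written as `<ns>.pkcs12` instead of `<ns>.p12`, while `KeyStore.getInstance(kst)` on the next line still creates a PKCS12 store, so the file name and its format disagree. The fix is `Agent.PKCS12.equals(kst)`; the original `kst=="pkcs12"` had the same flaw, and the JKS-only test in this change cannot catch it. `_place` continues past the hunk.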
@@ -125,7 +124,7 @@ public class PlaceArtifactInKeystore extends ArtifactDir { fks.renameTo(backup); } - jks = KeyStore.getInstance("jks"); + jks = KeyStore.getInstance(Agent.JKS); // Set Truststore Password addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath()); diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java index ecadb6ed..d50b87a2 100644 --- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_ArtifactDir.java @@ -42,6 +42,7 @@ import org.junit.Test; import org.mockito.Mock; import org.mockito.MockitoAnnotations; import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.configure.Agent; import org.onap.aaf.cadi.configure.ArtifactDir; import org.onap.aaf.cadi.util.Chmod; import org.onap.aaf.misc.env.Trans; @@ -112,7 +113,7 @@ public class JU_ArtifactDir { } catch(NullPointerException e) { } - KeyStore ks = KeyStore.getInstance("pkcs12"); + KeyStore ks = KeyStore.getInstance(Agent.PKCS12); try { ArtifactDir.write(writableFile, Chmod.to755, ks, luggagePassword.toCharArray()); fail("Should've thrown an exception"); diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java index 0b086f11..d61ac499 100644 --- a/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/cm/test/JU_PlaceArtifactInKeystore.java 
@@ -21,9 +21,11 @@ package org.onap.aaf.cadi.cm.test; -import static org.junit.Assert.*; -import static org.hamcrest.CoreMatchers.*; -import static org.mockito.Mockito.*; +import static org.hamcrest.CoreMatchers.is; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.fail; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; import java.io.BufferedReader; import java.io.ByteArrayOutputStream; @@ -31,14 +33,17 @@ import java.io.File; import java.io.FileNotFoundException; import java.io.FileReader; import java.io.IOException; +import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; -import java.security.cert.CertificateException; - -import org.junit.*; -import org.mockito.*; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.configure.Agent; import org.onap.aaf.cadi.configure.PlaceArtifactInKeystore; import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; @@ -97,12 +102,12 @@ public class JU_PlaceArtifactInKeystore { @Test public void test() throws CadiException { // Note: PKCS12 can't be tested in JDK 7 and earlier. Can't handle Trusting Certificates. - PlaceArtifactInKeystore placer = new PlaceArtifactInKeystore("jks"); + PlaceArtifactInKeystore placer = new PlaceArtifactInKeystore(Agent.JKS); certs.add(x509String); certs.add(x509Chain); assertThat(placer.place(transMock, certInfoMock, artiMock, "machine"), is(true)); - for (String ext : new String[] {"chal", "keyfile", "jks", "trust.jks", "cred.props"}) { + for (String ext : new String[] {"chal", "keyfile", Agent.JKS, "trust.jks", "cred.props"}) { File f = new File(dirName + '/' + nsName + '.' + ext); assertThat(f.exists(), is(true)); } -- 2.16.6
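Review bot: The expected-extension array mixes the `Agent.JKS` constant with the literal `"trust.jks"`, so the truststore name would silently diverge from `Agent.JKS` if the constant ever changed; `"trust." + Agent.JKS` keeps both derived from one definition. Passing the interned `Agent.JKS` constant to the placer also cannot distinguish `equals` from `==` in `PlaceArtifactInKeystore._place`; a case that builds the type string at runtime would, and the file's own note that PKCS12 is untestable on JDK 7 explains why that path is otherwise uncovered.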