Stephen Kitt [Mon, 16 Apr 2018 09:16:32 +0000 (11:16 +0200)]
Ensure Jersey is initialised before AAA-Shiro
When we group the Jersey bundles with bundles using them, we run into
initialisation races where AAA-Shiro ends up trying to use Jersey
before the latter’s activators have run.
All credit to Robert Varga for figuring out that we need an ordering
constraint between Jersey as a whole and the rest of AAA-Shiro. The
new odl-aaa-jersey-1 feature will eventually be replaced by ODL
Parent’s odl-jersey-1 feature, once we’ve added jersey-client to
that.
Issue: RELENG-85
Change-Id: I3d87dc28c8067bbeb0ca32be96ccdb4f6d359573
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Robert Varga [Fri, 13 Apr 2018 17:34:17 +0000 (19:34 +0200)]
Remove javax.ws.rs-api dependency
Let's not pull javax.ws.rs-api-2.0.1 and see what gives.
Change-Id: I7c8656f4423e87818c844f49019f83fe39731bc4
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Stephen Kitt [Fri, 13 Apr 2018 11:20:11 +0000 (13:20 +0200)]
Align pax-web-api with Karaf 4.1.5
Karaf now uses version 6.0.9.
Change-Id: I08b9440448247234e1c9a15e557033deb9d467be
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Thu, 22 Mar 2018 17:24:27 +0000 (18:24 +0100)]
Bump to odlparent 3.1.0 and yangtools 2.0.3
Change-Id: Idca8474f104b93a7c4a2e5148ad4d414306cfa69
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Mon, 9 Apr 2018 13:49:53 +0000 (15:49 +0200)]
Clean up odl-aaa-web
This needs Guava, so use odl-guava-23.
Change-Id: I666b0aff22329a6e77998c7e280146f71a2a734f
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Mon, 9 Apr 2018 13:23:27 +0000 (15:23 +0200)]
Clean up odl-aaa-shiro
Pull in odl-jolokia and odl-aaa-web to reduce the bundle overlap.
Change-Id: I3bb2ba38a4a184cfe5780ca12faabc3d2a7abbf7
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Jamo Luhrsen [Fri, 6 Apr 2018 04:26:57 +0000 (21:26 -0700)]
Add Karaf build profile
Project local Karaf distros are handy for devs to test their work
however is unneeded by autorelease builds and should not be released
as part of the Simultaneous Release. Add a profile that is active by
default so that default behaviour is unchanged however allows the
autorelease project to disable building this module.
Change-Id: If26f62fd722bedce8d39d3dfe673064441fd1d36
Signed-off-by: Jamo Luhrsen <jluhrsen@redhat.com>
(cherry picked from commit 320971a7892e4540bc5d253cf9a2f8117b61e2ce)
Ryan Goulding [Sun, 25 Mar 2018 16:27:18 +0000 (12:27 -0400)]
AAA-143: Remove jackson dependencies
Other projects need to pull in jackson runtime dependencies themselves
instead of depending on AAA. AAA does not utilize Jackson anymore
period.
Change-Id: Ic2e0f36c19ad0903bc22da41b650ca6a66a62a40
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Tom Pantelis [Tue, 20 Mar 2018 00:33:29 +0000 (20:33 -0400)]
Remove aaa-filterchain Activator and statics
Removed the bundle Activator in lieu of blueprint and also
removed the static CustomFilterAdapterConfiguration instance.
CustomFilterAdapterConfiguration was converted to an interface
with implementation CustomFilterAdapterConfigurationImpl so it
can be advertised as a service and consumed by aaa-shiro and
injected into the CustomFilterAdapter.
Change-Id: Id1b6be949d9ce1bb895050e1ed95f321cdd2188a
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sun, 25 Mar 2018 21:19:40 +0000 (17:19 -0400)]
Use odl:type="default" for IdmLightProxy service reg
Change-Id: Ieb5d096aa64836e71ae6c1c7be810a36d49a907e
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Ryan Goulding [Sun, 25 Mar 2018 15:54:59 +0000 (15:54 +0000)]
Merge "remove Import-Package from aaa-shiro POM"
Ryan Goulding [Sun, 25 Mar 2018 15:54:41 +0000 (15:54 +0000)]
Merge "Convert IdmLightProxy CLAIM_CACHE to non-static"
Robert Varga [Thu, 22 Mar 2018 15:08:10 +0000 (16:08 +0100)]
Package aaa-shiro-act
This provides simple packaging of aaa-shiro-act, so netconf does
not have to package it itself.
JIRA: AAA-164
Change-Id: I4e65d102d15a0c35b579837840f9f46ae7ece7dd
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Tom Pantelis [Wed, 21 Mar 2018 16:11:33 +0000 (12:11 -0400)]
Convert IdmLightProxy CLAIM_CACHE to non-static
The map was static so the clearClaimCache method could be accessed
statically by UserHandler etc. Now the IdmLightProxy instance is injected
and referenced as a new interface, ClaimCache.
Change-Id: I7ed214c6158d950dc7da81813ca6b230dc3a6767
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Ryan Goulding [Tue, 20 Mar 2018 19:55:08 +0000 (19:55 +0000)]
Merge "introduce WebContextSecurer service API"
Michael Vorburger [Mon, 12 Mar 2018 21:58:49 +0000 (22:58 +0100)]
remove Import-Package from aaa-shiro POM
as far as I can tell from a quick test, it still works.
Change-Id: Id223170832378bed19f62e620f7353fb79723a74
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Ryan Goulding [Tue, 20 Mar 2018 17:58:58 +0000 (17:58 +0000)]
Merge changes from topic 'java-8-migration'
* changes:
Java 8 migration
Java 7 migration
Ryan Goulding [Tue, 20 Mar 2018 16:55:09 +0000 (16:55 +0000)]
Merge "Java 5 migration"
Stephen Kitt [Tue, 20 Mar 2018 15:02:27 +0000 (16:02 +0100)]
Java 8 migration
As suggested by IntelliJ:
* clean up lambdas;
* use new Map methods.
Change-Id: Icda29431e29a35849aa60be145b0029ae72ad055
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Ryan Goulding [Tue, 20 Mar 2018 14:30:05 +0000 (14:30 +0000)]
Merge "Remove unused code"
Ryan Goulding [Tue, 20 Mar 2018 12:59:55 +0000 (08:59 -0400)]
Remove unused code
Removed unused code.
Change-Id: I88d1a561dfd25ba6fe2908f7308c174f151c2ce4
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Stephen Kitt [Tue, 20 Mar 2018 10:47:54 +0000 (11:47 +0100)]
Java 7 migration
As suggested by IntelliJ:
* remove redundant type specifiers;
* use try-with-resources.
Change-Id: Ie6b777fd9cbf9d1e9e3f98fecccdb2f8b2ee2caa
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Tue, 20 Mar 2018 10:19:21 +0000 (11:19 +0100)]
Java 5 migration
As suggested by IntelliJ:
* use foreach loops;
* use StringBuilder instead of StringBuffer;
* drop unnecessary boxing constructors.
Change-Id: Ic6d77c3413bc8ac04a83fb0cd42a34c0f09fc717
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Tue, 20 Mar 2018 08:43:02 +0000 (09:43 +0100)]
Add domain to the PasswordCredentials equality check
Change-Id: Ib719afc87e43f905e460bdcfd3890f99c7b5f5dc
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Tue, 20 Mar 2018 08:41:45 +0000 (09:41 +0100)]
Remove EqualUtil
This patch uses Objects.equals() instead. The equality checks are
preserved as-is.
Change-Id: Iaf3cd4723ddf17f38dd04c527b81ebd555b0df52
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Michael Vorburger [Thu, 15 Mar 2018 23:24:26 +0000 (00:24 +0100)]
introduce odl-aaa-web feature
Change-Id: I3993ddd82e09d0075e47000b7ff75632b2bd5b3d
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Ryan Goulding [Mon, 19 Mar 2018 18:01:24 +0000 (18:01 +0000)]
Merge changes I6062ddfa,If91c0ea5,Idd92e1be,I224e0fb7,Iab290548, ...
* changes:
Enable findbugs in aaa-parent
Fix findbugs violations in aaa-cli
Fix findbugs violations in aaa-filterchain
Fix findbugs violations in aaa-shiro
Fix findbugs violations in aaa-cert
Fix findbugs violations in aaa-encrypt-service
Ryan Goulding [Mon, 19 Mar 2018 17:48:24 +0000 (17:48 +0000)]
Merge changes Ia7a47d3b,I0d9b6fc2
* changes:
Fix findbugs violations in aaa-authn-api
Move checkstyle config to aaa-parent
Michael Vorburger [Fri, 16 Mar 2018 14:43:08 +0000 (15:43 +0100)]
introduce WebContextSecurer service API
This API allows other projects to secure their web context, but without
directly relying on AAA Shiro internals. Using this, other applications
will be able to significantly reduce their dependencies, Package-Import
etc. to AAA Shiro internals. (This opens the door both to more
independently evolve aaa-shiro internals, and allows for possible
alternative implementations, later.)
This also makes aaa-shiro secure its own IdmLightApplication REST
endpoints using the same approach, which avoids copy/paste of the
AAAShiroFilter and the KarafIniWebEnvironmentLoaderListener it needs
between the WebInitializer and the ShiroWebContextSecurer.
Change-Id: Ia3a16df71384610a75acf3d28205c973c554d477
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Mon, 19 Mar 2018 14:17:20 +0000 (15:17 +0100)]
ditch HashCodeUtil, and use JDK Objects.hash() instead
having a utility like this in Guava and in the JDK is probably 1 too
much, let us not have another one doing the exact same thing in AAA as
well.
Change-Id: Icb19d3e5aed73eb46dee1394be0ae06181ab6ef4
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Tom Pantelis [Sun, 18 Mar 2018 00:43:44 +0000 (20:43 -0400)]
Enable findbugs in aaa-parent
Change-Id: I6062ddfa44de6cba7540beea5fbb8d215d3ca2d1
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sun, 18 Mar 2018 00:36:09 +0000 (20:36 -0400)]
Fix findbugs violations in aaa-cli
- Method may fail to close stream
- Reliance on default encoding
- Incorrect lazy initialization of static field
- Unread field: should this field be static?
- Write to static field from instance method
Change-Id: If91c0ea5997490468d030cab3aead2825fbe9c9e
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 13:38:50 +0000 (09:38 -0400)]
Fix findbugs violations in aaa-authn-api
- Equals method should not assume anything about the type of its argument
- Reliance on default encoding
- Dead store to local variable
- Possible null pointer dereference on branch that might be infeasible
- Field not initialized in constructor but dereferenced without null check
Change-Id: Ia7a47d3b3b6a9729263c7c42656f14791edefccc
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 15:39:37 +0000 (11:39 -0400)]
Fix findbugs violations in aaa-filterchain
- May expose internal representation by returning reference to mutable object
- Inefficient use of keySet iterator instead of entrySet iterator
- Field not initialized in constructor but dereferenced without null check
Change-Id: Idd92e1beb6998a6968ae6be3b5f1e83ae1ca50d7
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 12:50:56 +0000 (08:50 -0400)]
Move checkstyle config to aaa-parent
Change-Id: I0d9b6fc2f2eec27f2d438148bd3cb148901d72ff
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 17:08:59 +0000 (13:08 -0400)]
Fix findbugs violations in aaa-shiro
- Possible null pointer dereference
- Class names shouldn't shadow simple name of implemented interface
- Method may fail to close database resource
- Non-transient non-serializable instance field in serializable class
- Non-serializable class has a serializable inner class
- Class is Serializable, but doesn't define serialVersionUID
- Consider using Locale parameterized version of invoked method
- Reliance on default encoding
- May expose internal representation by returning reference to mutable object
- Method invokes toString() method on a String
- Private method is never called
- Unread field
- Nonconstant string passed to execute or addBatch method on an SQL statement
- Unchecked/unconfirmed cast
- Dead store to local variable
- Class implements same interface as superclass
- Redundant nullcheck of value known to be non-null
- Exception is caught when Exception is not thrown
- Useless control flow
Change-Id: I224e0fb71f3570f69fa1963e89b8c687a464156a
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 15:16:56 +0000 (11:16 -0400)]
Fix findbugs violations in aaa-cert
- Null pointer dereference
- Method ignores exceptional return value
- Method ignores results of InputStream.read()
- Method may fail to clean up stream or resource
- Method may fail to close stream on exception
- Reliance on default encoding
- Consider returning a zero length array rather than null
- Redundant nullcheck of value known to be non-null
- Potentially dangerous use of non-short-circuit logic
Change-Id: Iab2905488bbe2d4b9be3e92c69e49e5eb0129958
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 14:20:35 +0000 (10:20 -0400)]
Fix findbugs violations in aaa-encrypt-service
- Method may fail to clean up stream or resource
- Reliance on default encoding
- Method invokes inefficient new String(String) constructor
- Unchecked/unconfirmed cast
Change-Id: I0dd13b306a684167bacdf94648369150f365d590
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 12:20:17 +0000 (08:20 -0400)]
Derive all code sub-projects from aaa-parent
We can then centralize configs for CS and findbugs etc.
Change-Id: Iecca472fb7de14b34cf88b34765f7741d4e3c60b
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
David Suarez [Sun, 11 Mar 2018 15:37:20 +0000 (16:37 +0100)]
Fix checkstyle issues to enforce it
Change-Id: I77b3e119c7cd972f1f2f141f5adfdeab6c518ead
Signed-off-by: David Suarez <david.suarez.fuentes@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 01:24:05 +0000 (21:24 -0400)]
Remove static AuthenticationManager instance
It's only used by UT's.
Change-Id: I25271cd06d578942b7cf9cd35a38a338c5527f29
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Fri, 16 Mar 2018 22:59:35 +0000 (18:59 -0400)]
Remove ServiceLocator
Removed the static instance holders in favor of injection.
Change-Id: Iea7beda16450f28af4119995da4768e931086592
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Ryan Goulding [Fri, 16 Mar 2018 15:15:55 +0000 (15:15 +0000)]
Merge "Eliminate injection of AAAShiroProvider"
Ryan Goulding [Fri, 16 Mar 2018 15:02:53 +0000 (15:02 +0000)]
Merge "New shiro EnvironmentLoaderListener"
Tom Pantelis [Thu, 15 Mar 2018 18:36:25 +0000 (14:36 -0400)]
Eliminate injection of AAAShiroProvider
AAAShiroProvider is used as a holder for some instances and is injected
into other components just to access those instances. It's better to
directly inject the instances instead of having a dependency on
AAAShiroProvider.
Change-Id: Iaed51ae360360b3460c419eb4be2d4ffe3fdf558
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Thu, 15 Mar 2018 16:40:17 +0000 (12:40 -0400)]
New shiro EnvironmentLoaderListener
Added ShiroWebEnvironmentLoaderListener and AAAIniWebEnvironment
that inject the required instances instead of obtaining statically.
Change-Id: I5979342b7463a3634e9208eb813f32174c2a4cb4
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Michael Vorburger [Wed, 14 Mar 2018 11:04:14 +0000 (12:04 +0100)]
make PaxWebServer ServiceFactory fail instead of return bogus WebServer
The current implementation may return a bogus defunct noop WebServer
which just ignores Servlet & Filter registrations (and just logs a WARN,
which could easily be overlooked) in case it cannot find the Pax Web
WebContainer service.
This change makes it instead "fail fast" on the WebServer service look
up. Note that the ServiceFactory doc explicitly allows throwing
exceptions; that will be caught and turn into a null service reference,
which whatever is trying to obtain the WebServer must gracefully handle.
Change-Id: Ie4fcbdb125095d353d466958fade98fc759aefd4
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Mon, 12 Mar 2018 22:56:39 +0000 (23:56 +0100)]
Refactor AAAShiroProvider & Co. to be non static
- The IdmLightApplication is now instantiated and injected
with the AAAShiroProvider and passed to the ServletContainer
instead of the ServletContainer instantiating it via reflection.
- For KarafIniWebEnvironmentLoaderListener and KarafIniWebEnvironment,
the initial plan was to inject the AAAShiroProvider however there
are still web.xml files in ODL land that reference
KarafIniWebEnvironment and expect a no-arg ctor. We need to keep
backwards compatibility for a while so I'll follow-up later
to add a new KarafIniWebEnvironmentLoaderListener that is advertised
as a service for programmatic use. KarafIniWebEnvironment was changed
to obtain the ShiroConfiguration statically rather than the
AAAShiroProvider.
- The shiro lib still instantiates the filter/realm etc instances via
reflection. These are specified via String key/value pairs with class names
in the Ini instance. Unfortunately I see no way around this. So
to avoid having to pass our services, eg DataBroker, via statics,
I opted to use ThreadLocals to inject indirectly. This is a bit
ugly but works.
Change-Id: I8f5114802c76cbd2b4bfda69952df2b28557cf8d
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Michael Vorburger [Wed, 14 Mar 2018 10:48:50 +0000 (11:48 +0100)]
use web-api as dependency instead of web-osgi-impl in aaa-shiro
and amend @author in PaxWebServer for credit where credit is due
and some minor logging related clean up in PaxWebServer
Change-Id: Ibc4f4d8fd95f5d5693c11abcad4735af2c3e4d27
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Tom Pantelis [Wed, 14 Mar 2018 02:59:26 +0000 (22:59 -0400)]
AAA-169: Advertise PaxWebServer as an OSGi service
The Pax Web WebContainer implementation registers a ServiceFactory and
uses the class loader of the bundle that obtains the OSGi service
reference. When PaxWebServer is advertised as a service, it causes a
ClassNotFoundEx when initializing shiro b/c it uses the TCCL that is
set by Pax Web obtained from the PaxWebServer's bundle. To alleviate this,
we can advertise a WebServer ServiceFactory so it uses the caller's
bundle to get the WebContainer service.
Change-Id: I591c340ccb0551a8138d07ec79443bc648218baf
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Michael Vorburger [Tue, 27 Feb 2018 20:34:07 +0000 (21:34 +0100)]
replace AAA's web.xml with programmatic registration
This is a first step with a like-for-like transformation;
future changes could go further; notably integrate it with
AAAShiroProvider which, strangely, had separate web registration
not using web.xml, and -likely- (TBC) replace the static
CompletableFuture "hoop" in AAAShiroProvider with normal DI.
Change-Id: I43c5fe90a087e2fbc68f779655c211253775c2db
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Tue, 27 Feb 2018 20:21:14 +0000 (21:21 +0100)]
add web API implementation for OSGi environment, based on Pax Web
usage of this in AAA can be seen in the next commit ("chained")
Change-Id: If298047e2b295ca88d0494dc9733e1d91ee44a12
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Tue, 27 Feb 2018 18:43:56 +0000 (19:43 +0100)]
add new API for programmatic registration of web Servlet, Filter, etc.
implementation & usage of this can be seen in the next "chained" commits
The purpose of this API is to let projects with web components, such as
neutron, aaa or restconf, ditch their respective web.xml. This will have
a number of advantages, some of which are documented in the JavaDoc of
the new WebServer interface and WebContext class.
see also discussion and interest from project neutron re. adoption on:
https://lists.opendaylight.org/pipermail/neutron-dev/2018-February/001587.html
This is the change originally raised in infrautils as
Ib2df87ca31a2bde547efbf73e0475a1cd64ea6ea, but now instead proposed
to aaa, as discussed during the Kernel Projects call on 2018/02/27.
Change-Id: Ib2fb02aa19e49aa482062f18ba84124a9a623364
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Ryan Goulding [Wed, 7 Mar 2018 15:06:50 +0000 (10:06 -0500)]
AAA-168: Remove embedded h2 dependency
This was code inherited from a long time ago and punted around AAA
without any real cleanup. I am not sure why the original authors
decided to embed the dependency rather than just import it, but this
causes several issues. This patch removes the embedded h2 dependency
in favor of direct import. While I recognize that other parts of
ImportPackage need to be cleaned, they will be done in a subsequent
patch since they are separate concepts than what is done here.
In other words, expect follow-ups to continue cleaning.
aaa-cli-jar relied on aaa-shiro shading the com.h2database:h2 jar,
so I instead added it as a compile time dependency for the module
and extracted the appropriate files for the generated jar in the
maven-shade-plugin configuration.
Change-Id: I9267f1373ddc5b8af0304fd5719dcc96b8874c32
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Mon, 5 Mar 2018 16:11:57 +0000 (11:11 -0500)]
AAA-167: Refresh test cert
Test cert used in UT for AAA was expired causing failures. For now,
a 10 year cert is added to unblock the release. Later, the tests
will be refactored to generate the key on the fly.
Change-Id: Ic1da844b2ffa841691f61f82106f24e0cb27bafe
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Michael Vorburger [Thu, 1 Mar 2018 16:48:02 +0000 (17:48 +0100)]
AAA-166 fix (attempt)
Change-Id: Ib2217b035138d993a88b2bc279316fd14925ea73
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Anil Belur [Mon, 26 Feb 2018 07:41:40 +0000 (17:41 +1000)]
Bump versions by x.(y+1).z for next dev cycle
Change-Id: I135cb265c0a637da0b34907025ede4f686c9bcc3
Signed-off-by: Anil Belur <abelur@linuxfoundation.org>
Ryan Goulding [Fri, 16 Feb 2018 19:01:50 +0000 (19:01 +0000)]
Merge "AAA-163: implement isEnabled flag in user model"
Ryan Goulding [Mon, 12 Feb 2018 16:19:06 +0000 (11:19 -0500)]
AAA-163: implement isEnabled flag in user model
Make it possible to utilize "isEnabled" for users. This has been
broken since inception since the folks submitted the code back in
2014, and was recently caught. Basically, it was not implemented
period in the user lookup logic.
Additionally, changes were needed to the "User" API-- Jaxb
serialization was never working. That is, the original authors
decided to use an "int" to represent enabled in H2, yet, tried to
map to a Boolean in the serdes process. This means that calls to
User.isEnabled() always returned null, which is VERY bad practice.
The public methods were left in place, some wrappers were added, and
the internal implementation was changed to utilize an int for
User.enabled field, but still provide boolean the User.isEnabled()
predicate.
Change-Id: I92aa981035d91ca6ee1836d00546b446c7dc9738
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Thu, 15 Feb 2018 15:36:18 +0000 (15:36 +0000)]
Merge "Eliminate infinite busy wait in KarafIniWebEnvironment"
Tom Pantelis [Wed, 14 Feb 2018 01:01:13 +0000 (20:01 -0500)]
Eliminate infinite busy wait in KarafIniWebEnvironment
We've seen SFT's hang on shut down due to the busy wait if the
blueprint container for aaa-shiro fails or is destroyed while
being created. The busy wait blocks startup of the web app and also
blocks on shut down causing the hang. To alleviate this, use a
Future to obtain the AAAShiroProvider. Also added a BundleActivator
to register a blueprint event listener that fails the Future
exceptionally when the blueprint container is destroyed.
Change-Id: I9198579aa026ab685af73ee624c353d7097ba86e
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Jamo Luhrsen [Sat, 10 Feb 2018 04:30:49 +0000 (20:30 -0800)]
AAA-165: Add explicit import apache.commons.text
- added a simple UT for domain delete, but even that UT
would not fail for AAA-165
- moved from commons-lang3 to commons-text as I noticed
StringEscapeUtils is deprecated in lang3 and text was
what should be used
Change-Id: I0e8a5067666d062e2f119ddaa7511f0cc3a2dda1
Signed-off-by: Jamo Luhrsen <jluhrsen@redhat.com>
Ryan Goulding [Thu, 8 Feb 2018 15:00:40 +0000 (10:00 -0500)]
AAA-134: Cannot update domain name
Modified the update SQL statement to include name.
Change-Id: I8fce9cbbf403fcc627b927e5750750de4d04403c
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Fri, 9 Feb 2018 13:43:58 +0000 (13:43 +0000)]
Merge "AAA-147: Jolokia Credentials are backed by AAA"
Ryan Goulding [Fri, 9 Feb 2018 13:43:16 +0000 (13:43 +0000)]
Merge "Move AAAShiroProvider class in act into separate package"
Ryan Goulding [Thu, 8 Feb 2018 19:02:59 +0000 (14:02 -0500)]
AAA-147: Jolokia Credentials are backed by AAA
Inject an Authenticator implementation into the service registry
for use with odl-jolokia from controller. Corresponding patch:
https://git.opendaylight.org/gerrit/68069
W/o this Authenticator installed, jolokia authentication fails.
Change-Id: I8141336453f04052b617f322c94d6add8a37fcf5
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Michael Vorburger [Thu, 8 Feb 2018 17:16:14 +0000 (18:16 +0100)]
Move AAAShiroProvider class in act into separate package
There are two classes named AAAShiroProvider both in package
org.opendaylight.aaa; one in artifact (and OSGi bundle) aaa-shiro and
another one in aaa-shiro-act.
As far as I understand the AAA code, this does not seem to be done
intentionally for any particular reason, probably just historical
copy/paste.
Under OSGi, this doesn't really cause any major issues (other than it
being "really not nice", possibly confusing, and theoretically causing
issues if one were to use package import), as the two AAAShiroProvider
are loaded into separate ClassLoaders in their respective bundles.
When attempting to use AAA in a (non-OSGi) flat classpath environment
however, then the present situation, leads to this error:
[main] ERROR org.apache.shiro.web.env.EnvironmentLoader - Shiro
environment initialization failed
java.lang.NoSuchMethodError:
org.opendaylight.aaa.AAAShiroProvider.getInstance()Lorg/opendaylight/aaa/AAAShiroProvider;
at org.opendaylight.aaa.shiro.web.env.KarafIniWebEnvironment.init(KarafIniWebEnvironment.java:67)
This change fixes above, for non-OSGi test envs, but seems a reasonable
clean up if for the standard deployment model of running ODL in OSGi.
Change-Id: Ia5d34e6f3ecf9d6539bdac9537b8628dcde59049
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Stephen Kitt [Tue, 30 Jan 2018 12:32:40 +0000 (13:32 +0100)]
Clean up artifacts
This removes a number of obsolete artifacts from aaa-artifacts, adds
some new ones, and adds a new module to verify that listed artifacts
are actually available.
Change-Id: I2ab9600a5ffb1b99c1dee00b0b6ac456cae49f57
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Ryan Goulding [Wed, 7 Feb 2018 19:11:37 +0000 (14:11 -0500)]
AAA-158: remove exception output in HTTP response
Change-Id: Icb3c2cfcf1d546bb365fb61d558cd3be428e5a15
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Wed, 7 Feb 2018 18:31:16 +0000 (13:31 -0500)]
Fix README refactor
During the refactor that eliminated "impl" from the packaging
structure, this README was not correctly updated.
Change-Id: Ib367cb3410513a3477a4dbe75fa1a8468ffa0d76
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
serngawy [Fri, 26 Jan 2018 18:24:42 +0000 (13:24 -0500)]
AAA-160: Fix aaa-cli commands
Adding final to the command line variable makes the variable
finally initialized and not re-assign value at runtime.
Access the datastore using AaaShiroProvider and delete the
old datastore service.
Change-Id: I8c2f7d39bd5e9be5349a2b922bb8afdbbb0b15a3
Signed-off-by: serngawy <m.elserngawy@gmail.com>
Ryan Goulding [Tue, 6 Feb 2018 21:44:35 +0000 (21:44 +0000)]
Merge "AAA-159: Switch to using gson for JSON serialization"
Ryan Goulding [Thu, 25 Jan 2018 21:45:16 +0000 (21:45 +0000)]
AAA-159: Switch to using gson for JSON serialization
Due to jackson incompatibility issues with other web env
elements (namely jax-rs), this change switches the serdes
for AAA endpoints to gson. The motivation is two fold:
1) fix the immediate issue with the rest endpoints
2) align on a common JSON serdes framework in ODL
Since yangtools and others already utilize gson, and gson
seems to be a lot more friendly from a provider stand-
point, this change is the best solution to the given bug.
This patch does not completely remove jackson, since RESTCONF
depends on us bringing it in. This will be another multi-
step process:
1) this patch
2) convert restconf to GSON or just add the jackson deps
there (features/odl-aaa-shiro/pom.xml changes in last
patch)
3) remove jackson dependencies from AAA
Change-Id: Id969ab11282513fc314b98cd2a3487327250113f
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Stephen Kitt [Tue, 6 Feb 2018 15:46:51 +0000 (16:46 +0100)]
ODLPARENT-139: re-use caches when restarting
When the Shiro bundles restart, for whatever reason, they always
attempt to re-create their caches; that fails because the caches are
still present. This patch re-uses existing cache managers and caches
when possible.
This doesn’t entirely resolve the SSH issues reported in
ODLPARENT-139, but it helps the SSH connection survive longer (which
makes it easier to debug).
Change-Id: I27944a87cfbd78b385274dee0c7c17b9aac4dd58
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Ryan Goulding [Mon, 29 Jan 2018 20:38:41 +0000 (15:38 -0500)]
NETCONF-502: Provide GsonProvider for JSON serdes
Just provide the GsonProvider for downstream consumption.
Transitioning AAA to this provider will happen in a later
patch in order to avoid breaking downstreams in the
meantime.
Change-Id: I1b129bae712446678546daaf77ea23cccd1bdd1e
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Thu, 25 Jan 2018 14:50:23 +0000 (09:50 -0500)]
Fix packaging for shiro bundle
Align packages to keep IDEs from barfing.
Change-Id: Ifdaa0a25dbf3d56860ca35f630554cc9a5285fd7
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Thu, 25 Jan 2018 19:52:03 +0000 (14:52 -0500)]
Revert "Switch to using gson for JSON serialization"
Temporary revert to unblock the broken distribution until the NETCONF
team responds to the actual fix.
Change-Id: Ic8a446c33b3ee2cc1a994bcb8fab77bd486a8c15
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Thu, 25 Jan 2018 17:33:23 +0000 (12:33 -0500)]
Move AAAShiroProvider back
Caused some strange blueprint issues in dist-check.
Change-Id: I9d66e7e8ecbc87b549823fce852aac29a305bf8f
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Robert Varga [Wed, 29 Nov 2017 11:42:50 +0000 (12:42 +0100)]
Switch to using gson for JSON serialization
This patch changes JSON provider to GSON, skipping jackson
packaging completely. GSON is used by many upstream ODL
projects and is the desired single JSON library for the
future.
Some unit tests surrounding Handlers needed to be ignored
temporarily due to classpath issues; some of the overlapping
technology is tested in integration-test so the AAA team
feels it is okay to temporarily disable for now.
For now, this change exposes a provider package for the
GsonProvider so that other projects running into the same
issue can utilize it without copying and pasting code.
Later, it will be moved somewhere more intelligent.
Change-Id: I6033980d0fdaa31be32e2e77a0b9f869a755246b
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Thu, 25 Jan 2018 14:50:23 +0000 (09:50 -0500)]
Fix packaging for shiro bundle
Align packages to keep IDEs from barfing.
Change-Id: Ie037a1b2f1768840861bdc43a466b65aa8f014d7
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Stephen Kitt [Fri, 19 Jan 2018 16:36:43 +0000 (17:36 +0100)]
Drop explicit jetty-servlets dependency
odl-feat-karaf-jetty ends up pulling in jetty-servlets, so there’s no
need to depend on it explicitly here. Getting it via the odlparent
feature ensures that our runtime is consistent.
Change-Id: I6c11f0eb9cafb0db815760fed0ae6c6a976d171a
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Tom Pantelis [Fri, 19 Jan 2018 13:56:13 +0000 (08:56 -0500)]
Eliminate unnecessary explicit yangtools dependencies
Changed the parent pom to derive from binding-parent so
yangtools version and dependencies come from mdsal.
Change-Id: Id10a9d47abdda3a586af3707d7553f74382c566b
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Robert Varga [Wed, 17 Jan 2018 23:38:16 +0000 (00:38 +0100)]
Bump to yangtools-2.0.1
Adopt latest release for corrected SchemaContext behavior, forcing
downstreams to use those.
Change-Id: Ibe596ef486d11da4c06e1f250005e6f4ea995573
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Ryan Goulding [Thu, 18 Jan 2018 13:40:34 +0000 (13:40 +0000)]
Merge "Rely on mdsal for yangtools features"
Robert Varga [Wed, 17 Jan 2018 23:37:01 +0000 (00:37 +0100)]
Eliminate yangtools.version
Versions should be pushed via artifact imports, not via properties.
Change-Id: I9b59e4ef5a56a46939d3254327cd43baf16dba8a
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Stephen Kitt [Wed, 17 Jan 2018 15:27:57 +0000 (16:27 +0100)]
Rely on mdsal for yangtools features
Instead of explicitly listing yangtools features, rely on mdsal
providing them for us. This simplifies yangtools version bumps.
Change-Id: I4e9fd3b0a593d96e41dcd3fac22392db77dd633f
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Robert Varga [Thu, 12 Oct 2017 11:33:08 +0000 (13:33 +0200)]
Bump to yangtools-2.0.0 and odlparent-3.0.2
Adopt yangtools-2.0.0 and odlparent-3.0.2, adjusting feature
references. Since we are bumping to karaf-4.1.x, we also need
to bump sshd references.
Change-Id: I31aed1ebb96ad7cf3f0cdd131a25515dc77e3dbe
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Thu, 11 Jan 2018 15:01:00 +0000 (15:01 +0000)]
Merge "Revert "Moon Authorization Driver for ODL/AAA""
Ryan Goulding [Thu, 11 Jan 2018 14:20:46 +0000 (14:20 +0000)]
Revert "Moon Authorization Driver for ODL/AAA"
This reverts commit
6ccfaeb9fcaacdf0edc94a7383ccc2e71a32738f.
Change-Id: I88ba0e0f3862cb751105569aa81c8d88e71fcf8a
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Mon, 8 Jan 2018 21:08:17 +0000 (21:08 +0000)]
Merge "Temp. Remove MDSAL from aaa-app-config"
Ryan Goulding [Mon, 8 Jan 2018 20:02:11 +0000 (15:02 -0500)]
Temp. Remove MDSAL from aaa-app-config
Per AAA meeting discussions, it is probably better to delegate
Token Processing to the MdsalRealm or a corresponding pre-filter.
This has been done in the past for things like OAuth2 Token
processing. This change purely removes the option for MDSAL
backed store from the aaa-app-config, since the existing impl is
provided separately through MdsalRealm. Right now, choosing
MDSAL as an option actually only instantiates skeleton code, so it
is better to leave this option out in this release for
security purposes.
Change-Id: Ia32809f02865af8f96e0bdacbd20d064055114fe
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Evan Zeller [Fri, 5 Jan 2018 23:19:17 +0000 (15:19 -0800)]
AAA-155: don't force non-null input on currentUser cache lookup
On the first CLI command issued no auth users are cached in either the
SessionsManager cache or AaaCliAbstractCommand's static authUser. We
must take input from the user and do the lookup in the identity store.
Subsequent commands will use the now cached user until the entry is
evicted. getCurrentUser should handle the null input and be explicit
about the nullability of its return value.
Change-Id: I18291e25723f428d2e27f79184d957f7715357f8
Signed-off-by: Evan Zeller <evanrzeller@gmail.com>
Ryan Goulding [Mon, 8 Jan 2018 17:18:17 +0000 (12:18 -0500)]
Remove shiro.ini conversion script
shiro.ini was done away with many releases ago. As part
of its removal, the AAA team added a conversion script to
convert the shiro.ini file into a format that could be
recognized by the aaa clustered-app-config. Since the
shiro.ini based approach has been gone for over a release,
this patch removes the conversion script since it should
no longer be needed.
Change-Id: I6866ae1faea0362251ff26fabc8f6df360acde08
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
YuchenWang [Tue, 19 Dec 2017 14:05:45 +0000 (22:05 +0800)]
Moon Authorization Driver for ODL/AAA
https://github.com/WangYuchenSJTU/ODL-Moon-Authz
Change-Id: I7cc569561c7dd3cee26985b11c27ba9dbf913642
Signed-off-by: YuchenWang <lucassjtu@gmail.com>
Ryan Goulding [Fri, 1 Dec 2017 19:44:10 +0000 (19:44 +0000)]
Merge "AAA-154 Make H2 database credentials configurable"
Ryan Goulding [Tue, 28 Nov 2017 17:59:59 +0000 (12:59 -0500)]
Collapse features into features-aaa repository
Instead of providing two of essentially the same repository,
instead just provide one called features-aaa.
Change-Id: Ic60fca3a2b3129fe424e353ea1a1e074927f0a98
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Wed, 29 Nov 2017 14:02:31 +0000 (14:02 +0000)]
Merge "Clear claim cache when grants/roles/domains change"
Ryan Goulding [Wed, 29 Nov 2017 13:57:21 +0000 (13:57 +0000)]
Merge "Use gson to parse JSON output"
Robert Varga [Wed, 29 Nov 2017 11:01:33 +0000 (12:01 +0100)]
Use gson to parse JSON output
org.json is a poorly maintained and licensed piece of software,
which is causing us headaches whenever encountered. Remove its use
and use GSON to parse JSON payloads.
Change-Id: I07a7cc486b88e949b23b1d8714163eabea116b92
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Ryan Goulding [Tue, 28 Nov 2017 22:00:19 +0000 (17:00 -0500)]
Clear claim cache when grants/roles/domains change
The claim cache should be cleared whenever a change
occurs to these entities.
Change-Id: Iadfc71e219847609147b64394fd3b549c7979342
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>