Jamo Luhrsen [Tue, 17 Jul 2018 21:02:03 +0000 (14:02 -0700)]
Remove dynamicAuthorization
This is in response to some bugs like these:
https://jira.opendaylight.org/browse/CONTROLLER-1838
https://jira.opendaylight.org/browse/CONTROLLER-1849
where we believe not having things fail at this
level may help give us more details about a root
cause.
Change-Id: I7416c4d61133f1553e4ae83d9f3e0be48f55de6e
Signed-off-by: Jamo Luhrsen <jluhrsen@redhat.com>
Tom Pantelis [Wed, 11 Jul 2018 00:53:26 +0000 (00:53 +0000)]
Merge changes I65221cae,If580af40
* changes:
Subscribe to authentication information instead of reading it
Subscribe to authorization information instead of reading it
Tom Pantelis [Sun, 8 Jul 2018 15:42:19 +0000 (11:42 -0400)]
Handle UnknownSessionException in ODLAuthenticator
UnknownSessionException seems to indicate the internal stored/cached
session has expired so do an explicit logout and retry the login.
Since it appears we just use the subject/session for a one-shot
authentication, perhaps we should logout immediately after login,
however that can be investigated later.
Change-Id: I72f5a418869e5cf480b21df81be4c1b2aebf4f60
JIRA: AAA-176
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Robert Varga [Wed, 27 Jun 2018 12:43:05 +0000 (14:43 +0200)]
Subscribe to authentication information instead of reading it
Instead of explicitly reading authentication information, pull it
through a DTCL, so we can access the information without actually
touching the datastore.
Change-Id: I65221caed40d932c45cb2e29ac06e712fe85ba3b
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Robert Varga [Tue, 26 Jun 2018 16:57:25 +0000 (18:57 +0200)]
Subscribe to authorization information instead of reading it
Instead of explicitly reading authorization information, pull it
through a DTCL, so we can access the information without actually
touching the datastore.
Change-Id: If580af40b3a1c22c1e2ad8a550c075adcba20ed1
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Robert Varga [Thu, 28 Jun 2018 06:57:29 +0000 (08:57 +0200)]
Bump yangtools to 2.0.7
This patch bumps yangtools to latest release.
Change-Id: Iaba93bd609f4ee76a35f183c9e61a334212026ab
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Stephen Kitt [Wed, 30 May 2018 13:44:25 +0000 (15:44 +0200)]
Bump odlparent to 3.1.2
Change-Id: I43fc0c6807b445ad5b40c38ebd2d10d54b797367
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Robert Varga [Fri, 1 Jun 2018 13:29:45 +0000 (15:29 +0200)]
Bump yangtools to 2.0.5
To pick up the latest fixes.
Change-Id: I75e8408049dd91d3a08473232152da98ab63b748
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Tom Pantelis [Mon, 4 Jun 2018 14:48:37 +0000 (14:48 +0000)]
Merge "Fixup Augmentable and Identifiable methods changing"
Ryan Goulding [Tue, 29 May 2018 14:22:08 +0000 (10:22 -0400)]
Remove Accounter impl
Accounter is purely impl and not API. It was meant to be a
means to funnel important accounting messages, but it really
doesn't provide anything above what the standard Logger provides.
Additionally, it is less configurable. Thus, get rid of it.
Just use log4j instead.
Change-Id: I39ae4fe49f496382989a8676fba0c9bfe66db9a3
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Robert Varga [Tue, 24 Apr 2018 13:15:44 +0000 (15:15 +0200)]
Fixup Augmentable and Identifiable methods changing
This is a fixup of the change in binding codegen, adjusting:
- getKey() -> key()
- setKey() -> withKey()
- getAugmentation() -> augmentation()
Change-Id: I84a38f788b84e4db50cf1006ad36f6fb0863907b
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Ryan Goulding [Sun, 3 Jun 2018 18:19:43 +0000 (18:19 +0000)]
Merge changes I737d5336,Ied83aaa0
* changes:
Undeprecate PKIUtil
Cleanup MDSALDynamicAuthorizationFilterTest
Ryan Goulding [Sun, 3 Jun 2018 18:19:13 +0000 (18:19 +0000)]
Merge changes I57664369,Ie46f76d3
* changes:
Remove odl-config-core from odl-aaa-encryption-service feature
Convert CLI commands to Action
Tom Pantelis [Sun, 3 Jun 2018 15:44:30 +0000 (11:44 -0400)]
Remove odl-config-core from odl-aaa-encryption-service feature
odl-config-core is a CSS feature which isn't needed and is going away.
Change-Id: I57664369cae15325f17392cac37bcbc61de1a503
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Fri, 1 Jun 2018 17:57:35 +0000 (13:57 -0400)]
Convert CLI commands to Action
OsgiCommandSupport et al are deprecated.
Change-Id: Ie46f76d30b452eee1a76867dc7b105c0274808ab
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Fri, 1 Jun 2018 11:18:47 +0000 (07:18 -0400)]
Undeprecate PKIUtil
There's no alternative for users to switch to and not
clear whether it actually warrants a service with API and impl.
Change-Id: I737d53362330b1aba9329d565b16476322df5a59
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Robert Varga [Fri, 1 Jun 2018 08:47:02 +0000 (10:47 +0200)]
Do not repackage yangtools concepts
Depend on the feature providing the bundle, cutting duplicate
packaging.
Change-Id: Ia24477789545c3cbc9e2061dc82fdab3289bfe6b
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Tom Pantelis [Fri, 1 Jun 2018 00:57:32 +0000 (00:57 +0000)]
Merge "update README.md"
Tom Pantelis [Thu, 31 May 2018 22:52:38 +0000 (18:52 -0400)]
Cleanup MDSALDynamicAuthorizationFilterTest
Consolidated some common code for reuse and to reduce the
deprecation warnings due to CheckedFuture. Also used the
real Optional and CheckedFuture classes - no need to mock
such classes.
Change-Id: Ied83aaa0d266658fbda73c6b53beadd19d523816
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Thu, 31 May 2018 20:42:37 +0000 (16:42 -0400)]
Remove deprecated SHA256Calculator
Not used anywhere.
Change-Id: I1bfa0db35eb3e692cc1c98cf55b3c8ed004d3deb
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Thu, 31 May 2018 20:29:29 +0000 (16:29 -0400)]
Remove deprecated StoreBuilder#init
Change-Id: I9f4a92572b0db28c9a07ad596a7b9f7cf92cf841
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Thu, 31 May 2018 20:13:13 +0000 (16:13 -0400)]
Remove deprecated IdmLightConfig#getDbPath
Change-Id: I00e1b1143a6d4c38f42f1d9d26a6cce359a884ed
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Thu, 31 May 2018 19:55:09 +0000 (15:55 -0400)]
Remove static CustomFilterAdapterConfigurationImpl instance
This was kept for backwards compatibility for web.xml's which
have been removed.
Change-Id: I9a7269a4807bf54fa3945c28ee78ad32a1725f24
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Thu, 31 May 2018 18:22:13 +0000 (14:22 -0400)]
Fix some deprecation warnings
CheckedFuture et al.
Change-Id: Ibd4324fbc57367eb1ab1508bc56053977fb5e47a
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Thu, 31 May 2018 15:25:24 +0000 (11:25 -0400)]
Remove KarafIniWebEnvironment
Deprecated and not used anymore.
Change-Id: Id06ffe5768c8564a97c9c7c08db1cdd622b82e10
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Ryan Goulding [Tue, 29 May 2018 13:44:18 +0000 (09:44 -0400)]
update README.md
Update README.md to utilize correct max line lengths as well as
maven versions and target releases for future work.
Change-Id: Ie7aecca9b8c7bbedb98a06d218c33e5d72dd6b16
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Thu, 17 May 2018 20:13:26 +0000 (16:13 -0400)]
adjust to use password-service
Use the simplified password-service instead of SHA256Calculator.
After all, SHA256Calculator is deprecated since it combines API
and IMPL even in the name!
This is also more configurable and secure.
Change-Id: I471e0fe1d11d6b65ab574c5286ce1a874a2231fb
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Tom Pantelis [Wed, 30 May 2018 13:45:51 +0000 (13:45 +0000)]
Merge "Split aaa-encryption-service api and impl"
Ryan Goulding [Wed, 30 May 2018 13:17:22 +0000 (13:17 +0000)]
Merge "Convert to jersey 2"
Ryan Goulding [Tue, 22 May 2018 20:18:01 +0000 (16:18 -0400)]
Split aaa-encryption-service api and impl
The original contributor jammed api and impl into one bundle. This is
bad practice for SOA, so this change separates out api and impl. The
API class package remains the same for outside consumers (i.e., it is
left as org.opendaylight.aaa.encrypt instead of the normal convention
of org.opendaylight.aaa.encrypt.api).
Additionally, a maven-bundle-plugin instruction was added to explicitly
not export any impl bundle classes. This is important to avoid possible
consumption from downstream consumers.
Change-Id: I0e2fca345501deaf9645b4b044dbc549b222c69b
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Michael Vorburger [Tue, 29 May 2018 10:10:53 +0000 (12:10 +0200)]
add .apt_generated_tests/ to .gitignore
Change-Id: Ie2c3be4911874cf59d7f691d357e45f03bdfee71
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Tom Pantelis [Wed, 23 May 2018 22:08:51 +0000 (18:08 -0400)]
Convert to jersey 2
Modified the WebInitializer to use the new servlet API and changed
the jersey client version to 2.25.1. Also modified the UTs to jersey 2
test framework.
JIRA: TSC-113
Change-Id: I3864bd217126954e93308699e095f67afc2e53da
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Thu, 24 May 2018 01:55:44 +0000 (21:55 -0400)]
Fix STF error in odl-aaa-password-service
[caused by: Unable to resolve org.opendaylight.aaa.password-service-api/0.8.0.SNAPSHOT: missing requirement [org.opendaylight.aaa.password-service-api/0.8.0.SNAPSHOT] osgi.wiring.package; filter:="(&(osgi.wiring.package=org.opendaylight.yangtools.concepts)(version>=2.0.0)(!(version>=3.0.0)))"]]]
The feature needs to install the mdsal binding and yangtools
artifacts.
Change-Id: I1c98bc77e76d85181b559f499a6cfe38c0da4a7b
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Robert Varga [Mon, 23 Apr 2018 14:37:43 +0000 (16:37 +0200)]
Adjust to RPC method signature update
Input/Output structures are always present and we need to return
ListenableFuture.
Change-Id: Icce2f1091577d8741baf1bfd3b3de27463ca399e
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Ryan Goulding [Tue, 22 May 2018 17:35:46 +0000 (13:35 -0400)]
Deprecate Encryption Service Impl
The default encryption service implementation is a mess that shouldn't be
maintained. Instead, AAA team plans to add a new implementation that
is backed by Shiro cryptography. We will expose a knob to control which
implementation is used at runtime.
Change-Id: Ie9ff9b3de7e78102f17fbfbb1ed93e14e20c2bcb
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Tue, 22 May 2018 14:33:53 +0000 (10:33 -0400)]
Add odl-aaa-password-service feature
Add in a feature for use at runtime.
Change-Id: I0ce1cf7c1cf43cba69b817f855cef2164ab1b6a7
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Thu, 17 May 2018 20:16:06 +0000 (16:16 -0400)]
password service implementation
Implement PasswordHashService with a Default impl. This impl is capable
of deriving values from aaa-password-service-config.yang.
Change-Id: I55a6bebcc18ab60b229006ec50b9440292ec5ffb
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Mon, 21 May 2018 18:04:10 +0000 (14:04 -0400)]
password-service api cleanup
Change-Id: I89949d2d40605b40286c770e950a33b2ce6320f6
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Thu, 17 May 2018 20:13:26 +0000 (16:13 -0400)]
salt creation and password hash comparison service api
A generic one-way password comparison (hash equality) and salt generation
API. This is not meant to cover Password criteria satisfaction.
Change-Id: I6c8cb72a5cf83108b29232b6c1a8b8ae1cee21e8
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Tom Pantelis [Mon, 14 May 2018 18:42:17 +0000 (14:42 -0400)]
Remove AAAFilter and aaa-shiro-act
There are no more usages of AAAFilter and restconf no longer needs
aaa-shiro-act so remove them.
Change-Id: Ia763ee7f872b13d138ad49d6120495843a447599
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Thu, 26 Apr 2018 13:55:38 +0000 (09:55 -0400)]
Add resource registration to web API
In order to access html files, jsps etc, the resource path(s) in the
bundle need to be registered with pax web. Added a resources property
to WebContext to capture this.
Change-Id: Ic47558588601cb340ab5b0c3c218fe43226ce769
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Robert Varga [Fri, 13 Apr 2018 15:08:40 +0000 (17:08 +0200)]
Add web/servlet-api and jersey2 implementation
web/servlet-api provides implementation-agnostic entrypoints for
creating Clients and HttpServlets.
web/servlet-jersey2 provides an implementation based on jersey-2.25.1.
This split allows us to have applications independent of the
implementation.
Change-Id: I77d92fb8764aa28817d5dcac9f8450dc42017429
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Michael Vorburger [Thu, 12 Apr 2018 16:06:17 +0000 (18:06 +0200)]
add full implementation in web-jetty-impl
Change-Id: I649336bcaf51f683e52284cc549332c4c1815836
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Wed, 11 Apr 2018 18:39:40 +0000 (20:39 +0200)]
add skeleton web-jetty-impl (to be implemented)
This lets one use the new WebServer API outside of OSGi, e.g. in
component tests; specifically, I would like to use this in project
Neutron.
Change-Id: I7035078b877daaebceeb71a5e664386f6a85969a
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Ryan Goulding [Mon, 16 Apr 2018 16:43:25 +0000 (12:43 -0400)]
Align with odlparent version of jolokia
Change-Id: I123be8cd1732c467f692df11b183606d01e78d51
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Stephen Kitt [Mon, 16 Apr 2018 09:16:32 +0000 (11:16 +0200)]
Ensure Jersey is initialised before AAA-Shiro
When we group the Jersey bundles with bundles using them, we run into
initialisation races where AAA-Shiro ends up trying to use Jersey
before the latter’s activators have run.
All credit to Robert Varga for figuring out that we need an ordering
constraint between Jersey as a whole and the rest of AAA-Shiro. The
new odl-aaa-jersey-1 feature will eventually be replaced by ODL
Parent’s odl-jersey-1 feature, once we’ve added jersey-client to
that.
Issue: RELENG-85
Change-Id: I3d87dc28c8067bbeb0ca32be96ccdb4f6d359573
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Robert Varga [Fri, 13 Apr 2018 17:34:17 +0000 (19:34 +0200)]
Remove javax.ws.rs-api dependency
Let's not pull javax.ws.rs-api-2.0.1 and see what gives.
Change-Id: I7c8656f4423e87818c844f49019f83fe39731bc4
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Stephen Kitt [Fri, 13 Apr 2018 11:20:11 +0000 (13:20 +0200)]
Align pax-web-api with Karaf 4.1.5
Karaf now uses version 6.0.9.
Change-Id: I08b9440448247234e1c9a15e557033deb9d467be
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Thu, 22 Mar 2018 17:24:27 +0000 (18:24 +0100)]
Bump to odlparent 3.1.0 and yangtools 2.0.3
Change-Id: Idca8474f104b93a7c4a2e5148ad4d414306cfa69
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Mon, 9 Apr 2018 13:49:53 +0000 (15:49 +0200)]
Clean up odl-aaa-web
This needs Guava, so use odl-guava-23.
Change-Id: I666b0aff22329a6e77998c7e280146f71a2a734f
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Mon, 9 Apr 2018 13:23:27 +0000 (15:23 +0200)]
Clean up odl-aaa-shiro
Pull in odl-jolokia and odl-aaa-web to reduce the bundle overlap.
Change-Id: I3bb2ba38a4a184cfe5780ca12faabc3d2a7abbf7
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Jamo Luhrsen [Fri, 6 Apr 2018 04:26:57 +0000 (21:26 -0700)]
Add Karaf build profile
Project local Karaf distros are handy for devs to test their work
however is unneeded by autorelease builds and should not be released
as part of the Simultaneous Release. Add a profile that is active by
default so that default behaviour is unchanged however allows the
autorelease project to disable building this module.
Change-Id: If26f62fd722bedce8d39d3dfe673064441fd1d36
Signed-off-by: Jamo Luhrsen <jluhrsen@redhat.com>
(cherry picked from commit 320971a7892e4540bc5d253cf9a2f8117b61e2ce)
Ryan Goulding [Sun, 25 Mar 2018 16:27:18 +0000 (12:27 -0400)]
AAA-143: Remove jackson dependencies
Other projects need to pull in jackson runtime dependencies themselves
instead of depending on AAA. AAA does not utilize Jackson anymore
period.
Change-Id: Ic2e0f36c19ad0903bc22da41b650ca6a66a62a40
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Tom Pantelis [Tue, 20 Mar 2018 00:33:29 +0000 (20:33 -0400)]
Remove aaa-filterchain Activator and statics
Removed the bundle Activator in lieu of blueprint and also
removed the static CustomFilterAdapterConfiguration instance.
CustomFilterAdapterConfiguration was converted to an interface
with implementation CustomFilterAdapterConfigurationImpl so it
can be advertised as a service and consumed by aaa-shiro and
injected into the CustomFilterAdapter.
Change-Id: Id1b6be949d9ce1bb895050e1ed95f321cdd2188a
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sun, 25 Mar 2018 21:19:40 +0000 (17:19 -0400)]
Use odl:type="default" for IdmLightProxy service reg
Change-Id: Ieb5d096aa64836e71ae6c1c7be810a36d49a907e
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Ryan Goulding [Sun, 25 Mar 2018 15:54:59 +0000 (15:54 +0000)]
Merge "remove Import-Package from aaa-shiro POM"
Ryan Goulding [Sun, 25 Mar 2018 15:54:41 +0000 (15:54 +0000)]
Merge "Convert IdmLightProxy CLAIM_CACHE to non-static"
Robert Varga [Thu, 22 Mar 2018 15:08:10 +0000 (16:08 +0100)]
Package aaa-shiro-act
This provides simple packaging of aaa-shiro-act, so netconf does
not have to package it itself.
JIRA: AAA-164
Change-Id: I4e65d102d15a0c35b579837840f9f46ae7ece7dd
Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
Tom Pantelis [Wed, 21 Mar 2018 16:11:33 +0000 (12:11 -0400)]
Convert IdmLightProxy CLAIM_CACHE to non-static
The map was static so the clearClaimCache method could be accessed
statically by UserHandler etc. Now the IdmLightProxy instance is injected
and referenced as a new interface, ClaimCache.
Change-Id: I7ed214c6158d950dc7da81813ca6b230dc3a6767
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Ryan Goulding [Tue, 20 Mar 2018 19:55:08 +0000 (19:55 +0000)]
Merge "introduce WebContextSecurer service API"
Michael Vorburger [Mon, 12 Mar 2018 21:58:49 +0000 (22:58 +0100)]
remove Import-Package from aaa-shiro POM
as far as I can tell from a quick test, it still works.
Change-Id: Id223170832378bed19f62e620f7353fb79723a74
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Ryan Goulding [Tue, 20 Mar 2018 17:58:58 +0000 (17:58 +0000)]
Merge changes from topic 'java-8-migration'
* changes:
Java 8 migration
Java 7 migration
Ryan Goulding [Tue, 20 Mar 2018 16:55:09 +0000 (16:55 +0000)]
Merge "Java 5 migration"
Stephen Kitt [Tue, 20 Mar 2018 15:02:27 +0000 (16:02 +0100)]
Java 8 migration
As suggested by IntelliJ:
* clean up lambdas;
* use new Map methods.
Change-Id: Icda29431e29a35849aa60be145b0029ae72ad055
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Ryan Goulding [Tue, 20 Mar 2018 14:30:05 +0000 (14:30 +0000)]
Merge "Remove unused code"
Ryan Goulding [Tue, 20 Mar 2018 12:59:55 +0000 (08:59 -0400)]
Remove unused code
Removed unused code.
Change-Id: I88d1a561dfd25ba6fe2908f7308c174f151c2ce4
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Stephen Kitt [Tue, 20 Mar 2018 10:47:54 +0000 (11:47 +0100)]
Java 7 migration
As suggested by IntelliJ:
* remove redundant type specifiers;
* use try-with-resources.
Change-Id: Ie6b777fd9cbf9d1e9e3f98fecccdb2f8b2ee2caa
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Tue, 20 Mar 2018 10:19:21 +0000 (11:19 +0100)]
Java 5 migration
As suggested by IntelliJ:
* use foreach loops;
* use StringBuilder instead of StringBuffer;
* drop unnecessary boxing constructors.
Change-Id: Ic6d77c3413bc8ac04a83fb0cd42a34c0f09fc717
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Tue, 20 Mar 2018 08:43:02 +0000 (09:43 +0100)]
Add domain to the PasswordCredentials equality check
Change-Id: Ib719afc87e43f905e460bdcfd3890f99c7b5f5dc
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Stephen Kitt [Tue, 20 Mar 2018 08:41:45 +0000 (09:41 +0100)]
Remove EqualUtil
This patch uses Objects.equals() instead. The equality checks are
preserved as-is.
Change-Id: Iaf3cd4723ddf17f38dd04c527b81ebd555b0df52
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Michael Vorburger [Thu, 15 Mar 2018 23:24:26 +0000 (00:24 +0100)]
introduce odl-aaa-web feature
Change-Id: I3993ddd82e09d0075e47000b7ff75632b2bd5b3d
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Ryan Goulding [Mon, 19 Mar 2018 18:01:24 +0000 (18:01 +0000)]
Merge changes I6062ddfa,If91c0ea5,Idd92e1be,I224e0fb7,Iab290548, ...
* changes:
Enable findbugs in aaa-parent
Fix findbugs violations in aaa-cli
Fix findbugs violations in aaa-filterchain
Fix findbugs violations in aaa-shiro
Fix findbugs violations in aaa-cert
Fix findbugs violations in aaa-encrypt-service
Ryan Goulding [Mon, 19 Mar 2018 17:48:24 +0000 (17:48 +0000)]
Merge changes Ia7a47d3b,I0d9b6fc2
* changes:
Fix findbugs violations in aaa-authn-api
Move checkstyle config to aaa-parent
Michael Vorburger [Fri, 16 Mar 2018 14:43:08 +0000 (15:43 +0100)]
introduce WebContextSecurer service API
This API allows other projects to secure their web context, but without
directly relying on AAA Shiro internals. Using this, other applications
will be able to significantly reduce their dependencies, Package-Import
etc. to AAA Shiro internals. (This opens the door both to more
independently evolve aaa-shiro internals, and allows for possible
alternative implementations, later.)
This also makes aaa-shiro secure its own IdmLightApplication REST
endpoints using the same approach, which avoids copy/paste of the
AAAShiroFilter and the KarafIniWebEnvironmentLoaderListener it needs
between the WebInitializer and the ShiroWebContextSecurer.
Change-Id: Ia3a16df71384610a75acf3d28205c973c554d477
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Mon, 19 Mar 2018 14:17:20 +0000 (15:17 +0100)]
ditch HashCodeUtil, and use JDK Objects.hash() instead
having a utility like this in Guava and in the JDK is probably 1 too
much, let us not have another one doing the exact same thing in AAA as
well.
Change-Id: Icb19d3e5aed73eb46dee1394be0ae06181ab6ef4
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Tom Pantelis [Sun, 18 Mar 2018 00:43:44 +0000 (20:43 -0400)]
Enable findbugs in aaa-parent
Change-Id: I6062ddfa44de6cba7540beea5fbb8d215d3ca2d1
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sun, 18 Mar 2018 00:36:09 +0000 (20:36 -0400)]
Fix findbugs violations in aaa-cli
- Method may fail to close stream
- Reliance on default encoding
- Incorrect lazy initialization of static field
- Unread field: should this field be static?
- Write to static field from instance method
Change-Id: If91c0ea5997490468d030cab3aead2825fbe9c9e
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 13:38:50 +0000 (09:38 -0400)]
Fix findbugs violations in aaa-authn-api
- Equals method should not assume anything about the type of its argument
- Reliance on default encoding
- Dead store to local variable
- Possible null pointer dereference on branch that might be infeasible
- Field not initialized in constructor but dereferenced without null check
Change-Id: Ia7a47d3b3b6a9729263c7c42656f14791edefccc
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 15:39:37 +0000 (11:39 -0400)]
Fix findbugs violations in aaa-filterchain
- May expose internal representation by returning reference to mutable object
- Inefficient use of keySet iterator instead of entrySet iterator
- Field not initialized in constructor but dereferenced without null check
Change-Id: Idd92e1beb6998a6968ae6be3b5f1e83ae1ca50d7
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 12:50:56 +0000 (08:50 -0400)]
Move checkstyle config to aaa-parent
Change-Id: I0d9b6fc2f2eec27f2d438148bd3cb148901d72ff
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 17:08:59 +0000 (13:08 -0400)]
Fix findbugs violations in aaa-shiro
- Possible null pointer dereference
- Class names shouldn't shadow simple name of implemented interface
- Method may fail to close database resource
- Non-transient non-serializable instance field in serializable class
- Non-serializable class has a serializable inner class
- Class is Serializable, but doesn't define serialVersionUID
- Consider using Locale parameterized version of invoked method
- Reliance on default encoding
- May expose internal representation by returning reference to mutable object
- Method invokes toString() method on a String
- Private method is never called
- Unread field
- Nonconstant string passed to execute or addBatch method on an SQL statement
- Unchecked/unconfirmed cast
- Dead store to local variable
- Class implements same interface as superclass
- Redundant nullcheck of value known to be non-null
- Exception is caught when Exception is not thrown
- Useless control flow
Change-Id: I224e0fb71f3570f69fa1963e89b8c687a464156a
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 15:16:56 +0000 (11:16 -0400)]
Fix findbugs violations in aaa-cert
- Null pointer dereference
- Method ignores exceptional return value
- Method ignores results of InputStream.read()
- Method may fail to clean up stream or resource
- Method may fail to close stream on exception
- Reliance on default encoding
- Consider returning a zero length array rather than null
- Redundant nullcheck of value known to be non-null
- Potentially dangerous use of non-short-circuit logic
Change-Id: Iab2905488bbe2d4b9be3e92c69e49e5eb0129958
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 14:20:35 +0000 (10:20 -0400)]
Fix findbugs violations in aaa-encrypt-service
- Method may fail to clean up stream or resource
- Reliance on default encoding
- Method invokes inefficient new String(String) constructor
- Unchecked/unconfirmed cast
Change-Id: I0dd13b306a684167bacdf94648369150f365d590
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 12:20:17 +0000 (08:20 -0400)]
Derive all code sub-projects from aaa-parent
We can then centralize configs for CS and findbugs etc.
Change-Id: Iecca472fb7de14b34cf88b34765f7741d4e3c60b
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
David Suarez [Sun, 11 Mar 2018 15:37:20 +0000 (16:37 +0100)]
Fix checkstyle issues to enforce it
Change-Id: I77b3e119c7cd972f1f2f141f5adfdeab6c518ead
Signed-off-by: David Suarez <david.suarez.fuentes@gmail.com>
Tom Pantelis [Sat, 17 Mar 2018 01:24:05 +0000 (21:24 -0400)]
Remove static AuthenticationManager instance
It's only used by UT's.
Change-Id: I25271cd06d578942b7cf9cd35a38a338c5527f29
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Fri, 16 Mar 2018 22:59:35 +0000 (18:59 -0400)]
Remove ServiceLocator
Removed the static instance holders in favor of injection.
Change-Id: Iea7beda16450f28af4119995da4768e931086592
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Ryan Goulding [Fri, 16 Mar 2018 15:15:55 +0000 (15:15 +0000)]
Merge "Eliminate injection of AAAShiroProvider"
Ryan Goulding [Fri, 16 Mar 2018 15:02:53 +0000 (15:02 +0000)]
Merge "New shiro EnvironmentLoaderListener"
Tom Pantelis [Thu, 15 Mar 2018 18:36:25 +0000 (14:36 -0400)]
Eliminate injection of AAAShiroProvider
AAAShiroProvider is used as a holder for some instances and is injected
into other components just to access those instances. It's better to
directly inject the instances instead of having a dependency on
AAAShiroProvider.
Change-Id: Iaed51ae360360b3460c419eb4be2d4ffe3fdf558
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Tom Pantelis [Thu, 15 Mar 2018 16:40:17 +0000 (12:40 -0400)]
New shiro EnvironmentLoaderListener
Added ShiroWebEnvironmentLoaderListener and AAAIniWebEnvironment
that inject the required instances instead of obtaining statically.
Change-Id: I5979342b7463a3634e9208eb813f32174c2a4cb4
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Michael Vorburger [Wed, 14 Mar 2018 11:04:14 +0000 (12:04 +0100)]
make PaxWebServer ServiceFactory fail instead of return bogus WebServer
The current implementation may return a bogus defunct noop WebServer
which just ignores Servlet & Filter registrations (and just logs a WARN,
which could easily be overlooked) in case it cannot find the Pax Web
WebContainer service.
This change makes it instead "fail fast" on the WebServer service look
up. Note that the ServiceFactory doc explicitly allows throwing
exceptions; that will be caught and turn into a null service reference,
which whatever is trying to obtain the WebServer must gracefully handle.
Change-Id: Ie4fcbdb125095d353d466958fade98fc759aefd4
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Mon, 12 Mar 2018 22:56:39 +0000 (23:56 +0100)]
Refactor AAAShiroProvider & Co. to be non static
- The IdmLightApplication is now instantiated and injected
with the AAAShiroProvider and passed to the ServletContainer
instead of the ServletContainer instantiating it via reflection.
- For KarafIniWebEnvironmentLoaderListener and KarafIniWebEnvironment,
the initial plan was to inject the AAAShiroProvider however there
are still web.xml files in ODL land that reference
KarafIniWebEnvironment and expect a no-arg ctor. We need to keep
backwards compatibility for a while so I'll follow-up later
to add a new KarafIniWebEnvironmentLoaderListener that is advertised
as a service for programmatic use. KarafIniWebEnvironment was changed
to obtain the ShiroConfiguration statically rather than the
AAAShiroProvider.
- The shiro lib still instantiates the filter/realm etc instances via
reflection. These are specified via String key/value pairs with class names
in the Ini instance. Unfortunately I see no way around this. So
to avoid having to pass our services, eg DataBroker, via statics,
I opted to use ThreadLocals to inject indirectly. This is a bit
ugly but works.
Change-Id: I8f5114802c76cbd2b4bfda69952df2b28557cf8d
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Michael Vorburger [Wed, 14 Mar 2018 10:48:50 +0000 (11:48 +0100)]
use web-api as dependency instead of web-osgi-impl in aaa-shiro
and amend @author in PaxWebServer for credit where credit is due
and some minor logging related clean up in PaxWebServer
Change-Id: Ibc4f4d8fd95f5d5693c11abcad4735af2c3e4d27
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Tom Pantelis [Wed, 14 Mar 2018 02:59:26 +0000 (22:59 -0400)]
AAA-169: Advertise PaxWebServer as an OSGi service
The Pax Web WebContainer implementation registers a ServiceFactory and
uses the class loader of the bundle that obtains the OSGi service
reference. When PaxWebServer is advertised as a service, it causes a
ClassNotFoundEx when initializing shiro b/c it uses the TCCL that is
set by Pax Web obtained from the PaxWebServer's bundle. To alleviate this,
we can advertise a WebServer ServiceFactory so it uses the caller's
bundle to get the WebContainer service.
Change-Id: I591c340ccb0551a8138d07ec79443bc648218baf
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Michael Vorburger [Tue, 27 Feb 2018 20:34:07 +0000 (21:34 +0100)]
replace AAA's web.xml with programmatic registration
This is a first step with a like-for-like transformation;
future changes could go further; notably integrate it with
AAAShiroProvider which, strangely, had separate web registration
not using web.xml, and -likely- (TBC) replace the static
CompletableFuture "hoop" in AAAShiroProvider with normal DI.
Change-Id: I43c5fe90a087e2fbc68f779655c211253775c2db
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Tue, 27 Feb 2018 20:21:14 +0000 (21:21 +0100)]
add web API implementation for OSGi environment, based on Pax Web
usage of this in AAA can be seen in the next commit ("chained")
Change-Id: If298047e2b295ca88d0494dc9733e1d91ee44a12
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Michael Vorburger [Tue, 27 Feb 2018 18:43:56 +0000 (19:43 +0100)]
add new API for programmatic registration of web Servlet, Filter, etc.
implementation & usage of this can be seen in the next "chained" commits
The purpose of this API is to let projects with web components, such as
neutron, aaa or restconf, ditch their respective web.xml. This will have
a number of advantages, some of which are documented in the JavaDoc of
the new WebServer interface and WebContext class.
see also discussion and interest from project neutron re. adoption on:
https://lists.opendaylight.org/pipermail/neutron-dev/2018-February/001587.html
This is the change originally raised in infrautils as
Ib2df87ca31a2bde547efbf73e0475a1cd64ea6ea, but now instead proposed
to aaa, as discussed during the Kernel Projects call on 2018/02/27.
Change-Id: Ib2fb02aa19e49aa482062f18ba84124a9a623364
Signed-off-by: Michael Vorburger <vorburger@redhat.com>
Ryan Goulding [Wed, 7 Mar 2018 15:06:50 +0000 (10:06 -0500)]
AAA-168: Remove embedded h2 dependency
This was code inherited from a long time ago and punted around AAA
without any real cleanup. I am not sure why the original authors
decided to embed the dependency rather than just import it, but this
causes several issues. This patch removes the embedded h2 dependency
in favor of direct import. While I recognize that other parts of
ImportPackage need to be cleaned, they will be done in a subsequent
patch since they are separate concepts than what is done here.
In other words, expect follow-ups to continue cleaning.
aaa-cli-jar relied on aaa-shiro shading the com.h2database:h2 jar,
so I instead added it as a compile time dependency for the module
and extracted the appropriate files for the generated jar in the
maven-shade-plugin configuration.
Change-Id: I9267f1373ddc5b8af0304fd5719dcc96b8874c32
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>
Ryan Goulding [Mon, 5 Mar 2018 16:11:57 +0000 (11:11 -0500)]
AAA-167: Refresh test cert
Test cert used in UT for AAA was expired causing failures. For now,
a 10 year cert is added to unblock the release. Later, the tests
will be refactored to generate the key on the fly.
Change-Id: Ic1da844b2ffa841691f61f82106f24e0cb27bafe
Signed-off-by: Ryan Goulding <ryandgoulding@gmail.com>