2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright (C) 2017,2019 AT&T Intellectual Property. All rights reserved.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
21 package org.onap.policy.pdp.rest.restauth;
23 import com.att.research.xacml.util.XACMLProperties;
24 import java.io.FileInputStream;
25 import java.io.IOException;
26 import java.io.InputStream;
27 import java.nio.charset.StandardCharsets;
28 import java.nio.file.Path;
29 import java.nio.file.Paths;
30 import java.util.ArrayList;
31 import java.util.Arrays;
32 import java.util.Base64;
33 import java.util.Collections;
34 import java.util.HashMap;
35 import java.util.List;
37 import java.util.Properties;
38 import java.util.StringTokenizer;
39 import javax.servlet.ServletRequest;
40 import org.apache.commons.lang3.StringUtils;
41 import org.onap.policy.api.PolicyEngineException;
42 import org.onap.policy.common.logging.eelf.MessageCodes;
43 import org.onap.policy.common.logging.flexlogger.FlexLogger;
44 import org.onap.policy.common.logging.flexlogger.Logger;
45 import org.onap.policy.rest.XACMLRestProperties;
46 import org.onap.policy.utils.AAFPolicyClient;
47 import org.onap.policy.utils.AAFPolicyException;
48 import org.onap.policy.utils.PeCryptoUtils;
49 import org.onap.policy.utils.PolicyUtils;
50 import org.onap.policy.xacml.api.XACMLErrorConstants;
52 public class AuthenticationService {
53 private static final Logger LOGGER = FlexLogger.getLogger(AuthenticationService.class);
54 private static String environment = null;
55 private static Path clientPath = null;
56 private static Map<String, ArrayList<String>> clientMap = null;
57 private static Long oldModified = null;
58 private static AAFPolicyClient aafClient = null;
60 private AuthenticationService() {
61 // Private Constructor
65 * Set Property by reading the properties File.
67 private static void setProperty() {
68 environment = XACMLProperties.getProperty("ENVIRONMENT", "DEVL");
69 String clientFile = XACMLProperties.getProperty(XACMLRestProperties.PROP_PEP_IDFILE);
70 if (clientFile != null) {
71 clientPath = Paths.get(clientFile);
74 aafClient = AAFPolicyClient.getInstance(XACMLProperties.getProperties());
75 } catch (AAFPolicyException | IOException e) {
76 LOGGER.error(MessageCodes.ERROR_SYSTEM_ERROR, e, "AAF Client Not instantiated properly.");
81 * Gets the environment.
83 * @return the environment
85 public static String getEnvironment() {
86 if (environment == null) {
92 private static String reverseNamespace(String namespace) {
93 final List<String> components = Arrays.asList(namespace.split("\\."));
94 Collections.reverse(components);
95 return String.join(".", components);
99 * Security check for authentication and authorizations.
101 * @param clientAuthHeader the client auth header
102 * @param authHeader the auth header
103 * @param resource the resource
105 * @return true, if successful
107 public static boolean checkPermissions(String clientAuthHeader, String authHeader, String resource, String env,
108 ServletRequest request) {
109 boolean result = false;
110 // check whether env matches
111 result = checkEnv(env);
113 LOGGER.info(XACMLErrorConstants.ERROR_PERMISSIONS + " invalid Environment Header");
116 // decode the user/pwd from the request header
117 String[] userNamePass = getUserInfo(authHeader, clientAuthHeader);
120 // Check Backward Compatibility.
121 request.setAttribute("Mechid", "");
124 * If AAF is NOT enabled in the properties we will allow the user to continue to use the client.properties
125 * file to authenticate. Note: Disabling AAF is for testing purposes and not intended for production.
127 if ("false".equals(XACMLProperties.getProperty("enable_aaf"))) {
128 result = clientAuth(userNamePass);
131 result = aafAuth(userNamePass, resource);
132 request.setAttribute("Mechid", userNamePass[0]);
134 } catch (Exception e) {
135 LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
142 private static boolean checkEnv(String env) {
143 if (StringUtils.isBlank(env)) {
144 // must be old type of req
147 return env.trim().equalsIgnoreCase(getEnvironment());
152 private static boolean aafAuth(String[] userNamePass, String resource) {
153 boolean result = false;
154 String permission = getPermission(resource);
156 String aafPolicyNameSpace = XACMLProperties.getProperty("policy.aaf.namespace");
157 if (!userNamePass[0].contains("@") && aafPolicyNameSpace != null) {
158 userNamePass[0] = userNamePass[0] + "@" + reverseNamespace(aafPolicyNameSpace);
160 LOGGER.info("No AAF NameSpace specified in properties");
163 LOGGER.info("Contacting AAF in : " + environment);
164 result = aafClient.checkAuthPerm(userNamePass[0], userNamePass[1], permission, environment, "*");
167 } catch (Exception e) {
168 LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
173 private static String getPermission(String resource) {
174 String aafResource = XACMLProperties.getProperty("policy.aaf.root.permission");
175 String perm = resource;
176 if (StringUtils.containsIgnoreCase(perm, "Notification")) {
177 perm = "notification";
178 } else if (StringUtils.containsIgnoreCase(perm, "heartbeat")) {
179 perm = "notification";
180 } else if (StringUtils.containsIgnoreCase(perm, "createDictionary")) {
181 perm = "createDictionary";
182 } else if (StringUtils.containsIgnoreCase(perm, "updateDictionary")) {
183 perm = "updateDictionary";
184 } else if (StringUtils.containsIgnoreCase(perm, "getDictionary")) {
185 perm = "getDictionary";
186 } else if (StringUtils.containsIgnoreCase(perm, "create")) {
187 perm = "createPolicy";
188 } else if (StringUtils.containsIgnoreCase(perm, "update")) {
189 perm = "updatePolicy";
192 if (!StringUtils.isBlank(aafResource)) {
193 perm = aafResource + "." + perm;
195 LOGGER.info("No AAF Resource specified in properties");
200 private static Boolean clientAuth(String[] userNamePass) {
201 if (clientPath == null) {
204 if (!clientPath.toFile().exists()) {
206 } else if (clientPath.toString().endsWith(".properties")) {
208 readProps(clientPath);
209 if (clientMap.containsKey(userNamePass[0])
210 && clientMap.get(userNamePass[0]).get(0).equals(userNamePass[1])) {
213 } catch (PolicyEngineException e) {
214 LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
221 private static Map<String, ArrayList<String>> readProps(Path clientPath) throws PolicyEngineException {
222 if (oldModified != null) {
223 Long newModified = clientPath.toFile().lastModified();
224 if (oldModified.equals(newModified)) {
229 Properties clientProp = new Properties();
230 try (InputStream in = new FileInputStream(clientPath.toFile())) {
232 } catch (IOException e) {
233 LOGGER.error(XACMLErrorConstants.ERROR_SYSTEM_ERROR, e);
234 throw new PolicyEngineException(XACMLErrorConstants.ERROR_SYSTEM_ERROR + "Cannot Load the Properties file",
237 // Read the Properties and Load the Clients and their scopes.
238 clientMap = new HashMap<>();
240 for (Object propKey : clientProp.keySet()) {
241 String clientId = (String) propKey;
242 String clientValue = clientProp.getProperty(clientId);
243 if (clientValue != null && clientValue.contains(",")) {
244 ArrayList<String> clientValues = new ArrayList<>(Arrays.asList(clientValue.split("\\s*,\\s*")));
245 if (!StringUtils.isBlank(clientValues.get(0))) {
246 clientValues.set(0, PeCryptoUtils.decrypt(clientValues.get(0)));
247 clientMap.put(clientId, clientValues);
251 if (clientMap.isEmpty()) {
252 LOGGER.debug(XACMLErrorConstants.ERROR_PERMISSIONS
253 + "No Clients ID , Client Key and Scopes are available. Cannot serve any Clients !!");
254 throw new PolicyEngineException("Empty Client file");
256 oldModified = clientPath.toFile().lastModified();
260 private static String[] getUserInfo(final String authHeader, final String clientAuthHeader) {
261 String userInfo = authHeader;
262 if (!StringUtils.isBlank(clientAuthHeader)) {
263 userInfo = clientAuthHeader;
266 String[] userNamePass = null;
269 userNamePass = PolicyUtils.decodeBasicEncoding(userInfo);
270 if (userNamePass == null || userNamePass.length == 0) {
271 String usernameAndPassword = null;
272 byte[] decodedBytes = Base64.getDecoder().decode(userInfo);
273 usernameAndPassword = new String(decodedBytes, StandardCharsets.UTF_8);
274 StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":");
275 String username = tokenizer.nextToken();
276 String password = tokenizer.nextToken();
277 userNamePass = new String[] {username, password};
279 LOGGER.info("User " + userNamePass[0] + " is Accessing Policy Engine API - ");
280 } catch (Exception e) {
281 LOGGER.error(MessageCodes.ERROR_PERMISSIONS, e);
282 return new String[0];