1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * Copyright © 2017 Amdocs
\r
7 * * ===========================================================================
\r
8 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
9 * * you may not use this file except in compliance with the License.
\r
10 * * You may obtain a copy of the License at
\r
12 * * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * * Unless required by applicable law or agreed to in writing, software
\r
15 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
16 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
17 * * See the License for the specific language governing permissions and
\r
18 * * limitations under the License.
\r
19 * * ============LICENSE_END====================================================
\r
21 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
23 ******************************************************************************/
\r
24 package com.att.cadi.aaf.v2_0;
\r
26 import java.io.IOException;
\r
27 import java.security.Principal;
\r
29 import javax.servlet.http.HttpServletRequest;
\r
30 import javax.servlet.http.HttpServletResponse;
\r
32 import com.att.cadi.AbsUserCache;
\r
33 import com.att.cadi.Access.Level;
\r
34 import com.att.cadi.CachedPrincipal;
\r
35 import com.att.cadi.CachedPrincipal.Resp;
\r
36 import com.att.cadi.GetCred;
\r
37 import com.att.cadi.Hash;
\r
38 import com.att.cadi.Taf.LifeForm;
\r
39 import com.att.cadi.User;
\r
40 import com.att.cadi.aaf.AAFPermission;
\r
41 import com.att.cadi.client.Future;
\r
42 import com.att.cadi.client.Rcli;
\r
43 import com.att.cadi.principal.BasicPrincipal;
\r
44 import com.att.cadi.principal.CachedBasicPrincipal;
\r
45 import com.att.cadi.taf.HttpTaf;
\r
46 import com.att.cadi.taf.TafResp;
\r
47 import com.att.cadi.taf.TafResp.RESP;
\r
48 import com.att.cadi.taf.basic.BasicHttpTafResp;
\r
50 public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpTaf {
\r
51 // private static final String INVALID_AUTH_TOKEN = "Invalid Auth Token";
\r
52 // private static final String AUTHENTICATING_SERVICE_UNAVAILABLE = "Authenticating Service unavailable";
\r
53 private AAFCon<CLIENT> aaf;
\r
54 private boolean warn;
\r
56 public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning) {
\r
57 super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount);
\r
59 warn = turnOnWarning;
\r
62 public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {
\r
65 warn = turnOnWarning;
\r
68 public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
\r
69 //TODO Do we allow just anybody to validate?
\r
71 // Note: Either Carbon or Silicon based LifeForms ok
\r
72 String authz = req.getHeader("Authorization");
\r
73 if(authz != null && authz.startsWith("Basic ")) {
\r
74 if(warn&&!req.isSecure())aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
\r
76 CachedBasicPrincipal bp;
\r
77 if(req.getUserPrincipal() instanceof CachedBasicPrincipal) {
\r
78 bp = (CachedBasicPrincipal)req.getUserPrincipal();
\r
80 bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires);
\r
83 User<AAFPermission> usr = getUser(bp);
\r
84 if(usr != null && usr.principal != null) {
\r
85 if(usr.principal instanceof GetCred) {
\r
86 if(Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) {
\r
87 return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
\r
92 Miss miss = missed(bp.getName());
\r
93 if(miss!=null && !miss.mayContinue(bp.getCred())) {
\r
94 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
\r
95 "User/Pass Retry limit exceeded"),
\r
96 RESP.FAIL,resp,aaf.getRealm(),true);
\r
99 Rcli<CLIENT> userAAF = aaf.client(AAFCon.AAF_LATEST_VERSION).forUser(aaf.basicAuthSS(bp));
\r
100 Future<String> fp = userAAF.read("/authn/basicAuth", "text/plain");
\r
101 if(fp.get(aaf.timeout)) {
\r
103 usr.principal = bp;
\r
105 addUser(new User<AAFPermission>(bp,aaf.userExpires));
\r
107 return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
\r
109 // Note: AddMiss checks for miss==null, and is part of logic
\r
110 boolean rv= addMiss(bp.getName(),bp.getCred());
\r
112 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
\r
113 "User/Pass combo invalid via AAF"),
\r
114 RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);
\r
116 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
\r
117 "User/Pass combo invalid via AAF - Retry limit exceeded"),
\r
118 RESP.FAIL,resp,aaf.getRealm(),true);
\r
121 } catch (IOException e) {
\r
122 String msg = buildMsg(null,req,"Invalid Auth Token");
\r
123 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
\r
124 return new BasicHttpTafResp(aaf.access,null,msg, RESP.TRY_AUTHENTICATING, resp, aaf.getRealm(),true);
\r
125 } catch (Exception e) {
\r
126 String msg = buildMsg(null,req,"Authenticating Service unavailable");
\r
127 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
\r
128 return new BasicHttpTafResp(aaf.access,null,msg, RESP.FAIL, resp, aaf.getRealm(),false);
\r
131 return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false);
\r
134 private String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {
\r
135 StringBuilder sb = new StringBuilder();
\r
136 for(Object s : msg) {
\r
137 sb.append(s.toString());
\r
140 sb.append(" for ");
\r
141 sb.append(pr.getName());
\r
143 sb.append(" from ");
\r
144 sb.append(req.getRemoteAddr());
\r
146 sb.append(req.getRemotePort());
\r
147 return sb.toString();
\r
152 public Resp revalidate(CachedPrincipal prin) {
\r
153 // !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal
\r
154 if(prin instanceof BasicPrincipal) {
\r
157 Rcli<CLIENT> userAAF = aaf.client(AAFCon.AAF_LATEST_VERSION).forUser(aaf.transferSS(prin));
\r
158 fp = userAAF.read("/authn/basicAuth", "text/plain");
\r
159 return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED;
\r
160 } catch (Exception e) {
\r
161 aaf.access.log(e, "Cannot Revalidate",prin.getName());
\r
162 return Resp.INACCESSIBLE;
\r
165 return Resp.NOT_MINE;
\r