[AAF-21] Initial code import

[aaf/cadi.git] / aaf / src / main / java / com / att / cadi / aaf / v2_0 / AAFTaf.java

/*******************************************************************************\r
 * ============LICENSE_START====================================================\r
 * * org.onap.aai\r
 * * ===========================================================================\r
 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
 * * Copyright © 2017 Amdocs\r
 * * ===========================================================================\r
 * * Licensed under the Apache License, Version 2.0 (the "License");\r
 * * you may not use this file except in compliance with the License.\r
 * * You may obtain a copy of the License at\r
 * * \r
 *  *      http://www.apache.org/licenses/LICENSE-2.0\r
 * * \r
 *  * Unless required by applicable law or agreed to in writing, software\r
 * * distributed under the License is distributed on an "AS IS" BASIS,\r
 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 * * See the License for the specific language governing permissions and\r
 * * limitations under the License.\r
 * * ============LICENSE_END====================================================\r
 * *\r
 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
 * *\r
 ******************************************************************************/\r
package com.att.cadi.aaf.v2_0;\r
\r
import java.io.IOException;\r
import java.security.Principal;\r
\r
import javax.servlet.http.HttpServletRequest;\r
import javax.servlet.http.HttpServletResponse;\r
\r
import com.att.cadi.AbsUserCache;\r
import com.att.cadi.Access.Level;\r
import com.att.cadi.CachedPrincipal;\r
import com.att.cadi.CachedPrincipal.Resp;\r
import com.att.cadi.GetCred;\r
import com.att.cadi.Hash;\r
import com.att.cadi.Taf.LifeForm;\r
import com.att.cadi.User;\r
import com.att.cadi.aaf.AAFPermission;\r
import com.att.cadi.client.Future;\r
import com.att.cadi.client.Rcli;\r
import com.att.cadi.principal.BasicPrincipal;\r
import com.att.cadi.principal.CachedBasicPrincipal;\r
import com.att.cadi.taf.HttpTaf;\r
import com.att.cadi.taf.TafResp;\r
import com.att.cadi.taf.TafResp.RESP;\r
import com.att.cadi.taf.basic.BasicHttpTafResp;\r
\r
public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpTaf {\r
//      private static final String INVALID_AUTH_TOKEN = "Invalid Auth Token";\r
//      private static final String AUTHENTICATING_SERVICE_UNAVAILABLE = "Authenticating Service unavailable";\r
        private AAFCon<CLIENT> aaf;\r
        private boolean warn;\r
\r
        public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning) {\r
                super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount);\r
                aaf = con;\r
                warn = turnOnWarning;\r
        }\r
\r
        public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {\r
                super(other);\r
                aaf = con;\r
                warn = turnOnWarning;\r
        }\r
\r
        public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {\r
                //TODO Do we allow just anybody to validate?\r
\r
                // Note: Either Carbon or Silicon based LifeForms ok\r
                String authz = req.getHeader("Authorization");\r
                if(authz != null && authz.startsWith("Basic ")) {\r
                        if(warn&&!req.isSecure())aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");\r
                        try {\r
                                CachedBasicPrincipal bp;\r
                                if(req.getUserPrincipal() instanceof CachedBasicPrincipal) {\r
                                        bp = (CachedBasicPrincipal)req.getUserPrincipal();\r
                                } else {\r
                                        bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires);\r
                                }\r
                                // First try Cache\r
                                User<AAFPermission> usr = getUser(bp);\r
                                if(usr != null && usr.principal != null) {\r
                                        if(usr.principal instanceof GetCred) {\r
                                                if(Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) {\r
                                                        return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);\r
                                                }\r
                                        }\r
                                }\r
                                \r
                                Miss miss = missed(bp.getName());\r
                                if(miss!=null && !miss.mayContinue(bp.getCred())) {\r
                                        return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,\r
                                                        "User/Pass Retry limit exceeded"), \r
                                                        RESP.FAIL,resp,aaf.getRealm(),true);\r
                                }\r
                                \r
                                Rcli<CLIENT> userAAF = aaf.client(AAFCon.AAF_LATEST_VERSION).forUser(aaf.basicAuthSS(bp));\r
                                Future<String> fp = userAAF.read("/authn/basicAuth", "text/plain");\r
                                if(fp.get(aaf.timeout)) {\r
                                        if(usr!=null) {\r
                                                usr.principal = bp;\r
                                        } else {\r
                                                addUser(new User<AAFPermission>(bp,aaf.userExpires));\r
                                        }\r
                                        return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);\r
                                } else {\r
                                        // Note: AddMiss checks for miss==null, and is part of logic\r
                                        boolean rv= addMiss(bp.getName(),bp.getCred());\r
                                        if(rv) {\r
                                                return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,\r
                                                                "User/Pass combo invalid via AAF"), \r
                                                                RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);\r
                                        } else {\r
                                                return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,\r
                                                                "User/Pass combo invalid via AAF - Retry limit exceeded"), \r
                                                                RESP.FAIL,resp,aaf.getRealm(),true);\r
                                        }\r
                                }\r
                        } catch (IOException e) {\r
                                String msg = buildMsg(null,req,"Invalid Auth Token");\r
                                aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');\r
                                return new BasicHttpTafResp(aaf.access,null,msg, RESP.TRY_AUTHENTICATING, resp, aaf.getRealm(),true);\r
                        } catch (Exception e) {\r
                                String msg = buildMsg(null,req,"Authenticating Service unavailable");\r
                                aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');\r
                                return new BasicHttpTafResp(aaf.access,null,msg, RESP.FAIL, resp, aaf.getRealm(),false);\r
                        }\r
                }\r
                return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false);\r
        }\r
        \r
        private String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {\r
                StringBuilder sb = new StringBuilder();\r
                for(Object s : msg) {\r
                        sb.append(s.toString());\r
                }\r
                if(pr!=null) {\r
                        sb.append(" for ");\r
                        sb.append(pr.getName());\r
                }\r
                sb.append(" from ");\r
                sb.append(req.getRemoteAddr());\r
                sb.append(':');\r
                sb.append(req.getRemotePort());\r
                return sb.toString();\r
        }\r
\r
\r
        \r
        public Resp revalidate(CachedPrincipal prin) {\r
                //  !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal\r
                if(prin instanceof BasicPrincipal) {\r
                        Future<String> fp;\r
                        try {\r
                                Rcli<CLIENT> userAAF = aaf.client(AAFCon.AAF_LATEST_VERSION).forUser(aaf.transferSS(prin));\r
                                fp = userAAF.read("/authn/basicAuth", "text/plain");\r
                                return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED;\r
                        } catch (Exception e) {\r
                                aaf.access.log(e, "Cannot Revalidate",prin.getName());\r
                                return Resp.INACCESSIBLE;\r
                        }\r
                }\r
                return Resp.NOT_MINE;\r
        }\r
\r
}\r