1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package org.onap.aaf.cadi.aaf.v2_0;
\r
25 import java.io.IOException;
\r
26 import java.security.Principal;
\r
28 import javax.servlet.http.HttpServletRequest;
\r
29 import javax.servlet.http.HttpServletResponse;
\r
31 import org.onap.aaf.cadi.AbsUserCache;
\r
32 import org.onap.aaf.cadi.CachedPrincipal;
\r
33 import org.onap.aaf.cadi.GetCred;
\r
34 import org.onap.aaf.cadi.Hash;
\r
35 import org.onap.aaf.cadi.User;
\r
36 import org.onap.aaf.cadi.Access.Level;
\r
37 import org.onap.aaf.cadi.CachedPrincipal.Resp;
\r
38 import org.onap.aaf.cadi.Taf.LifeForm;
\r
39 import org.onap.aaf.cadi.aaf.AAFPermission;
\r
40 import org.onap.aaf.cadi.client.Future;
\r
41 import org.onap.aaf.cadi.client.Rcli;
\r
42 import org.onap.aaf.cadi.principal.BasicPrincipal;
\r
43 import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
\r
44 import org.onap.aaf.cadi.taf.HttpTaf;
\r
45 import org.onap.aaf.cadi.taf.TafResp;
\r
46 import org.onap.aaf.cadi.taf.TafResp.RESP;
\r
47 import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp;
\r
49 public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpTaf {
\r
50 // private static final String INVALID_AUTH_TOKEN = "Invalid Auth Token";
\r
51 // private static final String AUTHENTICATING_SERVICE_UNAVAILABLE = "Authenticating Service unavailable";
\r
52 private AAFCon<CLIENT> aaf;
\r
53 private boolean warn;
\r
55 public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning) {
\r
56 super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount);
\r
58 warn = turnOnWarning;
\r
61 public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {
\r
64 warn = turnOnWarning;
\r
67 public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
\r
68 //TODO Do we allow just anybody to validate?
\r
70 // Note: Either Carbon or Silicon based LifeForms ok
\r
71 String authz = req.getHeader("Authorization");
\r
72 if(authz != null && authz.startsWith("Basic ")) {
\r
73 if(warn&&!req.isSecure())aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
\r
75 CachedBasicPrincipal bp;
\r
76 if(req.getUserPrincipal() instanceof CachedBasicPrincipal) {
\r
77 bp = (CachedBasicPrincipal)req.getUserPrincipal();
\r
79 bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires);
\r
82 User<AAFPermission> usr = getUser(bp);
\r
83 if(usr != null && usr.principal != null) {
\r
84 if(usr.principal instanceof GetCred) {
\r
85 if(Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) {
\r
86 return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
\r
91 Miss miss = missed(bp.getName());
\r
92 if(miss!=null && !miss.mayContinue(bp.getCred())) {
\r
93 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
\r
94 "User/Pass Retry limit exceeded"),
\r
95 RESP.FAIL,resp,aaf.getRealm(),true);
\r
98 Rcli<CLIENT> userAAF = aaf.client(AAFCon.AAF_LATEST_VERSION).forUser(aaf.basicAuthSS(bp));
\r
99 Future<String> fp = userAAF.read("/authn/basicAuth", "text/plain");
\r
100 if(fp.get(aaf.timeout)) {
\r
102 usr.principal = bp;
\r
104 addUser(new User<AAFPermission>(bp,aaf.userExpires));
\r
106 return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
\r
108 // Note: AddMiss checks for miss==null, and is part of logic
\r
109 boolean rv= addMiss(bp.getName(),bp.getCred());
\r
111 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
\r
112 "User/Pass combo invalid via AAF"),
\r
113 RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);
\r
115 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
\r
116 "User/Pass combo invalid via AAF - Retry limit exceeded"),
\r
117 RESP.FAIL,resp,aaf.getRealm(),true);
\r
120 } catch (IOException e) {
\r
121 String msg = buildMsg(null,req,"Invalid Auth Token");
\r
122 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
\r
123 return new BasicHttpTafResp(aaf.access,null,msg, RESP.TRY_AUTHENTICATING, resp, aaf.getRealm(),true);
\r
124 } catch (Exception e) {
\r
125 String msg = buildMsg(null,req,"Authenticating Service unavailable");
\r
126 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
\r
127 return new BasicHttpTafResp(aaf.access,null,msg, RESP.FAIL, resp, aaf.getRealm(),false);
\r
130 return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false);
\r
133 private String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {
\r
134 StringBuilder sb = new StringBuilder();
\r
135 for(Object s : msg) {
\r
136 sb.append(s.toString());
\r
139 sb.append(" for ");
\r
140 sb.append(pr.getName());
\r
142 sb.append(" from ");
\r
143 sb.append(req.getRemoteAddr());
\r
145 sb.append(req.getRemotePort());
\r
146 return sb.toString();
\r
151 public Resp revalidate(CachedPrincipal prin) {
\r
152 // !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal
\r
153 if(prin instanceof BasicPrincipal) {
\r
156 Rcli<CLIENT> userAAF = aaf.client(AAFCon.AAF_LATEST_VERSION).forUser(aaf.transferSS(prin));
\r
157 fp = userAAF.read("/authn/basicAuth", "text/plain");
\r
158 return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED;
\r
159 } catch (Exception e) {
\r
160 aaf.access.log(e, "Cannot Revalidate",prin.getName());
\r
161 return Resp.INACCESSIBLE;
\r
164 return Resp.NOT_MINE;
\r