1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * Copyright © 2017 Amdocs
\r
7 * * ===========================================================================
\r
8 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
9 * * you may not use this file except in compliance with the License.
\r
10 * * You may obtain a copy of the License at
\r
12 * * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * * Unless required by applicable law or agreed to in writing, software
\r
15 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
16 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
17 * * See the License for the specific language governing permissions and
\r
18 * * limitations under the License.
\r
19 * * ============LICENSE_END====================================================
\r
21 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
23 ******************************************************************************/
\r
24 package com.att.cadi.aaf.v2_0;
\r
26 import com.att.aft.dme2.api.DME2Exception;
\r
27 import com.att.cadi.AbsUserCache;
\r
28 import com.att.cadi.CachedPrincipal;
\r
29 import com.att.cadi.GetCred;
\r
30 import com.att.cadi.Hash;
\r
31 import com.att.cadi.User;
\r
32 import com.att.cadi.aaf.AAFPermission;
\r
33 import com.att.cadi.client.Future;
\r
34 import com.att.cadi.client.Rcli;
\r
35 import com.att.cadi.config.Config;
\r
36 import com.att.cadi.lur.ConfigPrincipal;
\r
37 import com.att.inno.env.APIException;
\r
39 public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> {
\r
40 private AAFCon<CLIENT> con;
\r
41 private String realm;
\r
44 * Configure with standard AAF properties, stand-alone (this instance uses its own cache).
\r
46 * @throws Exception
\r
48 // Package on purpose
\r
49 AAFAuthn(AAFCon<CLIENT> con) throws Exception {
\r
// Cache parameters (cleanInterval, highCount, usageRefreshTriggerCount) are taken from the AAFCon instance.
50 super(con.access,con.cleanInterval,con.highCount,con.usageRefreshTriggerCount);
\r
55 } catch (APIException e) {
\r
// When the APIException wraps a DME2Exception (AAF could not be contacted), construction does not
// fail: the realm falls back to the configured default. Other branches of this handler are not
// visible in this rendering.
56 if(e.getCause() instanceof DME2Exception) {
\r
57 // Can't contact AAF, assume default
\r
58 realm=con.access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm());
\r
64 * Configure with standard AAF properties, but share the cache (with the AAF Lur).
\r
66 * @throws Exception
\r
68 // Package on purpose
\r
69 AAFAuthn(AAFCon<CLIENT> con, AbsUserCache<AAFPermission> cache) throws Exception {
\r
// NOTE(review): this constructor catches Exception, whereas the single-argument constructor
// catches APIException for the same DME2Exception fallback — confirm the broader catch is intended.
74 } catch (Exception e) {
\r
// When the cause is a DME2Exception (AAF could not be contacted), fall back to the configured
// default realm instead of failing construction.
75 if(e.getCause() instanceof DME2Exception) {
\r
77 // Can't contact AAF, assume default
\r
78 realm=con.access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm());
\r
83 private void setRealm() throws Exception {
\r
84 // Make a call without security set to get the 401 response, which
\r
85 // includes the Realm of the server
\r
86 // This also checks on Connectivity early on.
\r
87 Future<String> fp = con.client(AAFCon.AAF_VERSION).read("/authn/basicAuth", "text/plain");
\r
// If the unauthenticated read succeeds, credentials were already preset on the client;
// refuse rather than continue with an unexpected identity.
88 if(fp.get(con.timeout)) {
\r
89 throw new Exception("Do not preset Basic Auth Information for AAFAuthn");
\r
91 if(fp.code()==401) {
\r
// The realm is taken from a server-supplied header; only the literal prefix is verified below.
92 realm = fp.header("WWW-Authenticate");
\r
93 if(realm!=null && realm.startsWith("Basic realm=\"")) {
\r
// NOTE(review): 13 is the length of the checked prefix. If the header is exactly that prefix,
// substring(13, 12) throws StringIndexOutOfBoundsException; and the trailing character is
// dropped without checking that it is the closing quote.
94 realm = realm.substring(13, realm.length()-1);
\r
// Header absent or not in the expected Basic form: use a placeholder realm.
96 realm = "unknown.com";
\r
103 * Returns the native realm of the AAF instance.
\r
107 public String getRealm() {
\r
112 * Returns null if the credentials validate, otherwise an error string.
\r
117 * @throws Exception
\r
119 public String validate(String user, String password) throws Exception {
\r
120 User<AAFPermission> usr = getUser(user);
\r
// Values carrying the "enc:???" marker are decrypted before use.
121 if(password.startsWith("enc:???")) {
\r
122 password = access.decrypt(password, true);
\r
// NOTE(review): getBytes() uses the platform default charset, as does new String(getCred())
// in AAFCachedPrincipal.revalidate(); non-ASCII passwords are therefore only encoded
// consistently within one JVM charset. Confirm whether an explicit charset is intended.
125 byte[] bytes = password.getBytes();
\r
// Fast path: a cached principal for this exact user name that exposes its credential.
126 if(usr != null && usr.principal != null && usr.principal.getName().equals(user)
\r
127 && usr.principal instanceof GetCred) {
\r
// NOTE(review): this compares a password; whether Hash.isEqual is constant-time is not
// visible here — confirm.
129 if(Hash.isEqual(((GetCred)usr.principal).getCred(),bytes)) {
\r
// Build a principal that carries the credential bytes and have it validate against AAF.
// NOTE(review): the principal keeps the raw password bytes for its cache lifetime — confirm
// this is acceptable.
137 AAFCachedPrincipal cp = new AAFCachedPrincipal(this,con.app, user, bytes, con.cleanInterval);
\r
138 // Since I've relocated the Validation piece in the Principal, just revalidate, then do Switch
\r
140 switch(cp.revalidate()) {
\r
143 usr.principal = cp;
\r
145 addUser(new User<AAFPermission>(cp,con.timeout));
\r
// AAF being unreachable is reported distinctly from a bad credential.
149 return "AAF Inaccessible";
\r
151 return "User/Pass combo invalid";
\r
// Reached when the cached principal does not expose a credential (not a GetCred).
153 return "AAFAuthn doesn't handle this Principal";
\r
157 private class AAFCachedPrincipal extends ConfigPrincipal implements CachedPrincipal {
\r
158 private long expires,timeToLive;
\r
// Wraps a name/credential pair with an expiry. timeToLive is added to
// System.currentTimeMillis(), so it is in milliseconds.
160 public AAFCachedPrincipal(AAFAuthn<?> aaf, String app, String name, byte[] pass, int timeToLive) {
\r
162 this.timeToLive = timeToLive;
\r
163 expires = timeToLive + System.currentTimeMillis();
\r
// Re-checks this principal's credential against AAF and refreshes the cache entry on success.
166 public Resp revalidate() {
\r
// Consult the miss record for this name first; mayContinue() decides whether AAF is contacted again.
168 Miss missed = missed(getName());
\r
169 if(missed==null || missed.mayContinue(getCred())) {
\r
// NOTE(review): new String(getCred()) uses the platform default charset and creates an
// unscrubbable String copy of the password; confirm it matches how the bytes were produced.
170 Rcli<CLIENT> client = con.client(AAFCon.AAF_VERSION).forUser(con.basicAuth(getName(), new String(getCred())));
\r
171 Future<String> fp = client.read(
\r
172 "/authn/basicAuth",
\r
// Success: extend the expiry and re-register the principal in the cache.
175 if(fp.get(con.timeout)) {
\r
176 expires = System.currentTimeMillis() + timeToLive;
\r
177 addUser(new User<AAFPermission>(this, expires));
\r
178 return Resp.REVALIDATED;
\r
// Rejected by AAF: record the miss so repeated attempts with this credential can be throttled.
180 addMiss(getName(), getCred());
\r
181 return Resp.UNVALIDATED;
\r
184 return Resp.UNVALIDATED;
\r
// Any failure while contacting AAF is reported as INACCESSIBLE, not as a bad credential.
186 } catch (Exception e) {
\r
188 return Resp.INACCESSIBLE;
\r
192 public long expires() {
\r