2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
21 package org.onap.aai.aaf.auth;
23 import com.fasterxml.jackson.core.JsonProcessingException;
24 import com.google.gson.JsonArray;
25 import com.google.gson.JsonElement;
26 import com.google.gson.JsonObject;
27 import com.google.gson.JsonParser;
30 import java.io.FileNotFoundException;
31 import java.io.UnsupportedEncodingException;
32 import java.nio.file.Files;
33 import java.nio.file.Paths;
35 import java.util.regex.Matcher;
36 import java.util.regex.Pattern;
37 import java.util.stream.Collectors;
39 import org.eclipse.jetty.util.security.Password;
40 import org.onap.aai.aaf.auth.exceptions.AAIUnrecognizedFunctionException;
41 import org.onap.aai.logging.ErrorLogHelper;
42 import org.onap.aai.util.AAIConfig;
43 import org.onap.aai.util.AAIConstants;
44 import org.slf4j.Logger;
45 import org.slf4j.LoggerFactory;
48 * The Class AAIAuthCore.
50 public final class AAIAuthCore {
52 private static final Logger LOGGER = LoggerFactory.getLogger(AAIAuthCore.class);
54 private static final String ERROR_CODE_AAI_4001 = "AAI_4001";
56 private String globalAuthFileName = AAIConstants.AAI_AUTH_CONFIG_FILENAME;
58 private final Pattern authPolicyPattern;
59 private final Set<String> validFunctions = new HashSet<>();
60 private Map<String, AAIUser> users;
61 private boolean timerSet = false;
62 private Timer timer = null;
64 private String basePath;
67 * Instantiates a new AAI auth core.
69 public AAIAuthCore(String basePath) {
70 this(basePath, AAIConstants.AAI_AUTH_CONFIG_FILENAME);
73 public AAIAuthCore(String basePath, String filename) {
74 this.basePath = basePath;
75 this.globalAuthFileName = filename;
76 authPolicyPattern = Pattern.compile("^" + this.basePath + "/v\\d+/([\\w\\-]*)");
80 public AAIAuthCore(String basePath, String filename, String pattern) {
81 this.basePath = basePath;
82 this.globalAuthFileName = filename;
83 authPolicyPattern = Pattern.compile(pattern);
90 private synchronized void init() {
92 LOGGER.debug("Initializing Auth Policy Config");
97 * this timer code is setting up a recurring task that checks if the
98 * auth config file has been updated and reloads the users if so to get
99 * the most up to date info (that update check logic is within
102 * the timing this method uses is coarser than the frequency of requests
103 * AI&I gets so we're looking at better ways of doing this (TODO)
105 TimerTask task = new FileWatcher(new File(globalAuthFileName)) {
107 protected void onChange(File file) {
116 // repeat the check every second
117 timer.schedule(task, new Date(), 10000);
119 LOGGER.debug("Static Initializiation complete");
125 // just ends the auth config file update checking timer
126 public void cleanup() {
134 * this essentially takes the data file, which is organized role-first with
135 * users under each role and converts it to data organized user-first with
136 * each user containing their role with its associated allowed functions
137 * this data stored in the class field users
139 private synchronized void reloadUsers() {
141 Map<String, AAIUser> tempUsers = new HashMap<>();
144 LOGGER.debug("Reading from " + globalAuthFileName);
145 String authFile = new String(Files.readAllBytes(Paths.get(globalAuthFileName)));
147 JsonParser parser = new JsonParser();
148 JsonObject authObject = parser.parse(authFile).getAsJsonObject();
149 if (authObject.has("roles")) {
150 JsonArray roles = authObject.getAsJsonArray("roles");
151 for (JsonElement role : roles) {
152 if (role.isJsonObject()) {
153 JsonObject roleObject = role.getAsJsonObject();
154 String roleName = roleObject.get("name").getAsString();
155 Map<String, Boolean> usrs = this.getUsernamesFromRole(roleObject);
156 List<String> aaiFunctions = this.getAAIFunctions(roleObject);
158 usrs.forEach((key, value) -> {
159 final AAIUser au = tempUsers.getOrDefault(key, new AAIUser(key, value));
160 au.addRole(roleName);
161 aaiFunctions.forEach(f -> {
162 List<String> httpMethods = this.getRoleHttpMethods(f, roleObject);
163 httpMethods.forEach(hm -> au.setUserAccess(f, hm));
164 this.validFunctions.add(f);
167 tempUsers.put(key, au);
172 if (!tempUsers.isEmpty()) {
176 } catch (FileNotFoundException e) {
177 ErrorLogHelper.logError(ERROR_CODE_AAI_4001, globalAuthFileName + ". Exception: " + e);
178 } catch (JsonProcessingException e) {
179 ErrorLogHelper.logError(ERROR_CODE_AAI_4001, globalAuthFileName + ". Not valid JSON: " + e);
180 } catch (Exception e) {
181 ErrorLogHelper.logError(ERROR_CODE_AAI_4001, globalAuthFileName + ". Exception caught: " + e);
185 private List<String> getRoleHttpMethods(String aaiFunctionName, JsonObject roleObject) {
186 List<String> httpMethods = new ArrayList<>();
188 JsonArray ja = roleObject.getAsJsonArray("functions");
189 for (JsonElement je : ja) {
190 if (je.isJsonObject() && je.getAsJsonObject().has("name")
191 && je.getAsJsonObject().get("name").getAsString().equals(aaiFunctionName)) {
192 JsonArray jaMeth = je.getAsJsonObject().getAsJsonArray("methods");
193 for (JsonElement jeMeth : jaMeth) {
194 if (jeMeth.isJsonObject() && jeMeth.getAsJsonObject().has("name")) {
195 httpMethods.add(jeMeth.getAsJsonObject().get("name").getAsString());
204 private List<String> getAAIFunctions(JsonObject roleObject) {
205 List<String> aaiFunctions = new ArrayList<>();
207 JsonArray ja = roleObject.getAsJsonArray("functions");
208 for (JsonElement je : ja) {
209 if (je.isJsonObject() && je.getAsJsonObject().has("name")) {
210 aaiFunctions.add(je.getAsJsonObject().get("name").getAsString());
217 private Map<String, Boolean> getUsernamesFromRole(JsonObject roleObject) throws UnsupportedEncodingException {
218 Map<String, Boolean> usernames = new HashMap<>();
220 JsonArray uja = roleObject.getAsJsonArray("users");
221 for (JsonElement je : uja) {
222 if (je.isJsonObject()) {
223 if (je.getAsJsonObject().has("username")) {
224 if (je.getAsJsonObject().has("is-wildcard-id")) {
225 usernames.put(je.getAsJsonObject().get("username").getAsString().toLowerCase(),
226 je.getAsJsonObject().get("is-wildcard-id").getAsBoolean());
228 usernames.put(je.getAsJsonObject().get("username").getAsString().toLowerCase(), false);
230 } else if (je.getAsJsonObject().has("user")) {
231 String auth = je.getAsJsonObject().get("user").getAsString() + ":"
232 + Password.deobfuscate(je.getAsJsonObject().get("pass").getAsString());
233 String authorizationCode = new String(Base64.getEncoder().encode(auth.getBytes("utf-8")));
234 usernames.put(authorizationCode, false);
242 public String getAuthPolicyFunctName(String uri) {
243 String authPolicyFunctionName = "";
244 if (uri.startsWith(basePath + "/search")) {
245 authPolicyFunctionName = "search";
246 } else if (uri.startsWith(basePath + "/recents")) {
247 authPolicyFunctionName = "recents";
248 } else if (uri.startsWith(basePath + "/cq2gremlin")) {
249 authPolicyFunctionName = "cq2gremlin";
250 } else if (uri.startsWith(basePath + "/cq2gremlintest")) {
251 authPolicyFunctionName = "cq2gremlintest";
252 } else if (uri.startsWith(basePath + "/util/echo")) {
253 authPolicyFunctionName = "util";
254 } else if (uri.startsWith(basePath + "/tools")) {
255 authPolicyFunctionName = "tools";
257 Matcher match = authPolicyPattern.matcher(uri);
259 authPolicyFunctionName = match.group(1);
262 return authPolicyFunctionName;
266 * for backwards compatibility
273 * @throws AAIUnrecognizedFunctionException
275 public boolean authorize(String username, String uri, String httpMethod, String haProxyUser)
276 throws AAIUnrecognizedFunctionException {
277 return authorize(username, uri, httpMethod, haProxyUser, null);
286 * @param issuer issuer of the cert
288 * @throws AAIUnrecognizedFunctionException
290 public boolean authorize(String username, String uri, String httpMethod, String haProxyUser, String issuer)
291 throws AAIUnrecognizedFunctionException {
292 String aaiMethod = this.getAuthPolicyFunctName(uri);
293 if (!this.validFunctions.contains(aaiMethod) && !("info".equalsIgnoreCase(aaiMethod))) {
294 throw new AAIUnrecognizedFunctionException(aaiMethod);
296 boolean wildcardCheck = isWildcardIssuer(issuer);
299 "Authorizing the user for the request cert {}, haproxy header {}, aai method {}, httpMethod {}, cert issuer {}",
300 username, haProxyUser, aaiMethod, httpMethod, issuer);
301 Optional<AAIUser> oau = this.getUser(username, wildcardCheck);
302 if (oau.isPresent()) {
303 AAIUser au = oau.get();
304 if (au.hasRole("HAProxy")) {
305 LOGGER.debug("User has HAProxy role");
306 if ("GET".equalsIgnoreCase(httpMethod) && "util".equalsIgnoreCase(aaiMethod) && haProxyUser.isEmpty()) {
307 LOGGER.debug("Authorized user has HAProxy role with echo request");
308 authorized = this.authorize(au, aaiMethod, httpMethod);
310 authorized = this.authorize(haProxyUser, uri, httpMethod, "", issuer);
313 LOGGER.debug("User doesn't have HAProxy role so assuming its a regular client");
314 authorized = this.authorize(au, aaiMethod, httpMethod);
317 LOGGER.debug("User not found: " + username + " on function " + aaiMethod + " request type " + httpMethod);
324 private boolean isWildcardIssuer(String issuer) {
325 if (issuer != null && !issuer.isEmpty()) {
326 List<String> validIssuers = Arrays
327 .asList(AAIConfig.get("aaf.valid.issuer.wildcard", UUID.randomUUID().toString()).split("\\|"));
328 for (String validIssuer : validIssuers) {
329 if (issuer.contains(validIssuer)) {
338 * returns aai user either matching the username or containing the wildcard.
343 public Optional<AAIUser> getUser(String username, boolean wildcardCheck) {
344 if (users.containsKey(username)) {
345 return Optional.of(users.get(username));
346 } else if (wildcardCheck) {
348 users.entrySet().stream().filter(e -> e.getValue().isWildcard() && username.contains(e.getKey()))
349 .map(Map.Entry::getValue).collect(Collectors.toList());
350 if (!laus.isEmpty()) {
351 return Optional.of(laus.get(0));
354 return Optional.empty();
360 * aai user with the username
362 * aai function the authorization is required on
364 * http action user is attempting
365 * @return true, if successful
367 private boolean authorize(AAIUser aaiUser, String aaiMethod, String httpMethod) {
368 if ("info".equalsIgnoreCase(aaiMethod) || aaiUser.hasAccess(aaiMethod, httpMethod)) {
369 LOGGER.debug("AUTH ACCEPTED: " + aaiUser.getUsername() + " on function " + aaiMethod + " request type "
373 LOGGER.debug("AUTH FAILED: " + aaiUser.getUsername() + " on function " + aaiMethod + " request type "