2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
21 package org.onap.aai.aaf.auth;
23 import java.util.ArrayList;
24 import java.util.Arrays;
25 import java.util.Collections;
26 import java.util.List;
27 import java.util.Objects;
28 import java.util.Properties;
30 import javax.servlet.http.HttpServletRequest;
31 import java.io.FileInputStream;
32 import java.io.IOException;
33 import java.security.cert.X509Certificate;
34 import java.util.stream.Collectors;
35 import org.slf4j.Logger;
36 import org.slf4j.LoggerFactory;
39 * The CertUtil class provides certificate-related utility methods.
41 public class CertUtil {
// Built-in fallback list of issuer DNs, ':'-separated; getCadiCertIssuers falls back to it
// when no usable cadi_x509_issuers value is read from the configured property file.
// NOTE(review): these are named "Test Issuing" CAs -- a silent fallback to them in a
// production deployment would widen the set of accepted issuers; see getCadiCertIssuers.
42 public static final String DEFAULT_CADI_ISSUERS = "CN=ATT AAF CADI Test Issuing " +
43 "CA 01, OU=CSO, O=ATT, C=US:CN=ATT AAF CADI Test Issuing CA 02, OU=CSO, O=ATT, C=US";
// Property (in the Properties handed to getCadiCertIssuers) naming the CADI properties file.
44 public static final String CADI_PROP_FILES = "cadi_prop_files";
// Key inside that CADI properties file whose value lists the trusted issuer DNs.
45 public static final String CADI_ISSUERS_PROP_NAME = "cadi_x509_issuers";
// Separator between issuer DNs; getMechId also uses it to split the forwarded OU header.
46 public static final String CADI_ISSUERS_SEPARATOR = ":";
// Request headers carrying the client certificate's subject components and issuer,
// presumably populated by the TLS-terminating (HA) proxy in front of this service.
// NOTE(review): values read from these headers are only as trustworthy as the guarantee
// that a client cannot reach this service without passing through that proxy -- confirm
// that the proxy overwrites or strips any client-supplied copies of these headers.
47 public static final String AAI_SSL_CLIENT_OU_HDR = "X-AAI-SSL-Client-OU";
48 public static final String AAI_SSL_ISSUER_HDR = "X-AAI-SSL-Issuer";
49 public static final String AAI_SSL_CLIENT_CN_HDR = "X-AAI-SSL-Client-CN";
50 public static final String AAI_SSL_CLIENT_O_HDR = "X-AAI-SSL-Client-O";
51 public static final String AAI_SSL_CLIENT_L_HDR = "X-AAI-SSL-Client-L";
52 public static final String AAI_SSL_CLIENT_ST_HDR = "X-AAI-SSL-Client-ST";
53 public static final String AAI_SSL_CLIENT_C_HDR = "X-AAI-SSL-Client-C";
// Name of the header expected to carry the AAF user chain (not referenced elsewhere in this listing).
54 public static final String AAF_USER_CHAIN_HDR = "USER_CHAIN";
// Placeholder token in the user-chain pattern that buildUserChainHeader substitutes with the user id.
55 public static final String AAF_ID = "<AAF-ID>";
56 private static final Logger LOGGER = LoggerFactory.getLogger(CertUtil.class);
/**
 * Reads the client-certificate OU that the front proxy forwards in the
 * {@code X-AAI-SSL-Client-OU} header.
 *
 * @param hsr the incoming request
 * @return the header value, or {@code null} when the header is absent
 */
public static String getAaiSslClientOuHeader(HttpServletRequest hsr) {
    String ouHeader = hsr.getHeader(AAI_SSL_CLIENT_OU_HDR);
    return ouHeader;
}
/**
 * Reports whether the request carries the complete set of client-certificate
 * subject headers (CN, OU, O, L, ST, C) that the front proxy forwards.
 *
 * Only the visible part of the method is documented here: a missing header
 * leaves the method on a line that is not part of this listing, otherwise
 * the six values are assembled into a lower-cased subject string and the
 * non-empty / empty cases are logged separately. The return statements are
 * not in this listing.
 *
 * NOTE(review): every input is an HTTP header, so this detects the presence
 * of the proxy's headers, not the proxy itself. Treat the result as trusted
 * only where it is guaranteed that those headers cannot be supplied by a
 * client that bypasses the proxy -- confirm per deployment.
 *
 * @param hsr the incoming request
 * @return presumably true when all subject headers are present (the return
 *         lines are outside this listing)
 */
62 public static boolean isHaProxy(HttpServletRequest hsr) {
64 String haProxyUser = "";
// All six subject components must be present; if any is absent the method
// exits on the (not listed) statement inside this block.
65 if (Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_CN_HDR)) || Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_OU_HDR))
66 || Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_O_HDR))
67 || Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_L_HDR))
68 || Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_ST_HDR))
69 || Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_C_HDR))) {
// Assemble a subject-style string from the forwarded components (O is emitted
// quoted). The null-to-"" defaults are redundant after the check above.
// toLowerCase() without a Locale is locale-sensitive; Locale.ROOT would make
// the result deterministic across JVMs.
72 haProxyUser = String.format("CN=%s, OU=%s, O=\"%s\", L=%s, ST=%s, C=%s",
73 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_CN_HDR), ""),
74 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_OU_HDR), ""),
75 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_O_HDR), ""),
76 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_L_HDR), ""),
77 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_ST_HDR), ""),
78 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_C_HDR), "")).toLowerCase();
// The format string always yields the "CN=, OU=, ..." skeleton, so this
// string can only be empty if format() itself returned ""; the branch is
// effectively always taken.
80 if (!haProxyUser.isEmpty()) {
81 LOGGER.debug("isHaProxy haProxyUser=" + haProxyUser);
84 LOGGER.debug("isHaProxy haProxyUser not found");
/**
 * Extracts the mech id from the forwarded client-certificate OU header, taken
 * as the first ':'-separated segment of that header.
 *
 * The declaration of {@code mechId}, the assignment from {@code parts} and the
 * return statement are on lines not present in this listing.
 *
 * NOTE(review): the id is derived from an HTTP header; it is only meaningful
 * where that header is guaranteed to be set by the proxy (see
 * getAaiSslClientOuHeader) -- confirm before using it for authorization.
 *
 * @param hsr the incoming request
 * @return presumably the first OU segment, or null when the header is absent
 *         (return line not in this listing)
 */
88 public static String getMechId(HttpServletRequest hsr) {
90 String ou = getAaiSslClientOuHeader(hsr);
91 if ((ou != null) && (!ou.isEmpty())) {
// String.split never returns null, and on a non-empty input it returns at
// least one element, so both halves of the next check are always true.
92 String[] parts = ou.split(CADI_ISSUERS_SEPARATOR);
93 if (parts != null && parts.length >= 1) {
// mechId is assigned on a line not shown here; it is logged regardless of
// whether an OU header was present.
97 LOGGER.debug("getMechId mechId=" + mechId);
/**
 * Determines the issuer DN of the client certificate for this request.
 *
 * Two sources appear in this listing: the proxy-forwarded
 * {@code X-AAI-SSL-Issuer} header, whose encoding is undone below, and the
 * container's {@code javax.servlet.request.X509Certificate} attribute, i.e.
 * the client chain from the TLS handshake. The lines joining the two branches
 * and the return statement are not part of this listing.
 *
 * NOTE(review): the header is consulted whenever it is non-empty, which makes
 * it take precedence over the handshake certificate. That is safe only if the
 * header can be set solely by the TLS-terminating proxy; confirm that a
 * client reaching this service directly cannot supply it.
 *
 * @param hsr the incoming request
 * @return presumably the issuer DN string computed above (return line not in
 *         this listing)
 */
101 public static String getCertIssuer(HttpServletRequest hsr) {
102 String issuer = hsr.getHeader(AAI_SSL_ISSUER_HDR);
103 if (issuer != null && !issuer.isEmpty()) {
104 LOGGER.debug("getCertIssuer issuer from header " + AAI_SSL_ISSUER_HDR + " " + issuer);
// The proxy encodes the DN with '/' in place of ', ' and in reverse component
// order; rebuild the comma-separated DN in its original order here.
106 List<String> broken = Arrays.asList(issuer.split("/"));
// Drop empty elements (e.g. the one produced by a leading '/').
// Collectors.toList() gives no mutability guarantee; Collections.reverse
// below relies on the JDK returning a modifiable ArrayList.
107 broken = broken.stream().filter(s -> !s.isEmpty()).collect(Collectors.toList());
108 Collections.reverse(broken);
109 issuer = String.join(", ", broken);
// Per the servlet spec the cipher_suite attribute is only set on TLS
// connections, so a client chain can only exist in that case.
111 if (hsr.getAttribute("javax.servlet.request.cipher_suite") != null) {
// The servlet spec defines this attribute as X509Certificate[] with the
// client (leaf) certificate first, hence the cast and certChain[0] below.
112 X509Certificate[] certChain =
113 (X509Certificate[]) hsr.getAttribute("javax.servlet.request.X509Certificate");
114 if (certChain != null && certChain.length > 0) {
115 X509Certificate clientCert = certChain[0];
// getName() yields the RFC 2253 form, so no reordering is needed on this path.
116 issuer = clientCert.getIssuerX500Principal().getName();
117 LOGGER.debug("getCertIssuer issuer from client cert " + issuer);
/**
 * Builds the list of CADI-trusted issuer DNs, normalized for comparison.
 *
 * The issuers are read from the {@code cadi_x509_issuers} entry of the
 * properties file named by the {@code cadi_prop_files} property of
 * {@code cadiProperties}. Each DN is normalized by removing all whitespace
 * and upper-casing it so that callers can compare issuer strings regardless
 * of spacing or case (the comparison itself is not in this file). When the
 * file cannot be read, the built-in DEFAULT_CADI_ISSUERS list is returned
 * instead; the empty-result handling and the final return statements are on
 * lines not present in this listing.
 *
 * NOTE(review): the fallback list names test CAs. If a production deployment
 * mis-configures or loses the property file, the accepted issuer set silently
 * changes to those test CAs -- the IOException path below logs nothing.
 *
 * @param cadiProperties properties that may name the CADI property file
 * @return presumably {@code resultList} when non-empty, else
 *         {@code defaultList} (return lines not in this listing)
 */
124 public static List<String> getCadiCertIssuers(Properties cadiProperties) {
126 List<String> defaultList = new ArrayList<>();
127 List<String> resultList = new ArrayList<String>();
// Pre-build the normalized fallback list from the built-in constant.
// toUpperCase() without a Locale is locale-sensitive; Locale.ROOT would make
// the normalization deterministic across JVMs (same applies below).
129 String[] cadiIssuers = DEFAULT_CADI_ISSUERS.split(CADI_ISSUERS_SEPARATOR);
130 for (String issuer : cadiIssuers) {
131 defaultList.add(issuer.replaceAll("\\s+", "").toUpperCase());
// The file path is taken exactly as configured (absolute, or relative to the
// working directory).
134 String certPropFileName = cadiProperties.getProperty(CADI_PROP_FILES);
// This initial value is overwritten by the property lookup once the file is
// loaded, so it only matters if no file name is configured at all.
135 String configuredIssuers = DEFAULT_CADI_ISSUERS;
136 Properties certProperties = new Properties();
137 if (certPropFileName != null) {
138 try (FileInputStream fis = new FileInputStream(certPropFileName)) {
139 certProperties.load(fis);
// May be null when the key is missing; guarded below.
141 configuredIssuers = certProperties.getProperty(CADI_ISSUERS_PROP_NAME);
143 if ((configuredIssuers != null) && (!configuredIssuers.isEmpty())) {
144 cadiIssuers = configuredIssuers.split(CADI_ISSUERS_SEPARATOR);
145 for (String issuer : cadiIssuers) {
146 resultList.add(issuer.replaceAll("\\s+", "").toUpperCase());
// ioe is discarded without logging: an unreadable or missing file falls back
// to the built-in test issuers with no trace. At least a LOGGER.warn with the
// file name and exception would make this visible to operators.
149 } catch (IOException ioe) {
150 return (defaultList);
// Empty result (file present but no usable issuers) is handled on lines not
// shown here.
152 if (resultList.isEmpty()) {
155 LOGGER.debug("getCadiCertIssuers " + resultList.toString());
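/**
 * Builds the user-chain header value by substituting the user id into the
 * configured user-chain pattern, e.g.
 * {@code aaf.userchain.pattern=<AAF-ID>:${aaf.userchain.service.reference}:${aaf.userchain.auth.type}:AS}.
 *
 * Every occurrence of the {@link #AAF_ID} placeholder is replaced literally.
 * The previous {@code replaceAll} treated {@code user} as a regex replacement
 * string, so a user id containing {@code $} or a backslash was either mangled
 * or raised an exception; {@link String#replace(CharSequence, CharSequence)}
 * has no replacement metacharacters and matches the same literal placeholder.
 *
 * @param user the user id to insert; must not be null
 * @param userChainPattern the pattern containing the {@code <AAF-ID>} placeholder; must not be null
 * @return the pattern with each placeholder replaced by {@code user}
 * @throws NullPointerException if either argument is null
 */
public static String buildUserChainHeader(String user, String userChainPattern) {
    Objects.requireNonNull(user, "user");
    Objects.requireNonNull(userChainPattern, "userChainPattern");
    // Literal replacement: the user id must never be interpreted as a regex replacement.
    return userChainPattern.replace(AAF_ID, user);
}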