2 * ============LICENSE_START=======================================================
4 * ================================================================================
5 * Copyright © 2017-2018 AT&T Intellectual Property. All rights reserved.
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
21 package org.onap.aai.aaf.auth;
23 import org.slf4j.Logger;
24 import org.slf4j.LoggerFactory;
26 import javax.servlet.http.HttpServletRequest;
28 import java.io.FileInputStream;
29 import java.io.IOException;
30 import java.security.cert.X509Certificate;
32 import java.util.stream.Collectors;
35 * The Class CertUtil provides cert related utility methods.
37 public class CertUtil {
38 public static final String DEFAULT_CADI_ISSUERS =
39 "CN=ATT AAF CADI Test Issuing CA 01, OU=CSO, O=ATT, C=US:CN=ATT AAF CADI Test Issuing CA 02, OU=CSO, O=ATT, C=US";
40 public static final String CADI_PROP_FILES = "cadi_prop_files";
41 public static final String CADI_ISSUERS_PROP_NAME = "cadi_x509_issuers";
42 public static final String CADI_ISSUERS_SEPARATOR = ":";
43 public static final String AAI_SSL_CLIENT_OU_HDR = "X-AAI-SSL-Client-OU";
44 public static final String AAI_SSL_ISSUER_HDR = "X-AAI-SSL-Issuer";
45 public static final String AAI_SSL_CLIENT_CN_HDR = "X-AAI-SSL-Client-CN";
46 public static final String AAI_SSL_CLIENT_O_HDR = "X-AAI-SSL-Client-O";
47 public static final String AAI_SSL_CLIENT_L_HDR = "X-AAI-SSL-Client-L";
48 public static final String AAI_SSL_CLIENT_ST_HDR = "X-AAI-SSL-Client-ST";
49 public static final String AAI_SSL_CLIENT_C_HDR = "X-AAI-SSL-Client-C";
50 public static final String AAF_USER_CHAIN_HDR = "USER_CHAIN";
51 public static final String AAF_ID = "<AAF-ID>";
52 private static final Logger LOGGER = LoggerFactory.getLogger(CertUtil.class);
54 public static String getAaiSslClientOuHeader(HttpServletRequest hsr) {
55 return (hsr.getHeader(AAI_SSL_CLIENT_OU_HDR));
58 public static boolean isHaProxy(HttpServletRequest hsr) {
60 String haProxyUser = "";
61 if (Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_CN_HDR)) || Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_OU_HDR))
62 || Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_O_HDR))
63 || Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_L_HDR))
64 || Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_ST_HDR))
65 || Objects.isNull(hsr.getHeader(AAI_SSL_CLIENT_C_HDR))) {
68 haProxyUser = String.format("CN=%s, OU=%s, O=\"%s\", L=%s, ST=%s, C=%s",
69 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_CN_HDR), ""),
70 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_OU_HDR), ""),
71 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_O_HDR), ""),
72 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_L_HDR), ""),
73 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_ST_HDR), ""),
74 Objects.toString(hsr.getHeader(AAI_SSL_CLIENT_C_HDR), "")).toLowerCase();
76 if (!haProxyUser.isEmpty()) {
77 LOGGER.debug("isHaProxy haProxyUser=" + haProxyUser);
80 LOGGER.debug("isHaProxy haProxyUser not found");
84 public static String getMechId(HttpServletRequest hsr) {
86 String ou = getAaiSslClientOuHeader(hsr);
87 if ((ou != null) && (!ou.isEmpty())) {
88 String[] parts = ou.split(CADI_ISSUERS_SEPARATOR);
89 if (parts != null && parts.length >= 1) {
93 LOGGER.debug("getMechId mechId=" + mechId);
97 public static String getCertIssuer(HttpServletRequest hsr) {
98 String issuer = hsr.getHeader(AAI_SSL_ISSUER_HDR);
99 if (issuer != null && !issuer.isEmpty()) {
100 LOGGER.debug("getCertIssuer issuer from header " + AAI_SSL_ISSUER_HDR + " " + issuer);
101 // the haproxy header replaces the ', ' with '/' and reverses on the '/' need to undo that.
102 List<String> broken = Arrays.asList(issuer.split("/"));
103 broken = broken.stream().filter(s -> !s.isEmpty()).collect(Collectors.toList());
104 Collections.reverse(broken);
105 issuer = String.join(", ", broken);
107 if (hsr.getAttribute("javax.servlet.request.cipher_suite") != null) {
108 X509Certificate[] certChain =
109 (X509Certificate[]) hsr.getAttribute("javax.servlet.request.X509Certificate");
110 if (certChain != null && certChain.length > 0) {
111 X509Certificate clientCert = certChain[0];
112 issuer = clientCert.getIssuerX500Principal().getName();
113 LOGGER.debug("getCertIssuer issuer from client cert " + issuer);
120 public static List<String> getCadiCertIssuers(Properties cadiProperties) {
122 List<String> defaultList = new ArrayList<String>();
123 List<String> resultList = new ArrayList<String>();
125 String[] cIssuers = DEFAULT_CADI_ISSUERS.split(CADI_ISSUERS_SEPARATOR);
126 for (String issuer : cIssuers) {
127 defaultList.add(issuer.replaceAll("\\s+", "").toUpperCase());
130 String certPropFileName = cadiProperties.getProperty(CADI_PROP_FILES);
131 String configuredIssuers = DEFAULT_CADI_ISSUERS;
132 Properties certProperties = new Properties();
133 if (certPropFileName != null) {
134 certProperties.load(new FileInputStream(new File(certPropFileName)));
135 configuredIssuers = certProperties.getProperty(CADI_ISSUERS_PROP_NAME);
137 if ((configuredIssuers != null) && (!configuredIssuers.isEmpty())) {
138 cIssuers = configuredIssuers.split(CADI_ISSUERS_SEPARATOR);
139 for (String issuer : cIssuers) {
140 resultList.add(issuer.replaceAll("\\s+", "").toUpperCase());
143 } catch (IOException ioe) {
144 return (defaultList);
146 if (resultList.isEmpty()) {
149 LOGGER.debug("getCadiCertIssuers " + resultList.toString());
153 public static String buildUserChainHeader(String user, String userChainPattern) {
154 // aaf.userchain.pattern=<AAF-ID>:${aaf.userchain.service.reference}:${aaf.userchain.auth.type}:AS
155 return (userChainPattern.replaceAll(AAF_ID, user));