[AAF-21] Updated Copyright Headers for AAF
1 /*******************************************************************************\r
2  * ============LICENSE_START====================================================\r
3  * * org.onap.aaf\r
4  * * ===========================================================================\r
5  * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
6  * * ===========================================================================\r
7  * * Licensed under the Apache License, Version 2.0 (the "License");\r
8  * * you may not use this file except in compliance with the License.\r
9  * * You may obtain a copy of the License at\r
10  * * \r
11  *  *      http://www.apache.org/licenses/LICENSE-2.0\r
12  * * \r
13  *  * Unless required by applicable law or agreed to in writing, software\r
14  * * distributed under the License is distributed on an "AS IS" BASIS,\r
15  * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
16  * * See the License for the specific language governing permissions and\r
17  * * limitations under the License.\r
18  * * ============LICENSE_END====================================================\r
19  * *\r
20  * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
21  * *\r
22  ******************************************************************************/\r
23 package com.att.authz.service.api;\r
24 \r
25 import static com.att.cssa.rserv.HttpMethods.DELETE;\r
26 import static com.att.cssa.rserv.HttpMethods.GET;\r
27 import static com.att.cssa.rserv.HttpMethods.POST;\r
28 import static com.att.cssa.rserv.HttpMethods.PUT;\r
29 \r
30 import java.security.Principal;\r
31 import java.util.Date;\r
32 \r
33 import javax.servlet.http.HttpServletRequest;\r
34 import javax.servlet.http.HttpServletResponse;\r
35 \r
36 import com.att.aft.dme2.internal.jetty.http.HttpStatus;\r
37 import com.att.authz.cadi.DirectAAFUserPass;\r
38 import com.att.authz.env.AuthzTrans;\r
39 import com.att.authz.facade.AuthzFacade;\r
40 import com.att.authz.layer.Result;\r
41 import com.att.authz.service.AuthAPI;\r
42 import com.att.authz.service.Code;\r
43 import com.att.authz.service.mapper.Mapper.API;\r
44 import com.att.cadi.CredVal;\r
45 import com.att.cadi.Symm;\r
46 import com.att.cadi.principal.BasicPrincipal;\r
47 import com.att.cadi.principal.X509Principal;\r
48 import com.att.cssa.rserv.HttpMethods;\r
49 import com.att.inno.env.Env;\r
50 \r
51 /**\r
52  * Initialize All Dispatches related to Credentials (AUTHN)\r
53  *\r
54  */\r
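/**
 * Registers every HTTP route related to Credentials (AUTHN) on the service's {@link AuthAPI}.
 *
 * <p>Routes are split into two groups: {@link #timeSensitiveInit} registers the handlers that
 * must be matched first (credential checks), {@link #init} registers the rest (create, read,
 * update, extend and delete of credentials). This is a static holder and cannot be instantiated.
 *
 * <p>Every failure on the credential-check routes answers with a bare 403 and no detail, so a
 * client cannot tell a missing header, a malformed header and a wrong password apart.
 */
public class API_Creds {
    // Hide Public Interface
    private API_Creds() {}

    /** Scheme prefix of a Basic-Auth {@code Authorization} header value. */
    private static final String BASIC_PREFIX = "Basic ";

    /**
     * TIME SENSITIVE APIs
     *
     * These will be first in the list.
     *
     * @param env                environment the basicAuth route is registered under
     * @param authzAPI           route registry
     * @param facade             facade handed to every {@link Code}
     * @param directAAFUserPass  validator used to check Basic credentials even when the
     *                           transaction was already authenticated by X509
     * @throws Exception propagated from {@link AuthAPI#route}
     */
    public static void timeSensitiveInit(Env env, AuthAPI authzAPI, AuthzFacade facade, final DirectAAFUserPass directAAFUserPass) throws Exception {
        /**
         * Basic Auth, quick Validation
         *
         * Responds OK or Forbidden. Nothing about why a check failed is returned to the client.
         */
        authzAPI.route(env, HttpMethods.GET, "/authn/basicAuth", new Code(facade, "Is given BasicAuth valid?", true) {
            @Override
            public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
                Principal p = trans.getUserPrincipal();
                if (p instanceof BasicPrincipal) {
                    // Reaching this handler with a BasicPrincipal means the credential was
                    // already validated on the way in; nothing more to check.
                    resp.setStatus(HttpStatus.OK_200);
                } else if (p instanceof X509Principal) {
                    // The transport was authenticated by certificate (it might be CSP), so the
                    // Basic credential carried in the header still has to be checked here.
                    // A missing header, a non-Basic scheme, a payload without the "user:pass"
                    // separator and a wrong password all end the same way: 403, no detail.
                    String ba = req.getHeader("Authorization");
                    int status = HttpStatus.FORBIDDEN_403;
                    if (ba != null && ba.startsWith(BASIC_PREFIX)) {
                        String decoded = Symm.base64noSplit.decode(ba.substring(BASIC_PREFIX.length()));
                        int colon = decoded.indexOf(':');
                        // colon < 0 would make substring() throw; treat it as a bad credential
                        // NOTE(review): getBytes() uses the platform default charset; the charset
                        // validate() expects is not visible here — confirm before changing it
                        if (colon >= 0 && directAAFUserPass.validate(
                                decoded.substring(0, colon),
                                CredVal.Type.PASSWORD,
                                decoded.substring(colon + 1).getBytes())) {
                            status = HttpStatus.OK_200;
                        }
                    }
                    if (status != HttpStatus.OK_200) {
                        // Recorded on the transaction only; the client just sees the 403.
                        trans.checkpoint("Basic Auth Check Failed: header missing, malformed or credential invalid");
                    }
                    resp.setStatus(status);
                } else if (p == null) {
                    trans.error().log("Transaction not Authenticated... no Principal");
                    resp.setStatus(HttpStatus.FORBIDDEN_403);
                } else {
                    trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");
                    // For Auth Security questions, we don't give any info to client on why failed
                    resp.setStatus(HttpStatus.FORBIDDEN_403);
                }
            }
        }, "text/plain");

        /**
         * Returns whether a given Credential is valid.
         */
        authzAPI.route(POST, "/authn/validate", API.CRED_REQ, new Code(facade, "Is given Credential valid?", true) {
            @Override
            public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
                Result<Date> r = context.doesCredentialMatch(trans, req, resp);
                if (r.isOK()) {
                    resp.setStatus(HttpStatus.OK_200);
                } else {
                    // For Security, we don't give any info out on why failed, other than forbidden
                    resp.setStatus(HttpStatus.FORBIDDEN_403);
                }
            }
        });

        /**
         * Gets Certificate information for the given ID.
         */
        authzAPI.route(GET, "/authn/cert/id/:id", API.CERTS, new Code(facade, "Get Cert Info by ID", true) {
            @Override
            public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
                // NOTE(review): this is the only route that looks the path parameter up with the
                // leading ':' (":id"); the other routes in this class use "ns", "id", "days".
                // Confirm which form pathParam() expects before harmonising.
                Result<Void> r = context.getCertInfoByID(trans, req, resp, pathParam(req, ":id"));
                if (r.isOK()) {
                    resp.setStatus(HttpStatus.OK_200);
                } else {
                    // For Security, we don't give any info out on why failed, other than forbidden
                    resp.setStatus(HttpStatus.FORBIDDEN_403);
                }
            }
        });
    }

    /**
     * Normal Init level APIs
     *
     * Registers create / read / update / extend / delete of credentials. Unlike the
     * time-sensitive routes, failures here are reported through {@code context.error}, which
     * decides the status and body.
     *
     * @param authzAPI  route registry
     * @param facade    facade handed to every {@link Code}
     * @throws Exception propagated from {@link AuthAPI#route}
     */
    public static void init(AuthAPI authzAPI, AuthzFacade facade) throws Exception {
        /**
         * Create a new ID/Credential
         */
        authzAPI.route(POST, "/authn/cred", API.CRED_REQ, new Code(facade, "Add a New ID/Credential", true) {
            @Override
            public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
                Result<Void> r = context.createUserCred(trans, req);
                if (r.isOK()) {
                    resp.setStatus(HttpStatus.CREATED_201);
                } else {
                    context.error(trans, resp, r);
                }
            }
        });

        /**
         * Gets all credentials by Namespace
         */
        authzAPI.route(GET, "/authn/creds/ns/:ns", API.USERS, new Code(facade, "Get Creds for a Namespace", true) {
            @Override
            public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
                Result<Void> r = context.getCredsByNS(trans, resp, pathParam(req, "ns"));
                if (r.isOK()) {
                    resp.setStatus(HttpStatus.OK_200);
                } else {
                    context.error(trans, resp, r);
                }
            }
        });

        /**
         * Gets all credentials by ID
         */
        authzAPI.route(GET, "/authn/creds/id/:id", API.USERS, new Code(facade, "Get Creds by ID", true) {
            @Override
            public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
                Result<Void> r = context.getCredsByID(trans, resp, pathParam(req, "id"));
                if (r.isOK()) {
                    resp.setStatus(HttpStatus.OK_200);
                } else {
                    context.error(trans, resp, r);
                }
            }
        });

        /**
         * Update ID/Credential (aka reset)
         */
        authzAPI.route(PUT, "/authn/cred", API.CRED_REQ, new Code(facade, "Update an ID/Credential", true) {
            @Override
            public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
                Result<Void> r = context.changeUserCred(trans, req);
                if (r.isOK()) {
                    resp.setStatus(HttpStatus.OK_200);
                } else {
                    context.error(trans, resp, r);
                }
            }
        });

        /**
         * Extend ID/Credential
         *
         * This behavior will accelerate getting out of P1 outages due to ignored renewal
         * requests or other expiration issues.
         *
         * Scenario: the people solving password problems at night are not necessarily those
         * who know what the passwords are supposed to be. Also, changing a password without
         * changing the configurations using it only exacerbates the P1 issue.
         */
        authzAPI.route(PUT, "/authn/cred/:days", API.CRED_REQ, new Code(facade, "Extend an ID/Credential", true) {
            @Override
            public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
                // "days" is passed through as a string; range/format checking is the facade's job
                Result<Void> r = context.extendUserCred(trans, req, pathParam(req, "days"));
                if (r.isOK()) {
                    resp.setStatus(HttpStatus.OK_200);
                } else {
                    context.error(trans, resp, r);
                }
            }
        });

        /**
         * Delete an ID/Credential by Object
         */
        authzAPI.route(DELETE, "/authn/cred", API.CRED_REQ, new Code(facade, "Delete a Credential", true) {
            @Override
            public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
                Result<Void> r = context.deleteUserCred(trans, req);
                if (r.isOK()) {
                    resp.setStatus(HttpStatus.OK_200);
                } else {
                    context.error(trans, resp, r);
                }
            }
        });
    }
}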