2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi.aaf.cert;
25 import java.security.cert.CertificateException;
26 import java.security.cert.X509Certificate;
27 import java.util.HashSet;
28 import java.util.List;
31 import java.util.Timer;
32 import java.util.TimerTask;
33 import java.util.TreeMap;
35 import javax.servlet.http.HttpServletRequest;
36 import javax.xml.datatype.XMLGregorianCalendar;
38 import org.onap.aaf.cadi.Access;
39 import org.onap.aaf.cadi.Hash;
40 import org.onap.aaf.cadi.Access.Level;
41 import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
42 import org.onap.aaf.cadi.client.Future;
43 import org.onap.aaf.cadi.config.Config;
44 import org.onap.aaf.cadi.principal.TaggedPrincipal;
45 import org.onap.aaf.cadi.principal.X509Principal;
46 import org.onap.aaf.cadi.taf.cert.CertIdentity;
47 import org.onap.aaf.cadi.taf.cert.X509Taf;
48 import org.onap.aaf.misc.env.APIException;
49 import org.onap.aaf.misc.env.util.Chrono;
50 import org.onap.aaf.misc.env.util.Split;
52 import aaf.v2_0.Certs;
53 import aaf.v2_0.Certs.Cert;
54 import aaf.v2_0.Users;
55 import aaf.v2_0.Users.User;
57 public class AAFListedCertIdentity implements CertIdentity {
58 //TODO should 8 hours be configurable?
59 private static final long EIGHT_HOURS = 1000*60*60*8L;
61 private static Map<ByteArrayHolder,String> certs = null;
63 // Did this to add other Trust Mechanisms
64 // Trust mechanism set by Property:
65 private static final String[] authMechanisms = new String[] {"tguard","basicAuth","csp"};
66 private static String[] certIDs;
68 private static Map<String,Set<String>> trusted =null;
70 public AAFListedCertIdentity(Access access, AAFCon<?> aafcon) throws APIException {
71 synchronized(AAFListedCertIdentity.class) {
73 String cip = access.getProperty(Config.AAF_CERT_IDS, null);
75 certIDs = Split.split(',',cip);
78 if(certIDs!=null && certs==null) {
79 TimerTask cu = new CertUpdate(aafcon);
80 cu.run(); // want this to run in this thread first...
81 new Timer("AAF Identity Refresh Timer",true).scheduleAtFixedRate(cu, EIGHT_HOURS,EIGHT_HOURS);
86 public static Set<String> trusted(String authMech) {
87 return trusted.get(authMech);
90 public TaggedPrincipal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException {
91 if(cert==null && certBytes==null)return null;
92 if(certBytes==null)certBytes = cert.getEncoded();
93 byte[] fingerprint = X509Taf.getFingerPrint(certBytes);
94 String id = certs.get(new ByteArrayHolder(fingerprint));
95 if(id!=null) { // Caller is Validated
96 return new X509Principal(id,cert,certBytes,null);
101 private static class ByteArrayHolder implements Comparable<ByteArrayHolder> {
103 public ByteArrayHolder(byte[] ba) {
106 public int compareTo(ByteArrayHolder b) {
107 return Hash.compareTo(ba, b.ba);
111 private class CertUpdate extends TimerTask {
113 private AAFCon<?> aafcon;
114 public CertUpdate(AAFCon<?> con) {
121 TreeMap<ByteArrayHolder, String> newCertsMap = new TreeMap<>();
122 Map<String,Set<String>> newTrustMap = new TreeMap<>();
123 Set<String> userLookup = new HashSet<>();
124 for(String s : certIDs) {
127 for(String authMech : authMechanisms) {
128 Future<Users> fusr = aafcon.client(Config.AAF_DEFAULT_VERSION).read("/authz/users/perm/com.att.aaf.trust/"+authMech+"/authenticate", Users.class, aafcon.usersDF);
130 List<User> users = fusr.value.getUser();
131 if(users.isEmpty()) {
132 aafcon.access.log(Level.WARN, "AAF Lookup-No IDs in Role com.att.aaf.trustForID <> "+authMech);
134 aafcon.access.log(Level.INFO,"Loading Trust Authentication Info for",authMech);
135 Set<String> hsUser = new HashSet<>();
136 for(User u : users) {
137 userLookup.add(u.getId());
138 hsUser.add(u.getId());
140 newTrustMap.put(authMech,hsUser);
143 aafcon.access.log(Level.WARN, "Could not get Users in Perm com.att.trust|tguard|authenticate",fusr.code(),fusr.body());
148 for(String u : userLookup) {
149 Future<Certs> fc = aafcon.client(Config.AAF_DEFAULT_VERSION).read("/authn/cert/id/"+u, Certs.class, aafcon.certsDF);
150 XMLGregorianCalendar now = Chrono.timeStamp();
152 List<Cert> certs = fc.value.getCert();
153 if(certs.isEmpty()) {
154 aafcon.access.log(Level.WARN, "No Cert Associations for",u);
156 for(Cert c : fc.value.getCert()) {
157 XMLGregorianCalendar then =c.getExpires();
158 if(then !=null && then.compare(now)>0) {
159 newCertsMap.put(new ByteArrayHolder(c.getFingerprint()), c.getId());
160 aafcon.access.log(Level.INIT,"Associating "+ c.getId() + " expiring " + Chrono.dateOnlyStamp(c.getExpires()) + " with " + c.getX500());
165 aafcon.access.log(Level.WARN, "Could not get Certificates for",u);
170 trusted = newTrustMap;
171 } catch(Exception e) {
172 aafcon.access.log(e, "Failure to update Certificate Identities from AAF");