2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi.aaf.v2_0;
24 import java.io.IOException;
25 import java.security.Principal;
26 import javax.servlet.http.HttpServletRequest;
27 import javax.servlet.http.HttpServletResponse;
28 import org.onap.aaf.cadi.AbsUserCache;
29 import org.onap.aaf.cadi.Access.Level;
30 import org.onap.aaf.cadi.CachedPrincipal;
31 import org.onap.aaf.cadi.CachedPrincipal.Resp;
32 import org.onap.aaf.cadi.CadiException;
33 import org.onap.aaf.cadi.Connector;
34 import org.onap.aaf.cadi.GetCred;
35 import org.onap.aaf.cadi.Hash;
36 import org.onap.aaf.cadi.SecuritySetter;
37 import org.onap.aaf.cadi.Taf.LifeForm;
38 import org.onap.aaf.cadi.User;
39 import org.onap.aaf.cadi.aaf.AAFPermission;
40 import org.onap.aaf.cadi.aaf.v2_0.AAFCon.GetSetter;
41 import org.onap.aaf.cadi.client.Future;
42 import org.onap.aaf.cadi.client.Rcli;
43 import org.onap.aaf.cadi.client.Retryable;
44 import org.onap.aaf.cadi.config.Config;
45 import org.onap.aaf.cadi.principal.BasicPrincipal;
46 import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
47 import org.onap.aaf.cadi.taf.HttpTaf;
48 import org.onap.aaf.cadi.taf.TafResp;
49 import org.onap.aaf.cadi.taf.TafResp.RESP;
50 import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp;
51 import org.onap.aaf.misc.env.APIException;
53 public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpTaf {
54 private AAFCon<CLIENT> aaf;
57 public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning) {
58 super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount);
63 public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {
69 // Note: Needed for Creation of this Object with Generics
70 @SuppressWarnings("unchecked")
71 public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {
72 this((AAFCon<CLIENT>)mustBeAAFCon,turnOnWarning,other);
75 // Note: Needed for Creation of this Object with Generics
76 @SuppressWarnings("unchecked")
77 public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning) {
78 this((AAFCon<CLIENT>)mustBeAAFCon,turnOnWarning);
82 public TafResp validate(final LifeForm reading, final HttpServletRequest req, final HttpServletResponse resp) {
83 //TODO Do we allow just anybody to validate?
85 // Note: Either Carbon or Silicon based LifeForms ok
86 String authz = req.getHeader("Authorization");
87 if(authz != null && authz.startsWith("Basic ")) {
88 if(warn&&!req.isSecure()) {
89 aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
92 final CachedBasicPrincipal bp;
93 if(req.getUserPrincipal() instanceof CachedBasicPrincipal) {
94 bp = (CachedBasicPrincipal)req.getUserPrincipal();
96 bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires);
99 final User<AAFPermission> usr = getUser(bp);
101 && usr.principal instanceof GetCred
102 && Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) {
103 return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
106 Miss miss = missed(bp.getName(), bp.getCred());
107 if(miss!=null && !miss.mayContinue()) {
108 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
109 "User/Pass Retry limit exceeded"),
110 RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);
113 return aaf.bestForUser(
116 public <CL> SecuritySetter<CL> get(AAFCon<CL> con) throws CadiException {
117 return con.basicAuthSS(bp);
119 },new Retryable<BasicHttpTafResp>() {
121 public BasicHttpTafResp code(Rcli<?> client) throws CadiException, APIException {
122 Future<String> fp = client.read("/authn/basicAuth", "text/plain");
123 if(fp.get(aaf.timeout)) {
127 addUser(new User<AAFPermission>(bp,aaf.userExpires));
129 return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
131 // Note: AddMiss checks for miss==null, and is part of logic
132 boolean rv= addMiss(bp.getName(),bp.getCred());
134 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
135 "user/pass combo invalid via AAF from " + req.getRemoteAddr()),
136 RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);
138 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
139 "user/pass combo invalid via AAF from " + req.getRemoteAddr() + " - Retry limit exceeded"),
140 RESP.FAIL,resp,aaf.getRealm(),true);
146 } catch (IOException e) {
147 String msg = buildMsg(null,req,"Invalid Auth Token");
148 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
149 return new BasicHttpTafResp(aaf.access,null,msg, RESP.TRY_AUTHENTICATING, resp, aaf.getRealm(),true);
150 } catch (Exception e) {
151 String msg = buildMsg(null,req,"Authenticating Service unavailable");
154 } catch (CadiException e1) {
155 aaf.access.log(e1, "Error Invalidating Client");
157 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
158 return new BasicHttpTafResp(aaf.access,null,msg, RESP.FAIL, resp, aaf.getRealm(),false);
161 return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false);
164 private String buildMsg(Principal pr, HttpServletRequest req, Object... msg) {
165 StringBuilder sb = new StringBuilder();
166 for(Object s : msg) {
167 sb.append(s.toString());
171 sb.append(pr.getName());
174 sb.append(req.getRemoteAddr());
176 sb.append(req.getRemotePort());
177 return sb.toString();
182 public Resp revalidate(CachedPrincipal prin, Object state) {
183 // !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal
184 if(prin instanceof BasicPrincipal) {
187 Rcli<CLIENT> userAAF = aaf.client(Config.AAF_DEFAULT_VERSION).forUser(aaf.transferSS((BasicPrincipal)prin));
188 fp = userAAF.read("/authn/basicAuth", "text/plain");
189 return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED;
190 } catch (Exception e) {
191 aaf.access.log(e, "Cannot Revalidate",prin.getName());
192 return Resp.INACCESSIBLE;
195 return Resp.NOT_MINE;