2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi.client;
24 import java.io.IOException;
26 import org.onap.aaf.cadi.SecuritySetter;
27 import org.onap.aaf.cadi.Symm;
28 import org.onap.aaf.cadi.config.SecurityInfoC;
31 * AbsAuthentication is a class representing how to authenticate onto a Client.
33 * Methods of setting authentication on a Client vary, so CLIENT is a generic type.
34 * This allows security to be applied to different Client types as they come
35 * into vogue or change over time.
37 * The password is encrypted at rest.
43 public abstract class AbsAuthentication<CLIENT> implements SecuritySetter<CLIENT> {
44 // The HTTP header for authentication is "Authorization". This dates from an early stage of the internet, when
45 // access by credential "authorized" you for everything on the site. Since those early days, it became
46 // clear that "full access" wasn't appropriate, so the split between Authentication and Authorization
47 // came into being... but the header name remains.
48 public static final String AUTHORIZATION = "Authorization";
49 private static final Symm symm;
51 protected static final String REPEAT_OFFENDER = "This call is aborted because of repeated usage of invalid Passwords";
52 private static final int MAX_TEMP_COUNT = 10;
53 private static final int MAX_SPAM_COUNT = 10000;
54 private static final long WAIT_TIME = 1000*60*4;
55 private final byte[] headValue;
57 protected final SecurityInfoC<CLIENT> securityInfo;
58 protected long lastMiss;
63 symm = Symm.encrypt.obtain();
64 } catch (IOException e) {
65 throw new RuntimeException("Cannot create critical internal encryption key",e);
70 public AbsAuthentication(final SecurityInfoC<CLIENT> securityInfo, final String user, final byte[] headValue) throws IOException {
71 this.headValue = headValue==null?null:symm.encode(headValue);
73 this.securityInfo = securityInfo;
78 protected String headValue() throws IOException {
82 return new String(symm.decode(headValue));
86 protected void setUser(String id) {
91 public String getID() {
95 public boolean isDenied() {
96 if(lastMiss>0 && lastMiss>System.currentTimeMillis()) {
104 public synchronized int setLastResponse(int httpcode) {
105 if(httpcode == 401) {
107 if(lastMiss==0L && count>MAX_TEMP_COUNT) {
108 lastMiss=System.currentTimeMillis()+WAIT_TIME;
110 // if(count>MAX_SPAM_COUNT) {
111 // System.err.printf("Your service has %d consecutive bad service logins to AAF. \nIt will now exit\n",
116 System.err.printf("Your service has %d consecutive bad service logins to AAF. AAF Access will be disabled after %d\n",
117 count,MAX_SPAM_COUNT);