2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi.filter;
24 import java.io.IOException;
25 import java.net.HttpURLConnection;
27 import javax.servlet.http.HttpServletRequest;
28 import javax.servlet.http.HttpServletResponse;
30 import org.onap.aaf.cadi.Access;
31 import org.onap.aaf.cadi.Access.Level;
32 import org.onap.aaf.cadi.CadiException;
33 import org.onap.aaf.cadi.CadiWrap;
34 import org.onap.aaf.cadi.Connector;
35 import org.onap.aaf.cadi.CredVal;
36 import org.onap.aaf.cadi.LocatorException;
37 import org.onap.aaf.cadi.Lur;
38 import org.onap.aaf.cadi.Taf;
39 import org.onap.aaf.cadi.TrustChecker;
40 import org.onap.aaf.cadi.config.Config;
41 import org.onap.aaf.cadi.config.SecurityInfoC;
42 import org.onap.aaf.cadi.lur.EpiLur;
43 import org.onap.aaf.cadi.taf.HttpTaf;
44 import org.onap.aaf.cadi.taf.TafResp;
45 import org.onap.aaf.cadi.util.UserChainManip;
48 * Encapsulate common HTTP Manipulation Behavior. It will appropriately set
49 * HTTPServletResponse for Redirect or Forbidden, as needed.
51 * Further, this is useful because it avoids repeatedly creating Connections in deployments where
52 * some Filters are created and destroyed regularly.
57 public class CadiHTTPManip {
// Outcome strings written into audit/debug log lines and, for ACCESS_DENIED, into 403 bodies by validate().
58 private static final String ACCESS_DENIED = "Access Denied";
59 private static final String NO_TAF_WILL_AUTHORIZE = "No TAF will authorize";
60 private static final String AUTHENTICATION_FAILURE = "Authentication Failure";
61 private static final String AUTHENTICATING_VIA_REDIRECTION = "Authenticating via redirection";
// Format of every authentication decision log line: target user, remote ip:port, outcome, TAF description.
62 private static final String MSG_FMT = "user=%s,ip=%s:%d,msg=\"%s: %s\"";
63 private static final String AUTHENTICATED = "Authenticated";
// Permission suffix appended to a namespace; holders may call the /cadi/ control endpoints in notCadi().
64 private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
// The control endpoints are served only for this HTTP method (compared case-insensitively in notCadi()).
65 private static final String METH = "OPTIONS";
// Path fragments that notCadi() matches with String.contains(), i.e. anywhere in the path, not as a prefix.
66 private static final String CADI = "/cadi/";
67 private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
68 private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";
69 private static final String CADI_LOG_SET = "/cadi/log/set/";
// NOTE(review): LOCK is not referenced anywhere in the visible part of this file — confirm it is still needed.
70 private static final Object LOCK = new Object();
71 private Access access;
// NOTE(review): the listing skips source lines 72-74; the lur/up/taf fields used by the constructor are presumably declared there.
// thisPerm: the app's own namespace + ACCESS_CADI_CONTROL; companyPerm: the namespace truncated at its second dot + the same suffix.
// Both are set in the constructor and checked by notCadi() before any control endpoint is served.
75 private String thisPerm,companyPerm,aaf_id;
// Shared empty varargs for callers with no extra TAFs/LURs; a zero-length array has no element to mutate, so sharing it is safe.
77 public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems
/**
 * Builds the shared authentication (TAF) and authorization (LUR) chain for this filter instance.
 *
 * Resolves the application's own identity from configuration, derives the two permissions
 * that gate the /cadi/ control endpoints, then configures the LUR and HttpTaf from the
 * Connector, TrustChecker and any additional TAF/LUR objects supplied by the caller.
 *
 * NOTE(review): several source lines are absent from this listing (gutter numbers jump, e.g.
 * 86→88→90, 95→97→101), including the conditionals that select between the branches below;
 * the comments describe only what the visible lines do.
 *
 * @param access            configuration and logging access object
 * @param con               connector used to build the LUR/TAF chain
 * @param tc                trust checker handed to the HttpTaf configuration
 * @param additionalTafLurs optional extra TAF/LUR objects; pass {@code noAdditional} when there are none
 * @throws CadiException    propagated from Config.configLur / Config.configHttpTaf
 * @throws LocatorException propagated from Config.configLur / Config.configHttpTaf
 */
80 public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException, LocatorException {
83 // Get getter = new AccessGetter(access);
84 Config.setDefaultRealm(access);
// App identity: CADI_ALIAS wins, otherwise AAF_APPID; null when neither is configured.
86 aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_APPID, null));
// Presumably the aaf_id==null branch (guard not in listing) — logged at INIT so a missing identity is visible at startup.
88 access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_APPID,Config.CADI_ALIAS);
90 access.printf(Level.INIT, "%s is set to %s",Config.AAF_APPID,aaf_id);
// Namespace of the app identity, used to scope the control-endpoint permissions to this app and its company.
92 String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id);
94 thisPerm = ns+ACCESS_CADI_CONTROL;
95 int dot = ns.indexOf('.');
97 int dot2=ns.indexOf('.',dot+1);
// companyPerm covers the first two namespace components. NOTE(review): the bounds checks that make
// substring(0, dot2) safe when ns has fewer than two dots are not in this listing — confirm against the source.
101 companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL;
103 companyPerm = "com"+ACCESS_CADI_CONTROL;
// Fallback when no app identity/namespace is available: both permissions collapse to the generic "com" root.
// NOTE(review): this means an unconfigured deployment gates the control endpoints on a company-wide permission — verify that is intended.
106 thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL;
108 SecurityInfoC<HttpURLConnection> si;
109 si = SecurityInfoC.instance(access, HttpURLConnection.class);
111 lur = Config.configLur(si, con, additionalTafLurs);
// Extract a user/password credential validator from the LUR, if the LUR provides one, so the TAF chain can use it.
114 if (lur instanceof EpiLur) {
115 up = ((EpiLur)lur).getUserPassImpl();
116 } else if (lur instanceof CredVal) {
// NOTE(review): the CredVal assignment (source line 117) is missing from this listing.
121 taf = Config.configHttpTaf(con,si, tc, up, lur, additionalTafLurs);
/**
 * Runs the configured TAF chain against a request and writes the HTTP outcome when access is refused.
 *
 * Every decision is logged through MSG_FMT with the target user and remote ip:port; successful
 * authentication is logged at DEBUG, refusals at AUDIT. Refusals are answered with a 403.
 *
 * NOTE(review): the listing omits the break/return lines between cases (e.g. source lines 131, 137,
 * 141, 146-148, 152-153, 158-159, 163-165), so the flow between cases and the final return value
 * cannot be confirmed from what is visible here.
 *
 * @param hreq  incoming request
 * @param hresp response, written to only when a 403 is sent
 * @param state opaque caller state; not read by the visible lines
 * @return the TafResp produced by the chain (presumably; the return statements are not in this listing)
 * @throws IOException from HttpServletResponse.sendError
 */
125 public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp, Object state) throws IOException {
126 TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp);
127 switch(tresp.isAuthenticated()) {
128 case IS_AUTHENTICATED:
129 access.printf(Level.DEBUG,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(),
130 hreq.getRemotePort(),AUTHENTICATED,tresp.desc());
// The TAF asked for a second round (e.g. a challenge); authenticate() performs it and we act on that result.
132 case TRY_AUTHENTICATING:
133 switch (tresp.authenticate()) {
134 case IS_AUTHENTICATED:
135 access.printf(Level.DEBUG,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(),
136 hreq.getRemotePort(),AUTHENTICATED,tresp.desc());
// The TAF has already sent a redirect on hresp; nothing further is written here.
138 case HTTP_REDIRECT_INVOKED:
139 access.printf(Level.DEBUG,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(),
140 hreq.getRemotePort(),AUTHENTICATING_VIA_REDIRECTION,tresp.desc());
142 case NO_FURTHER_PROCESSING:
143 access.printf(Level.AUDIT,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(),
144 hreq.getRemotePort(),AUTHENTICATION_FAILURE,tresp.desc());
// NOTE(review): this 403 (and the one on the next case) echoes the TAF's desc() into the response body, whereas the
// outer NO_FURTHER_PROCESSING/default branches send the fixed ACCESS_DENIED — confirm desc() never carries
// internal detail that should be kept out of client-visible error pages. HttpURLConnection.HTTP_FORBIDDEN
// is already imported and would name the 403 literal.
145 hresp.sendError(403, tresp.desc()); // Forbidden
// Presumably the default of the inner switch (the label is not in this listing).
149 access.printf(Level.AUDIT,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(),
150 hreq.getRemotePort(),NO_TAF_WILL_AUTHORIZE,tresp.desc());
151 hresp.sendError(403, tresp.desc()); // Forbidden
154 case NO_FURTHER_PROCESSING:
155 access.printf(Level.AUDIT,MSG_FMT, tresp.getTarget(),hreq.getRemoteAddr(),
156 hreq.getRemotePort(),NO_TAF_WILL_AUTHORIZE,tresp.desc());
157 hresp.sendError(403, ACCESS_DENIED); // FORBIDDEN
// Presumably the default of the outer switch (the label is not in this listing).
160 access.printf(Level.AUDIT,MSG_FMT, tresp.getTarget(),hreq.getRemoteAddr(),
161 hreq.getRemotePort(),NO_TAF_WILL_AUTHORIZE,tresp.desc());
162 hresp.sendError(403, ACCESS_DENIED); // FORBIDDEN
/**
 * Serves the built-in CADI control endpoints (cache print, cache clear, log level) for authorized callers.
 *
 * A request is treated as a control request only when the method is OPTIONS and the path contains
 * "/cadi/". The caller must be the application itself (aaf_id) or hold thisPerm or companyPerm.
 *
 * NOTE(review): the try block opener, the return statements, the unauthorized branch and the
 * IOException handler body are not in this listing (e.g. source lines 169, 173, 176-177, 182-183,
 * 194-196, 198-204), so the return value for each path cannot be confirmed here. The method name
 * suggests it returns true when the request is NOT a control request — verify against the source.
 *
 * @param req  wrapped request carrying the authenticated user and role checks
 * @param resp response the control output is written to
 * @return presumably whether the caller should continue normal processing (return lines not visible)
 */
168 public boolean notCadi(CadiWrap req, HttpServletResponse resp) {
170 String pathInfo = req.getPathInfo();
// contains(), not startsWith(): "/cadi/" anywhere in the path qualifies. Authorization below still applies.
171 if (METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) {
// Authorization gate for every control endpoint. NOTE(review): req.getUser() is dereferenced without a null
// check — confirm CadiWrap guarantees a non-null user here, or compare as aaf_id.equals(req.getUser()).
172 if (req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) {
// Dumps the LUR's cache state to the response. NOTE(review): the content is whatever each Lur's toString()
// emits — confirm no credential material or secrets are included before exposing it, even to authorized callers.
174 if (pathInfo.contains(CADI_CACHE_PRINT)) {
175 resp.getOutputStream().println(lur.toString());
// Clears the LUR cache on behalf of the caller's principal and returns the clear report to the caller.
178 } else if (pathInfo.contains(CADI_CACHE_CLEAR)) {
179 StringBuilder report = new StringBuilder();
180 lur.clear(req.getUserPrincipal(), report);
181 resp.getOutputStream().println(report.toString());
// Changes the process-wide CADI log level at runtime; the level name is the last path segment.
184 } else if (pathInfo.contains(CADI_LOG_SET)) {
186 int slash = pathInfo.lastIndexOf('/');
187 String level = pathInfo.substring(slash+1);
// Level.valueOf rejects anything that is not an enum name, so only known levels can be applied; the
// change is audit-logged with the requesting user so it can be traced.
189 l = Level.valueOf(level);
190 access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'",req.getUser(),l.name());
191 access.setLogLevel(l);
192 } catch (IllegalArgumentException e) {
// Invalid level name: audit-logged, level left unchanged.
193 access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level);
// NOTE(review): the handler body (source lines 198-204) is missing from this listing — confirm the
// IOException is logged rather than silently dropped.
197 } catch (IOException e) {
/**
 * Returns the LUR configured by the constructor.
 * NOTE(review): the method body is not in this listing.
 */
205 public Lur getLur() {
/**
 * Logs that this instance is being torn down. Only the log call is visible in this listing;
 * no resource release is performed by the visible lines.
 */
209 public void destroy() {
210 access.log(Level.INFO,"CadiHttpChecker destroyed.");
217 public Access getAccess() {