1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package org.onap.aaf.cadi.aaf.cass;
\r
25 import java.io.IOException;
\r
26 import java.io.UnsupportedEncodingException;
\r
27 import java.util.Arrays;
\r
28 import java.util.HashMap;
\r
29 import java.util.Map;
\r
31 import org.apache.cassandra.auth.AuthenticatedUser;
\r
32 import org.apache.cassandra.auth.IAuthenticator;
\r
33 import org.apache.cassandra.auth.ISaslAwareAuthenticator;
\r
34 import org.apache.cassandra.exceptions.AuthenticationException;
\r
35 import org.apache.cassandra.exceptions.InvalidRequestException;
\r
36 import org.apache.cassandra.exceptions.RequestExecutionException;
\r
37 import org.onap.aaf.cadi.Symm;
\r
38 import org.onap.aaf.cadi.Access.Level;
\r
39 import org.onap.aaf.cadi.CredVal.Type;
\r
40 import org.onap.aaf.cadi.config.Config;
\r
42 public class AAFAuthenticator extends AAFBase implements ISaslAwareAuthenticator {
\r
44 public boolean requireAuthentication() {
\r
49 * Invoked to authenticate an user
\r
51 public AuthenticatedUser authenticate(Map<String, String> credentials) throws AuthenticationException {
\r
52 String username = (String)credentials.get("username");
\r
53 if (username == null) {
\r
54 throw new AuthenticationException("'username' is missing");
\r
57 AAFAuthenticatedUser aau = new AAFAuthenticatedUser(access,username);
\r
58 String fullName=aau.getFullName();
\r
59 access.log(Level.DEBUG, "Authenticating", aau.getName(),"(", fullName,")");
\r
61 String password = (String)credentials.get("password");
\r
62 if (password == null) {
\r
63 throw new AuthenticationException("'password' is missing");
\r
64 } else if(password.startsWith("bsf:")) {
\r
66 password = Symm.base64noSplit.depass(password);
\r
67 } catch (IOException e) {
\r
68 throw new AuthenticationException("AAF bnf: Password cannot be decoded");
\r
70 } else if(password.startsWith("enc:???")) {
\r
72 password = access.decrypt(password, true);
\r
73 } catch (IOException e) {
\r
74 throw new AuthenticationException("AAF Encrypted Password cannot be decrypted");
\r
78 if(localLur!=null) {
\r
79 access.log(Level.DEBUG, "Validating",fullName, "with LocalTaf", password);
\r
80 if(localLur.validate(fullName, Type.PASSWORD, password.getBytes())) {
\r
81 aau.setAnonymous(true);
\r
83 access.log(Level.DEBUG, fullName, "is authenticated locally");
\r
90 access.log(Level.DEBUG, "Validating",fullName, "with AAF");//, password);
\r
91 aafResponse = aafAuthn.validate(fullName, password);
\r
92 if(aafResponse != null) { // Reason for failing.
\r
93 access.log(Level.AUDIT, "AAF reports ",fullName,":",aafResponse);
\r
94 throw new AuthenticationException(aafResponse);
\r
96 access.log(Level.AUDIT, fullName, "is authenticated"); //,password);
\r
97 // This tells Cassandra to skip checking it's own tables for User Entries.
\r
98 aau.setAnonymous(true);
\r
99 } catch (AuthenticationException ex) {
\r
101 } catch(Exception ex) {
\r
102 access.log(ex,"Exception validating user");
\r
103 throw new AuthenticationException("Exception validating user");
\r
109 public void create(String username, Map<IAuthenticator.Option, Object> options) throws InvalidRequestException, RequestExecutionException {
\r
110 access.log(Level.INFO,"Use AAF CLI to create user");
\r
113 public void alter(String username, Map<IAuthenticator.Option, Object> options) throws RequestExecutionException {
\r
114 access.log(Level.INFO,"Use AAF CLI to alter user");
\r
117 public void drop(String username) throws RequestExecutionException {
\r
118 access.log(Level.INFO,"Use AAF CLI to delete user");
\r
121 public SaslAuthenticator newAuthenticator() {
\r
122 return new ISaslAwareAuthenticator.SaslAuthenticator() {
\r
123 private boolean complete = false;
\r
124 private Map<String, String> credentials;
\r
126 public byte[] evaluateResponse(byte[] clientResponse) throws AuthenticationException {
\r
127 this.credentials = decodeCredentials(clientResponse);
\r
128 this.complete = true;
\r
132 public boolean isComplete() {
\r
133 return this.complete;
\r
136 public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException {
\r
137 return AAFAuthenticator.this.authenticate(this.credentials);
\r
140 private Map<String, String> decodeCredentials(byte[] bytes) throws AuthenticationException {
\r
141 access.log(Level.DEBUG,"Decoding credentials from client token");
\r
142 byte[] user = null;
\r
143 byte[] pass = null;
\r
144 int end = bytes.length;
\r
145 for (int i = bytes.length - 1; i >= 0; i--)
\r
150 pass = Arrays.copyOfRange(bytes, i + 1, end);
\r
151 else if (user == null)
\r
152 user = Arrays.copyOfRange(bytes, i + 1, end);
\r
157 throw new AuthenticationException("Authentication ID must not be null");
\r
158 if (pass == null) {
\r
159 throw new AuthenticationException("Password must not be null");
\r
161 Map<String,String> credentials = new HashMap<String,String>();
\r
163 credentials.put(IAuthenticator.USERNAME_KEY, new String(user, Config.UTF_8));
\r
164 credentials.put(IAuthenticator.PASSWORD_KEY, new String(pass, Config.UTF_8));
\r
165 } catch (UnsupportedEncodingException e) {
\r
166 throw new AuthenticationException(e.getMessage());
\r
168 return credentials;
\r