1 /*******************************************************************************\r
2  * ============LICENSE_START====================================================\r
3  * * org.onap.aaf\r
4  * * ===========================================================================\r
5  * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
6  * * ===========================================================================\r
7  * * Licensed under the Apache License, Version 2.0 (the "License");\r
8  * * you may not use this file except in compliance with the License.\r
9  * * You may obtain a copy of the License at\r
10  * * \r
11  *  *      http://www.apache.org/licenses/LICENSE-2.0\r
12  * * \r
13  *  * Unless required by applicable law or agreed to in writing, software\r
14  * * distributed under the License is distributed on an "AS IS" BASIS,\r
15  * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
16  * * See the License for the specific language governing permissions and\r
17  * * limitations under the License.\r
18  * * ============LICENSE_END====================================================\r
19  * *\r
20  * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
21  * *\r
22  ******************************************************************************/\r
23 package com.att.cadi.lur;\r
24 \r
25 import java.io.IOException;\r
26 import java.security.Principal;\r
27 import java.util.List;\r
28 import java.util.Map;\r
29 import java.util.Set;\r
30 import java.util.TreeSet;\r
31 \r
32 import com.att.cadi.AbsUserCache;\r
33 import com.att.cadi.Access;\r
34 import com.att.cadi.Access.Level;\r
35 import com.att.cadi.CredVal;\r
36 import com.att.cadi.Hash;\r
37 import com.att.cadi.Permission;\r
38 import com.att.cadi.StrLur;\r
39 import com.att.cadi.User;\r
40 import com.att.cadi.config.Config;\r
41 \r
42 \r
43 /**\r
44  * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms.\r
45  * \r
46  *\r
47  */\r
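public final class LocalLur extends AbsUserCache<LocalPermission> implements StrLur, CredVal {
	// Separator patterns for the property syntax: "user%pass:group,group;user2..." and "group:user%pass,user2;..."
	public static final String SEMI = "\\s*;\\s*";
	public static final String COLON = "\\s*:\\s*";
	public static final String COMMA = "\\s*,\\s*";
	public static final String PERCENT = "\\s*%\\s*";

	// Use to quickly determine whether any given group is supported by this LUR
	private final Set<String> supportingGroups;
	// Realm suffix that a user name must carry for this Lur to answer for it (see supports())
	private final String supportedRealm;

	/**
	 * Builds the in-memory user and group tables from two property strings.
	 *
	 * {@code userProperty} is a {@code ;}-separated list of {@code user[%encryptedPass][:group,group,...]};
	 * {@code groupProperty} is a {@code ;}-separated list of {@code group:user[%encryptedPass],user,...}.
	 * Passwords are decrypted once here and kept in memory on the {@link ConfigPrincipal} for the
	 * lifetime of the cache (entries never expire), so this Lur is only suitable for small, local
	 * configurations. Blank entries produced by stray separators are ignored rather than registered.
	 *
	 * @param access        CADI Access used for configuration lookup, decryption and logging
	 * @param userProperty  user definitions, or {@code null} for none
	 * @param groupProperty group definitions, or {@code null} for none
	 * @throws IOException propagated from the superclass constructor or credential decryption
	 */
	public LocalLur(Access access, String userProperty, String groupProperty) throws IOException {
		super(access, 0, 0, Integer.MAX_VALUE);  // data doesn't expire
		supportedRealm = access.getProperty(Config.BASIC_REALM, "localized");
		supportingGroups = new TreeSet<String>();

		if (userProperty != null) {
			loadUsers(access, userProperty);
		}
		if (groupProperty != null) {
			loadGroups(access, groupProperty);
		}
	}

	/** Registers every {@code user[%pass][:group,...]} entry of the user property. */
	private void loadUsers(Access access, String userProperty) throws IOException {
		for (String entry : userProperty.trim().split(SEMI)) {
			if (entry.isEmpty()) {
				continue; // a leading or doubled ';' would otherwise register a user named ""
			}
			String[] us = entry.split(COLON, 2);
			String[] userpass = us[0].split(PERCENT, 2);
			User<LocalPermission> usr;
			if (userpass.length > 1) {
				// Only password-bearing users are realm-qualified here; password-less names are
				// kept verbatim (original behaviour, presumably because they come from another
				// authenticator already carrying their realm) — confirm before changing.
				String u = qualify(access, userpass[0]);
				usr = new User<LocalPermission>(new ConfigPrincipal(u, decryptCred(access, userpass[1])));
			} else {
				usr = new User<LocalPermission>(new ConfigPrincipal(us[0], (byte[]) null));
			}
			addUser(usr);
			access.log(Level.INIT, "Local User:", usr.principal);

			if (us.length > 1) {
				Map<String, Permission> newMap = usr.newMap();
				for (String group : us[1].split(COMMA)) {
					supportingGroups.add(group);
					usr.add(newMap, new LocalPermission(group));
				}
				usr.setMap(newMap);
			}
		}
	}

	/** Registers every {@code group:user[%pass],user,...} entry of the group property. */
	private void loadGroups(Access access, String groupProperty) throws IOException {
		for (String entry : groupProperty.trim().split(SEMI)) {
			String[] gs = entry.split(COLON, 2);
			if (gs.length < 2) {
				continue; // blank entry, or a group with no member list: nothing to define
			}
			supportingGroups.add(gs[0]);
			LocalPermission p = new LocalPermission(gs[0]);

			// Add all users (known by comma separators)
			for (String grpMem : gs[1].split(COMMA)) {
				if (grpMem.isEmpty()) {
					continue; // "group:" or "a,,b" would otherwise register a user named "@<realm>"
				}
				// look for password, if so, put in passMap
				String[] userpass = grpMem.split(PERCENT, 2);
				String name = qualify(access, userpass[0]);
				User<LocalPermission> usr = getUser(name);
				if (userpass.length > 1) {
					byte[] pass = decryptCred(access, userpass[1]);
					if (usr == null) {
						addUser(usr = new User<LocalPermission>(new ConfigPrincipal(name, pass)));
					} else {
						// last definition wins: a group entry replaces the credential set by the user entry
						usr.principal = new ConfigPrincipal(name, pass);
					}
				} else if (usr == null) {
					addUser(usr = new User<LocalPermission>(new ConfigPrincipal(name, (byte[]) null)));
				}
				usr.add(p);
				access.log(Level.INIT, "Local User:", usr.principal);
			}
		}
	}

	/** Appends the configured default realm to a bare name; names already containing '@' are returned unchanged. */
	private static String qualify(Access access, String name) {
		if (name.indexOf('@') < 0) {
			return name + '@' + access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm());
		}
		return name;
	}

	/** Decrypts a configured password into the byte form that validate() compares against. */
	private static byte[] decryptCred(Access access, String encrypted) throws IOException {
		// NOTE(review): getBytes() uses the platform default charset; whatever produces the byte[]
		// handed to validate() must use the same one. Move both sides to UTF_8 together, not one.
		return access.decrypt(encrypted, true).getBytes();
	}

	/**
	 * Checks a password credential against the one configured for the user.
	 *
	 * @param user fully qualified user name
	 * @param type only {@code PASSWORD} is handled; any other (or null) type fails
	 * @param cred candidate password bytes; null fails
	 * @return true only for a known, locally configured user whose stored bytes equal {@code cred}
	 */
	public boolean validate(String user, CredVal.Type type, byte[] cred) {
		if (type != CredVal.Type.PASSWORD || cred == null) {
			return false;
		}
		User<LocalPermission> usr = getUser(user);
		if (usr == null || !(usr.principal instanceof ConfigPrincipal)) {
			return false; // unknown user, or one whose principal was not built by this Lur
		}
		// Hash.isEqual is the project's comparison helper; for a password check it needs to be
		// constant-time (java.security.MessageDigest.isEqual is the stdlib equivalent) — confirm.
		return Hash.isEqual(cred, ((ConfigPrincipal) usr.principal).getCred());
	}

	/** True when a cached user exists and holds {@code pond}; local Users only have LocalPermissions. */
	private static boolean holds(User<LocalPermission> user, Permission pond) {
		return user != null && user.contains((LocalPermission) pond);
	}

	//      @Override
	public boolean fish(Principal bait, Permission pond) {
		if (bait != null && supports(bait.getName()) && pond instanceof LocalPermission) {
			return holds(getUser(bait), pond);
		}
		return false;
	}

	public boolean fish(String bait, Permission pond) {
		if (supports(bait) && pond instanceof LocalPermission) {
			return holds(getUser(bait), pond);
		}
		return false;
	}

	// We do not want to expose the actual Group, so make a copy.
	public void fishAll(Principal bait, List<Permission> perms) {
		if (bait != null && supports(bait.getName())) {
			User<LocalPermission> user = getUser(bait);
			if (user != null) {
				user.copyPermsTo(perms);
			}
		}
	}

	public void fishAll(String bait, List<Permission> perms) {
		if (supports(bait)) {
			User<LocalPermission> user = getUser(bait);
			if (user != null) {
				user.copyPermsTo(perms);
			}
		}
	}

	/**
	 * Whether a user name belongs to the realm this Lur serves.
	 *
	 * NOTE(review): this is a bare suffix test on the realm text, so a name whose domain merely
	 * ends with the same characters also passes. Tightening it to {@code endsWith('@' + supportedRealm)}
	 * requires confirming the format of {@code Config.BASIC_REALM} first.
	 */
	public boolean supports(String userName) {
		return userName != null && userName.endsWith(supportedRealm);
	}

	/** True when the permission key is one of the groups defined in this Lur's configuration. */
	public boolean handlesExclusively(Permission pond) {
		if (pond == null) {
			return false;
		}
		String key = pond.getKey();
		return key != null && supportingGroups.contains(key); // TreeSet.contains(null) would throw
	}

	/* (non-Javadoc)
	 * @see com.att.cadi.Lur#createPerm(java.lang.String)
	 */
	@Override
	public Permission createPerm(String p) {
		return new LocalPermission(p);
	}

}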