1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * Copyright © 2017 Amdocs
\r
7 * * ===========================================================================
\r
8 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
9 * * you may not use this file except in compliance with the License.
\r
10 * * You may obtain a copy of the License at
\r
12 * * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * * Unless required by applicable law or agreed to in writing, software
\r
15 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
16 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
17 * * See the License for the specific language governing permissions and
\r
18 * * limitations under the License.
\r
19 * * ============LICENSE_END====================================================
\r
21 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
23 ******************************************************************************/
\r
24 package com.att.cadi.lur;
\r
26 import java.io.IOException;
\r
27 import java.security.Principal;
\r
28 import java.util.List;
\r
29 import java.util.Map;
\r
30 import java.util.Set;
\r
31 import java.util.TreeSet;
\r
33 import com.att.cadi.AbsUserCache;
\r
34 import com.att.cadi.Access;
\r
35 import com.att.cadi.Access.Level;
\r
36 import com.att.cadi.CredVal;
\r
37 import com.att.cadi.Hash;
\r
38 import com.att.cadi.Permission;
\r
39 import com.att.cadi.StrLur;
\r
40 import com.att.cadi.User;
\r
41 import com.att.cadi.config.Config;
\r
45 * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms.
\r
49 public final class LocalLur extends AbsUserCache<LocalPermission> implements StrLur, CredVal {
\r
50 public static final String SEMI = "\\s*;\\s*";
\r
51 public static final String COLON = "\\s*:\\s*";
\r
52 public static final String COMMA = "\\s*,\\s*";
\r
53 public static final String PERCENT = "\\s*%\\s*";
\r
55 // Use to quickly determine whether any given group is supported by this LUR
\r
56 private final Set<String> supportingGroups;
\r
57 private String supportedRealm;
\r
60 * Construct by building structure, see "build"
\r
62 * Reconstruct with "build"
\r
64 * @param userProperty
\r
65 * @param groupProperty
\r
67 * @throws IOException
\r
69 public LocalLur(Access access, String userProperty, String groupProperty) throws IOException {
\r
70 super(access, 0, 0, Integer.MAX_VALUE); // data doesn't expire
\r
71 supportedRealm = access.getProperty(Config.BASIC_REALM, "localized");
\r
72 supportingGroups = new TreeSet<String>();
\r
74 if(userProperty!=null) {
\r
75 // For each User name...
\r
76 for(String user : userProperty.trim().split(SEMI)) {
\r
77 String[] us = user.split(COLON,2);
\r
78 String[] userpass = us[0].split(PERCENT,2);
\r
80 User<LocalPermission> usr;
\r
81 if(userpass.length>1) {
\r
82 if(userpass.length>0 && userpass[0].indexOf('@')<0) {
\r
83 userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
\r
87 byte[] pass = access.decrypt(userpass[1], true).getBytes();
\r
88 usr = new User<LocalPermission>(new ConfigPrincipal(u, pass));
\r
91 usr = new User<LocalPermission>(new ConfigPrincipal(u, (byte[])null));
\r
94 access.log(Level.INIT, "Local User:",usr.principal);
\r
97 Map<String, Permission> newMap = usr.newMap();
\r
98 for(String group : us[1].split(COMMA)) {
\r
99 supportingGroups.add(group);
\r
100 usr.add(newMap,new LocalPermission(group));
\r
102 usr.setMap(newMap);
\r
106 if(groupProperty!=null) {
\r
107 // For each Group name...
\r
108 for(String group : groupProperty.trim().split(SEMI)) {
\r
109 String[] gs = group.split(COLON,2);
\r
111 supportingGroups.add(gs[0]);
\r
112 LocalPermission p = new LocalPermission(gs[0]);
\r
113 // Add all users (known by comma separators)
\r
115 for(String grpMem : gs[1].split(COMMA)) {
\r
116 // look for password, if so, put in passMap
\r
117 String[] userpass = grpMem.split(PERCENT,2);
\r
118 if(userpass.length>0 && userpass[0].indexOf('@')<0) {
\r
119 userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
\r
121 User<LocalPermission> usr = getUser(userpass[0]);
\r
122 if(userpass.length>1) {
\r
123 byte[] pass = access.decrypt(userpass[1], true).getBytes();
\r
124 if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],pass)));
\r
125 else usr.principal=new ConfigPrincipal(userpass[0],pass);
\r
127 if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],(byte[])null)));
\r
130 access.log(Level.INIT, "Local User:",usr.principal);
\r
137 public boolean validate(String user, CredVal.Type type, byte[] cred) {
\r
138 User<LocalPermission> usr = getUser(user);
\r
141 // covers null as well as bad pass
\r
142 if(usr!=null && cred!=null && usr.principal instanceof ConfigPrincipal) {
\r
143 return Hash.isEqual(cred,((ConfigPrincipal)usr.principal).getCred());
\r
151 public boolean fish(Principal bait, Permission pond) {
\r
152 if(supports(bait.getName()) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
\r
153 User<LocalPermission> user = getUser(bait);
\r
154 return user==null?false:user.contains((LocalPermission)pond);
\r
159 public boolean fish(String bait, Permission pond) {
\r
160 if(supports(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
\r
161 User<LocalPermission> user = getUser(bait);
\r
162 return user==null?false:user.contains((LocalPermission)pond);
\r
167 // We do not want to expose the actual Group, so make a copy.
\r
168 public void fishAll(Principal bait, List<Permission> perms) {
\r
169 if(supports(bait.getName())) {
\r
170 User<LocalPermission> user = getUser(bait);
\r
172 user.copyPermsTo(perms);
\r
177 public void fishAll(String bait, List<Permission> perms) {
\r
178 if(supports(bait)) {
\r
179 User<LocalPermission> user = getUser(bait);
\r
181 user.copyPermsTo(perms);
\r
186 public boolean supports(String userName) {
\r
187 return userName!=null && userName.endsWith(supportedRealm);
\r
190 public boolean handlesExclusively(Permission pond) {
\r
191 return supportingGroups.contains(pond.getKey());
\r
195 * @see com.att.cadi.Lur#createPerm(java.lang.String)
\r
198 public Permission createPerm(String p) {
\r
199 return new LocalPermission(p);
\r