80b302aa15cbd6c24a40a1a72053875118e2566e
1 /*******************************************************************************\r
2  * ============LICENSE_START====================================================\r
3  * * org.onap.aai\r
4  * * ===========================================================================\r
5  * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
6  * * Copyright © 2017 Amdocs\r
7  * * ===========================================================================\r
8  * * Licensed under the Apache License, Version 2.0 (the "License");\r
9  * * you may not use this file except in compliance with the License.\r
10  * * You may obtain a copy of the License at\r
11  * * \r
12  *  *      http://www.apache.org/licenses/LICENSE-2.0\r
13  * * \r
14  *  * Unless required by applicable law or agreed to in writing, software\r
15  * * distributed under the License is distributed on an "AS IS" BASIS,\r
16  * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
17  * * See the License for the specific language governing permissions and\r
18  * * limitations under the License.\r
19  * * ============LICENSE_END====================================================\r
20  * *\r
21  * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
22  * *\r
23  ******************************************************************************/\r
24 package com.att.cadi.lur;\r
25 \r
26 import java.io.IOException;\r
27 import java.security.Principal;\r
28 import java.util.List;\r
29 import java.util.Map;\r
30 import java.util.Set;\r
31 import java.util.TreeSet;\r
32 \r
33 import com.att.cadi.AbsUserCache;\r
34 import com.att.cadi.Access;\r
35 import com.att.cadi.Access.Level;\r
36 import com.att.cadi.CredVal;\r
37 import com.att.cadi.Hash;\r
38 import com.att.cadi.Permission;\r
39 import com.att.cadi.StrLur;\r
40 import com.att.cadi.User;\r
41 import com.att.cadi.config.Config;\r
42 \r
43 \r
44 /**\r
45  * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms.\r
46  * \r
47  *\r
48  */\r
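public final class LocalLur extends AbsUserCache<LocalPermission> implements StrLur, CredVal {
    // Separator regexes for the property syntax; whitespace around each separator is ignored.
    public static final String SEMI = "\\s*;\\s*";
    public static final String COLON = "\\s*:\\s*";
    public static final String COMMA = "\\s*,\\s*";
    public static final String PERCENT = "\\s*%\\s*";

    // Use to quickly determine whether any given group is supported by this LUR
    private final Set<String> supportingGroups;
    // Realm suffix (Config.BASIC_REALM, default "localized") a user name must end with for this LUR to answer for it.
    // NOTE(review): names parsed from the properties are qualified with Config.AAF_DEFAULT_REALM, which is a
    // different property; the two must agree for parsed users to be found via supports() — confirm deployment config.
    private final String supportedRealm;

    /**
     * Builds the in-memory user/permission structure from two property strings.
     *
     * <p>{@code userProperty} is a ';'-separated list of entries {@code user[%encPass][:group[,group...]]};
     * {@code groupProperty} is a ';'-separated list of {@code group:user[%encPass][,user[%encPass]...]}.
     * A name without an '@' is qualified with {@code Config.AAF_DEFAULT_REALM} in both lists (the original
     * user list only did so when a password was present, so password-less users could not be matched
     * against group members). Passwords are decrypted through {@code access.decrypt(..., true)}.
     * Blank entries, groups and members (e.g. from a doubled separator) are skipped instead of defining
     * an entity named "". Cached data never expires.
     *
     * @param access        configuration, decryption and logging facade
     * @param userProperty  user definitions; may be {@code null}
     * @param groupProperty group definitions; may be {@code null}
     * @throws IOException as declared by the original; presumably from the cache constructor or decryption
     */
    public LocalLur(Access access, String userProperty, String groupProperty) throws IOException {
        super(access, 0, 0, Integer.MAX_VALUE);  // data doesn't expire
        supportedRealm = access.getProperty(Config.BASIC_REALM, "localized");
        supportingGroups = new TreeSet<String>();

        if (userProperty != null) {
            loadUsers(access, userProperty);
        }
        if (groupProperty != null) {
            loadGroups(access, groupProperty);
        }
    }

    // Parses "user[%encPass][:group,group...];..." and registers each user together with its groups.
    private void loadUsers(Access access, String userProperty) throws IOException {
        for (String entry : userProperty.trim().split(SEMI)) {
            if (entry.length() == 0) {
                continue; // a doubled ';' or an empty property would otherwise define a user named ""
            }
            String[] us = entry.split(COLON, 2);
            String[] userpass = us[0].split(PERCENT, 2);
            String name = qualify(access, userpass[0]);
            User<LocalPermission> usr;
            if (userpass.length > 1) {
                // NOTE(review): getBytes() uses the platform charset; the bytes presented to validate() must
                // be produced the same way for non-ASCII passwords to match — left unchanged deliberately.
                byte[] pass = access.decrypt(userpass[1], true).getBytes();
                usr = new User<LocalPermission>(new ConfigPrincipal(name, pass));
            } else {
                usr = new User<LocalPermission>(new ConfigPrincipal(name, (byte[]) null));
            }
            addUser(usr);
            access.log(Level.INIT, "Local User:", usr.principal);

            if (us.length > 1) {
                Map<String, Permission> newMap = usr.newMap();
                for (String group : us[1].split(COMMA)) {
                    if (group.length() == 0) {
                        continue; // "user:" or "a,,b" must not register a group named ""
                    }
                    supportingGroups.add(group);
                    usr.add(newMap, new LocalPermission(group));
                }
                usr.setMap(newMap);
            }
        }
    }

    // Parses "group:user[%encPass],user...;..." — creates members not already known and grants them the group.
    private void loadGroups(Access access, String groupProperty) throws IOException {
        for (String entry : groupProperty.trim().split(SEMI)) {
            String[] gs = entry.split(COLON, 2);
            if (gs.length < 2 || gs[0].length() == 0) {
                continue; // no member list (or a blank entry) defines nothing
            }
            supportingGroups.add(gs[0]);
            LocalPermission p = new LocalPermission(gs[0]);
            for (String grpMem : gs[1].split(COMMA)) {
                if (grpMem.length() == 0) {
                    continue; // "group:" or "a,,b" would otherwise create a user named "@<realm>"
                }
                String[] userpass = grpMem.split(PERCENT, 2);
                String name = qualify(access, userpass[0]);
                User<LocalPermission> usr = getUser(name);
                if (userpass.length > 1) {
                    // a password given on the group side replaces whatever the user entry carried
                    byte[] pass = access.decrypt(userpass[1], true).getBytes();
                    if (usr == null) {
                        usr = new User<LocalPermission>(new ConfigPrincipal(name, pass));
                        addUser(usr);
                    } else {
                        usr.principal = new ConfigPrincipal(name, pass);
                    }
                } else if (usr == null) {
                    usr = new User<LocalPermission>(new ConfigPrincipal(name, (byte[]) null));
                    addUser(usr);
                }
                usr.add(p);
                access.log(Level.INIT, "Local User:", usr.principal);
            }
        }
    }

    // Appends '@' + Config.AAF_DEFAULT_REALM to a name that carries no realm; shared by both property loops.
    private static String qualify(Access access, String name) {
        if (name.indexOf('@') < 0) {
            return name + '@' + access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm());
        }
        return name;
    }

    /**
     * Compares a presented credential with the one stored for {@code user}.
     *
     * <p>Only {@code Type.PASSWORD} is handled. An unsupported or null type, a null credential, an
     * unknown user, a principal that is not a {@link ConfigPrincipal}, or a user configured without a
     * password all yield {@code false}.
     *
     * @return {@code true} only when {@code Hash.isEqual} accepts the credential against the stored one
     */
    public boolean validate(String user, CredVal.Type type, byte[] cred) {
        if (type != CredVal.Type.PASSWORD || cred == null) {
            return false;
        }
        User<LocalPermission> usr = getUser(user);
        if (usr == null || !(usr.principal instanceof ConfigPrincipal)) {
            return false;
        }
        byte[] stored = ((ConfigPrincipal) usr.principal).getCred();
        if (stored == null) {
            // no password configured: nothing can match, and Hash.isEqual's null handling is not relied upon
            return false;
        }
        return Hash.isEqual(cred, stored);
    }

    //  @Override
    /** Whether the local user named by {@code bait} holds {@code pond}; false for null bait or foreign realms. */
    public boolean fish(Principal bait, Permission pond) {
        // local Users only have LocalPermissions
        if (bait == null || !supports(bait.getName()) || !(pond instanceof LocalPermission)) {
            return false;
        }
        User<LocalPermission> user = getUser(bait);
        return user != null && user.contains((LocalPermission) pond);
    }

    /** Whether the local user named {@code bait} holds {@code pond}; false for null bait or foreign realms. */
    public boolean fish(String bait, Permission pond) {
        // local Users only have LocalPermissions
        if (!supports(bait) || !(pond instanceof LocalPermission)) {
            return false;
        }
        User<LocalPermission> user = getUser(bait);
        return user != null && user.contains((LocalPermission) pond);
    }

    // We do not want to expose the actual Group, so make a copy.
    /** Appends copies of the user's permissions to {@code perms}; no-op for null bait, foreign realms or unknown users. */
    public void fishAll(Principal bait, List<Permission> perms) {
        if (bait == null || !supports(bait.getName())) {
            return;
        }
        User<LocalPermission> user = getUser(bait);
        if (user != null) {
            user.copyPermsTo(perms);
        }
    }

    /** Appends copies of the user's permissions to {@code perms}; no-op for foreign realms or unknown users. */
    public void fishAll(String bait, List<Permission> perms) {
        if (!supports(bait)) {
            return;
        }
        User<LocalPermission> user = getUser(bait);
        if (user != null) {
            user.copyPermsTo(perms);
        }
    }

    /** True when {@code userName} is non-null and ends with the configured realm. */
    public boolean supports(String userName) {
        // NOTE(review): plain suffix match — any name whose tail equals the realm string qualifies, not only
        // "user@realm"; confirm this is intended before relying on it to scope this LUR to its realm.
        return userName != null && userName.endsWith(supportedRealm);
    }

    /** True when {@code pond}'s key names a group defined in this LUR's properties. */
    public boolean handlesExclusively(Permission pond) {
        if (pond == null) {
            return false;
        }
        Object key = pond.getKey();
        // TreeSet.contains(null) would throw; a null key simply isn't one of ours
        return key != null && supportingGroups.contains(key);
    }

    /* (non-Javadoc)
     * @see com.att.cadi.Lur#createPerm(java.lang.String)
     */
    @Override
    public Permission createPerm(String p) {
        return new LocalPermission(p);
    }

}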