core/src/main/java/com/att/cadi/taf/basic/BasicHttpTaf.java

   1 /*******************************************************************************\r
   2  * ============LICENSE_START====================================================\r
   3  * * org.onap.aai\r
   4  * * ===========================================================================\r
   5  * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
   6  * * Copyright © 2017 Amdocs\r
   7  * * ===========================================================================\r
   8  * * Licensed under the Apache License, Version 2.0 (the "License");\r
   9  * * you may not use this file except in compliance with the License.\r
  10  * * You may obtain a copy of the License at\r
  11  * * \r
  12  *  *      http://www.apache.org/licenses/LICENSE-2.0\r
  13  * * \r
  14  *  * Unless required by applicable law or agreed to in writing, software\r
  15  * * distributed under the License is distributed on an "AS IS" BASIS,\r
  16  * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
  17  * * See the License for the specific language governing permissions and\r
  18  * * limitations under the License.\r
  19  * * ============LICENSE_END====================================================\r
  20  * *\r
  21  * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
  22  * *\r
  23  ******************************************************************************/\r
  24 package com.att.cadi.taf.basic;\r
  25 \r
  26 import java.io.IOException;\r
  27 import java.security.Principal;\r
  28 \r
  29 import javax.servlet.http.HttpServletRequest;\r
  30 import javax.servlet.http.HttpServletResponse;\r
  31 \r
  32 import com.att.cadi.Access;\r
  33 import com.att.cadi.Access.Level;\r
  34 import com.att.cadi.BasicCred;\r
  35 import com.att.cadi.CachedPrincipal;\r
  36 import com.att.cadi.CachedPrincipal.Resp;\r
  37 import com.att.cadi.CredVal;\r
  38 import com.att.cadi.CredVal.Type;\r
  39 import com.att.cadi.Taf;\r
  40 import com.att.cadi.principal.BasicPrincipal;\r
  41 import com.att.cadi.principal.CachedBasicPrincipal;\r
  42 import com.att.cadi.taf.HttpTaf;\r
  43 import com.att.cadi.taf.TafResp;\r
  44 import com.att.cadi.taf.TafResp.RESP;\r
  45 import com.att.cadi.taf.dos.DenialOfServiceTaf;\r
  46 \r
  47 /**\r
  48  * BasicHttpTaf\r
  49  * \r
  50  * This TAF implements the "Basic Auth" protocol.  \r
  51  * \r
  52  * WARNING! It is true for any implementation of "Basic Auth" that the password is passed unencrypted.  \r
  53  * This is because the expectation, when designed years ago, was that it would only be used in \r
  54  * conjunction with SSL (https).  It is common, however, for users to ignore this on the assumption that\r
  55  * their internal network is secure, or just ignorance.  Therefore, a WARNING will be printed\r
  56  * when the HTTP Channel is not encrypted (unless explicitly turned off).\r
  57  * \r
  58  *\r
  59  */\r
  60 public class BasicHttpTaf implements HttpTaf {\r
  61         private Access access;\r
  62         private String realm;\r
  63         private CredVal rbac;\r
  64         private boolean warn;\r
  65         private long timeToLive;\r
  66         \r
  67         public BasicHttpTaf(Access access, CredVal rbac, String realm, long timeToLive, boolean turnOnWarning) {\r
  68                 this.access = access;\r
  69                 this.realm = realm;\r
  70                 this.rbac = rbac;\r
  71                 this.warn = turnOnWarning;\r
  72                 this.timeToLive = timeToLive;\r
  73         }\r
  74 \r
  75         /**\r
  76          * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.  \r
  77          * @see Taf\r
  78          */\r
  79         public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {\r
  80                 // See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately\r
  81                 if(req instanceof BasicCred) {\r
  82                         BasicCred bc = (BasicCred)req;\r
  83                         if(bc.getUser()!=null) { // CadiWrap, if set, makes sure User & Password are both valid, or both null\r
  84                                 if(DenialOfServiceTaf.isDeniedID(bc.getUser())!=null) {\r
  85                                         return DenialOfServiceTaf.respDenyID(access,bc.getUser());\r
  86                                 }\r
  87                                 CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);\r
  88                                 // ONLY FOR Last Ditch DEBUGGING... \r
  89                                 // access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));\r
  90                                 if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred())) {\r
  91                                         return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);\r
  92                                 } else {\r
  93                                         //TODO may need timed retries in a given time period\r
  94                                         return new BasicHttpTafResp(access,null,buildMsg(bp,req,"User/Pass combo invalid for ",bc.getUser()), \r
  95                                                         RESP.TRY_AUTHENTICATING,resp,realm,true);\r
  96                                 }\r
  97                         }\r
  98                 }\r
  99                 // Get User/Password from Authorization Header value\r
 100                 String authz = req.getHeader("Authorization");\r
 101                 if(authz != null && authz.startsWith("Basic ")) {\r
 102                         if(warn&&!req.isSecure()) {\r
 103                                 access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");\r
 104                         }\r
 105                         try {\r
 106                                 CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive);\r
 107                                 if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {\r
 108                                         return DenialOfServiceTaf.respDenyID(access,ba.getName());\r
 109                                 }\r
 110 \r
 111                                 // ONLY FOR Last Ditch DEBUGGING... \r
 112                                 // access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));\r
 113                                 if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())) {\r
 114                                         return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);\r
 115                                 } else {\r
 116                                         //TODO may need timed retries in a given time period\r
 117                                         return new BasicHttpTafResp(access,null,buildMsg(ba,req,"User/Pass combo invalid"), \r
 118                                                         RESP.TRY_AUTHENTICATING,resp,realm,true);\r
 119                                 }\r
 120                         } catch (IOException e) {\r
 121                                 String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')');\r
 122                                 access.log(Level.INFO,msg);\r
 123                                 return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true);\r
 124                         }\r
 125                 }\r
 126                 return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false);\r
 127         }\r
 128         \r
 129         protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {\r
 130                 StringBuilder sb = new StringBuilder();\r
 131                 for(Object s : msg) {\r
 132                         sb.append(s.toString());\r
 133                 }\r
 134                 if(pr!=null) {\r
 135                         sb.append(" for ");\r
 136                         sb.append(pr.getName());\r
 137                 }\r
 138                 sb.append(" from ");\r
 139                 sb.append(req.getRemoteAddr());\r
 140                 sb.append(':');\r
 141                 sb.append(req.getRemotePort());\r
 142                 return sb.toString();\r
 143         }\r
 144 \r
 145         @Override\r
 146         public Resp revalidate(CachedPrincipal prin) {\r
 147                 if(prin instanceof BasicPrincipal) {\r
 148                         BasicPrincipal ba = (BasicPrincipal)prin;\r
 149                         if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {\r
 150                                 return Resp.UNVALIDATED;\r
 151                         }\r
 152                         return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())?Resp.REVALIDATED:Resp.UNVALIDATED;\r
 153                 }\r
 154                 return Resp.NOT_MINE;\r
 155         }\r
 156         \r
 157         public String toString() {\r
 158                 return "Basic Auth enabled on realm: " + realm;\r
 159         }\r
 160 }\r