1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package org.onap.aaf.cadi.filter;
\r
25 import java.io.IOException;
\r
26 import java.util.ArrayList;
\r
27 import java.util.List;
\r
29 import javax.servlet.http.HttpServletRequest;
\r
30 import javax.servlet.http.HttpServletResponse;
\r
32 import org.onap.aaf.cadi.Access;
\r
33 import org.onap.aaf.cadi.CadiException;
\r
34 import org.onap.aaf.cadi.CadiWrap;
\r
35 import org.onap.aaf.cadi.Connector;
\r
36 import org.onap.aaf.cadi.CredVal;
\r
37 import org.onap.aaf.cadi.Lur;
\r
38 import org.onap.aaf.cadi.Taf;
\r
39 import org.onap.aaf.cadi.TrustChecker;
\r
40 import org.onap.aaf.cadi.Access.Level;
\r
41 import org.onap.aaf.cadi.config.Config;
\r
42 import org.onap.aaf.cadi.lur.EpiLur;
\r
43 import org.onap.aaf.cadi.taf.HttpTaf;
\r
44 import org.onap.aaf.cadi.taf.TafResp;
\r
45 import org.onap.aaf.cadi.util.UserChainManip;
\r
48 * Encapsulate common HTTP Manipulation Behavior. It will appropriately set
\r
49 * HttpServletResponse for Redirect or Forbidden, as needed.
\r
51 * Further, this is useful because it avoids repeatedly creating Connections where some Filters
\r
52 * are created and destroyed regularly.
\r
57 public class CadiHTTPManip {
\r
58 private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
\r
59 private static final String METH = "OPTIONS";
\r
60 private static final String CADI = "/cadi/";
\r
61 private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
\r
62 private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";
\r
63 private static final String CADI_LOG_SET = "/cadi/log/set/";
\r
64 private Access access;
\r
65 private HttpTaf taf;
\r
68 private String thisPerm,companyPerm,aaf_id;
\r
70 public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems
\r
73 public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
\r
74 synchronized(CADI) {
\r
75 this.access = access;
\r
76 // Get getter = new AccessGetter(access);
\r
77 Config.setDefaultRealm(access);
\r
79 aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_MECHID, null));
\r
81 access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_MECHID,Config.CADI_ALIAS);
\r
83 access.printf(Level.INIT, "%s is set to %s",Config.AAF_MECHID,aaf_id);
\r
85 String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id);
\r
87 thisPerm = ns+ACCESS_CADI_CONTROL;
\r
88 int dot = ns.indexOf('.');
\r
90 int dot2=ns.indexOf('.',dot+1);
\r
94 companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL;
\r
96 companyPerm = "com"+ACCESS_CADI_CONTROL;
\r
99 thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL;
\r
102 if(con!=null) { // try to reutilize connector
\r
103 List<Lur> ll = null;
\r
104 for(Object tl : additionalTafLurs) {
\r
105 if(tl instanceof Lur) {
\r
107 ll = new ArrayList<Lur>();
\r
108 ll.add(con.newLur());
\r
114 lur = con.newLur();
\r
116 lur = new EpiLur((Lur[])ll.toArray());
\r
119 lur = Config.configLur(access, additionalTafLurs);
\r
122 if(lur instanceof EpiLur) {
\r
123 up = ((EpiLur)lur).getUserPassImpl();
\r
124 } else if(lur instanceof CredVal) {
\r
129 taf = Config.configHttpTaf(access, tc, up, lur, additionalTafLurs);
\r
133 public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp) throws IOException {
\r
134 TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp);
\r
135 switch(tresp.isAuthenticated()) {
\r
136 case IS_AUTHENTICATED:
\r
137 access.printf(Level.INFO,"Authenticated: %s from %s:%d"
\r
138 , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
\r
140 case TRY_AUTHENTICATING:
\r
141 switch (tresp.authenticate()) {
\r
142 case IS_AUTHENTICATED:
\r
143 access.printf(Level.INFO,"Authenticated: %s from %s:%d"
\r
144 , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
\r
146 case HTTP_REDIRECT_INVOKED:
\r
147 access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc());
\r
149 case NO_FURTHER_PROCESSING:
\r
150 access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d"
\r
151 , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
\r
152 hresp.sendError(403, tresp.desc()); // Forbidden
\r
156 access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
\r
157 , hreq.getRemoteAddr(), hreq.getRemotePort());
\r
158 hresp.sendError(403, tresp.desc()); // Forbidden
\r
161 case NO_FURTHER_PROCESSING:
\r
162 access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d",
\r
163 tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
\r
164 hresp.sendError(403, "Access Denied"); // FORBIDDEN
\r
167 access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
\r
168 , hreq.getRemoteAddr(), hreq.getRemotePort());
\r
169 hresp.sendError(403, "Access Denied"); // FORBIDDEN
\r
174 public boolean notCadi(CadiWrap req, HttpServletResponse resp) {
\r
176 String pathInfo = req.getPathInfo();
\r
177 if(METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) {
\r
178 if(req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) {
\r
180 if(pathInfo.contains(CADI_CACHE_PRINT)) {
\r
181 resp.getOutputStream().println(lur.toString());
\r
182 resp.setStatus(200);
\r
184 } else if(pathInfo.contains(CADI_CACHE_CLEAR)) {
\r
185 StringBuilder report = new StringBuilder();
\r
186 lur.clear(req.getUserPrincipal(), report);
\r
187 resp.getOutputStream().println(report.toString());
\r
188 resp.setStatus(200);
\r
190 } else if(pathInfo.contains(CADI_LOG_SET)) {
\r
192 int slash = pathInfo.lastIndexOf('/');
\r
193 String level = pathInfo.substring(slash+1);
\r
195 l = Level.valueOf(level);
\r
196 access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'",req.getUser(),l.name());
\r
197 access.setLogLevel(l);
\r
198 } catch (IllegalArgumentException e) {
\r
199 access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level);
\r
203 } catch (IOException e) {
\r
211 public Lur getLur() {
\r
215 public void destroy() {
\r
216 access.log(Level.INFO,"CadiHttpChecker destroyed.");
\r
223 public Access getAccess() {
\r