1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package org.onap.aaf.cadi.lur;
\r
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

import org.onap.aaf.cadi.AbsUserCache;
import org.onap.aaf.cadi.Access;
import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.CredVal;
import org.onap.aaf.cadi.Hash;
import org.onap.aaf.cadi.Permission;
import org.onap.aaf.cadi.StrLur;
import org.onap.aaf.cadi.User;
import org.onap.aaf.cadi.config.Config;
\r
* An in-memory Lur that can be configured locally with User info via properties, similar to the Tomcat-users.xml mechanism.
* Passwords given in the properties are decrypted at construction time and held in memory as plain bytes for the
* life of the object, so both the property source and the process memory must be treated as sensitive; this is
* intended for local / closed deployments rather than as a general credential store.
\r
48 public final class LocalLur extends AbsUserCache<LocalPermission> implements StrLur, CredVal {
\r
// Separator regexes for the user/group property syntax. Each one swallows
// optional whitespace on both sides, so "a ; b" and "a;b" parse the same.
// ';' separates entries, ':' separates a name from its list, ',' separates
// list members and '%' separates a user name from its (encrypted) password.
public static final String SEMI = "\\s*;\\s*";
public static final String COLON = "\\s*:\\s*";
public static final String COMMA = "\\s*,\\s*";
public static final String PERCENT = "\\s*%\\s*";
// Use to quickly determine whether any given group is supported by this LUR
// (every group name seen in either property is recorded here, see handlesExclusively()).
private final Set<String> supportingGroups;
// Realm suffix matched by supports(); taken from Config.BASIC_REALM in the constructor.
// Only the constructor assigns it in the visible code, so it could be final -- confirm
// against the full file before changing.
private String supportedRealm;
\r
/**
* Construct by building the in-memory user and permission structure from the
* configured properties (see the constructor body for the entry syntax).
*
* Reconstruct with "build"
*
* @param access configuration source: supplies BASIC_REALM / AAF_DEFAULT_REALM,
* decrypts the '%'-suffixed passwords and receives the INIT-level log lines
* @param userProperty semicolon-separated "user[%encryptedPass][:group,group]" entries, or null for none
* @param groupProperty semicolon-separated "group:user[%encryptedPass],user" entries, or null for none
*
* @throws IOException propagated from the Access calls (password decryption is the likely source)
*/
\r
public LocalLur(Access access, String userProperty, String groupProperty) throws IOException {
// No expiry: the whole user/permission set lives in memory for the life of the
// process, so a change to the properties needs a restart to take effect.
super(access, 0, 0, Integer.MAX_VALUE); // data doesn't expire
// Realm suffix that supports() uses to route lookups to this LUR. It is read from
// BASIC_REALM, while the user names built below are qualified with AAF_DEFAULT_REALM;
// the two must agree or fish()/validate() will never see a "supported" name.
supportedRealm = access.getProperty(Config.BASIC_REALM, "localized");
supportingGroups = new TreeSet<String>();
if(userProperty!=null) {
// For each User name...
// Entry syntax: "user[%encPass][:group,group]". split(COLON,2) yields a one-element
// array when there is no ':', yet us[1] is dereferenced below without a length check
// -- the listing appears to be missing lines here; confirm a us.length>1 guard
// exists in the full file.
for(String user : userProperty.trim().split(SEMI)) {
String[] us = user.split(COLON,2);
String[] userpass = us[0].split(PERCENT,2);
User<LocalPermission> usr;
if(userpass.length>1) {
// Bare names get the default realm appended so that later lookups by
// fully-qualified name (getUser) match. In the visible lines this sits inside
// the "has password" branch only; whether the no-password branch also qualifies
// the name cannot be told from this listing.
if(userpass.length>0 && userpass[0].indexOf('@')<0) {
userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
// SECURITY: the configured password is decrypted once here and then held as
// plaintext bytes for the life of the LUR (validate() compares against them).
// getBytes() uses the platform default charset, so whoever presents the password
// to validate() must encode it the same way. The local 'u' used on the next lines
// is not defined in the visible listing (presumably the qualified userpass[0]).
byte[] pass = access.decrypt(userpass[1], true).getBytes();
usr = new User<LocalPermission>(new ConfigPrincipal(u, pass));
// No '%' in the entry: the user is known and may hold permissions, but has no
// credential, so validate() can never succeed for it.
usr = new User<LocalPermission>(new ConfigPrincipal(u, (byte[])null));
// Logs the principal only -- never the password bytes. The addUser() call for
// this branch is not in the visible listing.
access.log(Level.INIT, "Local User:",usr.principal);
// Groups listed after ':' become LocalPermissions of the user and are also
// remembered in supportingGroups for handlesExclusively().
Map<String, Permission> newMap = usr.newMap();
for(String group : us[1].split(COMMA)) {
supportingGroups.add(group);
usr.add(newMap,new LocalPermission(group));
usr.setMap(newMap);
if(groupProperty!=null) {
// For each Group name...
// Entry syntax: "group:user[%encPass],user". As above, gs[1] is used without a
// visible gs.length>1 guard -- confirm against the full file.
for(String group : groupProperty.trim().split(SEMI)) {
String[] gs = group.split(COLON,2);
supportingGroups.add(gs[0]);
// 'p' is the permission each listed member should receive; no visible line adds
// it to a member (the listing appears to be missing lines here) -- verify the
// grant actually happens in the full file.
LocalPermission p = new LocalPermission(gs[0]);
// Add all users (known by comma separators)
for(String grpMem : gs[1].split(COMMA)) {
// look for password, if so, put in passMap
String[] userpass = grpMem.split(PERCENT,2);
if(userpass.length>0 && userpass[0].indexOf('@')<0) {
userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
// Members may already exist from the user property; reuse that entry so a user
// keeps one principal across both properties.
User<LocalPermission> usr = getUser(userpass[0]);
if(userpass.length>1) {
// Same plaintext-in-memory caveat as above.
byte[] pass = access.decrypt(userpass[1], true).getBytes();
if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],pass)));
// SECURITY: a '%password' on a group member silently REPLACES whatever credential
// the same user got from the user property (last writer wins). Keep a password
// in exactly one place per user to avoid surprises.
else usr.principal=new ConfigPrincipal(userpass[0],pass);
// Member without a password: created credential-less only if not already known;
// an existing entry (and its password) is left untouched.
if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],(byte[])null)));
access.log(Level.INIT, "Local User:",usr.principal);
\r
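/**
 * Checks a presented credential against the password configured for a local user.
 * <p>
 * Only users loaded by the constructor are known. The stored credential is the
 * decrypted password bytes, or null when the entry carried no '%password' part,
 * so a user without a configured password can never validate.
 *
 * @param user fully-qualified user name (e.g. "id@realm") as stored by the constructor
 * @param type credential type; NOT consulted here -- every type is compared against
 *             the stored password bytes. Callers that must restrict this to password
 *             credentials have to check {@code type} themselves.
 * @param cred the presented credential bytes; null never validates
 * @return true only when the user exists locally, has a configured credential and the
 *         bytes match exactly
 */
public boolean validate(String user, CredVal.Type type, byte[] cred) {
    // covers null as well as bad pass
    if (cred == null) {
        return false;
    }
    User<LocalPermission> usr = getUser(user);
    // Unknown user, or a principal that is not ours (the constructor only creates
    // ConfigPrincipals, but getUser is inherited, so stay defensive).
    if (usr == null || !(usr.principal instanceof ConfigPrincipal)) {
        return false;
    }
    byte[] stored = ((ConfigPrincipal) usr.principal).getCred();
    if (stored == null) {
        // entry was configured without a password
        return false;
    }
    // Constant-time comparison so response timing does not reveal how many leading
    // bytes of the presented password were correct (only the length can leak).
    return MessageDigest.isEqual(cred, stored);
}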
\r
/**
 * Asks whether the given principal holds a permission in this local store.
 * Names outside the supported realm and permissions that are not LocalPermissions
 * are answered "no" without touching the cache; an unknown user also yields false.
 *
 * @param bait the principal to look up by name
 * @param pond the permission being asked about
 * @return true only when the user is known locally and holds {@code pond}
 */
public boolean fish(Principal bait, Permission pond) {
    // local Users only have LocalPermissions
    boolean candidate = supports(bait.getName()) && pond instanceof LocalPermission;
    if (!candidate) {
        return false;
    }
    User<LocalPermission> user = getUser(bait);
    return user != null && user.contains((LocalPermission) pond);
}
\r
/**
 * String-keyed variant of {@link #fish(Principal, Permission)}: answers whether the
 * named user holds the permission. Names outside the supported realm, non-local
 * permissions and unknown users all yield false.
 *
 * @param bait the fully-qualified user name
 * @param pond the permission being asked about
 * @return true only when the user is known locally and holds {@code pond}
 */
public boolean fish(String bait, Permission pond) {
    // local Users only have LocalPermissions
    boolean candidate = supports(bait) && pond instanceof LocalPermission;
    if (!candidate) {
        return false;
    }
    User<LocalPermission> user = getUser(bait);
    return user != null && user.contains((LocalPermission) pond);
}
\r
166 // We do not want to expose the actual Group, so make a copy.
\r
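/**
 * Appends every local permission held by the principal to {@code perms}.
 * The permissions are copied rather than exposed, so callers cannot alter the
 * LUR's state through the list. Names outside the supported realm and users not
 * loaded by the constructor contribute nothing.
 *
 * @param bait  the principal whose permissions are wanted
 * @param perms output list the permissions are copied into
 */
public void fishAll(Principal bait, List<Permission> perms) {
    if (!supports(bait.getName())) {
        return;
    }
    User<LocalPermission> user = getUser(bait);
    // getUser returns null for names that were never loaded (fish() relies on the
    // same fact); without this guard an unknown user would throw instead of
    // simply yielding no permissions.
    if (user != null) {
        user.copyPermsTo(perms);
    }
}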
\r
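/**
 * String-keyed variant of {@link #fishAll(Principal, List)}: appends every local
 * permission held by the named user to {@code perms}, copying rather than exposing
 * the internal set. Names outside the supported realm and users not loaded by the
 * constructor contribute nothing.
 *
 * @param bait  the fully-qualified user name
 * @param perms output list the permissions are copied into
 */
public void fishAll(String bait, List<Permission> perms) {
    if (!supports(bait)) {
        return;
    }
    User<LocalPermission> user = getUser(bait);
    // getUser returns null for unknown names (see fish()); guard so an unknown user
    // yields no permissions instead of a NullPointerException.
    if (user != null) {
        user.copyPermsTo(perms);
    }
}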
\r
/**
 * Tells whether a user name belongs to the realm this LUR serves.
 * <p>
 * This is a plain suffix match on the configured realm string with no '@'
 * delimiter check: with realm "localized", "bob@notlocalized" is also reported as
 * supported. That only routes the lookup to this LUR -- fish() and validate() still
 * require the user to exist in the local map -- but a realm-based trust decision
 * elsewhere must not rely on this method alone.
 *
 * @param userName the (normally "id@realm") user name; null is never supported
 * @return true when the name ends with the configured realm
 */
public boolean supports(String userName) {
    if (userName == null) {
        return false;
    }
    return userName.endsWith(supportedRealm);
}
\r
/**
 * Reports whether the permission's key names a group that was declared in this
 * LUR's properties (either as a user's group or as a group entry), i.e. whether
 * this LUR is the authority for it.
 *
 * @param pond the permission whose key is checked; must not be null
 * @return true when the key is one of the locally configured groups
 */
public boolean handlesExclusively(Permission pond) {
    String key = pond.getKey();
    return supportingGroups.contains(key);
}
\r
* @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String)
\r
/**
 * Builds the permission object this LUR understands for a raw permission string.
 * No validation is performed; the string is taken as-is as the permission key.
 *
 * @param p the permission string
 * @return a new LocalPermission wrapping {@code p}
 */
public Permission createPerm(String p) {
    LocalPermission local = new LocalPermission(p);
    return local;
}
\r