1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package org.onap.aaf.cadi.taf.localhost;
\r
25 import java.net.InetAddress;
\r
26 import java.net.NetworkInterface;
\r
27 import java.net.SocketException;
\r
28 import java.net.UnknownHostException;
\r
29 import java.util.Enumeration;
\r
30 import java.util.TreeSet;
\r
32 import javax.servlet.http.HttpServletRequest;
\r
33 import javax.servlet.http.HttpServletResponse;
\r
35 import org.onap.aaf.cadi.Access;
\r
36 import org.onap.aaf.cadi.CachedPrincipal;
\r
37 import org.onap.aaf.cadi.Taf;
\r
38 import org.onap.aaf.cadi.Access.Level;
\r
39 import org.onap.aaf.cadi.CachedPrincipal.Resp;
\r
40 import org.onap.aaf.cadi.taf.HttpTaf;
\r
41 import org.onap.aaf.cadi.taf.TafResp;
\r
42 import org.onap.aaf.cadi.taf.TafResp.RESP;
\r
45 * Implement the ability to utilize LocalHost as a TAF.
\r
47 * Configure with two properties,
\r
51 * 1) If localhost.deny==true, then no localhost requests are allowed
\r
52 * 2) If localhost.deny==false, but accept==false, return "Try Another TAF" (i.e. allow further checking of the
\r
53 * chain, but don't treat localhost as an acceptable credential)
\r
54 * 3) If localhost.deny=false and accept=true, then processes running on the same machine (which already need a login
\r
55 * in order to run) are treated as validated. This is primarily for developer purposes.
\r
60 public class LocalhostTaf implements HttpTaf {
\r
// Response returned by validate() when the request's peer address is in addrSet.
// Chosen once in the constructor from the deny/accept flags.
private TafResp isLocalHost;
// Response returned by validate() for every other peer address (always "try another TAF").
private TafResp isNotLocalHost;
// Class-wide set of getHostAddress() strings that count as "localhost": every address of
// every local network interface (filled in the static initializer) plus the address of the
// configured "hostname" property (added by the constructor). Shared by all instances and by
// the static isLocalAddress() helper.
private static final TreeSet<String> addrSet;
\r
// Static initializer: its opening "static {" and "try {" lines, the loop-closing braces and
// the catch body are not shown in this listing.
// Fills addrSet with the getHostAddress() string of every address on every local network
// interface, so a request peer counts as "localhost" when it arrives from ANY address this
// machine owns (loopback, LAN, public), not only 127.0.0.1 / ::1.
65 addrSet = new TreeSet<String>();
\r
67 for(Enumeration<NetworkInterface> en = NetworkInterface.getNetworkInterfaces();en.hasMoreElements();) {
\r
68 NetworkInterface ni = en.nextElement();
\r
69 for(Enumeration<InetAddress> eia = ni.getInetAddresses();eia.hasMoreElements();) {
\r
70 InetAddress ia = eia.nextElement();
\r
71 addrSet.add(ia.getHostAddress());
\r
// NetworkInterface.getNetworkInterfaces() can throw SocketException. What the handler does
// is not visible here; if it only logs (or swallows), addrSet keeps whatever was collected
// before the failure and later membership checks silently run against that partial set.
74 } catch (SocketException e) {
\r
/**
 * Builds the TAF and decides, once, how a localhost peer will be answered.
 *
 * <p>If the "hostname" property is set, the address it resolves to is added to the
 * class-wide localhost address set, so it affects every instance and the static
 * {@code isLocalAddress(String)} helper, not only this one. A resolution failure is
 * logged and otherwise ignored.
 *
 * @param access   configuration (property lookup) and logging provider
 * @param accept   when {@code true}, a localhost peer is treated as authenticated;
 *                 when {@code false} the chain is asked to try another TAF
 * @param isDenied when {@code true}, localhost peers are refused outright
 *                 (NO_FURTHER_PROCESSING) and {@code accept} is not consulted
 */
public LocalhostTaf(Access access, boolean accept, boolean isDenied) {
    // Optional extra "localhost" identity: the resolved address of the configured hostname.
    // Note this mutates the shared static set, so it is visible to all instances.
    String configuredHost = access.getProperty("hostname",null);
    if(configuredHost != null) {
        try {
            String resolved = InetAddress.getByName(configuredHost).getHostAddress();
            addrSet.add(resolved);
        } catch (UnknownHostException e) {
            access.log(e,"Unknown Host");
        }
    }

    if(isDenied) {
        access.log(Level.INFO,"LocalhostTaf will deny all localhost traffic");
        // Deny wins over accept: a localhost peer stops the TAF chain here.
        isLocalHost = new LocalhostTafResp(access, RESP.NO_FURTHER_PROCESSING,"Localhost is denied");
    } else {
        String mode = accept
            ? "and will treat them as authenticated"
            : "but will require other authentication";
        access.log(Level.INFO,"LocalhostTaf will not deny localhost requests, ", mode);
        // accept=true makes the bare peer address a credential; accept=false only passes
        // the request on to the next TAF. Both use the same description text.
        RESP outcome = accept ? RESP.IS_AUTHENTICATED : RESP.TRY_ANOTHER_TAF;
        isLocalHost = new LocalhostTafResp(access, outcome,"Localhost is allowed");
    }
    isNotLocalHost = new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Address is not Localhost");
}
\r
/**
 * Classifies the request by its TCP peer address alone.
 *
 * <p>{@code req.getRemoteAddr()} is the address of the socket peer, not necessarily of the
 * original client: if a reverse proxy or load balancer on this same machine forwards the
 * request, the peer is one of this host's own addresses and the request is classified as
 * localhost — with {@code accept=true} it is then treated as authenticated.
 * NOTE(review): confirm no such local proxy fronts this TAF in deployment, or that
 * deny/accept are configured accordingly. The {@code reading} argument is not consulted.
 *
 * @param reading not used
 * @param req     source of the peer address
 * @param resp    not used
 * @return the pre-built localhost response when the peer address is in the local address
 *         set, otherwise the "Address is not Localhost" / try-another-TAF response
 */
@Override
public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
    String peer = req.getRemoteAddr();
    if(addrSet.contains(peer)) {
        return isLocalHost;
    }
    return isNotLocalHost;
}
\r
/**
 * Reports whether {@code address} (a getHostAddress()-style string) is one of this
 * machine's own addresses as collected at class load, plus any configured "hostname".
 * Used by other TAFs (e.g. CSP, which cannot work on a localhost address).
 *
 * @param address the address string to look up; must be non-null, since the backing
 *                TreeSet rejects null lookups
 * @return {@code true} when the address is in the local address set
 */
public static boolean isLocalAddress(String address) {
    boolean local = addrSet.contains(address);
    return local;
}
\r
/**
 * Describes the configured localhost behaviour (the description of the response a
 * localhost peer receives), e.g. for startup logging.
 */
@Override
public String toString() {
    StringBuilder text = new StringBuilder("Localhost TAF activated: ");
    text.append(isLocalHost.desc());
    return text.toString();
}
\r
/**
 * Cache revalidation hook. Localhost principals are not expected to be cached, so this
 * should not normally be reached; if it is, the principal is always reported as still
 * valid — the peer address is not re-checked here.
 *
 * @param prin the cached principal (not inspected)
 * @return always {@code Resp.REVALIDATED}
 */
@Override
public Resp revalidate(CachedPrincipal prin) {
    Resp alwaysValid = Resp.REVALIDATED;
    return alwaysValid;
}
\r