+++ /dev/null
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- * * http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- * * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi.aaf.v2_0;\r
-\r
-import java.io.IOException;\r
-\r
-import org.onap.aaf.cadi.AbsUserCache;\r
-import org.onap.aaf.cadi.CachedPrincipal;\r
-import org.onap.aaf.cadi.CadiException;\r
-import org.onap.aaf.cadi.GetCred;\r
-import org.onap.aaf.cadi.Hash;\r
-import org.onap.aaf.cadi.User;\r
-import org.onap.aaf.cadi.aaf.AAFPermission;\r
-import org.onap.aaf.cadi.client.Future;\r
-import org.onap.aaf.cadi.client.Rcli;\r
-import org.onap.aaf.cadi.config.Config;\r
-import org.onap.aaf.cadi.lur.ConfigPrincipal;\r
-\r
-import com.att.aft.dme2.api.DME2Exception;\r
-import org.onap.aaf.inno.env.APIException;\r
-\r
-public class AAFAuthn<CLIENT> extends AbsUserCache<AAFPermission> {\r
- private AAFCon<CLIENT> con;\r
- private String realm;\r
- \r
- /**\r
- * Configure with Standard AAF properties, Stand alone\r
- * @param con\r
- * @throws Exception \r
- */\r
- // Package on purpose\r
- AAFAuthn(AAFCon<CLIENT> con) throws Exception {\r
- super(con.access,con.cleanInterval,con.highCount,con.usageRefreshTriggerCount);\r
- this.con = con;\r
-\r
- try {\r
- setRealm();\r
- } catch (APIException e) {\r
- if(e.getCause() instanceof DME2Exception) {\r
- // Can't contact AAF, assume default\r
- realm=con.access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm());\r
- }\r
- }\r
- }\r
-\r
- /**\r
- * Configure with Standard AAF properties, but share the Cache (with AAF Lur)\r
- * @param con\r
- * @throws Exception \r
- */\r
- // Package on purpose\r
- AAFAuthn(AAFCon<CLIENT> con, AbsUserCache<AAFPermission> cache) throws Exception {\r
- super(cache);\r
- this.con = con;\r
- try {\r
- setRealm();\r
- } catch (Exception e) {\r
- if(e.getCause() instanceof DME2Exception) {\r
- access.log(e);\r
- // Can't contact AAF, assume default \r
- realm=con.access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm());\r
- }\r
- }\r
- }\r
-\r
- private void setRealm() throws Exception {\r
- // Make a call without security set to get the 401 response, which\r
- // includes the Realm of the server\r
- // This also checks on Connectivity early on.\r
- Future<String> fp = con.client(AAFCon.AAF_LATEST_VERSION).read("/authn/basicAuth", "text/plain");\r
- if(fp.get(con.timeout)) {\r
- throw new Exception("Do not preset Basic Auth Information for AAFAuthn");\r
- } else {\r
- if(fp.code()==401) {\r
- realm = fp.header("WWW-Authenticate");\r
- if(realm!=null && realm.startsWith("Basic realm=\"")) {\r
- realm = realm.substring(13, realm.length()-1);\r
- } else {\r
- realm = "unknown.com";\r
- }\r
- }\r
- }\r
- }\r
- \r
- /**\r
- * Return Native Realm of AAF Instance.\r
- * \r
- * @return\r
- */\r
- public String getRealm() {\r
- return realm;\r
- }\r
-\r
- /**\r
- * Returns null if ok, or an Error String;\r
- * \r
- * @param user\r
- * @param password\r
- * @return\r
- * @throws IOException \r
- * @throws CadiException \r
- * @throws Exception\r
- */\r
- public String validate(String user, String password) throws IOException, CadiException {\r
- User<AAFPermission> usr = getUser(user);\r
- if(password.startsWith("enc:???")) {\r
- password = access.decrypt(password, true);\r
- }\r
-\r
- byte[] bytes = password.getBytes();\r
- if(usr != null && usr.principal != null && usr.principal.getName().equals(user) \r
- && usr.principal instanceof GetCred) {\r
- \r
- if(Hash.isEqual(((GetCred)usr.principal).getCred(),bytes)) {\r
- return null;\r
- } else {\r
- remove(usr);\r
- usr = null;\r
- }\r
- }\r
- \r
- AAFCachedPrincipal cp = new AAFCachedPrincipal(this,con.app, user, bytes, con.cleanInterval);\r
- // Since I've relocated the Validation piece in the Principal, just revalidate, then do Switch\r
- // Statement\r
- switch(cp.revalidate()) {\r
- case REVALIDATED:\r
- if(usr!=null) {\r
- usr.principal = cp;\r
- } else {\r
- addUser(new User<AAFPermission>(cp,con.timeout));\r
- }\r
- return null;\r
- case INACCESSIBLE:\r
- return "AAF Inaccessible";\r
- case UNVALIDATED:\r
- return "User/Pass combo invalid for " + user;\r
- case DENIED:\r
- return "AAF denies API for " + user;\r
- default: \r
- return "AAFAuthn doesn't handle Principal " + user;\r
- }\r
- }\r
- \r
- private class AAFCachedPrincipal extends ConfigPrincipal implements CachedPrincipal {\r
- private long expires,timeToLive;\r
-\r
- public AAFCachedPrincipal(AAFAuthn<?> aaf, String app, String name, byte[] pass, int timeToLive) {\r
- super(name,pass);\r
- this.timeToLive = timeToLive;\r
- expires = timeToLive + System.currentTimeMillis();\r
- }\r
-\r
- public Resp revalidate() {\r
- if(con.isDisabled()) {\r
- return Resp.DENIED;\r
- }\r
- try {\r
- Miss missed = missed(getName());\r
- if(missed==null || missed.mayContinue(getCred())) {\r
- Rcli<CLIENT> client = con.client(AAFCon.AAF_LATEST_VERSION).forUser(con.basicAuth(getName(), new String(getCred())));\r
- Future<String> fp = client.read(\r
- "/authn/basicAuth",\r
- "text/plain"\r
- );\r
- if(fp.get(con.timeout)) {\r
- expires = System.currentTimeMillis() + timeToLive;\r
- addUser(new User<AAFPermission>(this, expires));\r
- return Resp.REVALIDATED;\r
- } else {\r
- addMiss(getName(), getCred());\r
- return Resp.UNVALIDATED;\r
- }\r
- } else {\r
- return Resp.UNVALIDATED;\r
- }\r
- } catch (Exception e) {\r
- con.access.log(e);\r
- return Resp.INACCESSIBLE;\r
- }\r
- }\r
-\r
- public long expires() {\r
- return expires;\r
- }\r
- };\r
-\r
-}\r