AT&T 2.0.19 Code drop, stage 5
diff --git a/authz-gw/src/main/java/org/onap/aaf/authz/gw/api/API_AAFAccess.java b/authz-gw/src/main/java/org/onap/aaf/authz/gw/api/API_AAFAccess.java
deleted file mode 100644 (file)
index 202ec58..0000000
+++ /dev/null
@@ -1,363 +0,0 @@
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- *  *      http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- *  * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.authz.gw.api;\r
-\r
-import java.io.IOException;\r
-import java.net.ConnectException;\r
-import java.net.MalformedURLException;\r
-import java.net.URI;\r
-import java.security.Principal;\r
-\r
-import javax.servlet.ServletOutputStream;\r
-import javax.servlet.http.HttpServletRequest;\r
-import javax.servlet.http.HttpServletResponse;\r
-\r
-import org.onap.aaf.authz.env.AuthzTrans;\r
-import org.onap.aaf.authz.gw.GwAPI;\r
-import org.onap.aaf.authz.gw.GwCode;\r
-import org.onap.aaf.authz.gw.facade.GwFacade;\r
-import org.onap.aaf.authz.gw.mapper.Mapper.API;\r
-import org.onap.aaf.authz.layer.Result;\r
-import org.onap.aaf.cache.Cache.Dated;\r
-import org.onap.aaf.cssa.rserv.HttpMethods;\r
-\r
-import com.att.aft.dme2.internal.jetty.http.HttpStatus;\r
-import org.onap.aaf.cadi.CadiException;\r
-import org.onap.aaf.cadi.Locator;\r
-import org.onap.aaf.cadi.Locator.Item;\r
-import org.onap.aaf.cadi.LocatorException;\r
-import org.onap.aaf.cadi.aaf.AAFPermission;\r
-import org.onap.aaf.cadi.client.Future;\r
-import org.onap.aaf.cadi.client.Rcli;\r
-import org.onap.aaf.cadi.client.Retryable;\r
-import org.onap.aaf.cadi.dme2.DME2Locator;\r
-import org.onap.aaf.cadi.principal.BasicPrincipal;\r
-import org.onap.aaf.inno.env.APIException;\r
-import org.onap.aaf.inno.env.Env;\r
-import org.onap.aaf.inno.env.TimeTaken;\r
-\r
-public class API_AAFAccess {\r
-       private static final String AUTHZ_DME2_GUI = "com.att.authz.authz-gui";\r
-       static final String AFT_ENVIRONMENT="AFT_ENVIRONMENT";\r
-       static final String AFT_ENV_CONTEXT="AFT_ENV_CONTEXT";\r
-       static final String AFTUAT="AFTUAT";\r
-       \r
-       private static final String PROD = "PROD";\r
-       private static final String IST = "IST"; // main NONPROD system\r
-       private static final String PERF = "PERF";\r
-       private static final String TEST = "TEST";\r
-       private static final String DEV = "DEV";\r
-       \r
-//     private static String service, version, envContext; \r
-       private static String routeOffer;\r
-\r
-       private static final String GET_PERMS_BY_USER = "Get Perms by User";\r
-       private static final String USER_HAS_PERM ="User Has Perm";\r
-//     private static final String USER_IN_ROLE ="User Has Role";\r
-       private static final String BASIC_AUTH ="AAF Basic Auth";\r
-       \r
-       /**\r
-        * Normal Init level APIs\r
-        * \r
-        * @param gwAPI\r
-        * @param facade\r
-        * @throws Exception\r
-        */\r
-       public static void init(final GwAPI gwAPI, GwFacade facade) throws Exception {\r
-               String aftenv = gwAPI.env.getProperty(AFT_ENVIRONMENT);\r
-               if(aftenv==null) throw new Exception(AFT_ENVIRONMENT + " must be set");\r
-               \r
-               int equals, count=0;\r
-               for(int slash = gwAPI.aafurl.indexOf('/');slash>0;++count) {\r
-                       equals = gwAPI.aafurl.indexOf('=',slash)+1;\r
-                       slash = gwAPI.aafurl.indexOf('/',slash+1);\r
-                       switch(count) {\r
-                               case 2:\r
-//                                     service = gwAPI.aafurl.substring(equals, slash);\r
-                                       break;\r
-                               case 3:\r
-//                                     version = gwAPI.aafurl.substring(equals, slash);\r
-                                       break;\r
-                               case 4:\r
-//                                     envContext = gwAPI.aafurl.substring(equals, slash);\r
-                                       break;\r
-                               case 5:\r
-                                       routeOffer = gwAPI.aafurl.substring(equals);\r
-                                       break;\r
-                       }\r
-               }\r
-               if(count<6) throw new MalformedURLException(gwAPI.aafurl);\r
-               \r
-               gwAPI.route(HttpMethods.GET,"/authz/perms/user/:user",API.VOID,new GwCode(facade,GET_PERMS_BY_USER, true) {\r
-                       @Override\r
-                       public void handle(final AuthzTrans trans, final HttpServletRequest req, final HttpServletResponse resp) throws Exception {\r
-                               TimeTaken tt = trans.start(GET_PERMS_BY_USER, Env.SUB);\r
-                               try {\r
-                                       final String accept = req.getHeader("ACCEPT");\r
-                                       final String user = pathParam(req,":user");\r
-                                       if(!user.contains("@")) {\r
-                                               context.error(trans,resp,Result.ERR_BadData,"User [%s] must be fully qualified with domain",user);\r
-                                               return;\r
-                                       }\r
-                                       String key = trans.user() + user + (accept!=null&&accept.contains("xml")?"-xml":"-json");\r
-                                       TimeTaken tt2 = trans.start("Cache Lookup",Env.SUB);\r
-                                       Dated d;\r
-                                       try {\r
-                                               d = gwAPI.cacheUser.get(key);\r
-                                       } finally {\r
-                                               tt2.done();\r
-                                       }\r
-                                       \r
-                                       if(d==null || d.data.isEmpty()) {\r
-                                               tt2 = trans.start("AAF Service Call",Env.REMOTE);\r
-                                               try {\r
-                                                       gwAPI.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {\r
-                                                               @Override\r
-                                                               public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {\r
-                                                                       Future<String> fp = client.read("/authz/perms/user/"+user,accept);\r
-                                                                       if(fp.get(5000)) {\r
-                                                                               gwAPI.cacheUser.put(key, new Dated(new User(fp.code(),fp.body())));\r
-                                                                               resp.setStatus(HttpStatus.OK_200);\r
-                                                                               ServletOutputStream sos;\r
-                                                                               try {\r
-                                                                                       sos = resp.getOutputStream();\r
-                                                                                       sos.print(fp.value);\r
-                                                                               } catch (IOException e) {\r
-                                                                                       throw new CadiException(e);\r
-                                                                               }\r
-                                                                       } else {\r
-                                                                               gwAPI.cacheUser.put(key, new Dated(new User(fp.code(),fp.body())));\r
-                                                                               context.error(trans,resp,fp.code(),fp.body());\r
-                                                                       }\r
-                                                                       return null;\r
-                                                               }\r
-                                                       });\r
-                                               } finally {\r
-                                                       tt2.done();\r
-                                               }\r
-                                       } else {\r
-                                               User u = (User)d.data.get(0);\r
-                                               resp.setStatus(u.code);\r
-                                               ServletOutputStream sos = resp.getOutputStream();\r
-                                               sos.print(u.resp);\r
-                                       }\r
-                               } finally {\r
-                                       tt.done();\r
-                               }\r
-                       }\r
-               });\r
-\r
-               gwAPI.route(gwAPI.env,HttpMethods.GET,"/authn/basicAuth",new GwCode(facade,BASIC_AUTH, true) {\r
-                       @Override\r
-                       public void handle(final AuthzTrans trans, final HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                               Principal p = trans.getUserPrincipal();\r
-                               if(p == null) {\r
-                                       trans.error().log("Transaction not Authenticated... no Principal");\r
-                                       resp.setStatus(HttpStatus.FORBIDDEN_403);\r
-                               } else if (p instanceof BasicPrincipal) {\r
-                                       // the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok\r
-                                       // otherwise, it wouldn't have gotten here.\r
-                                       resp.setStatus(HttpStatus.OK_200);\r
-                               } else {\r
-                                       trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");\r
-                                       // For Auth Security questions, we don't give any info to client on why failed\r
-                                       resp.setStatus(HttpStatus.FORBIDDEN_403);\r
-                               }\r
-                       }\r
-               },"text/plain","*/*","*");\r
-\r
-               /**\r
-                * Query User Has Perm\r
-                */\r
-               gwAPI.route(HttpMethods.GET,"/ask/:user/has/:type/:instance/:action",API.VOID,new GwCode(facade,USER_HAS_PERM, true) {\r
-                       @Override\r
-                       public void handle(final AuthzTrans trans, final HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                               try {\r
-                                       resp.getOutputStream().print(\r
-                                                       gwAPI.aafLurPerm.fish(pathParam(req,":user"), new AAFPermission(\r
-                                                               pathParam(req,":type"),\r
-                                                               pathParam(req,":instance"),\r
-                                                               pathParam(req,":action"))));\r
-                                       resp.setStatus(HttpStatus.OK_200);\r
-                               } catch(Exception e) {\r
-                                       context.error(trans, resp, Result.ERR_General, e.getMessage());\r
-                               }\r
-                       }\r
-               });\r
-\r
-               if(AFTUAT.equals(aftenv)) {\r
-                       gwAPI.route(HttpMethods.GET,"/ist/aaf/:version/:path*",API.VOID ,new GwCode(facade,"Access UAT GUI for AAF", true) {\r
-                               @Override\r
-                               public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                                       try{\r
-                                               redirect(trans, req, resp, context, \r
-                                                               new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, pathParam(req,":version"), IST, routeOffer), \r
-                                                               pathParam(req,":path"));\r
-                                       } catch (LocatorException e) {\r
-                                               context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
-                                       } catch (Exception e) {\r
-                                               context.error(trans, resp, Result.ERR_General, e.getMessage());\r
-                                       }\r
-                               }\r
-                       });\r
-\r
-                       gwAPI.route(HttpMethods.GET,"/test/aaf/:version/:path*",API.VOID ,new GwCode(facade,"Access TEST GUI for AAF", true) {\r
-                               @Override\r
-                               public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                                       try{\r
-                                               redirect(trans, req, resp, context, \r
-                                                               new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, pathParam(req,":version"), TEST, routeOffer), \r
-                                                               pathParam(req,":path"));\r
-                                       } catch (LocatorException e) {\r
-                                               context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
-                                       } catch (Exception e) {\r
-                                               context.error(trans, resp, Result.ERR_General, e.getMessage());\r
-                                       }\r
-                               }\r
-                       });\r
-\r
-                       gwAPI.route(HttpMethods.GET,"/perf/aaf/:version/:path*",API.VOID ,new GwCode(facade,"Access PERF GUI for AAF", true) {\r
-                               @Override\r
-                               public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                                       try{\r
-                                               redirect(trans, req, resp, context, \r
-                                                               new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, pathParam(req,":version"), PERF, routeOffer), \r
-                                                               pathParam(req,":path"));\r
-                                       } catch (LocatorException e) {\r
-                                               context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
-                                       } catch (Exception e) {\r
-                                               context.error(trans, resp, Result.ERR_General, e.getMessage());\r
-                                       }\r
-                               }\r
-                       });\r
-\r
-                       gwAPI.route(HttpMethods.GET,"/dev/aaf/:version/:path*",API.VOID,new GwCode(facade,"Access DEV GUI for AAF", true) {\r
-                               @Override\r
-                               public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                                       try {\r
-                                               redirect(trans, req, resp, context, \r
-                                                               new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, pathParam(req,":version"), DEV, routeOffer), \r
-                                                               pathParam(req,":path"));\r
-                                       } catch (LocatorException e) {\r
-                                               context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
-                                       } catch (Exception e) {\r
-                                               context.error(trans, resp, Result.ERR_General, e.getMessage());\r
-                                       }\r
-                               }\r
-                       });\r
-               } else {\r
-                       gwAPI.route(HttpMethods.GET,"/aaf/:version/:path*",API.VOID,new GwCode(facade,"Access PROD GUI for AAF", true) {\r
-                               @Override\r
-                               public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                                       try {\r
-                                               redirect(trans, req, resp, context, \r
-                                                               new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, pathParam(req,":version"), PROD, routeOffer), \r
-                                                               pathParam(req,":path"));\r
-                                       } catch (LocatorException e) {\r
-                                               context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
-                                       } catch (Exception e) {\r
-                                               context.error(trans, resp, Result.ERR_General, e.getMessage());\r
-                                       }\r
-                               }\r
-                       });\r
-               }\r
-               \r
-       }\r
-       \r
-       public static void initDefault(final GwAPI gwAPI, GwFacade facade) throws Exception {\r
-               String aftenv = gwAPI.env.getProperty(AFT_ENVIRONMENT);\r
-               if(aftenv==null) throw new Exception(AFT_ENVIRONMENT + " must be set");\r
-       \r
-               String aftctx = gwAPI.env.getProperty(AFT_ENV_CONTEXT);\r
-               if(aftctx==null) throw new Exception(AFT_ENV_CONTEXT + " must be set");\r
-\r
-               /**\r
-                * "login" url\r
-                */\r
-               gwAPI.route(HttpMethods.GET,"/login",API.VOID,new GwCode(facade,"Access " + aftctx + " GUI for AAF", true) {\r
-                       @Override\r
-                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                               try {\r
-                                       redirect(trans, req, resp, context, \r
-                                                       new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, "2.0", aftctx, routeOffer), \r
-                                                       "login");\r
-                               } catch (LocatorException e) {\r
-                                       context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
-                               } catch (Exception e) {\r
-                                       context.error(trans, resp, Result.ERR_General, e.getMessage());\r
-                               }\r
-                       }\r
-               });\r
-\r
-               /**\r
-                * Default URL\r
-                */\r
-               gwAPI.route(HttpMethods.GET,"/",API.VOID,new GwCode(facade,"Access " + aftctx + " GUI for AAF", true) {\r
-                       @Override\r
-                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                               try {\r
-                                       redirect(trans, req, resp, context, \r
-                                                       new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, "2.0", aftctx, routeOffer), \r
-                                                       "gui/home");\r
-                               } catch (LocatorException e) {\r
-                                       context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
-                               } catch (Exception e) {\r
-                                       context.error(trans, resp, Result.ERR_General, e.getMessage());\r
-                               }\r
-                       }\r
-               });\r
-       }\r
-\r
-       private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, GwFacade context, Locator loc, String path) throws IOException {\r
-               try {\r
-                       if(loc.hasItems()) {\r
-                               Item item = loc.best();\r
-                               URI uri = (URI) loc.get(item);\r
-                               StringBuilder redirectURL = new StringBuilder(uri.toString()); \r
-                               redirectURL.append('/');\r
-                               redirectURL.append(path);\r
-                               String str = req.getQueryString();\r
-                               if(str!=null) {\r
-                                       redirectURL.append('?');\r
-                                       redirectURL.append(str);\r
-                               }\r
-                               trans.info().log("Redirect to",redirectURL);\r
-                               resp.sendRedirect(redirectURL.toString());\r
-                       } else {\r
-                               context.error(trans, resp, Result.err(Result.ERR_NotFound,"%s is not valid",req.getPathInfo()));\r
-                       }\r
-               } catch (LocatorException e) {\r
-                       context.error(trans, resp, Result.err(Result.ERR_NotFound,"No DME2 Endpoints found for %s",req.getPathInfo()));\r
-               }\r
-       }\r
-\r
-       private static class User {\r
-               public final int code;\r
-               public final String resp;\r
-               \r
-               public User(int code, String resp) {\r
-                       this.code = code;\r
-                       this.resp = resp;\r
-               }\r
-       }\r
-}\r