--- /dev/null
+/*******************************************************************************\r
+ * ============LICENSE_START====================================================\r
+ * * org.onap.aaf\r
+ * * ===========================================================================\r
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
+ * * ===========================================================================\r
+ * * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * * you may not use this file except in compliance with the License.\r
+ * * You may obtain a copy of the License at\r
+ * * \r
+ * * http://www.apache.org/licenses/LICENSE-2.0\r
+ * * \r
+ * * Unless required by applicable law or agreed to in writing, software\r
+ * * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * * See the License for the specific language governing permissions and\r
+ * * limitations under the License.\r
+ * * ============LICENSE_END====================================================\r
+ * *\r
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
+ * *\r
+ ******************************************************************************/\r
+package org.onap.aaf.authz.gw.api;\r
+\r
+import java.io.IOException;\r
+import java.net.ConnectException;\r
+import java.net.MalformedURLException;\r
+import java.net.URI;\r
+import java.security.Principal;\r
+\r
+import javax.servlet.ServletOutputStream;\r
+import javax.servlet.http.HttpServletRequest;\r
+import javax.servlet.http.HttpServletResponse;\r
+\r
+import org.onap.aaf.authz.env.AuthzTrans;\r
+import org.onap.aaf.authz.gw.GwAPI;\r
+import org.onap.aaf.authz.gw.GwCode;\r
+import org.onap.aaf.authz.gw.facade.GwFacade;\r
+import org.onap.aaf.authz.gw.mapper.Mapper.API;\r
+import org.onap.aaf.authz.layer.Result;\r
+import org.onap.aaf.cache.Cache.Dated;\r
+import org.onap.aaf.cssa.rserv.HttpMethods;\r
+\r
+import com.att.aft.dme2.internal.jetty.http.HttpStatus;\r
+import org.onap.aaf.cadi.CadiException;\r
+import org.onap.aaf.cadi.Locator;\r
+import org.onap.aaf.cadi.Locator.Item;\r
+import org.onap.aaf.cadi.LocatorException;\r
+import org.onap.aaf.cadi.aaf.AAFPermission;\r
+import org.onap.aaf.cadi.client.Future;\r
+import org.onap.aaf.cadi.client.Rcli;\r
+import org.onap.aaf.cadi.client.Retryable;\r
+import org.onap.aaf.cadi.dme2.DME2Locator;\r
+import org.onap.aaf.cadi.principal.BasicPrincipal;\r
+import org.onap.aaf.inno.env.APIException;\r
+import org.onap.aaf.inno.env.Env;\r
+import org.onap.aaf.inno.env.TimeTaken;\r
+\r
+public class API_AAFAccess {\r
+ private static final String AUTHZ_DME2_GUI = "com.att.authz.authz-gui";\r
+ static final String AFT_ENVIRONMENT="AFT_ENVIRONMENT";\r
+ static final String AFT_ENV_CONTEXT="AFT_ENV_CONTEXT";\r
+ static final String AFTUAT="AFTUAT";\r
+ \r
+ private static final String PROD = "PROD";\r
+ private static final String IST = "IST"; // main NONPROD system\r
+ private static final String PERF = "PERF";\r
+ private static final String TEST = "TEST";\r
+ private static final String DEV = "DEV";\r
+ \r
+// private static String service, version, envContext; \r
+ private static String routeOffer;\r
+\r
+ private static final String GET_PERMS_BY_USER = "Get Perms by User";\r
+ private static final String USER_HAS_PERM ="User Has Perm";\r
+// private static final String USER_IN_ROLE ="User Has Role";\r
+ private static final String BASIC_AUTH ="AAF Basic Auth";\r
+ \r
+ /**\r
+ * Normal Init level APIs\r
+ * \r
+ * @param gwAPI\r
+ * @param facade\r
+ * @throws Exception\r
+ */\r
+ public static void init(final GwAPI gwAPI, GwFacade facade) throws Exception {\r
+ String aftenv = gwAPI.env.getProperty(AFT_ENVIRONMENT);\r
+ if(aftenv==null) throw new Exception(AFT_ENVIRONMENT + " must be set");\r
+ \r
+ int equals, count=0;\r
+ for(int slash = gwAPI.aafurl.indexOf('/');slash>0;++count) {\r
+ equals = gwAPI.aafurl.indexOf('=',slash)+1;\r
+ slash = gwAPI.aafurl.indexOf('/',slash+1);\r
+ switch(count) {\r
+ case 2:\r
+// service = gwAPI.aafurl.substring(equals, slash);\r
+ break;\r
+ case 3:\r
+// version = gwAPI.aafurl.substring(equals, slash);\r
+ break;\r
+ case 4:\r
+// envContext = gwAPI.aafurl.substring(equals, slash);\r
+ break;\r
+ case 5:\r
+ routeOffer = gwAPI.aafurl.substring(equals);\r
+ break;\r
+ }\r
+ }\r
+ if(count<6) throw new MalformedURLException(gwAPI.aafurl);\r
+ \r
+ gwAPI.route(HttpMethods.GET,"/authz/perms/user/:user",API.VOID,new GwCode(facade,GET_PERMS_BY_USER, true) {\r
+ @Override\r
+ public void handle(final AuthzTrans trans, final HttpServletRequest req, final HttpServletResponse resp) throws Exception {\r
+ TimeTaken tt = trans.start(GET_PERMS_BY_USER, Env.SUB);\r
+ try {\r
+ final String accept = req.getHeader("ACCEPT");\r
+ final String user = pathParam(req,":user");\r
+ if(!user.contains("@")) {\r
+ context.error(trans,resp,Result.ERR_BadData,"User [%s] must be fully qualified with domain",user);\r
+ return;\r
+ }\r
+ String key = trans.user() + user + (accept!=null&&accept.contains("xml")?"-xml":"-json");\r
+ TimeTaken tt2 = trans.start("Cache Lookup",Env.SUB);\r
+ Dated d;\r
+ try {\r
+ d = gwAPI.cacheUser.get(key);\r
+ } finally {\r
+ tt2.done();\r
+ }\r
+ \r
+ if(d==null || d.data.isEmpty()) {\r
+ tt2 = trans.start("AAF Service Call",Env.REMOTE);\r
+ try {\r
+ gwAPI.clientAsUser(trans.getUserPrincipal(), new Retryable<Void>() {\r
+ @Override\r
+ public Void code(Rcli<?> client) throws CadiException, ConnectException, APIException {\r
+ Future<String> fp = client.read("/authz/perms/user/"+user,accept);\r
+ if(fp.get(5000)) {\r
+ gwAPI.cacheUser.put(key, new Dated(new User(fp.code(),fp.body())));\r
+ resp.setStatus(HttpStatus.OK_200);\r
+ ServletOutputStream sos;\r
+ try {\r
+ sos = resp.getOutputStream();\r
+ sos.print(fp.value);\r
+ } catch (IOException e) {\r
+ throw new CadiException(e);\r
+ }\r
+ } else {\r
+ gwAPI.cacheUser.put(key, new Dated(new User(fp.code(),fp.body())));\r
+ context.error(trans,resp,fp.code(),fp.body());\r
+ }\r
+ return null;\r
+ }\r
+ });\r
+ } finally {\r
+ tt2.done();\r
+ }\r
+ } else {\r
+ User u = (User)d.data.get(0);\r
+ resp.setStatus(u.code);\r
+ ServletOutputStream sos = resp.getOutputStream();\r
+ sos.print(u.resp);\r
+ }\r
+ } finally {\r
+ tt.done();\r
+ }\r
+ }\r
+ });\r
+\r
+ gwAPI.route(gwAPI.env,HttpMethods.GET,"/authn/basicAuth",new GwCode(facade,BASIC_AUTH, true) {\r
+ @Override\r
+ public void handle(final AuthzTrans trans, final HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+ Principal p = trans.getUserPrincipal();\r
+ if(p == null) {\r
+ trans.error().log("Transaction not Authenticated... no Principal");\r
+ resp.setStatus(HttpStatus.FORBIDDEN_403);\r
+ } else if (p instanceof BasicPrincipal) {\r
+ // the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok\r
+ // otherwise, it wouldn't have gotten here.\r
+ resp.setStatus(HttpStatus.OK_200);\r
+ } else {\r
+ trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");\r
+ // For Auth Security questions, we don't give any info to client on why failed\r
+ resp.setStatus(HttpStatus.FORBIDDEN_403);\r
+ }\r
+ }\r
+ },"text/plain","*/*","*");\r
+\r
+ /**\r
+ * Query User Has Perm\r
+ */\r
+ gwAPI.route(HttpMethods.GET,"/ask/:user/has/:type/:instance/:action",API.VOID,new GwCode(facade,USER_HAS_PERM, true) {\r
+ @Override\r
+ public void handle(final AuthzTrans trans, final HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+ try {\r
+ resp.getOutputStream().print(\r
+ gwAPI.aafLurPerm.fish(pathParam(req,":user"), new AAFPermission(\r
+ pathParam(req,":type"),\r
+ pathParam(req,":instance"),\r
+ pathParam(req,":action"))));\r
+ resp.setStatus(HttpStatus.OK_200);\r
+ } catch(Exception e) {\r
+ context.error(trans, resp, Result.ERR_General, e.getMessage());\r
+ }\r
+ }\r
+ });\r
+\r
+ if(AFTUAT.equals(aftenv)) {\r
+ gwAPI.route(HttpMethods.GET,"/ist/aaf/:version/:path*",API.VOID ,new GwCode(facade,"Access UAT GUI for AAF", true) {\r
+ @Override\r
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+ try{\r
+ redirect(trans, req, resp, context, \r
+ new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, pathParam(req,":version"), IST, routeOffer), \r
+ pathParam(req,":path"));\r
+ } catch (LocatorException e) {\r
+ context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
+ } catch (Exception e) {\r
+ context.error(trans, resp, Result.ERR_General, e.getMessage());\r
+ }\r
+ }\r
+ });\r
+\r
+ gwAPI.route(HttpMethods.GET,"/test/aaf/:version/:path*",API.VOID ,new GwCode(facade,"Access TEST GUI for AAF", true) {\r
+ @Override\r
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+ try{\r
+ redirect(trans, req, resp, context, \r
+ new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, pathParam(req,":version"), TEST, routeOffer), \r
+ pathParam(req,":path"));\r
+ } catch (LocatorException e) {\r
+ context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
+ } catch (Exception e) {\r
+ context.error(trans, resp, Result.ERR_General, e.getMessage());\r
+ }\r
+ }\r
+ });\r
+\r
+ gwAPI.route(HttpMethods.GET,"/perf/aaf/:version/:path*",API.VOID ,new GwCode(facade,"Access PERF GUI for AAF", true) {\r
+ @Override\r
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+ try{\r
+ redirect(trans, req, resp, context, \r
+ new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, pathParam(req,":version"), PERF, routeOffer), \r
+ pathParam(req,":path"));\r
+ } catch (LocatorException e) {\r
+ context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
+ } catch (Exception e) {\r
+ context.error(trans, resp, Result.ERR_General, e.getMessage());\r
+ }\r
+ }\r
+ });\r
+\r
+ gwAPI.route(HttpMethods.GET,"/dev/aaf/:version/:path*",API.VOID,new GwCode(facade,"Access DEV GUI for AAF", true) {\r
+ @Override\r
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+ try {\r
+ redirect(trans, req, resp, context, \r
+ new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, pathParam(req,":version"), DEV, routeOffer), \r
+ pathParam(req,":path"));\r
+ } catch (LocatorException e) {\r
+ context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
+ } catch (Exception e) {\r
+ context.error(trans, resp, Result.ERR_General, e.getMessage());\r
+ }\r
+ }\r
+ });\r
+ } else {\r
+ gwAPI.route(HttpMethods.GET,"/aaf/:version/:path*",API.VOID,new GwCode(facade,"Access PROD GUI for AAF", true) {\r
+ @Override\r
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+ try {\r
+ redirect(trans, req, resp, context, \r
+ new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, pathParam(req,":version"), PROD, routeOffer), \r
+ pathParam(req,":path"));\r
+ } catch (LocatorException e) {\r
+ context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
+ } catch (Exception e) {\r
+ context.error(trans, resp, Result.ERR_General, e.getMessage());\r
+ }\r
+ }\r
+ });\r
+ }\r
+ \r
+ }\r
+ \r
+ public static void initDefault(final GwAPI gwAPI, GwFacade facade) throws Exception {\r
+ String aftenv = gwAPI.env.getProperty(AFT_ENVIRONMENT);\r
+ if(aftenv==null) throw new Exception(AFT_ENVIRONMENT + " must be set");\r
+ \r
+ String aftctx = gwAPI.env.getProperty(AFT_ENV_CONTEXT);\r
+ if(aftctx==null) throw new Exception(AFT_ENV_CONTEXT + " must be set");\r
+\r
+ /**\r
+ * "login" url\r
+ */\r
+ gwAPI.route(HttpMethods.GET,"/login",API.VOID,new GwCode(facade,"Access " + aftctx + " GUI for AAF", true) {\r
+ @Override\r
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+ try {\r
+ redirect(trans, req, resp, context, \r
+ new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, "2.0", aftctx, routeOffer), \r
+ "login");\r
+ } catch (LocatorException e) {\r
+ context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
+ } catch (Exception e) {\r
+ context.error(trans, resp, Result.ERR_General, e.getMessage());\r
+ }\r
+ }\r
+ });\r
+\r
+ /**\r
+ * Default URL\r
+ */\r
+ gwAPI.route(HttpMethods.GET,"/",API.VOID,new GwCode(facade,"Access " + aftctx + " GUI for AAF", true) {\r
+ @Override\r
+ public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
+ try {\r
+ redirect(trans, req, resp, context, \r
+ new DME2Locator(gwAPI.env, gwAPI.dme2Man, AUTHZ_DME2_GUI, "2.0", aftctx, routeOffer), \r
+ "gui/home");\r
+ } catch (LocatorException e) {\r
+ context.error(trans, resp, Result.ERR_BadData, e.getMessage());\r
+ } catch (Exception e) {\r
+ context.error(trans, resp, Result.ERR_General, e.getMessage());\r
+ }\r
+ }\r
+ });\r
+ }\r
+\r
+ private static void redirect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp, GwFacade context, Locator loc, String path) throws IOException {\r
+ try {\r
+ if(loc.hasItems()) {\r
+ Item item = loc.best();\r
+ URI uri = (URI) loc.get(item);\r
+ StringBuilder redirectURL = new StringBuilder(uri.toString()); \r
+ redirectURL.append('/');\r
+ redirectURL.append(path);\r
+ String str = req.getQueryString();\r
+ if(str!=null) {\r
+ redirectURL.append('?');\r
+ redirectURL.append(str);\r
+ }\r
+ trans.info().log("Redirect to",redirectURL);\r
+ resp.sendRedirect(redirectURL.toString());\r
+ } else {\r
+ context.error(trans, resp, Result.err(Result.ERR_NotFound,"%s is not valid",req.getPathInfo()));\r
+ }\r
+ } catch (LocatorException e) {\r
+ context.error(trans, resp, Result.err(Result.ERR_NotFound,"No DME2 Endpoints found for %s",req.getPathInfo()));\r
+ }\r
+ }\r
+\r
+ private static class User {\r
+ public final int code;\r
+ public final String resp;\r
+ \r
+ public User(int code, String resp) {\r
+ this.code = code;\r
+ this.resp = resp;\r
+ }\r
+ }\r
+}\r
Code Review / aaf / authz.git / blobdiff