AT&T 2.0.19 Code drop, stage 5
diff --git a/authz-service/src/main/java/org/onap/aaf/authz/service/api/API_Creds.java b/authz-service/src/main/java/org/onap/aaf/authz/service/api/API_Creds.java
deleted file mode 100644 (file)
index 7c1425b..0000000
+++ /dev/null
@@ -1,278 +0,0 @@
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- *  *      http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- *  * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.authz.service.api;\r
-\r
-import static org.onap.aaf.cssa.rserv.HttpMethods.DELETE;\r
-import static org.onap.aaf.cssa.rserv.HttpMethods.GET;\r
-import static org.onap.aaf.cssa.rserv.HttpMethods.POST;\r
-import static org.onap.aaf.cssa.rserv.HttpMethods.PUT;\r
-\r
-import java.security.Principal;\r
-import java.util.Date;\r
-\r
-import javax.servlet.http.HttpServletRequest;\r
-import javax.servlet.http.HttpServletResponse;\r
-\r
-import org.onap.aaf.authz.cadi.DirectAAFUserPass;\r
-import org.onap.aaf.authz.env.AuthzTrans;\r
-import org.onap.aaf.authz.facade.AuthzFacade;\r
-import org.onap.aaf.authz.layer.Result;\r
-import org.onap.aaf.authz.service.AuthAPI;\r
-import org.onap.aaf.authz.service.Code;\r
-import org.onap.aaf.authz.service.mapper.Mapper.API;\r
-import org.onap.aaf.cssa.rserv.HttpMethods;\r
-\r
-import com.att.aft.dme2.internal.jetty.http.HttpStatus;\r
-import org.onap.aaf.cadi.CredVal;\r
-import org.onap.aaf.cadi.Symm;\r
-import org.onap.aaf.cadi.principal.BasicPrincipal;\r
-import org.onap.aaf.cadi.principal.X509Principal;\r
-import org.onap.aaf.inno.env.Env;\r
-\r
-/**\r
- * Initialize All Dispatches related to Credentials (AUTHN)\r
- *\r
- */\r
-public class API_Creds {\r
-       // Hide Public Interface\r
-       private API_Creds() {}\r
-       // needed to validate Creds even when already Authenticated x509\r
-       /**\r
-        * TIME SENSITIVE APIs\r
-        * \r
-        * These will be first in the list\r
-        * \r
-        * @param env\r
-        * @param authzAPI\r
-        * @param facade\r
-        * @param directAAFUserPass \r
-        * @throws Exception\r
-        */\r
-       public static void timeSensitiveInit(Env env, AuthAPI authzAPI, AuthzFacade facade, final DirectAAFUserPass directAAFUserPass) throws Exception {\r
-               /**\r
-                * Basic Auth, quick Validation\r
-                * \r
-                * Responds OK or NotAuthorized\r
-                */\r
-               authzAPI.route(env, HttpMethods.GET, "/authn/basicAuth", new Code(facade,"Is given BasicAuth valid?",true) {\r
-                       @Override\r
-                       public void handle(\r
-                                       AuthzTrans trans, \r
-                                       HttpServletRequest req,\r
-                                       HttpServletResponse resp) throws Exception {\r
-\r
-                               Principal p = trans.getUserPrincipal();\r
-                               if (p instanceof BasicPrincipal) {\r
-                                       // the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok\r
-                                       // otherwise, it wouldn't have gotten here.\r
-                                       resp.setStatus(HttpStatus.OK_200);\r
-                               } else if (p instanceof X509Principal) {\r
-                                       // have to check Basic Auth here, because it might be CSP.\r
-                                       String ba = req.getHeader("Authorization");\r
-                                       if(ba.startsWith("Basic ")) {\r
-                                               String decoded = Symm.base64noSplit.decode(ba.substring(6));\r
-                                               int colon = decoded.indexOf(':');\r
-                                               if(directAAFUserPass.validate(\r
-                                                               decoded.substring(0,colon), \r
-                                                               CredVal.Type.PASSWORD , \r
-                                                               decoded.substring(colon+1).getBytes())) {\r
-                                                       \r
-                                                       resp.setStatus(HttpStatus.OK_200);\r
-                                               } else {\r
-                                                       resp.setStatus(HttpStatus.FORBIDDEN_403);\r
-                                               }\r
-                                       }\r
-                               } else if(p == null) {\r
-                                       trans.error().log("Transaction not Authenticated... no Principal");\r
-                                       resp.setStatus(HttpStatus.FORBIDDEN_403);\r
-                               } else {\r
-                                       trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");\r
-                                       // For Auth Security questions, we don't give any info to client on why failed\r
-                                       resp.setStatus(HttpStatus.FORBIDDEN_403);\r
-                               }\r
-                       }\r
-               },"text/plain");\r
-               \r
-               /** \r
-                *  returns whether a given Credential is valid\r
-                */\r
-               authzAPI.route(POST, "/authn/validate", API.CRED_REQ, new Code(facade,"Is given Credential valid?",true) {\r
-                       @Override\r
-                       public void handle(\r
-                                       AuthzTrans trans, \r
-                                       HttpServletRequest req,\r
-                                       HttpServletResponse resp) throws Exception {\r
-                               \r
-                               Result<Date> r = context.doesCredentialMatch(trans, req, resp);\r
-                               if(r.isOK()) {\r
-                                               resp.setStatus(HttpStatus.OK_200);\r
-                               } else {\r
-                                               // For Security, we don't give any info out on why failed, other than forbidden\r
-                                               resp.setStatus(HttpStatus.FORBIDDEN_403);\r
-                               }\r
-                       }\r
-               });  \r
-\r
-               /** \r
-                *  returns whether a given Credential is valid\r
-                */\r
-               authzAPI.route(GET, "/authn/cert/id/:id", API.CERTS, new Code(facade,"Get Cert Info by ID",true) {\r
-                       @Override\r
-                       public void handle(\r
-                                       AuthzTrans trans, \r
-                                       HttpServletRequest req,\r
-                                       HttpServletResponse resp) throws Exception {\r
-                               \r
-                               Result<Void> r = context.getCertInfoByID(trans, req, resp, pathParam(req,":id") );\r
-                               if(r.isOK()) {\r
-                                               resp.setStatus(HttpStatus.OK_200); \r
-                               } else {\r
-                                               // For Security, we don't give any info out on why failed, other than forbidden\r
-                                               resp.setStatus(HttpStatus.FORBIDDEN_403);\r
-                               }\r
-                       }\r
-               });  \r
-\r
-\r
-\r
-\r
-       }\r
-       \r
-       /**\r
-        * Normal Init level APIs\r
-        * \r
-        * @param authzAPI\r
-        * @param facade\r
-        * @throws Exception\r
-        */\r
-       public static void init(AuthAPI authzAPI, AuthzFacade facade) throws Exception {\r
-               /**\r
-                * Create a new ID/Credential\r
-                */\r
-               authzAPI.route(POST,"/authn/cred",API.CRED_REQ,new Code(facade,"Add a New ID/Credential", true) {\r
-                       @Override\r
-                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                               Result<Void> r = context.createUserCred(trans, req);\r
-                               if(r.isOK()) {\r
-                                       resp.setStatus(HttpStatus.CREATED_201);\r
-                               } else {\r
-                                       context.error(trans,resp,r);\r
-                               }\r
-                       }\r
-               });\r
-               \r
-               /** \r
-                *  gets all credentials by Namespace\r
-                */\r
-               authzAPI.route(GET, "/authn/creds/ns/:ns", API.USERS, new Code(facade,"Get Creds for a Namespace",true) {\r
-                       @Override\r
-                       public void handle(\r
-                                       AuthzTrans trans, \r
-                                       HttpServletRequest req,\r
-                                       HttpServletResponse resp) throws Exception {\r
-                               \r
-                               Result<Void> r = context.getCredsByNS(trans, resp, pathParam(req, "ns"));\r
-                               if(r.isOK()) {\r
-                                       resp.setStatus(HttpStatus.OK_200); \r
-                               } else {\r
-                                       context.error(trans,resp,r);\r
-                               }\r
-                       }\r
-\r
-               });\r
-               \r
-               /** \r
-                *  gets all credentials by ID\r
-                */\r
-               authzAPI.route(GET, "/authn/creds/id/:id", API.USERS, new Code(facade,"Get Creds by ID",true) {\r
-                       @Override\r
-                       public void handle(\r
-                                       AuthzTrans trans, \r
-                                       HttpServletRequest req,\r
-                                       HttpServletResponse resp) throws Exception {\r
-                               \r
-                               Result<Void> r = context.getCredsByID(trans, resp, pathParam(req, "id"));\r
-                               if(r.isOK()) {\r
-                                       resp.setStatus(HttpStatus.OK_200); \r
-                               } else {\r
-                                       context.error(trans,resp,r);\r
-                               }\r
-                       }\r
-\r
-               });\r
-\r
-\r
-               /**\r
-                * Update ID/Credential (aka reset)\r
-                */\r
-               authzAPI.route(PUT,"/authn/cred",API.CRED_REQ,new Code(facade,"Update an ID/Credential", true) {\r
-                       @Override\r
-                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                               \r
-                               Result<Void> r = context.changeUserCred(trans, req);\r
-                               if(r.isOK()) {\r
-                                       resp.setStatus(HttpStatus.OK_200);\r
-                               } else {\r
-                                       context.error(trans,resp,r);\r
-                               }\r
-                       }\r
-               });\r
-\r
-               /**\r
-                * Extend ID/Credential\r
-                * This behavior will accelerate getting out of P1 outages due to ignoring renewal requests, or\r
-                * other expiration issues.\r
-                * \r
-                * Scenario is that people who are solving Password problems at night, are not necessarily those who\r
-                * know what the passwords are supposed to be.  Also, changing Password, without changing Configurations\r
-                * using that password only exacerbates the P1 Issue.\r
-                */\r
-               authzAPI.route(PUT,"/authn/cred/:days",API.CRED_REQ,new Code(facade,"Extend an ID/Credential", true) {\r
-                       @Override\r
-                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                               Result<Void> r = context.extendUserCred(trans, req, pathParam(req, "days"));\r
-                               if(r.isOK()) {\r
-                                       resp.setStatus(HttpStatus.OK_200);\r
-                               } else {\r
-                                       context.error(trans,resp,r);\r
-                               }\r
-                       }\r
-               });\r
-\r
-               /**\r
-                * Delete a ID/Credential by Object\r
-                */\r
-               authzAPI.route(DELETE,"/authn/cred",API.CRED_REQ,new Code(facade,"Delete a Credential", true) {\r
-                       @Override\r
-                       public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {\r
-                               Result<Void> r = context.deleteUserCred(trans, req);\r
-                               if(r.isOK()) {\r
-                                       resp.setStatus(HttpStatus.OK_200);\r
-                               } else {\r
-                                       context.error(trans,resp,r);\r
-                               }\r
-                       }\r
-               });\r
-\r
-       }\r
-}\r