+++ /dev/null
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- * * http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- * * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi;\r
-\r
-\r
-import java.security.Principal;\r
-import java.util.ArrayList;\r
-import java.util.List;\r
-import java.util.Map;\r
-import java.util.Timer;\r
-import java.util.TimerTask;\r
-import java.util.TreeMap;\r
-import java.util.concurrent.ConcurrentHashMap;\r
-\r
-import org.onap.aaf.cadi.Access.Level;\r
-import org.onap.aaf.cadi.CachedPrincipal.Resp;\r
-\r
-/**\r
- * Implement Fast lookup and Cache for Local User Info\r
- * \r
- * Include ability to add and remove Users\r
- * \r
- * Also includes a Timer Thread (when necessary) to invoke cleanup on expiring Credentials\r
- * \r
- *\r
- */\r
-public abstract class AbsUserCache<PERM extends Permission> {\r
- static final int MIN_INTERVAL = 15000;\r
- static final int MAX_INTERVAL = 1000*60*5; // 5 mins\r
- private static Timer timer;\r
- // Map of userName to User\r
- private final Map<String, User<PERM>> userMap;\r
- private final Map<String, Miss> missMap;\r
- private Clean clean;\r
- protected Access access;\r
-// private final static Permission teaser = new LocalPermission("***NoPERM****");\r
- \r
- protected AbsUserCache(Access access, long cleanInterval, int highCount, int usageCount) {\r
- this.access = access;\r
- userMap = new ConcurrentHashMap<String, User<PERM>>();\r
- missMap = new TreeMap<String,Miss>();\r
- if(cleanInterval>0) {\r
- cleanInterval = Math.max(MIN_INTERVAL, cleanInterval);\r
- synchronized(AbsUserCache.class) { // Lazy instantiate.. in case there is no cleanup needed\r
- if(timer==null) {\r
- timer = new Timer("CADI Cleanup Timer",true);\r
- }\r
- \r
- timer.schedule(clean = new Clean(access, cleanInterval, highCount, usageCount), cleanInterval, cleanInterval);\r
- access.log(Access.Level.INIT, "Cleaning Thread initialized with interval of",cleanInterval, "ms and max objects of", highCount);\r
- }\r
- }\r
- }\r
- \r
- @SuppressWarnings("unchecked")\r
- public AbsUserCache(AbsUserCache<PERM> cache) {\r
- this.access = cache.access;\r
- userMap = cache.userMap;\r
- missMap = cache.missMap;\r
- synchronized(AbsUserCache.class) {\r
- if(cache.clean!=null && cache.clean.lur==null && this instanceof CachingLur) {\r
- cache.clean.lur=(CachingLur<PERM>)this;\r
- }\r
- }\r
- }\r
-\r
- protected void setLur(CachingLur<PERM> lur) {\r
- if(clean!=null)clean.lur = lur;\r
- \r
- }\r
- \r
- protected void addUser(User<PERM> user) {\r
- userMap.put(user.principal.getName(), user);\r
- }\r
-\r
- // Useful for looking up by WebToken, etc.\r
- protected void addUser(String key, User<PERM> user) {\r
- userMap.put(key, user);\r
- }\r
- \r
- /**\r
- * Add miss to missMap. If Miss exists, or too many tries, returns false.\r
- * \r
- * otherwise, returns true to allow another attempt.\r
- * \r
- * @param key\r
- * @param bs\r
- * @return\r
- */\r
- protected boolean addMiss(String key, byte[] bs) {\r
- Miss miss = missMap.get(key);\r
- if(miss==null) {\r
- synchronized(missMap) {\r
- missMap.put(key, new Miss(bs,clean==null?MIN_INTERVAL:clean.timeInterval));\r
- }\r
- return true;\r
- }\r
- return miss.add(bs); \r
- }\r
-\r
- protected Miss missed(String key) {\r
- return missMap.get(key);\r
- }\r
-\r
- protected User<PERM> getUser(String userName) {\r
- User<PERM> u = userMap.get(userName);\r
- if(u!=null) {\r
- u.incCount();\r
- }\r
- return u;\r
- }\r
- \r
- protected User<PERM> getUser(Principal principal) {\r
- return getUser(principal.getName()); \r
- }\r
- \r
- /**\r
- * Removes User from the Cache\r
- * @param user\r
- */\r
- protected void remove(User<PERM> user) {\r
- userMap.remove(user.principal.getName());\r
- }\r
- \r
- /**\r
- * Removes user from the Cache\r
- * \r
- * @param user\r
- */\r
- public void remove(String user) {\r
- Object o = userMap.remove(user);\r
- if(o!=null) {\r
- access.log(Level.INFO, user,"removed from Client Cache by Request");\r
- }\r
- }\r
- \r
- /**\r
- * Clear all users from the Client Cache\r
- */\r
- public void clearAll() {\r
- userMap.clear();\r
- }\r
- \r
- public final List<DumpInfo> dumpInfo() {\r
- List<DumpInfo> rv = new ArrayList<DumpInfo>();\r
- for(User<PERM> user : userMap.values()) {\r
- rv.add(new DumpInfo(user));\r
- }\r
- return rv;\r
- }\r
-\r
- /**\r
- * The default behavior of a LUR is to not handle something exclusively.\r
- */\r
- public boolean handlesExclusively(Permission pond) {\r
- return false;\r
- }\r
- \r
- /**\r
- * Container calls when cleaning up... \r
- * \r
- * If overloading in Derived class, be sure to call "super.destroy()"\r
- */\r
- public void destroy() {\r
- if(timer!=null) {\r
- timer.purge();\r
- timer.cancel();\r
- }\r
- }\r
- \r
- \r
-\r
- // Simple map of Group name to a set of User Names\r
- // private Map<String, Set<String>> groupMap = new HashMap<String, Set<String>>();\r
-\r
- /**\r
- * Class to hold a small subset of the data, because we don't want to expose actual Permission or User Objects\r
- */\r
- public final class DumpInfo {\r
- public String user;\r
- public List<String> perms;\r
- \r
- public DumpInfo(User<PERM> user) {\r
- this.user = user.principal.getName();\r
- perms = new ArrayList<String>(user.perms.keySet());\r
- }\r
- }\r
- \r
- /**\r
- * Clean will examine resources, and remove those that have expired.\r
- * \r
- * If "highs" have been exceeded, then we'll expire 10% more the next time. This will adjust after each run\r
- * without checking contents more than once, making a good average "high" in the minimum speed.\r
- * \r
- *\r
- */\r
- private final class Clean extends TimerTask {\r
- private final Access access;\r
- private CachingLur<PERM> lur;\r
- \r
- // The idea here is to not be too restrictive on a high, but to Expire more items by \r
- // shortening the time to expire. This is done by judiciously incrementing "advance"\r
- // when the "highs" are exceeded. This effectively reduces numbers of cached items quickly.\r
- private final int high;\r
- private long advance;\r
- private final long timeInterval;\r
- private final int usageTriggerCount;\r
- \r
- public Clean(Access access, long cleanInterval, int highCount, int usageTriggerCount) {\r
- this.access = access;\r
- lur = null;\r
- high = highCount;\r
- timeInterval = cleanInterval;\r
- advance = 0;\r
- this.usageTriggerCount=usageTriggerCount;\r
- }\r
- public void run() {\r
- int renewed = 0;\r
- int count = 0;\r
- int total = 0;\r
- try {\r
- // look at now. If we need to expire more by increasing "now" by "advance"\r
- ArrayList<User<PERM>> al = new ArrayList<User<PERM>>(userMap.values().size());\r
- al.addAll(0, userMap.values());\r
- long now = System.currentTimeMillis() + advance;\r
- for(User<PERM> user : al) {\r
- ++total;\r
- if(user.count>usageTriggerCount) {\r
- // access.log(Level.AUDIT, "Checking Thread", new Date(now));\r
- boolean touched = false, removed=false;\r
- if(user.principal instanceof CachedPrincipal) {\r
- CachedPrincipal cp = (CachedPrincipal)user.principal;\r
- if(cp.expires() < now) {\r
- switch(cp.revalidate()) {\r
- case INACCESSIBLE:\r
- access.log(Level.AUDIT, "AAF Inaccessible. Keeping credentials");\r
- break;\r
- case REVALIDATED:\r
- user.resetCount();\r
- // access.log(Level.AUDIT, "CACHE revalidated credentials");\r
- touched = true;\r
- break;\r
- default:\r
- user.resetCount();\r
- remove(user);\r
- ++count;\r
- removed = true;\r
- break;\r
- }\r
- }\r
- }\r
- \r
- // access.log(Level.AUDIT, "User Perm Expires", new Date(user.permExpires));\r
- if(!removed && lur!=null && user.permExpires<= now ) {\r
- // access.log(Level.AUDIT, "Reloading");\r
- if(lur.reload(user).equals(Resp.REVALIDATED)) {\r
- user.renewPerm();\r
- access.log(Level.DEBUG, "Reloaded Perms for",user);\r
- touched = true;\r
- }\r
- }\r
- user.resetCount();\r
- if(touched) {\r
- ++renewed;\r
- }\r
- \r
- } else {\r
- if(user.permExpired()) {\r
- remove(user);\r
- ++count;\r
- }\r
- }\r
- }\r
- \r
- // Clean out Misses\r
- int missTotal = missMap.keySet().size();\r
- int miss = 0;\r
- if(missTotal>0) {\r
- ArrayList<String> keys = new ArrayList<String>(missTotal);\r
- keys.addAll(missMap.keySet());\r
- for(String key : keys) {\r
- Miss m = missMap.get(key);\r
- if(m!=null && m.timestamp<System.currentTimeMillis()) {\r
- synchronized(missMap) {\r
- missMap.remove(key);\r
- }\r
- access.log(Level.INFO, key, "has been removed from Missed Credential Map (" + m.tries + " invalid tries)");\r
- ++miss;\r
- }\r
- }\r
- }\r
- \r
- if(count+renewed+miss>0) {\r
- access.log(Level.INFO, (lur==null?"Cache":lur.getClass().getSimpleName()), "removed",count,\r
- "and renewed",renewed,"expired Permissions out of", total,"and removed", miss, "password misses out of",missTotal);\r
- }\r
- \r
- // If High (total) is reached during this period, increase the number of expired services removed for next time.\r
- // There's no point doing it again here, as there should have been cleaned items.\r
- if(total>high) {\r
- // advance cleanup by 10%, without getting greater than timeInterval.\r
- advance = Math.min(timeInterval, advance+(timeInterval/10));\r
- } else {\r
- // reduce advance by 10%, without getting lower than 0.\r
- advance = Math.max(0, advance-(timeInterval/10));\r
- }\r
- } catch (Exception e) {\r
- access.log(Level.ERROR,e.getMessage());\r
- }\r
- }\r
- }\r
- \r
- public static class Miss {\r
- private static final int MAX_TRIES = 3;\r
-\r
- long timestamp;\r
- byte[][] array;\r
-\r
- private long timetolive;\r
-\r
- private int tries;\r
- \r
- public Miss(byte[] first, long timeInterval) {\r
- array = new byte[MAX_TRIES][];\r
- array[0]=first;\r
- timestamp = System.currentTimeMillis() + timeInterval;\r
- this.timetolive = timeInterval;\r
- tries = 1;\r
- }\r
- \r
- public boolean mayContinue(byte[] bs) {\r
- if(++tries > MAX_TRIES) return false;\r
- for(byte[] a : array) {\r
- if(a==null)return true;\r
- if(equals(a,bs)) {\r
- return false;\r
- }\r
- }\r
- return true;\r
- }\r
-\r
- public synchronized boolean add(byte[] bc) {\r
- if(++tries>MAX_TRIES)return false;\r
- timestamp = System.currentTimeMillis()+timetolive;\r
- for(int i=0;i<MAX_TRIES;++i) {\r
- if(array[i]==null) {\r
- array[i]=bc;\r
- return true; // add to array, and allow more tries\r
- } else if(equals(array[i],bc)) {\r
- return false;\r
- }\r
- }\r
- return false; // no more tries until cache cleared.\r
- }\r
- \r
- private boolean equals(byte[] src, byte[] target) {\r
- if(target.length==src.length) {\r
- for(int j=0;j<src.length;++j) {\r
- if(src[j]!=target[j]) return false;\r
- }\r
- return true; // same length and same chars\r
- }\r
- return false;\r
- }\r
- }\r
- \r
- /**\r
- * Report on state\r
- */\r
- public String toString() {\r
- return getClass().getSimpleName() + \r
- " Cache:\n Users Cached: " +\r
- userMap.size() +\r
- "\n Misses Saved: " +\r
- missMap.size() +\r
- '\n';\r
- \r
- }\r
-\r
- public void clear(Principal p, StringBuilder sb) {\r
- sb.append(toString());\r
- userMap.clear();\r
- missMap.clear();\r
- access.log(Level.AUDIT, p.getName(),"has cleared User Cache in",getClass().getSimpleName());\r
- sb.append("Now cleared\n");\r
- }\r
-\r
-}\r
Code Review / aaf / cadi.git / blobdiff