Remove Code from cadi, it is now in authz
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/core/src/main/java/org/onap/aaf/cadi/config/Config.java
deleted file mode 100644 (file)
index 4128665..0000000
+++ /dev/null
@@ -1,815 +0,0 @@
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- *  *      http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- *  * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi.config;\r
-\r
-import java.io.IOException;\r
-import java.lang.reflect.Constructor;\r
-import java.lang.reflect.Field;\r
-import java.lang.reflect.Method;\r
-import java.net.InetAddress;\r
-import java.net.URI;\r
-import java.net.UnknownHostException;\r
-import java.security.NoSuchAlgorithmException;\r
-import java.security.cert.CertificateException;\r
-import java.util.ArrayList;\r
-import java.util.List;\r
-import java.util.Map.Entry;\r
-\r
-import org.onap.aaf.cadi.AbsUserCache;\r
-import org.onap.aaf.cadi.Access;\r
-import org.onap.aaf.cadi.CachingLur;\r
-import org.onap.aaf.cadi.CadiException;\r
-import org.onap.aaf.cadi.CredVal;\r
-import org.onap.aaf.cadi.Locator;\r
-import org.onap.aaf.cadi.Lur;\r
-import org.onap.aaf.cadi.PropAccess;\r
-import org.onap.aaf.cadi.Symm;\r
-import org.onap.aaf.cadi.TrustChecker;\r
-import org.onap.aaf.cadi.Access.Level;\r
-import org.onap.aaf.cadi.lur.EpiLur;\r
-import org.onap.aaf.cadi.lur.LocalLur;\r
-import org.onap.aaf.cadi.lur.NullLur;\r
-import org.onap.aaf.cadi.taf.HttpEpiTaf;\r
-import org.onap.aaf.cadi.taf.HttpTaf;\r
-import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;\r
-import org.onap.aaf.cadi.taf.cert.X509Taf;\r
-import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;\r
-\r
-import java.util.Properties;\r
-import java.util.TimerTask;\r
-\r
-/**\r
- * Create a Consistent Configuration mechanism, even when configuration styles are as vastly different as\r
- * Properties vs JavaBeans vs FilterConfigs...\r
- * \r
- *\r
- */\r
-public class Config {\r
-\r
-       private static final String HIDE_PASS = "***************";\r
-\r
-       public static final String UTF_8 = "UTF-8";\r
-\r
-       // Property Names associated with configurations.\r
-       // As of 1.0.2, these have had the dots removed so as to be compatible with JavaBean style\r
-       // configurations as well as property list style.\r
-       public static final String HOSTNAME = "hostname";\r
-       public static final String CADI_PROP_FILES = "cadi_prop_files"; // Additional Properties files (separate with ;)\r
-       public static final String CADI_LOGLEVEL = "cadi_loglevel";\r
-       public static final String CADI_LOGNAME = "cadi_logname";\r
-       public static final String CADI_KEYFILE = "cadi_keyfile";\r
-       public static final String CADI_KEYSTORE = "cadi_keystore";\r
-       public static final String CADI_KEYSTORE_PASSWORD = "cadi_keystore_password";\r
-       public static final String CADI_ALIAS = "cadi_alias";\r
-       public static final String CADI_LOGINPAGE_URL = "cadi_loginpage_url";\r
-\r
-       public static final String CADI_KEY_PASSWORD = "cadi_key_password";\r
-       public static final String CADI_TRUSTSTORE = "cadi_truststore";\r
-       public static final String CADI_TRUSTSTORE_PASSWORD = "cadi_truststore_password";\r
-       public static final String CADI_X509_ISSUERS = "cadi_x509_issuers";\r
-       public static final String CADI_TRUST_MASKS="cadi_trust_masks";\r
-       public static final String CADI_TRUST_PERM="cadi_trust_perm"; //  IDs with this perm can utilize the "AS " user concept\r
-       public static final String CADI_PROTOCOLS = "cadi_protocols";\r
-       public static final String CADI_NOAUTHN = "cadi_noauthn";\r
-       public static final String CADI_LOC_LIST = "cadi_loc_list";\r
-       \r
-       public static final String CADI_USER_CHAIN_TAG = "cadi_user_chain";\r
-       public static final String CADI_USER_CHAIN = "USER_CHAIN";\r
-\r
-       \r
-       \r
-       public static final String CSP_DOMAIN = "csp_domain";\r
-       public static final String CSP_HOSTNAME = "csp_hostname";\r
-       public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost";\r
-       public static final String CSP_USER_HEADER = "CSP_USER";\r
-       public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf";\r
-    public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file";\r
-\r
-\r
-       public static final String TGUARD_ENV="tguard_env";\r
-       public static final String TGUARD_DOMAIN = "tguard_domain";\r
-       public static final String TGUARD_TIMEOUT = "tguard_timeout";\r
-       public static final String TGUARD_TIMEOUT_DEF = "5000";\r
-       public static final String TGUARD_CERTS = "tguard_certs"; // comma delimited SHA-256 finger prints\r
-//     public static final String TGUARD_DEVL_LOCALHOST = "tguard_devl_localhost";\r
-//     public static final String TGUARD_USER_HEADER = "TGUARD_USER";\r
-\r
-       public static final String LOCALHOST_ALLOW = "localhost_allow";\r
-       public static final String LOCALHOST_DENY = "localhost_deny";\r
-       \r
-       public static final String BASIC_REALM = "basic_realm";  // what is sent to the client \r
-       public static final String BASIC_WARN = "basic_warn";  // Warning of insecure channel \r
-       public static final String USERS = "local_users";\r
-       public static final String GROUPS = "local_groups";\r
-       public static final String WRITE_TO = "local_writeto"; // dump RBAC to local file in Tomcat Style (some apps use)\r
-       \r
-       public static final String AAF_ENV = "aaf_env";\r
-       public static final String AAF_ROOT_NS = "aaf_root_ns";\r
-       public static final String AAF_ROOT_COMPANY = "aaf_root_company";\r
-       public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration\r
-       public static final String AAF_MECHID = "aaf_id";\r
-       public static final String AAF_MECHPASS = "aaf_password";\r
-       public static final String AAF_LUR_CLASS = "aaf_lur_class";\r
-       public static final String AAF_TAF_CLASS = "aaf_taf_class";\r
-       public static final String AAF_CONNECTOR_CLASS = "aaf_connector_class";\r
-       public static final String AAF_LOCATOR_CLASS = "aaf_locator_class";\r
-       public static final String AAF_CONN_TIMEOUT = "aaf_conn_timeout";\r
-       public static final String AAF_CONN_TIMEOUT_DEF = "3000";\r
-       public static final String AAF_READ_TIMEOUT = "aaf_timeout";\r
-       public static final String AAF_READ_TIMEOUT_DEF = "5000";\r
-       public static final String AAF_USER_EXPIRES = "aaf_user_expires";\r
-       public static final String AAF_USER_EXPIRES_DEF = "600000"; // Default is 10 mins\r
-       public static final String AAF_CLEAN_INTERVAL = "aaf_clean_interval";\r
-       public static final String AAF_CLEAN_INTERVAL_DEF = "30000"; // Default is 30 seconds\r
-       public static final String AAF_REFRESH_TRIGGER_COUNT = "aaf_refresh_trigger_count";\r
-       public static final String AAF_REFRESH_TRIGGER_COUNT_DEF = "3"; // Default is 10 mins\r
-       \r
-       public static final String AAF_HIGH_COUNT = "aaf_high_count";\r
-       public static final String AAF_HIGH_COUNT_DEF = "1000"; // Default is 1000 entries\r
-       public static final String AAF_PERM_MAP = "aaf_perm_map";\r
-       public static final String AAF_DEPLOYED_VERSION = "DEPLOYED_VERSION";\r
-       public static final String AAF_CERT_IDS = "aaf_cert_ids";\r
-       public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited\r
-       \r
-       public static final String GW_URL = "gw_url";\r
-       public static final String CM_URL = "cm_url";\r
-       public static final String CM_TRUSTED_CAS = "cm_trusted_cas";\r
-\r
-       public static final String PATHFILTER_URLPATTERN = "pathfilter_urlpattern";\r
-       public static final String PATHFILTER_STACK = "pathfilter_stack";\r
-       public static final String PATHFILTER_NS = "pathfilter_ns";\r
-       public static final String PATHFILTER_NOT_AUTHORIZED_MSG = "pathfilter_not_authorized_msg";\r
-\r
-       public static final String AFT_DME2_TRUSTSTORE_PASSWORD = "AFT_DME2_TRUSTSTORE_PASSWORD";\r
-       public static final String AFT_DME2_TRUSTSTORE = "AFT_DME2_TRUSTSTORE";\r
-       public static final String AFT_DME2_KEYSTORE_PASSWORD = "AFT_DME2_KEYSTORE_PASSWORD";\r
-       public static final String AFT_DME2_KEY_PASSWORD = "AFT_DME2_KEY_PASSWORD";\r
-       public static final String AFT_DME2_KEYSTORE = "AFT_DME2_KEYSTORE";\r
-       public static final String AFT_DME2_SSL_TRUST_ALL = "AFT_DME2_SSL_TRUST_ALL";\r
-       public static final String AFT_DME2_SSL_INCLUDE_PROTOCOLS = "AFT_DME2_SSL_INCLUDE_PROTOCOLS";\r
-\r
-\r
-       // DME2 Client.  First property must be set to "false", and the others set in order to use SSL Client\r
-       public static final String AFT_DME2_CLIENT_IGNORE_SSL_CONFIG="AFT_DME2_CLIENT_IGNORE_SSL_CONFIG";\r
-       public static final String AFT_DME2_CLIENT_KEYSTORE = "AFT_DME2_CLIENT_KEYSTORE";\r
-       public static final String AFT_DME2_CLIENT_KEYSTORE_PASSWORD = "AFT_DME2_CLIENT_KEYSTORE_PASSWORD";\r
-       public static final String AFT_DME2_CLIENT_TRUSTSTORE = "AFT_DME2_CLIENT_TRUSTSTORE";\r
-       public static final String AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD = "AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD";\r
-       public static final String AFT_DME2_CLIENT_SSL_CERT_ALIAS = "AFT_DME2_CLIENT_SSL_CERT_ALIAS"; \r
-       public static final String AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS = "AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS";\r
-\r
-       \r
-       // This one should go unpublic\r
-       public static final String AAF_DEFAULT_REALM = "aaf_default_realm";\r
-       private static String defaultRealm="none";\r
-\r
-       public static final String AAF_DOMAIN_SUPPORT = "aaf_domain_support";\r
-       //public static final String AAF_DOMAIN_SUPPORT_DEF = ".com";\r
-       public static final String AAF_DOMAIN_SUPPORT_DEF = ".org";\r
-\r
-\r
-       public static void setDefaultRealm(Access access) throws CadiException {\r
-               try {\r
-                       boolean hasCSP;\r
-                       try {\r
-                               Class.forName("com.att.cadi.taf.csp.CSPTaf");\r
-                               hasCSP=true;\r
-                       } catch(ClassNotFoundException e) {\r
-                               hasCSP = logProp(access,Config.CSP_DOMAIN, null)!=null;\r
-                       }\r
-                       defaultRealm = logProp(access,Config.AAF_DEFAULT_REALM,\r
-                                       hasCSP?"csp.att.com":\r
-                                       logProp(access,Config.BASIC_REALM,\r
-                                               logProp(access,HOSTNAME,InetAddress.getLocalHost().getHostName())\r
-                                               )\r
-                                       );\r
-               } catch (UnknownHostException e) {\r
-                       //defaultRealm="none";\r
-               }\r
-       }\r
-       \r
-\r
-       public static HttpTaf configHttpTaf(Access access, TrustChecker tc, CredVal up, Lur lur, Object ... additionalTafLurs) throws CadiException {\r
-               /////////////////////////////////////////////////////\r
-               // Setup AAFCon for any following\r
-               /////////////////////////////////////////////////////\r
-               Object aafcon = null;\r
-               if(lur != null) {\r
-                       Field f = null;\r
-                       try {\r
-                               f = lur.getClass().getField("aaf");\r
-                               aafcon = f.get(lur);\r
-                       } catch (Exception nsfe) {\r
-                       }\r
-               }\r
-               // IMPORTANT!  Don't attempt to load AAF Connector if there is no AAF URL\r
-               String aafURL = access.getProperty(AAF_URL,null);\r
-               if(aafcon==null && aafURL!=null) {\r
-                       aafcon = loadAAFConnector(access, aafURL);      \r
-               }\r
-               \r
-               HttpTaf taf;\r
-               // Setup Host, in case Network reports an unusable Hostname (i.e. VTiers, VPNs, etc)\r
-               String hostname = logProp(access, HOSTNAME,null);\r
-               if(hostname==null) {\r
-                       try {\r
-                               hostname = InetAddress.getLocalHost().getHostName();\r
-                       } catch (UnknownHostException e1) {\r
-                               throw new CadiException("Unable to determine Hostname",e1);\r
-                       }\r
-               }\r
-               \r
-               access.log(Level.INIT, "Hostname set to",hostname);\r
-               // Get appropriate TAFs\r
-               ArrayList<HttpTaf> htlist = new ArrayList<HttpTaf>();\r
-\r
-               /////////////////////////////////////////////////////\r
-               // Add a Denial of Service TAF\r
-               // Note: how IPs and IDs are added are up to service type.\r
-               // They call "DenialOfServiceTaf.denyIP(String) or denyID(String)\r
-               /////////////////////////////////////////////////////\r
-               htlist.add(new DenialOfServiceTaf(access));\r
-\r
-               /////////////////////////////////////////////////////\r
-               // Configure LocalHost \r
-               /////////////////////////////////////////////////////\r
-               \r
-               String truststore = logProp(access, CADI_TRUSTSTORE, access.getProperty("AFT_DME2_TRUSTSTORE", null));\r
-               if(truststore!=null) {\r
-                       String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD, access.getProperty("AFT_DME2_TRUSTSTORE_PASSWORD",null));\r
-                       if(truststore_pwd!=null) {\r
-                               if(truststore_pwd.startsWith(Symm.ENC)) {\r
-                                       try {\r
-                                               truststore_pwd = access.decrypt(truststore_pwd,false);\r
-                                       } catch (IOException e) {\r
-                                               throw new CadiException(CADI_TRUSTSTORE_PASSWORD + " cannot be decrypted",e);\r
-                                       }\r
-                               }\r
-                               try {\r
-                                       htlist.add(new X509Taf(access,lur));\r
-                                       access.log(Level.INIT,"Certificate Authorization enabled");\r
-                               } catch (SecurityException e) {\r
-                                       access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);\r
-                               } catch (IllegalArgumentException e) {\r
-                                       access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);\r
-                               } catch (CertificateException e) {\r
-                                       access.log(Level.INIT,"Certificate Authorization failed, it is disabled",e);\r
-                               } catch (NoSuchAlgorithmException e) {\r
-                                       access.log(Level.INIT,"Certificate Authorization failed, wrong Security Algorithm",e);\r
-                               }\r
-                       }\r
-               } else {\r
-                       access.log(Level.INIT,"Certificate Authorization not enabled");\r
-               }\r
-               \r
-               /////////////////////////////////////////////////////\r
-               // Configure Basic Auth (local content)\r
-               /////////////////////////////////////////////////////\r
-               String basic_realm = logProp(access, BASIC_REALM,null);\r
-               boolean basic_warn = "TRUE".equals(access.getProperty(BASIC_WARN,"FALSE"));\r
-               if(basic_realm!=null && up!=null) {\r
-                       access.log(Level.INIT,"Basic Authorization is enabled using realm",basic_realm);\r
-                       // Allow warning about insecure channel to be turned off\r
-                       if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.",\r
-                                       " There will be no additional warning if Basic Auth is used on an insecure channel"\r
-                                       );\r
-                       String aafCleanup = logProp(access, AAF_USER_EXPIRES,AAF_USER_EXPIRES_DEF); // Default is 10 mins\r
-                       long userExp = Long.parseLong(aafCleanup);\r
-\r
-                       htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn));\r
-               } else {\r
-                       access.log(Level.INIT,"Local Basic Authorization is disabled.  Enable by setting basic_realm=<appropriate realm, i.e. my.att.com>");\r
-               }\r
-               \r
-               /////////////////////////////////////////////////////\r
-               // Configure AAF Driven Basic Auth\r
-               /////////////////////////////////////////////////////\r
-               boolean getRemoteAAF = true;\r
-               if(additionalTafLurs!=null) {\r
-                       for(Object o : additionalTafLurs) {\r
-                               if(o.getClass().getSimpleName().equals("DirectAAFLur")) {\r
-                                       getRemoteAAF = false;\r
-                                       break;\r
-                               }\r
-                       }\r
-               }\r
-               HttpTaf aaftaf=null;\r
-               if(getRemoteAAF) {\r
-                       if(aafcon==null) {\r
-                               access.log(Level.INIT,"AAF Connection (AAFcon) is null.  Cannot create an AAF TAF");\r
-                       } else if(aafURL==null) {\r
-                               access.log(Level.INIT,"No AAF URL in properties, Cannot create an AAF TAF");\r
-                       } else {// There's an AAF_URL... try to configure an AAF \r
-                               String defName = aafURL.contains("version=2.0")?"com.att.cadi.aaf.v2_0.AAFTaf":"";\r
-                               String aafTafClassName = logProp(access, AAF_TAF_CLASS,defName);\r
-                               // Only 2.0 available at this time\r
-                               if("com.att.cadi.aaf.v2_0.AAFTaf".equals(aafTafClassName)) { \r
-                                       try {\r
-                                               Class<?> aafTafClass = loadClass(access,aafTafClassName);\r
-                                               Class<?> aafConClass = loadClass(access,"com.att.cadi.aaf.v2_0.AAFCon");\r
-       \r
-                                               Constructor<?> cstr = aafTafClass.getConstructor(aafConClass,boolean.class,AbsUserCache.class);\r
-                                               if(cstr!=null) {\r
-                                                       aaftaf = (HttpTaf)cstr.newInstance(aafcon,basic_warn,lur);\r
-                                                       if(aaftaf==null) {\r
-                                                               access.log(Level.INIT,"ERROR! AAF TAF Failed construction.  NOT Configured");\r
-                                                       } else {\r
-                                                               access.log(Level.INIT,"AAF TAF Configured to ",aafURL);\r
-                                                               // Note: will add later, after all others configured\r
-                                                       }\r
-                                               }\r
-                                       } catch(Exception e) {\r
-                                               access.log(Level.INIT,"ERROR! AAF TAF Failed construction.  NOT Configured");\r
-                                       }\r
-                               }\r
-                       }\r
-               }\r
-               \r
-               \r
-               String alias = logProp(access, CADI_ALIAS,null);\r
-\r
-               /////////////////////////////////////////////////////\r
-               // Configure tGuard... (AT&T Client Repo)\r
-               /////////////////////////////////////////////////////\r
-               // TGUARD Environment, translated to any other remote Environment validation mechanism...\r
-               String tGuard_domain = logProp(access, TGUARD_DOMAIN,null);\r
-               String tGuard_env = logProp(access, TGUARD_ENV, null);\r
-\r
-               if(!("PROD".equals(tGuard_env) || "STAGE".equals(tGuard_env))) {\r
-                       access.log(Level.INIT, "tGuard Authorization is disabled.  Enable by setting", TGUARD_ENV, "to \"PROD\" or \"STAGE\"");\r
-               } else if(tGuard_domain==null) {\r
-                       access.log(Level.INIT,TGUARD_DOMAIN + " must be set:  tGuard Authorization is disabled.");\r
-               } else if(alias == null) {\r
-                       access.log(Level.INIT,CADI_ALIAS + " must be set:  tGuard Authorization is disabled.");\r
-               } else {\r
-                       try {\r
-                               Class<?> tGuardClass = loadClass(access,"com.att.cadi.tguard.TGuardHttpTaf");\r
-                               if(aaftaf!=null) {\r
-                                       Constructor<?> tGuardCnst = tGuardClass.getConstructor(new Class[]{Access.class, AbsUserCache.class});\r
-                                       htlist.add((HttpTaf)tGuardCnst.newInstance(new Object[] {access,aaftaf}));\r
-                                       access.log(Level.INIT,"tGuard Authorization is enabled on",tGuard_env,"on the",tGuard_domain," tGuard Domain");\r
-                               } else {\r
-                                       Constructor<?> tGuardCnst = tGuardClass.getConstructor(new Class[]{Access.class, int.class, int.class, int.class});\r
-                                       htlist.add((HttpTaf)tGuardCnst.newInstance(new Object[] {\r
-                                                       access,\r
-                                                       Integer.parseInt(logProp(access, AAF_CLEAN_INTERVAL,AAF_CLEAN_INTERVAL_DEF)),\r
-                                                       Integer.parseInt(logProp(access, AAF_HIGH_COUNT, AAF_HIGH_COUNT_DEF)),\r
-                                                       Integer.parseInt(logProp(access, AAF_REFRESH_TRIGGER_COUNT, AAF_REFRESH_TRIGGER_COUNT_DEF))\r
-                                                       }));\r
-                                       access.log(Level.INIT,"tGuard Authorization is enabled on",tGuard_env,"on the",tGuard_domain," tGuard Domain");\r
-                               }\r
-                       } catch(Exception e) {\r
-                               access.log(e, Level.INIT,"tGuard Class cannot be loaded:  tGuard Authorization is disabled.");\r
-                       }\r
-               }\r
-               \r
-               /////////////////////////////////////////////////////\r
-               // Adding BasicAuth (AAF) last, after other primary Cookie Based\r
-               // Needs to be before Cert... see below\r
-               /////////////////////////////////////////////////////\r
-               if(aaftaf!=null) {\r
-                       htlist.add(aaftaf);\r
-               }\r
-\r
-\r
-               /////////////////////////////////////////////////////\r
-               // Any Additional Lurs passed in Constructor\r
-               /////////////////////////////////////////////////////\r
-               if(additionalTafLurs!=null) {\r
-                       for(Object additional : additionalTafLurs) {\r
-                               if(additional instanceof HttpTaf) {\r
-                                       htlist.add((HttpTaf)additional);\r
-                                       access.log(Level.INIT,additional);\r
-                               }\r
-                       }\r
-               }\r
-\r
-               /////////////////////////////////////////////////////\r
-               // Create EpiTaf from configured TAFs\r
-               /////////////////////////////////////////////////////\r
-               if(htlist.size()==1) {\r
-                       // just return the one\r
-                       taf = htlist.get(0);\r
-               } else {\r
-                       HttpTaf[] htarray = new HttpTaf[htlist.size()];\r
-                       htlist.toArray(htarray);\r
-                       Locator<URI> locator = loadLocator(access, logProp(access, CADI_LOGINPAGE_URL, null));\r
-                       \r
-                       taf = new HttpEpiTaf(access,locator, tc, htarray); // ok to pass locator == null\r
-                       String level = logProp(access, CADI_LOGLEVEL, null);\r
-                       if(level!=null) {\r
-                               access.setLogLevel(Level.valueOf(level));\r
-                       }\r
-               }\r
-               \r
-               return taf;\r
-       }\r
-       \r
-       public static String logProp(Access access,String tag, String def) {\r
-               String rv = access.getProperty(tag, def);\r
-               if(rv == null) {\r
-                       access.log(Level.INIT,tag,"is not set");\r
-               } else {\r
-                       access.log(Level.INIT,tag,"is set to",rv);\r
-               }\r
-               return rv;\r
-       }\r
-       \r
-       public static Lur configLur(Access access, Object ... additionalTafLurs) throws CadiException {\r
-               List<Lur> lurs = new ArrayList<Lur>();\r
-               \r
-               /////////////////////////////////////////////////////\r
-               // Configure a Local Property Based RBAC/LUR\r
-               /////////////////////////////////////////////////////\r
-               try {\r
-                       String users = access.getProperty(USERS,null);\r
-                       String groups = access.getProperty(GROUPS,null);\r
-\r
-                       if(groups!=null || users!=null) {\r
-                               LocalLur ll;\r
-                               lurs.add(ll = new LocalLur(access, users, groups)); // note b64==null is ok.. just means no encryption.\r
-                               \r
-                               String writeto = access.getProperty(WRITE_TO,null);\r
-                               if(writeto!=null) {\r
-                                       String msg = UsersDump.updateUsers(writeto, ll);\r
-                                       if(msg!=null) access.log(Level.INIT,"ERROR! Error Updating ",writeto,"with roles and users:",msg);\r
-                               }\r
-                       }\r
-               } catch (IOException e) {\r
-                       throw new CadiException(e);\r
-               }\r
-               \r
-               /////////////////////////////////////////////////////\r
-               // Configure the AAF Lur (if any)\r
-               /////////////////////////////////////////////////////\r
-               String aafURL = logProp(access,AAF_URL,null); // Trigger Property\r
-               String aaf_env = access.getProperty(AAF_ENV,null);\r
-               if(aaf_env == null && aafURL!=null && access instanceof PropAccess) { // set AAF_ENV from AAF_URL\r
-                       int ec = aafURL.indexOf("envContext=");\r
-                       if(ec>0) {\r
-                               ec += 11; // length of envContext=\r
-                               int slash = aafURL.indexOf('/', ec);\r
-                               if(slash>0) {\r
-                                       aaf_env = aafURL.substring(ec, slash);\r
-                                       ((PropAccess)access).setProperty(AAF_ENV, aaf_env);\r
-                                       access.printf(Level.INIT, "Setting aaf_env to %s from aaf_url value",aaf_env);\r
-                               }\r
-                       }\r
-               }\r
-                       \r
-               if(aafURL==null) {\r
-                       access.log(Level.INIT,"No AAF LUR properties, AAF will not be loaded");\r
-               } else {// There's an AAF_URL... try to configure an AAF\r
-                       String aafLurClassStr = logProp(access,AAF_LUR_CLASS,"com.att.cadi.aaf.v2_0.AAFLurPerm");\r
-                       ////////////AAF Lur 2.0 /////////////\r
-                       if(aafLurClassStr.startsWith("com.att.cadi.aaf.v2_0")) { \r
-                               try {\r
-                                       Object aafcon = loadAAFConnector(access, aafURL);\r
-                                       if(aafcon==null) {\r
-                                               access.log(Level.INIT,"AAF LUR class,",aafLurClassStr,"cannot be constructed without valid AAFCon object.");\r
-                                       } else {\r
-                                               Class<?> aafAbsAAFCon = loadClass(access, "com.att.cadi.aaf.v2_0.AAFCon");\r
-                                               Method mNewLur = aafAbsAAFCon.getMethod("newLur");\r
-                                               Object aaflur = mNewLur.invoke(aafcon);\r
-       \r
-                                               if(aaflur==null) {\r
-                                                       access.log(Level.INIT,"ERROR! AAF LUR Failed construction.  NOT Configured");\r
-                                               } else {\r
-                                                       access.log(Level.INIT,"AAF LUR Configured to ",aafURL);\r
-                                                       lurs.add((Lur)aaflur);\r
-                                                       String debugIDs = logProp(access,Config.AAF_DEBUG_IDS, null);\r
-                                                       if(debugIDs !=null && aaflur instanceof CachingLur) {\r
-                                                               ((CachingLur<?>)aaflur).setDebug(debugIDs);\r
-                                                       }\r
-                                               }\r
-                                       }\r
-                               } catch (Exception e) {\r
-                                       access.log(e,"AAF LUR class,",aafLurClassStr,"could not be constructed with given Constructors.");\r
-                               }\r
-                       } \r
-               } \r
-\r
-               /////////////////////////////////////////////////////\r
-               // Any Additional passed in Constructor\r
-               /////////////////////////////////////////////////////\r
-               if(additionalTafLurs!=null) {\r
-                       for(Object additional : additionalTafLurs) {\r
-                               if(additional instanceof Lur) {\r
-                                       lurs.add((Lur)additional);\r
-                                       access.log(Level.INIT, additional);\r
-                               }\r
-                       }\r
-               }\r
-\r
-               /////////////////////////////////////////////////////\r
-               // Return a Lur based on how many there are... \r
-               /////////////////////////////////////////////////////\r
-               switch(lurs.size()) {\r
-                       case 0: \r
-                               access.log(Level.INIT,"WARNING! No CADI LURs configured");\r
-                               // Return a NULL Lur that does nothing.\r
-                               return new NullLur();\r
-                       case 1:\r
-                               return lurs.get(0); // Only one, just return it, save processing\r
-                       default:\r
-                               // Multiple Lurs, use EpiLUR to handle\r
-                               Lur[] la = new Lur[lurs.size()];\r
-                               lurs.toArray(la);\r
-                               return new EpiLur(la);\r
-               }\r
-       }\r
-       \r
-       private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2 = "com.att.cadi.aaf.v2_0.AAFConDME2";\r
-       private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP = "com.att.cadi.aaf.v2_0.AAFConHttp";\r
-       public static Object loadAAFConnector(Access access, String aafURL) {\r
-               Object aafcon = null;\r
-               Class<?> aafConClass = null;\r
-\r
-               try {\r
-                       if(aafURL!=null) {\r
-                               String aafConnector = access.getProperty(AAF_CONNECTOR_CLASS, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP);\r
-                               if(COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2.equals(aafConnector) || aafURL.contains("/service=")) {\r
-                                       aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2);\r
-                                       if(aafConClass!=null) {\r
-                                               Constructor<?> cons = aafConClass.getConstructor(PropAccess.class);\r
-                                               aafcon = cons.newInstance(access);\r
-                                       } else {\r
-                                               access.log(Level.ERROR, "URL contains '/service=', which requires DME2");\r
-                                       }\r
-                               } else if(COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP.equals(aafConnector)) {\r
-                                       aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP);\r
-                                       for(Constructor<?> c : aafConClass.getConstructors()) {\r
-                                               List<Object> lo = new ArrayList<Object>();\r
-                                               for(Class<?> pc : c.getParameterTypes()) {\r
-                                                       if(pc.equals(PropAccess.class)) {\r
-                                                               lo.add(access);\r
-                                                       } else if(pc.equals(Locator.class)) {\r
-                                                               lo.add(loadLocator(access, aafURL));\r
-                                                       } else {\r
-                                                               continue;\r
-                                                       }\r
-                                               }\r
-                                               if(c.getParameterTypes().length!=lo.size()) {\r
-                                                       continue; // back to another Constructor\r
-                                               } else {\r
-                                                       aafcon = c.newInstance(lo.toArray());\r
-                                               }\r
-                                               break;\r
-                                       }\r
-                               }\r
-                               if(aafcon!=null) {\r
-                                       String mechid = logProp(access,Config.AAF_MECHID, null);\r
-                                       String pass = access.getProperty(Config.AAF_MECHPASS, null);\r
-                                       if(mechid!=null && pass!=null) {\r
-                                               try {\r
-                                                       Method basicAuth = aafConClass.getMethod("basicAuth", String.class, String.class);\r
-                                                       basicAuth.invoke(aafcon, mechid,pass);\r
-                                               } catch (NoSuchMethodException nsme) {\r
-                                                       // it's ok, don't use\r
-                                               }\r
-                                       }\r
-                               }\r
-                       }\r
-               } catch (Exception e) {\r
-                       access.log(e,"AAF Connector could not be constructed with given Constructors.");\r
-               }\r
-               \r
-               return aafcon;\r
-       }\r
-\r
-       public static Class<?> loadClass(Access access, String className) {\r
-               Class<?> cls=null;\r
-               try {\r
-                       cls = access.classLoader().loadClass(className);\r
-               } catch (ClassNotFoundException cnfe) {\r
-                       try {\r
-                               cls = access.getClass().getClassLoader().loadClass(className);\r
-                       } catch (ClassNotFoundException cnfe2) {\r
-                               // just return null\r
-                       }\r
-               }\r
-               return cls;\r
-       }\r
-\r
-       @SuppressWarnings("unchecked")\r
-       public static Locator<URI> loadLocator(Access access, String url) {\r
-               Locator<URI> locator = null;\r
-               if(url==null) {\r
-                       access.log(Level.INIT,"No URL for AAF Login Page. Disabled");\r
-               } else {\r
-                       if(url.contains("DME2RESOLVE")) {\r
-                               try {\r
-                                       Class<?> lcls = loadClass(access,"com.att.cadi.locator.DME2Locator");\r
-                                       Class<?> dmcls = loadClass(access,"com.att.aft.dme2.api.DME2Manager");\r
-                                       Constructor<?> cnst = lcls.getConstructor(new Class[] {Access.class,dmcls,String.class});\r
-                                       locator = (Locator<URI>)cnst.newInstance(new Object[] {access,null,url});\r
-                                       access.log(Level.INFO, "DME2Locator enabled with " + url);\r
-                               } catch (Exception e) {\r
-                                       access.log(Level.INIT,"AAF Login Page accessed by " + url + " requires DME2. It is now disabled",e);\r
-                               }\r
-                       } else {\r
-                               try {\r
-                                       Class<?> cls = loadClass(access,"com.att.cadi.locator.PropertyLocator");\r
-                                       Constructor<?> cnst = cls.getConstructor(new Class[] {String.class});\r
-                                       locator = (Locator<URI>)cnst.newInstance(new Object[] {url});\r
-                                       access.log(Level.INFO, "PropertyLocator enabled with " + url);\r
-                               } catch (Exception e) {\r
-                                       access.log(Level.INIT,"AAF Login Page accessed by " + url + " requires PropertyLocator. It is now disabled",e);\r
-                               }\r
-                       }\r
-               }\r
-               return locator;\r
-       }\r
-\r
-       /*\r
-        * DME2 can only read Passwords as clear text properties.  Leaving in "System Properties" un-encrypted exposes these passwords\r
-        */\r
-       public static class PasswordRemoval extends TimerTask {\r
-               private Access access;\r
-               \r
-               private final List<String> pws;\r
-\r
-               public PasswordRemoval(Access access) {\r
-                       this.access = access;\r
-                       pws = new ArrayList<String>();\r
-               }\r
-               \r
-               @Override\r
-               public void run() {\r
-                       for(String key:pws) {\r
-                               access.log(Level.INIT, "Scrubbing " + key);\r
-                               System.clearProperty(key);\r
-                       }\r
-               }               \r
-               public void add(String key) {\r
-                       pws.add(key);\r
-               }\r
-       }\r
-\r
-       private static final String Y = "Y";\r
-\r
-       private static String[][] CONVERTER_STRINGS=new String[][] {\r
-                       {AFT_DME2_KEYSTORE,CADI_KEYSTORE,null},\r
-                       {AFT_DME2_KEYSTORE_PASSWORD,CADI_KEYSTORE_PASSWORD,null},\r
-                       {AFT_DME2_KEY_PASSWORD,CADI_KEY_PASSWORD,null},\r
-                       {AFT_DME2_TRUSTSTORE,CADI_TRUSTSTORE,null},\r
-                       {AFT_DME2_TRUSTSTORE_PASSWORD,CADI_TRUSTSTORE_PASSWORD,null},\r
-                       {AFT_DME2_CLIENT_KEYSTORE,CADI_KEYSTORE,null},\r
-                       {AFT_DME2_CLIENT_KEYSTORE_PASSWORD,CADI_KEYSTORE_PASSWORD,null},\r
-                       {AFT_DME2_CLIENT_TRUSTSTORE,CADI_TRUSTSTORE,null},\r
-                       {AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD,CADI_TRUSTSTORE_PASSWORD,null},\r
-                       {AFT_DME2_CLIENT_SSL_CERT_ALIAS,CADI_ALIAS,null},\r
-                       {AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS,CADI_PROTOCOLS,null},\r
-                       {"AFT_DME2_HOSTNAME",HOSTNAME,null},\r
-                       {"AFT_LATITUDE",null,Y},\r
-                       {"AFT_LONGITUDE",null,Y},\r
-                       {"AFT_ENVIRONMENT",null,Y},\r
-                       {"SCLD_PLATFORM",null,Y},\r
-                       {"DME2_EP_REGISTRY_CLASS",null,Y},// for Developer local access\r
-                       {"AFT_DME2_EP_REGISTRY_FS_DIR",null,Y},\r
-                       {"DME2.DEBUG",null,null},\r
-                       {"AFT_DME2_HTTP_EXCHANGE_TRACE_ON",null,null},\r
-                       {"AFT_DME2_SSL_ENABLE",null,null},\r
-                       {"AFT_DME2_SSL_WANT_CLIENT_AUTH",null,null},\r
-                       {AFT_DME2_SSL_INCLUDE_PROTOCOLS,CADI_PROTOCOLS,null},\r
-                       {"AFT_DME2_SSL_VALIDATE_CERTS",null,null},\r
-                       {AFT_DME2_CLIENT_IGNORE_SSL_CONFIG,null,null},\r
-                       {"https.protocols",CADI_PROTOCOLS,Y},\r
-                       };\r
-\r
-\r
-\r
-       public static Properties getDME2Props(PropAccess access) {\r
-               Properties dprops = new Properties();\r
-               String value = null;\r
-               boolean reqClientConfig = false;\r
-               for(String[] row : CONVERTER_STRINGS) {\r
-                       value = access.getProperty(row[0],null);\r
-                       if(value==null) {\r
-                               value = System.getProperty(row[0]);\r
-                               if(value==null && row[1]!=null) {\r
-                                       value = access.getProperty(row[1],null);\r
-                                       if(value == null) {\r
-                                               value = System.getProperty(row[1]);\r
-                                       }\r
-                               }\r
-                       }\r
-                       if(value!=null) {\r
-                               if(row[0].contains("_SSL_")) {\r
-                                       reqClientConfig = true;\r
-                               }\r
-                               if(row[0].startsWith("AFT") || row[0].startsWith("SCLD") || row[0].contains("DME2")) {\r
-                                       if(value.startsWith("enc:")) {\r
-                                               try {\r
-                                                       value = access.decrypt(value, true);\r
-                                               } catch (IOException e) {\r
-                                                       access.log(Level.ERROR, e);\r
-                                               }\r
-                                               System.setProperty(row[0], value);\r
-                                       } else if(Y.equals(row[2])) {\r
-                                               System.setProperty(row[0], value);\r
-                                               dprops.setProperty(row[0], value);\r
-                                       } else if(row[0].contains("PASSWORD") || row[0].contains("STORE")) {\r
-                                               System.setProperty(row[0], value);\r
-                                       } else {\r
-                                               dprops.setProperty(row[0], value);\r
-                                       }\r
-                               }\r
-                               \r
-                       }\r
-                       \r
-               }\r
-               \r
-               Properties sprops = System.getProperties();\r
-               if(reqClientConfig && sprops.getProperty(AFT_DME2_CLIENT_IGNORE_SSL_CONFIG)==null) {\r
-                       sprops.put(AFT_DME2_CLIENT_IGNORE_SSL_CONFIG, "false");\r
-                       replaceKeyWithTrust(sprops,AFT_DME2_KEYSTORE,AFT_DME2_TRUSTSTORE);\r
-                       replaceKeyWithTrust(sprops,AFT_DME2_KEYSTORE_PASSWORD,AFT_DME2_TRUSTSTORE_PASSWORD);\r
-                       replaceKeyWithTrust(sprops,AFT_DME2_CLIENT_KEYSTORE,AFT_DME2_CLIENT_TRUSTSTORE);\r
-                       replaceKeyWithTrust(sprops,AFT_DME2_CLIENT_KEYSTORE_PASSWORD,AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD);\r
-               }\r
-               \r
-               if(sprops.getProperty(AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS)==null) {\r
-                       sprops.setProperty(AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS, access.getProperty(CADI_PROTOCOLS,SecurityInfo.HTTPS_PROTOCOLS_DEFAULT));\r
-               }\r
-\r
-               if(sprops.getProperty(AFT_DME2_SSL_INCLUDE_PROTOCOLS)==null) {\r
-                       sprops.setProperty(AFT_DME2_SSL_INCLUDE_PROTOCOLS, access.getProperty(CADI_PROTOCOLS,SecurityInfo.HTTPS_PROTOCOLS_DEFAULT));\r
-               }\r
-               \r
-               if(access.willLog(Level.DEBUG)) {\r
-                       if(access instanceof PropAccess) {\r
-                               access.log(Level.DEBUG,"Access Properties");\r
-                               for(Entry<Object, Object> es : ((PropAccess)access).getProperties().entrySet()) {\r
-                                       access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),es.getValue().toString());\r
-                               }\r
-                       }\r
-                       access.log(Level.DEBUG,"DME2 Properties()");\r
-                       for(Entry<Object, Object> es : dprops.entrySet()) {\r
-                               value = es.getValue().toString();\r
-                               if(es.getKey().toString().contains("PASS")) {\r
-                                       if(value==null || !value.contains("enc:")) {\r
-                                               value = HIDE_PASS;\r
-                                       }\r
-                               }\r
-                               access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),value);\r
-                       }\r
-                       \r
-                       access.log(Level.DEBUG,"System (AFT) Properties");\r
-                       for(Entry<Object, Object> es : System.getProperties().entrySet()) {\r
-                               if(es.getKey().toString().startsWith("AFT")) {\r
-                                       value = es.getValue().toString();\r
-                                       if(es.getKey().toString().contains("PASS")) {\r
-                                               if(value==null || !value.contains("enc:")) {\r
-                                                       value = HIDE_PASS;\r
-                                               }\r
-                                       }\r
-                                       access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),value);\r
-                               }\r
-                       }\r
-               }\r
-               // Cover any not specific AFT props\r
-               String key;\r
-               for(Entry<Object, Object> es : access.getProperties().entrySet()) {\r
-                       if((key=es.getKey().toString()).startsWith("AFT_") && \r
-                                       !key.contains("PASSWORD") &&\r
-                                       dprops.get(key)==null) {\r
-                               dprops.put(key, es.getValue());\r
-                       }\r
-               }\r
-               return dprops;\r
-       }\r
-       \r
-       private static void replaceKeyWithTrust(Properties props, String ks, String ts) {\r
-               String value;\r
-               if(props.get(ks)==null && (value=props.getProperty(ts))!=null) {\r
-                       props.put(ks,value);\r
-                       props.remove(ts);\r
-               }\r
-       }\r
-       // Set by CSP, or is hostname.\r
-       public static String getDefaultRealm() {\r
-               return defaultRealm;\r
-       }\r
-\r
-}\r