+++ /dev/null
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- * * http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- * * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi.filter;\r
-\r
-import java.io.IOException;\r
-import java.util.ArrayList;\r
-import java.util.List;\r
-\r
-import javax.servlet.http.HttpServletRequest;\r
-import javax.servlet.http.HttpServletResponse;\r
-\r
-import org.onap.aaf.cadi.Access;\r
-import org.onap.aaf.cadi.CadiException;\r
-import org.onap.aaf.cadi.CadiWrap;\r
-import org.onap.aaf.cadi.Connector;\r
-import org.onap.aaf.cadi.CredVal;\r
-import org.onap.aaf.cadi.Lur;\r
-import org.onap.aaf.cadi.Taf;\r
-import org.onap.aaf.cadi.TrustChecker;\r
-import org.onap.aaf.cadi.Access.Level;\r
-import org.onap.aaf.cadi.config.Config;\r
-import org.onap.aaf.cadi.lur.EpiLur;\r
-import org.onap.aaf.cadi.taf.HttpTaf;\r
-import org.onap.aaf.cadi.taf.TafResp;\r
-import org.onap.aaf.cadi.util.UserChainManip;\r
-\r
-/**\r
- * Encapsulate common HTTP Manipulation Behavior. It will appropriately set\r
- * HTTPServletResponse for Redirect or Forbidden, as needed.\r
- * \r
- * Further, this is useful, because it avoids multiple creates of Connections, where some Filters\r
- * are created and destroyed regularly.\r
- * \r
- *\r
- *\r
- */\r
-public class CadiHTTPManip {\r
- private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";\r
- private static final String METH = "OPTIONS";\r
- private static final String CADI = "/cadi/";\r
- private static final String CADI_CACHE_PRINT = "/cadi/cache/print";\r
- private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";\r
- private static final String CADI_LOG_SET = "/cadi/log/set/";\r
- private Access access;\r
- private HttpTaf taf;\r
- private CredVal up;\r
- private Lur lur;\r
- private String thisPerm,companyPerm,aaf_id;\r
- \r
- public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems\r
-\r
-\r
- public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {\r
- synchronized(CADI) {\r
- this.access = access;\r
-// Get getter = new AccessGetter(access);\r
- Config.setDefaultRealm(access);\r
- \r
- aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_MECHID, null));\r
- if(aaf_id==null) {\r
- access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_MECHID,Config.CADI_ALIAS);\r
- } else {\r
- access.printf(Level.INIT, "%s is set to %s",Config.AAF_MECHID,aaf_id);\r
- }\r
- String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id);\r
- if(ns!=null) {\r
- thisPerm = ns+ACCESS_CADI_CONTROL;\r
- int dot = ns.indexOf('.');\r
- if(dot>=0) {\r
- int dot2=ns.indexOf('.',dot+1);\r
- if(dot2<0) {\r
- dot2=dot;\r
- }\r
- companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL;\r
- } else {\r
- companyPerm = "com"+ACCESS_CADI_CONTROL;\r
- }\r
- } else {\r
- thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL;\r
- }\r
- \r
- if(con!=null) { // try to reutilize connector\r
- List<Lur> ll = null;\r
- for(Object tl : additionalTafLurs) {\r
- if(tl instanceof Lur) {\r
- if(ll==null) {\r
- ll = new ArrayList<Lur>();\r
- ll.add(con.newLur());\r
- }\r
- ll.add((Lur)tl);\r
- }\r
- }\r
- if(ll==null) {\r
- lur = con.newLur();\r
- } else {\r
- lur = new EpiLur((Lur[])ll.toArray());\r
- }\r
- } else {\r
- lur = Config.configLur(access, additionalTafLurs);\r
- }\r
- tc.setLur(lur);\r
- if(lur instanceof EpiLur) {\r
- up = ((EpiLur)lur).getUserPassImpl();\r
- } else if(lur instanceof CredVal) {\r
- up = (CredVal)lur;\r
- } else {\r
- up = null;\r
- }\r
- taf = Config.configHttpTaf(access, tc, up, lur, additionalTafLurs);\r
- }\r
- }\r
-\r
- public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp) throws IOException {\r
- TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp);\r
- switch(tresp.isAuthenticated()) {\r
- case IS_AUTHENTICATED:\r
- access.printf(Level.INFO,"Authenticated: %s from %s:%d"\r
- , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());\r
- break;\r
- case TRY_AUTHENTICATING:\r
- switch (tresp.authenticate()) {\r
- case IS_AUTHENTICATED:\r
- access.printf(Level.INFO,"Authenticated: %s from %s:%d"\r
- , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());\r
- break;\r
- case HTTP_REDIRECT_INVOKED:\r
- access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc());\r
- break;\r
- case NO_FURTHER_PROCESSING:\r
- access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d"\r
- , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());\r
- hresp.sendError(403, tresp.desc()); // Forbidden\r
- break;\r
-\r
- default:\r
- access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"\r
- , hreq.getRemoteAddr(), hreq.getRemotePort());\r
- hresp.sendError(403, tresp.desc()); // Forbidden\r
- }\r
- break;\r
- case NO_FURTHER_PROCESSING:\r
- access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d", \r
- tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());\r
- hresp.sendError(403, "Access Denied"); // FORBIDDEN\r
- break;\r
- default:\r
- access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"\r
- , hreq.getRemoteAddr(), hreq.getRemotePort());\r
- hresp.sendError(403, "Access Denied"); // FORBIDDEN\r
- }\r
- return tresp;\r
- }\r
- \r
- public boolean notCadi(CadiWrap req, HttpServletResponse resp) {\r
- \r
- String pathInfo = req.getPathInfo();\r
- if(METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) {\r
- if(req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) {\r
- try {\r
- if(pathInfo.contains(CADI_CACHE_PRINT)) {\r
- resp.getOutputStream().println(lur.toString());\r
- resp.setStatus(200);\r
- return false;\r
- } else if(pathInfo.contains(CADI_CACHE_CLEAR)) {\r
- StringBuilder report = new StringBuilder();\r
- lur.clear(req.getUserPrincipal(), report);\r
- resp.getOutputStream().println(report.toString());\r
- resp.setStatus(200);\r
- return false;\r
- } else if(pathInfo.contains(CADI_LOG_SET)) {\r
- Level l;\r
- int slash = pathInfo.lastIndexOf('/');\r
- String level = pathInfo.substring(slash+1);\r
- try {\r
- l = Level.valueOf(level);\r
- access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'",req.getUser(),l.name());\r
- access.setLogLevel(l);\r
- } catch (IllegalArgumentException e) {\r
- access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level);\r
- }\r
- return false;\r
- }\r
- } catch (IOException e) {\r
- access.log(e);\r
- }\r
- }\r
- }\r
- return true;\r
- }\r
-\r
- public Lur getLur() {\r
- return lur;\r
- }\r
- \r
- public void destroy() {\r
- access.log(Level.INFO,"CadiHttpChecker destroyed.");\r
- if(lur!=null) {\r
- lur.destroy();\r
- lur=null;\r
- }\r
- }\r
-\r
- public Access getAccess() {\r
- return access;\r
- }\r
-\r
-}\r