+++ /dev/null
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- * * http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- * * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi.taf;\r
-\r
-import java.net.URI;\r
-import java.security.Principal;\r
-import java.util.ArrayList;\r
-import java.util.List;\r
-\r
-import javax.servlet.http.HttpServletRequest;\r
-import javax.servlet.http.HttpServletResponse;\r
-\r
-import org.onap.aaf.cadi.Access;\r
-import org.onap.aaf.cadi.CachedPrincipal;\r
-import org.onap.aaf.cadi.CadiException;\r
-import org.onap.aaf.cadi.Locator;\r
-import org.onap.aaf.cadi.TrustChecker;\r
-import org.onap.aaf.cadi.CachedPrincipal.Resp;\r
-import org.onap.aaf.cadi.Taf.LifeForm;\r
-\r
-/**\r
- * HttpEpiTaf\r
- * \r
- * An extension of the basic "EpiTAF" concept, check known HTTP Related TAFs for valid credentials\r
- * \r
- *\r
- */\r
-public class HttpEpiTaf implements HttpTaf {\r
- private HttpTaf[] tafs;\r
- private Access access;\r
- private Locator<URI> locator;\r
- private TrustChecker trustChecker;\r
- \r
- /**\r
- * HttpEpiTaf constructor\r
- * \r
- * Construct the HttpEpiTaf from variable Http specific TAF parameters\r
-\r
- * @param tafs\r
- * @throws CadiException\r
- */\r
- public HttpEpiTaf(Access access, Locator<URI> locator, TrustChecker tc, HttpTaf ... tafs) throws CadiException{\r
- this.tafs = tafs;\r
- this.access = access;\r
- this.locator = locator;\r
- this.trustChecker = tc;\r
- // Establish what Header Property to look for UserChain/Trust Props \r
-// trustChainProp = access.getProperty(Config.CADI_TRUST_PROP, Config.CADI_TRUST_PROP_DEFAULT);\r
-\r
- if(tafs.length==0) throw new CadiException("Need at least one HttpTaf implementation in constructor");\r
- }\r
-\r
- /**\r
- * validate\r
- * \r
- * Respond with the first Http specific TAF to authenticate user based on variable info \r
- * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol).\r
- * \r
- * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can\r
- * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP\r
- * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm \r
- * submission\r
- * \r
- * If no TAF declares either, respond with NullTafResp (which denies all questions)\r
- */\r
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {\r
- // Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings\r
- if(reading==LifeForm.LFN) {\r
- reading = tricorderScan(req);\r
- }\r
- TafResp tresp=null, firstTry = null;\r
- List<Redirectable> redirectables = null;\r
- \r
- for(HttpTaf taf : tafs) {\r
- tresp = taf.validate(reading, req, resp);\r
- switch(tresp.isAuthenticated()) {\r
- case TRY_ANOTHER_TAF:\r
- break; // and loop\r
- case TRY_AUTHENTICATING:\r
- if(tresp instanceof Redirectable) {\r
- if(redirectables==null) {\r
- redirectables = new ArrayList<Redirectable>();\r
- }\r
- redirectables.add((Redirectable)tresp);\r
- } else if(firstTry==null) {\r
- firstTry = tresp;\r
- }\r
- break; \r
- case IS_AUTHENTICATED:\r
- tresp = trustChecker.mayTrust(tresp, req);\r
- return tresp;\r
- default:\r
- return tresp;\r
- }\r
- }\r
- \r
- // If No TAFs configured, at this point. It is safer at this point to be "not validated", \r
- // rather than "let it go"\r
- // Note: if exists, there will always be more than 0 entries, according to above code\r
- if(redirectables==null) {\r
- return firstTry!=null?firstTry:NullTafResp.singleton();\r
- }\r
- \r
- // If there is one Tryable entry then return it\r
- if(redirectables.size()>1) {\r
- return LoginPageTafResp.create(access,locator,resp,redirectables);\r
- } else {\r
- return redirectables.get(0);\r
- }\r
- }\r
- \r
- public boolean revalidate(Principal prin) throws Exception {\r
- return false;\r
- }\r
-\r
- /*\r
- * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind\r
- * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical \r
- * id (SiliconBasedLifeForm)? This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs\r
- */\r
- private LifeForm tricorderScan(HttpServletRequest req) {\r
- // For simplicity's sake, we'll say Humans use FQDNs, not IPs.\r
- \r
- String auth = req.getParameter("Authentication");\r
- if(auth!=null) {\r
- if("BasicAuth".equals(auth)) {\r
- return LifeForm.SBLF;\r
- }\r
- }\r
- // Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are.\r
- // If mechanical frameworks are found that populate this, then more advanced analysis may be required\r
- // 1/22/2013\r
- String agent = req.getHeader("User-Agent");\r
- if(agent!=null && agent.startsWith("Mozilla")) // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent\r
- return LifeForm.CBLF; \r
- return LifeForm.SBLF; // notably skips "curl","wget", (which is desired behavior. We don't want to try CSP, etc on these)\r
- }\r
-\r
- public Resp revalidate(CachedPrincipal prin) {\r
- Resp resp;\r
- for(HttpTaf taf : tafs) {\r
- resp = taf.revalidate(prin);\r
- switch(resp) {\r
- case NOT_MINE:\r
- break;\r
- default:\r
- return resp;\r
- }\r
- }\r
- return Resp.NOT_MINE;\r
- }\r
-\r
- /**\r
- * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE\r
- * like Eclipse.\r
- */\r
- public String toString() {\r
- StringBuilder sb = new StringBuilder();\r
- for(HttpTaf ht : tafs) {\r
- sb.append(ht.toString());\r
- sb.append(". ");\r
- }\r
- return sb.toString();\r
- }\r
-}\r