* org.onap.dmaap
* ================================================================================
* Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Modification copyright (C) 2021 Nordix Foundation.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
import java.io.FileInputStream;
import java.io.IOException;
+import java.util.Map;
import java.util.Properties;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.onap.aaf.cadi.CadiException;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
import org.onap.aaf.cadi.PropAccess;
import org.onap.aaf.cadi.aaf.AAFPermission;
import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLur;
import org.onap.aaf.cadi.principal.UnAuthPrincipal;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
public class Cadi3AAFProvider implements AuthorizationProvider {
private static PropAccess access;
private static AAFCon<?> aafcon;
- private static final String CADI_PROPERTIES = "/opt/kafka/config/cadi.properties";
+ private static final String CADI_PROPERTIES = "/etc/kafka/data/cadi.properties";
private static final String AAF_LOCATOR_ENV = "aaf_locate_url";
- private static final String MR_NAMESPACE = "org.onap.dmaap.mr";
+ private static String apiKey = null;
+ private static String kafkaUsername = null;
+ private static AAFAuthn<?> aafAuthn;
+ private static AbsAAFLur<AAFPermission> aafLur;
+ private static boolean enableCadi = false;
+ private static final String ENABLE_CADI = "enableCadi";
+ private static final Logger logger = LoggerFactory.getLogger(Cadi3AAFProvider.class);
- public static AAFAuthn<?> getAafAuthn() throws CadiException {
- if (aafAuthn == null) {
- throw new CadiException("Cadi is uninitialized in Cadi3AAFProvider.getAafAuthn()");
+ static {
+ if (System.getProperty(ENABLE_CADI) != null) {
+ if (System.getProperty(ENABLE_CADI).equals("true")) {
+ enableCadi = true;
+ }
+ }
+ else{
+ if (System.getenv(ENABLE_CADI) != null && System.getenv(ENABLE_CADI).equals("true")) {
+ enableCadi = true;
+ }
+ }
+ Configuration config = Configuration.getConfiguration();
+ try {
+ if (config == null) {
+ logger.error("CRITICAL ERROR|Check java.security.auth.login.config VM argument|");
+ } else {
+ // read the section for KafkaServer
+ AppConfigurationEntry[] entries = config.getAppConfigurationEntry("KafkaServer");
+ if (entries == null) {
+ logger.error(
+ "CRITICAL ERROR|Check config contents passed in java.security.auth.login.config VM argument|");
+ kafkaUsername = "kafkaUsername";
+ apiKey = "apiKey";
+
+ } else {
+ for (AppConfigurationEntry entry : entries) {
+ Map<String, ?> optionsMap = entry.getOptions();
+ kafkaUsername = (String) optionsMap.get("username");
+ apiKey = (String) optionsMap.get("password");
+ }
+ }
+ }
+ } catch (Exception e) {
+ logger.error("CRITICAL ERROR: JAAS configuration incorrectly set: {}", e.getMessage());
}
- return aafAuthn;
}
- private static AAFAuthn<?> aafAuthn;
- private static AbsAAFLur<AAFPermission> aafLur;
+ public static String getKafkaUsername() {
+ return kafkaUsername;
+ }
- private static boolean props_ok = false;
+ public static boolean isCadiEnabled() {
- private static final Logger logger = LoggerFactory.getLogger(Cadi3AAFProvider.class);
+ return enableCadi;
+ }
public Cadi3AAFProvider() {
setup();
if (access == null) {
Properties props = new Properties();
- FileInputStream fis = null;
+ FileInputStream fis;
try {
if (System.getProperty("CADI_PROPERTIES") != null) {
fis = new FileInputStream(System.getProperty("CADI_PROPERTIES"));
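Review bot: The fallback branch in the static initializer, `kafkaUsername = "kafkaUsername"; apiKey = "apiKey";`, turns a missing JAAS `KafkaServer` section into a fixed, well-known credential, because `authenticate()` later in this diff returns success (null) whenever the supplied username and password equal those two fields. A misconfigured broker should fail closed: leave both fields null in that branch (keep the existing `logger.error(...)`), or throw an `IllegalStateException` from the initializer so the class never loads with placeholder credentials. The loop over `entries` also silently keeps only the last entry's `username`/`password`; if a single entry is expected, a `break` after the first match or a comment stating the assumption would make that explicit. The hunk's trailing context runs into the constructor, whose body continues past this hunk.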
logger.error("Unable to load " + CADI_PROPERTIES);
logger.error("Error", e);
}
-
- props_ok = true;
- if (props_ok == false) {
- return;
- }
}
if (aafAuthn == null) {
aafAuthn = null;
if (access != null)
access.log(e, "Failed to initialize AAF");
- props_ok = false;
}
}
public boolean hasPermission(String userId, String permission, String instance, String action) {
boolean hasPermission = false;
try {
- logger.info("^ Event at hasPermission to validate userid " + userId + " with " + permission + " " + instance
- + " " + action);
+ logger.info("^ Event at hasPermission to validate userid {} with {} {} {}", userId, permission, instance, action);
// AAF Style permissions are in the form
// Resource Name, Resource Type, Action
if (userId.equals("admin")) {
hasPermission = true;
return hasPermission;
}
- AAFPermission perm = new AAFPermission(MR_NAMESPACE, permission, instance, action);
+ AAFPermission perm = new AAFPermission(null, permission, instance, action);
if (aafLur != null) {
hasPermission = aafLur.fish(new UnAuthPrincipal(userId), perm);
- logger.trace("Permission: " + perm.getKey() + " for user :" + userId + " found: " + hasPermission);
+ logger.trace("Permission: {} for user : {} found: {}" , perm.getKey(), userId, hasPermission);
} else {
logger.error("AAF client not initialized. Not able to find permissions.");
}
return "CADI_AAF_PROVIDER";
}
- public String authenticate(String userId, String password) throws Exception {
- logger.info("^Event received with username " + userId);
- if (userId.equals("admin")) {
- logger.info("User Admin by passess AAF call ....");
+ public String authenticate(String userId, String password) throws IOException {
+
+ logger.info("^Event received with username {}", userId);
+
+ if (!enableCadi) {
return null;
- }
- String aafResponse = aafAuthn.validate(userId, password);
- logger.info("aafResponse=" + aafResponse + " for " + userId);
+ } else {
+ if (userId.equals(kafkaUsername)) {
+ if (password.equals(apiKey)) {
+ logger.info("by passes the authentication for the admin {}", kafkaUsername);
+ return null;
+ } else {
+ String errorMessage = "Authentication failed for user " + kafkaUsername;
+ logger.error(errorMessage);
+ return errorMessage;
+ }
- if (aafResponse != null) {
- logger.error("Authentication failed for user ." + userId);
+ }
+
+ String aafResponse = aafAuthn.validate(userId, password);
+ logger.info("aafResponse = {} for {}", aafResponse, userId);
+
+ if (aafResponse != null) {
+ logger.error("Authentication failed for user {}", userId);
+ }
+ return aafResponse;
}
- return aafResponse;
+
}
}
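Review bot: `password.equals(apiKey)` in `authenticate()` compares a secret with a short-circuiting `String.equals` and throws `NullPointerException` when a caller passes a null password; null-check first and compare in constant time, e.g. `if (password != null && MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8), apiKey.getBytes(StandardCharsets.UTF_8)))`. When CADI is enabled but AAF setup failed, `aafAuthn` appears to remain null (the constructor's failure path earlier in the diff assigns `aafAuthn = null;`), so `aafAuthn.validate(userId, password)` would throw rather than return an error string; a guard such as `if (aafAuthn == null) { return "AAF authentication is not initialized"; }` before the call keeps the method's null-means-success contract intact. The `throws IOException` clause should match what `validate` can actually throw, which is not visible here, and the method's success/failure contract (null on success, message on failure) is worth a Javadoc `@return` line since it is the inverse of what a reader might expect.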