X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-oauth%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Foauth%2Fservice%2FOAuthService.java;h=b5d260602593bd5461db4b232f424151a9081ad2;hb=deb396a3d53a84b2eb5a46d40122b4902d72c601;hp=1d926a74917d43a36533e4ce9ef05c422aac4939;hpb=4b5a7d721d994a49057e9bfb403c7bff1b376660;p=aaf%2Fauthz.git diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java index 1d926a74..b5d26060 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -43,7 +43,7 @@ import org.onap.aaf.cadi.Access; import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.CredVal.Type; -import org.onap.aaf.cadi.client.Holder; +import org.onap.aaf.cadi.util.Holder; import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.oauth.AAFToken; import org.onap.aaf.cadi.oauth.TokenClient; @@ -54,13 +54,13 @@ import org.onap.aaf.misc.env.APIException; import aafoauth.v2_0.Introspect; public class OAuthService { - + private static final int TOK_EXP = 60*60*1000; // 1 hour, millis. public enum TOKEN_TYPE {unknown,bearer,refresh} public enum GRANT_TYPE {unknown,password,client_credentials,refresh_token}; public enum CLIENT_TYPE {unknown,confidential}; - + // Additional Expires private final DAO[] daos; public final OAuthTokenDAO tokenDAO; @@ -76,18 +76,18 @@ public class OAuthService { @SuppressWarnings("unchecked") public OAuthService(final Access access, final AuthzTrans trans, final Question q) throws APIException, IOException { permLoader = JSONPermLoaderFactory.direct(q); - tokenDAO = new OAuthTokenDAO(trans, q.historyDAO); + tokenDAO = new OAuthTokenDAO(trans, q.historyDAO()); daos =(DAO[]) new DAO[] { tokenDAO }; try { String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null); - if(alt_url!=null) { + if (alt_url!=null) { tcf = TokenClientFactory.instance(access); String[] split = Split.split(',', alt_url); int timeout = split.length>1?Integer.parseInt(split[1]):3000; altIntrospectClient = tcf.newClient(split[0], timeout); - altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null), + altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null), access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null)); altDomain = '@'+access.getProperty(Config.AAF_ALT_OAUTH2_DOMAIN,null); } else { @@ -97,11 +97,11 @@ public class OAuthService { } catch (GeneralSecurityException | CadiException | LocatorException e) { throw new APIException("Could not construct TokenClientFactory",e); } - + } public Result validate(AuthzTrans trans, OCreds creds) { - if(directUserPass.validate(creds.username, Type.PASSWORD, creds.password, trans)) { + if (directUserPass.validate(creds.username, Type.PASSWORD, creds.password, trans)) { return Result.ok(); } else { return Result.err(Result.ERR_Security, "Invalid Credential for ",creds.username); @@ -119,22 +119,23 @@ public class OAuthService { return Result.err(Result.ERR_BadData, "Unknown Grant Type"); } } - + private Result createBearerToken(AuthzTrans trans, OAuthTokenDAO.Data odd) { - if(odd.user==null) { + if (odd.user==null) { odd.user = trans.user(); } odd.id = AAFToken.toToken(UUID.randomUUID()); odd.refresh = AAFToken.toToken(UUID.randomUUID()); odd.active = true; long exp; - odd.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP)); + exp=(System.currentTimeMillis()+TOK_EXP); + odd.expires = new Date(exp); odd.exp_sec = exp/1000; odd.req_ip = trans.ip(); - + try { Result rd = loadToken(trans, odd); - if(rd.notOK()) { + if (rd.notOK()) { return rd; } } catch (APIException | CadiException e) { @@ -142,55 +143,55 @@ public class OAuthService { } return tokenDAO.create(trans, odd); } - + private Result loadToken(AuthzTrans trans, Data odd) throws APIException, CadiException { Result rs = permLoader.loadJSONPerms(trans,odd.user,odd.scopes(false)); - if(rs.isOK()) { + if (rs.isOK()) { odd.content = rs.value; odd.type = TOKEN_TYPE.bearer.ordinal(); return Result.ok(odd); - } else if(rs.status == Result.ERR_NotFound || rs.status==Status.ERR_UserRoleNotFound) { + } else if (rs.status == Result.ERR_NotFound || rs.status==Status.ERR_UserRoleNotFound) { odd.type = TOKEN_TYPE.bearer.ordinal(); return Result.ok(odd); } else { return Result.err(Result.ERR_Backend,"Error accessing AAF Info: %s",rs.errorString()); } } - - + + private Result refreshBearerToken(AuthzTrans trans, Data odd) { Result> rld = tokenDAO.readByUser(trans, trans.user()); - if(rld.notOK()) { + if (rld.notOK()) { return Result.err(rld); } - if(rld.isEmpty()) { + if (rld.isEmpty()) { return Result.err(Result.ERR_NotFound,"Data not Found for %1 %2",trans.user(),odd.refresh==null?"":odd.refresh.toString()); } Data token = null; - for(Data d : rld.value) { - if(d.refresh.equals(odd.refresh)) { + for (Data d : rld.value) { + if (d.refresh.equals(odd.refresh)) { token = d; boolean scopesNE = false; Set scopes = odd.scopes(false); - if(scopes.size()>0) { // only check if Scopes listed, RFC 6749, Section 6 - if(scopesNE=!(scopes.size() == d.scopes(false).size())) { - for(String s : odd.scopes(false)) { - if(!d.scopes(false).contains(s)) { + if (scopes.size()>0) { // only check if Scopes listed, RFC 6749, Section 6 + if (scopesNE=!(scopes.size() == d.scopes(false).size())) { + for (String s : odd.scopes(false)) { + if (!d.scopes(false).contains(s)) { scopesNE=true; break; } } } - if(scopesNE) { + if (scopesNE) { return Result.err(Result.ERR_BadData,"Requested Scopes do not match existing Token"); } } break; } } - - if(token==null) { + + if (token==null) { trans.audit().printf("Duplicate Refresh Token (%s) attempted for %s. Possible Replay Attack",odd.refresh.toString(),trans.user()); return Result.err(Result.ERR_Security,"Invalid Refresh Token"); } else { @@ -205,11 +206,11 @@ public class OAuthService { token.exp_sec = exp/1000; token.req_ip = trans.ip(); Result rd = tokenDAO.create(trans, token); - if(rd.notOK()) { + if (rd.notOK()) { return Result.err(rd); } Result rv = tokenDAO.delete(trans, deleteMe,false); - if(rv.notOK()) { + if (rv.notOK()) { trans.error().log("Unable to delete token", token); } } @@ -220,22 +221,22 @@ public class OAuthService { Result> rld; try { UUID uuid = AAFToken.fromToken(token); - if(uuid==null) { // not an AAF Token + if (uuid==null) { // not an AAF Token // Attempt to get Alternative Token - if(altIntrospectClient!=null) { + if (altIntrospectClient!=null) { org.onap.aaf.cadi.client.Result rai = altIntrospectClient.introspect(token); - if(rai.isOK()) { + if (rai.isOK()) { Introspect in = rai.value; - if(in.getExp()==null) { + if (in.getExp()==null) { trans.audit().printf("Alt OAuth sent back inactive, empty token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip()); } long expires = in.getExp()*1000; - if(in.isActive() && expires>System.currentTimeMillis()) { + if (in.isActive() && expires>System.currentTimeMillis()) { // We have a good Token, modify to be Fully Qualified String fqid = in.getUsername()+altDomain; // read contents rld = tokenDAO.read(trans, token); - if(rld.isOKhasData()) { + if (rld.isOKhasData()) { Data td = rld.value.get(0); in.setContent(td.content); } else { @@ -248,8 +249,8 @@ public class OAuthService { td.expires = new Date(expires); td.exp_sec = in.getExp(); Set scopes = td.scopes(true); - if(in.getScope()!=null) { - for(String s : Split.split(' ', in.getScope())) { + if (in.getScope()!=null) { + for (String s : Split.split(' ', in.getScope())) { scopes.add(s); } } @@ -277,13 +278,13 @@ public class OAuthService { public Result dbIntrospect(final AuthzTrans trans, final String token) { Result> rld = tokenDAO.read(trans, token); - if(rld.notOKorIsEmpty()) { + if (rld.notOKorIsEmpty()) { return Result.err(rld); } OAuthTokenDAO.Data odd = rld.value.get(0); trans.checkpoint(odd.user + ':' + odd.client_id + ", " + odd.id); - if(odd.active) { - if(odd.expires.before(trans.now())) { + if (odd.active) { + if (odd.expires.before(trans.now())) { return Result.err(Result.ERR_Policy,"Token %1 has expired",token); } return Result.ok(rld.value.get(0)); // ok keyed on id/token. @@ -293,7 +294,7 @@ public class OAuthService { } public void close() { - for(DAO dao : daos) { + for (DAO dao : daos) { dao.close(NullTrans.singleton()); } }