X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-service%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fservice%2Fapi%2FAPI_Creds.java;h=fbc1baa245c4fe93e356eaac36b31b40b0d076a4;hb=07fb3ece74a9aa1fad8e2a9fab73b4de3e36853b;hp=390c3089417fab12a2b0c0ed4ce8b7e4da935908;hpb=ca76fbda94492f1b0c895ff0f4070381f17472f0;p=aaf%2Fauthz.git
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
index 390c3089..fbc1baa2 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java
@@ -56,245 +56,247 @@ import org.onap.aaf.misc.env.TimeTaken; * */ public class API_Creds { - // Hide Public Interface - private API_Creds() {} - // needed to validate Creds even when already Authenticated x509 - /** - * TIME SENSITIVE APIs - * - * These will be first in the list - * - * @param env - * @param authzAPI - * @param facade - * @param directAAFUserPass - * @throws Exception - */ - public static void timeSensitiveInit(Env env, AAF_Service authzAPI, AuthzFacade facade, final DirectAAFUserPass directAAFUserPass) throws Exception { - /** - * Basic Auth, quick Validation - * - * Responds OK or NotAuthorized - */ - authzAPI.route(env, HttpMethods.GET, "/authn/basicAuth", new Code(facade,"Is given BasicAuth valid?",true) { - @Override - public void handle( - AuthzTrans trans, - HttpServletRequest req, - HttpServletResponse resp) throws Exception { + // Hide Public Interface + private API_Creds() {} + // needed to validate Creds even when already Authenticated x509 + /** + * TIME SENSITIVE APIs + * + * These will be first in the list + * + * @param env + * @param authzAPI + * @param facade + * @param directAAFUserPass + * @throws Exception + */ + public static void timeSensitiveInit(Env env, AAF_Service authzAPI, AuthzFacade facade, final DirectAAFUserPass directAAFUserPass) throws Exception { + /** + * Basic Auth, quick Validation + * + * Responds OK or NotAuthorized + */ + authzAPI.route(env, HttpMethods.GET, "/authn/basicAuth", new Code(facade,"Is given BasicAuth valid?",true) { + @Override + public void handle( + AuthzTrans trans, + HttpServletRequest req, + HttpServletResponse resp) throws Exception { - Principal p = trans.getUserPrincipal(); - if (p instanceof BasicPrincipal) { - // the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok - // otherwise, it wouldn't have gotten here. - resp.setStatus(HttpStatus.OK_200); - } else if (p instanceof X509Principal) { - // have to check Basic Auth here, because it might be CSP. 
- String authz = req.getHeader("Authorization"); - if(authz.startsWith("Basic ")) { - BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf(); - if(bht!=null) { - BasicPrincipal bp = new BasicPrincipal(authz,""); - CredVal cv = bht.getCredVal(bp.getDomain()); - if(cv!=null) { - if(cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) { - resp.setStatus(HttpStatus.OK_200); - } else { - resp.setStatus(HttpStatus.FORBIDDEN_403); - } - } - } else { - String decoded = Symm.base64noSplit.decode(authz.substring(6)); - int colon = decoded.indexOf(':'); - TimeTaken tt = trans.start("Direct Validation", Env.REMOTE); - try { - if(directAAFUserPass.validate( - decoded.substring(0,colon), - CredVal.Type.PASSWORD , - decoded.substring(colon+1).getBytes(),trans)) { - - resp.setStatus(HttpStatus.OK_200); - } else { - // DME2 at this version crashes without some sort of response - resp.getOutputStream().print(""); - resp.setStatus(HttpStatus.FORBIDDEN_403); - } - } finally { - tt.done(); - } - } - } - } else if(p == null) { - trans.error().log("Transaction not Authenticated... 
no Principal"); - resp.setStatus(HttpStatus.FORBIDDEN_403); - } else { - trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans"); - // For Auth Security questions, we don't give any info to client on why failed - resp.setStatus(HttpStatus.FORBIDDEN_403); - } - } - },"text/plain","*/*","*"); - - /** - * returns whether a given Credential is valid - */ - authzAPI.route(POST, "/authn/validate", API.CRED_REQ, new Code(facade,"Is given Credential valid?",true) { - @Override - public void handle( - AuthzTrans trans, - HttpServletRequest req, - HttpServletResponse resp) throws Exception { - - Result r = context.doesCredentialMatch(trans, req, resp); - if(r.isOK()) { - resp.setStatus(HttpStatus.OK_200); - } else { - // For Security, we don't give any info out on why failed, other than forbidden - // Can't do "401", because that is on the call itself - resp.setStatus(HttpStatus.FORBIDDEN_403); - } - } - }); + Principal p = trans.getUserPrincipal(); + if (p instanceof BasicPrincipal) { + // the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok + // otherwise, it wouldn't have gotten here. + resp.setStatus(HttpStatus.OK_200); + } else if (p instanceof X509Principal) { + // have to check Basic Auth here, because it might be CSP. 
+ String authz = req.getHeader("Authorization"); + if (authz.startsWith("Basic ")) { + BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf(); + if (bht!=null) { + BasicPrincipal bp = new BasicPrincipal(authz,""); + CredVal cv = bht.getCredVal(bp.getDomain()); + if (cv!=null) { + if (cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) { + resp.setStatus(HttpStatus.OK_200); + } else { + resp.setStatus(HttpStatus.UNAUTHORIZED_401); + } + } + } else { + String decoded = Symm.base64noSplit.decode(authz.substring(6)); + int colon = decoded.indexOf(':'); + TimeTaken tt = trans.start("Direct Validation", Env.REMOTE); + try { + if (directAAFUserPass.validate( + decoded.substring(0,colon), + CredVal.Type.PASSWORD , + decoded.substring(colon+1).getBytes(),trans)) { + resp.setStatus(HttpStatus.OK_200); + } else { + // DME2 at this version crashes without some sort of response + resp.getOutputStream().print(""); + resp.setStatus(HttpStatus.FORBIDDEN_403); + } + } finally { + tt.done(); + } + } + } + } else if (p == null) { + trans.error().log("Transaction not Authenticated... no Principal"); + resp.setStatus(HttpStatus.FORBIDDEN_403); + } else { + trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans"); + // For Auth Security questions, we don't give any info to client on why failed + resp.setStatus(HttpStatus.FORBIDDEN_403); + } + } + },"text/plain","*/*","*"); + + /** + * returns whether a given Credential is valid + */ + authzAPI.route(POST, "/authn/validate", API.CRED_REQ, new Code(facade,"Is given Credential valid?",true) { + @Override + public void handle( + AuthzTrans trans, + HttpServletRequest req, + HttpServletResponse resp) throws Exception { + // will be a valid Entity. 
Do we need to add permission + //if(trans.fish("ns","password","request")) or the like + Result r = context.doesCredentialMatch(trans, req, resp); + if (r.isOK()) { + resp.setStatus(HttpStatus.OK_200); + } else { + // For Security, we don't give any info out on why failed, other than forbidden + // Can't do "401", because that is on the call itself + // 403 Implies you MAY NOT Ask. + resp.setStatus(HttpStatus.NOT_ACCEPTABLE_406); + } + } + }); - /** - * returns whether a given Credential is valid - */ - authzAPI.route(GET, "/authn/cert/id/:id", API.CERTS, new Code(facade,"Get Cert Info by ID",true) { - @Override - public void handle( - AuthzTrans trans, - HttpServletRequest req, - HttpServletResponse resp) throws Exception { - - Result r = context.getCertInfoByID(trans, req, resp, pathParam(req,":id") ); - if(r.isOK()) { - resp.setStatus(HttpStatus.OK_200); - } else { - // For Security, we don't give any info out on why failed, other than forbidden - resp.setStatus(HttpStatus.FORBIDDEN_403); - } - } - }); + /** + * returns whether a given Credential is valid + */ + authzAPI.route(GET, "/authn/cert/id/:id", API.CERTS, new Code(facade,"Get Cert Info by ID",true) { + @Override + public void handle( + AuthzTrans trans, + HttpServletRequest req, + HttpServletResponse resp) throws Exception { + + Result r = context.getCertInfoByID(trans, req, resp, pathParam(req,":id") ); + if (r.isOK()) { + resp.setStatus(HttpStatus.OK_200); + } else { + // For Security, we don't give any info out on why failed, other than forbidden + resp.setStatus(HttpStatus.FORBIDDEN_403); + } + } + }); - } - - /** - * Normal Init level APIs - * - * @param authzAPI - * @param facade - * @throws Exception - */ - public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception { - /** - * Create a new ID/Credential - */ - authzAPI.route(POST,"/authn/cred",API.CRED_REQ,new Code(facade,"Add a New ID/Credential", true) { - @Override - public void handle(AuthzTrans trans, 
HttpServletRequest req, HttpServletResponse resp) throws Exception { Result r = context.createUserCred(trans, req); - if(r.isOK()) { - resp.setStatus(HttpStatus.CREATED_201); - } else { - context.error(trans,resp,r); - } - } - }); - - /** - * gets all credentials by Namespace - */ - authzAPI.route(GET, "/authn/creds/ns/:ns", API.USERS, new Code(facade,"Get Creds for a Namespace",true) { - @Override - public void handle( - AuthzTrans trans, - HttpServletRequest req, - HttpServletResponse resp) throws Exception { - - Result r = context.getCredsByNS(trans, resp, pathParam(req, "ns")); - if(r.isOK()) { - resp.setStatus(HttpStatus.OK_200); - } else { - context.error(trans,resp,r); - } - } + } + + /** + * Normal Init level APIs + * + * @param authzAPI + * @param facade + * @throws Exception + */ + public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception { + /** + * Create a new ID/Credential + */ + authzAPI.route(POST,"/authn/cred",API.CRED_REQ,new Code(facade,"Add a New ID/Credential", true) { + @Override + public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { + Result r = context.createUserCred(trans, req); + if (r.isOK()) { + resp.setStatus(HttpStatus.CREATED_201); + } else { + context.error(trans,resp,r); + } + } + }); + + /** + * gets all credentials by Namespace + */ + authzAPI.route(GET, "/authn/creds/ns/:ns", API.USERS, new Code(facade,"Get Creds for a Namespace",true) { + @Override + public void handle( + AuthzTrans trans, + HttpServletRequest req, + HttpServletResponse resp) throws Exception { + + Result r = context.getCredsByNS(trans, resp, pathParam(req, "ns")); + if (r.isOK()) { + resp.setStatus(HttpStatus.OK_200); + } else { + context.error(trans,resp,r); + } + } - }); - - /** - * gets all credentials by ID - */ - authzAPI.route(GET, "/authn/creds/id/:id", API.USERS, new Code(facade,"Get Creds by ID",true) { - @Override - public void handle( - AuthzTrans trans, - 
HttpServletRequest req, - HttpServletResponse resp) throws Exception { - - Result r = context.getCredsByID(trans, resp, pathParam(req, "id")); - if(r.isOK()) { - resp.setStatus(HttpStatus.OK_200); - } else { - context.error(trans,resp,r); - } - } + }); + + /** + * gets all credentials by ID + */ + authzAPI.route(GET, "/authn/creds/id/:id", API.USERS, new Code(facade,"Get Creds by ID",true) { + @Override + public void handle( + AuthzTrans trans, + HttpServletRequest req, + HttpServletResponse resp) throws Exception { + + Result r = context.getCredsByID(trans, resp, pathParam(req, "id")); + if (r.isOK()) { + resp.setStatus(HttpStatus.OK_200); + } else { + context.error(trans,resp,r); + } + } - }); + }); - /** - * Update ID/Credential (aka reset) - */ - authzAPI.route(PUT,"/authn/cred",API.CRED_REQ,new Code(facade,"Update an ID/Credential", true) { - @Override - public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - - Result r = context.changeUserCred(trans, req); - if(r.isOK()) { - resp.setStatus(HttpStatus.OK_200); - } else { - context.error(trans,resp,r); - } - } - }); + /** + * Update ID/Credential (aka reset) + */ + authzAPI.route(PUT,"/authn/cred",API.CRED_REQ,new Code(facade,"Update an ID/Credential", true) { + @Override + public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { + + Result r = context.changeUserCred(trans, req); + if (r.isOK()) { + resp.setStatus(HttpStatus.OK_200); + } else { + context.error(trans,resp,r); + } + } + }); - /** - * Extend ID/Credential - * This behavior will accelerate getting out of P1 outages due to ignoring renewal requests, or - * other expiration issues. - * - * Scenario is that people who are solving Password problems at night, are not necessarily those who - * know what the passwords are supposed to be. Also, changing Password, without changing Configurations - * using that password only exacerbates the P1 Issue. 
- */ - authzAPI.route(PUT,"/authn/cred/:days",API.CRED_REQ,new Code(facade,"Extend an ID/Credential", true) { - @Override - public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - Result r = context.extendUserCred(trans, req, pathParam(req, "days")); - if(r.isOK()) { - resp.setStatus(HttpStatus.OK_200); - } else { - context.error(trans,resp,r); - } - } - }); + /** + * Extend ID/Credential + * This behavior will accelerate getting out of P1 outages due to ignoring renewal requests, or + * other expiration issues. + * + * Scenario is that people who are solving Password problems at night, are not necessarily those who + * know what the passwords are supposed to be. Also, changing Password, without changing Configurations + * using that password only exacerbates the P1 Issue. + */ + authzAPI.route(PUT,"/authn/cred/:days",API.CRED_REQ,new Code(facade,"Extend an ID/Credential", true) { + @Override + public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { + Result r = context.extendUserCred(trans, req, pathParam(req, "days")); + if (r.isOK()) { + resp.setStatus(HttpStatus.OK_200); + } else { + context.error(trans,resp,r); + } + } + }); - /** - * Delete a ID/Credential by Object - */ - authzAPI.route(DELETE,"/authn/cred",API.CRED_REQ,new Code(facade,"Delete a Credential", true) { - @Override - public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - Result r = context.deleteUserCred(trans, req); - if(r.isOK()) { - resp.setStatus(HttpStatus.OK_200); - } else { - context.error(trans,resp,r); - } - } - }); + /** + * Delete a ID/Credential by Object + */ + authzAPI.route(DELETE,"/authn/cred",API.CRED_REQ,new Code(facade,"Delete a Credential", true) { + @Override + public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { + Result r = context.deleteUserCred(trans, req); + if 
(r.isOK()) { + resp.setStatus(HttpStatus.OK_200); + } else { + context.error(trans,resp,r); + } + } + }); - } + } }
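Review bot: `req.getHeader("Authorization")` is dereferenced without a null check in the X509Principal branch of the `/authn/basicAuth` handler, so an X.509-authenticated caller that sends no Authorization header gets a NullPointerException out of handle() instead of the 403 the other failure paths return; `if (authz != null && authz.startsWith("Basic "))` closes that. In the same branch, the direct-validation path assumes the decoded credential contains a colon: with `colon == -1`, `decoded.substring(0,colon)` throws StringIndexOutOfBoundsException, so a guard such as `if (colon < 0) { resp.setStatus(HttpStatus.FORBIDDEN_403); return; }` placed before `trans.start("Direct Validation", Env.REMOTE)` is needed, and the `getBytes()` on the password there should name a charset (`StandardCharsets.UTF_8`) so the bytes handed to validate() do not depend on the platform default. The new side also answers a failed CredVal check with UNAUTHORIZED_401 while the direct-validation and no-principal paths of the same endpoint still answer FORBIDDEN_403 for the same condition; those should agree, whichever code is chosen. The switch to NOT_ACCEPTABLE_406 in `/authn/validate` reuses a status that HTTP defines for Accept-header negotiation, so client libraries and proxies may read it as a content-negotiation failure; if the intent is "not permitted to ask", a comment such as `// 406 chosen deliberately: caller may not query this credential; not an Accept-header failure` documents that contract for callers.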