X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Faaf%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2Faaf%2Fv2_0%2FAAFAuthn.java;h=bd94d0ad343113ef467bd807cc5f2161a7de239e;hb=f6c52528524b737706a67e26c83b580021fbd621;hp=3c970bc249f5d8cd603abbf38b3f084b5deafb67;hpb=a20accc73189d8e5454cd26049c0e6fae75da16f;p=aaf%2Fauthz.git diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java index 3c970bc2..bd94d0ad 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -22,6 +22,9 @@ package org.onap.aaf.cadi.aaf.v2_0; import java.io.IOException; +import java.net.URI; +import java.util.ArrayList; +import java.util.List; import org.onap.aaf.cadi.AbsUserCache; import org.onap.aaf.cadi.CachedPrincipal; 
@@ -30,140 +33,157 @@ import org.onap.aaf.cadi.User; import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.aaf.cadi.client.Future; import org.onap.aaf.cadi.client.Rcli; -import org.onap.aaf.cadi.config.Config; import org.onap.aaf.cadi.lur.ConfigPrincipal; +import aaf.v2_0.CredRequest; + public class AAFAuthn extends AbsUserCache { - private AAFCon con; - private String realm; - - /** - * Configure with Standard AAF properties, Stand alone - * @param con - * @throws Exception .. - */ - // Package on purpose - AAFAuthn(AAFCon con) throws Exception { - super(con.access,con.cleanInterval,con.highCount,con.usageRefreshTriggerCount); - this.con = con; - } - - /** - * Configure with Standard AAF properties, but share the Cache (with AAF Lur) - * @param con - * @throws Exception - */ - // Package on purpose - AAFAuthn(AAFCon con, AbsUserCache cache) { - super(cache); - this.con = con; - } - - /** - * Return Native Realm of AAF Instance. - * - * @return - */ - public String getRealm() { - return realm; - } - - /** - * Returns null if ok, or an Error String; - * - * Convenience function. Passes "null" for State object - */ - public String validate(String user, String password) throws IOException, CadiException { - return validate(user,password,null); - } - - /** - * Returns null if ok, or an Error String; - * - * For State Object, you may put in HTTPServletRequest or AuthzTrans, if available. 
Otherwise, - * leave null - * - * @param user - * @param password - * @return - * @throws IOException - * @throws CadiException - * @throws Exception - */ - public String validate(String user, String password, Object state) throws IOException, CadiException { - password = access.decrypt(password, false); - byte[] bytes = password.getBytes(); - User usr = getUser(user,bytes); - - if(usr != null && !usr.permExpired()) { - if(usr.principal==null) { - return "User already denied"; - } else { - return null; // good - } - } - - AAFCachedPrincipal cp = new AAFCachedPrincipal(this,con.app, user, bytes, con.cleanInterval); - // Since I've relocated the Validation piece in the Principal, just revalidate, then do Switch - // Statement - switch(cp.revalidate(state)) { - case REVALIDATED: - if(usr!=null) { - usr.principal = cp; - } else { - addUser(new User(cp,con.timeout)); - } - return null; - case INACCESSIBLE: - return "AAF Inaccessible"; - case UNVALIDATED: - addUser(new User(user,bytes,con.timeout)); - return "User/Pass combo invalid for " + user; - case DENIED: - return "AAF denies API for " + user; - default: - return "AAFAuthn doesn't handle Principal " + user; - } - } - - private class AAFCachedPrincipal extends ConfigPrincipal implements CachedPrincipal { - private long expires,timeToLive; - - public AAFCachedPrincipal(AAFAuthn aaf, String app, String name, byte[] pass, int timeToLive) { - super(name,pass); - this.timeToLive = timeToLive; - expires = timeToLive + System.currentTimeMillis(); - } - - public Resp revalidate(Object state) { - try { - Miss missed = missed(getName(),getCred()); - if(missed==null || missed.mayContinue()) { - Rcli client = con.client(Config.AAF_DEFAULT_VERSION).forUser(con.basicAuth(getName(), new String(getCred()))); - Future fp = client.read( - "/authn/basicAuth", - "text/plain" - ); - if(fp.get(con.timeout)) { - expires = System.currentTimeMillis() + timeToLive; - addUser(new User(this, expires)); - return Resp.REVALIDATED; - } else { - 
addMiss(getName(), getCred()); - return Resp.UNVALIDATED; - } - } else { - return Resp.UNVALIDATED; - } - } catch (Exception e) { - con.access.log(e); - return Resp.INACCESSIBLE; - } - } - - public long expires() { - return expires; - } - }; + private AAFCon con; + private String realm; + + /** + * Configure with Standard AAF properties, Stand alone + * @param con + * @throws Exception .. + */ + // Package on purpose + AAFAuthn(AAFCon con) { + super(con.access,con.cleanInterval,con.highCount,con.usageRefreshTriggerCount); + this.con = con; + } + + /** + * Configure with Standard AAF properties, but share the Cache (with AAF Lur) + * @param con + * @throws Exception + */ + // Package on purpose + AAFAuthn(AAFCon con, AbsUserCache cache) { + super(cache); + this.con = con; + } + + /** + * Return Native Realm of AAF Instance. + * + * @return + */ + public String getRealm() { + return realm; + } + + /** + * Returns null if ok, or an Error String; + * + * Convenience function. Passes "null" for State object + */ + public String validate(String user, String password) throws IOException { + return validate(user,password,null); + } + + /** + * Returns null if ok, or an Error String; + * + * For State Object, you may put in HTTPServletRequest or AuthzTrans, if available. 
Otherwise, + * leave null + * + * @param user + * @param password + * @return + * @throws IOException + * @throws CadiException + * @throws Exception + */ + public String validate(String user, String password, Object state) throws IOException { + password = access.decrypt(password, false); + byte[] bytes = password.getBytes(); + User usr = getUser(user,bytes); + + if (usr != null && !usr.permExpired()) { + if (usr.principal==null) { + return "User already denied"; + } else { + return null; // good + } + } + + AAFCachedPrincipal cp = new AAFCachedPrincipal(user, bytes, con.cleanInterval); + // Since I've relocated the Validation piece in the Principal, just revalidate, then do Switch + // Statement + switch(cp.revalidate(state)) { + case REVALIDATED: + if (usr!=null) { + usr.principal = cp; + } else { + addUser(new User(cp,con.timeout)); + } + return null; + case INACCESSIBLE: + return "AAF Inaccessible"; + case UNVALIDATED: + addUser(new User(user,bytes,con.timeout)); + return "user/pass combo invalid for " + user; + case DENIED: + return "AAF denies API for " + user; + default: + return "AAFAuthn doesn't handle Principal " + user; + } + } + + private class AAFCachedPrincipal extends ConfigPrincipal implements CachedPrincipal { + private long expires; + private long timeToLive; + + private AAFCachedPrincipal(String name, byte[] pass, int timeToLive) { + super(name,pass); + this.timeToLive = timeToLive; + expires = timeToLive + System.currentTimeMillis(); + } + + public Resp revalidate(Object state) { + List attemptedUris = new ArrayList<>(); + URI thisUri = null; + for (int retries = 0;; retries++) { + try { + Miss missed = missed(getName(), getCred()); + if (missed == null || missed.mayContinue()) { + CredRequest cr = new CredRequest(); + cr.setId(getName()); + cr.setPassword(new String(getCred())); + Rcli client = con.clientIgnoreAlreadyAttempted(attemptedUris); + thisUri = client.getURI(); + Future fp = client.readPost("/authn/validate", con.credReqDF, cr); + 
//Rcli client = con.client().forUser(con.basicAuth(getName(), new String(getCred()))); + //Future fp = client.read( + // "/authn/basicAuth", + // "text/plain" + // ); + if (fp.get(con.timeout)) { + expires = System.currentTimeMillis() + timeToLive; + addUser(new User(this, expires)); + return Resp.REVALIDATED; + } else { + addMiss(getName(), getCred()); + return Resp.UNVALIDATED; + } + } else { + return Resp.UNVALIDATED; + } + } catch (Exception e) { + if (thisUri != null) { + attemptedUris.add(thisUri); + } + con.access.log(e); + if (retries > 2) { + return Resp.INACCESSIBLE; + } + } + } + } + + public long expires() { + return expires; + } + } }
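Review bot: In the new `revalidate` loop a `false` from `fp.get(con.timeout)` on `/authn/validate` is unconditionally recorded with `addMiss` and reported as a bad user/pass combo, while only thrown exceptions reach the failover retry; if `Future.get` also returns false for non-2xx responses that are not credential rejections (a 5xx from one AAF node, or the app's own identity being refused now that the call is no longer made with `forUser(...)`), that transient failure is cached against the user as a miss and never retried on another URI. If `Future` exposes the response status, gate `addMiss` on a credential-rejection status and let other failures fall through to the retry path; otherwise add a comment above `addMiss` stating that a `false` is assumed to mean "credentials rejected" so the negative cache is intentional. Note that the user's password now travels in the POST body as `CredRequest.password` under the client's own identity rather than in an Authorization header, so request/response logging in `Rcli` or in front of AAF must be confirmed not to capture bodies, and `new String(getCred())` in this hunk (like `password.getBytes()` in `validate`) relies on the platform default charset, which should be pinned with `StandardCharsets.UTF_8` so non-ASCII passwords validate consistently across JVMs. Smaller cleanups: delete the commented-out `basicAuth` block, type the list as `List<URI> attemptedUris`, and declare `URI thisUri = null;` inside the `for` body so an exception from `clientIgnoreAlreadyAttempted` does not re-add the previous iteration's URI to `attemptedUris`.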