X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Faaf%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2Faaf%2Fv2_0%2FAAFAuthn.java;h=e16782fa853347a0f149edb0c8bbfd81edd2ab70;hb=d47bcb076eda98afc13cdb29e8c56e8be25e78d3;hp=216468c265b2d655ec023f0b6d55ce3640dbf073;hpb=4af23fd5fcffdc01089180e3839d0fd2cc9e3122;p=aaf%2Fauthz.git diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java index 216468c2..e16782fa 100644 --- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -22,13 +22,19 @@ package org.onap.aaf.cadi.aaf.v2_0; import java.io.IOException; +import java.net.URI; +import java.util.ArrayList; +import java.util.List; import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.Access; import org.onap.aaf.cadi.CachedPrincipal; import org.onap.aaf.cadi.CadiException; import org.onap.aaf.cadi.User; import org.onap.aaf.cadi.aaf.AAFPermission; import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.locator.SingleEndpointLocator; import org.onap.aaf.cadi.lur.ConfigPrincipal; import aaf.v2_0.CredRequest; @@ -36,7 +42,7 @@ import aaf.v2_0.CredRequest; public class AAFAuthn extends AbsUserCache { private AAFCon con; private String realm; - + /** * Configure with Standard AAF properties, Stand alone * @param con 
@@ -51,17 +57,17 @@ public class AAFAuthn extends AbsUserCache { /** * Configure with Standard AAF properties, but share the Cache (with AAF Lur) * @param con - * @throws Exception + * @throws Exception */ // Package on purpose AAFAuthn(AAFCon con, AbsUserCache cache) { super(cache); this.con = con; } - + /** * Return Native Realm of AAF Instance. - * + * * @return */ public String getRealm() { @@ -70,24 +76,24 @@ public class AAFAuthn extends AbsUserCache { /** * Returns null if ok, or an Error String; - * + * * Convenience function. Passes "null" for State object */ public String validate(String user, String password) throws IOException { return validate(user,password,null); } - + /** * Returns null if ok, or an Error String; - * + * * For State Object, you may put in HTTPServletRequest or AuthzTrans, if available. Otherwise, * leave null - * + * * @param user * @param password * @return - * @throws IOException - * @throws CadiException + * @throws IOException + * @throws CadiException * @throws Exception */ public String validate(String user, String password, Object state) throws IOException { @@ -103,7 +109,7 @@ public class AAFAuthn extends AbsUserCache { } } - AAFCachedPrincipal cp = new AAFCachedPrincipal(user, bytes, con.cleanInterval); + AAFCachedPrincipal cp = new AAFCachedPrincipal(user, bytes, con.userExpires); // Since I've relocated the Validation piece in the Principal, just revalidate, then do Switch // Statement switch(cp.revalidate(state)) { 
@@ -111,21 +117,21 @@ public class AAFAuthn extends AbsUserCache {
 if (usr!=null) {
 usr.principal = cp;
 } else {
- addUser(new User(cp,con.timeout));
+ addUser(new User(cp,con.userExpires));
 }
 return null;
 case INACCESSIBLE:
 return "AAF Inaccessible";
 case UNVALIDATED:
- addUser(new User(user,bytes,con.timeout));
+ addUser(new User(user,bytes,con.userExpires));
 return "user/pass combo invalid for " + user;
 case DENIED:
 return "AAF denies API for " + user;
- default:
+ default:
 return "AAFAuthn doesn't handle Principal " + user;
 }
 }
-
+
 private class AAFCachedPrincipal extends ConfigPrincipal implements CachedPrincipal {
 private long expires;
 private long timeToLive;
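Review bot: In the UNVALIDATED case, `addUser(new User(user,bytes,con.userExpires));` now caches a rejected user/password pair for the same lifetime as a validated one, where the old code used `con.timeout`. If AbsUserCache serves that entry without re-consulting AAF until it expires (I cannot see AbsUserCache from here), a negative result lives as long as a positive one, which is the wrong trade-off for negative caching and worth either a shorter negative TTL or a comment saying the equal lifetime is intended, e.g. `// NOTE: a rejected combo is cached for con.userExpires, same as a validated one — intentional?`. The enclosing `validate(String, String, Object)` starts outside this hunk.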
@@ -137,32 +143,50 @@ public class AAFAuthn extends AbsUserCache { } public Resp revalidate(Object state) { - try { - Miss missed = missed(getName(),getCred()); - if (missed==null || missed.mayContinue()) { - CredRequest cr = new CredRequest(); - cr.setId(getName()); - cr.setPassword(new String(getCred())); - Future fp = con.client().readPost("/authn/validate", con.credReqDF, cr); - //Rcli client = con.client().forUser(con.basicAuth(getName(), new String(getCred()))); - //Future fp = client.read( - // "/authn/basicAuth", - // "text/plain" - // ); - if (fp.get(con.timeout)) { - expires = System.currentTimeMillis() + timeToLive; - addUser(new User(this, expires)); - return Resp.REVALIDATED; + int maxRetries = 15; + try { // these SHOULD be an AAFConHttp and a AAFLocator or SingleEndpointLocator objects, but put in a try to be safe + AAFConHttp forceCastCon = (AAFConHttp) con; + if (forceCastCon.hman().loc instanceof SingleEndpointLocator) { + maxRetries = 1; // we cannot retry the single LGW gateway! 
+ } else { + AAFLocator forceCastLoc = (AAFLocator) forceCastCon.hman().loc; + maxRetries = forceCastLoc.maxIters(); + } + } catch (Exception e) { + access.log(Access.Level.DEBUG, e); + } + List attemptedUris = new ArrayList<>(); + URI thisUri = null; + for (int retries = 0;; retries++) { + try { + Miss missed = missed(getName(), getCred()); + if (missed == null || missed.mayContinue()) { + Rcli client = con.clientIgnoreAlreadyAttempted(attemptedUris).forUser(con.basicAuth(getName(), new String(getCred()))); + thisUri = client.getURI(); + Future fp = client.read( + "/authn/basicAuth", + "text/plain" + ); + if (fp.get(con.timeout)) { + expires = System.currentTimeMillis() + timeToLive; + addUser(new User(this, timeToLive)); + return Resp.REVALIDATED; + } else { + addMiss(getName(), getCred()); + return Resp.UNVALIDATED; + } } else { - addMiss(getName(), getCred()); return Resp.UNVALIDATED; } - } else { - return Resp.UNVALIDATED; + } catch (Exception e) { + if (thisUri != null) { + attemptedUris.add(thisUri); + } + con.access.log(e); + if (retries > maxRetries) { + return Resp.INACCESSIBLE; + } } - } catch (Exception e) { - con.access.log(e); - return Resp.INACCESSIBLE; } }
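Review bot: The exit test `if (retries > maxRetries)` is off by one relative to the comment `we cannot retry the single LGW gateway!`: with `maxRetries = 1` the loop still makes three attempts (retries 0, 1 and 2) before returning `Resp.INACCESSIBLE`, so every transport failure re-sends the user's credentials to the same endpoint twice more; `if (retries + 1 >= maxRetries) {` gives exactly `maxRetries` attempts. `thisUri` is declared outside the `for` and only assigned after `con.clientIgnoreAlreadyAttempted(...)`, so if that call or `forUser(...)` throws, the previous iteration's URI is added to `attemptedUris` again; add `thisUri = null;` as the first statement of the loop body. The `catch (Exception e)` around the whole attempt also retries on non-transport failures (a ClassCastException or NullPointerException inside the try would cycle through every endpoint before giving up), so catching the I/O-level exception type the client throws, or rethrowing non-I/O ones, would be safer. Finally, the locator probe logs via `access.log(Access.Level.DEBUG, e)` while the retry path uses `con.access.log(e)`; if `access` is the AbsUserCache field these may be different Access instances, and using `con.access` in both places would be consistent with the rest of the method. `revalidate` is contained entirely within this hunk; the enclosing AAFCachedPrincipal class continues outside it.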