X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Faaf%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2Faaf%2Fv2_0%2FAAFTaf.java;h=99c3c3fca779db88fb8ca43a0505b5ac8f2ff640;hb=59ffb7d529245c3bd0233dbf6cb0ae9fe9ccb856;hp=2cfe1227e90325e250e9fc770990b91e39dac73c;hpb=4b5a7d721d994a49057e9bfb403c7bff1b376660;p=aaf%2Fauthz.git
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java
index 2cfe1227..99c3c3fc 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java
@@ -23,8 +23,10 @@ package org.onap.aaf.cadi.aaf.v2_0;
 import java.io.IOException;
 import java.security.Principal;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
 import org.onap.aaf.cadi.AbsUserCache;
 import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.CachedPrincipal;
@@ -42,28 +44,34 @@ import org.onap.aaf.cadi.client.Future; import org.onap.aaf.cadi.client.Rcli; import org.onap.aaf.cadi.client.Retryable; import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.filter.MapBathConverter; import org.onap.aaf.cadi.principal.BasicPrincipal; import org.onap.aaf.cadi.principal.CachedBasicPrincipal; import org.onap.aaf.cadi.taf.HttpTaf; import org.onap.aaf.cadi.taf.TafResp; import org.onap.aaf.cadi.taf.TafResp.RESP; import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp; +import org.onap.aaf.cadi.util.CSV; import org.onap.aaf.misc.env.APIException; public class AAFTaf extends AbsUserCache implements HttpTaf { private AAFCon aaf; private boolean warn; - + private MapBathConverter mapIds; + public AAFTaf(AAFCon con, boolean turnOnWarning) { super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount); aaf = con; warn = turnOnWarning; + initMapBathConverter(); } public AAFTaf(AAFCon con, boolean turnOnWarning, AbsUserCache other) { super(other); aaf = con; warn = turnOnWarning; + initMapBathConverter(); + } // Note: Needed for Creation of this Object with Generics 
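Review bot: `mapIds` is assigned exactly once, from both constructors via `initMapBathConverter()`, yet is declared as a plain mutable field that `validate` later reads on request threads; having the helper return the converter and writing `private final MapBathConverter mapIds;` with `mapIds = initMapBathConverter();` in each constructor would state that invariant in the type and give the field final-field publication semantics if an instance is ever handed to another thread without other synchronization. The helper itself is defined in the next hunk, so the return-type change would land there. The added blank line before the closing brace of the second constructor looks unintended.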
@@ -78,33 +86,51 @@ public class AAFTaf extends AbsUserCache implements HttpT this((AAFCon)mustBeAAFCon,turnOnWarning); } + private void initMapBathConverter() { + String csvFile = access.getProperty(Config.CADI_BATH_CONVERT, null); + if(csvFile==null) { + mapIds=null; + } else { + try { + mapIds = new MapBathConverter(access, new CSV(access,csvFile)); + access.log(Level.INIT,"Basic Auth Conversion using",csvFile,"enabled" ); + } catch (IOException | CadiException e) { + access.log(e,"Bath Map Conversion is not initialized (non fatal)"); + } + } + + } public TafResp validate(final LifeForm reading, final HttpServletRequest req, final HttpServletResponse resp) { //TODO Do we allow just anybody to validate? // Note: Either Carbon or Silicon based LifeForms ok String authz = req.getHeader("Authorization"); - if(authz != null && authz.startsWith("Basic ")) { - if(warn&&!req.isSecure()) { + if (authz != null && authz.startsWith("Basic ")) { + if (warn&&!req.isSecure()) { aaf.access.log(Level.WARN,"WARNING! 
BasicAuth has been used over an insecure channel"); } + if(mapIds != null) { + authz = mapIds.convert(access, authz); + } + try { final CachedBasicPrincipal bp; - if(req.getUserPrincipal() instanceof CachedBasicPrincipal) { + if (req.getUserPrincipal() instanceof CachedBasicPrincipal) { bp = (CachedBasicPrincipal)req.getUserPrincipal(); } else { bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires); } // First try Cache final User usr = getUser(bp); - if(usr != null + if (usr != null && usr.principal instanceof GetCred && Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) { return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false); } Miss miss = missed(bp.getName(), bp.getCred()); - if(miss!=null && !miss.mayContinue()) { + if (miss!=null && !miss.mayContinue()) { return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, "User/Pass Retry limit exceeded"), RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true); @@ -120,8 +146,8 @@ public class AAFTaf extends AbsUserCache implements HttpT @Override public BasicHttpTafResp code(Rcli client) throws CadiException, APIException { Future fp = client.read("/authn/basicAuth", "text/plain"); - if(fp.get(aaf.timeout)) { - if(usr!=null) { + if (fp.get(aaf.timeout)) { + if (usr!=null) { usr.principal = bp; } else { addUser(new User(bp,aaf.userExpires)); @@ -130,7 +156,7 @@ public class AAFTaf extends AbsUserCache implements HttpT } else { // Note: AddMiss checks for miss==null, and is part of logic boolean rv= addMiss(bp.getName(),bp.getCred()); - if(rv) { + if (rv) { return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, "user/pass combo invalid via AAF from " + req.getRemoteAddr()), RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true); 
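Review bot: In `initMapBathConverter()` a CSV that fails to load is caught and only logged, so a service whose operator set `CADI_BATH_CONVERT` silently starts with `mapIds == null` and `validate` then hands every Basic credential to AAF unconverted; nothing in the hunk says whether running without the mapping is acceptable. Because the file rewrites `Authorization` values before authentication, it is security-sensitive — whoever can edit it chooses which identity a given credential authenticates as, and it presumably holds credential material itself (confirm against `MapBathConverter`). I would record both facts at the field or the initializer, e.g. `// CSV named by CADI_BATH_CONVERT rewrites incoming Basic credentials before AAF authn; protect it like a password file. Load failure is non-fatal and silently disables conversion.`, and consider making the failure fatal when the property was explicitly configured rather than leaving it to a log line. Minor: `if(mapIds != null)` in `validate` misses the `if (` spacing the rest of the hunk adopts. `validate` continues past the end of this hunk.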
@@ -163,10 +189,10 @@ public class AAFTaf extends AbsUserCache implements HttpT private String buildMsg(Principal pr, HttpServletRequest req, Object... msg) { StringBuilder sb = new StringBuilder(); - for(Object s : msg) { + for (Object s : msg) { sb.append(s.toString()); } - if(pr!=null) { + if (pr!=null) { sb.append(" for "); sb.append(pr.getName()); } @@ -181,10 +207,10 @@ public class AAFTaf extends AbsUserCache implements HttpT public Resp revalidate(CachedPrincipal prin, Object state) { // !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal - if(prin instanceof BasicPrincipal) { + if (prin instanceof BasicPrincipal) { Future fp; try { - Rcli userAAF = aaf.client(Config.AAF_DEFAULT_VERSION).forUser(aaf.transferSS((BasicPrincipal)prin)); + Rcli userAAF = aaf.client().forUser(aaf.transferSS((BasicPrincipal)prin)); fp = userAAF.read("/authn/basicAuth", "text/plain"); return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED; } catch (Exception e) {