X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Fcore%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2FCadiWrap.java;h=34d1162375d3fdb151b5175955703ea007669a7f;hb=7e966914050e66219689001ff4ab601a49eef0ac;hp=49572f4c21328e8245751ff86a34bde8ea1930f3;hpb=ceda6e8bc270202bcb24340b86617110289c902e;p=aaf%2Fauthz.git diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java index 49572f4c..34d11623 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java @@ -34,6 +34,7 @@ import org.onap.aaf.cadi.filter.PermConverter; import org.onap.aaf.cadi.lur.EpiLur; import org.onap.aaf.cadi.principal.TaggedPrincipal; import org.onap.aaf.cadi.taf.TafResp; +import org.onap.aaf.cadi.util.Timing; @@ -50,149 +51,150 @@ import org.onap.aaf.cadi.taf.TafResp; * */ public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred { - private TaggedPrincipal principal; - private Lur lur; - private String user; // used to set user/pass from brain-dead protocols like WSSE - private byte[] password; - private PermConverter pconv; - private Access access; - - /** - * Standard Wrapper constructor for Delegate pattern - * @param request - */ - public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) { - super(request); - principal = tafResp.getPrincipal(); - access = tafResp.getAccess(); - this.lur = lur; - pconv = NullPermConverter.singleton(); - } - - /** - * Standard Wrapper constructor for Delegate pattern, with PermConverter - * @param request - */ - public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) { - super(request); - principal = tafResp.getPrincipal(); - access = tafResp.getAccess(); - this.lur = lur; - pconv = pc; - } - - - /** - * Part of the HTTP Security API. Declare the User associated with this HTTP Transaction. - * CADI does this by reporting the name associated with the Principal obtained, if any. - */ - @Override - public String getRemoteUser() { - return principal==null?null:principal.getName(); - } - - /** - * Part of the HTTP Security API. Return the User Principal associated with this HTTP - * Transaction. - */ - @Override - public Principal getUserPrincipal() { - return principal; - } - - /** - * This is the key API call for AUTHZ in J2EE. Given a Role (String passed in), is the user - * associated with this HTTP Transaction allowed to function in this Role? - * - * For CADI, we pass the responsibility for determining this to the "LUR", which may be - * determined by the Enterprise. - * - * Note: Role check is also done in "CadiRealm" in certain cases... - * - * - */ - @Override - public boolean isUserInRole(String perm) { - return perm==null?false:checkPerm(access,"(HttpRequest)",principal,pconv,lur,perm); - } - - public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) { - if(principal== null) { - access.log(Level.AUDIT,caller, "No Principal in Transaction"); - return false; - } else { - perm = pconv.convert(perm); - if(lur.fish(principal,lur.createPerm(perm))) { - access.log(Level.DEBUG,caller, principal.getName(), "has", perm); - return true; - } else { - access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm); - return false; - } - } - - } - - /** - * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc - * as implemented with lur.fishAll - * - * To utilize, the Request must be a "CadiWrap" object, then call. - */ - public List getPermissions(Principal p) { - List perms = new ArrayList(); - lur.fishAll(p, perms); - return perms; - } - /** - * Allow setting of tafResp and lur after construction - * - * This can happen if the CadiWrap is constructed in a Valve other than CadiValve - */ - public void set(TafResp tafResp, Lur lur) { - principal = tafResp.getPrincipal(); - access = tafResp.getAccess(); - this.lur = lur; - } - - public String getUser() { - if(user==null && principal!=null) { - user = principal.getName(); - } - return user; - } - - public byte[] getCred() { - return password; - } - - public void setUser(String user) { - this.user = user; - } - - public void setCred(byte[] passwd) { - password = passwd; - } - - public CadiWrap setPermConverter(PermConverter pc) { - pconv = pc; - return this; - } - - // Add a feature - public void invalidate(String id) { - if(lur instanceof EpiLur) { - ((EpiLur)lur).remove(id); - } else if(lur instanceof CachingLur) { - ((CachingLur)lur).remove(id); - } - } - - public Lur getLur() { - return lur; - } - - public Access access() { - return access; - } + private TaggedPrincipal principal; + private Lur lur; + private String user; // used to set user/pass from brain-dead protocols like WSSE + private byte[] password; + private PermConverter pconv; + private Access access; + + /** + * Standard Wrapper constructor for Delegate pattern + * @param request + */ + public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) { + super(request); + principal = tafResp.getPrincipal(); + access = tafResp.getAccess(); + this.lur = lur; + pconv = NullPermConverter.singleton(); + } + + /** + * Standard Wrapper constructor for Delegate pattern, with PermConverter + * @param request + */ + public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) { + super(request); + principal = tafResp.getPrincipal(); + access = tafResp.getAccess(); + this.lur = lur; + pconv = pc; + } + + + /** + * Part of the HTTP Security API. Declare the User associated with this HTTP Transaction. + * CADI does this by reporting the name associated with the Principal obtained, if any. + */ + @Override + public String getRemoteUser() { + return principal==null?null:principal.getName(); + } + + /** + * Part of the HTTP Security API. Return the User Principal associated with this HTTP + * Transaction. + */ + @Override + public Principal getUserPrincipal() { + return principal; + } + + /** + * This is the key API call for AUTHZ in J2EE. Given a Role (String passed in), is the user + * associated with this HTTP Transaction allowed to function in this Role? + * + * For CADI, we pass the responsibility for determining this to the "LUR", which may be + * determined by the Enterprise. + * + * Note: Role check is also done in "CadiRealm" in certain cases... + * + * + */ + @Override + public boolean isUserInRole(String perm) { + return perm==null?false:checkPerm(access,"isUserInRole",principal,pconv,lur,perm); + } + + public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) { + if (principal== null) { + access.log(Level.AUDIT,caller, "No Principal in Transaction"); + return false; + } else { + final long start = System.nanoTime(); + perm = pconv.convert(perm); + if (lur.fish(principal,lur.createPerm(perm))) { + access.printf(Level.DEBUG,"%s: %s has %s, %f ms", caller, principal.getName(), perm, Timing.millis(start)); + return true; + } else { + access.printf(Level.DEBUG,"%s: %s does not have %s, %f ms", caller, principal.getName(), perm, Timing.millis(start)); + return false; + } + } + + } + + /** + * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc + * as implemented with lur.fishAll + * + * To utilize, the Request must be a "CadiWrap" object, then call. + */ + public List getPermissions(Principal p) { + List perms = new ArrayList<>(); + lur.fishAll(p, perms); + return perms; + } + /** + * Allow setting of tafResp and lur after construction + * + * This can happen if the CadiWrap is constructed in a Valve other than CadiValve + */ + public void set(TafResp tafResp, Lur lur) { + principal = tafResp.getPrincipal(); + access = tafResp.getAccess(); + this.lur = lur; + } + + public String getUser() { + if (user==null && principal!=null) { + user = principal.getName(); + } + return user; + } + + public byte[] getCred() { + return password; + } + + public void setUser(String user) { + this.user = user; + } + + public void setCred(byte[] passwd) { + password = passwd; + } + + public CadiWrap setPermConverter(PermConverter pc) { + pconv = pc; + return this; + } + + // Add a feature + public void invalidate(String id) { + if (lur instanceof EpiLur) { + ((EpiLur)lur).remove(id); + } else if (lur instanceof CachingLur) { + ((CachingLur)lur).remove(id); + } + } + + public Lur getLur() { + return lur; + } + + public Access access() { + return access; + } }