X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Fcore%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2Ftaf%2FHttpEpiTaf.java;h=5cd6323dec9e7829962de1f5e5c6f49c011afdbd;hb=799f1236dceea6234561f39f73a317f8d93d71e6;hp=cc283973b8ad064014cf409b1cbf7a883ac433d6;hpb=40a9c869994113c1d0701d205829c60837fe3e8b;p=aaf%2Fauthz.git diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java index cc283973..5cd6323d 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -40,9 +40,9 @@ import org.onap.aaf.cadi.TrustChecker; /** * HttpEpiTaf - * + * * An extension of the basic "EpiTAF" concept, check known HTTP Related TAFs for valid credentials - * + * * @author Jonathan * */ @@ -51,10 +51,10 @@ public class HttpEpiTaf implements HttpTaf { private Access access; private Locator locator; private TrustChecker trustChecker; - + /** * HttpEpiTaf constructor - * + * * Construct the HttpEpiTaf from variable Http specific TAF parameters * @param tafs @@ -65,52 +65,52 @@ public class HttpEpiTaf implements HttpTaf { this.access = access; this.locator = locator; this.trustChecker = tc; - // Establish what Header Property to look for UserChain/Trust Props -// trustChainProp = access.getProperty(Config.CADI_TRUST_PROP, Config.CADI_TRUST_PROP_DEFAULT); + // Establish what Header Property to look for UserChain/Trust Props - if(tafs.length==0) throw new CadiException("Need at least one HttpTaf implementation in constructor"); + if (tafs.length == 0) { + throw new CadiException("Need at least one HttpTaf implementation in constructor"); + } } /** * validate - * - * Respond with the first Http specific TAF to authenticate user based on variable info + * + * Respond with the first Http specific TAF to authenticate user based on variable info * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol). - * + * * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP - * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm + * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm * submission - * + * * If no TAF declares either, respond with NullTafResp (which denies all questions) */ public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { // Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings - if(reading==LifeForm.LFN) { + if (reading == LifeForm.LFN) { reading = tricorderScan(req); } - TafResp tresp=null, firstTry = null; + TafResp tresp = null; + TafResp firstTry = null; List redirectables = null; - List trlog = access.willLog(Level.DEBUG)?new ArrayList():null; + List log = (access.willLog(Level.DEBUG)) ? new ArrayList() : null; try { - for(HttpTaf taf : tafs) { + for (HttpTaf taf : tafs) { tresp = taf.validate(reading, req, resp); - if(trlog!=null) { - trlog.add(tresp); - } + addToLog(log, tresp); switch(tresp.isAuthenticated()) { case TRY_ANOTHER_TAF: break; // and loop case TRY_AUTHENTICATING: - if(tresp instanceof Redirectable) { - if(redirectables==null) { - redirectables = new ArrayList(); + if (tresp instanceof Redirectable) { + if (redirectables == null) { + redirectables = new ArrayList<>(); } redirectables.add((Redirectable)tresp); - } else if(firstTry==null) { + } else if (firstTry == null) { firstTry = tresp; } - break; + break; case IS_AUTHENTICATED: tresp = trustChecker.mayTrust(tresp, req); return tresp; @@ -118,46 +118,42 @@ public class HttpEpiTaf implements HttpTaf { return tresp; } } - } finally { - if(trlog!=null) { - for( TafResp tr : trlog) { - access.log(Level.DEBUG, tr.desc()); - } - } + } finally { + printLog(log); } - - // If No TAFs configured, at this point. It is safer at this point to be "not validated", + + // If No TAFs configured, at this point. It is safer at this point to be "not validated", // rather than "let it go" // Note: if exists, there will always be more than 0 entries, according to above code - if(redirectables==null) { - return firstTry!=null?firstTry:NullTafResp.singleton(); + if (redirectables == null) { + return (firstTry != null) ? firstTry : NullTafResp.singleton(); } - + // If there is one Tryable entry then return it - if(redirectables.size()>1) { - return LoginPageTafResp.create(access,locator,resp,redirectables); + if (redirectables.size() > 1) { + return LoginPageTafResp.create(access, locator, resp, redirectables); } else { return redirectables.get(0); } } - + public boolean revalidate(Principal prin) throws Exception { return false; } /* * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind - * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical + * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical * id (SiliconBasedLifeForm)? This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs */ private LifeForm tricorderScan(HttpServletRequest req) { // For simplicity's sake, we'll say Humans use FQDNs, not IPs. - + // Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are. // If mechanical frameworks are found that populate this, then more advanced analysis may be required // Jonathan 1/22/2013 String agent = req.getHeader("User-Agent"); - if(agent!=null && agent.startsWith("Mozilla")) { // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent + if (agent != null && agent.startsWith("Mozilla")) { // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent return LifeForm.CBLF; } return LifeForm.SBLF; // notably skips "curl","wget", (which is desired behavior. We don't want to try CSP, etc on these) @@ -165,17 +161,36 @@ public class HttpEpiTaf implements HttpTaf { public Resp revalidate(CachedPrincipal prin, Object state) { Resp resp; - for(HttpTaf taf : tafs) { - resp = taf.revalidate(prin,state); - switch(resp) { - case NOT_MINE: - break; - default: - return resp; + for (HttpTaf taf : tafs) { + resp = taf.revalidate(prin, state); + if (resp != Resp.NOT_MINE) { + return resp; } +// switch(resp) { +// case NOT_MINE: +// break; +// default: +// return resp; +// } } return Resp.NOT_MINE; } + + private void addToLog(List log, TafResp tresp) { + if (log == null) { + return; + } + log.add(tresp); + } + + private void printLog(List log) { + if (log == null) { + return; + } + for (TafResp tresp : log) { + access.log(Level.DEBUG, tresp.desc()); + } + } /** * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE @@ -183,7 +198,7 @@ public class HttpEpiTaf implements HttpTaf { */ public String toString() { StringBuilder sb = new StringBuilder(); - for(HttpTaf ht : tafs) { + for (HttpTaf ht : tafs) { sb.append(ht.toString()); sb.append(". "); }