AT&T 2.0.19 Code drop, stage 3

[aaf/authz.git] / auth / auth-locate / src / main / java / org / onap / aaf / auth / locate / BasicAuthCode.java

/**
 * ============LICENSE_START====================================================
 * org.onap.aaf
 * ===========================================================================
 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 * ===========================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * ============LICENSE_END====================================================
 *
 */

package org.onap.aaf.auth.locate;

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.http.HttpStatus;
import org.onap.aaf.auth.env.AuthzTrans;
import org.onap.aaf.auth.locate.facade.LocateFacade;
import org.onap.aaf.cadi.Symm;
import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
import org.onap.aaf.cadi.principal.BasicPrincipal;
import org.onap.aaf.cadi.principal.X509Principal;

public class BasicAuthCode extends LocateCode {
        private AAFAuthn<?> authn;

        public BasicAuthCode(AAFAuthn<?> authn, LocateFacade facade) {
                super(facade, "AAF Basic Auth",true);
                this.authn = authn;
        }

        @Override
        public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
                Principal p = trans.getUserPrincipal();
                if(p == null) {
                        trans.error().log("Transaction not Authenticated... no Principal");
                } else if (p instanceof BasicPrincipal) {
                        // the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok
                        // otherwise, it wouldn't have gotten here.
                        resp.setStatus(HttpStatus.OK_200);
                        return;
                } else if (p instanceof X509Principal) {
                        // Since X509Principal has priority, BasicAuth Info might be there, but not validated.
                        String ba;
                        if((ba=req.getHeader("Authorization"))!=null && ba.startsWith("Basic ")) {
                                ba = Symm.base64noSplit.decode(ba.substring(6));
                                int colon = ba.indexOf(':');
                                if(colon>=0) {
                                        String err;
                                        if((err=authn.validate(ba.substring(0, colon), ba.substring(colon+1),trans))==null) {
                                                resp.setStatus(HttpStatus.OK_200);
                                        } else {
                                                trans.audit().log(ba.substring(0,colon),": ",err);
                                                resp.setStatus(HttpStatus.UNAUTHORIZED_401);
                                        }
                                        return;
                                }
                        }
                }
                trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");
                // For Auth Security questions, we don't give any info to client on why failed
                resp.setStatus(HttpStatus.FORBIDDEN_403);
        }
}