2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.auth.oauth.service;
24 import java.io.IOException;
25 import java.security.GeneralSecurityException;
26 import java.util.Date;
27 import java.util.List;
29 import java.util.UUID;
31 import javax.servlet.http.HttpServletRequest;
33 import org.onap.aaf.auth.dao.DAO;
34 import org.onap.aaf.auth.dao.cass.OAuthTokenDAO;
35 import org.onap.aaf.auth.dao.cass.Status;
36 import org.onap.aaf.auth.dao.cass.OAuthTokenDAO.Data;
37 import org.onap.aaf.auth.dao.hl.Question;
38 import org.onap.aaf.auth.direct.DirectAAFUserPass;
39 import org.onap.aaf.auth.env.AuthzTrans;
40 import org.onap.aaf.auth.env.NullTrans;
41 import org.onap.aaf.auth.layer.Result;
42 import org.onap.aaf.cadi.Access;
43 import org.onap.aaf.cadi.CadiException;
44 import org.onap.aaf.cadi.LocatorException;
45 import org.onap.aaf.cadi.CredVal.Type;
46 import org.onap.aaf.cadi.client.Holder;
47 import org.onap.aaf.cadi.config.Config;
48 import org.onap.aaf.cadi.oauth.AAFToken;
49 import org.onap.aaf.cadi.oauth.TokenClient;
50 import org.onap.aaf.cadi.oauth.TokenClientFactory;
51 import org.onap.aaf.cadi.util.Split;
52 import org.onap.aaf.misc.env.APIException;
54 import aafoauth.v2_0.Introspect;
56 public class OAuthService {
58 private static final int TOK_EXP = 60*60*1000; // 1 hour, millis.
60 public enum TOKEN_TYPE {unknown,bearer,refresh}
61 public enum GRANT_TYPE {unknown,password,client_credentials,refresh_token};
62 public enum CLIENT_TYPE {unknown,confidential};
65 private final DAO<AuthzTrans, ?>[] daos;
66 public final OAuthTokenDAO tokenDAO;
67 private final DirectAAFUserPass directUserPass;
68 private final TokenClientFactory tcf;
69 private TokenClient altIntrospectClient;
70 private String altDomain;
71 private final JSONPermLoader permLoader;
74 // If we add more CAs, may want to parameterize
76 @SuppressWarnings("unchecked")
77 public OAuthService(final Access access, final AuthzTrans trans, final Question q) throws APIException, IOException {
78 permLoader = JSONPermLoaderFactory.direct(q);
79 tokenDAO = new OAuthTokenDAO(trans, q.historyDAO);
80 daos =(DAO<AuthzTrans, ?>[]) new DAO<?,?>[] {
84 String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null);
86 tcf = TokenClientFactory.instance(access);
87 String[] split = Split.split(',', alt_url);
88 int timeout = split.length>1?Integer.parseInt(split[1]):3000;
89 altIntrospectClient = tcf.newClient(split[0], timeout);
90 altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null),
91 access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null));
92 altDomain = '@'+access.getProperty(Config.AAF_ALT_OAUTH2_DOMAIN,null);
96 directUserPass = new DirectAAFUserPass(trans.env(), q);
97 } catch (GeneralSecurityException | CadiException | LocatorException e) {
98 throw new APIException("Could not construct TokenClientFactory",e);
103 public Result<Void> validate(AuthzTrans trans, OCreds creds) {
104 if(directUserPass.validate(creds.username, Type.PASSWORD, creds.password, trans)) {
107 return Result.err(Result.ERR_Security, "Invalid Credential for ",creds.username);
111 public Result<Data> createToken(AuthzTrans trans, HttpServletRequest req, OAuthTokenDAO.Data odd, Holder<GRANT_TYPE> hgt) {
113 case client_credentials:
115 return createBearerToken(trans, odd);
117 return refreshBearerToken(trans, odd);
119 return Result.err(Result.ERR_BadData, "Unknown Grant Type");
123 private Result<Data> createBearerToken(AuthzTrans trans, OAuthTokenDAO.Data odd) {
125 odd.user = trans.user();
127 odd.id = AAFToken.toToken(UUID.randomUUID());
128 odd.refresh = AAFToken.toToken(UUID.randomUUID());
131 odd.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP));
132 odd.exp_sec = exp/1000;
133 odd.req_ip = trans.ip();
136 Result<Data> rd = loadToken(trans, odd);
140 } catch (APIException | CadiException e) {
141 return Result.err(e);
143 return tokenDAO.create(trans, odd);
146 private Result<Data> loadToken(AuthzTrans trans, Data odd) throws APIException, CadiException {
147 Result<String> rs = permLoader.loadJSONPerms(trans,odd.user,odd.scopes(false));
149 odd.content = rs.value;
150 odd.type = TOKEN_TYPE.bearer.ordinal();
151 return Result.ok(odd);
152 } else if(rs.status == Result.ERR_NotFound || rs.status==Status.ERR_UserRoleNotFound) {
153 odd.type = TOKEN_TYPE.bearer.ordinal();
154 return Result.ok(odd);
156 return Result.err(Result.ERR_Backend,"Error accessing AAF Info: %s",rs.errorString());
162 private Result<Data> refreshBearerToken(AuthzTrans trans, Data odd) {
163 Result<List<Data>> rld = tokenDAO.readByUser(trans, trans.user());
165 return Result.err(rld);
168 return Result.err(Result.ERR_NotFound,"Data not Found for %1 %2",trans.user(),odd.refresh==null?"":odd.refresh.toString());
171 for(Data d : rld.value) {
172 if(d.refresh.equals(odd.refresh)) {
174 boolean scopesNE = false;
175 Set<String> scopes = odd.scopes(false);
176 if(scopes.size()>0) { // only check if Scopes listed, RFC 6749, Section 6
177 if(scopesNE=!(scopes.size() == d.scopes(false).size())) {
178 for(String s : odd.scopes(false)) {
179 if(!d.scopes(false).contains(s)) {
186 return Result.err(Result.ERR_BadData,"Requested Scopes do not match existing Token");
194 trans.audit().printf("Duplicate Refresh Token (%s) attempted for %s. Possible Replay Attack",odd.refresh.toString(),trans.user());
195 return Result.err(Result.ERR_Security,"Invalid Refresh Token");
198 Data deleteMe = new Data();
199 deleteMe.id = token.id;
200 token.id = AAFToken.toToken(UUID.randomUUID());
201 token.client_id = trans.user();
202 token.refresh = AAFToken.toToken(UUID.randomUUID());
204 token.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP));
205 token.exp_sec = exp/1000;
206 token.req_ip = trans.ip();
207 Result<Data> rd = tokenDAO.create(trans, token);
209 return Result.err(rd);
211 Result<Void> rv = tokenDAO.delete(trans, deleteMe,false);
213 trans.error().log("Unable to delete token", token);
216 return Result.ok(token);
219 public Result<OAuthTokenDAO.Data> introspect(AuthzTrans trans, String token) {
220 Result<List<Data>> rld;
222 UUID uuid = AAFToken.fromToken(token);
223 if(uuid==null) { // not an AAF Token
224 // Attempt to get Alternative Token
225 if(altIntrospectClient!=null) {
226 org.onap.aaf.cadi.client.Result<Introspect> rai = altIntrospectClient.introspect(token);
228 Introspect in = rai.value;
229 if(in.getExp()==null) {
230 trans.audit().printf("Alt OAuth sent back inactive, empty token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip());
232 long expires = in.getExp()*1000;
233 if(in.isActive() && expires>System.currentTimeMillis()) {
234 // We have a good Token, modify to be Fully Qualified
235 String fqid = in.getUsername()+altDomain;
237 rld = tokenDAO.read(trans, token);
238 if(rld.isOKhasData()) {
239 Data td = rld.value.get(0);
240 in.setContent(td.content);
242 Data td = new Data();
244 td.client_id = in.getClientId();
247 td.type = TOKEN_TYPE.bearer.ordinal();
248 td.expires = new Date(expires);
249 td.exp_sec = in.getExp();
250 Set<String> scopes = td.scopes(true);
251 if(in.getScope()!=null) {
252 for(String s : Split.split(' ', in.getScope())) {
256 // td.state = nothing to add at this point
257 td.req_ip = trans.ip();
258 trans.checkpoint(td.user + ':' + td.client_id + ", " + td.id);
259 return loadToken(trans, td);
262 // System.out.println(rai.value.getClientId());
264 trans.audit().printf("Alt OAuth rejects: requesting_id,%s,access_token=%s,ip=%s,code=%d,error=%s\n",trans.user(),token,trans.ip(),rai.code,rai.error);
267 trans.audit().printf("Bad Token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip());
269 return Result.err(Result.ERR_Denied,"Bad Token");
271 return dbIntrospect(trans,token);
273 } catch (CadiException | APIException | LocatorException e) {
274 return Result.err(e);
278 public Result<Data> dbIntrospect(final AuthzTrans trans, final String token) {
279 Result<List<Data>> rld = tokenDAO.read(trans, token);
280 if(rld.notOKorIsEmpty()) {
281 return Result.err(rld);
283 OAuthTokenDAO.Data odd = rld.value.get(0);
284 trans.checkpoint(odd.user + ':' + odd.client_id + ", " + odd.id);
286 if(odd.expires.before(trans.now())) {
287 return Result.err(Result.ERR_Policy,"Token %1 has expired",token);
289 return Result.ok(rld.value.get(0)); // ok keyed on id/token.
291 return Result.err(Result.ERR_Denied,"Token %1 is inactive",token);
295 public void close() {
296 for(DAO<AuthzTrans,?> dao : daos) {
297 dao.close(NullTrans.singleton());
Code Review / aaf / authz.git / blob