auth/auth-service/src/main/java/org/onap/aaf/auth/service/api/API_Creds.java

   1 /**
   2  * ============LICENSE_START====================================================
   3  * org.onap.aaf
   4  * ===========================================================================
   5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
   6  * ===========================================================================
   7  * Licensed under the Apache License, Version 2.0 (the "License");
   8  * you may not use this file except in compliance with the License.
   9  * You may obtain a copy of the License at
  10  *
  11  *      http://www.apache.org/licenses/LICENSE-2.0
  12  *
  13  * Unless required by applicable law or agreed to in writing, software
  14  * distributed under the License is distributed on an "AS IS" BASIS,
  15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16  * See the License for the specific language governing permissions and
  17  * limitations under the License.
  18  * ============LICENSE_END====================================================
  19  *
  20  */
  21
  22 package org.onap.aaf.auth.service.api;
  23
  24 import static org.onap.aaf.auth.rserv.HttpMethods.DELETE;
  25 import static org.onap.aaf.auth.rserv.HttpMethods.GET;
  26 import static org.onap.aaf.auth.rserv.HttpMethods.POST;
  27 import static org.onap.aaf.auth.rserv.HttpMethods.PUT;
  28
  29 import java.security.Principal;
  30 import java.util.Date;
  31
  32 import javax.servlet.http.HttpServletRequest;
  33 import javax.servlet.http.HttpServletResponse;
  34
  35 import org.eclipse.jetty.http.HttpStatus;
  36 import org.onap.aaf.auth.direct.DirectAAFUserPass;
  37 import org.onap.aaf.auth.env.AuthzTrans;
  38 import org.onap.aaf.auth.layer.Result;
  39 import org.onap.aaf.auth.rserv.HttpMethods;
  40 import org.onap.aaf.auth.service.AAF_Service;
  41 import org.onap.aaf.auth.service.Code;
  42 import org.onap.aaf.auth.service.facade.AuthzFacade;
  43 import org.onap.aaf.auth.service.mapper.Mapper.API;
  44 import org.onap.aaf.cadi.CredVal;
  45 import org.onap.aaf.cadi.CredVal.Type;
  46 import org.onap.aaf.cadi.Symm;
  47 import org.onap.aaf.cadi.principal.BasicPrincipal;
  48 import org.onap.aaf.cadi.principal.X509Principal;
  49 import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
  50 import org.onap.aaf.misc.env.Env;
  51 import org.onap.aaf.misc.env.TimeTaken;
  52
  53 /**
  54  * Initialize All Dispatches related to Credentials (AUTHN)
  55  * @author Jonathan
  56  *
  57  */
  58 public class API_Creds {
  59     // Hide Public Interface
  60     private API_Creds() {}
  61     // needed to validate Creds even when already Authenticated x509
  62     /**
  63      * TIME SENSITIVE APIs
  64      *
  65      * These will be first in the list
  66      *
  67      * @param env
  68      * @param authzAPI
  69      * @param facade
  70      * @param directAAFUserPass
  71      * @throws Exception
  72      */
  73     public static void timeSensitiveInit(Env env, AAF_Service authzAPI, AuthzFacade facade, final DirectAAFUserPass directAAFUserPass) throws Exception {
  74         /**
  75          * Basic Auth, quick Validation
  76          *
  77          * Responds OK or NotAuthorized
  78          */
  79         authzAPI.route(env, HttpMethods.GET, "/authn/basicAuth", new Code(facade,"Is given BasicAuth valid?",true) {
  80             @Override
  81             public void handle(
  82                     AuthzTrans trans,
  83                     HttpServletRequest req,
  84                     HttpServletResponse resp) throws Exception {
  85
  86                 Principal p = trans.getUserPrincipal();
  87                 if (p instanceof BasicPrincipal) {
  88                     // the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok
  89                     // otherwise, it wouldn't have gotten here.
  90                     resp.setStatus(HttpStatus.OK_200);
  91                 } else if (p instanceof X509Principal) {
  92                     // have to check Basic Auth here, because it might be CSP.
  93                     String authz = req.getHeader("Authorization");
  94                     if (authz.startsWith("Basic ")) {
  95                         BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf();
  96                         if (bht!=null) {
  97                             BasicPrincipal bp = new BasicPrincipal(authz,"");
  98                             CredVal cv = bht.getCredVal(bp.getDomain());
  99                             if (cv!=null) {
 100                                 if (cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) {
 101                                     resp.setStatus(HttpStatus.OK_200);
 102                                 } else {
 103                                     resp.setStatus(HttpStatus.FORBIDDEN_403);
 104                                 }
 105                             }
 106                         } else {
 107                             String decoded = Symm.base64noSplit.decode(authz.substring(6));
 108                             int colon = decoded.indexOf(':');
 109                             TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
 110                             try {
 111                                 if (directAAFUserPass.validate(
 112                                         decoded.substring(0,colon),
 113                                         CredVal.Type.PASSWORD ,
 114                                         decoded.substring(colon+1).getBytes(),trans)) {
 115
 116                                     resp.setStatus(HttpStatus.OK_200);
 117                                 } else {
 118                                     // DME2 at this version crashes without some sort of response
 119                                     resp.getOutputStream().print("");
 120                                     resp.setStatus(HttpStatus.FORBIDDEN_403);
 121                                 }
 122                             } finally {
 123                                 tt.done();
 124                             }
 125                         }
 126                     }
 127                 } else if (p == null) {
 128                     trans.error().log("Transaction not Authenticated... no Principal");
 129                     resp.setStatus(HttpStatus.FORBIDDEN_403);
 130                 } else {
 131                     trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");
 132                     // For Auth Security questions, we don't give any info to client on why failed
 133                     resp.setStatus(HttpStatus.FORBIDDEN_403);
 134                 }
 135             }
 136         },"text/plain","*/*","*");
 137
 138         /**
 139          *  returns whether a given Credential is valid
 140          */
 141         authzAPI.route(POST, "/authn/validate", API.CRED_REQ, new Code(facade,"Is given Credential valid?",true) {
 142             @Override
 143             public void handle(
 144                     AuthzTrans trans,
 145                     HttpServletRequest req,
 146                     HttpServletResponse resp) throws Exception {
 147
 148                 Result<Date> r = context.doesCredentialMatch(trans, req, resp);
 149                 if (r.isOK()) {
 150                     resp.setStatus(HttpStatus.OK_200);
 151                 } else {
 152                     // For Security, we don't give any info out on why failed, other than forbidden
 153                     // Can't do "401", because that is on the call itself
 154                     resp.setStatus(HttpStatus.FORBIDDEN_403);
 155                 }
 156             }
 157         });
 158
 159         /**
 160          *  returns whether a given Credential is valid
 161          */
 162         authzAPI.route(GET, "/authn/cert/id/:id", API.CERTS, new Code(facade,"Get Cert Info by ID",true) {
 163             @Override
 164             public void handle(
 165                     AuthzTrans trans,
 166                     HttpServletRequest req,
 167                     HttpServletResponse resp) throws Exception {
 168
 169                 Result<Void> r = context.getCertInfoByID(trans, req, resp, pathParam(req,":id") );
 170                 if (r.isOK()) {
 171                         resp.setStatus(HttpStatus.OK_200);
 172                 } else {
 173                         // For Security, we don't give any info out on why failed, other than forbidden
 174                         resp.setStatus(HttpStatus.FORBIDDEN_403);
 175                 }
 176             }
 177         });
 178
 179
 180
 181
 182     }
 183
 184     /**
 185      * Normal Init level APIs
 186      *
 187      * @param authzAPI
 188      * @param facade
 189      * @throws Exception
 190      */
 191     public static void init(AAF_Service authzAPI, AuthzFacade facade) throws Exception {
 192         /**
 193          * Create a new ID/Credential
 194          */
 195         authzAPI.route(POST,"/authn/cred",API.CRED_REQ,new Code(facade,"Add a New ID/Credential", true) {
 196             @Override
 197             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 198                 Result<Void> r = context.createUserCred(trans, req);
 199                 if (r.isOK()) {
 200                     resp.setStatus(HttpStatus.CREATED_201);
 201                 } else {
 202                     context.error(trans,resp,r);
 203                 }
 204             }
 205         });
 206
 207         /**
 208          *  gets all credentials by Namespace
 209          */
 210         authzAPI.route(GET, "/authn/creds/ns/:ns", API.USERS, new Code(facade,"Get Creds for a Namespace",true) {
 211             @Override
 212             public void handle(
 213                     AuthzTrans trans,
 214                     HttpServletRequest req,
 215                     HttpServletResponse resp) throws Exception {
 216
 217                 Result<Void> r = context.getCredsByNS(trans, resp, pathParam(req, "ns"));
 218                 if (r.isOK()) {
 219                     resp.setStatus(HttpStatus.OK_200);
 220                 } else {
 221                     context.error(trans,resp,r);
 222                 }
 223             }
 224
 225         });
 226
 227         /**
 228          *  gets all credentials by ID
 229          */
 230         authzAPI.route(GET, "/authn/creds/id/:id", API.USERS, new Code(facade,"Get Creds by ID",true) {
 231             @Override
 232             public void handle(
 233                     AuthzTrans trans,
 234                     HttpServletRequest req,
 235                     HttpServletResponse resp) throws Exception {
 236
 237                 Result<Void> r = context.getCredsByID(trans, resp, pathParam(req, "id"));
 238                 if (r.isOK()) {
 239                     resp.setStatus(HttpStatus.OK_200);
 240                 } else {
 241                     context.error(trans,resp,r);
 242                 }
 243             }
 244
 245         });
 246
 247
 248         /**
 249          * Update ID/Credential (aka reset)
 250          */
 251         authzAPI.route(PUT,"/authn/cred",API.CRED_REQ,new Code(facade,"Update an ID/Credential", true) {
 252             @Override
 253             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 254
 255                 Result<Void> r = context.changeUserCred(trans, req);
 256                 if (r.isOK()) {
 257                     resp.setStatus(HttpStatus.OK_200);
 258                 } else {
 259                     context.error(trans,resp,r);
 260                 }
 261             }
 262         });
 263
 264         /**
 265          * Extend ID/Credential
 266          * This behavior will accelerate getting out of P1 outages due to ignoring renewal requests, or
 267          * other expiration issues.
 268          *
 269          * Scenario is that people who are solving Password problems at night, are not necessarily those who
 270          * know what the passwords are supposed to be.  Also, changing Password, without changing Configurations
 271          * using that password only exacerbates the P1 Issue.
 272          */
 273         authzAPI.route(PUT,"/authn/cred/:days",API.CRED_REQ,new Code(facade,"Extend an ID/Credential", true) {
 274             @Override
 275             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 276                 Result<Void> r = context.extendUserCred(trans, req, pathParam(req, "days"));
 277                 if (r.isOK()) {
 278                     resp.setStatus(HttpStatus.OK_200);
 279                 } else {
 280                     context.error(trans,resp,r);
 281                 }
 282             }
 283         });
 284
 285         /**
 286          * Delete a ID/Credential by Object
 287          */
 288         authzAPI.route(DELETE,"/authn/cred",API.CRED_REQ,new Code(facade,"Delete a Credential", true) {
 289             @Override
 290             public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception {
 291                 Result<Void> r = context.deleteUserCred(trans, req);
 292                 if (r.isOK()) {
 293                     resp.setStatus(HttpStatus.OK_200);
 294                 } else {
 295                     context.error(trans,resp,r);
 296                 }
 297             }
 298         });
 299
 300     }
 301 }