1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * ===========================================================================
\r
7 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
8 * * you may not use this file except in compliance with the License.
\r
9 * * You may obtain a copy of the License at
\r
11 * * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * * Unless required by applicable law or agreed to in writing, software
\r
14 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
15 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * * See the License for the specific language governing permissions and
\r
17 * * limitations under the License.
\r
18 * * ============LICENSE_END====================================================
\r
20 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
22 ******************************************************************************/
\r
23 package org.onap.aaf.authz.service.validation;
\r
25 import java.util.regex.Pattern;
\r
27 import org.onap.aaf.authz.cadi.DirectAAFLur.PermPermission;
\r
28 import org.onap.aaf.authz.env.AuthzTrans;
\r
29 import org.onap.aaf.authz.layer.Result;
\r
30 import org.onap.aaf.authz.org.Organization;
\r
31 import org.onap.aaf.dao.aaf.cass.CredDAO;
\r
32 import org.onap.aaf.dao.aaf.cass.DelegateDAO;
\r
33 import org.onap.aaf.dao.aaf.cass.Namespace;
\r
34 import org.onap.aaf.dao.aaf.cass.PermDAO;
\r
35 import org.onap.aaf.dao.aaf.cass.RoleDAO;
\r
36 import org.onap.aaf.dao.aaf.cass.UserRoleDAO;
\r
40 * Consistently apply content rules to incoming content
\r
42 * Note: we restrict content so that it is usable in URLs (this is a RESTful service), and to avoid
\r
43 * issues with regular expressions and other enabling technologies.
\r
46 public class Validator {
\r
47 // % () ,-. 0-9 = @A-Z _ a-z   (hex ranges: 25, 28-29, 2C-2E, 30-39, 3D, 40-5A, 5F, 61-7A)
\r
48 private static final String ESSENTIAL="\\x25\\x28\\x29\\x2C-\\x2E\\x30-\\x39\\x3D\\x40-\\x5A\\x5F\\x61-\\x7A";
\r
// One or more ESSENTIAL characters and nothing else; used by value() for NS property values.
49 private static final Pattern ESSENTIAL_CHARS=Pattern.compile("["+ESSENTIAL+"]+");
\r
51 // Must be 1 or more of Alphanumeric or the following :._-
\r
52 // '*' only allowed when it is the only character, or the only element in a key separator
\r
53 // :* :hello:* :hello:*:there etc
\r
54 public static final Pattern ACTION_CHARS=Pattern.compile(
\r
55 "["+ESSENTIAL+"]+" + // All AlphaNumeric+
\r
// NOTE(review): the remaining alternatives of ACTION_CHARS (original lines 56-58) are missing from this listing.
59 public static final Pattern INST_CHARS=Pattern.compile(
\r
60 "["+ESSENTIAL+"]+[\\*]*" + // All AlphaNumeric+ possibly ending with *
\r
61 "|\\*" + // Just Star
\r
62 "|(([:/]\\*)|([:/][!]{0,1}["+ESSENTIAL+"]+[\\*]*[:/]*))+" // Key :asdf:*:sdf*:sdk
\r
65 // Must be 1 or more of Alphanumeric or the following ._-, and be in the form id@domain
\r
// Java's \w is ASCII [A-Za-z0-9_] unless Pattern.UNICODE_CHARACTER_CLASS is used, so non-ASCII ids are rejected.
66 public static final Pattern ID_CHARS=Pattern.compile("[\\w.-]+@[\\w.-]+");
\r
67 // Must be 1 or more of Alphanumeric or the following ._-
\r
// No '@', ':' or '/' -- used for namespace, role, perm-type and NS property key names.
68 public static final Pattern NAME_CHARS=Pattern.compile("[\\w.-]+");
\r
// Per-instance copies of the action/instance patterns; both constructors shown assign the static defaults.
70 private final Pattern actionChars;
\r
71 private final Pattern instChars;
\r
// Accumulated error text. Declared without an initializer; msg() appears to create it lazily (line 349),
// so it stays null until the first message is recorded -- callers of errs()/notOK() should keep that in mind.
72 private StringBuilder msgs;
\r
75 * Default Validator does not check for non-standard Action/Inst chars
\r
 * (it assigns the standard ACTION_CHARS / INST_CHARS patterns).
78 * IMPORTANT: Use ONLY when the Validator is doing something simple, such as nullOrBlank checks.
\r
80 public Validator() {
\r
81 actionChars = ACTION_CHARS;
\r
82 instChars = INST_CHARS;
\r
86 * When Trans is passed in, check for non-standard Action/Inst chars
\r
88 * This is an opportunity to change characters, if required.
\r
90 * Use for any Object method passed (e.g. role(RoleDAO.Data d) ), to ensure fewer bugs.
\r
 * NOTE(review): in the lines shown (95-96) trans is not read and the same standard patterns are
 * assigned as in the default constructor; original lines 97-98 are not in this listing, so confirm
 * whether any per-transaction override of the patterns actually happens.
94 public Validator(AuthzTrans trans) {
\r
95 actionChars = ACTION_CHARS;
\r
96 instChars = INST_CHARS;
\r
/**
 * Validates the permission carried by a Result. The body (original lines 101-109) is not in this
 * listing; presumably it gates on notOK() and then delegates to perm(PermDAO.Data), as the
 * delegate()/cred() Result overloads do -- confirm.
 */
100 public Validator perm(Result<PermDAO.Data> rpd) {
\r
/**
 * Validates a permission record: type, instance, action and (presumably, line 120 not shown)
 * each role name, recording a message for every invalid part. The null guard around
 * "Perm Data is null." and the closing lines are not in this listing.
 */
110 public Validator perm(PermDAO.Data pd) {
\r
112 msg("Perm Data is null.");
\r
// pd.type is checked against NAME_CHARS; pd.ns is only used to prefix the error message (see permType).
115 permType(pd.type,pd.ns);
\r
116 permInstance(pd.instance);
\r
117 permAction(pd.action);
\r
// roles may legitimately be absent; only a non-null list is iterated.
118 if(pd.roles!=null) {
\r
119 for(String role : pd.roles) {
\r
/**
 * Validates the role carried by a Result. The body (original lines 128-135) is not in this
 * listing; presumably it gates on notOK() and delegates to role(RoleDAO.Data) -- confirm.
 */
127 public Validator role(Result<RoleDAO.Data> rrd) {
\r
/**
 * Validates a role record: null check, then each entry of pd.perms, which is expected in the
 * form "type|instance|action" and is split on '|' before its parts are validated.
 * NOTE(review): the length check that guards ps[0]/ps[1] (original line 145) is not in this
 * listing; without it a malformed entry throws ArrayIndexOutOfBoundsException instead of
 * recording a message. The null guard, the action part and the closing lines are also not shown.
 */
136 public Validator role(RoleDAO.Data pd) {
\r
138 msg("Role Data is null.");
\r
142 if(pd.perms!=null) {
\r
143 for(String perm : pd.perms) {
\r
// split on a literal '|' (regex-escaped).
144 String[] ps = perm.split("\\|");
\r
// The raw perm text is echoed into the error message; whatever logs or returns errs() should treat it as untrusted.
146 msg("Perm [" + perm + "] in Role [" + pd.fullName() + "] is not correctly separated with '|'");
\r
// ns is null here, so a failing type is reported without a namespace prefix.
148 permType(ps[0],null);
\r
149 permInstance(ps[1]);
\r
/**
 * Validates the delegate record carried by a Result. Original lines 159-161 are not in this
 * listing (presumably the notOK() gate); on success the unwrapped value goes to the Data overload.
 */
158 public Validator delegate(Organization org, Result<DelegateDAO.Data> rdd) {
\r
162 delegate(org, rdd.value);
\r
/**
 * Validates a delegate record: null check, then the delegate id via user(). Only dd.delegate is
 * validated in the lines shown; the null guard, branches and closing lines are not in this listing.
 */
167 public Validator delegate(Organization org, DelegateDAO.Data dd) {
\r
169 msg("Delegate Data is null.");
\r
172 user(org,dd.delegate);
\r
/**
 * Validates the credential record carried by a Result. Original lines 179-181 are not in this
 * listing (presumably the notOK() gate); on success the unwrapped value goes to the Data overload.
 */
178 public Validator cred(Organization org, Result<CredDAO.Data> rcd, boolean isNew) {
\r
182 cred(org,rcd.value,isNew);
\r
/**
 * Validates a credential record for an organisation: id shape (ID_CHARS), the org's own
 * acceptance of the id (isValidCred), the realm / isValidID check for new in-realm ids, and the
 * credential type. The null guard, branch bodies, remaining switch cases and closing lines are
 * not in this listing.
 */
187 public Validator cred(Organization org, CredDAO.Data cd, boolean isNew) {
\r
189 msg("Cred Data is null.");
\r
// ID_CHARS only fixes the id@domain shape; whether the id is acceptable is decided by the org below.
191 if(nob(cd.id,ID_CHARS)) {
\r
192 msg("ID [" + cd.id + "] is invalid");
\r
194 if(!org.isValidCred(cd.id)) {
\r
195 msg("ID [" + cd.id + "] is invalid for a cred");
\r
// str becomes the part before '@'; the guard on idx (original line 199) is not shown.
197 String str = cd.id;
\r
198 int idx = str.indexOf('@');
\r
200 str = str.substring(0,idx);
\r
// NOTE(review): endsWith(realm) is not anchored at the '@' boundary, so an id whose domain merely
// ends with the realm text also takes this branch; comparing the text after '@' with the realm
// exactly would be stricter. The branch body (original lines 205-208) is not shown.
203 if(cd.id.endsWith(org.getRealm())) {
\r
// isValidID appears to return an error description, empty meaning valid -- TODO confirm against Organization.
204 if(isNew && (str=org.isValidID(str)).length()>0) {
\r
209 if(cd.type==null) {
\r
210 msg("Credential Type must be set");
\r
// Only one accepted type label is visible; the switch header and other case labels are not in this listing.
213 case CredDAO.BASIC_AUTH_SHA256:
\r
217 msg("Credential Type [",Integer.toString(cd.type),"] is invalid");
\r
/**
 * Validates a user id against ID_CHARS (id@domain shape only). The org-membership check is
 * commented out below pending a multi-org solution, so in the lines shown the org argument is
 * not used. Closing lines (original 234-236) are not in this listing.
 */
225 public Validator user(Organization org, String user) {
\r
226 if(nob(user,ID_CHARS)) {
\r
227 msg("User [",user,"] is invalid.");
\r
229 //TODO Change when Multi-Org solution is created
\r
230 // if(org instanceof ATT) {
\r
231 // if(!user.endsWith("@csp.att.com") &&
\r
232 // !org.isValidCred(user))
\r
233 // msg("User [",user,"] is not valid ID for Credential in ",org.getRealm());
\r
/**
 * Validates a namespace carried by a Result: its name via ns(String), then every admin and owner id
 * against ID_CHARS. Original line 239 (presumably the notOK()/null gate before nsd.value is
 * dereferenced) and the closing lines are not in this listing -- confirm the gate exists, and that
 * admin/owner are never null here, since both lists are iterated without a visible null check.
 */
238 public Validator ns(Result<Namespace> nsd) {
\r
240 ns(nsd.value.name);
\r
241 for(String s : nsd.value.admin) {
\r
242 if(nob(s,ID_CHARS)) {
\r
243 msg("Admin [" + s + "] is invalid.");
\r
247 for(String s : nsd.value.owner) {
\r
248 if(nob(s,ID_CHARS)) {
\r
// "Responsible" is the wording used for owners in the error text.
249 msg("Responsible [" + s + "] is invalid.");
\r
/** Validates a namespace name against NAME_CHARS ([\w.-]+). Closing lines are not in this listing. */
257 public Validator ns(String ns) {
\r
258 if(nob(ns,NAME_CHARS)){
\r
259 msg("NS [" + ns + "] is invalid.");
\r
/**
 * Returns the accumulated error text.
 * NOTE(review): msgs is declared without an initializer and (from msg(), line 349) seems to be
 * created lazily, so calling errs() before any message was recorded would throw
 * NullPointerException unless msgs is set somewhere not shown; check err() first, or return "" when null.
 */
264 public String errs() {
\r
265 return msgs.toString();
\r
/**
 * Validates a permission type against NAME_CHARS; ns is used only to prefix the error message.
 * NOTE(review): nob() returns true for a null type, and the message then evaluates
 * type.length() whenever ns is non-null, so a null type with a non-null ns throws
 * NullPointerException instead of recording "is invalid" -- guard type==null before building the message.
 * Closing lines (original 273-275) are not in this listing.
 */
269 public Validator permType(String type, String ns) {
\r
270 // TODO check for correct Splits? Type|Instance|Action ?
\r
271 if(nob(type,NAME_CHARS)) {
\r
272 msg("Perm Type [" + (ns==null?"":ns+(type.length()==0?"":'.'))+type + "] is invalid.");
\r
/**
 * Validates a permission instance against this validator's instChars pattern (INST_CHARS in both
 * constructors shown). Closing lines are not in this listing.
 */
277 public Validator permInstance(String instance) {
\r
278 // TODO check for correct Splits? Type|Instance|Action ?
\r
279 if(nob(instance,instChars)) {
\r
280 msg("Perm Instance [" + instance + "] is invalid.");
\r
/**
 * Validates a permission action against this validator's actionChars pattern (ACTION_CHARS in both
 * constructors shown). Closing lines are not in this listing.
 */
285 public Validator permAction(String action) {
\r
286 // TODO check for correct Splits? Type|Instance|Action ?
\r
287 if(nob(action, actionChars)) {
\r
288 msg("Perm Action [" + action + "] is invalid.");
\r
/** Validates a role name against NAME_CHARS ([\w.-]+). Closing lines are not in this listing. */
293 public Validator role(String role) {
\r
294 if(nob(role, NAME_CHARS)) {
\r
295 msg("Role [" + role + "] is invalid.");
\r
/**
 * Validates a user-role record: null check, then ns and rname must be present and non-empty.
 * Only those two fields are checked in the lines shown; the null guard, original lines 303-304
 * and the closing lines are not in this listing.
 */
300 public Validator user_role(UserRoleDAO.Data urdd) {
\r
302 msg("UserRole is null");
\r
305 nullOrBlank("UserRole.ns",urdd.ns);
\r
306 nullOrBlank("UserRole.rname",urdd.rname);
\r
/**
 * Records "<name> is null." or "<name> is blank." for a missing value. "Blank" here means
 * length 0 only -- a whitespace-only string passes. The null branch header (original line 312)
 * and the closing lines are not in this listing.
 */
311 public Validator nullOrBlank(String name, String str) {
\r
313 msg(name + " is null.");
\r
314 } else if(str.length()==0) {
\r
315 msg(name + " is blank.");
\r
/**
 * Presence check for a permission record: null guard, then NS, Type, Instance and Action must be
 * non-null and non-empty (chained nullOrBlank calls). No pattern matching is done here.
 * The null guard and closing lines are not in this listing.
 */
320 public Validator nullOrBlank(PermDAO.Data pd) {
\r
322 msg("Permission is null");
\r
324 nullOrBlank("NS",pd.ns).
\r
325 nullOrBlank("Type",pd.type).
\r
326 nullOrBlank("Instance",pd.instance).
\r
327 nullOrBlank("Action",pd.action);
\r
/**
 * Presence check for a role record: null guard, then NS and Name must be non-null and non-empty.
 * No pattern matching is done here. The null guard and closing lines are not in this listing.
 */
332 public Validator nullOrBlank(RoleDAO.Data rd) {
\r
334 msg("Role is null");
\r
336 nullOrBlank("NS",rd.ns).
\r
337 nullOrBlank("Name",rd.name);
\r
342 // nob = Null Or does not match the Pattern. matches() anchors at both ends, so the whole
// string must consist of allowed characters; a partial match is rejected.
\r
343 private boolean nob(String str, Pattern p) {
\r
344 return str==null || !p.matcher(str).matches();
\r
/**
 * Appends the given fragments to the error buffer, creating it on first use. Original line 348
 * (presumably the msgs==null guard) and lines 350, 352-355 are not in this listing, so whether a
 * separator is written between successive messages cannot be confirmed here.
 */
347 private void msg(String ... strs) {
\r
349 msgs=new StringBuilder();
\r
351 for(String str : strs) {
\r
/** Reports whether any error has been recorded; the body (original lines 358-360) is not in this listing. */
357 public boolean err() {
\r
/**
 * Records an error when the Result is missing or not OK.
 * NOTE(review): this method appends to msgs directly instead of going through msg(); if msgs is
 * still null (no earlier message, see msg() line 349) this throws NullPointerException unless
 * original line 363 initialises it -- routing through msg() would be safer. Closing lines not shown.
 */
362 public Validator notOK(Result<?> res) {
\r
364 msgs.append("Result object is blank");
\r
365 } else if(res.notOK()) {
\r
366 msgs.append(res.getClass().getSimpleName() + " is not OK");
\r
/** Validates an NS property key against NAME_CHARS ([\w.-]+). Closing lines are not in this listing. */
371 public Validator key(String key) {
\r
372 if(nob(key,NAME_CHARS)) {
\r
373 msg("NS Prop Key [" + key + "] is invalid");
\r
378 public Validator value(String value) {
\r
379 if(nob(value,ESSENTIAL_CHARS)) {
\r
380 msg("NS Prop value [" + value + "] is invalid");
\r