cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java

   1 /**
   2  * ============LICENSE_START====================================================
   3  * org.onap.aaf
   4  * ===========================================================================
   5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
   6  * ===========================================================================
   7  * Licensed under the Apache License, Version 2.0 (the "License");
   8  * you may not use this file except in compliance with the License.
   9  * You may obtain a copy of the License at
  10  *
  11  *      http://www.apache.org/licenses/LICENSE-2.0
  12  *
  13  * Unless required by applicable law or agreed to in writing, software
  14  * distributed under the License is distributed on an "AS IS" BASIS,
  15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16  * See the License for the specific language governing permissions and
  17  * limitations under the License.
  18  * ============LICENSE_END====================================================
  19  *
  20  */
  21
  22 package org.onap.aaf.cadi.aaf.cert;
  23
  24
  25 import java.security.cert.CertificateException;
  26 import java.security.cert.X509Certificate;
  27 import java.util.HashSet;
  28 import java.util.List;
  29 import java.util.Map;
  30 import java.util.Set;
  31 import java.util.Timer;
  32 import java.util.TimerTask;
  33 import java.util.TreeMap;
  34
  35 import javax.servlet.http.HttpServletRequest;
  36 import javax.xml.datatype.XMLGregorianCalendar;
  37
  38 import org.onap.aaf.cadi.Access;
  39 import org.onap.aaf.cadi.Hash;
  40 import org.onap.aaf.cadi.Access.Level;
  41 import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
  42 import org.onap.aaf.cadi.client.Future;
  43 import org.onap.aaf.cadi.config.Config;
  44 import org.onap.aaf.cadi.principal.TaggedPrincipal;
  45 import org.onap.aaf.cadi.principal.X509Principal;
  46 import org.onap.aaf.cadi.taf.cert.CertIdentity;
  47 import org.onap.aaf.cadi.taf.cert.X509Taf;
  48 import org.onap.aaf.misc.env.APIException;
  49 import org.onap.aaf.misc.env.util.Chrono;
  50 import org.onap.aaf.misc.env.util.Split;
  51
  52 import aaf.v2_0.Certs;
  53 import aaf.v2_0.Certs.Cert;
  54 import aaf.v2_0.Users;
  55 import aaf.v2_0.Users.User;
  56
  57 public class AAFListedCertIdentity implements CertIdentity {
  58         //TODO should 8 hours be configurable?
  59         private static final long EIGHT_HOURS = 1000*60*60*8L;
  60
  61         private static Map<ByteArrayHolder,String> certs = null;
  62
  63         // Did this to add other Trust Mechanisms
  64         // Trust mechanism set by Property:
  65         private static final String[] authMechanisms = new String[] {"tguard","basicAuth","csp"};
  66         private static String[] certIDs;
  67
  68         private static Map<String,Set<String>> trusted =null;
  69
  70         public AAFListedCertIdentity(Access access, AAFCon<?> aafcon) throws APIException {
  71                 synchronized(AAFListedCertIdentity.class) {
  72                         if(certIDs==null) {
  73                                 String cip = access.getProperty(Config.AAF_CERT_IDS, null);
  74                                 if(cip!=null) {
  75                                         certIDs = Split.split(',',cip);
  76                                 }
  77                         }
  78                         if(certIDs!=null && certs==null) {
  79                                 TimerTask cu = new CertUpdate(aafcon);
  80                                 cu.run(); // want this to run in this thread first...
  81                                 new Timer("AAF Identity Refresh Timer",true).scheduleAtFixedRate(cu, EIGHT_HOURS,EIGHT_HOURS);
  82                         }
  83                 }
  84         }
  85
  86         public static Set<String> trusted(String authMech) {
  87                 return trusted.get(authMech);
  88         }
  89
  90         public TaggedPrincipal identity(HttpServletRequest req, X509Certificate cert,   byte[] certBytes) throws CertificateException {
  91                 if(cert==null && certBytes==null)return null;
  92                 if(certBytes==null)certBytes = cert.getEncoded();
  93                 byte[] fingerprint = X509Taf.getFingerPrint(certBytes);
  94                 String id = certs.get(new ByteArrayHolder(fingerprint));
  95                 if(id!=null) { // Caller is Validated
  96                         return new X509Principal(id,cert,certBytes,null);
  97                 }
  98                 return null;
  99         }
 100
 101         private static class ByteArrayHolder implements Comparable<ByteArrayHolder> {
 102                 private byte[] ba;
 103                 public ByteArrayHolder(byte[] ba) {
 104                         this.ba = ba;
 105                 }
 106                 public int compareTo(ByteArrayHolder b) {
 107                         return Hash.compareTo(ba, b.ba);
 108                 }
 109         }
 110
 111         private class CertUpdate extends TimerTask {
 112
 113                 private AAFCon<?> aafcon;
 114                 public CertUpdate(AAFCon<?> con) {
 115                         aafcon = con;
 116                 }
 117
 118                 @Override
 119                 public void run() {
 120                         try {
 121                                 TreeMap<ByteArrayHolder, String> newCertsMap = new TreeMap<>();
 122                                 Map<String,Set<String>> newTrustMap = new TreeMap<>();
 123                                 Set<String> userLookup = new HashSet<>();
 124                                 for(String s : certIDs) {
 125                                         userLookup.add(s);
 126                                 }
 127                                 for(String authMech : authMechanisms) {
 128                                         Future<Users> fusr = aafcon.client(Config.AAF_DEFAULT_VERSION).read("/authz/users/perm/com.att.aaf.trust/"+authMech+"/authenticate", Users.class, aafcon.usersDF);
 129                                         if(fusr.get(5000)) {
 130                                                 List<User> users = fusr.value.getUser();
 131                                                 if(users.isEmpty()) {
 132                                                         aafcon.access.log(Level.WARN, "AAF Lookup-No IDs in Role com.att.aaf.trustForID <> "+authMech);
 133                                                 } else {
 134                                                         aafcon.access.log(Level.INFO,"Loading Trust Authentication Info for",authMech);
 135                                                         Set<String> hsUser = new HashSet<>();
 136                                                         for(User u : users) {
 137                                                                 userLookup.add(u.getId());
 138                                                                 hsUser.add(u.getId());
 139                                                         }
 140                                                         newTrustMap.put(authMech,hsUser);
 141                                                 }
 142                                         } else {
 143                                                 aafcon.access.log(Level.WARN, "Could not get Users in Perm com.att.trust|tguard|authenticate",fusr.code(),fusr.body());
 144                                         }
 145
 146                                 }
 147
 148                                 for(String u : userLookup) {
 149                                         Future<Certs> fc = aafcon.client(Config.AAF_DEFAULT_VERSION).read("/authn/cert/id/"+u, Certs.class, aafcon.certsDF);
 150                                         XMLGregorianCalendar now = Chrono.timeStamp();
 151                                         if(fc.get(5000)) {
 152                                                 List<Cert> certs = fc.value.getCert();
 153                                                 if(certs.isEmpty()) {
 154                                                         aafcon.access.log(Level.WARN, "No Cert Associations for",u);
 155                                                 } else {
 156                                                         for(Cert c : fc.value.getCert()) {
 157                                                                 XMLGregorianCalendar then =c.getExpires();
 158                                                                 if(then !=null && then.compare(now)>0) {
 159                                                                         newCertsMap.put(new ByteArrayHolder(c.getFingerprint()), c.getId());
 160                                                                         aafcon.access.log(Level.INIT,"Associating "+ c.getId() + " expiring " + Chrono.dateOnlyStamp(c.getExpires()) + " with " + c.getX500());
 161                                                                 }
 162                                                         }
 163                                                 }
 164                                         } else {
 165                                                 aafcon.access.log(Level.WARN, "Could not get Certificates for",u);
 166                                         }
 167                                 }
 168
 169                                 certs = newCertsMap;
 170                                 trusted = newTrustMap;
 171                         } catch(Exception e) {
 172                                 aafcon.access.log(e, "Failure to update Certificate Identities from AAF");
 173                         }
 174                 }
 175         }
 176 }