cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java

   1 /**
   2  * ============LICENSE_START====================================================
   3  * org.onap.aaf
   4  * ===========================================================================
   5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
   6  * ===========================================================================
   7  * Licensed under the Apache License, Version 2.0 (the "License");
   8  * you may not use this file except in compliance with the License.
   9  * You may obtain a copy of the License at
  10  *
  11  *      http://www.apache.org/licenses/LICENSE-2.0
  12  *
  13  * Unless required by applicable law or agreed to in writing, software
  14  * distributed under the License is distributed on an "AS IS" BASIS,
  15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16  * See the License for the specific language governing permissions and
  17  * limitations under the License.
  18  * ============LICENSE_END====================================================
  19  *
  20  */
  21
  22 package org.onap.aaf.cadi.aaf.v2_0;
  23
  24 import java.io.IOException;
  25 import java.security.Principal;
  26 import javax.servlet.http.HttpServletRequest;
  27 import javax.servlet.http.HttpServletResponse;
  28 import org.onap.aaf.cadi.AbsUserCache;
  29 import org.onap.aaf.cadi.Access.Level;
  30 import org.onap.aaf.cadi.CachedPrincipal;
  31 import org.onap.aaf.cadi.CachedPrincipal.Resp;
  32 import org.onap.aaf.cadi.CadiException;
  33 import org.onap.aaf.cadi.Connector;
  34 import org.onap.aaf.cadi.GetCred;
  35 import org.onap.aaf.cadi.Hash;
  36 import org.onap.aaf.cadi.SecuritySetter;
  37 import org.onap.aaf.cadi.Taf.LifeForm;
  38 import org.onap.aaf.cadi.User;
  39 import org.onap.aaf.cadi.aaf.AAFPermission;
  40 import org.onap.aaf.cadi.aaf.v2_0.AAFCon.GetSetter;
  41 import org.onap.aaf.cadi.client.Future;
  42 import org.onap.aaf.cadi.client.Rcli;
  43 import org.onap.aaf.cadi.client.Retryable;
  44 import org.onap.aaf.cadi.config.Config;
  45 import org.onap.aaf.cadi.principal.BasicPrincipal;
  46 import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
  47 import org.onap.aaf.cadi.taf.HttpTaf;
  48 import org.onap.aaf.cadi.taf.TafResp;
  49 import org.onap.aaf.cadi.taf.TafResp.RESP;
  50 import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp;
  51 import org.onap.aaf.misc.env.APIException;
  52
  53 public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpTaf {
  54         private AAFCon<CLIENT> aaf;
  55         private boolean warn;
  56
  57         public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning) {
  58                 super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount);
  59                 aaf = con;
  60                 warn = turnOnWarning;
  61         }
  62
  63         public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {
  64                 super(other);
  65                 aaf = con;
  66                 warn = turnOnWarning;
  67         }
  68
  69         // Note: Needed for Creation of this Object with Generics
  70         @SuppressWarnings("unchecked")
  71         public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {
  72                 this((AAFCon<CLIENT>)mustBeAAFCon,turnOnWarning,other);
  73         }
  74
  75         // Note: Needed for Creation of this Object with Generics
  76         @SuppressWarnings("unchecked")
  77         public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning) {
  78                 this((AAFCon<CLIENT>)mustBeAAFCon,turnOnWarning);
  79         }
  80
  81
  82         public TafResp validate(final LifeForm reading, final HttpServletRequest req, final HttpServletResponse resp) {
  83                 //TODO Do we allow just anybody to validate?
  84
  85                 // Note: Either Carbon or Silicon based LifeForms ok
  86                 String authz = req.getHeader("Authorization");
  87                 if(authz != null && authz.startsWith("Basic ")) {
  88                         if(warn&&!req.isSecure()) {
  89                                 aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
  90                         }
  91                         try {
  92                                 final CachedBasicPrincipal bp;
  93                                 if(req.getUserPrincipal() instanceof CachedBasicPrincipal) {
  94                                         bp = (CachedBasicPrincipal)req.getUserPrincipal();
  95                                 } else {
  96                                         bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires);
  97                                 }
  98                                 // First try Cache
  99                                 final User<AAFPermission> usr = getUser(bp);
 100                                 if(usr != null
 101                                         && usr.principal instanceof GetCred
 102                                         && Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) {
 103                                         return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
 104                                 }
 105
 106                                 Miss miss = missed(bp.getName(), bp.getCred());
 107                                 if(miss!=null && !miss.mayContinue()) {
 108                                         return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
 109                                                         "User/Pass Retry limit exceeded"),
 110                                                         RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);
 111                                 }
 112
 113                                 return aaf.bestForUser(
 114                                         new GetSetter() {
 115                                                 @Override
 116                                                 public <CL> SecuritySetter<CL> get(AAFCon<CL> con) throws CadiException {
 117                                                         return con.basicAuthSS(bp);
 118                                                 }
 119                                         },new Retryable<BasicHttpTafResp>() {
 120                                                 @Override
 121                                                 public BasicHttpTafResp code(Rcli<?> client) throws CadiException, APIException {
 122                                                         Future<String> fp = client.read("/authn/basicAuth", "text/plain");
 123                                                         if(fp.get(aaf.timeout)) {
 124                                                                 if(usr!=null) {
 125                                                                         usr.principal = bp;
 126                                                                 } else {
 127                                                                         addUser(new User<AAFPermission>(bp,aaf.userExpires));
 128                                                                 }
 129                                                                 return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
 130                                                         } else {
 131                                                                 // Note: AddMiss checks for miss==null, and is part of logic
 132                                                                 boolean rv= addMiss(bp.getName(),bp.getCred());
 133                                                                 if(rv) {
 134                                                                         return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
 135                                                                                         "user/pass combo invalid via AAF from " + req.getRemoteAddr()),
 136                                                                                         RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);
 137                                                                 } else {
 138                                                                         return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
 139                                                                                         "user/pass combo invalid via AAF from " + req.getRemoteAddr() + " - Retry limit exceeded"),
 140                                                                                         RESP.FAIL,resp,aaf.getRealm(),true);
 141                                                                 }
 142                                                         }
 143                                                 }
 144                                         }
 145                                 );
 146                         } catch (IOException e) {
 147                                 String msg = buildMsg(null,req,"Invalid Auth Token");
 148                                 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
 149                                 return new BasicHttpTafResp(aaf.access,null,msg, RESP.TRY_AUTHENTICATING, resp, aaf.getRealm(),true);
 150                         } catch (Exception e) {
 151                                 String msg = buildMsg(null,req,"Authenticating Service unavailable");
 152                                 try {
 153                                         aaf.invalidate();
 154                                 } catch (CadiException e1) {
 155                                         aaf.access.log(e1, "Error Invalidating Client");
 156                                 }
 157                                 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
 158                                 return new BasicHttpTafResp(aaf.access,null,msg, RESP.FAIL, resp, aaf.getRealm(),false);
 159                         }
 160                 }
 161                 return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false);
 162         }
 163
 164         private String buildMsg(Principal pr, HttpServletRequest req, Object... msg) {
 165                 StringBuilder sb = new StringBuilder();
 166                 for(Object s : msg) {
 167                         sb.append(s.toString());
 168                 }
 169                 if(pr!=null) {
 170                         sb.append(" for ");
 171                         sb.append(pr.getName());
 172                 }
 173                 sb.append(" from ");
 174                 sb.append(req.getRemoteAddr());
 175                 sb.append(':');
 176                 sb.append(req.getRemotePort());
 177                 return sb.toString();
 178         }
 179
 180
 181
 182         public Resp revalidate(CachedPrincipal prin, Object state) {
 183                 //  !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal
 184                 if(prin instanceof BasicPrincipal) {
 185                         Future<String> fp;
 186                         try {
 187                                 Rcli<CLIENT> userAAF = aaf.client(Config.AAF_DEFAULT_VERSION).forUser(aaf.transferSS((BasicPrincipal)prin));
 188                                 fp = userAAF.read("/authn/basicAuth", "text/plain");
 189                                 return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED;
 190                         } catch (Exception e) {
 191                                 aaf.access.log(e, "Cannot Revalidate",prin.getName());
 192                                 return Resp.INACCESSIBLE;
 193                         }
 194                 }
 195                 return Resp.NOT_MINE;
 196         }
 197
 198 }