2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi.aaf.v2_0;
24 import java.io.IOException;
25 import java.security.Principal;
27 import javax.servlet.http.HttpServletRequest;
28 import javax.servlet.http.HttpServletResponse;
30 import org.onap.aaf.cadi.AbsUserCache;
31 import org.onap.aaf.cadi.Access.Level;
32 import org.onap.aaf.cadi.CachedPrincipal;
33 import org.onap.aaf.cadi.CachedPrincipal.Resp;
34 import org.onap.aaf.cadi.CadiException;
35 import org.onap.aaf.cadi.Connector;
36 import org.onap.aaf.cadi.GetCred;
37 import org.onap.aaf.cadi.Hash;
38 import org.onap.aaf.cadi.SecuritySetter;
39 import org.onap.aaf.cadi.Taf.LifeForm;
40 import org.onap.aaf.cadi.User;
41 import org.onap.aaf.cadi.aaf.AAFPermission;
42 import org.onap.aaf.cadi.aaf.v2_0.AAFCon.GetSetter;
43 import org.onap.aaf.cadi.client.Future;
44 import org.onap.aaf.cadi.client.Rcli;
45 import org.onap.aaf.cadi.client.Retryable;
46 import org.onap.aaf.cadi.config.Config;
47 import org.onap.aaf.cadi.filter.MapBathConverter;
48 import org.onap.aaf.cadi.principal.BasicPrincipal;
49 import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
50 import org.onap.aaf.cadi.taf.HttpTaf;
51 import org.onap.aaf.cadi.taf.TafResp;
52 import org.onap.aaf.cadi.taf.TafResp.RESP;
53 import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp;
54 import org.onap.aaf.cadi.util.CSV;
55 import org.onap.aaf.misc.env.APIException;
57 public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpTaf {
58 private AAFCon<CLIENT> aaf;
60 private MapBathConverter mapIds;
62 public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning) {
63 super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount);
66 initMapBathConverter();
69 public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {
73 initMapBathConverter();
77 // Note: Needed for Creation of this Object with Generics
78 @SuppressWarnings("unchecked")
79 public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {
80 this((AAFCon<CLIENT>)mustBeAAFCon,turnOnWarning,other);
83 // Note: Needed for Creation of this Object with Generics
84 @SuppressWarnings("unchecked")
85 public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning) {
86 this((AAFCon<CLIENT>)mustBeAAFCon,turnOnWarning);
89 private void initMapBathConverter() {
90 String csvFile = access.getProperty(Config.CADI_BATH_CONVERT, null);
95 mapIds = new MapBathConverter(access, new CSV(csvFile));
96 } catch (IOException | CadiException e) {
97 access.log(e,"Bath Map Conversion is not initialzed (non fatal)");
103 public TafResp validate(final LifeForm reading, final HttpServletRequest req, final HttpServletResponse resp) {
104 //TODO Do we allow just anybody to validate?
106 // Note: Either Carbon or Silicon based LifeForms ok
107 String authz = req.getHeader("Authorization");
108 if (authz != null && authz.startsWith("Basic ")) {
109 if (warn&&!req.isSecure()) {
110 aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
113 authz = mapIds.convert(access, authz);
117 final CachedBasicPrincipal bp;
118 if (req.getUserPrincipal() instanceof CachedBasicPrincipal) {
119 bp = (CachedBasicPrincipal)req.getUserPrincipal();
121 bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires);
124 final User<AAFPermission> usr = getUser(bp);
126 && usr.principal instanceof GetCred
127 && Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) {
128 return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
131 Miss miss = missed(bp.getName(), bp.getCred());
132 if (miss!=null && !miss.mayContinue()) {
133 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
134 "User/Pass Retry limit exceeded"),
135 RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);
138 return aaf.bestForUser(
141 public <CL> SecuritySetter<CL> get(AAFCon<CL> con) throws CadiException {
142 return con.basicAuthSS(bp);
144 },new Retryable<BasicHttpTafResp>() {
146 public BasicHttpTafResp code(Rcli<?> client) throws CadiException, APIException {
147 Future<String> fp = client.read("/authn/basicAuth", "text/plain");
148 if (fp.get(aaf.timeout)) {
152 addUser(new User<AAFPermission>(bp,aaf.userExpires));
154 return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
156 // Note: AddMiss checks for miss==null, and is part of logic
157 boolean rv= addMiss(bp.getName(),bp.getCred());
159 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
160 "user/pass combo invalid via AAF from " + req.getRemoteAddr()),
161 RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);
163 return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
164 "user/pass combo invalid via AAF from " + req.getRemoteAddr() + " - Retry limit exceeded"),
165 RESP.FAIL,resp,aaf.getRealm(),true);
171 } catch (IOException e) {
172 String msg = buildMsg(null,req,"Invalid Auth Token");
173 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
174 return new BasicHttpTafResp(aaf.access,null,msg, RESP.TRY_AUTHENTICATING, resp, aaf.getRealm(),true);
175 } catch (Exception e) {
176 String msg = buildMsg(null,req,"Authenticating Service unavailable");
179 } catch (CadiException e1) {
180 aaf.access.log(e1, "Error Invalidating Client");
182 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
183 return new BasicHttpTafResp(aaf.access,null,msg, RESP.FAIL, resp, aaf.getRealm(),false);
186 return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false);
189 private String buildMsg(Principal pr, HttpServletRequest req, Object... msg) {
190 StringBuilder sb = new StringBuilder();
191 for (Object s : msg) {
192 sb.append(s.toString());
196 sb.append(pr.getName());
199 sb.append(req.getRemoteAddr());
201 sb.append(req.getRemotePort());
202 return sb.toString();
207 public Resp revalidate(CachedPrincipal prin, Object state) {
208 // !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal
209 if (prin instanceof BasicPrincipal) {
212 Rcli<CLIENT> userAAF = aaf.client(Config.AAF_DEFAULT_VERSION).forUser(aaf.transferSS((BasicPrincipal)prin));
213 fp = userAAF.read("/authn/basicAuth", "text/plain");
214 return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED;
215 } catch (Exception e) {
216 aaf.access.log(e, "Cannot Revalidate",prin.getName());
217 return Resp.INACCESSIBLE;
220 return Resp.NOT_MINE;