cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java

   1 /**
   2  * ============LICENSE_START====================================================
   3  * org.onap.aaf
   4  * ===========================================================================
   5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
   6  * ===========================================================================
   7  * Licensed under the Apache License, Version 2.0 (the "License");
   8  * you may not use this file except in compliance with the License.
   9  * You may obtain a copy of the License at
  10  *
  11  *      http://www.apache.org/licenses/LICENSE-2.0
  12  *
  13  * Unless required by applicable law or agreed to in writing, software
  14  * distributed under the License is distributed on an "AS IS" BASIS,
  15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16  * See the License for the specific language governing permissions and
  17  * limitations under the License.
  18  * ============LICENSE_END====================================================
  19  *
  20  */
  21
  22 package org.onap.aaf.cadi.aaf.v2_0;
  23
  24 import java.io.IOException;
  25 import java.security.Principal;
  26
  27 import javax.servlet.http.HttpServletRequest;
  28 import javax.servlet.http.HttpServletResponse;
  29
  30 import org.onap.aaf.cadi.AbsUserCache;
  31 import org.onap.aaf.cadi.Access.Level;
  32 import org.onap.aaf.cadi.CachedPrincipal;
  33 import org.onap.aaf.cadi.CachedPrincipal.Resp;
  34 import org.onap.aaf.cadi.CadiException;
  35 import org.onap.aaf.cadi.Connector;
  36 import org.onap.aaf.cadi.GetCred;
  37 import org.onap.aaf.cadi.Hash;
  38 import org.onap.aaf.cadi.SecuritySetter;
  39 import org.onap.aaf.cadi.Taf.LifeForm;
  40 import org.onap.aaf.cadi.User;
  41 import org.onap.aaf.cadi.aaf.AAFPermission;
  42 import org.onap.aaf.cadi.aaf.v2_0.AAFCon.GetSetter;
  43 import org.onap.aaf.cadi.client.Future;
  44 import org.onap.aaf.cadi.client.Rcli;
  45 import org.onap.aaf.cadi.client.Retryable;
  46 import org.onap.aaf.cadi.config.Config;
  47 import org.onap.aaf.cadi.filter.MapBathConverter;
  48 import org.onap.aaf.cadi.principal.BasicPrincipal;
  49 import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
  50 import org.onap.aaf.cadi.taf.HttpTaf;
  51 import org.onap.aaf.cadi.taf.TafResp;
  52 import org.onap.aaf.cadi.taf.TafResp.RESP;
  53 import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp;
  54 import org.onap.aaf.cadi.util.CSV;
  55 import org.onap.aaf.misc.env.APIException;
  56
  57 public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpTaf {
  58     private AAFCon<CLIENT> aaf;
  59     private boolean warn;
  60     private MapBathConverter mapIds;
  61
  62     public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning) {
  63         super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount);
  64         aaf = con;
  65         warn = turnOnWarning;
  66         initMapBathConverter();
  67     }
  68
  69     public AAFTaf(AAFCon<CLIENT> con, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {
  70         super(other);
  71         aaf = con;
  72         warn = turnOnWarning;
  73         initMapBathConverter();
  74
  75     }
  76
  77     // Note: Needed for Creation of this Object with Generics
  78     @SuppressWarnings("unchecked")
  79     public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning, AbsUserCache<AAFPermission> other) {
  80         this((AAFCon<CLIENT>)mustBeAAFCon,turnOnWarning,other);
  81     }
  82
  83     // Note: Needed for Creation of this Object with Generics
  84     @SuppressWarnings("unchecked")
  85     public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning) {
  86         this((AAFCon<CLIENT>)mustBeAAFCon,turnOnWarning);
  87     }
  88
  89     private void initMapBathConverter() {
  90         String csvFile = access.getProperty(Config.CADI_BATH_CONVERT, null);
  91         if(csvFile==null) {
  92                 mapIds=null;
  93         } else {
  94                 try {
  95                                 mapIds = new MapBathConverter(access, new CSV(csvFile));
  96                         } catch (IOException | CadiException e) {
  97                                 access.log(e,"Bath Map Conversion is not initialzed (non fatal)");
  98                         }
  99         }
 100
 101     }
 102
 103     public TafResp validate(final LifeForm reading, final HttpServletRequest req, final HttpServletResponse resp) {
 104         //TODO Do we allow just anybody to validate?
 105
 106         // Note: Either Carbon or Silicon based LifeForms ok
 107         String authz = req.getHeader("Authorization");
 108         if (authz != null && authz.startsWith("Basic ")) {
 109             if (warn&&!req.isSecure()) {
 110                 aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
 111             }
 112             if(mapIds != null) {
 113                 authz = mapIds.convert(access, authz);
 114             }
 115
 116             try {
 117                 final CachedBasicPrincipal bp;
 118                 if (req.getUserPrincipal() instanceof CachedBasicPrincipal) {
 119                     bp = (CachedBasicPrincipal)req.getUserPrincipal();
 120                 } else {
 121                     bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires);
 122                 }
 123                 // First try Cache
 124                 final User<AAFPermission> usr = getUser(bp);
 125                 if (usr != null
 126                     && usr.principal instanceof GetCred
 127                     && Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) {
 128                     return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
 129                 }
 130
 131                 Miss miss = missed(bp.getName(), bp.getCred());
 132                 if (miss!=null && !miss.mayContinue()) {
 133                     return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
 134                             "User/Pass Retry limit exceeded"),
 135                             RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);
 136                 }
 137
 138                 return aaf.bestForUser(
 139                     new GetSetter() {
 140                         @Override
 141                         public <CL> SecuritySetter<CL> get(AAFCon<CL> con) throws CadiException {
 142                             return con.basicAuthSS(bp);
 143                         }
 144                     },new Retryable<BasicHttpTafResp>() {
 145                         @Override
 146                         public BasicHttpTafResp code(Rcli<?> client) throws CadiException, APIException {
 147                             Future<String> fp = client.read("/authn/basicAuth", "text/plain");
 148                             if (fp.get(aaf.timeout)) {
 149                                 if (usr!=null) {
 150                                     usr.principal = bp;
 151                                 } else {
 152                                     addUser(new User<AAFPermission>(bp,aaf.userExpires));
 153                                 }
 154                                 return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false);
 155                             } else {
 156                                 // Note: AddMiss checks for miss==null, and is part of logic
 157                                 boolean rv= addMiss(bp.getName(),bp.getCred());
 158                                 if (rv) {
 159                                     return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
 160                                             "user/pass combo invalid via AAF from " + req.getRemoteAddr()),
 161                                             RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true);
 162                                 } else {
 163                                     return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req,
 164                                             "user/pass combo invalid via AAF from " + req.getRemoteAddr() + " - Retry limit exceeded"),
 165                                             RESP.FAIL,resp,aaf.getRealm(),true);
 166                                 }
 167                             }
 168                         }
 169                     }
 170                 );
 171             } catch (IOException e) {
 172                 String msg = buildMsg(null,req,"Invalid Auth Token");
 173                 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
 174                 return new BasicHttpTafResp(aaf.access,null,msg, RESP.TRY_AUTHENTICATING, resp, aaf.getRealm(),true);
 175             } catch (Exception e) {
 176                 String msg = buildMsg(null,req,"Authenticating Service unavailable");
 177                 try {
 178                     aaf.invalidate();
 179                 } catch (CadiException e1) {
 180                     aaf.access.log(e1, "Error Invalidating Client");
 181                 }
 182                 aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')');
 183                 return new BasicHttpTafResp(aaf.access,null,msg, RESP.FAIL, resp, aaf.getRealm(),false);
 184             }
 185         }
 186         return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false);
 187     }
 188
 189     private String buildMsg(Principal pr, HttpServletRequest req, Object... msg) {
 190         StringBuilder sb = new StringBuilder();
 191         for (Object s : msg) {
 192             sb.append(s.toString());
 193         }
 194         if (pr!=null) {
 195             sb.append(" for ");
 196             sb.append(pr.getName());
 197         }
 198         sb.append(" from ");
 199         sb.append(req.getRemoteAddr());
 200         sb.append(':');
 201         sb.append(req.getRemotePort());
 202         return sb.toString();
 203     }
 204
 205
 206
 207     public Resp revalidate(CachedPrincipal prin, Object state) {
 208         //  !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal
 209         if (prin instanceof BasicPrincipal) {
 210             Future<String> fp;
 211             try {
 212                 Rcli<CLIENT> userAAF = aaf.client().forUser(aaf.transferSS((BasicPrincipal)prin));
 213                 fp = userAAF.read("/authn/basicAuth", "text/plain");
 214                 return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED;
 215             } catch (Exception e) {
 216                 aaf.access.log(e, "Cannot Revalidate",prin.getName());
 217                 return Resp.INACCESSIBLE;
 218             }
 219         }
 220         return Resp.NOT_MINE;
 221     }
 222
 223 }