cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java

   1 /**
   2  * ============LICENSE_START====================================================
   3  * org.onap.aaf
   4  * ===========================================================================
   5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
   6  * ===========================================================================
   7  * Licensed under the Apache License, Version 2.0 (the "License");
   8  * you may not use this file except in compliance with the License.
   9  * You may obtain a copy of the License at
  10  *
  11  *      http://www.apache.org/licenses/LICENSE-2.0
  12  *
  13  * Unless required by applicable law or agreed to in writing, software
  14  * distributed under the License is distributed on an "AS IS" BASIS,
  15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16  * See the License for the specific language governing permissions and
  17  * limitations under the License.
  18  * ============LICENSE_END====================================================
  19  *
  20  */
  21
  22 package org.onap.aaf.cadi.filter;
  23
  24 import java.io.IOException;
  25 import java.net.HttpURLConnection;
  26
  27 import javax.servlet.http.HttpServletRequest;
  28 import javax.servlet.http.HttpServletResponse;
  29
  30 import org.onap.aaf.cadi.Access;
  31 import org.onap.aaf.cadi.Access.Level;
  32 import org.onap.aaf.cadi.CadiException;
  33 import org.onap.aaf.cadi.CadiWrap;
  34 import org.onap.aaf.cadi.Connector;
  35 import org.onap.aaf.cadi.CredVal;
  36 import org.onap.aaf.cadi.LocatorException;
  37 import org.onap.aaf.cadi.Lur;
  38 import org.onap.aaf.cadi.Taf;
  39 import org.onap.aaf.cadi.TrustChecker;
  40 import org.onap.aaf.cadi.config.Config;
  41 import org.onap.aaf.cadi.config.SecurityInfoC;
  42 import org.onap.aaf.cadi.lur.EpiLur;
  43 import org.onap.aaf.cadi.taf.HttpTaf;
  44 import org.onap.aaf.cadi.taf.TafResp;
  45 import org.onap.aaf.cadi.util.UserChainManip;
  46
  47 /**
  48  * Encapsulate common HTTP Manipulation Behavior.  It will appropriately set
  49  * HTTPServletResponse for Redirect or Forbidden, as needed.
  50  *
  51  * Further, this is useful, because it avoids multiple creates of Connections, where some Filters
  52  * are created and destroyed regularly.
  53  *
  54  * @author Jonathan
  55  *
  56  */
  57 public class CadiHTTPManip {
  58     private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
  59     private static final String METH = "OPTIONS";
  60     private static final String CADI = "/cadi/";
  61     private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
  62     private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";
  63     private static final String CADI_LOG_SET = "/cadi/log/set/";
  64     private static final Object LOCK = new Object();
  65     private Access access;
  66     private HttpTaf taf;
  67     private CredVal up;
  68     private Lur lur;
  69     private String thisPerm,companyPerm,aaf_id;
  70
  71     public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems
  72
  73
  74     public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException, LocatorException {
  75         synchronized(LOCK) {
  76             this.access = access;
  77 //            Get getter = new AccessGetter(access);
  78             Config.setDefaultRealm(access);
  79
  80             aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_APPID, null));
  81             if (aaf_id==null) {
  82                 access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_APPID,Config.CADI_ALIAS);
  83             } else {
  84                 access.printf(Level.INIT, "%s is set to %s",Config.AAF_APPID,aaf_id);
  85             }
  86             String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id);
  87             if (ns!=null) {
  88                 thisPerm = ns+ACCESS_CADI_CONTROL;
  89                 int dot = ns.indexOf('.');
  90                 if (dot>=0) {
  91                     int dot2=ns.indexOf('.',dot+1);
  92                     if (dot2<0) {
  93                         dot2=dot;
  94                     }
  95                     companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL;
  96                 } else {
  97                     companyPerm = "com"+ACCESS_CADI_CONTROL;
  98                 }
  99             } else {
 100                 thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL;
 101             }
 102             SecurityInfoC<HttpURLConnection> si;
 103             si = SecurityInfoC.instance(access, HttpURLConnection.class);
 104
 105             lur = Config.configLur(si, con, additionalTafLurs);
 106
 107             tc.setLur(lur);
 108             if (lur instanceof EpiLur) {
 109                 up = ((EpiLur)lur).getUserPassImpl();
 110             } else if (lur instanceof CredVal) {
 111                 up = (CredVal)lur;
 112             } else {
 113                 up = null;
 114             }
 115             taf = Config.configHttpTaf(con,si, tc, up, lur, additionalTafLurs);
 116         }
 117     }
 118
 119     public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp, Object state) throws IOException {
 120         TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp);
 121         switch(tresp.isAuthenticated()) {
 122             case IS_AUTHENTICATED:
 123                 access.printf(Level.INFO,"Authenticated: %s from %s:%d",
 124                         tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
 125                 break;
 126             case TRY_AUTHENTICATING:
 127                 switch (tresp.authenticate()) {
 128                     case IS_AUTHENTICATED:
 129                         access.printf(Level.INFO,"Authenticated: %s from %s:%d",
 130                                 tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
 131                         break;
 132                     case HTTP_REDIRECT_INVOKED:
 133                         access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc());
 134                         break;
 135                     case NO_FURTHER_PROCESSING:
 136                         access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d"
 137                                 , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
 138                         hresp.sendError(403, tresp.desc()); // Forbidden
 139                         break;
 140
 141                     default:
 142                         access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
 143                                 , hreq.getRemoteAddr(), hreq.getRemotePort());
 144                         hresp.sendError(403, tresp.desc()); // Forbidden
 145                 }
 146                 break;
 147             case NO_FURTHER_PROCESSING:
 148                 access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d",
 149                         tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
 150                 hresp.sendError(403, "Access Denied"); // FORBIDDEN
 151                 break;
 152             default:
 153                 access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
 154                         , hreq.getRemoteAddr(), hreq.getRemotePort());
 155                 hresp.sendError(403, "Access Denied"); // FORBIDDEN
 156         }
 157         return tresp;
 158     }
 159
 160     public boolean notCadi(CadiWrap req, HttpServletResponse resp) {
 161
 162         String pathInfo = req.getPathInfo();
 163         if (METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) {
 164             if (req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) {
 165                 try {
 166                     if (pathInfo.contains(CADI_CACHE_PRINT)) {
 167                         resp.getOutputStream().println(lur.toString());
 168                         resp.setStatus(200);
 169                         return false;
 170                     } else if (pathInfo.contains(CADI_CACHE_CLEAR)) {
 171                         StringBuilder report = new StringBuilder();
 172                         lur.clear(req.getUserPrincipal(), report);
 173                         resp.getOutputStream().println(report.toString());
 174                         resp.setStatus(200);
 175                         return false;
 176                     } else if (pathInfo.contains(CADI_LOG_SET))  {
 177                         Level l;
 178                         int slash = pathInfo.lastIndexOf('/');
 179                         String level = pathInfo.substring(slash+1);
 180                         try {
 181                             l = Level.valueOf(level);
 182                             access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'",req.getUser(),l.name());
 183                             access.setLogLevel(l);
 184                         } catch (IllegalArgumentException e) {
 185                             access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level);
 186                         }
 187                         return false;
 188                     }
 189                 } catch (IOException e) {
 190                     access.log(e);
 191                 }
 192             }
 193         }
 194         return true;
 195     }
 196
 197     public Lur getLur() {
 198         return lur;
 199     }
 200
 201     public void destroy() {
 202         access.log(Level.INFO,"CadiHttpChecker destroyed.");
 203         if (lur!=null) {
 204             lur.destroy();
 205             lur=null;
 206         }
 207     }
 208
 209     public Access getAccess() {
 210         return access;
 211     }
 212
 213 }