1 /**
2  * ============LICENSE_START====================================================
3  * org.onap.aaf
4  * ===========================================================================
5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6  * ===========================================================================
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  * 
11  *      http://www.apache.org/licenses/LICENSE-2.0
12  * 
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  * ============LICENSE_END====================================================
19  *
20  */
21
22 package org.onap.aaf.cadi.filter;
23
24 import java.io.IOException;
25 import java.net.HttpURLConnection;
26
27 import javax.servlet.http.HttpServletRequest;
28 import javax.servlet.http.HttpServletResponse;
29
30 import org.onap.aaf.cadi.Access;
31 import org.onap.aaf.cadi.CadiException;
32 import org.onap.aaf.cadi.CadiWrap;
33 import org.onap.aaf.cadi.Connector;
34 import org.onap.aaf.cadi.CredVal;
35 import org.onap.aaf.cadi.Lur;
36 import org.onap.aaf.cadi.Taf;
37 import org.onap.aaf.cadi.TrustChecker;
38 import org.onap.aaf.cadi.Access.Level;
39 import org.onap.aaf.cadi.config.Config;
40 import org.onap.aaf.cadi.config.SecurityInfoC;
41 import org.onap.aaf.cadi.lur.EpiLur;
42 import org.onap.aaf.cadi.taf.HttpTaf;
43 import org.onap.aaf.cadi.taf.TafResp;
44 import org.onap.aaf.cadi.util.UserChainManip;
45
46 /**
47  * Encapsulate common HTTP Manipulation Behavior.  It will appropriately set
48  * HTTPServletResponse for Redirect or Forbidden, as needed.
49  * 
50  * Further, this is useful because it avoids repeatedly creating Connections where some Filters
51  * are created and destroyed regularly.
52  * 
53  * @author Jonathan
54  *
55  */
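public class CadiHTTPManip {
    /** Suffix appended to a namespace to form the permission that may drive the /cadi/ control paths. */
    private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
    /** The only HTTP method on which the /cadi/ control paths are honoured (see {@link #notCadi}). */
    private static final String METH = "OPTIONS";
    private static final String CADI = "/cadi/";
    private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
    private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";
    private static final String CADI_LOG_SET = "/cadi/log/set/";
    /** Serialises construction across instances; the constructor touches shared Config and SecurityInfoC state. */
    private static final Object LOCK = new Object();
    private Access access;
    private HttpTaf taf;
    private CredVal up;
    private Lur lur;
    // thisPerm: cadi-control permission of this app's own namespace;
    // companyPerm: the same permission for the enclosing company namespace;
    // aaf_id: the configured application identity (CADI_ALIAS, else AAF_APPID), may be null
    private String thisPerm, companyPerm, aaf_id;

    public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems

    /**
     * Builds the TAF and LUR chain for the given Access.
     *
     * <p>Construction is serialised on a class-wide lock because it mutates shared configuration
     * ({@code Config.setDefaultRealm}) and obtains the shared {@code SecurityInfoC} instance.</p>
     *
     * @param access            logging/property access for this application
     * @param con               connector used to build TAFs and LURs
     * @param tc                trust checker; receives the configured LUR
     * @param additionalTafLurs extra TAF/LUR objects passed through to Config; use {@link #noAdditional} for none
     * @throws CadiException if TAF or LUR configuration fails
     */
    public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
        synchronized (LOCK) {
            this.access = access;
            Config.setDefaultRealm(access);

            // CADI_ALIAS takes precedence; AAF_APPID is the fallback
            aaf_id = access.getProperty(Config.CADI_ALIAS, access.getProperty(Config.AAF_APPID, null));
            if (aaf_id == null) {
                access.printf(Level.INIT, "%s is not set. %s can be used instead", Config.AAF_APPID, Config.CADI_ALIAS);
            } else {
                access.printf(Level.INIT, "%s is set to %s", Config.AAF_APPID, aaf_id);
            }

            String ns = aaf_id == null ? null : UserChainManip.idToNS(aaf_id);
            if (ns != null) {
                thisPerm = ns + ACCESS_CADI_CONTROL;
                companyPerm = companyNS(ns) + ACCESS_CADI_CONTROL;
            } else {
                // No identity configured: both permissions fall back to the generic "com" namespace
                thisPerm = companyPerm = "com" + ACCESS_CADI_CONTROL;
            }

            SecurityInfoC<HttpURLConnection> si = SecurityInfoC.instance(access, HttpURLConnection.class);

            lur = Config.configLur(si, con, additionalTafLurs);
            tc.setLur(lur);

            // A user/password validator is only available when the LUR provides one
            if (lur instanceof EpiLur) {
                up = ((EpiLur) lur).getUserPassImpl();
            } else if (lur instanceof CredVal) {
                up = (CredVal) lur;
            } else {
                up = null;
            }
            taf = Config.configHttpTaf(con, si, tc, up, lur, additionalTafLurs);
        }
    }

    /**
     * Derives the "company" namespace from an application namespace.
     *
     * <p>With no dot the result is {@code "com"}; with exactly one dot it is the first segment;
     * with two or more dots it is the first two segments (e.g. {@code "org.onap.app"} gives
     * {@code "org.onap"}).</p>
     *
     * @param ns non-null application namespace
     * @return the namespace prefix to which the company-level control permission belongs
     */
    private static String companyNS(String ns) {
        int dot = ns.indexOf('.');
        if (dot < 0) {
            return "com";
        }
        int dot2 = ns.indexOf('.', dot + 1);
        return ns.substring(0, dot2 < 0 ? dot : dot2);
    }

    /**
     * Runs the configured TAF chain against the request and reports the outcome.
     *
     * <p>Successful authentication is logged at INFO. A redirect-based flow is logged and the
     * response is left as the TAF prepared it. Failures are logged at AUDIT together with the
     * remote address and the response is completed with HTTP 403.</p>
     *
     * @param hreq  incoming request
     * @param hresp response; written to only on redirect or failure
     * @param state caller-supplied state; not used by this method
     * @return the TAF response; callers must still inspect {@code isAuthenticated()} before proceeding
     * @throws IOException if writing the error response fails
     */
    public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp, Object state) throws IOException {
        TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp);
        switch (tresp.isAuthenticated()) {
            case IS_AUTHENTICATED:
                logAuthenticated(tresp, hreq);
                break;
            case TRY_AUTHENTICATING:
                switch (tresp.authenticate()) {
                    case IS_AUTHENTICATED:
                        logAuthenticated(tresp, hreq);
                        break;
                    case HTTP_REDIRECT_INVOKED:
                        access.log(Level.INFO, "Authenticating via redirection: ", tresp.desc());
                        break;
                    case NO_FURTHER_PROCESSING:
                        access.printf(Level.AUDIT, "Authentication Failure: %s from %s:%d",
                                tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
                        // NOTE(review): unlike the outer failure branches, this returns the TAF's
                        // failure description to the client instead of the generic "Access Denied"
                        hresp.sendError(403, tresp.desc()); // Forbidden
                        break;
                    default:
                        access.printf(Level.AUDIT, "No TAF will authorize for request from %s:%d",
                                hreq.getRemoteAddr(), hreq.getRemotePort());
                        hresp.sendError(403, tresp.desc()); // Forbidden
                }
                break;
            case NO_FURTHER_PROCESSING:
                access.printf(Level.AUDIT, "Authentication Failure: %s from %s:%d",
                        tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
                hresp.sendError(403, "Access Denied"); // FORBIDDEN
                break;
            default:
                access.printf(Level.AUDIT, "No TAF will authorize for request from %s:%d",
                        hreq.getRemoteAddr(), hreq.getRemotePort());
                hresp.sendError(403, "Access Denied"); // FORBIDDEN
        }
        return tresp;
    }

    /** Writes the INFO line recording a successful authentication and the peer it came from. */
    private void logAuthenticated(TafResp tresp, HttpServletRequest hreq) {
        access.printf(Level.INFO, "Authenticated: %s from %s:%d",
                tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
    }

    /**
     * Serves the built-in /cadi/ control paths and tells the caller whether normal processing should continue.
     *
     * <p>A request is treated as a control request only when it is an OPTIONS request whose path info
     * contains {@code /cadi/} and the caller is the configured application identity or holds this
     * application's or the company's cadi-control permission. Recognised paths:</p>
     * <ul>
     *   <li>{@code /cadi/cache/print}: writes {@code lur.toString()} to the response</li>
     *   <li>{@code /cadi/cache/clear}: clears the LUR cache for the caller and writes the report</li>
     *   <li>{@code /cadi/log/set/<LEVEL>}: sets the CADI log level to the named {@code Level}</li>
     * </ul>
     *
     * @param req  wrapped request
     * @param resp response; written to only when a control path is served
     * @return {@code false} when a control path was served and the caller should stop;
     *         {@code true} otherwise (including when writing the response failed)
     */
    public boolean notCadi(CadiWrap req, HttpServletResponse resp) {
        String pathInfo = req.getPathInfo();
        if (!METH.equalsIgnoreCase(req.getMethod()) || pathInfo == null || !pathInfo.contains(CADI)) {
            return true;
        }
        // getUser() may be null when the request carries no principal; guard before comparing
        String user = req.getUser();
        boolean isSelf = user != null && user.equals(aaf_id);
        if (!isSelf && !req.isUserInRole(thisPerm) && !req.isUserInRole(companyPerm)) {
            return true;
        }
        try {
            if (pathInfo.contains(CADI_CACHE_PRINT)) {
                resp.getOutputStream().println(lur.toString());
                resp.setStatus(200);
                return false;
            } else if (pathInfo.contains(CADI_CACHE_CLEAR)) {
                StringBuilder report = new StringBuilder();
                lur.clear(req.getUserPrincipal(), report);
                resp.getOutputStream().println(report.toString());
                resp.setStatus(200);
                return false;
            } else if (pathInfo.contains(CADI_LOG_SET)) {
                setLogLevel(req, pathInfo);
                return false;
            }
        } catch (IOException e) {
            // Best effort: the response could not be written; log and let normal processing continue
            access.log(e);
        }
        return true;
    }

    /**
     * Handles {@code /cadi/log/set/<LEVEL>}: the final path segment names the {@code Level} to apply.
     * An unknown name is rejected and recorded at AUDIT; the log level is left unchanged.
     */
    private void setLogLevel(CadiWrap req, String pathInfo) {
        int slash = pathInfo.lastIndexOf('/');
        String level = pathInfo.substring(slash + 1);
        try {
            Level l = Level.valueOf(level);
            access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'", req.getUser(), l.name());
            access.setLogLevel(l);
        } catch (IllegalArgumentException e) {
            // The raw client-supplied segment is echoed into the audit log as-is; it is not sanitised here
            access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level", level);
        }
    }

    /** @return the configured LUR, or {@code null} after {@link #destroy()} */
    public Lur getLur() {
        return lur;
    }

    /**
     * Releases the LUR. Safe to call more than once; only the first call destroys the LUR.
     * The TAF is not destroyed here.
     */
    public void destroy() {
        access.log(Level.INFO, "CadiHttpChecker destroyed.");
        if (lur != null) {
            lur.destroy();
            lur = null;
        }
    }

    /** @return the Access this instance was constructed with */
    public Access getAccess() {
        return access;
    }

}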
211
212 }