cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java

   1 /**
   2  * ============LICENSE_START====================================================
   3  * org.onap.aaf
   4  * ===========================================================================
   5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
   6  * ===========================================================================
   7  * Licensed under the Apache License, Version 2.0 (the "License");
   8  * you may not use this file except in compliance with the License.
   9  * You may obtain a copy of the License at
  10  *
  11  *      http://www.apache.org/licenses/LICENSE-2.0
  12  *
  13  * Unless required by applicable law or agreed to in writing, software
  14  * distributed under the License is distributed on an "AS IS" BASIS,
  15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16  * See the License for the specific language governing permissions and
  17  * limitations under the License.
  18  * ============LICENSE_END====================================================
  19  *
  20  */
  21
  22 package org.onap.aaf.cadi.taf.basic;
  23
  24 import java.io.IOException;
  25 import java.security.Principal;
  26
  27 import javax.servlet.http.HttpServletRequest;
  28 import javax.servlet.http.HttpServletResponse;
  29
  30 import org.onap.aaf.cadi.Access;
  31 import org.onap.aaf.cadi.BasicCred;
  32 import org.onap.aaf.cadi.CachedPrincipal;
  33 import org.onap.aaf.cadi.CredVal;
  34 import org.onap.aaf.cadi.Taf;
  35 import org.onap.aaf.cadi.Access.Level;
  36 import org.onap.aaf.cadi.CachedPrincipal.Resp;
  37 import org.onap.aaf.cadi.CredVal.Type;
  38 import org.onap.aaf.cadi.principal.BasicPrincipal;
  39 import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
  40 import org.onap.aaf.cadi.taf.HttpTaf;
  41 import org.onap.aaf.cadi.taf.TafResp;
  42 import org.onap.aaf.cadi.taf.TafResp.RESP;
  43 import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;
  44
  45 /**
  46  * BasicHttpTaf
  47  *
  48  * This TAF implements the "Basic Auth" protocol.
  49  *
  50  * WARNING! It is true for any implementation of "Basic Auth" that the password is passed unencrypted.
  51  * This is because the expectation, when designed years ago, was that it would only be used in
  52  * conjunction with SSL (https).  It is common, however, for users to ignore this on the assumption that
  53  * their internal network is secure, or just ignorance.  Therefore, a WARNING will be printed
  54  * when the HTTP Channel is not encrypted (unless explicitly turned off).
  55  *
  56  * @author Jonathan
  57  *
  58  */
  59 public class BasicHttpTaf implements HttpTaf {
  60         private Access access;
  61         private String realm;
  62         private CredVal rbac;
  63         private boolean warn;
  64         private long timeToLive;
  65
  66         public BasicHttpTaf(Access access, CredVal rbac, String realm, long timeToLive, boolean turnOnWarning) {
  67                 this.access = access;
  68                 this.realm = realm;
  69                 this.rbac = rbac;
  70                 this.warn = turnOnWarning;
  71                 this.timeToLive = timeToLive;
  72         }
  73
  74         /**
  75          * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.
  76          * @see Taf
  77          */
  78         public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
  79                 // See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately
  80                 if(req instanceof BasicCred) {
  81                         BasicCred bc = (BasicCred)req;
  82                         if(bc.getUser()!=null) { // CadiWrap, if set, makes sure User & Password are both valid, or both null
  83                                 if(DenialOfServiceTaf.isDeniedID(bc.getUser())!=null) {
  84                                         return DenialOfServiceTaf.respDenyID(access,bc.getUser());
  85                                 }
  86                                 CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);
  87                                 // ONLY FOR Last Ditch DEBUGGING...
  88                                 // access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));
  89
  90                                 if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) {
  91                                         return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
  92                                 } else {
  93                                         //TODO may need timed retries in a given time period
  94                                         return new BasicHttpTafResp(access,null,buildMsg(bp,req,"user/pass combo invalid for ",bc.getUser(),"from",req.getRemoteAddr()),
  95                                                         RESP.TRY_AUTHENTICATING,resp,realm,true);
  96                                 }
  97                         }
  98                 }
  99                 // Get User/Password from Authorization Header value
 100                 String authz = req.getHeader("Authorization");
 101                 if(authz != null && authz.startsWith("Basic ")) {
 102                         if(warn&&!req.isSecure()) {
 103                                 access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
 104                         }
 105                         try {
 106                                 CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive);
 107                                 if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
 108                                         return DenialOfServiceTaf.respDenyID(access,ba.getName());
 109                                 }
 110
 111                                 // ONLY FOR Last Ditch DEBUGGING...
 112                                 // access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));
 113                                 if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) {
 114                                         return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
 115                                 } else {
 116                                         //TODO may need timed retries in a given time period
 117                                         return new BasicHttpTafResp(access,null,buildMsg(ba,req,"user/pass combo invalid"),
 118                                                         RESP.TRY_AUTHENTICATING,resp,realm,true);
 119                                 }
 120                         } catch (IOException e) {
 121                                 String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')');
 122                                 access.log(Level.INFO,msg);
 123                                 return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true);
 124                         }
 125                 }
 126                 return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false);
 127         }
 128
 129         protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {
 130                 StringBuilder sb = new StringBuilder();
 131                 if(pr!=null) {
 132                         sb.append("user=");
 133                         sb.append(pr.getName());
 134                         sb.append(',');
 135                 }
 136                 sb.append("ip=");
 137                 sb.append(req.getRemoteAddr());
 138                 sb.append(",port=");
 139                 sb.append(req.getRemotePort());
 140                 if(msg.length>0) {
 141                         sb.append(",msg=\"");
 142                         for(Object s : msg) {
 143                                 sb.append(s.toString());
 144                         }
 145                         sb.append('"');
 146                 }
 147                 return sb.toString();
 148         }
 149
 150         @Override
 151         public Resp revalidate(CachedPrincipal prin, Object state) {
 152                 if(prin instanceof BasicPrincipal) {
 153                         BasicPrincipal ba = (BasicPrincipal)prin;
 154                         if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
 155                                 return Resp.UNVALIDATED;
 156                         }
 157                         return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), state)?Resp.REVALIDATED:Resp.UNVALIDATED;
 158                 }
 159                 return Resp.NOT_MINE;
 160         }
 161
 162         public String toString() {
 163                 return "Basic Auth enabled on realm: " + realm;
 164         }
 165 }