2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi.enduser.test;
24 import java.io.IOException;
25 import java.net.ConnectException;
26 import java.security.GeneralSecurityException;
27 import java.util.Date;
28 import java.util.GregorianCalendar;
31 import org.onap.aaf.cadi.Access.Level;
32 import org.onap.aaf.cadi.CadiException;
33 import org.onap.aaf.cadi.LocatorException;
34 import org.onap.aaf.cadi.PropAccess;
35 import org.onap.aaf.cadi.client.Future;
36 import org.onap.aaf.cadi.client.Rcli;
37 import org.onap.aaf.cadi.client.Result;
38 import org.onap.aaf.cadi.client.Retryable;
39 import org.onap.aaf.cadi.config.Config;
40 import org.onap.aaf.cadi.configure.Agent;
41 import org.onap.aaf.cadi.oauth.TimedToken;
42 import org.onap.aaf.cadi.oauth.TokenClient;
43 import org.onap.aaf.cadi.oauth.TokenClientFactory;
44 import org.onap.aaf.cadi.oauth.TzClient;
45 import org.onap.aaf.cadi.util.FQI;
46 import org.onap.aaf.misc.env.APIException;
47 import org.onap.aaf.misc.env.util.Chrono;
49 import aafoauth.v2_0.Introspect;
50 import aafoauth.v2_0.Token;
53 public class OAuthExample {
54 private static TokenClientFactory tcf;
55 private static PropAccess access;
57 public final static void main(final String args[]) {
58 // These Objects are expected to be Long-Lived... Construct once
61 // This method will allow you to set "cadi_prop_files" (or any other property) on Command line
62 access = new PropAccess(args);
64 // access = PropAccess();
65 // Note: This style will load "cadi_prop_files" from VM Args
67 // Token aware Client Factory
69 tcf = TokenClientFactory.instance(access);
70 } catch (APIException | GeneralSecurityException | IOException | CadiException e1) {
71 access.log(e1, "Unable to setup OAuth Client Factory, Fail Fast");
76 // Obtain Endpoints for OAuth2 from Properties. Expected is "cadi.properties" file, pointed to by "cadi_prop_files"
78 Map<String, String> aaf_urls = Agent.loadURLs(access);
79 Agent.fillMissing(access, aaf_urls);
80 String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL); // Default to AAF
81 String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL); // Default to AAF);
83 final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL);
85 final int CALL_TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CALL_TIMEOUT,Config.AAF_CALL_TIMEOUT_DEF));
87 //////////////////////////////////////////////////////////////////////
89 // Get and use an OAuth Client, which understands Token Management
90 //////////////////////////////////////////////////////////////////////
91 // Create a Token Client, that gets its tokens from expected OAuth Server
92 // In this example, it is AAF, but it can be the Alternate OAuth
94 TokenClient tc = tcf.newClient(tokenServiceURL); // can set your own timeout here (url, timeoutMilliseconds)
95 // Set your Application (MicroService, whatever) Credentials here
96 // These are how your Application is known, particularly to the OAuth Server.
97 // If AAF Token server, then its just the same as your other AAF MechID creds
98 // If it is the Alternate OAUTH, you'll need THOSE credentials. See that tool's Onboarding procedures.
99 String client_id = access.getProperty(Config.AAF_APPID);
100 if (client_id==null) {
101 // For AAF, client_id CAN be Certificate. This is not necessarily true elsewhere
102 client_id = access.getProperty(Config.CADI_ALIAS);
104 String client_secret = access.getProperty(Config.AAF_APPPASS);
105 tc.client_creds(client_id, client_secret);
107 // If you are working with Credentials the End User, set username/password as appropriate to the OAuth Server
108 // tc.password(end_user_id, end_user_password);
110 // if you are setting client Credentials, you MAY NOT reuse this Client mid-transaction. You CAN reuse after setting
111 // tc.clearEndUser();
112 // You may want to see "Pooled Client" example, using special CADI utility
114 // With AAF, the Scopes you put in are the AAF Namespaces you want access to. Your Token will contain the
115 // AAF Permissions of the Namespaces (you can put in more than one), the user name (or client_id if no user_name),
116 // is allowed to see.
118 // Here's a trick to get the namespace out of a Fully Qualified AAF Identity (your MechID)
119 String ns = FQI.reverseDomain(client_id);
120 System.out.printf("\nNote: The AAF Namespace of FQI (Fully Qualified Identity) %s is %s\n\n",client_id, ns);
122 // Now, we can get a Token. Note: for "scope", use AAF Namespaces to get AAF Permissions embedded in
123 // Note: getToken checks if Token is expired, if so, then refreshes before handing back.
124 Result<TimedToken> rtt = tc.getToken(ns,"org.onap.test");
126 // Note: you can clear a Token's Disk/Memory presence by
127 // 1) removing the Token from the "token/outgoing" directory on the O/S
128 // 2) programmatically by calling "clearToken" with exact params as "getToken", when it has the same credentials set
129 // tc.clearToken("org.onap.aaf","org.onap.test");
131 // Result Object can be queried for success
133 TimedToken token = rtt.value;
134 print(token); // Take a look at what's in a Token
136 // Use this Token in your client calls with "Tokenized Client" (TzClient)
137 // These should NOT be used cross thread.
138 TzClient helloClient = tcf.newTzClient(endServicesURL);
139 helloClient.setToken(client_id, token);
141 // This client call style, "best" call with "Retryable" inner class covers finding an available Service
142 // (when Multi-services exist) for the best service, based (currently) on distance.
144 // the "Generic" in Type gives a Return Value for the Code, which you can set on the "best" method
145 // Note that variables used in the inner class from this part of the code must be "final", see "CALL_TIMEOUT"
146 String rv = helloClient.best(new Retryable<String>() {
148 public String code(Rcli<?> client) throws CadiException, ConnectException, APIException {
149 Future<String> future = client.read("hello","text/plain");
150 // The "future" calling method allows you to do other processing, such as call more than one backend
151 // client before picking up the result
152 // If "get" matches the HTTP Code for the method (i.e. read HTTP Return value is 200), then
153 if (future.get(CALL_TIMEOUT)) {
154 // Client Returned expected value
157 throw new APIException(future.code() + future.body());
162 // You want to do something with returned value. Here, we say "hello"
163 System.out.printf("\nPositive Response from Hello: %s\n",rv);
166 //////////////////////////////////////////////////////////////////////
168 // As a Service, read Introspection information as proof of Authenticated Authorization
169 //////////////////////////////////////////////////////////////////////
170 // CADI Framework (i.e. CadiFilter) works with the Introspection to drive the J2EE interfaces (
171 // i.e. if (isUserInRole("ns.perm|instance|action")) {...
173 // Here, however, is a way to introspect via Java
175 // now, call Introspect (making sure right URLs are set in properties)
176 // We need a Different Introspect TokenClient, because different Endpoint (and usually different Services)
177 TokenClient tci = tcf.newClient(tokenIntrospectURL);
178 tci.client_creds(client_id, client_secret);
179 Result<Introspect> is = tci.introspect(token.getAccessToken());
181 // Note that AAF will add JSON set of Permissions as part of "Content:", legitimate extension of OAuth Structure
182 print(is.value); // do something with Introspect Object
184 access.printf(Level.ERROR, "Unable to introspect OAuth Token %s: %d %s\n",
185 token.getAccessToken(),rtt.code,rtt.error);
188 access.printf(Level.ERROR, "Unable to obtain OAuth Token: %d %s\n",rtt.code,rtt.error);
191 } catch (CadiException | LocatorException | APIException | IOException e) {
196 /////////////////////////////////////////////////////////////
197 // Examples of Object Access
198 /////////////////////////////////////////////////////////////
199 private static void print(Token t) {
200 GregorianCalendar exp_date = new GregorianCalendar();
201 exp_date.add(GregorianCalendar.SECOND, t.getExpiresIn());
202 System.out.printf("Access Token\n\tToken:\t\t%s\n\tToken Type:\t%s\n\tExpires In:\t%d (%s)\n\tScope:\t\t%s\n\tRefresh Token:\t%s\n",
206 Chrono.timeStamp(new Date(System.currentTimeMillis()+(t.getExpiresIn()*1000))),
208 t.getRefreshToken());
211 private static void print(Introspect ti) {
212 if (ti==null || ti.getClientId()==null) {
213 System.out.println("Empty Introspect");
216 Date exp = new Date(ti.getExp()*1000); // seconds
217 System.out.printf("Introspect\n"
218 + "\tAccessToken:\t%s\n"
219 + "\tClient-id:\t%s\n"
220 + "\tClient Type:\t%s\n"
222 + "\tUserName:\t%s\n"
223 + "\tExpires: \t%d (%s)\n"
225 + "\tContent:\t%s\n",
229 ti.isActive()?Boolean.TRUE.toString():Boolean.FALSE.toString(),
232 Chrono.timeStamp(exp),
234 ti.getContent()==null?"":ti.getContent());
236 System.out.println();
Code Review / aaf / authz.git / blob