* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/**
* Create a Consistent Configuration mechanism, even when configuration styles are as vastly different as
* Properties vs JavaBeans vs FilterConfigs...
- *
+ *
* @author Jonathan
*
*/
public static final String CADI_PROTOCOLS = "cadi_protocols";
public static final String CADI_NOAUTHN = "cadi_noauthn";
public static final String CADI_LOC_LIST = "cadi_loc_list";
-
+
// Special Behaviors
public static final String CADI_BATH_CONVERT = "cadi_bath_convert";
public static final String CADI_API_ENFORCEMENT = "cadi_api_enforcement";
public static final String CADI_ADD_TAFS = "cadi_add_tafs";
public static final String CADI_ADD_LURS = "cadi_add_lurs";
-
+
public static final String CADI_USER_CHAIN_TAG = "cadi_user_chain";
public static final String CADI_USER_CHAIN = "USER_CHAIN";
-
+
public static final String CADI_OAUTH2_URL="cadi_oauth2_url";
public static final String CADI_TOKEN_DIR = "cadi_token_dir";
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,"
+ "TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,"
+ "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV";
-
+
public static final String LOCALHOST_ALLOW = "localhost_allow";
public static final String LOCALHOST_DENY = "localhost_deny";
-
- public static final String BASIC_REALM = "basic_realm"; // what is sent to the client
- public static final String BASIC_WARN = "basic_warn"; // Warning of insecure channel
+
+ public static final String BASIC_REALM = "basic_realm"; // what is sent to the client
+ public static final String BASIC_WARN = "basic_warn"; // Warning of insecure channel
public static final String USERS = "local_users";
public static final String GROUPS = "local_groups";
public static final String WRITE_TO = "local_writeto"; // dump RBAC to local file in Tomcat Style (some apps use)
-
+
public static final String OAUTH_CLIENT_ID="client_id";
public static final String OAUTH_CLIENT_SECRET="client_secret";
-
+
public static final String AAF_ENV = "aaf_env";
public static final String AAF_ROOT_NS = "aaf_root_ns";
public static final String AAF_ROOT_NS_DEF = "org.osaaf.aaf";
public static final String AAF_DEFAULT_API_VERSION = "2.1";
public static final String AAF_DEPLOYED_VERSION="aaf_deployed_version";
public static final String AAF_API_VERSION = "aaf_api_version";
- public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration
+ public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration
public static final String AAF_LOCATOR_CLASS = "aaf_locator_class";
// AAF Locator Entries are ADDITIONAL entries, which also gives the Property ability
// to set these entries manually
// example: adding a K8S name like "oom"
- // this will allow Registrations to pick up
+ // this will allow Registrations to pick up
// locator_ns.oom for onap's "OOM" based k8s entries, etc.
public static final String AAF_LOCATOR_CONTAINER="aaf_locator_container";
- // An ID for another Container, to be used to avoid picking up the wrong internal info
+ // An ID for another Container, to be used to avoid picking up the wrong internal info
// for another container.
public static final String AAF_LOCATOR_CONTAINER_ID = "aaf_locator_container_id";
public static final String AAF_LOCATOR_CONTAINER_NS = "aaf_locator_container_ns";
public static final String AAF_LOCATOR_PUBLIC_PORT = "aaf_locator_public_port";
public static final String AAF_LOCATOR_PUBLIC_FQDN = "aaf_locator_public_fqdn";
public static final String AAF_LOCATOR_PUBLIC_NAME = "aaf_locator_public_name";
-
+
// AAF Service will write to the Audit Log if a past due AAF stored Password
// is being used within # of days specified.
public static final String AAF_CRED_WARN_DAYS="aaf_cred_warn_days";
public static final String AAF_CONN_TIMEOUT_DEF = "3000";
public static final String AAF_CONN_IDLE_TIMEOUT = "aaf_conn_idle_timeout"; // only for Direct Jetty Access.
public static final String AAF_CONN_IDLE_TIMEOUT_DEF = "10000"; // only for Direct Jetty Access.
-
+
// Default Classes: These are for Class loading to avoid direct compile links
public static final String AAF_TAF_CLASS_DEF = "org.onap.aaf.cadi.aaf.v2_0.AAFTaf";
public static final String AAF_LOCATOR_CLASS_DEF = "org.onap.aaf.cadi.aaf.v2_0.AAFLocator";
public static final String AAF_CLEAN_INTERVAL_DEF = "30000"; // Default is 30 seconds
public static final String AAF_REFRESH_TRIGGER_COUNT = "aaf_refresh_trigger_count";
public static final String AAF_REFRESH_TRIGGER_COUNT_DEF = "3"; // Default is 10 mins
-
+
public static final String AAF_HIGH_COUNT = "aaf_high_count";
public static final String AAF_HIGH_COUNT_DEF = "1000"; // Default is 1000 entries
public static final String AAF_PERM_MAP = "aaf_perm_map";
public static final String AAF_OAUTH2_INTROSPECT_URL = "aaf_oauth2_introspect_url";
public static final String AAF_ALT_OAUTH2_TOKEN_URL = "aaf_alt_oauth2_token_url";
public static final String AAF_ALT_OAUTH2_INTROSPECT_URL = "aaf_alt_oauth2_introspect_url";
- public static final String AAF_ALT_OAUTH2_DOMAIN = "aaf_alt_oauth2_domain";
+ public static final String AAF_ALT_OAUTH2_DOMAIN = "aaf_alt_oauth2_domain";
public static final String AAF_ALT_CLIENT_ID = "aaf_alt_oauth2_client_id";
public static final String AAF_ALT_CLIENT_SECRET = "aaf_alt_oauth2_client_secret";
public static final String AAF_OAUTH2_HELLO_URL = "aaf_oauth2_hello_url";
// IMPORTANT! Don't attempt to load AAF Connector if there is no AAF URL
String aafURL = logProp(rph, AAF_URL,null);
if (!hasDirectAAF && aafcon==null && aafURL!=null) {
- aafcon = loadAAFConnector(si, aafURL);
+ aafcon = loadAAFConnector(si, aafURL);
}
-
+
HttpTaf taf;
// Setup Host, in case Network reports an unusable Hostname (i.e. VTiers, VPNs, etc)
String hostname = logProp(access, HOSTNAME,null);
throw new CadiException("Unable to determine Hostname",e1);
}
}
-
+
access.log(Level.INIT, "Hostname set to",hostname);
// Get appropriate TAFs
ArrayList<Priori<HttpTaf>> htlist = new ArrayList<>();
} else {
access.log(Level.INIT,"Certificate Authorization not enabled");
}
-
+
/////////////////////////////////////////////////////
// Configure Basic Auth (local content)
/////////////////////////////////////////////////////
} else {
access.log(Level.INIT,"Local Basic Authorization is disabled. Enable by setting basicRealm=<appropriate realm, i.e. my.att.com>");
}
-
+
/////////////////////////////////////////////////////
// Configure AAF Driven Basic Auth
/////////////////////////////////////////////////////
access.log(Level.INIT,"AAF Connection (AAFcon) is null. Cannot create an AAF TAF");
} else if (aafURL==null) {
access.log(Level.INIT,"No AAF URL in properties, Cannot create an AAF TAF");
- } else {// There's an AAF_URL... try to configure an AAF
+ } else {// There's an AAF_URL... try to configure an AAF
String aafTafClassName = logProp(access, AAF_TAF_CLASS,AAF_TAF_CLASS_DEF);
// Only 2.0 available at this time
- if (AAF_TAF_CLASS_DEF.equals(aafTafClassName)) {
+ if (AAF_TAF_CLASS_DEF.equals(aafTafClassName)) {
try {
Class<?> aafTafClass = loadClass(access,aafTafClassName);
if (aafTafClass!=null) {
}
}
}
-
+
/////////////////////////////////////////////////////
// Configure OAuth TAF
/////////////////////////////////////////////////////
access.log(Level.INIT,"OAuth TAF is not configured");
}
}
-
+
/////////////////////////////////////////////////////
// Adding BasicAuth (AAF) last, after other primary Cookie Based
// Needs to be before Cert... see below
if (aaftaf!=null) {
htlist.add(new Priori<HttpTaf>(aaftaf,40));
}
- }
+ }
/////////////////////////////////////////////////////
// Any Additional Tafs passed in Constructor
}
}
}
-
+
// Add BasicAuth, if any, to x509Taf
if (x509TAF!=null) {
for ( Priori<HttpTaf> ht : htlist) {
}
}
}
-
+
/////////////////////////////////////////////////////
// Additional TAFs by Plugin
/////////////////////////////////////////////////////
Priori.add(access, CADI_ADD_TAFS, htlist);
-
+
/////////////////////////////////////////////////////
// Create EpiTaf from configured TAFs
/////////////////////////////////////////////////////
access.log(Level.INIT, sb);
Locator<URI> locator = loadLocator(si, aafURL);
-
+
taf = new HttpEpiTaf(access,locator, tc, htarray); // ok to pass locator == null
String level = logProp(access, CADI_LOGLEVEL, null);
if (level!=null) {
access.setLogLevel(Level.valueOf(level));
}
}
-
+
return taf;
}
-
+
public static String logProp(RegistrationPropHolder rph, String tag, String def) {
String rv = rph.access().getProperty(tag, def);
if (rv == null) {
rph.access().log(Level.INIT,tag,"is set to",rv);
}
return rv;
-
+
}
-
+
public static String logProp(Access access,String tag, String def) {
String rv = access.getProperty(tag, def);
if (rv == null) {
}
return rv;
}
-
+
public static Lur configLur(SecurityInfoC<HttpURLConnection> si, Connector con, Object ... additionalTafLurs) throws CadiException {
Access access = si.access;
RegistrationPropHolder rph;
}
List<Priori<Lur>> lurs = new ArrayList<>();
-
+
/////////////////////////////////////////////////////
// Configure a Local Property Based RBAC/LUR
/////////////////////////////////////////////////////
if (groups!=null || users!=null) {
LocalLur ll = new LocalLur(access, users, groups); // note b64==null is ok.. just means no encryption.
lurs.add(new Priori<Lur>(ll,10));
-
+
String writeto = access.getProperty(WRITE_TO,null);
if (writeto!=null) {
String msg = UsersDump.updateUsers(writeto, ll);
msg = e.getCause().getMessage();
}
access.log(Level.INIT,"AAF/OAuth LUR is not instantiated.",msg,e);
- }
+ }
} else {
access.log(Level.INIT, "OAuth2 Lur disabled");
}
if (con!=null) { // try to reutilize connector
lurs.add(new Priori<Lur>(con.newLur(),30));
- } else {
+ } else {
/////////////////////////////////////////////////////
// Configure the AAF Lur (if any)
/////////////////////////////////////////////////////
} else {// There's an AAF_URL... try to configure an AAF
String aafLurClassStr = logProp(access,AAF_LUR_CLASS,AAF_V2_0_AAF_LUR_PERM);
////////////AAF Lur 2.0 /////////////
- if (aafLurClassStr!=null && aafLurClassStr.startsWith(AAF_V2_0)) {
+ if (aafLurClassStr!=null && aafLurClassStr.startsWith(AAF_V2_0)) {
try {
Object aafcon = loadAAFConnector(si, aafURL);
if (aafcon==null) {
if (aafAbsAAFCon!=null) {
Method mNewLur = aafAbsAAFCon.getMethod("newLur");
Object aaflur = mNewLur.invoke(aafcon);
-
+
if (aaflur==null) {
access.log(Level.INIT,"ERROR! AAF LUR Failed construction. NOT Configured");
} else {
} catch (Exception e) {
access.log(e,"AAF LUR class,",aafLurClassStr,"could not be constructed with given Constructors.");
}
- }
+ }
}
}
}
/////////////////////////////////////////////////////
// Additional LURs by Plugin
/////////////////////////////////////////////////////
- Priori.add(access, CADI_ADD_LURS, lurs);
+ Priori.add(access, CADI_ADD_LURS, lurs);
/////////////////////////////////////////////////////
- // Return a Lur based on how many there are...
+ // Return a Lur based on how many there are...
/////////////////////////////////////////////////////
switch(lurs.size()) {
- case 0:
+ case 0:
access.log(Level.INIT,"WARNING! No CADI LURs configured");
// Return a NULL Lur that does nothing.
return new NullLur();
return new EpiLur(la);
}
}
-
+
private static boolean hasDirect(String simpleClassName, Object[] additionalTafLurs) {
if (additionalTafLurs!=null) {
for (Object tf : additionalTafLurs) {
locator = (Locator<URI>)cnst.newInstance(new Object[] {si,locatorURI});
int port = fui.getPort();
String portS = port<0?"":(":"+port);
-
+
access.log(Level.INFO, "AAFLocator enabled using " + locatorURI.getScheme() +"://"+fui.getHost() + portS);
} else {
access.log(Level.INFO, "AAFLocator enabled using preloaded " + locator.getClass().getSimpleName());
public static String getDefaultRealm() {
return defaultRealm;
}
-
+
public static String getAAFLocateUrl(Access access) {
String rv = null;
String cont = access.getProperty(AAF_LOCATOR_CONTAINER,null);
private static class Priori<T> implements Comparable<Priori<T>> {
public final T t;
public final int priority;
-
+
public Priori(final T t, final int priority) {
this.t = t;
this.priority = priority;
access.printf(Level.ERROR, "%s format is <classname>,priority[;...]\n",CADI_ADD_TAFS);
}
}
-
+
if(clssn!=null) {
Class<?> cls = loadClass(access, clssn);
if(cls!=null) {
} catch (InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
String hostname = access.getProperty(Config.HOSTNAME,null);
if(hostname==null) {
- access.printf(Level.ERROR, "%s cannot be constructed on this machine. Set valid 'hostname' in your properties\n",clssn);
+ access.printf(Level.ERROR, "%s cannot be constructed on this machine. Set valid 'hostname' in your properties\n",clssn);
} else {
access.printf(Level.ERROR, "%s cannot be constructed on %s with Access.\n",clssn, hostname);
}
Code Review / aaf / authz.git / blobdiff