1 /*******************************************************************************\r
2  * ============LICENSE_START====================================================\r
3  * * org.onap.aaf\r
4  * * ===========================================================================\r
5  * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
6  * * ===========================================================================\r
7  * * Licensed under the Apache License, Version 2.0 (the "License");\r
8  * * you may not use this file except in compliance with the License.\r
9  * * You may obtain a copy of the License at\r
10  * * \r
11  *  *      http://www.apache.org/licenses/LICENSE-2.0\r
12  * * \r
13  *  * Unless required by applicable law or agreed to in writing, software\r
14  * * distributed under the License is distributed on an "AS IS" BASIS,\r
15  * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
16  * * See the License for the specific language governing permissions and\r
17  * * limitations under the License.\r
18  * * ============LICENSE_END====================================================\r
19  * *\r
20  * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
21  * *\r
22  ******************************************************************************/\r
23 package org.onap.aaf.cadi.filter;\r
24 \r
25 import java.io.IOException;\r
26 import java.util.ArrayList;\r
27 import java.util.List;\r
28 \r
29 import javax.servlet.http.HttpServletRequest;\r
30 import javax.servlet.http.HttpServletResponse;\r
31 \r
32 import org.onap.aaf.cadi.Access;\r
33 import org.onap.aaf.cadi.CadiException;\r
34 import org.onap.aaf.cadi.CadiWrap;\r
35 import org.onap.aaf.cadi.Connector;\r
36 import org.onap.aaf.cadi.CredVal;\r
37 import org.onap.aaf.cadi.Lur;\r
38 import org.onap.aaf.cadi.Taf;\r
39 import org.onap.aaf.cadi.TrustChecker;\r
40 import org.onap.aaf.cadi.Access.Level;\r
41 import org.onap.aaf.cadi.config.Config;\r
42 import org.onap.aaf.cadi.lur.EpiLur;\r
43 import org.onap.aaf.cadi.taf.HttpTaf;\r
44 import org.onap.aaf.cadi.taf.TafResp;\r
45 import org.onap.aaf.cadi.util.UserChainManip;\r
46 \r
47 /**\r
48  * Encapsulate common HTTP Manipulation Behavior.  It will appropriately set\r
49  * HTTPServletResponse for Redirect or Forbidden, as needed.\r
50  * \r
51  * Further, this is useful, because it avoids multiple creates of Connections, where some Filters\r
52  * are created and destroyed regularly.\r
53  * \r
54  *\r
55  *\r
56  */\r
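public class CadiHTTPManip {
    private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
    private static final String METH = "OPTIONS";
    private static final String CADI = "/cadi/";
    private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
    private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";
    private static final String CADI_LOG_SET = "/cadi/log/set/";
    /** Namespace used for the control permissions when no id/namespace can be derived. */
    private static final String DEFAULT_NS = "com";
    // Dedicated monitor for construction. Synchronizing on a String literal (the previous
    // lock) shares the monitor with any other code that happens to lock the same interned literal.
    private static final Object INIT_LOCK = new Object();

    private final Access access;
    private final HttpTaf taf;
    private final CredVal up;
    private Lur lur; // set to null by destroy()
    /** Permission granting control of this specific instance: {@code <ns>.access|cadi|control}. */
    private final String thisPerm;
    /** Permission granting control at company level: {@code <first two ns segments>.access|cadi|control}. */
    private final String companyPerm;
    /** Configured CADI alias / mechid; may be null when neither property is set. */
    private final String aaf_id;

    public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems

    /**
     * Builds the Taf/Lur chain once, so that Filters which are created and destroyed
     * frequently can share it instead of re-creating Connections.
     *
     * @param access            CADI Access (properties and logging)
     * @param con               Connector whose Lur is reused; when {@code null} the Lur is built from configuration
     * @param tc                TrustChecker to bind to the resulting Lur
     * @param additionalTafLurs extra Taf/Lur instances; any {@link Lur} among them is chained behind the Connector's Lur
     * @throws CadiException if Taf or Lur configuration fails
     */
    public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
        synchronized (INIT_LOCK) {
            this.access = access;
            Config.setDefaultRealm(access);

            aaf_id = access.getProperty(Config.CADI_ALIAS, access.getProperty(Config.AAF_MECHID, null));
            if (aaf_id == null) {
                access.printf(Level.INIT, "%s is not set. %s can be used instead", Config.AAF_MECHID, Config.CADI_ALIAS);
            } else {
                access.printf(Level.INIT, "%s is set to %s", Config.AAF_MECHID, aaf_id);
            }

            String ns = aaf_id == null ? null : UserChainManip.idToNS(aaf_id);
            if (ns != null) {
                thisPerm = ns + ACCESS_CADI_CONTROL;
                companyPerm = companyNamespaceOf(ns) + ACCESS_CADI_CONTROL;
            } else {
                thisPerm = DEFAULT_NS + ACCESS_CADI_CONTROL;
                companyPerm = thisPerm;
            }

            // Reuse the Connector when one is supplied; otherwise fall back to configuration.
            lur = con != null ? buildLur(con, additionalTafLurs) : Config.configLur(access, additionalTafLurs);
            tc.setLur(lur);

            if (lur instanceof EpiLur) {
                up = ((EpiLur) lur).getUserPassImpl();
            } else if (lur instanceof CredVal) {
                up = (CredVal) lur;
            } else {
                up = null;
            }
            taf = Config.configHttpTaf(access, tc, up, lur, additionalTafLurs);
        }
    }

    /**
     * Derives the company-level namespace from a full namespace: the first two dot-separated
     * segments ({@code a.b.c} -> {@code a.b}), the single segment when there is only one dot
     * ({@code a.b} -> {@code a}), or {@link #DEFAULT_NS} when there is no dot at all.
     */
    private static String companyNamespaceOf(String ns) {
        int dot = ns.indexOf('.');
        if (dot < 0) {
            return DEFAULT_NS;
        }
        int dot2 = ns.indexOf('.', dot + 1);
        if (dot2 < 0) {
            dot2 = dot;
        }
        return ns.substring(0, dot2);
    }

    /**
     * Reuses the Connector's Lur, chaining any Lur found in {@code additional} behind it in an EpiLur.
     * The Connector's Lur is created lazily so nothing extra is built when there is nothing to chain.
     *
     * @throws CadiException if the Connector cannot create its Lur
     */
    private static Lur buildLur(Connector con, Object[] additional) throws CadiException {
        List<Lur> chain = null;
        if (additional != null) {
            for (Object o : additional) {
                if (o instanceof Lur) {
                    if (chain == null) {
                        chain = new ArrayList<Lur>();
                        chain.add(con.newLur());
                    }
                    chain.add((Lur) o);
                }
            }
        }
        if (chain == null) {
            return con.newLur();
        }
        // List.toArray() with no argument returns Object[]; the former cast to Lur[] threw
        // ClassCastException at runtime. Use the typed overload instead.
        return new EpiLur(chain.toArray(new Lur[chain.size()]));
    }

    /**
     * Runs the configured Taf chain against the request and logs the outcome.
     * When authentication fails, or no Taf will handle the request, a 403 is written to
     * {@code hresp}; a Taf may instead have issued a redirect itself.
     *
     * @param hreq  incoming request
     * @param hresp response to write errors to
     * @return the TafResp produced by the chain, for the caller to act on
     * @throws IOException if writing the error response fails
     */
    public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp) throws IOException {
        TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp);
        switch (tresp.isAuthenticated()) {
            case IS_AUTHENTICATED:
                logAuthenticated(tresp, hreq);
                break;
            case TRY_AUTHENTICATING:
                switch (tresp.authenticate()) {
                    case IS_AUTHENTICATED:
                        logAuthenticated(tresp, hreq);
                        break;
                    case HTTP_REDIRECT_INVOKED:
                        access.log(Level.INFO, "Authenticating via redirection: ", tresp.desc());
                        break;
                    case NO_FURTHER_PROCESSING:
                        access.printf(Level.AUDIT, "Authentication Failure: %s from %s:%d",
                                tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
                        hresp.sendError(403, tresp.desc()); // Forbidden
                        break;
                    default:
                        access.printf(Level.AUDIT, "No TAF will authorize for request from %s:%d",
                                hreq.getRemoteAddr(), hreq.getRemotePort());
                        hresp.sendError(403, tresp.desc()); // Forbidden
                }
                break;
            case NO_FURTHER_PROCESSING:
                access.printf(Level.AUDIT, "Authentication Failure: %s from %s:%d",
                        tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
                hresp.sendError(403, "Access Denied"); // FORBIDDEN
                break;
            default:
                access.printf(Level.AUDIT, "No TAF will authorize for request from %s:%d",
                        hreq.getRemoteAddr(), hreq.getRemotePort());
                hresp.sendError(403, "Access Denied"); // FORBIDDEN
        }
        return tresp;
    }

    /** Logs a successful authentication with the caller's remote address and port. */
    private void logAuthenticated(TafResp tresp, HttpServletRequest hreq) {
        access.printf(Level.INFO, "Authenticated: %s from %s:%d",
                tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
    }

    /**
     * Serves the built-in CADI control endpoints ({@code OPTIONS} on a {@code /cadi/...} path):
     * cache print, cache clear and log-level set. Only the configured CADI id, or a holder of the
     * instance or company control permission, may use them.
     *
     * @param req  wrapped request
     * @param resp response to write the endpoint output to
     * @return {@code true} when this is not a CADI control request (normal processing should
     *         continue); {@code false} when it was handled here and the response is complete
     */
    public boolean notCadi(CadiWrap req, HttpServletResponse resp) {
        String pathInfo = req.getPathInfo();
        if (!METH.equalsIgnoreCase(req.getMethod()) || pathInfo == null || !pathInfo.contains(CADI)) {
            return true;
        }
        if (!isCadiController(req)) {
            return true;
        }
        try {
            if (pathInfo.contains(CADI_CACHE_PRINT)) {
                resp.getOutputStream().println(lur.toString());
                resp.setStatus(200);
                return false;
            } else if (pathInfo.contains(CADI_CACHE_CLEAR)) {
                StringBuilder report = new StringBuilder();
                lur.clear(req.getUserPrincipal(), report);
                resp.getOutputStream().println(report.toString());
                resp.setStatus(200);
                return false;
            } else if (pathInfo.contains(CADI_LOG_SET)) {
                // The level name is the last path segment.
                setLogLevel(req, pathInfo.substring(pathInfo.lastIndexOf('/') + 1));
                return false;
            }
        } catch (IOException e) {
            access.log(e);
        }
        return true;
    }

    /**
     * Whether the caller may use the control endpoints: the configured CADI id itself, or a
     * holder of either control permission.
     */
    private boolean isCadiController(CadiWrap req) {
        // aaf_id may be unset and getUser() may be null; compare null-safely rather than NPE.
        return (aaf_id != null && aaf_id.equals(req.getUser()))
                || req.isUserInRole(thisPerm)
                || req.isUserInRole(companyPerm);
    }

    /** Applies a new CADI log level from its name, auditing both success and an unknown name. */
    private void setLogLevel(CadiWrap req, String level) {
        try {
            Level l = Level.valueOf(level);
            access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'", req.getUser(), l.name());
            access.setLogLevel(l);
        } catch (IllegalArgumentException e) {
            access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level", level);
        }
    }

    /** @return the Lur built at construction, or {@code null} after {@link #destroy()} */
    public Lur getLur() {
        return lur;
    }

    /** Destroys the Lur (once) and releases the reference; safe to call more than once. */
    public void destroy() {
        access.log(Level.INFO, "CadiHttpChecker destroyed.");
        if (lur != null) {
            lur.destroy();
            lur = null;
        }
    }

    /** @return the Access this instance was constructed with */
    public Access getAccess() {
        return access;
    }

}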