shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java

   1 /**
   2  * ============LICENSE_START====================================================
   3  * org.onap.aaf
   4  * ===========================================================================
   5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
   6  * ===========================================================================
   7  * Licensed under the Apache License, Version 2.0 (the "License");
   8  * you may not use this file except in compliance with the License.
   9  * You may obtain a copy of the License at
  10  *
  11  *      http://www.apache.org/licenses/LICENSE-2.0
  12  *
  13  * Unless required by applicable law or agreed to in writing, software
  14  * distributed under the License is distributed on an "AS IS" BASIS,
  15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16  * See the License for the specific language governing permissions and
  17  * limitations under the License.
  18  * ============LICENSE_END====================================================
  19  *
  20  */
  21 package org.onap.aaf.cadi.shiro;
  22
  23 import java.io.IOException;
  24 import java.io.PrintStream;
  25 import java.security.Principal;
  26 import java.util.ArrayList;
  27 import java.util.HashSet;
  28 import java.util.List;
  29 import java.util.Map;
  30 import java.util.Map.Entry;
  31 import java.util.TreeMap;
  32
  33 import org.apache.log4j.Logger;
  34 import org.apache.log4j.PropertyConfigurator;
  35 import org.apache.shiro.authc.AuthenticationException;
  36 import org.apache.shiro.authc.AuthenticationInfo;
  37 import org.apache.shiro.authc.AuthenticationToken;
  38 import org.apache.shiro.authc.UsernamePasswordToken;
  39 import org.apache.shiro.realm.AuthorizingRealm;
  40 import org.apache.shiro.subject.PrincipalCollection;
  41 import org.onap.aaf.cadi.Access.Level;
  42 import org.onap.aaf.cadi.CadiException;
  43 import org.onap.aaf.cadi.LocatorException;
  44 import org.onap.aaf.cadi.Permission;
  45 import org.onap.aaf.cadi.PropAccess;
  46 import org.onap.aaf.cadi.Symm;
  47 import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
  48 import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
  49 import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
  50 import org.onap.aaf.cadi.config.Config;
  51 import org.onap.aaf.cadi.filter.MapBathConverter;
  52 import org.onap.aaf.cadi.util.CSV;
  53 import org.onap.aaf.misc.env.APIException;
  54 public class AAFRealm extends AuthorizingRealm {
  55
  56         final static Logger logger = Logger.getLogger(AAFRealm.class);
  57
  58         public static final String AAF_REALM = "AAFRealm";
  59
  60         private PropAccess access;
  61         private AAFCon<?> acon;
  62         private AAFAuthn<?> authn;
  63         private HashSet<Class<? extends AuthenticationToken>> supports;
  64         private AAFLurPerm authz;
  65         private MapBathConverter mbc;
  66         private Map<String,String> idMap;
  67
  68
  69         /**
  70          *
  71          * There appears to be no configuration objects or references available for CADI to start with.
  72          *
  73          */
  74         public AAFRealm () {
  75                 access = new PropAccess(); // pick up cadi_prop_files from VM_Args
  76                 mbc = null;
  77                 idMap = null;
  78                 String cadi_prop_files = access.getProperty(Config.CADI_PROP_FILES);
  79                 if(cadi_prop_files==null) {
  80                         String msg = Config.CADI_PROP_FILES + " in VM Args is required to initialize AAFRealm.";
  81                         access.log(Level.INIT,msg);
  82                         throw new RuntimeException(msg);
  83                 } else {
  84                         try {
  85                                 String log4jConfigFile = "./etc/org.ops4j.pax.logging.cfg";
  86                         PropertyConfigurator.configure(log4jConfigFile);
  87                         System.setOut(createLoggingProxy(System.out));
  88                         System.setErr(createLoggingProxy(System.err));
  89                         } catch(Exception e) {
  90                                 e.printStackTrace();
  91                         }
  92                         //System.out.println("Configuration done");
  93                         try {
  94                                 acon = AAFCon.newInstance(access);
  95                                 authn = acon.newAuthn();
  96                                 authz = acon.newLur(authn);
  97
  98                                 final String csv = access.getProperty(Config.CADI_BATH_CONVERT);
  99                                 if(csv!=null) {
 100                                         try {
 101                                                 mbc = new MapBathConverter(access, new CSV(csv));
 102                                                 logger.info("MapBathConversion enabled with file "+csv);
 103                                                 idMap = new TreeMap<String,String>();
 104                                                 // Load
 105                                                 for(Entry<String, String> es : mbc.map().entrySet()) {
 106                                                         String oldID = es.getKey();
 107                                                         if(oldID.startsWith("Basic ")) {
 108                                                                 oldID = Symm.base64noSplit.decode(oldID.substring(6));
 109                                                                 int idx = oldID.indexOf(':');
 110                                                                 if(idx>=0) {
 111                                                                         oldID = oldID.substring(0, idx);
 112                                                                 }
 113                                                         }
 114                                                         String newID = es.getValue();
 115                                                         if(newID.startsWith("Basic ")) {
 116                                                                 newID = Symm.base64noSplit.decode(newID.substring(6));
 117                                                                 int idx = newID.indexOf(':');
 118                                                                 if(idx>=0) {
 119                                                                         newID = newID.substring(0, idx);
 120                                                                 }
 121                                                         }
 122                                                         idMap.put(oldID,newID);
 123                                                 }
 124                                         } catch (IOException e) {
 125                                                 logger.error(e.getMessage(), e);
 126                                         }
 127                                 }
 128                         } catch (APIException | CadiException | LocatorException e) {
 129                                 String msg = "Cannot initiate AAFRealm";
 130                                 logger.info(msg + " "+ e.getMessage(), e);
 131                                 throw new RuntimeException(msg,e);
 132                         }
 133                 }
 134                 supports = new HashSet<Class<? extends AuthenticationToken>>();
 135                 supports.add(UsernamePasswordToken.class);
 136         }
 137         public static PrintStream createLoggingProxy(final PrintStream realPrintStream) {
 138         return new PrintStream(realPrintStream) {
 139             public void print(final String string) {
 140                 realPrintStream.print(string);
 141                 logger.info(string);
 142             }
 143         };
 144     }
 145
 146         @Override
 147         protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
 148                 logger.debug("AAFRealm.doGetAuthenticationInfo :"+token);
 149
 150                 final UsernamePasswordToken upt = (UsernamePasswordToken)token;
 151                 final String user = upt.getUsername();
 152                 String authUser = user;
 153                 final String password=new String(upt.getPassword());
 154                 String authPassword = password;
 155                 if(mbc!=null) {
 156                         try {
 157                                 final String oldBath = "Basic " + Symm.base64noSplit.encode(user+':'+password);
 158                                 String bath = mbc.convert(access, oldBath);
 159                                 if(bath!=oldBath) {
 160                                         bath = Symm.base64noSplit.decode(bath.substring(6));
 161                                         int colon = bath.indexOf(':');
 162                                         if(colon>=0) {
 163                                                 authUser = bath.substring(0, colon);
 164                                                 authPassword = bath.substring(colon+1);
 165                                         }
 166                                 }
 167                         } catch (IOException e) {
 168                                 logger.error(e.getMessage(), e);
 169                         }
 170                 }
 171                 String err;
 172                 try {
 173                         err = authn.validate(authUser,authPassword);
 174                 } catch (IOException e) {
 175                         err = "Credential cannot be validated";
 176                         logger.error(err, e);
 177                 }
 178
 179                 if(err != null) {
 180                         logger.debug(err);
 181                         throw new AuthenticationException(err);
 182                 }
 183
 184             return new AAFAuthenticationInfo(
 185                         access,
 186                         user,
 187                         password
 188             );
 189         }
 190
 191         @Override
 192         protected void assertCredentialsMatch(AuthenticationToken atoken, AuthenticationInfo ai)throws AuthenticationException {
 193                 if(ai instanceof AAFAuthenticationInfo) {
 194                         if(!((AAFAuthenticationInfo)ai).matches(atoken)) {
 195                                 throw new AuthenticationException("Credentials do not match");
 196                         }
 197                 } else {
 198                         throw new AuthenticationException("AuthenticationInfo is not an AAFAuthenticationInfo");
 199                 }
 200         }
 201
 202
 203         @Override
 204         protected AAFAuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
 205                 logger.debug("AAFRealm.doGetAuthenthorizationInfo");
 206                 Principal bait = (Principal)principals.getPrimaryPrincipal();
 207                 Principal newBait = bait;
 208                 if(idMap!=null) {
 209                         final String newID = idMap.get(bait.getName());
 210                         if(newID!=null) {
 211                                 newBait = new Principal() {
 212                                         @Override
 213                                         public String getName() {
 214                                                 return newID;
 215                                         }
 216                                 };
 217                         }
 218                 }
 219                 List<Permission> pond = new ArrayList<>();
 220                 authz.fishAll(newBait,pond);
 221
 222                 return new AAFAuthorizationInfo(access,bait,pond);
 223
 224         }
 225
 226         @Override
 227         public boolean supports(AuthenticationToken token) {
 228                 return supports.contains(token.getClass());
 229         }
 230
 231         @Override
 232         public String getName() {
 233                 return AAF_REALM;
 234         }
 235
 236 }