From: dglFromAtt Date: Wed, 22 Aug 2018 19:20:07 +0000 (-0400) Subject: Refactor Api Auth for AAF X-Git-Tag: 1.0.16~39 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=dmaap%2Fdbcapi.git;a=commitdiff_plain;h=4a0a3c6f656d35483b4918b6041ea0aea48f4e32 Refactor Api Auth for AAF - patchset 2- correct artifact.version in pom - patchset 3- reference cadi SNAPSHOT version Change-Id: I19f61f277be1daf30242afe606755a90058d6026 Signed-off-by: dglFromAtt Issue-ID: DMAAP-532 Signed-off-by: dglFromAtt
---
diff --git a/pom.xml b/pom.xml
index c3f39b2..4853b5c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -196,6 +196,12 @@ + + org.onap.aaf.authz + aaf-cadi-aaf + 2.1.2-SNAPSHOT + full + com.fasterxml.jackson.core jackson-annotations
@@ -344,7 +350,7 @@ UTF-8 9.3.9.v20160517 0.0.1 - 1.0.11-SNAPSHOT + 1.0.12-SNAPSHOT 0.7.7.201606060606 3.2
diff --git a/src/main/java/org/onap/dmaap/dbcapi/aaf/AafLurService.java b/src/main/java/org/onap/dmaap/dbcapi/aaf/AafLurService.java
new file mode 100644
index 0000000..cb0be04
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dbcapi/aaf/AafLurService.java
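Review bot: The new `aaf-cadi-aaf` dependency is declared at `2.1.2-SNAPSHOT`, so each build resolves whatever the repository currently publishes under that snapshot instead of a fixed artifact, and this is the library that now performs credential validation and permission lookup. The commit message records the snapshot reference as deliberate for patchset 3, but a build tagged from this state is not reproducible and an upstream change lands in the authorization path without a code review here; pin a released `aaf-cadi-aaf` version before tagging. The second hunk is only the module version bump.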
@@ -0,0 +1,141 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.dmaap.dbcapi.aaf;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.log4j.Logger;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+import org.onap.aaf.cadi.principal.UnAuthPrincipal;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.dmaap.dbcapi.logging.BaseLoggingClass;
+import org.onap.dmaap.dbcapi.logging.DmaapbcLogMessageEnum;
+import org.onap.dmaap.dbcapi.util.DmaapConfig;
+
+/*
+ * this service uses the AAF Lur object to lookup identities and perms
+ */
+public class AafLurService extends BaseLoggingClass {
+
+
+ private static AAFConHttp aafcon;
+ private static AAFLurPerm aafLur;
+ private static AAFAuthn aafAuthn;
+
+
+ /*
+ * singleton pattern suggested by AAF
+ */
+ private static AafLurService singleton;
+ private AafLurService() {}
+
+
+
+ private static void init( Access myAccess ) throws APIException, CadiException, LocatorException {
+ appLogger.info( "myAccess=" + myAccess );
+ try {
+ aafcon = new AAFConHttp( myAccess );
+ } catch ( CadiException | LocatorException e) {
+ appLogger.error( "Failure of AAFConHttp: " + e.getMessage() );
+ errorLogger.error( "Failure of AAFConHttp: " + e.getMessage() );
+ e.printStackTrace();
+ throw e;
+ }
+ try {
+ aafLur = aafcon.newLur();
+ } catch ( CadiException e) {
+ appLogger.error( "Failure of newLur(): " + e.getMessage() );
+ errorLogger.error( "Failure of newLur(): " + e.getMessage() );
+ e.printStackTrace();
+ throw e;
+ }
+ aafAuthn = aafcon.newAuthn( aafLur );
+ }
+
+ public static synchronized AafLurService getInstance( Access myAccess ) throws APIException, CadiException, LocatorException{
+ if ( singleton == null ) {
+ singleton = new AafLurService();
+ try {
+ init( myAccess );
+ } catch (APIException | CadiException | LocatorException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ throw e;
+ }
+
+ }
+ return singleton;
+ }
+
+
+ public boolean checkPerm(String ns, String fqi, String pwd, DmaapPerm p) throws IOException, CadiException {
+
+ boolean rc = false;
+
+ if ( aafAuthn == null ) {
+ appLogger.error( "AafLurService: aafAuthn not set as expected.");
+ return rc;
+ }
+
+ String ok = aafAuthn.validate( fqi, pwd );
+ if ( ok != null ) {
+ appLogger.info( "FAILED validation of fqi=" + fqi + "with response:" + ok );
+ return rc;
+ }
+
+ Principal principal = new UnAuthPrincipal( fqi );
+ // if we pass ns as first arg to AAFPermission constructor it gets prpended to the instance...
+ // as in ns|instance|type|action. we don't want that.
+ Permission aafPerm = new AAFPermission( null, p.getPermission(), p.getPtype(), p.getAction());
+ if ( aafLur == null ) {
+ appLogger.error( "AafLurService: aafLur not set as expected.");
+ return rc;
+ }
+ rc = aafLur.fish( principal, aafPerm );
+ if (rc == true ) return rc;
+
+ List perms = new ArrayList();
+ aafLur.fishAll( principal, perms);
+ String key = aafPerm.getKey();
+ for ( Permission prm: perms ) {
+ if ( prm.getKey().equals( key )) {
+ appLogger.info( principal + " has MATCHING perm " + prm.getKey() );
+ } else {
+ appLogger.info( principal + " has non-matching perm " + prm.getKey() );
+ }
+ }
+
+
+ return rc;
+
+
+ }
+}
diff --git a/src/main/java/org/onap/dmaap/dbcapi/aaf/AafService.java b/src/main/java/org/onap/dmaap/dbcapi/aaf/AafService.java
index 01506bf..68fca79 100644
--- a/src/main/java/org/onap/dmaap/dbcapi/aaf/AafService.java
+++ b/src/main/java/org/onap/dmaap/dbcapi/aaf/AafService.java
@@ -20,13 +20,13 @@ package org.onap.dmaap.dbcapi.aaf;
-import java.io.IOException;
-
-import org.apache.log4j.Logger;
 import org.onap.dmaap.dbcapi.logging.BaseLoggingClass;
 import org.onap.dmaap.dbcapi.logging.DmaapbcLogMessageEnum;
 import org.onap.dmaap.dbcapi.util.DmaapConfig;
+/*
+ * this service uses the AAF REST API endpoints to provision values in AAF
+ */
 public class AafService extends BaseLoggingClass {
 public enum ServiceType {
 AAF_Admin,
@@ -38,11 +38,6 @@ public class AafService extends BaseLoggingClass {
 private String aafURL ;
 private boolean useAAF = false;
- public AafService() {
- DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
- useAAF= "true".equalsIgnoreCase(p.getProperty("UseAAF", "false"));
-
- }
 private String getCred( boolean wPwd ) {
 String mechIdProperty = null;
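Review bot: In `getInstance`, `singleton` is assigned before `init( myAccess )` is attempted, so when `AAFConHttp` or `newLur()` throws the exception propagates once and every later call returns the half-built singleton with `aafLur`/`aafAuthn` still null; `checkPerm` then answers false for the life of the process (closed, but unrecoverable without a restart) with only the "not set as expected" error to explain it. Reorder the try so construction follows initialization, `init( myAccess );` then `singleton = new AafLurService();`, leaving `singleton` null on failure so the next caller retries. In `checkPerm`, the block after a failed `fish` calls `fishAll` and logs every permission the caller holds at INFO without changing `rc`; that writes a caller's full entitlement list to the application log on each denied request and should be removed or dropped to DEBUG. `List perms = new ArrayList();` is a raw type, and `List<Permission> perms = new ArrayList<>();` matches the loop that follows. The `ns` parameter is unused, as the comment above `AAFPermission` explains, so either drop it or record that in a Javadoc on the method.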
@@ -88,6 +83,9 @@ public class AafService extends BaseLoggingClass {
 }
 private void initAafService( ServiceType t ) {
+ DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
+ useAAF= "true".equalsIgnoreCase(p.getProperty("UseAAF", "true"));
+
 ctype = t;
 aaf = new AafConnection( getCred( true ) );
 }
@@ -112,7 +110,7 @@ public class AafService extends BaseLoggingClass {
 break;
 case 201:
- logger.info( "expected response" );
+ logger.info( "expected response: " + rc);
 break;
 default :
 logger.error( "Unexpected response: " + rc );
@@ -187,4 +185,6 @@ public class AafService extends BaseLoggingClass {
 return rc;
 }
+
+
 }
diff --git a/src/main/java/org/onap/dmaap/dbcapi/authentication/AafLurAndFish.java b/src/main/java/org/onap/dmaap/dbcapi/authentication/AafLurAndFish.java
new file mode 100644
index 0000000..b699a29
--- /dev/null
+++ b/src/main/java/org/onap/dmaap/dbcapi/authentication/AafLurAndFish.java
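Review bot: The `UseAAF` default changes here from `"false"`, in the constructor the previous hunk removes, to `"true"`, so a deployment without an explicit `UseAAF` property now has the flag on as soon as `initAafService` runs; the commit message does not mention the flip, and because the field is now set only inside `initAafService`, any code reading `useAAF` before that call still sees the initializer `false`. If the new default is intended, say so in the commit message and next to the assignment, e.g. `// UseAAF defaults to true as of this change`; otherwise restore `p.getProperty("UseAAF", "false")`. Within `initAafService` itself the flag is set but never consulted, so its effect lives elsewhere in the class and outside this diff.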
@@ -0,0 +1,97 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * org.onap.dmaap
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.dmaap.dbcapi.authentication;
+
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.util.Properties;
+
+import org.apache.log4j.Logger;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.dmaap.dbcapi.aaf.AafLurService;
+import org.onap.dmaap.dbcapi.aaf.DmaapPerm;
+import org.onap.dmaap.dbcapi.logging.BaseLoggingClass;
+import org.onap.dmaap.dbcapi.server.Main;
+import org.onap.dmaap.dbcapi.util.DmaapConfig;
+
+
+
+
+public class AafLurAndFish implements ApiAuthorizationCheckInterface {
+ private AafLurService svc;
+ private static String api_namespace;
+ static final Logger logger = Logger.getLogger(AafLurAndFish.class);
+
+ AafLurAndFish() throws AuthenticationErrorException {
+
+ String[] args = new String[1];
+ DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
+ api_namespace = p.getProperty( "ApiNamespace", "org.onap.dmaap-bc.api");
+
+ String cadiprop = p.getProperty( "cadi.properties", "/opt/app/osaaf/local/org.onap.dmaap-bc.props");
+ logger.info( "cadiprops in " + cadiprop );
+ Properties props = new Properties();
+ try {
+ FileInputStream fis = new FileInputStream( cadiprop );
+ try {
+ props.load( fis );
+ } finally {
+ fis.close();
+ }
+ } catch ( IOException e ) {
+ logger.error( "Unable to load " + cadiprop );
+ throw new AuthenticationErrorException( );
+ }
+ try {
+ PropAccess myAccess = new PropAccess( props );
+
+ svc = AafLurService.getInstance(myAccess);
+ } catch (APIException | CadiException | LocatorException e ) {
+ logger.error( e.toString() );
+ throw new AuthenticationErrorException();
+ }
+
+ }
+
+ public void check( String mechid, String pwd, DmaapPerm p ) throws AuthenticationErrorException {
+
+ try {
+ boolean resp = svc.checkPerm( api_namespace, mechid, pwd, p );
+ if ( resp == false ) {
+ throw new AuthenticationErrorException();
+ }
+ } catch ( IOException | CadiException e ) {
+ logger.error( e.toString() );
+ throw new AuthenticationErrorException();
+ }
+
+ }
+
+ public static void main(String[] args) throws Exception {
+ AafLurAndFish alaf = new AafLurAndFish();
+ DmaapPerm p = new DmaapPerm( "org.onap.dmaap-bc.api.dmaap", "boot", "GET");
+
+ alaf.check("demo@people.osaaf.org", "demo123456!", p);
+ }
+}
diff --git a/src/main/java/org/onap/dmaap/dbcapi/authentication/ApiPermissionInterface.java b/src/main/java/org/onap/dmaap/dbcapi/authentication/ApiAuthorizationCheckInterface.java
similarity index 95%
rename from src/main/java/org/onap/dmaap/dbcapi/authentication/ApiPermissionInterface.java
rename to src/main/java/org/onap/dmaap/dbcapi/authentication/ApiAuthorizationCheckInterface.java
index fa695f9..a7f0d76 100644
--- a/src/main/java/org/onap/dmaap/dbcapi/authentication/ApiPermissionInterface.java
+++ b/src/main/java/org/onap/dmaap/dbcapi/authentication/ApiAuthorizationCheckInterface.java
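Review bot: `main` commits a working identity and password, `"demo@people.osaaf.org"` and `"demo123456!"`, into production source that ships in the jar and stays in git history; drop the method or take the identity and password from `args` or the environment so no secret is stored in code. The constructor declares `String[] args = new String[1]` and never uses it, and the nested `try`/`finally` around the `FileInputStream` can become `try (FileInputStream fis = new FileInputStream( cadiprop )) { props.load( fis ); }` since the file already relies on Java 7 multi-catch. Both the constructor and `check` throw `new AuthenticationErrorException()` without the cause, so the underlying `CadiException`/`LocatorException`/`IOException` survives only as `e.toString()` in the log; if `AuthenticationErrorException` has a constructor taking a cause, pass `e`. The `BaseLoggingClass` and `Main` imports are unused.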
@@ -22,7 +22,7 @@ package org.onap.dmaap.dbcapi.authentication;
 import org.onap.dmaap.dbcapi.aaf.DmaapPerm;
-public interface ApiPermissionInterface {
+public interface ApiAuthorizationCheckInterface {
 public void check( String mechid, String pwd, DmaapPerm p ) throws AuthenticationErrorException;
 }
diff --git a/src/main/java/org/onap/dmaap/dbcapi/authentication/ApiPolicy.java b/src/main/java/org/onap/dmaap/dbcapi/authentication/ApiPolicy.java
index 33d0786..6aa2d88 100644
--- a/src/main/java/org/onap/dmaap/dbcapi/authentication/ApiPolicy.java
+++ b/src/main/java/org/onap/dmaap/dbcapi/authentication/ApiPolicy.java
@@ -27,18 +27,21 @@ import org.onap.dmaap.dbcapi.util.DmaapConfig;
 public class ApiPolicy extends BaseLoggingClass {
 static String allow = "allow";
 String dClass = null;
- ApiPermissionInterface perm = null;
+ private boolean useAuthClass;
+ ApiAuthorizationCheckInterface perm = null;
 public ApiPolicy() {
 DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
 dClass = p.getProperty( "ApiPermission.Class", allow );
 logger.info( "ApiPolicy implements " + dClass);
 if ( dClass.equalsIgnoreCase( allow )) {
+ useAuthClass = false;
 return;
- }
-
+ }
+ useAuthClass = true;
+ logger.info( "dClass=" + dClass + " useAuthClass=" + useAuthClass );
 try {
- perm = (ApiPermissionInterface) (Class.forName(dClass).newInstance());
+ perm = (ApiAuthorizationCheckInterface) (Class.forName(dClass).newInstance());
 } catch (Exception ee ) {
 errorLogger.error(DmaapbcLogMessageEnum.UNEXPECTED_CONDITION, "attempting to instantiate " + dClass );
 errorLogger.error( "trace is: " + ee );
@@ -54,5 +57,9 @@ public class ApiPolicy extends BaseLoggingClass {
 perm.check( mechid, pwd, p );
 }
+
+ public boolean getUseAuthClass() {
+ return useAuthClass;
+ }
 }
diff --git a/src/main/java/org/onap/dmaap/dbcapi/service/ApiService.java b/src/main/java/org/onap/dmaap/dbcapi/service/ApiService.java
index e708043..6ae639d 100644
--- a/src/main/java/org/onap/dmaap/dbcapi/service/ApiService.java
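Review bot: `useAuthClass` is set to true before `Class.forName(dClass).newInstance()` is attempted, and the `catch (Exception ee)` only logs; the code after the catch is outside the hunk, but if the constructor returns normally `perm` stays null while `getUseAuthClass()` reports true, and the `perm.check( mechid, pwd, p )` in the next hunk dereferences null on the first request. That still denies the request, but as an unhandled `NullPointerException` rather than an authorization failure, and a mistyped `ApiPermission.Class` goes unnoticed until traffic arrives. Fail at construction instead, `throw new IllegalStateException("cannot instantiate " + dClass, ee);`, and do not fall back to `useAuthClass = false`, which would turn a configuration error into open access. `Class.newInstance()` also propagates the target constructor's checked exceptions unchecked and is deprecated since Java 9; `Class.forName(dClass).getDeclaredConstructor().newInstance()` avoids both.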
+++ b/src/main/java/org/onap/dmaap/dbcapi/service/ApiService.java
@@ -88,7 +88,7 @@ public class ApiService extends BaseLoggingClass {
 }
 private String apiNamespace;
- private boolean usePE;
+ private String uri;
 private String uriPath;
 private String method;
@@ -114,11 +114,12 @@ public class ApiService extends BaseLoggingClass {
 if (apiNamespace == null) {
 DmaapConfig p = (DmaapConfig)DmaapConfig.getConfig();
- usePE = "true".equalsIgnoreCase(p.getProperty("UsePE", "false"));
 apiNamespace = p.getProperty("ApiNamespace", "org.openecomp.dmaapBC.api");
+ logger.info( "config param usePE has been deprecated. Use ApiPermission.Class property instead.");
 }
 apiPolicy = new ApiPolicy();
- logger.info( "usePE=" + usePE + " apiNamespace=" + apiNamespace);
+
+ logger.info( "apiNamespace=" + apiNamespace);
 }
 public ApiService setAuth( String auth ) {
@@ -295,7 +296,7 @@ public class ApiService extends BaseLoggingClass {
 if ( env == null || env.isEmpty() ) {
 env = "boot";
 }
- if ( ! usePE ) return; // skip authorization if not enabled
+ if ( ! apiPolicy.getUseAuthClass() ) return; // skip authorization if not enabled
 if ( authorization == null || authorization.isEmpty()) {
 String errmsg = "No basic authorization value provided ";
 err.setMessage(errmsg);
diff --git a/src/main/java/org/onap/dmaap/dbcapi/util/DmaapConfig.java b/src/main/java/org/onap/dmaap/dbcapi/util/DmaapConfig.java
index eaa6672..cfcdc1c 100644
--- a/src/main/java/org/onap/dmaap/dbcapi/util/DmaapConfig.java
+++ b/src/main/java/org/onap/dmaap/dbcapi/util/DmaapConfig.java
@@ -47,4 +47,5 @@ public class DmaapConfig extends Properties {
 System.exit(1);
 }
 }
+
 }
diff --git a/version.properties b/version.properties
index 344bfdf..ec95b11 100644
--- a/version.properties
+++ b/version.properties
@@ -27,7 +27,7 @@ major=1
 minor=0
-patch=11
+patch=12
 base_version=${major}.${minor}.${patch}
 # Release must be completed with git revision # in Jenkins
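Review bot: The deprecation message added inside the `apiNamespace == null` block fires whether or not `UsePE` is present in the configuration, at INFO, and names the Java field (`usePE`) rather than the property; gate it on the property and raise the level, e.g. `if ( p.getProperty("UsePE") != null ) logger.warn( "config param UsePE is ignored; use ApiPermission.Class instead." );`. That matters because of the last hunk, where the early return now depends only on `apiPolicy.getUseAuthClass()`: a deployment that set `UsePE=false` next to a configured `ApiPermission.Class` was skipping authorization before this change and will enforce it after, which deserves a line in the commit message or release notes. Separately, `apiPolicy = new ApiPolicy()` sits outside that guard, and with `AafLurAndFish` each `ApiPolicy` performs a `Class.forName` and re-reads the cadi properties file; if `ApiService` is instantiated per request, constructing the policy once would avoid that cost.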