summaryrefslogtreecommitdiffstats
path: root/cadi/core
diff options
context:
space:
mode:
authorInstrumental <jonathan.gathman@att.com>2018-07-02 21:41:55 -0500
committerInstrumental <jonathan.gathman@att.com>2018-07-02 21:42:28 -0500
commitca76fbda94492f1b0c895ff0f4070381f17472f0 (patch)
tree8180941d2fdc474c282ac5272e014c2f45b7da48 /cadi/core
parentc060284812fbbc18fcf22eb628c47c251505fe50 (diff)
Add ability for BAuth by domain
Issue-ID: AAF-361 Change-Id: I6f437ffcfef5555f44acfb32fd6020f86f8cf403 Signed-off-by: Instrumental <jonathan.gathman@att.com>
Diffstat (limited to 'cadi/core')
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java25
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java37
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java13
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java19
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java45
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java21
-rw-r--r--cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java10
7 files changed, 133 insertions, 37 deletions
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java
new file mode 100644
index 00000000..e8a5c54b
--- /dev/null
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CredValDomain.java
@@ -0,0 +1,25 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi;
+
+public interface CredValDomain extends CredVal {
+ public String domain();
+}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java
index 9a0a53cf..b74ccb36 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java
@@ -42,6 +42,7 @@ import org.onap.aaf.cadi.CachingLur;
import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.Connector;
import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.CredValDomain;
import org.onap.aaf.cadi.Locator;
import org.onap.aaf.cadi.LocatorException;
import org.onap.aaf.cadi.Lur;
@@ -111,13 +112,6 @@ public class Config {
public static final String CADI_OAUTH2_URL="cadi_oauth2_url";
public static final String CADI_TOKEN_DIR = "cadi_token_dir";
- public static final String CSP_DOMAIN = "csp_domain";
- public static final String CSP_HOSTNAME = "csp_hostname";
- public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost";
- public static final String CSP_USER_HEADER = "CSP_USER";
- public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf";
- public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file";
-
public static final String HTTPS_PROTOCOLS = "https.protocols";
public static final String HTTPS_CIPHER_SUITES = "https.cipherSuites";
public static final String HTTPS_CLIENT_PROTOCOLS="jdk.tls.client.protocols";
@@ -277,7 +271,7 @@ public class Config {
/////////////////////////////////////////////////////
// Configure Client Cert TAF
/////////////////////////////////////////////////////
-
+ X509Taf x509TAF = null;
String truststore = logProp(access, CADI_TRUSTSTORE,null);
if(truststore!=null) {
String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD,null);
@@ -290,7 +284,7 @@ public class Config {
}
}
try {
- htlist.add(new X509Taf(access,lur));
+ htlist.add(x509TAF=new X509Taf(access,lur));
access.log(Level.INIT,"Certificate Authorization enabled");
} catch (SecurityException e) {
access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
@@ -339,7 +333,16 @@ public class Config {
if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.",
" There will be no additional warning if Basic Auth is used on an insecure channel"
);
- htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn));
+ BasicHttpTaf bht = new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn);
+ for(Object o : additionalTafLurs) {
+ if(o instanceof CredValDomain) {
+ bht.add((CredValDomain)o);
+ }
+ }
+ if(x509TAF!=null) {
+ x509TAF.add(bht);
+ }
+ htlist.add(bht);
access.log(Level.INIT,"Basic Authorization is enabled");
}
} else {
@@ -443,8 +446,18 @@ public class Config {
/////////////////////////////////////////////////////
if(additionalTafLurs!=null) {
for(Object additional : additionalTafLurs) {
- if(additional instanceof HttpTaf) {
- htlist.add((HttpTaf)additional);
+ if(additional instanceof BasicHttpTaf) {
+ BasicHttpTaf ht = (BasicHttpTaf)additional;
+ for(Object cv : additionalTafLurs) {
+ if(cv instanceof CredValDomain) {
+ ht.add((CredValDomain)cv);
+ access.printf(Level.INIT,"%s Authentication is enabled",cv);
+ }
+ }
+ htlist.add(ht);
+ } else if(additional instanceof HttpTaf) {
+ HttpTaf ht = (HttpTaf)additional;
+ htlist.add(ht);
access.printf(Level.INIT,"%s Authentication is enabled",additional.getClass().getSimpleName());
} else if(hasOAuthDirectTAF) {
Class<?> daupCls;
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
index 22ba702c..a235f1d4 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
@@ -36,11 +36,12 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred {
private String name = null;
private String shortName = null;
+ private String domain;
private byte[] cred = null;
-
private long created;
- public BasicPrincipal(String content,String domain) throws IOException {
+
+ public BasicPrincipal(String content,String defaultDomain) throws IOException {
created = System.currentTimeMillis();
ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes());
// Read past "Basic ", ensuring it starts with it.
@@ -61,13 +62,15 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred {
shortName=name.substring(0, at);
} else {
shortName = name;
- name = name + '@' + domain;
+ domain=defaultDomain;
+ name = name + '@' + defaultDomain;
}
}
public BasicPrincipal(BasicCred bc, String domain) {
name = bc.getUser();
cred = bc.getCred();
+ this.domain = domain;
}
private class BasicOS extends OutputStream {
@@ -102,6 +105,10 @@ public class BasicPrincipal extends BearerPrincipal implements GetCred {
return shortName;
}
+ public String getDomain() {
+ return domain;
+ }
+
public byte[] getCred() {
return cred;
}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
index 16f62171..200b8174 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
@@ -26,31 +26,30 @@ import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.regex.Pattern;
-import org.onap.aaf.cadi.CadiException;
import org.onap.aaf.cadi.GetCred;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
public class X509Principal extends BearerPrincipal implements GetCred {
private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*");
private final X509Certificate cert;
private final String name;
- private TagLookup tagLookup;
- private byte[] content;
+ private byte[] content;
+ private BasicHttpTaf bht;
public X509Principal(String identity, X509Certificate cert) {
name = identity;
content = null;
this.cert = cert;
- tagLookup = null;
}
- public X509Principal(String identity, X509Certificate cert, byte[] content) {
+ public X509Principal(String identity, X509Certificate cert, byte[] content, BasicHttpTaf bht) {
name = identity;
this.content = content;
this.cert = cert;
- tagLookup = null;
+ this.bht = bht;
}
- public X509Principal(X509Certificate cert, byte[] content) throws IOException {
+ public X509Principal(X509Certificate cert, byte[] content, BasicHttpTaf bht) throws IOException {
this.content=content;
this.cert = cert;
String _name = null;
@@ -70,7 +69,7 @@ public class X509Principal extends BearerPrincipal implements GetCred {
throw new IOException("X509 does not have Identity as CN");
}
name = _name;
- tagLookup = null;
+ this.bht = bht;
}
public String getAsHeader() throws IOException {
@@ -106,4 +105,8 @@ public class X509Principal extends BearerPrincipal implements GetCred {
return "x509";
}
+ public BasicHttpTaf getBasicHttpTaf() {
+ return bht;
+ }
+
}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
index 6d516f00..ac824d0a 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
@@ -23,18 +23,21 @@ package org.onap.aaf.cadi.taf.basic;
import java.io.IOException;
import java.security.Principal;
+import java.util.Map;
+import java.util.TreeMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.BasicCred;
import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CredVal;
-import org.onap.aaf.cadi.Taf;
-import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.CachedPrincipal.Resp;
+import org.onap.aaf.cadi.CredVal;
import org.onap.aaf.cadi.CredVal.Type;
+import org.onap.aaf.cadi.CredValDomain;
+import org.onap.aaf.cadi.Taf;
import org.onap.aaf.cadi.principal.BasicPrincipal;
import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
import org.onap.aaf.cadi.taf.HttpTaf;
@@ -60,6 +63,7 @@ public class BasicHttpTaf implements HttpTaf {
private Access access;
private String realm;
private CredVal rbac;
+ private Map<String,CredVal> rbacs = new TreeMap<>();
private boolean warn;
private long timeToLive;
@@ -71,6 +75,10 @@ public class BasicHttpTaf implements HttpTaf {
this.timeToLive = timeToLive;
}
+ public void add(final CredValDomain cvd) {
+ rbacs.put(cvd.domain(), cvd);
+ }
+
/**
* Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.
* @see Taf
@@ -84,10 +92,16 @@ public class BasicHttpTaf implements HttpTaf {
return DenialOfServiceTaf.respDenyID(access,bc.getUser());
}
CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);
+
+ // Be able to do Organizational specific lookups by Domain
+ CredVal cv = rbacs.get(bp.getDomain());
+ if(cv==null) {
+ cv = rbac;
+ }
+
// ONLY FOR Last Ditch DEBUGGING...
// access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));
-
- if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) {
+ if(cv.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) {
return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
} else {
//TODO may need timed retries in a given time period
@@ -107,10 +121,16 @@ public class BasicHttpTaf implements HttpTaf {
if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
return DenialOfServiceTaf.respDenyID(access,ba.getName());
}
+
+ final int at = ba.getName().indexOf('@');
+ CredVal cv = rbacs.get(ba.getName().substring(at+1));
+ if(cv==null) {
+ cv = rbac; // default
+ }
// ONLY FOR Last Ditch DEBUGGING...
// access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));
- if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) {
+ if(cv.validate(ba.getShortName(), Type.PASSWORD, ba.getCred(), req)) {
return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
} else {
//TODO may need timed retries in a given time period
@@ -146,7 +166,19 @@ public class BasicHttpTaf implements HttpTaf {
}
return sb.toString();
}
+
+ public void addCredVal(final String realm, final CredVal cv) {
+ rbacs.put(realm, cv);
+ }
+ public CredVal getCredVal(String key) {
+ CredVal cv = rbacs.get(key);
+ if(cv==null) {
+ cv = rbac;
+ }
+ return cv;
+ }
+
@Override
public Resp revalidate(CachedPrincipal prin, Object state) {
if(prin instanceof BasicPrincipal) {
@@ -162,4 +194,5 @@ public class BasicHttpTaf implements HttpTaf {
public String toString() {
return "Basic Auth enabled on realm: " + realm;
}
+
}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
index 66683dcd..dc07bb90 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
@@ -36,12 +36,13 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CredVal;
import org.onap.aaf.cadi.Lur;
import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
import org.onap.aaf.cadi.Taf.LifeForm;
import org.onap.aaf.cadi.config.Config;
import org.onap.aaf.cadi.config.SecurityInfo;
@@ -51,6 +52,7 @@ import org.onap.aaf.cadi.principal.X509Principal;
import org.onap.aaf.cadi.taf.HttpTaf;
import org.onap.aaf.cadi.taf.TafResp;
import org.onap.aaf.cadi.taf.TafResp.RESP;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
import org.onap.aaf.cadi.util.Split;
public class X509Taf implements HttpTaf {
@@ -65,6 +67,7 @@ public class X509Taf implements HttpTaf {
private ArrayList<String> cadiIssuers;
private String env;
private SecurityInfo si;
+ private BasicHttpTaf bht;
static {
try {
@@ -150,7 +153,7 @@ public class X509Taf implements HttpTaf {
String[] sa = Split.splitTrim(':', subject, temp+3,end);
if(sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment
return new X509HttpTafResp(access,
- new X509Principal(sa[0], certarr[0],(byte[])null),
+ new X509Principal(sa[0], certarr[0],(byte[])null,bht),
"X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED);
}
}
@@ -259,4 +262,16 @@ public class X509Taf implements HttpTaf {
return null;
}
+ public void add(BasicHttpTaf bht) {
+ this.bht = bht;
+ }
+
+ public CredVal getCredVal(final String key) {
+ if(bht==null) {
+ return null;
+ } else {
+ return bht.getCredVal(key);
+ }
+ }
+
}
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java
index e62dda4f..0857a870 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/principal/test/JU_X509Principal.java
@@ -67,7 +67,7 @@ public class JU_X509Principal {
@Test
public void constructor2Test() throws IOException {
- X509Principal x509 = new X509Principal(name, cert, cred);
+ X509Principal x509 = new X509Principal(name, cert, cred,null);
// Call twice to hit both branches
assertThat(x509.getAsHeader(), is("X509 " + cred));
assertThat(x509.toString(), is("X509 Authentication for " + name));
@@ -81,7 +81,7 @@ public class JU_X509Principal {
final String longName = "name@domain";
when(subject.getName()).thenReturn("OU=" + longName + ",extra");
when(cert.getSubjectDN()).thenReturn(subject);
- X509Principal x509 = new X509Principal(cert, cred);
+ X509Principal x509 = new X509Principal(cert, cred,null);
// Call twice to hit both branches
assertThat(x509.getAsHeader(), is("X509 " + cred));
assertThat(x509.toString(), is("X509 Authentication for " + longName));
@@ -91,7 +91,7 @@ public class JU_X509Principal {
when(subject.getName()).thenReturn(longName + ",extra");
when(cert.getSubjectDN()).thenReturn(subject);
try {
- x509 = new X509Principal(cert, cred);
+ x509 = new X509Principal(cert, cred, null);
fail("Should have thrown an Exception");
} catch(IOException e) {
assertThat(e.getMessage(), is("X509 does not have Identity as CN"));
@@ -100,7 +100,7 @@ public class JU_X509Principal {
when(subject.getName()).thenReturn("OU=" + longName);
when(cert.getSubjectDN()).thenReturn(subject);
try {
- x509 = new X509Principal(cert, cred);
+ x509 = new X509Principal(cert, cred, null);
fail("Should have thrown an Exception");
} catch(IOException e) {
assertThat(e.getMessage(), is("X509 does not have Identity as CN"));
@@ -109,7 +109,7 @@ public class JU_X509Principal {
when(subject.getName()).thenReturn("OU=" + name + ",exta");
when(cert.getSubjectDN()).thenReturn(subject);
try {
- x509 = new X509Principal(cert, cred);
+ x509 = new X509Principal(cert, cred, null);
fail("Should have thrown an Exception");
} catch(IOException e) {
assertThat(e.getMessage(), is("X509 does not have Identity as CN"));