summaryrefslogtreecommitdiffstats
path: root/cadi/oauth-enduser
diff options
context:
space:
mode:
authorInstrumental <jcgmisc@stl.gathman.org>2018-03-26 13:49:56 -0700
committerInstrumental <jcgmisc@stl.gathman.org>2018-03-26 13:50:07 -0700
commita20accc73189d8e5454cd26049c0e6fae75da16f (patch)
tree3526110a1f65591354eff6400383512df4828903 /cadi/oauth-enduser
parentac1e1ec76e9125206be91a2f32c7104c9392dc9a (diff)
AT&T 2.0.19 Code drop, stage 2
Issue-ID: AAF-197 Change-Id: Ifc93308f52c10d6ad82e99cd3ff5ddb900bf219a Signed-off-by: Instrumental <jcgmisc@stl.gathman.org>
Diffstat (limited to 'cadi/oauth-enduser')
-rw-r--r--cadi/oauth-enduser/.gitignore6
-rw-r--r--cadi/oauth-enduser/.settings/.gitignore2
-rw-r--r--cadi/oauth-enduser/cadi.properties57
-rw-r--r--cadi/oauth-enduser/pom.xml112
-rw-r--r--cadi/oauth-enduser/src/.gitignore1
-rw-r--r--cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java233
6 files changed, 411 insertions, 0 deletions
diff --git a/cadi/oauth-enduser/.gitignore b/cadi/oauth-enduser/.gitignore
new file mode 100644
index 00000000..ed10e327
--- /dev/null
+++ b/cadi/oauth-enduser/.gitignore
@@ -0,0 +1,6 @@
+/target/
+/.DS_Store
+/.classpath
+/tokens/
+/bin/
+/.project
diff --git a/cadi/oauth-enduser/.settings/.gitignore b/cadi/oauth-enduser/.settings/.gitignore
new file mode 100644
index 00000000..e2635f07
--- /dev/null
+++ b/cadi/oauth-enduser/.settings/.gitignore
@@ -0,0 +1,2 @@
+/org.eclipse.jdt.core.prefs
+/org.eclipse.m2e.core.prefs
diff --git a/cadi/oauth-enduser/cadi.properties b/cadi/oauth-enduser/cadi.properties
new file mode 100644
index 00000000..fb497314
--- /dev/null
+++ b/cadi/oauth-enduser/cadi.properties
@@ -0,0 +1,57 @@
+############################################################
+# Properties for OAuth Example
+# Jonathan Gathman
+# on 2018-01-30
+# These properties are the BARE essentials for OAuth calling
+############################################################
+# aaf_locate is the replacement whenever a URL is set to "AAF_LOCATE_URL"
+# at this time, only AAF has this ability.
+#
+# This is, effectively, the Environment you will use for AAF Location
+# TEST ENV
+aaf_locate_url=https://aaftest.test.att.com
+
+# IST ENV
+# aaf_locate_url=https://aafist.test.att.com
+
+# PROD ENV
+# aaf_locate_url=https://aaf.it.att.com
+
+cadi_latitude=<YOUR Latitude (try bing.com/maps)
+cadi_longitude=<YOUR Longitude>
+
+aaf_url=https://AAF_LOCATE_URL/locate/com.att.aaf.service:2.0
+cadi_keyfile=<YOUR Keyfile. Create with java -jar cadi-core<Version>.jar keygen keyfile. chmod 400 keyfile>
+
+aaf_id=<YOUR Fully Qualified AAF MechID>
+aaf_password=enc:<YOUR encrypted passwrod. Create with java -jar cadi-core<Version>.jar digest keyfile>
+# aaf_alias=<YOUR AAF Certman Generated alias FOR the right AAF Env>
+
+# aaf_conn_timeout=6000
+# aaf_timeout=10000
+
+# A Sample AAF OAuth Enabled Service
+#aaf_oauth2_hello_url=https://AAF_LOCATE_URL/locate/com.att.aaf.hello:2.0/hello
+aaf_oauth2_hello_url=http://135.46.170.156:32245/restservices/echo/v1/testCXF/testGet
+
+# OAuth2
+# AAF OAuth2 Service.
+aaf_oauth2_token_url=https://AAF_LOCATE_URL/locate/com.att.aaf.token:2.0/token
+aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/locate/com.att.aaf.introspect:2.0/introspect
+
+#ISAM
+aaf_alt_oauth2_domain=isam.att.com
+#aaf_alt_oauth2_client_id=<get from ISAM>
+#aaf_alt_oauth2_domain=csp.att.com
+
+#ISAM TEST
+#aaf_alt_oauth2_token_url=https://oauth.stage.elogin.att.com/mga/sps/oauth/oauth20/token
+#aaf_alt_oauth2_introspect_url=https://oauthapp.stage.att.com/mga/sps/oauth/oauth20/introspect
+#aaf_alt_oauth2_client_secret=enc:<encrypt with cadi tool>
+
+#ISAM PROD
+#aaf_alt_oauth2_token_url=https://oauth.idp.elogin.att.com/mga/sps/oauth/oauth20/token
+#aaf_alt_oauth2_introspect_url=https://oa-app.e-access.att.com/mga/sps/oauth/oauth20/introspect
+#aaf_alt_oauth2_client_secret=enc:<encrypt with cadi tool>
+
+
diff --git a/cadi/oauth-enduser/pom.xml b/cadi/oauth-enduser/pom.xml
new file mode 100644
index 00000000..2423c530
--- /dev/null
+++ b/cadi/oauth-enduser/pom.xml
@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <name>AAF CADI Sample OAuth EndUser</name>
+ <groupId>org.onap.aaf.cadi</groupId>
+ <version>1.5.0-SNAPSHOT</version>
+ <artifactId>aaf-cadi-oauth-enduser</artifactId>
+
+ <packaging>jar</packaging>
+
+ <developers>
+ <developer>
+ <name>Jonathan Gathman</name>
+ <email>jonathan.gathman@att.com</email>
+ <organization>ATT</organization>
+ <roles>
+ <role>Architect</role>
+ <role>Lead Developer</role>
+ </roles>
+ </developer>
+ <developer>
+ <name>Gabe Maurer</name>
+ <email>gabe.maurer@att.com</email>
+ <organization>ATT</organization>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ </developer>
+ <developer>
+ <name>Ian Howell</name>
+ <email>ian.howell@att.com</email>
+ <organization>ATT</organization>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ </developer>
+ </developers>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.onap.aaf.cadi</groupId>
+ <artifactId>aaf-cadi-core</artifactId>
+ <version>1.5.0-SNAPSHOT</version>
+ </dependency>
+ <dependency>
+ <groupId>org.onap.aaf.cadi</groupId>
+ <artifactId>aaf-cadi-aaf</artifactId>
+ <version>1.5.0-SNAPSHOT</version>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <pluginManagement>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>2.3.2</version>
+ <configuration>
+ <source>1.8</source>
+ <target>1.8</target>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <version>2.4</version>
+ <artifactId>maven-jar-plugin</artifactId>
+ <configuration>
+ <outputDirectory>target</outputDirectory>
+ </configuration>
+ </plugin>
+ <plugin>
+ <artifactId>maven-assembly-plugin</artifactId>
+ <version>2.4</version>
+ <configuration>
+ <archive>
+ <manifest>
+ <mainClass>org.onap.aaf.cadi.enduser.OAuthExample</mainClass>
+ </manifest>
+ </archive>
+ <descriptors>
+ <descriptor>src/main/assemble/cadi-oauth-enduser-assemble.xml</descriptor>
+ </descriptors>
+ </configuration>
+ </plugin>
+ </plugins>
+ </pluginManagement>
+ </build>
+
+</project>
diff --git a/cadi/oauth-enduser/src/.gitignore b/cadi/oauth-enduser/src/.gitignore
new file mode 100644
index 00000000..9bb88d37
--- /dev/null
+++ b/cadi/oauth-enduser/src/.gitignore
@@ -0,0 +1 @@
+/.DS_Store
diff --git a/cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java b/cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java
new file mode 100644
index 00000000..9cb4b4af
--- /dev/null
+++ b/cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java
@@ -0,0 +1,233 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+package com.att.cadi.enduser;
+
+import java.io.IOException;
+import java.net.ConnectException;
+import java.security.GeneralSecurityException;
+import java.util.Date;
+import java.util.GregorianCalendar;
+
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.client.Future;
+import org.onap.aaf.cadi.client.Rcli;
+import org.onap.aaf.cadi.client.Result;
+import org.onap.aaf.cadi.client.Retryable;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.oauth.TimedToken;
+import org.onap.aaf.cadi.oauth.TokenClient;
+import org.onap.aaf.cadi.oauth.TokenClientFactory;
+import org.onap.aaf.cadi.oauth.TzClient;
+import org.onap.aaf.cadi.util.FQI;
+import org.onap.aaf.misc.env.APIException;
+import org.onap.aaf.misc.env.util.Chrono;
+
+import aafoauth.v2_0.Introspect;
+import aafoauth.v2_0.Token;
+
+
+public class OAuthExample {
+ private static TokenClientFactory tcf;
+ private static PropAccess access;
+
+ public final static void main(final String args[]) {
+ // These Objects are expected to be Long-Lived... Construct once
+
+ // Property Access
+ // This method will allow you to set "cadi_prop_files" (or any other property) on Command line
+ access = new PropAccess(args);
+
+ // access = PropAccess();
+ // Note: This style will load "cadi_prop_files" from VM Args
+
+ // Token aware Client Factory
+ try {
+ tcf = TokenClientFactory.instance(access);
+ } catch (APIException | GeneralSecurityException | IOException | CadiException e1) {
+ access.log(e1, "Unable to setup OAuth Client Factory, Fail Fast");
+ System.exit(1);
+ }
+
+
+ // Obtain Endpoints for OAuth2 from Properties. Expected is "cadi.properties" file, pointed to by "cadi_prop_files"
+ String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL);
+ String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL);
+
+
+ // Get Properties
+ final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL);
+
+ final int CALL_TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CALL_TIMEOUT,Config.AAF_CALL_TIMEOUT_DEF));
+
+ try {
+ //////////////////////////////////////////////////////////////////////
+ // Scenario 1:
+ // Get and use an OAuth Client, which understands Token Management
+ //////////////////////////////////////////////////////////////////////
+ // Create a Token Client, that gets its tokens from expected OAuth Server
+ // In this example, it is AAF, but it can be the Alternate OAuth
+
+ TokenClient tc = tcf.newClient(tokenServiceURL); // can set your own timeout here (url, timeoutMilliseconds)
+ // Set your Application (MicroService, whatever) Credentials here
+ // These are how your Application is known, particularly to the OAuth Server.
+ // If AAF Token server, then its just the same as your other AAF MechID creds
+ // If it is the Alternate OAUTH, you'll need THOSE credentials. See that tool's Onboarding procedures.
+ String client_id = access.getProperty(Config.AAF_APPID);
+ String client_secret = access.getProperty(Config.AAF_APPPASS);
+ tc.client_creds(client_id, client_secret);
+
+ // If you are working with Credentials the End User, set username/password as appropriate to the OAuth Server
+ // tc.password(end_user_id, end_user_password);
+ // IMPORTANT:
+ // if you are setting client Credentials, you MAY NOT reuse this Client mid-transaction. You CAN reuse after setting
+ // tc.clearEndUser();
+ // You may want to see "Pooled Client" example, using special CADI utility
+
+ // With AAF, the Scopes you put in are the AAF Namespaces you want access to. Your Token will contain the
+ // AAF Permissions of the Namespaces (you can put in more than one), the user name (or client_id if no user_name),
+ // is allowed to see.
+
+ // Here's a trick to get the namespace out of a Fully Qualified AAF Identity (your MechID)
+ String ns = FQI.reverseDomain(client_id);
+ System.out.printf("\nNote: The AAF Namespace of FQI (Fully Qualified Identity) %s is %s\n\n",client_id, ns);
+
+ // Now, we can get a Token. Note: for "scope", use AAF Namespaces to get AAF Permissions embedded in
+ // Note: getToken checks if Token is expired, if so, then refreshes before handing back.
+ Result<TimedToken> rtt = tc.getToken(ns,"org.onap.test");
+
+ // Note: you can clear a Token's Disk/Memory presence by
+ // 1) removing the Token from the "token/outgoing" directory on the O/S
+ // 2) programmatically by calling "clearToken" with exact params as "getToken", when it has the same credentials set
+ // tc.clearToken("org.onap.aaf","org.onap.test");
+
+ // Result Object can be queried for success
+ if(rtt.isOK()) {
+ TimedToken token = rtt.value;
+ print(token); // Take a look at what's in a Token
+
+ // Use this Token in your client calls with "Tokenized Client" (TzClient)
+ // These should NOT be used cross thread.
+ TzClient helloClient = tcf.newTzClient(endServicesURL);
+ helloClient.setToken(client_id, token);
+
+ // This client call style, "best" call with "Retryable" inner class covers finding an available Service
+ // (when Multi-services exist) for the best service, based (currently) on distance.
+ //
+ // the "Generic" in Type gives a Return Value for the Code, which you can set on the "best" method
+ // Note that variables used in the inner class from this part of the code must be "final", see "CALL_TIMEOUT"
+ String rv = helloClient.best(new Retryable<String>() {
+ @Override
+ public String code(Rcli<?> client) throws CadiException, ConnectException, APIException {
+ Future<String> future = client.read(null,"text/plain");
+ // The "future" calling method allows you to do other processing, such as call more than one backend
+ // client before picking up the result
+ // If "get" matches the HTTP Code for the method (i.e. read HTTP Return value is 200), then
+ if(future.get(CALL_TIMEOUT)) {
+ // Client Returned expected value
+ return future.value;
+ } else {
+ throw new APIException(future.code() + future.body());
+ }
+ }
+ });
+
+ // You want to do something with returned value. Here, we say "hello"
+ System.out.printf("\nPositive Response from Hello: %s\n",rv);
+
+
+ //////////////////////////////////////////////////////////////////////
+ // Scenario 2:
+ // As a Service, read Introspection information as proof of Authenticated Authorization
+ //////////////////////////////////////////////////////////////////////
+ // CADI Framework (i.e. CadiFilter) works with the Introspection to drive the J2EE interfaces (
+ // i.e. if(isUserInRole("ns.perm|instance|action")) {...
+ //
+ // Here, however, is a way to introspect via Java
+ //
+ // now, call Introspect (making sure right URLs are set in properties)
+ // We need a Different Introspect TokenClient, because different Endpoint (and usually different Services)
+ TokenClient tci = tcf.newClient(tokenIntrospectURL);
+ tci.client_creds(client_id, client_secret);
+ Result<Introspect> is = tci.introspect(token.getAccessToken());
+ if(is.isOK()) {
+ // Note that AAF will add JSON set of Permissions as part of "Content:", legitimate extension of OAuth Structure
+ print(is.value); // do something with Introspect Object
+ } else {
+ access.printf(Level.ERROR, "Unable to introspect OAuth Token %s: %d %s\n",
+ token.getAccessToken(),rtt.code,rtt.error);
+ }
+ } else {
+ access.printf(Level.ERROR, "Unable to obtain OAuth Token: %d %s\n",rtt.code,rtt.error);
+ }
+
+ } catch (CadiException | LocatorException | APIException | IOException e) {
+ e.printStackTrace();
+ }
+ }
+
+ /////////////////////////////////////////////////////////////
+ // Examples of Object Access
+ /////////////////////////////////////////////////////////////
+ private static void print(Token t) {
+ GregorianCalendar exp_date = new GregorianCalendar();
+ exp_date.add(GregorianCalendar.SECOND, t.getExpiresIn());
+ System.out.printf("Access Token\n\tToken:\t\t%s\n\tToken Type:\t%s\n\tExpires In:\t%d (%s)\n\tScope:\t\t%s\n\tRefresh Token:\t%s\n",
+ t.getAccessToken(),
+ t.getTokenType(),
+ t.getExpiresIn(),
+ Chrono.timeStamp(new Date(System.currentTimeMillis()+(t.getExpiresIn()*1000))),
+ t.getScope(),
+ t.getRefreshToken());
+ }
+
+ private static void print(Introspect ti) {
+ if(ti==null || ti.getClientId()==null) {
+ System.out.println("Empty Introspect");
+ return;
+ }
+ Date exp = new Date(ti.getExp()*1000); // seconds
+ System.out.printf("Introspect\n"
+ + "\tAccessToken:\t%s\n"
+ + "\tClient-id:\t%s\n"
+ + "\tClient Type:\t%s\n"
+ + "\tActive: \t%s\n"
+ + "\tUserName:\t%s\n"
+ + "\tExpires: \t%d (%s)\n"
+ + "\tScope:\t\t%s\n"
+ + "\tContent:\t\t%s\n",
+ ti.getAccessToken(),
+ ti.getClientId(),
+ ti.getClientType(),
+ ti.isActive()?Boolean.TRUE.toString():Boolean.FALSE.toString(),
+ ti.getUsername(),
+ ti.getExp(),
+ Chrono.timeStamp(exp),
+ ti.getScope(),
+ ti.getContent()==null?"":ti.getContent());
+
+ System.out.println();
+ }
+
+}