Diffstat (limited to 'cadi/core/src/main')
4 files changed, 112 insertions, 104 deletions
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java b/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java index cf5c92d0..c65a9b22 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java @@ -60,7 +60,6 @@ public abstract class AbsUserCache<PERM extends Permission> { private Clean clean; protected Access access; -// private final static Permission teaser = new LocalPermission("***NoPERM****"); protected AbsUserCache(Access access, long cleanInterval, int highCount, int usageCount) { this.access = access; @@ -322,7 +321,6 @@ public abstract class AbsUserCache<PERM extends Permission> { for(User<PERM> user : al) { ++total; if(user.count>usageTriggerCount) { - // access.log(Level.AUDIT, "Checking Thread", new Date(now)); boolean touched = false, removed=false; if(user.principal instanceof CachedPrincipal) { CachedPrincipal cp = (CachedPrincipal)user.principal; @@ -333,7 +331,6 @@ public abstract class AbsUserCache<PERM extends Permission> { break; case REVALIDATED: user.resetCount(); - // access.log(Level.AUDIT, "CACHE revalidated credentials"); touched = true; break; default: @@ -346,9 +343,7 @@ public abstract class AbsUserCache<PERM extends Permission> { } } - // access.log(Level.AUDIT, "User Perm Expires", new Date(user.permExpires)); if(!removed && lur!=null && user.permExpires<= now ) { - // access.log(Level.AUDIT, "Reloading"); if(lur.reload(user).equals(Resp.REVALIDATED)) { user.renewPerm(); access.log(Level.DEBUG, "Reloaded Perms for",user); diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java index c1a27fa7..0f9adb94 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java 
@@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -38,10 +38,9 @@ import org.onap.aaf.cadi.User; import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.config.Config; - /** * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms. - * + * * @author Jonathan * */ 
@@ -50,120 +49,69 @@ public final class LocalLur extends AbsUserCache<LocalPermission> implements Lur public static final String COLON = "\\s*:\\s*"; public static final String COMMA = "\\s*,\\s*"; public static final String PERCENT = "\\s*%\\s*"; - + // Use to quickly determine whether any given group is supported by this LUR private final Set<String> supportingGroups; - private String supportedRealm; - + private String supportedRealm; + /** * Construct by building structure, see "build" - * + * * Reconstruct with "build" - * - * @param userProperty - * @param groupProperty + * + * @param userProperties + * @param groupProperties * @param decryptor * @throws IOException */ - public LocalLur(Access access, String userProperty, String groupProperty) throws IOException { + public LocalLur(Access access, String userProperties, String groupProperties) throws IOException { super(access, 0, 0, Integer.MAX_VALUE); // data doesn't expire supportedRealm = access.getProperty(Config.BASIC_REALM, "localized"); - supportingGroups = new TreeSet<String>(); - - if(userProperty!=null) { - // For each User name... 
- for(String user : userProperty.trim().split(SEMI)) { - String[] us = user.split(COLON,2); - String[] userpass = us[0].split(PERCENT,2); - String u; - User<LocalPermission> usr; - if(userpass.length>1) { - if(userpass.length>0 && userpass[0].indexOf('@')<0) { - userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm()); - } - - u = userpass[0]; - byte[] pass = access.decrypt(userpass[1], true).getBytes(); - usr = new User<LocalPermission>(new ConfigPrincipal(u, pass)); - } else { - u = us[0]; - usr = new User<LocalPermission>(new ConfigPrincipal(u, (byte[])null)); - } - addUser(usr); - access.log(Level.INIT, "Local User:",usr.principal); - - if(us.length>1) { - Map<String, Permission> newMap = usr.newMap(); - for(String group : us[1].split(COMMA)) { - supportingGroups.add(group); - usr.add(newMap,new LocalPermission(group)); - } - usr.setMap(newMap); - } - } + supportingGroups = new TreeSet<>(); + + if (userProperties != null) { + parseUserProperties(userProperties); } - if(groupProperty!=null) { - // For each Group name... 
- for(String group : groupProperty.trim().split(SEMI)) { - String[] gs = group.split(COLON,2); - if(gs.length>1) { - supportingGroups.add(gs[0]); - LocalPermission p = new LocalPermission(gs[0]); - // Add all users (known by comma separators) - - for(String grpMem : gs[1].split(COMMA)) { - // look for password, if so, put in passMap - String[] userpass = grpMem.split(PERCENT,2); - if(userpass.length>0 && userpass[0].indexOf('@')<0) { - userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm()); - } - User<LocalPermission> usr = null; - if(userpass.length>1) { - byte[] pass = access.decrypt(userpass[1], true).getBytes(); - usr = getUser(userpass[0],pass); - if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],pass))); - else usr.principal=new ConfigPrincipal(userpass[0],pass); - } else { - addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],(byte[])null))); - } - usr.add(p); - access.log(Level.INIT, "Local User:",usr.principal); - } - } - } + + if (groupProperties != null) { + parseGroupProperties(groupProperties); } } - + public boolean validate(String user, CredVal.Type type, byte[] cred, Object state) { - User<LocalPermission> usr = getUser(user,cred); - switch(type) { - case PASSWORD: - // covers null as well as bad pass - if(usr!=null && cred!=null && usr.principal instanceof ConfigPrincipal) { - return Hash.isEqual(cred,((ConfigPrincipal)usr.principal).getCred()); - } - break; + if (cred == null) { + return false; + } + User<LocalPermission> usr = getUser(user, cred); + if (usr == null) { + return false; + } + // covers null as well as bad pass + if ((type == Type.PASSWORD) && (usr.principal instanceof ConfigPrincipal)) {; + return Hash.isEqual(cred, ((ConfigPrincipal)usr.principal).getCred()); } return false; } // @Override public boolean fish(Principal bait, Permission pond) { - if(pond == null) { + if (pond == null) { return false; } - if(handles(bait) && pond 
instanceof LocalPermission) { // local Users only have LocalPermissions - User<LocalPermission> user = getUser(bait); - return user==null?false:user.contains((LocalPermission)pond); + if (handles(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions + User<LocalPermission> user = getUser(bait); + if (user != null) { + return user.contains((LocalPermission)pond); } + } return false; } // We do not want to expose the actual Group, so make a copy. public void fishAll(Principal bait, List<Permission> perms) { - if(handles(bait)) { + if (handles(bait)) { User<LocalPermission> user = getUser(bait); - if(user!=null) { + if (user != null) { user.copyPermsTo(perms); } } @@ -174,13 +122,12 @@ public final class LocalLur extends AbsUserCache<LocalPermission> implements Lur */ @Override public boolean handles(Principal principal) { - return principal!=null && principal.getName().endsWith(supportedRealm); + if (principal == null) { + return false; + } + return principal.getName().endsWith(supportedRealm); } -// public boolean supports(String userName) { -// return userName!=null && userName.endsWith(supportedRealm); -// } -// public boolean handlesExclusively(Permission pond) { return supportingGroups.contains(pond.getKey()); } 
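Review bot: The rewritten `validate` in LocalLur.java has a stray empty statement after the opening brace of its final check, `... (usr.principal instanceof ConfigPrincipal)) {;`, which compiles but reads as an accident; the line should be `if ((type == Type.PASSWORD) && (usr.principal instanceof ConfigPrincipal)) {`. The comment above it, `// covers null as well as bad pass`, is now stale because the null `cred` case is rejected by the new guard at the top of the method; `// cred and usr are non-null here; only PASSWORD credentials held as a ConfigPrincipal can be verified` would describe what remains. The method also now performs the `getUser` lookup before inspecting `type`, whereas the old switch did the lookup only for the PASSWORD case; that is harmless as far as the hunk shows, but worth confirming against `getUser` in AbsUserCache, which is outside this hunk. `Type.PASSWORD` presumably resolves through an import of `CredVal.Type` that the hunk does not show.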
@@ -192,5 +139,74 @@ public final class LocalLur extends AbsUserCache<LocalPermission> implements Lur public Permission createPerm(String p) { return new LocalPermission(p); } + + private void parseUserProperties(String userProperties) throws IOException { + // For each User name... + for (String userProperty : userProperties.trim().split(SEMI)) { + String[] userInfo = userProperty.split(COLON, 2); + String[] userPass = userInfo[0].split(PERCENT, 2); + String userName = userPass[0]; + + byte[] password = null; + if (userPass.length > 1) { + password = access.decrypt(userPass[1], true).getBytes(); + if (userName.indexOf('@') < 0) { + userName += '@' + access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm()); + } + } + User<LocalPermission> usr; + usr = new User<>(new ConfigPrincipal(userName, password)); + addUser(usr); + access.log(Level.INIT, "Local User:", usr.principal); + + if (userInfo.length > 1) { + Map<String, Permission> newMap = usr.newMap(); + for (String group : userInfo[1].split(COMMA)) { + supportingGroups.add(group); + usr.add(newMap, new LocalPermission(group)); + } + usr.setMap(newMap); + } + } + } + + + private void parseGroupProperties(String groupProperties) throws IOException { + // For each Group name... 
+ for (String group : groupProperties.trim().split(SEMI)) { + String[] groups = group.split(COLON, 2); + if (groups.length <= 1) { + continue; + } + supportingGroups.add(groups[0]); + LocalPermission p = new LocalPermission(groups[0]); + + // Add all users (known by comma separators) + for (String groupMember : groups[1].split(COMMA)) { + // look for password, if so, put in passMap + String[] userPass = groupMember.split(PERCENT, 2); + String userName = userPass[0]; + if (userName.indexOf('@') < 0) { + userName += '@' + access.getProperty(Config.AAF_DEFAULT_REALM, Config.getDefaultRealm()); + } + + User<LocalPermission> usr = null; + byte[] password = null; + if (userPass.length > 1) { + password = access.decrypt(userPass[1], true).getBytes(); + } + usr = getUser(userName, password); + if (usr == null) { + usr = new User<>(new ConfigPrincipal(userName, password)); + addUser(usr); + } + else { + usr.principal = new ConfigPrincipal(userName, password); + } + usr.add(p); + access.log(Level.INIT, "Local User:", usr.principal); + } + } + } } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java index a2fc730e..c216fb57 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java @@ -62,7 +62,7 @@ public abstract class AbsTafResp implements TafResp { * Respond in the affirmative if the TAF was able to Authenticate */ public boolean isValid() { - return principal!=null; + return principal != null; } /** diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java index 9e36c11f..017337b1 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java 
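Review bot: Both new parsers build the stored credential with `access.decrypt(userPass[1], true).getBytes()`, which encodes with the JVM's platform default charset, so the bytes later compared in `validate` depend on `file.encoding` rather than on the configuration; if the credential bytes presented to `validate` are UTF-8, `getBytes(StandardCharsets.UTF_8)` on both lines pins that down (this would need `java.nio.charset.StandardCharsets` imported, which the hunk does not show). In `parseGroupProperties`, a member without a `%` password now goes through `getUser(userName, null)` before `addUser`, where the old code always added a fresh `User`; whether that reuses an existing entry and replaces its principal with a null-credential `ConfigPrincipal` depends on how `getUser` in AbsUserCache treats a null credential, which is outside this hunk and should be checked. Neither private method documents the format it parses; a Javadoc on `parseUserProperties` stating that entries are separated by `SEMI` and each is `user[%encryptedPass][:group,group...]`, with the realm suffix appended only when a password is present, and a matching one on `parseGroupProperties` for `group:member[%encryptedPass],...`, would save the next reader from reverse-engineering the split calls.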
@@ -21,7 +21,6 @@ package org.onap.aaf.cadi.wsse; -import java.io.IOException; import java.io.InputStream; import javax.xml.stream.XMLStreamException; @@ -46,7 +45,6 @@ public class WSSEParser { private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"; private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; private Match<BasicCred> parseTree; - //private XMLInputFactory inputFactory; public WSSEParser() { // soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/[wsse:Password&wsse:Username] @@ -72,10 +70,9 @@ public class WSSEParser { ).stopAfter() // Stop Processing when Header Ends ).exclusive()// Envelope must match Header, and no other. FYI, Body comes after Header short circuits (see above), so it's ok ).exclusive(); // root must be Envelope - //inputFactory = XMLInputFactory.newInstance(); } - public XMLStreamException parse(BasicCred bc, InputStream is) throws IOException { + public XMLStreamException parse(BasicCred bc, InputStream is) { try { parseTree.onMatch(bc, new XReader(is)); return null; |