diff options
Diffstat (limited to 'cadi/core/src/main')
-rw-r--r-- | cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java | 117 | ||||
-rw-r--r-- | cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java | 58 |
2 files changed, 99 insertions, 76 deletions
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java index cc283973..5cd6323d 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -40,9 +40,9 @@ import org.onap.aaf.cadi.TrustChecker; /** * HttpEpiTaf - * + * * An extension of the basic "EpiTAF" concept, check known HTTP Related TAFs for valid credentials - * + * * @author Jonathan * */ @@ -51,10 +51,10 @@ public class HttpEpiTaf implements HttpTaf { private Access access; private Locator<URI> locator; private TrustChecker trustChecker; - + /** * HttpEpiTaf constructor - * + * * Construct the HttpEpiTaf from variable Http specific TAF parameters * @param tafs @@ -65,52 +65,52 @@ public class HttpEpiTaf implements HttpTaf { this.access = access; this.locator = locator; this.trustChecker = tc; - // Establish what Header Property to look for UserChain/Trust Props -// trustChainProp = access.getProperty(Config.CADI_TRUST_PROP, Config.CADI_TRUST_PROP_DEFAULT); + // Establish what Header Property to look for UserChain/Trust Props - if(tafs.length==0) throw new CadiException("Need at least one HttpTaf implementation in constructor"); + if (tafs.length == 0) { + throw new CadiException("Need at least one HttpTaf implementation in constructor"); + } } /** * validate - * - * Respond with the first Http specific TAF to authenticate user based on variable info + * + * Respond with the first Http specific TAF to authenticate user based on variable info * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol). - * + * * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP - * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm + * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm * submission - * + * * If no TAF declares either, respond with NullTafResp (which denies all questions) */ public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { // Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings - if(reading==LifeForm.LFN) { + if (reading == LifeForm.LFN) { reading = tricorderScan(req); } - TafResp tresp=null, firstTry = null; + TafResp tresp = null; + TafResp firstTry = null; List<Redirectable> redirectables = null; - List<TafResp> trlog = access.willLog(Level.DEBUG)?new ArrayList<TafResp>():null; + List<TafResp> log = (access.willLog(Level.DEBUG)) ? new ArrayList<TafResp>() : null; try { - for(HttpTaf taf : tafs) { + for (HttpTaf taf : tafs) { tresp = taf.validate(reading, req, resp); - if(trlog!=null) { - trlog.add(tresp); - } + addToLog(log, tresp); switch(tresp.isAuthenticated()) { case TRY_ANOTHER_TAF: break; // and loop case TRY_AUTHENTICATING: - if(tresp instanceof Redirectable) { - if(redirectables==null) { - redirectables = new ArrayList<Redirectable>(); + if (tresp instanceof Redirectable) { + if (redirectables == null) { + redirectables = new ArrayList<>(); } redirectables.add((Redirectable)tresp); - } else if(firstTry==null) { + } else if (firstTry == null) { firstTry = tresp; } - break; + break; case IS_AUTHENTICATED: tresp = trustChecker.mayTrust(tresp, req); return tresp; @@ -118,46 +118,42 @@ public class HttpEpiTaf implements HttpTaf { return tresp; } } - } finally { - if(trlog!=null) { - for( TafResp tr : trlog) { - access.log(Level.DEBUG, tr.desc()); - } - } + } finally { + printLog(log); } - - // If No TAFs configured, at this point. It is safer at this point to be "not validated", + + // If No TAFs configured, at this point. It is safer at this point to be "not validated", // rather than "let it go" // Note: if exists, there will always be more than 0 entries, according to above code - if(redirectables==null) { - return firstTry!=null?firstTry:NullTafResp.singleton(); + if (redirectables == null) { + return (firstTry != null) ? firstTry : NullTafResp.singleton(); } - + // If there is one Tryable entry then return it - if(redirectables.size()>1) { - return LoginPageTafResp.create(access,locator,resp,redirectables); + if (redirectables.size() > 1) { + return LoginPageTafResp.create(access, locator, resp, redirectables); } else { return redirectables.get(0); } } - + public boolean revalidate(Principal prin) throws Exception { return false; } /* * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind - * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical + * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical * id (SiliconBasedLifeForm)? This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs */ private LifeForm tricorderScan(HttpServletRequest req) { // For simplicity's sake, we'll say Humans use FQDNs, not IPs. - + // Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are. // If mechanical frameworks are found that populate this, then more advanced analysis may be required // Jonathan 1/22/2013 String agent = req.getHeader("User-Agent"); - if(agent!=null && agent.startsWith("Mozilla")) { // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent + if (agent != null && agent.startsWith("Mozilla")) { // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent return LifeForm.CBLF; } return LifeForm.SBLF; // notably skips "curl","wget", (which is desired behavior. We don't want to try CSP, etc on these) @@ -165,17 +161,36 @@ public class HttpEpiTaf implements HttpTaf { public Resp revalidate(CachedPrincipal prin, Object state) { Resp resp; - for(HttpTaf taf : tafs) { - resp = taf.revalidate(prin,state); - switch(resp) { - case NOT_MINE: - break; - default: - return resp; + for (HttpTaf taf : tafs) { + resp = taf.revalidate(prin, state); + if (resp != Resp.NOT_MINE) { + return resp; } +// switch(resp) { +// case NOT_MINE: +// break; +// default: +// return resp; +// } } return Resp.NOT_MINE; } + + private void addToLog(List<TafResp> log, TafResp tresp) { + if (log == null) { + return; + } + log.add(tresp); + } + + private void printLog(List<TafResp> log) { + if (log == null) { + return; + } + for (TafResp tresp : log) { + access.log(Level.DEBUG, tresp.desc()); + } + } /** * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE @@ -183,7 +198,7 @@ public class HttpEpiTaf implements HttpTaf { */ public String toString() { StringBuilder sb = new StringBuilder(); - for(HttpTaf ht : tafs) { + for (HttpTaf ht : tafs) { sb.append(ht.toString()); sb.append(". "); } diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java index 9c9cbc22..3f80170e 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java @@ -53,34 +53,42 @@ public class LoginPageTafResp extends AbsTafResp { return RESP.TRY_AUTHENTICATING; } - public static TafResp create(Access access, Locator<URI> locator, final HttpServletResponse resp, List<Redirectable> redir) { - if(locator!=null) { - try { - Item item = locator.best(); - URI uri = locator.get(item); - if(uri!=null) { - StringBuilder sb = new StringBuilder(uri.toString()); - String query = uri.getQuery(); - boolean first = query==null || query.length()==0; - int count=0; - for(Redirectable t : redir) { - if(first) { - sb.append('?'); - first=false; - } - else sb.append('&'); - sb.append(t.get()); - ++count; - } - if(count>0)return new LoginPageTafResp(access, resp, sb.toString()); + public static TafResp create(Access access, Locator<URI> locator, final HttpServletResponse resp, List<Redirectable> redirectables) { + if (locator == null) { + if (!redirectables.isEmpty()) { + access.log(Level.DEBUG,"LoginPage Locator is not configured. Taking first Redirectable Taf"); + return redirectables.get(0); + } + return NullTafResp.singleton(); + } + + try { + Item item = locator.best(); + URI uri = locator.get(item); + if (uri == null) { + return NullTafResp.singleton(); + } + + StringBuilder sb = new StringBuilder(uri.toString()); + String query = uri.getQuery(); + boolean first = ((query == null) || (query.length() == 0)); + for (Redirectable redir : redirectables) { + if (first) { + sb.append('?'); + first = false; + } + else { + sb.append('&'); } - } catch (Exception e) { - access.log(e, "Error deriving Login Page location"); + sb.append(redir.get()); } - } else if(!redir.isEmpty()) { - access.log(Level.DEBUG,"LoginPage Locator is not configured. Taking first Redirectable Taf"); - return redir.get(0); + if (!redirectables.isEmpty()) { + return new LoginPageTafResp(access, resp, sb.toString()); + } + } catch (Exception e) { + access.log(e, "Error deriving Login Page location"); } + return NullTafResp.singleton(); } } |