Diffstat (limited to 'cadi/core')
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java42
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java34
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java2
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java10
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java10
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java5
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java10
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java10
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java11
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java8
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java1
-rw-r--r--cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java2
-rw-r--r--cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_AbsTafResp.java3
-rw-r--r--cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_EpiTaf.java2
14 files changed, 121 insertions, 29 deletions
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
index bab758ec..5920a260 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
@@ -55,7 +55,13 @@ import org.onap.aaf.cadi.util.UserChainManip;
*
*/
public class CadiHTTPManip {
- private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
+ private static final String ACCESS_DENIED = "Access Denied";
+ private static final String NO_TAF_WILL_AUTHORIZE = "No TAF will authorize";
+ private static final String AUTHENTICATION_FAILURE = "Authentication Failure";
+ private static final String AUTHENTICATING_VIA_REDIRECTION = "Authenticating via redirection";
+ private static final String MSG_FMT = "user=%s,ip=%s:%d,msg=\"%s: %s\"";
+ private static final String AUTHENTICATED = "Authenticated";
+ private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
private static final String METH = "OPTIONS";
private static final String CADI = "/cadi/";
private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
@@ -120,40 +126,42 @@ public class CadiHTTPManip {
TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp);
switch(tresp.isAuthenticated()) {
case IS_AUTHENTICATED:
- access.printf(Level.INFO,"Authenticated: %s from %s:%d",
- tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+ access.printf(Level.DEBUG,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(),
+ hreq.getRemotePort(),AUTHENTICATED,tresp.desc());
break;
case TRY_AUTHENTICATING:
switch (tresp.authenticate()) {
case IS_AUTHENTICATED:
- access.printf(Level.INFO,"Authenticated: %s from %s:%d",
- tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+ access.printf(Level.DEBUG,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(),
+ hreq.getRemotePort(),AUTHENTICATED,tresp.desc());
break;
case HTTP_REDIRECT_INVOKED:
- access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc());
+ access.printf(Level.DEBUG,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(),
+ hreq.getRemotePort(),AUTHENTICATING_VIA_REDIRECTION,tresp.desc());
break;
case NO_FURTHER_PROCESSING:
- access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d"
- , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+ access.printf(Level.AUDIT,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(),
+ hreq.getRemotePort(),AUTHENTICATION_FAILURE,tresp.desc());
hresp.sendError(403, tresp.desc()); // Forbidden
break;
default:
- access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
- , hreq.getRemoteAddr(), hreq.getRemotePort());
+ access.printf(Level.AUDIT,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(),
+ hreq.getRemotePort(),NO_TAF_WILL_AUTHORIZE,tresp.desc());
hresp.sendError(403, tresp.desc()); // Forbidden
}
break;
case NO_FURTHER_PROCESSING:
- access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d",
- tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
- hresp.sendError(403, "Access Denied"); // FORBIDDEN
+ access.printf(Level.AUDIT,MSG_FMT, tresp.getTarget(),hreq.getRemoteAddr(),
+ hreq.getRemotePort(),NO_TAF_WILL_AUTHORIZE,tresp.desc());
+ hresp.sendError(403, ACCESS_DENIED); // FORBIDDEN
break;
default:
- access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
- , hreq.getRemoteAddr(), hreq.getRemotePort());
- hresp.sendError(403, "Access Denied"); // FORBIDDEN
+ access.printf(Level.AUDIT,MSG_FMT, tresp.getTarget(),hreq.getRemoteAddr(),
+ hreq.getRemotePort(),NO_TAF_WILL_AUTHORIZE,tresp.desc());
+ hresp.sendError(403, ACCESS_DENIED); // FORBIDDEN
}
+
return tresp;
}
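Review bot: The outer NO_FURTHER_PROCESSING branch (the printf that replaces the old "Authentication Failure: %s from %s:%d" line) now logs NO_TAF_WILL_AUTHORIZE, which looks like a copy of the default branch; the message should stay `hreq.getRemotePort(),AUTHENTICATION_FAILURE,tresp.desc());` so an authentication failure is distinguishable from "no TAF will authorize" in the audit trail. Both IS_AUTHENTICATED lines also drop from INFO to DEBUG, so successful authentications disappear from ordinary logs even though the failure paths stay at AUDIT; I would expect this asymmetry to be deliberate and stated, or the level kept. MSG_FMT embeds tresp.getTarget() and tresp.desc() inside a quoted field with no escaping, and target is now derived from the client-supplied Authorization header in BasicHttpTaf, so a value containing quotes, commas or CR/LF can corrupt or forge audit lines; sanitizing where target is assigned (or in the accessor) would close that. The enclosing method starts before this hunk.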
@@ -193,7 +201,7 @@ public class CadiHTTPManip {
}
return true;
}
-
+
public Lur getLur() {
return lur;
}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
index b3ac0945..364a0728 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
@@ -37,7 +37,9 @@ public abstract class AbsTafResp implements TafResp {
protected final Access access;
protected final String tafName;
+ // Note: Valid Resp is based on Principal being non-null
protected final TaggedPrincipal principal;
+ protected final String target;
protected final String desc;
private float timing;
@@ -58,6 +60,28 @@ public abstract class AbsTafResp implements TafResp {
this.access = access;
this.tafName = tafname;
this.principal = principal;
+ this.target = principal==null?"unknown":principal.getName();
+ this.desc = description;
+ }
+
+ /**
+ * AbsTafResp
+ *
+ * Set and hold
+ * Description (for logging)
+ * Principal (as created by derived class)
+ * Access (for access to underlying container, i.e. for Logging, auditing, ClassLoaders, etc)
+ *
+ * @param access
+ * @param tafname
+ * @param principal
+ * @param description
+ */
+ public AbsTafResp(Access access, String tafname, String target, String description) {
+ this.access = access;
+ this.tafName = tafname;
+ this.principal = null;
+ this.target = target;
this.desc = description;
}
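Review bot: The Javadoc on the new String-target constructor is copied from the principal constructor and still says "Principal (as created by derived class)" even though this overload fixes principal to null, and its @param tags are empty; a line such as `@param target the ID that was being attempted when no principal could be established (use "unknown" when not known)` would make the contract explicit. The literal "unknown" is repeated here, in LoginPageTafResp, NullTafResp, BasicHttpTaf and both JUnit files, while PuntTafResp and DenialOfServiceTafResp use "punt" and "dos"; a single constant on TafResp (e.g. `String UNKNOWN_TARGET = "unknown";`) would keep the sentinel consistent for anything that greps or filters the audit line on it. The class continues outside this hunk.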
@@ -102,7 +126,15 @@ public abstract class AbsTafResp implements TafResp {
return principal;
}
- /**
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.taf.TafResp#getTarget()
+ */
+ @Override
+ public String getTarget() {
+ return target;
+ }
+
+ /**
* getAccess()
*
* Get the Access object from the TAF, so that appropriate Logging, etc can be coordinated.
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
index a5ce45b7..d64fbe0d 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
@@ -37,7 +37,7 @@ public class LoginPageTafResp extends AbsTafResp {
private final String loginPageURL;
private LoginPageTafResp(Access access, final HttpServletResponse resp, String loginPageURL) {
- super(access, "LoginPage", null, "Multiple Possible HTTP Logins available. Redirecting to Login Choice Page");
+ super(access, "LoginPage","unknown", "Multiple Possible HTTP Logins available. Redirecting to Login Choice Page");
httpResp = resp;
this.loginPageURL = loginPageURL;
}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
index a3c8f5bb..fb66ec08 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
@@ -60,7 +60,15 @@ class NullTafResp implements TafResp {
return null;
}
- public Access getAccess() {
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.taf.TafResp#getTarget()
+ */
+ @Override
+ public String getTarget() {
+ return "unknown";
+ }
+
+ public Access getAccess() {
return Access.NULL;
}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
index e6555051..3bc278e5 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
@@ -63,7 +63,15 @@ public class PuntTafResp implements TafResp {
return null;
}
- public Access getAccess() {
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.taf.TafResp#getTarget()
+ */
+ @Override
+ public String getTarget() {
+ return "punt";
+ }
+
+ public Access getAccess() {
return NullTafResp.singleton().getAccess();
}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
index f3afde72..6850a372 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
@@ -81,6 +81,11 @@ public interface TafResp {
* @return
*/
public TaggedPrincipal getPrincipal();
+
+ /** Target - when Authentication Fails, need to know what ID was being attempted
+ * @return
+ */
+ public String getTarget();
/**
* get the Access object which created this object, allowing the responder to appropriate Log, etc
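Review bot: The new getTarget() Javadoc has an empty @return and does not state whether the value may be null, which matters because CadiHTTPManip interpolates it straight into an audit line. Every implementation in this change returns a non-null String ("unknown", "punt", "dos", the principal name or a delegate's value), so the contract should say so: `@return the attempted ID, or "unknown" when it could not be determined; never null`. Noting that the value may originate from client-supplied credentials would also warn implementers and log consumers that it is untrusted.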
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
index 6b8adeb8..f397cbab 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
@@ -62,7 +62,15 @@ public class TrustNotTafResp implements TafResp {
return delegate.getPrincipal();
}
- @Override
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.taf.TafResp#getTarget()
+ */
+ @Override
+ public String getTarget() {
+ return delegate.getTarget();
+ }
+
+ @Override
public Access getAccess() {
return delegate.getAccess();
}
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
index 91f9f8c4..061d4e2f 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
@@ -64,7 +64,15 @@ public class TrustTafResp implements TafResp {
return principal;
}
- @Override
+ /* (non-Javadoc)
+ * @see org.onap.aaf.cadi.taf.TafResp#getTarget()
+ */
+ @Override
+ public String getTarget() {
+ return delegate.getTarget();
+ }
+
+ @Override
public Access getAccess() {
return delegate.getAccess();
}
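Review bot: getTarget() returns delegate.getTarget(), but getPrincipal() just above the hunk returns this class's own principal field rather than the delegate's, so the "Authenticated" audit line in CadiHTTPManip would presumably name the trusting caller instead of the effective identity this response carries. If the as-user identity is what should be recorded, `return principal==null ? delegate.getTarget() : principal.getName();` keeps the delegate as a fallback; if the original authenticator is intentionally what gets logged, a one-line comment saying so would stop the next reader from "fixing" it. The class continues outside this hunk.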
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
index d5c88464..dcd27d63 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
@@ -120,13 +120,15 @@ public class BasicHttpTaf implements HttpTaf {
return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
} else {
//TODO may need timed retries in a given time period
- return new BasicHttpTafResp(access,null,buildMsg(bp,req,"user/pass combo invalid for ",bc.getUser(),"from",req.getRemoteAddr()),
+ return new BasicHttpTafResp(access,bc.getUser(),buildMsg(bp,req,"user/pass combo invalid for ",bc.getUser(),"from",req.getRemoteAddr()),
RESP.TRY_AUTHENTICATING,resp,realm,true);
}
}
}
// Get User/Password from Authorization Header value
String authz = req.getHeader("Authorization");
+ String target="unknown";
+
if (authz != null && authz.startsWith("Basic ")) {
if (warn&&!req.isSecure()) {
access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
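Review bot: target now carries bc.getUser() in this hunk and ba.getName() in the next two, i.e. the user portion of a client-supplied Authorization header, and CadiHTTPManip writes it unescaped into the MSG_FMT audit line; a value containing quotes, commas or CR/LF can break or forge log records, so it should be normalised once where it is assigned, e.g. `target = ba.getName().replaceAll("[\\r\\n\"]", "_");` and the same for the bc.getUser() call. The `String target="unknown";` declaration is introduced after the first return paths have already been taken, which is fine today but easy to break if the method is reordered; declaring it at the top of the method would make the intent clear. The enclosing method starts before this hunk.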
@@ -136,6 +138,7 @@ public class BasicHttpTaf implements HttpTaf {
}
try {
CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive);
+ target=ba.getName();
if (DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
return DenialOfServiceTaf.respDenyID(access,ba.getName());
}
@@ -152,16 +155,16 @@ public class BasicHttpTaf implements HttpTaf {
return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
} else {
//TODO may need timed retries in a given time period
- return new BasicHttpTafResp(access,null,buildMsg(ba,req,"user/pass combo invalid"),
+ return new BasicHttpTafResp(access,target,buildMsg(ba,req,"user/pass combo invalid"),
RESP.TRY_AUTHENTICATING,resp,realm,true);
}
} catch (IOException e) {
String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')');
access.log(Level.INFO,msg);
- return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true);
+ return new BasicHttpTafResp(access,target,msg, RESP.TRY_AUTHENTICATING, resp, realm,true);
}
}
- return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false);
+ return new BasicHttpTafResp(access,target,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false);
}
protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
index d1acf5fe..e2174493 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
@@ -45,6 +45,14 @@ public class BasicHttpTafResp extends AbsTafResp implements TafResp {
this.wasFailed = wasFailed;
}
+ public BasicHttpTafResp(Access access, String target, String description, RESP status, HttpServletResponse resp, String realm, boolean wasFailed) {
+ super(access, tafName, target, description);
+ httpResp = resp;
+ this.realm = realm;
+ this.status = status;
+ this.wasFailed = wasFailed;
+ }
+
public RESP authenticate() throws IOException {
httpResp.setStatus(401); // Unauthorized
httpResp.setHeader("WWW-Authenticate", "Basic realm=\""+realm+'"');
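Review bot: The new constructor is undocumented and appears to differ from the existing one only in the type of its second parameter (a String target instead of a principal, judging by the call sites changed in BasicHttpTaf), so any remaining caller that still passes a `null` literal there becomes ambiguous between the overloads and stops compiling. A Javadoc such as `/** Failed or pending response with no principal; target is the ID that was attempted, for audit logging. */` on this constructor would explain why two overloads exist and which one to pick. The class continues outside this hunk.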
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
index fca99a31..5f5ff574 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
@@ -266,6 +266,7 @@ public class X509Taf implements HttpTaf {
// if Principal is found, check for "AS_USER" and whether this entity is trusted to declare
if (prin!=null) {
+ // Note: Tag for Certs is Fingerprint, but that takes computation... leaving off
return new X509HttpTafResp(
access,
prin,
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
index 2fcd1553..2215a6f9 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
@@ -32,7 +32,7 @@ public class DenialOfServiceTafResp extends AbsTafResp {
private RESP ect; // Homage to Arethra Franklin
public DenialOfServiceTafResp(Access access, RESP resp, String description ) {
- super(access, tafName, null, description);
+ super(access, tafName, "dos", description);
ect = resp;
}
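Review bot: The target is hard-coded to "dos" even though the TafResp.getTarget() contract in this change is "what ID was being attempted", and DenialOfServiceTaf.respDenyID(access, ba.getName()) in BasicHttpTaf already has the denied ID in hand. An overload that accepts it would let the audit line carry the ID: `public DenialOfServiceTafResp(Access access, RESP resp, String target, String description) { super(access, tafName, target, description); ect = resp; }`, keeping the existing constructor delegating with "dos". The class continues outside this hunk.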
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_AbsTafResp.java b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_AbsTafResp.java
index bf5a15fb..4dba8edb 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_AbsTafResp.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_AbsTafResp.java
@@ -73,7 +73,7 @@ public class JU_AbsTafResp {
assertThat(tafResp.getAccess(), is(access));
assertThat(tafResp.isFailedAttempt(), is(false));
- tafResp = new AbsTafResp(null, JUNIT, null, null) {
+ tafResp = new AbsTafResp(null, JUNIT, "unknown", null) {
@Override public RESP authenticate() throws IOException {
return null;
}
@@ -82,6 +82,7 @@ public class JU_AbsTafResp {
assertThat(tafResp.isValid(), is(false));
assertThat(tafResp.isAuthenticated(), is(RESP.TRY_ANOTHER_TAF));
assertThat(tafResp.getPrincipal(), is(nullValue()));
+ assertThat(tafResp.getTarget(), is("unknown"));
assertThat(tafResp.getAccess(), is(nullValue()));
assertThat(tafResp.taf(), is(JUNIT));
assertThat(tafResp.isFailedAttempt(), is(false));
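Review bot: The only getTarget() assertion covers the String-target constructor; the principal-backed derivation in AbsTafResp (`principal==null?"unknown":principal.getName()`) is not exercised by any assertion in this change. Assuming the tafResp asserted at the top of the previous hunk is built with a non-null principal, a line like `assertThat(tafResp.getTarget(), is(principalName));` there would pin that path too. The test method starts before this hunk.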
diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_EpiTaf.java b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_EpiTaf.java
index 08602cb0..8e103893 100644
--- a/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_EpiTaf.java
+++ b/cadi/core/src/test/java/org/onap/aaf/cadi/taf/test/JU_EpiTaf.java
@@ -76,6 +76,7 @@ public class JU_EpiTaf {
@Override public RESP isAuthenticated() { return RESP.TRY_ANOTHER_TAF; }
@Override public RESP authenticate() throws IOException { return null; }
@Override public TaggedPrincipal getPrincipal() { return null; }
+ @Override public String getTarget() {return "unknown";}
@Override public Access getAccess() { return null; }
@Override public boolean isFailedAttempt() { return false; }
@Override public float timing() { return 0; }
@@ -93,6 +94,7 @@ public class JU_EpiTaf {
@Override public RESP isAuthenticated() { return RESP.TRY_AUTHENTICATING; }
@Override public RESP authenticate() throws IOException { return null; }
@Override public TaggedPrincipal getPrincipal() { return null; }
+ @Override public String getTarget() {return "unknown";}
@Override public Access getAccess() { return null; }
@Override public boolean isFailedAttempt() { return false; }
@Override public float timing() { return 0; }