From a20accc73189d8e5454cd26049c0e6fae75da16f Mon Sep 17 00:00:00 2001 From: Instrumental Date: Mon, 26 Mar 2018 13:49:56 -0700 Subject: AT&T 2.0.19 Code drop, stage 2 Issue-ID: AAF-197 Change-Id: Ifc93308f52c10d6ad82e99cd3ff5ddb900bf219a Signed-off-by: Instrumental --- cadi/.gitignore | 2 + cadi/.project | 17 + cadi/aaf/.gitignore | 4 + cadi/aaf/.project | 23 + cadi/aaf/jenkins-pom.xml | 257 ++++++ cadi/aaf/pom.xml | 109 +++ .../java/org/onap/aaf/cadi/aaf/AAFPermission.java | 126 +++ .../main/java/org/onap/aaf/cadi/aaf/PermEval.java | 148 ++++ .../org/onap/aaf/cadi/aaf/TestConnectivity.java | 303 +++++++ .../aaf/cadi/aaf/cert/AAFListedCertIdentity.java | 176 ++++ .../org/onap/aaf/cadi/aaf/client/ErrMessage.java | 96 ++ .../org/onap/aaf/cadi/aaf/client/Examples.java | 443 ++++++++++ .../org/onap/aaf/cadi/aaf/marshal/CertMarshal.java | 65 ++ .../onap/aaf/cadi/aaf/marshal/CertsMarshal.java | 44 + .../java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java | 169 ++++ .../java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java | 371 ++++++++ .../org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java | 229 +++++ .../org/onap/aaf/cadi/aaf/v2_0/AAFLocator.java | 132 +++ .../org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java | 243 +++++ .../java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java | 203 +++++ .../onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java | 114 +++ .../org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java | 496 +++++++++++ .../java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java | 289 ++++++ .../java/org/onap/aaf/cadi/cm/ArtifactDir.java | 286 ++++++ .../java/org/onap/aaf/cadi/cm/CertException.java | 45 + .../main/java/org/onap/aaf/cadi/cm/CmAgent.java | 722 +++++++++++++++ .../main/java/org/onap/aaf/cadi/cm/Factory.java | 447 ++++++++++ .../java/org/onap/aaf/cadi/cm/PlaceArtifact.java | 32 + .../org/onap/aaf/cadi/cm/PlaceArtifactInFiles.java | 52 ++ .../onap/aaf/cadi/cm/PlaceArtifactInKeystore.java | 147 ++++ .../onap/aaf/cadi/cm/PlaceArtifactOnStream.java | 51 ++ .../org/onap/aaf/cadi/cm/PlaceArtifactScripts.java | 157 ++++ .../java/org/onap/aaf/cadi/oauth/AAFToken.java | 86 ++ .../java/org/onap/aaf/cadi/oauth/AbsOTafLur.java | 130 +++ .../org/onap/aaf/cadi/oauth/HRenewingTokenSS.java | 104 +++ .../org/onap/aaf/cadi/oauth/OAuth2HttpTaf.java | 82 ++ .../org/onap/aaf/cadi/oauth/OAuth2HttpTafResp.java | 66 ++ .../java/org/onap/aaf/cadi/oauth/OAuth2Lur.java | 107 +++ .../org/onap/aaf/cadi/oauth/OAuth2Principal.java | 54 ++ .../java/org/onap/aaf/cadi/oauth/TimedToken.java | 132 +++ .../java/org/onap/aaf/cadi/oauth/TokenClient.java | 474 ++++++++++ .../onap/aaf/cadi/oauth/TokenClientFactory.java | 170 ++++ .../java/org/onap/aaf/cadi/oauth/TokenMgr.java | 193 ++++ .../java/org/onap/aaf/cadi/oauth/TokenPerm.java | 171 ++++ .../java/org/onap/aaf/cadi/oauth/TzClient.java | 40 + .../java/org/onap/aaf/cadi/oauth/TzHClient.java | 82 ++ .../org/onap/aaf/cadi/obasic/OBasicHttpTaf.java | 196 +++++ .../src/main/java/org/onap/aaf/cadi/olur/OLur.java | 150 ++++ .../java/org/onap/aaf/cadi/persist/Persist.java | 301 +++++++ .../org/onap/aaf/cadi/persist/PersistFile.java | 252 ++++++ .../org/onap/aaf/cadi/persist/Persistable.java | 39 + .../java/org/onap/aaf/cadi/persist/Persisting.java | 167 ++++ .../org/onap/aaf/cadi/register/Registrant.java | 30 + .../java/org/onap/aaf/cadi/register/Registrar.java | 101 +++ .../onap/aaf/cadi/register/RemoteRegistrant.java | 165 ++++ .../main/java/org/onap/aaf/cadi/sso/AAFSSO.java | 284 ++++++ .../aaf/cadi/aaf/client/JU_ErrMessageTest.java | 128 +++ .../aaf/cadi/aaf/marshal/JU_CertsMarshalTest.java | 48 + .../org/onap/aaf/cadi/aaf/test/JU_AAFLocator.java | 80 ++ .../org/onap/aaf/cadi/aaf/test/TestHClient.java | 87 ++ .../onap/aaf/cadi/aaf/v2_0/JU_AAFAuthnTest.java | 154 ++++ .../org/onap/aaf/cadi/lur/aaf/test/JU_JMeter.java | 143 +++ .../onap/aaf/cadi/lur/aaf/test/JU_Lur2_0Call.java | 573 ++++++++++++ .../cadi/lur/aaf/test/JU_MultiThreadPermHit.java | 148 ++++ .../onap/aaf/cadi/lur/aaf/test/JU_PermEval.java | 107 +++ .../onap/aaf/cadi/lur/aaf/test/JU_TestAccess.java | 127 +++ .../onap/aaf/cadi/lur/aaf/test1/JU_PermEval.java | 123 +++ .../aaf/cadi/lur/aaf/test1/MultiThreadPermHit.java | 145 +++ .../org/onap/aaf/cadi/oauth/test/JU_FastPerms.java | 106 +++ .../org/onap/aaf/cadi/oauth/test/JU_OAuthTest.java | 277 ++++++ .../onap/aaf/cadi/oauth/test/JU_OAuthToken.java | 86 ++ .../test/java/org/onap/aaf/content/JU_Content.java | 81 ++ .../org/onap/aaf/example/JU_ExampleAuthCheck.java | 56 ++ .../java/org/onap/aaf/example/JU_X509Test.java | 88 ++ .../test/java/org/onap/aaf/stillNeed/CadiTest.java | 63 ++ .../org/onap/aaf/stillNeed/ExampleAuthCheck.java | 55 ++ .../java/org/onap/aaf/stillNeed/TestPrincipal.java | 35 + .../test/java/org/onap/aaf/stillNeed/X509Test.java | 89 ++ cadi/aaf/src/test/resources/cadi.properties | 37 + cadi/aaf/src/test/resources/log4j.properties | 32 + cadi/cass/.gitignore | 4 + cadi/cass/.project | 23 + cadi/cass/etc/cadi.properties | 45 + cadi/cass/pom.xml | 96 ++ .../att/aaf/cadi/cass/AAFAuthenticatedUser.java | 109 +++ .../com/att/aaf/cadi/cass/AAFAuthenticator.java | 173 ++++ .../java/com/att/aaf/cadi/cass/AAFAuthorizer.java | 224 +++++ .../main/java/com/att/aaf/cadi/cass/AAFBase.java | 193 ++++ .../aaf/cadi/cass/JU_AAFAuthenticatedUserTest.java | 90 ++ .../onap/aaf/cadi/cass/JU_AAFAuthenticator.java | 110 +++ .../onap/aaf/cadi/cass/JU_AAFAuthorizerTest.java | 109 +++ .../org/onap/aaf/cadi/cass/JU_AAFBaseTest.java | 70 ++ .../test/java/org/onap/aaf/cadi/cass/JU_CASS.java | 106 +++ cadi/client/.gitignore | 5 + cadi/client/pom.xml | 89 ++ .../onap/aaf/cadi/client/AbsAuthentication.java | 130 +++ .../org/onap/aaf/cadi/client/AbsTransferSS.java | 76 ++ .../java/org/onap/aaf/cadi/client/BasicAuth.java | 28 + .../java/org/onap/aaf/cadi/client/EClient.java | 51 ++ .../main/java/org/onap/aaf/cadi/client/Future.java | 33 + .../main/java/org/onap/aaf/cadi/client/Holder.java | 46 + .../main/java/org/onap/aaf/cadi/client/Rcli.java | 974 +++++++++++++++++++++ .../main/java/org/onap/aaf/cadi/client/Result.java | 60 ++ .../java/org/onap/aaf/cadi/client/Retryable.java | 71 ++ .../onap/aaf/cadi/http/HAuthorizationHeader.java | 54 ++ .../java/org/onap/aaf/cadi/http/HBasicAuthSS.java | 68 ++ .../main/java/org/onap/aaf/cadi/http/HClient.java | 444 ++++++++++ .../main/java/org/onap/aaf/cadi/http/HMangr.java | 248 ++++++ .../java/org/onap/aaf/cadi/http/HNoAuthSS.java | 45 + .../main/java/org/onap/aaf/cadi/http/HRcli.java | 130 +++ .../main/java/org/onap/aaf/cadi/http/HTokenSS.java | 34 + .../java/org/onap/aaf/cadi/http/HTransferSS.java | 64 ++ .../main/java/org/onap/aaf/cadi/http/HX509SS.java | 152 ++++ .../java/org/onap/aaf/cadi/locator/DNSLocator.java | 210 +++++ .../aaf/cadi/locator/HClientHotPeerLocator.java | 60 ++ .../org/onap/aaf/cadi/locator/HotPeerLocator.java | 302 +++++++ .../org/onap/aaf/cadi/locator/PropertyLocator.java | 289 ++++++ .../org/onap/aaf/cadi/routing/GreatCircle.java | 188 ++++ .../onap/aaf/cadi/client/test/JU_DNSLocator.java | 55 ++ .../onap/aaf/cadi/client/test/JU_GreatCircle.java | 62 ++ .../aaf/cadi/client/test/JU_PropertyLocator.java | 96 ++ .../org/onap/aaf/client/test/JU_DNSLocator.java | 55 ++ .../org/onap/aaf/client/test/JU_HolderTest.java | 79 ++ .../onap/aaf/client/test/JU_PropertyLocator.java | 96 ++ .../org/onap/aaf/client/test/JU_ResultTest.java | 108 +++ .../org/onap/aaf/client/test/JU_TestAccess.java | 98 +++ cadi/core/.gitignore | 5 + cadi/core/.project | 23 + cadi/core/conf/.gitignore | 1 + cadi/core/conf/cadi.properties | 34 + cadi/core/pom.xml | 95 ++ cadi/core/src/main/java/org/onap/aaf/cadi/AES.java | 131 +++ .../main/java/org/onap/aaf/cadi/AbsUserCache.java | 463 ++++++++++ .../src/main/java/org/onap/aaf/cadi/Access.java | 180 ++++ .../src/main/java/org/onap/aaf/cadi/BasicCred.java | 36 + .../onap/aaf/cadi/BufferedServletInputStream.java | 200 +++++ .../java/org/onap/aaf/cadi/CachedPrincipal.java | 47 + .../main/java/org/onap/aaf/cadi/CachingLur.java | 34 + .../main/java/org/onap/aaf/cadi/CadiException.java | 50 ++ .../src/main/java/org/onap/aaf/cadi/CadiWrap.java | 198 +++++ .../src/main/java/org/onap/aaf/cadi/Capacitor.java | 241 +++++ .../src/main/java/org/onap/aaf/cadi/CmdLine.java | 361 ++++++++ .../src/main/java/org/onap/aaf/cadi/Connector.java | 26 + .../src/main/java/org/onap/aaf/cadi/CredVal.java | 42 + .../src/main/java/org/onap/aaf/cadi/GetCred.java | 26 + .../core/src/main/java/org/onap/aaf/cadi/Hash.java | 258 ++++++ .../src/main/java/org/onap/aaf/cadi/Locator.java | 36 + .../java/org/onap/aaf/cadi/LocatorException.java | 46 + cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java | 92 ++ .../main/java/org/onap/aaf/cadi/Permission.java | 28 + .../main/java/org/onap/aaf/cadi/PropAccess.java | 387 ++++++++ .../main/java/org/onap/aaf/cadi/Revalidator.java | 34 + .../java/org/onap/aaf/cadi/SecuritySetter.java | 44 + .../org/onap/aaf/cadi/ServletContextAccess.java | 67 ++ .../core/src/main/java/org/onap/aaf/cadi/Symm.java | 854 ++++++++++++++++++ cadi/core/src/main/java/org/onap/aaf/cadi/Taf.java | 57 ++ .../main/java/org/onap/aaf/cadi/Transmutate.java | 45 + .../main/java/org/onap/aaf/cadi/TrustChecker.java | 52 ++ .../core/src/main/java/org/onap/aaf/cadi/User.java | 177 ++++ .../src/main/java/org/onap/aaf/cadi/UserChain.java | 43 + .../main/java/org/onap/aaf/cadi/config/Config.java | 728 +++++++++++++++ .../main/java/org/onap/aaf/cadi/config/Get.java | 97 ++ .../java/org/onap/aaf/cadi/config/GetAccess.java | 62 ++ .../java/org/onap/aaf/cadi/config/MultiGet.java | 42 + .../org/onap/aaf/cadi/config/SecurityInfo.java | 255 ++++++ .../org/onap/aaf/cadi/config/SecurityInfoC.java | 72 ++ .../java/org/onap/aaf/cadi/config/UsersDump.java | 157 ++++ .../main/java/org/onap/aaf/cadi/filter/AUTHZ.java | 36 + .../org/onap/aaf/cadi/filter/AUTHZServlet.java | 100 +++ .../org/onap/aaf/cadi/filter/AccessGetter.java | 35 + .../java/org/onap/aaf/cadi/filter/CadiFilter.java | 332 +++++++ .../org/onap/aaf/cadi/filter/CadiHTTPManip.java | 210 +++++ .../main/java/org/onap/aaf/cadi/filter/FCGet.java | 76 ++ .../org/onap/aaf/cadi/filter/MapPermConverter.java | 54 ++ .../onap/aaf/cadi/filter/NullPermConverter.java | 43 + .../java/org/onap/aaf/cadi/filter/PathFilter.java | 183 ++++ .../org/onap/aaf/cadi/filter/PermConverter.java | 32 + .../org/onap/aaf/cadi/filter/RolesAllowed.java | 56 ++ .../java/org/onap/aaf/cadi/filter/ServletImpl.java | 56 ++ .../org/onap/aaf/cadi/lur/ConfigPrincipal.java | 69 ++ .../main/java/org/onap/aaf/cadi/lur/EpiLur.java | 169 ++++ .../main/java/org/onap/aaf/cadi/lur/LocalLur.java | 196 +++++ .../org/onap/aaf/cadi/lur/LocalPermission.java | 50 ++ .../main/java/org/onap/aaf/cadi/lur/NullLur.java | 87 ++ .../onap/aaf/cadi/principal/BasicPrincipal.java | 126 +++ .../onap/aaf/cadi/principal/BearerPrincipal.java | 33 + .../aaf/cadi/principal/CachedBasicPrincipal.java | 65 ++ .../java/org/onap/aaf/cadi/principal/Kind.java | 53 ++ .../aaf/cadi/principal/OAuth2FormPrincipal.java | 61 ++ .../onap/aaf/cadi/principal/StringTagLookup.java | 35 + .../onap/aaf/cadi/principal/TaggedPrincipal.java | 60 ++ .../onap/aaf/cadi/principal/TrustPrincipal.java | 70 ++ .../onap/aaf/cadi/principal/UnAuthPrincipal.java | 37 + .../org/onap/aaf/cadi/principal/X509Principal.java | 109 +++ .../java/org/onap/aaf/cadi/taf/AbsTafResp.java | 116 +++ .../main/java/org/onap/aaf/cadi/taf/EpiTaf.java | 84 ++ .../java/org/onap/aaf/cadi/taf/HttpEpiTaf.java | 197 +++++ .../main/java/org/onap/aaf/cadi/taf/HttpTaf.java | 60 ++ .../org/onap/aaf/cadi/taf/LoginPageTafResp.java | 86 ++ .../main/java/org/onap/aaf/cadi/taf/NullTaf.java | 64 ++ .../java/org/onap/aaf/cadi/taf/NullTafResp.java | 73 ++ .../java/org/onap/aaf/cadi/taf/PuntTafResp.java | 69 ++ .../java/org/onap/aaf/cadi/taf/Redirectable.java | 31 + .../main/java/org/onap/aaf/cadi/taf/TafResp.java | 94 ++ .../org/onap/aaf/cadi/taf/TrustNotTafResp.java | 76 ++ .../java/org/onap/aaf/cadi/taf/TrustTafResp.java | 78 ++ .../org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java | 165 ++++ .../onap/aaf/cadi/taf/basic/BasicHttpTafResp.java | 62 ++ .../org/onap/aaf/cadi/taf/cert/CertIdentity.java | 46 + .../onap/aaf/cadi/taf/cert/X509HttpTafResp.java | 51 ++ .../java/org/onap/aaf/cadi/taf/cert/X509Taf.java | 261 ++++++ .../onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java | 374 ++++++++ .../aaf/cadi/taf/dos/DenialOfServiceTafResp.java | 47 + .../main/java/org/onap/aaf/cadi/util/Chmod.java | 62 ++ .../src/main/java/org/onap/aaf/cadi/util/FQI.java | 51 ++ .../org/onap/aaf/cadi/util/JsonOutputStream.java | 89 ++ .../onap/aaf/cadi/util/MaskFormatException.java | 31 + .../java/org/onap/aaf/cadi/util/MyConsole.java | 28 + .../main/java/org/onap/aaf/cadi/util/NetMask.java | 99 +++ .../src/main/java/org/onap/aaf/cadi/util/Pool.java | 380 ++++++++ .../main/java/org/onap/aaf/cadi/util/Split.java | 114 +++ .../org/onap/aaf/cadi/util/SubStandardConsole.java | 62 ++ .../java/org/onap/aaf/cadi/util/TheConsole.java | 47 + .../org/onap/aaf/cadi/util/UserChainManip.java | 77 ++ .../src/main/java/org/onap/aaf/cadi/util/Vars.java | 120 +++ .../main/java/org/onap/aaf/cadi/wsse/Action.java | 37 + .../main/java/org/onap/aaf/cadi/wsse/Match.java | 130 +++ .../java/org/onap/aaf/cadi/wsse/WSSEParser.java | 86 ++ .../main/java/org/onap/aaf/cadi/wsse/XEvent.java | 135 +++ .../main/java/org/onap/aaf/cadi/wsse/XReader.java | 417 +++++++++ cadi/core/src/test/java/.gitignore | 0 .../test/java/org/onap/aaf/cadi/test/JU_AES.java | 180 ++++ .../java/org/onap/aaf/cadi/test/JU_Access.java | 66 ++ .../java/org/onap/aaf/cadi/test/JU_Base64.java | 92 ++ .../onap/aaf/cadi/test/JU_BufferedCadiWrap.java | 45 + .../cadi/test/JU_BufferedServletInputStream.java | 320 +++++++ .../onap/aaf/cadi/test/JU_CadiExceptionTest.java | 121 +++ .../org/onap/aaf/cadi/test/JU_CadiWrapTest.java | 155 ++++ .../java/org/onap/aaf/cadi/test/JU_Capacitor.java | 155 ++++ .../java/org/onap/aaf/cadi/test/JU_CmdLine.java | 273 ++++++ .../test/java/org/onap/aaf/cadi/test/JU_Hash.java | 210 +++++ .../onap/aaf/cadi/test/JU_LocatorException.java | 60 ++ .../java/org/onap/aaf/cadi/test/JU_PropAccess.java | 151 ++++ .../aaf/cadi/test/JU_ServletContextAccess.java | 104 +++ .../test/java/org/onap/aaf/cadi/test/JU_Symm.java | 203 +++++ .../org/onap/aaf/cadi/test/JU_TrustChecker.java | 37 + .../test/java/org/onap/aaf/cadi/test/JU_User.java | 185 ++++ .../onap/aaf/cadi/test/filter/JU_FCGetTest.java | 103 +++ .../onap/aaf/cadi/test/lur/JU_ConfigPrincipal.java | 79 ++ .../org/onap/aaf/cadi/test/lur/JU_LocalLur.java | 103 +++ .../onap/aaf/cadi/test/lur/JU_LocalPermission.java | 71 ++ .../org/onap/aaf/cadi/test/lur/JU_NullLur.java | 80 ++ .../aaf/cadi/test/principal/JU_BasicPrincipal.java | 123 +++ .../test/principal/JU_CachedBasicPrincipal.java | 125 +++ .../org/onap/aaf/cadi/test/principal/JU_Kind.java | 70 ++ .../test/principal/JU_OAuth2FormPrincipal.java | 56 ++ .../cadi/test/principal/JU_StringTagLookup.java | 40 + .../cadi/test/principal/JU_TaggedPrincipal.java | 68 ++ .../aaf/cadi/test/principal/JU_TrustPrincipal.java | 91 ++ .../cadi/test/principal/JU_UnAuthPrincipal.java | 41 + .../aaf/cadi/test/principal/JU_X509Principal.java | 140 +++ .../onap/aaf/cadi/test/taf/JU_NullTafRespTest.java | 62 ++ .../java/org/onap/aaf/cadi/test/util/JU_FQI.java | 44 + .../aaf/cadi/test/util/JU_JsonOutputStream.java | 93 ++ .../aaf/cadi/test/util/JU_MaskFormatException.java | 44 + .../org/onap/aaf/cadi/test/util/JU_NetMask.java | 65 ++ .../java/org/onap/aaf/cadi/test/util/JU_Split.java | 113 +++ .../org/onap/aaf/cadi/test/util/JU_TheConsole.java | 34 + .../onap/aaf/cadi/test/util/JU_UserChainManip.java | 66 ++ .../java/org/onap/aaf/cadi/test/util/JU_Vars.java | 150 ++++ .../org/onap/aaf/cadi/test/wsse/JU_WSSE_Read.java | 189 ++++ .../org/onap/aaf/cadi/test/wsse/JU_XReader.java | 65 ++ cadi/core/test/AESKeyFile | 27 + cadi/core/test/CBUSevent.xml | 44 + cadi/core/test/cadi.properties | 60 ++ cadi/core/test/cadi.properties.duplicate | 58 ++ cadi/core/test/keyfile | 27 + cadi/oauth-enduser/.gitignore | 6 + cadi/oauth-enduser/.settings/.gitignore | 2 + cadi/oauth-enduser/cadi.properties | 57 ++ cadi/oauth-enduser/pom.xml | 112 +++ cadi/oauth-enduser/src/.gitignore | 1 + .../java/com/att/cadi/enduser/OAuthExample.java | 233 +++++ cadi/pom.xml | 383 ++++++++ cadi/shiro/.gitignore | 5 + cadi/shiro/pom.xml | 78 ++ .../onap/aaf/cadi/shiro/AAFAuthenticationInfo.java | 90 ++ .../onap/aaf/cadi/shiro/AAFAuthorizationInfo.java | 94 ++ .../aaf/cadi/shiro/AAFPrincipalCollection.java | 125 +++ .../java/org/onap/aaf/cadi/shiro/AAFRealm.java | 142 +++ .../onap/aaf/cadi/shiro/AAFShiroPermission.java | 45 + .../org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java | 92 ++ 292 files changed, 36705 insertions(+) create mode 100644 cadi/.gitignore create mode 100644 cadi/.project create mode 100644 cadi/aaf/.gitignore create mode 100644 cadi/aaf/.project create mode 100644 cadi/aaf/jenkins-pom.xml create mode 100644 cadi/aaf/pom.xml create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/PermEval.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/TestConnectivity.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/ErrMessage.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/Examples.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertMarshal.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertsMarshal.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLocator.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/ArtifactDir.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/CertException.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/CmAgent.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/Factory.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifact.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactInFiles.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactInKeystore.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactOnStream.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactScripts.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/AAFToken.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/AbsOTafLur.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/HRenewingTokenSS.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTaf.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTafResp.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Lur.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Principal.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TimedToken.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClient.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenMgr.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenPerm.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TzClient.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TzHClient.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/obasic/OBasicHttpTaf.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/olur/OLur.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persist.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/PersistFile.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persistable.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persisting.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/register/Registrant.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/register/Registrar.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/register/RemoteRegistrant.java create mode 100644 cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/client/JU_ErrMessageTest.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/marshal/JU_CertsMarshalTest.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/JU_AAFLocator.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/TestHClient.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/v2_0/JU_AAFAuthnTest.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_JMeter.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_Lur2_0Call.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_MultiThreadPermHit.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_PermEval.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_TestAccess.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test1/JU_PermEval.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test1/MultiThreadPermHit.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_FastPerms.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_OAuthTest.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_OAuthToken.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/content/JU_Content.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/example/JU_ExampleAuthCheck.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/example/JU_X509Test.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/stillNeed/CadiTest.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/stillNeed/ExampleAuthCheck.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/stillNeed/TestPrincipal.java create mode 100644 cadi/aaf/src/test/java/org/onap/aaf/stillNeed/X509Test.java create mode 100644 cadi/aaf/src/test/resources/cadi.properties create mode 100644 cadi/aaf/src/test/resources/log4j.properties create mode 100644 cadi/cass/.gitignore create mode 100644 cadi/cass/.project create mode 100644 cadi/cass/etc/cadi.properties create mode 100644 cadi/cass/pom.xml create mode 100644 cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthenticatedUser.java create mode 100644 cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthenticator.java create mode 100644 cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthorizer.java create mode 100644 cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFBase.java create mode 100644 cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthenticatedUserTest.java create mode 100644 cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthenticator.java create mode 100644 cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthorizerTest.java create mode 100644 cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFBaseTest.java create mode 100644 cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_CASS.java create mode 100644 cadi/client/.gitignore create mode 100644 cadi/client/pom.xml create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/client/AbsAuthentication.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/client/AbsTransferSS.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/client/BasicAuth.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/client/EClient.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/client/Future.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/client/Holder.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/client/Rcli.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/client/Result.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/client/Retryable.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/http/HAuthorizationHeader.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/http/HBasicAuthSS.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/http/HMangr.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/http/HNoAuthSS.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/http/HRcli.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/http/HTokenSS.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/http/HTransferSS.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/http/HX509SS.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/locator/DNSLocator.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/locator/HClientHotPeerLocator.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/locator/HotPeerLocator.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/locator/PropertyLocator.java create mode 100644 cadi/client/src/main/java/org/onap/aaf/cadi/routing/GreatCircle.java create mode 100644 cadi/client/src/test/java/org/onap/aaf/cadi/client/test/JU_DNSLocator.java create mode 100644 cadi/client/src/test/java/org/onap/aaf/cadi/client/test/JU_GreatCircle.java create mode 100644 cadi/client/src/test/java/org/onap/aaf/cadi/client/test/JU_PropertyLocator.java create mode 100644 cadi/client/src/test/java/org/onap/aaf/client/test/JU_DNSLocator.java create mode 100644 cadi/client/src/test/java/org/onap/aaf/client/test/JU_HolderTest.java create mode 100644 cadi/client/src/test/java/org/onap/aaf/client/test/JU_PropertyLocator.java create mode 100644 cadi/client/src/test/java/org/onap/aaf/client/test/JU_ResultTest.java create mode 100644 cadi/client/src/test/java/org/onap/aaf/client/test/JU_TestAccess.java create mode 100644 cadi/core/.gitignore create mode 100644 cadi/core/.project create mode 100644 cadi/core/conf/.gitignore create mode 100644 cadi/core/conf/cadi.properties create mode 100644 cadi/core/pom.xml create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/AES.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Access.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/BasicCred.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/CachedPrincipal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/CachingLur.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/CadiException.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Capacitor.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Connector.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/CredVal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/GetCred.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Hash.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Locator.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/LocatorException.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Permission.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Revalidator.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Taf.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/Transmutate.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/User.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/UserChain.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/config/Get.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZ.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/principal/Kind.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/principal/OAuth2FormPrincipal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/principal/StringTagLookup.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/principal/TaggedPrincipal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/principal/UnAuthPrincipal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/FQI.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/MaskFormatException.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/MyConsole.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/NetMask.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/Pool.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/Split.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/util/Vars.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java create mode 100644 cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java create mode 100644 cadi/core/src/test/java/.gitignore create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_AES.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Access.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Base64.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedCadiWrap.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedServletInputStream.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiExceptionTest.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiWrapTest.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Capacitor.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Hash.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_LocatorException.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_PropAccess.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_ServletContextAccess.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Symm.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_TrustChecker.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_User.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/filter/JU_FCGetTest.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_ConfigPrincipal.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_LocalLur.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_LocalPermission.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_NullLur.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_BasicPrincipal.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_CachedBasicPrincipal.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_Kind.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_OAuth2FormPrincipal.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_StringTagLookup.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_TaggedPrincipal.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_TrustPrincipal.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_UnAuthPrincipal.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_X509Principal.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/taf/JU_NullTafRespTest.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_FQI.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_JsonOutputStream.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_MaskFormatException.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_NetMask.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_Split.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_TheConsole.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_UserChainManip.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_Vars.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/wsse/JU_WSSE_Read.java create mode 100644 cadi/core/src/test/java/org/onap/aaf/cadi/test/wsse/JU_XReader.java create mode 100644 cadi/core/test/AESKeyFile create mode 100644 cadi/core/test/CBUSevent.xml create mode 100644 cadi/core/test/cadi.properties create mode 100644 cadi/core/test/cadi.properties.duplicate create mode 100644 cadi/core/test/keyfile create mode 100644 cadi/oauth-enduser/.gitignore create mode 100644 cadi/oauth-enduser/.settings/.gitignore create mode 100644 cadi/oauth-enduser/cadi.properties create mode 100644 cadi/oauth-enduser/pom.xml create mode 100644 cadi/oauth-enduser/src/.gitignore create mode 100644 cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java create mode 100644 cadi/pom.xml create mode 100644 cadi/shiro/.gitignore create mode 100644 cadi/shiro/pom.xml create mode 100644 cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java create mode 100644 cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java create mode 100644 cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java create mode 100644 cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java create mode 100644 cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFShiroPermission.java create mode 100644 cadi/shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java diff --git a/cadi/.gitignore b/cadi/.gitignore new file mode 100644 index 00000000..100951d2 --- /dev/null +++ b/cadi/.gitignore @@ -0,0 +1,2 @@ +/.settings/ +/.classpath diff --git a/cadi/.project b/cadi/.project new file mode 100644 index 00000000..544e2f33 --- /dev/null +++ b/cadi/.project @@ -0,0 +1,17 @@ + + + cadi + + + + + + org.eclipse.m2e.core.maven2Builder + + + + + + org.eclipse.m2e.core.maven2Nature + + diff --git a/cadi/aaf/.gitignore b/cadi/aaf/.gitignore new file mode 100644 index 00000000..30c908e8 --- /dev/null +++ b/cadi/aaf/.gitignore @@ -0,0 +1,4 @@ +/.settings/ +/.classpath +/logs/ +/target/ diff --git a/cadi/aaf/.project b/cadi/aaf/.project new file mode 100644 index 00000000..8151d3d5 --- /dev/null +++ b/cadi/aaf/.project @@ -0,0 +1,23 @@ + + + cadi_aaf + + + + + + org.eclipse.jdt.core.javabuilder + + + + + org.eclipse.m2e.core.maven2Builder + + + + + + org.eclipse.jdt.core.javanature + org.eclipse.m2e.core.maven2Nature + + diff --git a/cadi/aaf/jenkins-pom.xml b/cadi/aaf/jenkins-pom.xml new file mode 100644 index 00000000..f1a0f0a8 --- /dev/null +++ b/cadi/aaf/jenkins-pom.xml @@ -0,0 +1,257 @@ + + + + com.att.cadi + parent + 1.2.2 + .. + + + 4.0.0 + CADI AAF (Application Authorization Framework) LUR + jar + cadi-aaf + + + + com.att.authz + authz-client + + + + com.att.cadi + cadi-client + + + + com.att.aft + dme2 + + + org.slf4j + slf4j-log4j12 + + + log4j + log4j + + + + + + + + + + + org.codehaus.mojo + jaxb2-maven-plugin + 1.3 + + + generate-sources + + xjc + + + + + src/main/xsd + + + + org.apache.maven.plugins + maven-jar-plugin + + + + true + + + + + + + test-jar + package + + test-jar + + + + + + + + + maven-assembly-plugin + 2.4 + + tests + + + true + + + + + + full + package + + single + + + + src/assemble/cadi-aaf.xml + + + + + + + + + org.apache.maven.plugins + maven-jarsigner-plugin + + true + + + + sign-full + + sign + + + target/${project.artifactId}-${project.version}-full.jar + + + + verify-full + + verify + + + target/${project.artifactId}-${project.version}-full.jar + + + + + + + org.codehaus.mojo + jaxb2-maven-plugin + 1.3 + + + generate-sources + + xjc + + + + + src/main/xsd + + + + org.apache.maven.plugins + maven-deploy-plugin + 2.6 + + false + + + + + + + + + org.eclipse.m2e + lifecycle-mapping + 1.0.0 + + + + + + + org.codehaus.mojo + + + jaxb2-maven-plugin + + + [1.3,) + + + xjc + + + + + + + + + + + + + + + + + nexus + attarch-releases + http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases + + + nexus + attarch-snapshots + http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots + + + + diff --git a/cadi/aaf/pom.xml b/cadi/aaf/pom.xml new file mode 100644 index 00000000..d7b6f550 --- /dev/null +++ b/cadi/aaf/pom.xml @@ -0,0 +1,109 @@ + + + + + org.onap.aaf.cadi + parent + 1.5.0-SNAPSHOT + .. + + + 4.0.0 + aaf-cadi-aaf + AAF CADI AAF Connection Library + jar + + + + Jonathan Gathman + jonathan.gathman@att.com + ATT + + Architect + Lead Developer + + + + Gabe Maurer + gabe.maurer@att.com + ATT + + Developer + + + + Ian Howell + ian.howell@att.com + ATT + + Developer + + + + + + + + org.onap.aaf.auth + aaf-auth-client + + + + org.onap.aaf.cadi + aaf-cadi-client + + + + org.onap.aaf.misc + aaf-misc-env + + + + org.onap.aaf.cadi + aaf-cadi-core + + + + javax.servlet + javax.servlet-api + provided + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + + + + + diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java new file mode 100644 index 00000000..b3f0c4bb --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/AAFPermission.java @@ -0,0 +1,126 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf; + +import java.util.ArrayList; +import java.util.List; + +import org.onap.aaf.cadi.Permission; + +/** + * A Class that understands the AAF format of Permission (name/type/action) + * or String "name|type|action" + * + * @author Jonathan + * + */ +public class AAFPermission implements Permission { + private static final List NO_ROLES; + protected String type,instance,action,key; + private List roles; + + static { + NO_ROLES = new ArrayList(); + } + + protected AAFPermission() {roles=NO_ROLES;} + + public AAFPermission(String type, String instance, String action) { + this.type = type; + this.instance = instance; + this.action = action; + key = type + '|' + instance + '|' + action; + this.roles = NO_ROLES; + + } + public AAFPermission(String type, String instance, String action, List roles) { + this.type = type; + this.instance = instance; + this.action = action; + key = type + '|' + instance + '|' + action; + this.roles = roles==null?NO_ROLES:roles; + } + + /** + * Match a Permission + * if Permission is Fielded type "Permission", we use the fields + * otherwise, we split the Permission with '|' + * + * when the type or action starts with REGEX indicator character ( ! ), + * then it is evaluated as a regular expression. + * + * If you want a simple field comparison, it is faster without REGEX + */ + public boolean match(Permission p) { + if(p instanceof AAFPermission) { + AAFPermission ap = (AAFPermission)p; + // Note: In AAF > 1.0, Accepting "*" from name would violate multi-tenancy + // Current solution is only allow direct match on Type. + // 8/28/2014 Jonathan - added REGEX ability + if(type.equals(ap.getName())) + if(PermEval.evalInstance(instance,ap.getInstance())) + if(PermEval.evalAction(action,ap.getAction())) + return true; + } else { + // Permission is concatenated together: separated by | + String[] aaf = p.getKey().split("[\\s]*\\|[\\s]*",3); + if(aaf.length>0 && type.equals(aaf[0])) + if(PermEval.evalInstance(instance,aaf.length>1?aaf[1]:"*")) + if(PermEval.evalAction(action,aaf.length>2?aaf[2]:"*")) + return true; + } + return false; + } + + public String getName() { + return type; + } + + public String getInstance() { + return instance; + } + + public String getAction() { + return action; + } + + public String getKey() { + return key; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Permission#permType() + */ + public String permType() { + return "AAF"; + } + + public List roles() { + return roles; + } + public String toString() { + return "AAFPermission:\n\tType: " + type + + "\n\tInstance: " + instance + + "\n\tAction: " + action + + "\n\tKey: " + key; + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/PermEval.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/PermEval.java new file mode 100644 index 00000000..aa65504d --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/PermEval.java @@ -0,0 +1,148 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf; + +import org.onap.aaf.misc.env.util.Split; + + +public class PermEval { + public static final char START_REGEX_CHAR = '!'; + public static final char START_INST_KEY_CHAR=':'; + public static final char ALT_START_INST_KEY_CHAR='/'; + + public static final char LIST_SEP = ','; + public static final String INST_KEY_REGEX = new StringBuilder().append(START_INST_KEY_CHAR).toString(); + public static final String ASTERIX = "*"; + + /** + * Evaluate Instance + * + * Instance can be more complex. It can be a string, a Regular Expression, or a ":" separated Key + * who's parts can also be a String, Regular Expression. + * + * sInst = Server's Instance + * In order to prevent false matches, keys must be the same length to count as equal + * Changing this will break existing users, like Cassandra. Jonathan 9-4-2015 + */ + public static boolean evalInstance(String sInst, String pInst) { + if(sInst==null || pInst == null) { + return false; + } + if(ASTERIX.equals(sInst)) { + return true; // If Server's String is "*", then it accepts every Instance + } + char firstChar = pInst.charAt(0); + char startChar = firstChar==ALT_START_INST_KEY_CHAR?ALT_START_INST_KEY_CHAR:START_INST_KEY_CHAR; + switch(pInst.charAt(0)) { // First char + case START_REGEX_CHAR: // Evaluate as Regular Expression + String pItem = pInst.substring(1); + for(String sItem : Split.split(LIST_SEP,sInst)) { // allow for "," definition in Action + return sItem.matches(pItem); + } + + case START_INST_KEY_CHAR: // Evaluate a special Key field, i.e.:xyz:*:!df.* + case ALT_START_INST_KEY_CHAR: // Also allow '/' as special Key Field, i.e. /xyz/*/!.* + if(sInst.charAt(0)==startChar) { // To compare key-to-key, both strings must be keys + String[] skeys=Split.split(startChar,sInst); + String[] pkeys=Split.split(startChar,pInst); + if(skeys.length!=pkeys.length) return false; + + boolean pass = true; + for(int i=1;pass && i []"); + } else { + print(true,"START OF CONNECTIVITY TESTS",new Date().toString(),System.getProperty("user.name"), + "Note: All API Calls are /authz/perms/user/"); + + if(!args[0].contains(Config.CADI_PROP_FILES+'=')) { + args[0]=Config.CADI_PROP_FILES+'='+args[0]; + } + + PropAccess access = new PropAccess(args); + String aaflocate; + if(args.length>1) { + aaflocate = "https://" + args[1] + "/locate"; + access.setProperty(Config.AAF_LOCATE_URL, "https://" + args[1]); + } else { + aaflocate = access.getProperty(Config.AAF_LOCATE_URL); + if(aaflocate==null) { + print(true,"Properties must contain ",Config.AAF_LOCATE_URL); + } + } + + try { + SecurityInfoC si = SecurityInfoC.instance(access, HttpURLConnection.class); + + List> lss = loadSetters(access,si); + ///////// + print(true,"Test Connections driven by AAFLocator"); + URI serviceURI = new URI(aaflocate+"/AAF_NS.service/2.0"); + + for(URI uri : new URI[] { + serviceURI, + new URI(aaflocate+"/AAF_NS.service:2.0"), + new URI(aaflocate+"/AAF_NS.service"), + new URI(aaflocate+"/AAF_NS.gw:2.0"), + new URI(aaflocate+"/AAF_NS.token:2.0"), + new URI(aaflocate+"/AAF_NS.certman:2.0"), + new URI(aaflocate+"/AAF_NS.hello") + }) { + Locator locator = new AAFLocator(si, uri); + try { + connectTest(locator, uri); + } catch (Exception e) { + e.printStackTrace(); + System.err.flush(); + } + } + + ///////// + print(true,"Test Service driven by AAFLocator"); + Locator locator = new AAFLocator(si,new URI(aaflocate+"/AAF_NS.service:2.0")); + for(SecuritySetter ss : lss) { + permTest(locator,ss); + } + + ///////// + print(true,"Test Proxy Access driven by AAFLocator"); + locator = new AAFLocator(si, new URI(aaflocate+"/AAF_NS.gw:2.0/proxy")); + for(SecuritySetter ss : lss) { + permTest(locator,ss); + } + + ////////// + print(true,"Test essential BasicAuth Service call, driven by AAFLocator"); + for(SecuritySetter ss : lss) { + if(ss instanceof HBasicAuthSS) { + basicAuthTest(new AAFLocator(si, new URI(aaflocate+"/AAF_NS.service:2.0")),ss); + } + } + + } catch(Exception e) { + e.printStackTrace(System.err); + } finally { + print(true,"END OF TESTS"); + } + } + } + + private static List> loadSetters(PropAccess access, SecurityInfoC si) { + print(true,"Load Security Setters from Configuration Information"); + String user = access.getProperty(Config.AAF_APPID); + + ArrayList> lss = new ArrayList>(); + + + try { + HBasicAuthSS hbass = new HBasicAuthSS(si,true); + if(hbass==null || hbass.getID()==null) { + access.log(Level.INFO, "BasicAuth Information is not available in configuration, BasicAuth tests will not be conducted... Continuing"); + } else { + access.log(Level.INFO, "BasicAuth Information found with ID",hbass.getID(),". BasicAuth tests will be performed."); + lss.add(hbass); + } + } catch (Exception e) { + access.log(Level.INFO, "BasicAuth Security Setter constructor threw exception: \"",e.getMessage(),"\". BasicAuth tests will not be performed"); + } + + try { + HX509SS hxss = new HX509SS(user,si); + if(hxss==null || hxss.getID()==null) { + access.log(Level.INFO, "X509 (Client certificate) Information is not available in configuration, X509 tests will not be conducted... Continuing"); + } else { + access.log(Level.INFO, "X509 (Client certificate) Information found with ID",hxss.getID(),". X509 tests will be performed."); + lss.add(hxss); + } + } catch (Exception e) { + access.log(Level.INFO, "X509 (Client certificate) Security Setter constructor threw exception: \"",e.getMessage(),"\". X509 tests will not be performed"); + } + + String tokenURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL); + String locateURL=access.getProperty(Config.AAF_LOCATE_URL); + if(tokenURL==null || (tokenURL.contains("/locate/") && locateURL!=null)) { + tokenURL=locateURL+"/locate/AAF_NS.token:2.0/token"; + } + + try { + HRenewingTokenSS hrtss = new HRenewingTokenSS(access, tokenURL); + access.log(Level.INFO, "AAF OAUTH2 Information found with ID",hrtss.getID(),". AAF OAUTH2 tests will be performed."); + lss.add(hrtss); + } catch (Exception e) { + access.log(Level.INFO, "AAF OAUTH2 Security Setter constructor threw exception: \"",e.getMessage(),"\". AAF OAUTH2 tests will not be conducted... Continuing"); + } + + tokenURL = access.getProperty(Config.AAF_ALT_OAUTH2_TOKEN_URL); + if(tokenURL==null) { + access.log(Level.INFO, "AAF Alternative OAUTH2 requires",Config.AAF_ALT_OAUTH2_TOKEN_URL, "OAuth2 tests to", tokenURL, "will not be conducted... Continuing"); + } else { + try { + HRenewingTokenSS hrtss = new HRenewingTokenSS(access, tokenURL); + access.log(Level.INFO, "ALT OAUTH2 Information found with ID",hrtss.getID(),". ALT OAUTH2 tests will be performed."); + lss.add(hrtss); + } catch (Exception e) { + access.log(Level.INFO, "ALT OAUTH2 Security Setter constructor threw exception: \"",e.getMessage(),"\". ALT OAuth2 tests to", tokenURL, " will not be conducted... Continuing"); + } + } + + return lss; + } + + private static void print(Boolean strong, String ... args) { + PrintStream out = System.out; + out.println(); + if(strong) { + for(int i=0;i<70;++i) { + out.print('='); + } + out.println(); + } + for(String s : args) { + out.print(strong?"== ":"------ "); + out.print(s); + if(!strong) { + out.print(" ------"); + } + out.println(); + } + if(strong) { + for(int i=0;i<70;++i) { + out.print('='); + } + } + out.println(); + } + + private static void connectTest(Locator dl, URI locatorURI) throws LocatorException { + URI uri; + Socket socket; + print(false,"TCP/IP Connect test to all Located Services for " + locatorURI.toString() ); + for(Item li = dl.first();li!=null;li=dl.next(li)) { + if((uri = dl.get(li)) == null) { + System.out.println("Locator Item empty"); + } else { + try { + socket = new Socket(); + socket.connect(new InetSocketAddress(uri.getHost(), uri.getPort()),3000); + System.out.printf("Can Connect a Socket to %s %d\n",uri.getHost(),uri.getPort()); + try { + socket.close(); + } catch (IOException e1) { + System.out.printf("Could not close Socket Connection: %s\n",e1.getMessage()); + } + } catch (IOException e) { + System.out.printf("Cannot Connect a Socket to %s %d: %s\n",uri.getHost(),uri.getPort(),e.getMessage()); + } + } + } + } + + private static void permTest(Locator dl, SecuritySetter ss) { + try { + URI uri = dl.get(dl.best()); + if(uri==null) { + System.out.print("No URI available using " + ss.getClass().getSimpleName()); + System.out.println(); + return; + } else { + System.out.print("Resolved to: " + uri + " using " + ss.getClass().getSimpleName()); + } + if(ss instanceof HRenewingTokenSS) { + System.out.println(" " + ((HRenewingTokenSS)ss).tokenURL()); + } else { + System.out.println(); + } + HClient client = new HClient(ss, uri, 3000); + client.setMethod("GET"); + String user = ss.getID(); + if(user.indexOf('@')<0) { + user+="@isam.att.com"; + } + client.setPathInfo("/authz/perms/user/"+user); + client.send(); + Future future = client.futureReadString(); + if(future.get(7000)) { + System.out.println(future.body()); + } else { + if(future.code()==401 && ss instanceof HX509SS) { + System.out.println(" Authentication denied with 401 for Certificate.\n\t" + + "This means Certificate isn't valid for this environment, and has attempted another method of Authentication"); + } else { + System.out.println(future.code() + ":" + future.body()); + } + } + } catch (CadiException | LocatorException | APIException e) { + e.printStackTrace(); + } + } + + + private static void basicAuthTest(Locator dl, SecuritySetter ss) { + try { + URI uri = dl.get(dl.best()); + System.out.println("Resolved to: " + uri); + HClient client = new HClient(ss, uri, 3000); + client.setMethod("GET"); + client.setPathInfo("/authn/basicAuth"); + client.addHeader("Accept", "text/plain"); + client.send(); + + + Future future = client.futureReadString(); + if(future.get(7000)) { + System.out.println("BasicAuth Validated"); + } else { + System.out.println("Failure " + future.code() + ":" + future.body()); + } + } catch (CadiException | LocatorException | APIException e) { + e.printStackTrace(); + } + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java new file mode 100644 index 00000000..de8ae7df --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/cert/AAFListedCertIdentity.java @@ -0,0 +1,176 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.cert; + + +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.Timer; +import java.util.TimerTask; +import java.util.TreeMap; + +import javax.servlet.http.HttpServletRequest; +import javax.xml.datatype.XMLGregorianCalendar; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Hash; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.aaf.v2_0.AAFCon; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.principal.X509Principal; +import org.onap.aaf.cadi.taf.cert.CertIdentity; +import org.onap.aaf.cadi.taf.cert.X509Taf; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Chrono; +import org.onap.aaf.misc.env.util.Split; + +import aaf.v2_0.Certs; +import aaf.v2_0.Certs.Cert; +import aaf.v2_0.Users; +import aaf.v2_0.Users.User; + +public class AAFListedCertIdentity implements CertIdentity { + //TODO should 8 hours be configurable? + private static final long EIGHT_HOURS = 1000*60*60*8; + + private static Map certs = null; + + // Did this to add other Trust Mechanisms + // Trust mechanism set by Property: + private static final String[] authMechanisms = new String[] {"tguard","basicAuth","csp"}; + private static String[] certIDs; + + private static Map> trusted =null; + + public AAFListedCertIdentity(Access access, AAFCon aafcon) throws APIException { + synchronized(AAFListedCertIdentity.class) { + if(certIDs==null) { + String cip = access.getProperty(Config.AAF_CERT_IDS, null); + if(cip!=null) { + certIDs = Split.split(',',cip); + } + } + if(certIDs!=null && certs==null) { + TimerTask cu = new CertUpdate(aafcon); + cu.run(); // want this to run in this thread first... + new Timer("AAF Identity Refresh Timer",true).scheduleAtFixedRate(cu, EIGHT_HOURS,EIGHT_HOURS); + } + } + } + + public static Set trusted(String authMech) { + return trusted.get(authMech); + } + + public TaggedPrincipal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException { + if(cert==null && certBytes==null)return null; + if(certBytes==null)certBytes = cert.getEncoded(); + byte[] fingerprint = X509Taf.getFingerPrint(certBytes); + String id = certs.get(new ByteArrayHolder(fingerprint)); + if(id!=null) { // Caller is Validated + return new X509Principal(id,cert,certBytes); + } + return null; + } + + private static class ByteArrayHolder implements Comparable { + private byte[] ba; + public ByteArrayHolder(byte[] ba) { + this.ba = ba; + } + public int compareTo(ByteArrayHolder b) { + return Hash.compareTo(ba, b.ba); + } + } + + private class CertUpdate extends TimerTask { + + private AAFCon aafcon; + public CertUpdate(AAFCon con) { + aafcon = con; + } + + @Override + public void run() { + try { + TreeMap newCertsMap = new TreeMap(); + Map> newTrustMap = new TreeMap>(); + Set userLookup = new HashSet(); + for(String s : certIDs) { + userLookup.add(s); + } + for(String authMech : authMechanisms) { + Future fusr = aafcon.client(Config.AAF_DEFAULT_VERSION).read("/authz/users/perm/com.att.aaf.trust/"+authMech+"/authenticate", Users.class, aafcon.usersDF); + if(fusr.get(5000)) { + List users = fusr.value.getUser(); + if(users.isEmpty()) { + aafcon.access.log(Level.WARN, "AAF Lookup-No IDs in Role com.att.aaf.trustForID <> "+authMech); + } else { + aafcon.access.log(Level.INFO,"Loading Trust Authentication Info for",authMech); + Set hsUser = new HashSet(); + for(User u : users) { + userLookup.add(u.getId()); + hsUser.add(u.getId()); + } + newTrustMap.put(authMech,hsUser); + } + } else { + aafcon.access.log(Level.WARN, "Could not get Users in Perm com.att.trust|tguard|authenticate",fusr.code(),fusr.body()); + } + + } + + for(String u : userLookup) { + Future fc = aafcon.client(Config.AAF_DEFAULT_VERSION).read("/authn/cert/id/"+u, Certs.class, aafcon.certsDF); + XMLGregorianCalendar now = Chrono.timeStamp(); + if(fc.get(5000)) { + List certs = fc.value.getCert(); + if(certs.isEmpty()) { + aafcon.access.log(Level.WARN, "No Cert Associations for",u); + } else { + for(Cert c : fc.value.getCert()) { + XMLGregorianCalendar then =c.getExpires(); + if(then !=null && then.compare(now)>0) { + newCertsMap.put(new ByteArrayHolder(c.getFingerprint()), c.getId()); + aafcon.access.log(Level.INIT,"Associating "+ c.getId() + " expiring " + Chrono.dateOnlyStamp(c.getExpires()) + " with " + c.getX500()); + } + } + } + } else { + aafcon.access.log(Level.WARN, "Could not get Certificates for",u); + } + } + + certs = newCertsMap; + trusted = newTrustMap; + } catch(Exception e) { + aafcon.access.log(e, "Failure to update Certificate Identities from AAF"); + } + } + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/ErrMessage.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/ErrMessage.java new file mode 100644 index 00000000..0fb4d60d --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/ErrMessage.java @@ -0,0 +1,96 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.client; + +import java.io.PrintStream; + +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.util.Vars; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.Data.TYPE; +import org.onap.aaf.misc.rosetta.env.RosettaDF; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +import aaf.v2_0.Error; + +public class ErrMessage { + private RosettaDF errDF; + + public ErrMessage(RosettaEnv env) throws APIException { + errDF = env.newDataFactory(Error.class); + } + + /** + * AT&T Requires a specific Error Format for RESTful Services, which AAF complies with. + * + * This code will create a meaningful string from this format. + * + * @param ps + * @param df + * @param r + * @throws APIException + */ + public void printErr(PrintStream ps, String attErrJson) throws APIException { + StringBuilder sb = new StringBuilder(); + Error err = errDF.newData().in(TYPE.JSON).load(attErrJson).asObject(); + ps.println(toMsg(sb,err)); + } + + /** + * AT&T Requires a specific Error Format for RESTful Services, which AAF complies with. + * + * This code will create a meaningful string from this format. + * + * @param sb + * @param df + * @param r + * @throws APIException + */ + public StringBuilder toMsg(StringBuilder sb, String attErrJson) throws APIException { + return toMsg(sb,errDF.newData().in(TYPE.JSON).load(attErrJson).asObject()); + } + + public StringBuilder toMsg(Future future) { + return toMsg(new StringBuilder(),future); + } + + public StringBuilder toMsg(StringBuilder sb, Future future) { + try { + toMsg(sb,errDF.newData().in(TYPE.JSON).load(future.body()).asObject()); + } catch(Exception e) { + //just print what we can + sb.append(future.code()); + sb.append(": "); + sb.append(future.body()); + } + return sb; + } + + public StringBuilder toMsg(StringBuilder sb, Error err) { + sb.append(err.getMessageId()); + sb.append(' '); + String[] vars = new String[err.getVariables().size()]; + err.getVariables().toArray(vars); + Vars.convert(sb, err.getText(),vars); + return sb; + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/Examples.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/Examples.java new file mode 100644 index 00000000..31f60ee8 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/client/Examples.java @@ -0,0 +1,443 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.client; + + +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; +import java.util.GregorianCalendar; + +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.Data; +import org.onap.aaf.misc.env.Data.TYPE; +import org.onap.aaf.misc.env.util.Chrono; +import org.onap.aaf.misc.rosetta.env.RosettaDF; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +import aaf.v2_0.Approval; +import aaf.v2_0.Approvals; +import aaf.v2_0.CredRequest; +import aaf.v2_0.Keys; +import aaf.v2_0.NsRequest; +import aaf.v2_0.Nss; +import aaf.v2_0.Nss.Ns; +import aaf.v2_0.Perm; +import aaf.v2_0.PermKey; +import aaf.v2_0.PermRequest; +import aaf.v2_0.Perms; +import aaf.v2_0.Pkey; +import aaf.v2_0.Request; +import aaf.v2_0.Role; +import aaf.v2_0.RoleKey; +import aaf.v2_0.RolePermRequest; +import aaf.v2_0.RoleRequest; +import aaf.v2_0.Roles; +import aaf.v2_0.UserRole; +import aaf.v2_0.UserRoleRequest; +import aaf.v2_0.UserRoles; +import aaf.v2_0.Users; +import aaf.v2_0.Users.User; + +public class Examples { + public static String print(RosettaEnv env, String nameOrContentType, boolean optional) throws APIException, SecurityException, NoSuchMethodException, IllegalArgumentException, IllegalAccessException, InvocationTargetException { + // Discover ClassName + String className = null; + String version = null; + TYPE type = TYPE.JSON; // default + if(nameOrContentType.startsWith("application/")) { + for(String ct : nameOrContentType.split("\\s*,\\s*")) { + for(String elem : ct.split("\\s*;\\s*")) { + if(elem.endsWith("+json")) { + type = TYPE.JSON; + className = elem.substring(elem.indexOf('/')+1, elem.length()-5); + } else if(elem.endsWith("+xml")) { + type = TYPE.XML; + className = elem.substring(elem.indexOf('/')+1, elem.length()-4); + } else if(elem.startsWith("version=")) { + version = elem.substring(8); + } + } + if(className!=null && version!=null)break; + } + if(className==null) { + throw new APIException(nameOrContentType + " does not contain Class Information"); + } + } else { + className = nameOrContentType; + } + + // No Void.class in aaf.v2_0 package causing errors when trying to use a newVoidv2_0 + // method similar to others in this class. This makes it work, but is it right? + if ("Void".equals(className)) return ""; + + if("1.1".equals(version)) { + version = "v1_0"; + } else if(version!=null) { + version = "v" + version.replace('.', '_'); + } else { + version = "v2_0"; + } + + Class cls; + try { + cls = Examples.class.getClassLoader().loadClass("aaf."+version+'.'+className); + } catch (ClassNotFoundException e) { + throw new APIException(e); + } + + Method meth; + try { + meth = Examples.class.getDeclaredMethod("new"+cls.getSimpleName()+version,boolean.class); + } catch (Exception e) { + throw new APIException("ERROR: " + cls.getName() + " does not have an Example in Code. Request from AAF Developers"); + } + + RosettaDF df = env.newDataFactory(cls); + df.option(Data.PRETTY); + + Object data = meth.invoke(null,optional); + + @SuppressWarnings("unchecked") + String rv = df.newData().load((C)data).out(type).asString(); +// Object obj = df.newData().in(type).load(rv).asObject(); + return rv; + } + + /* + * Set Base Class Request (easier than coding over and over) + */ + private static void setOptional(Request req) { + GregorianCalendar gc = new GregorianCalendar(); + req.setStart(Chrono.timeStamp(gc)); + gc.add(GregorianCalendar.MONTH, 6); + req.setEnd(Chrono.timeStamp(gc)); +// req.setForce("false"); + + } + + @SuppressWarnings("unused") + private static Request newRequestv2_0(boolean optional) { + Request r = new Request(); + setOptional(r); + return r; + } + @SuppressWarnings("unused") + private static RolePermRequest newRolePermRequestv2_0(boolean optional) { + RolePermRequest rpr = new RolePermRequest(); + Pkey pkey = new Pkey(); + pkey.setType("org.osaaf.myns.mytype"); + pkey.setInstance("myInstance"); + pkey.setAction("myAction"); + rpr.setPerm(pkey); + rpr.setRole("org.osaaf.myns.myrole"); + if(optional)setOptional(rpr); + return rpr; + } + + @SuppressWarnings("unused") + private static Roles newRolesv2_0(boolean optional) { + Role r; + Pkey p; + Roles rs = new Roles(); + rs.getRole().add(r = new Role()); + r.setName("org.osaaf.myns.myRole"); + r.getPerms().add(p = new Pkey()); + p.setType("org.osaaf.myns.myType"); + p.setInstance("myInstance"); + p.setAction("myAction"); + + r.getPerms().add(p = new Pkey()); + p.setType("org.osaaf.myns.myType"); + p.setInstance("myInstance"); + p.setAction("myOtherAction"); + + rs.getRole().add(r = new Role()); + r.setName("org.osaaf.myns.myOtherRole"); + r.getPerms().add(p = new Pkey()); + p.setType("org.osaaf.myns.myOtherType"); + p.setInstance("myInstance"); + p.setAction("myAction"); + + r.getPerms().add(p = new Pkey()); + p.setType("org.osaaf.myns.myOthertype"); + p.setInstance("myInstance"); + p.setAction("myOtherAction"); + + return rs; + } + + + @SuppressWarnings("unused") + private static PermRequest newPermRequestv2_0(boolean optional) { + PermRequest pr = new PermRequest(); + pr.setType("org.osaaf.myns.myType"); + pr.setInstance("myInstance"); + pr.setAction("myAction"); + if(optional) { + pr.setDescription("Short and meaningful verbiage about the Permission"); + + setOptional(pr); + } + return pr; + } + + @SuppressWarnings("unused") + private static Perm newPermv2_0(boolean optional) { + Perm pr = new Perm(); + pr.setType("org.osaaf.myns.myType"); + pr.setInstance("myInstance"); + pr.setAction("myAction"); + pr.getRoles().add("org.osaaf.aaf.myRole"); + pr.getRoles().add("org.osaaf.aaf.myRole2"); + pr.setDescription("This is my description, and I'm sticking with it"); + if(optional) { + pr.setDescription("Short and meaningful verbiage about the Permission"); + } + return pr; + } + + + @SuppressWarnings("unused") + private static PermKey newPermKeyv2_0(boolean optional) { + PermKey pr = new PermKey(); + pr.setType("org.osaaf.myns.myType"); + pr.setInstance("myInstance"); + pr.setAction("myAction"); + return pr; + } + + @SuppressWarnings("unused") + private static Perms newPermsv2_0(boolean optional) { + Perms perms = new Perms(); + Perm p; + perms.getPerm().add(p=new Perm()); + p.setType("org.osaaf.myns.myType"); + p.setInstance("myInstance"); + p.setAction("myAction"); + p.getRoles().add("org.osaaf.myns.myRole"); + p.getRoles().add("org.osaaf.myns.myRole2"); + + + perms.getPerm().add(p=new Perm()); + p.setType("org.osaaf.myns.myOtherType"); + p.setInstance("myInstance"); + p.setAction("myOtherAction"); + p.getRoles().add("org.osaaf.myns.myRole"); + p.getRoles().add("org.osaaf.myns.myRole2"); + + return perms; + + } + + @SuppressWarnings("unused") + private static UserRoleRequest newUserRoleRequestv2_0(boolean optional) { + UserRoleRequest urr = new UserRoleRequest(); + urr.setRole("org.osaaf.myns.myRole"); + urr.setUser("ab1234@csp.att.com"); + if(optional) setOptional(urr); + return urr; + } + + @SuppressWarnings("unused") + private static NsRequest newNsRequestv2_0(boolean optional) { + NsRequest nr = new NsRequest(); + nr.setName("org.osaaf.myns"); + nr.getResponsible().add("ab1234@csp.att.com"); + nr.getResponsible().add("cd5678@csp.att.com"); + nr.getAdmin().add("zy9876@csp.att.com"); + nr.getAdmin().add("xw5432@csp.att.com"); + if(optional) { + nr.setDescription("This is my Namespace to set up"); + nr.setType("APP"); + setOptional(nr); + } + return nr; + } + + + @SuppressWarnings("unused") + private static Nss newNssv2_0(boolean optional) { + Ns ns; + + Nss nss = new Nss(); + nss.getNs().add(ns = new Nss.Ns()); + ns.setName("org.osaaf.myns"); + ns.getResponsible().add("ab1234@csp.att.com"); + ns.getResponsible().add("cd5678@csp.att.com"); + ns.getAdmin().add("zy9876@csp.att.com"); + ns.getAdmin().add("xw5432@csp.att.com"); + ns.setDescription("This is my Namespace to set up"); + + nss.getNs().add(ns = new Nss.Ns()); + ns.setName("org.osaaf.myOtherNs"); + ns.getResponsible().add("ab1234@csp.att.com"); + ns.getResponsible().add("cd5678@csp.att.com"); + ns.getAdmin().add("zy9876@csp.att.com"); + ns.getAdmin().add("xw5432@csp.att.com"); + + return nss; + } + @SuppressWarnings("unused") + private static RoleRequest newRoleRequestv2_0(boolean optional) { + RoleRequest rr = new RoleRequest(); + rr.setName("org.osaaf.myns.myRole"); + if(optional) { + rr.setDescription("This is my Role"); + setOptional(rr); + } + return rr; + } + + @SuppressWarnings("unused") + private static CredRequest newCredRequestv2_0(boolean optional) { + CredRequest cr = new CredRequest(); + cr.setId("myID@fully.qualified.domain"); + if(optional) { + cr.setType(2); + cr.setEntry("0x125AB256344CE"); + } else { + cr.setPassword("This is my provisioned password"); + } + + return cr; + } + + @SuppressWarnings("unused") + private static Users newUsersv2_0(boolean optional) { + User user; + + Users users = new Users(); + users.getUser().add(user = new Users.User()); + user.setId("ab1234@csp.att.com"); + GregorianCalendar gc = new GregorianCalendar(); + user.setExpires(Chrono.timeStamp(gc)); + + users.getUser().add(user = new Users.User()); + user.setId("zy9876@csp.att.com"); + user.setExpires(Chrono.timeStamp(gc)); + + return users; + } + + @SuppressWarnings("unused") + private static Role newRolev2_0(boolean optional) { + Role r = new Role(); + Pkey p; + r.setName("org.osaaf.myns.myRole"); + r.getPerms().add(p = new Pkey()); + p.setType("org.osaaf.myns.myType"); + p.setInstance("myInstance"); + p.setAction("myAction"); + + return r; + } + + @SuppressWarnings("unused") + private static RoleKey newRoleKeyv2_0(boolean optional) { + RoleKey r = new RoleKey(); + Pkey p; + r.setName("org.osaaf.myns.myRole"); + return r; + } + + @SuppressWarnings("unused") + private static Keys newKeysv2_0(boolean optional) { + Keys ks = new Keys(); + ks.getKey().add("Reponse 1"); + ks.getKey().add("Response 2"); + return ks; + } + + @SuppressWarnings("unused") + private static UserRoles newUserRolesv2_0(boolean optional) { + UserRoles urs = new UserRoles(); + UserRole ur = new UserRole(); + ur.setUser("xy1234"); + ur.setRole("com.test.myapp.myRole"); + ur.setExpires(Chrono.timeStamp()); + urs.getUserRole().add(ur); + + ur = new UserRole(); + ur.setUser("yx4321"); + ur.setRole("com.test.yourapp.yourRole"); + ur.setExpires(Chrono.timeStamp()); + urs.getUserRole().add(ur); + return urs; + } + + + @SuppressWarnings("unused") + private static Approvals newApprovalsv2_0(boolean optional) { + Approvals as = new Approvals(); + Approval a = new Approval(); + a.setApprover("MyApprover"); + a.setId("MyID"); + a.setMemo("My memo (and then some)"); + a.setOperation("MyOperation"); + a.setStatus("MyStatus"); + a.setTicket("MyTicket"); + a.setType("MyType"); + a.setUpdated(Chrono.timeStamp()); + a.setUser("MyUser"); + as.getApprovals().add(a); + a = new Approval(); + a.setApprover("MyApprover2"); + a.setId("MyID2"); + a.setMemo("My memo (and then some)2"); + a.setOperation("MyOperation2"); + a.setStatus("MyStatus2"); + a.setTicket("MyTicket2"); + a.setType("MyType2"); + a.setUpdated(Chrono.timeStamp()); + a.setUser("MyUser2"); + as.getApprovals().add(a); + return as; + } + + @SuppressWarnings("unused") + private static Approval newApprovalv2_0(boolean optional) { + Approval a = new Approval(); + a.setApprover("MyApprover"); + a.setId("MyID"); + a.setMemo("My memo (and then some)"); + a.setOperation("MyOperation"); + a.setStatus("MyStatus"); + a.setTicket("MyTicket"); + a.setType("MyType"); + a.setUpdated(Chrono.timeStamp()); + a.setUser("MyUser"); + return a; + } + + + + @SuppressWarnings("unused") + private static aaf.v2_0.Error newErrorv2_0(boolean optional) { + aaf.v2_0.Error err = new aaf.v2_0.Error(); + err.setMessageId("SVC1403"); + err.setText("MyText %s, %s: The last three digits are usually the HTTP Code"); + err.getVariables().add("Variable 1"); + err.getVariables().add("Variable 2"); + return err; + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertMarshal.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertMarshal.java new file mode 100644 index 00000000..5ceb082f --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertMarshal.java @@ -0,0 +1,65 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.marshal; + +import javax.xml.datatype.XMLGregorianCalendar; + +import org.onap.aaf.misc.rosetta.marshal.FieldDateTime; +import org.onap.aaf.misc.rosetta.marshal.FieldHexBinary; +import org.onap.aaf.misc.rosetta.marshal.FieldString; +import org.onap.aaf.misc.rosetta.marshal.ObjMarshal; + +import aaf.v2_0.Certs.Cert; + +public class CertMarshal extends ObjMarshal { + public CertMarshal() { + add(new FieldHexBinary("fingerprint") { + @Override + protected byte[] data(Cert t) { + return t.getFingerprint(); + } + }); + + add(new FieldString("id") { + @Override + protected String data(Cert t) { + return t.getId(); + } + }); + + add(new FieldString("x500") { + @Override + protected String data(Cert t) { + return t.getX500(); + } + }); + + add(new FieldDateTime("expires") { + @Override + protected XMLGregorianCalendar data(Cert t) { + return t.getExpires(); + } + }); + + + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertsMarshal.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertsMarshal.java new file mode 100644 index 00000000..c6e28408 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/marshal/CertsMarshal.java @@ -0,0 +1,44 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.marshal; + +import java.util.List; + +import org.onap.aaf.misc.rosetta.marshal.ObjArray; +import org.onap.aaf.misc.rosetta.marshal.ObjMarshal; + +import aaf.v2_0.Certs; +import aaf.v2_0.Certs.Cert; + +public class CertsMarshal extends ObjMarshal { + + public CertsMarshal() { + add(new ObjArray("cert",new CertMarshal()) { + @Override + protected List data(Certs t) { + return t.getCert(); + } + }); + } + + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java new file mode 100644 index 00000000..3c970bc2 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFAuthn.java @@ -0,0 +1,169 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.v2_0; + +import java.io.IOException; + +import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.User; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.lur.ConfigPrincipal; + +public class AAFAuthn extends AbsUserCache { + private AAFCon con; + private String realm; + + /** + * Configure with Standard AAF properties, Stand alone + * @param con + * @throws Exception .. + */ + // Package on purpose + AAFAuthn(AAFCon con) throws Exception { + super(con.access,con.cleanInterval,con.highCount,con.usageRefreshTriggerCount); + this.con = con; + } + + /** + * Configure with Standard AAF properties, but share the Cache (with AAF Lur) + * @param con + * @throws Exception + */ + // Package on purpose + AAFAuthn(AAFCon con, AbsUserCache cache) { + super(cache); + this.con = con; + } + + /** + * Return Native Realm of AAF Instance. + * + * @return + */ + public String getRealm() { + return realm; + } + + /** + * Returns null if ok, or an Error String; + * + * Convenience function. Passes "null" for State object + */ + public String validate(String user, String password) throws IOException, CadiException { + return validate(user,password,null); + } + + /** + * Returns null if ok, or an Error String; + * + * For State Object, you may put in HTTPServletRequest or AuthzTrans, if available. Otherwise, + * leave null + * + * @param user + * @param password + * @return + * @throws IOException + * @throws CadiException + * @throws Exception + */ + public String validate(String user, String password, Object state) throws IOException, CadiException { + password = access.decrypt(password, false); + byte[] bytes = password.getBytes(); + User usr = getUser(user,bytes); + + if(usr != null && !usr.permExpired()) { + if(usr.principal==null) { + return "User already denied"; + } else { + return null; // good + } + } + + AAFCachedPrincipal cp = new AAFCachedPrincipal(this,con.app, user, bytes, con.cleanInterval); + // Since I've relocated the Validation piece in the Principal, just revalidate, then do Switch + // Statement + switch(cp.revalidate(state)) { + case REVALIDATED: + if(usr!=null) { + usr.principal = cp; + } else { + addUser(new User(cp,con.timeout)); + } + return null; + case INACCESSIBLE: + return "AAF Inaccessible"; + case UNVALIDATED: + addUser(new User(user,bytes,con.timeout)); + return "User/Pass combo invalid for " + user; + case DENIED: + return "AAF denies API for " + user; + default: + return "AAFAuthn doesn't handle Principal " + user; + } + } + + private class AAFCachedPrincipal extends ConfigPrincipal implements CachedPrincipal { + private long expires,timeToLive; + + public AAFCachedPrincipal(AAFAuthn aaf, String app, String name, byte[] pass, int timeToLive) { + super(name,pass); + this.timeToLive = timeToLive; + expires = timeToLive + System.currentTimeMillis(); + } + + public Resp revalidate(Object state) { + try { + Miss missed = missed(getName(),getCred()); + if(missed==null || missed.mayContinue()) { + Rcli client = con.client(Config.AAF_DEFAULT_VERSION).forUser(con.basicAuth(getName(), new String(getCred()))); + Future fp = client.read( + "/authn/basicAuth", + "text/plain" + ); + if(fp.get(con.timeout)) { + expires = System.currentTimeMillis() + timeToLive; + addUser(new User(this, expires)); + return Resp.REVALIDATED; + } else { + addMiss(getName(), getCred()); + return Resp.UNVALIDATED; + } + } else { + return Resp.UNVALIDATED; + } + } catch (Exception e) { + con.access.log(e); + return Resp.INACCESSIBLE; + } + } + + public long expires() { + return expires; + } + }; + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java new file mode 100644 index 00000000..70b3e766 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFCon.java @@ -0,0 +1,371 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.v2_0; + +import java.net.URI; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; + +import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.CadiWrap; +import org.onap.aaf.cadi.Connector; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.aaf.marshal.CertsMarshal; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.lur.EpiLur; +import org.onap.aaf.cadi.principal.BasicPrincipal; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.util.FQI; +import org.onap.aaf.cadi.util.Vars; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.Data.TYPE; +import org.onap.aaf.misc.rosetta.env.RosettaDF; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +import aaf.v2_0.Certs; +import aaf.v2_0.Error; +import aaf.v2_0.Perms; +import aaf.v2_0.Users; + +public abstract class AAFCon implements Connector { + final public Access access; + // Package access + final public int timeout, cleanInterval, connTimeout; + final public int highCount, userExpires, usageRefreshTriggerCount; + private Map> clients = new ConcurrentHashMap>(); + final public RosettaDF permsDF; + final public RosettaDF certsDF; + final public RosettaDF usersDF; + final public RosettaDF errDF; + private String realm; + public final String app; + protected SecuritySetter ss; + protected SecurityInfoC si; + + private AAFLurPerm lur; + + final public RosettaEnv env; + protected abstract URI initURI(); + protected abstract void setInitURI(String uriString) throws CadiException; + + /** + * Use this call to get the appropriate client based on configuration (HTTP, future) + * + * @param apiVersion + * @return + * @throws CadiException + */ + public Rcli client(String apiVersion) throws CadiException { + Rcli client = clients.get(apiVersion); + if(client==null) { + client = rclient(initURI(),ss); + client.apiVersion(apiVersion) + .readTimeout(connTimeout); + clients.put(apiVersion, client); + } + return client; + } + + public Rcli client(URI uri) throws CadiException { + return rclient(uri,ss).readTimeout(connTimeout); + } + + /** + * Use this API when you have permission to have your call act as the end client's ID. + * + * Your calls will get 403 errors if you do not have this permission. it is a special setup, rarely given. + * + * @param apiVersion + * @param req + * @return + * @throws CadiException + */ + public Rcli clientAs(String apiVersion, TaggedPrincipal p) throws CadiException { + Rcli cl = client(apiVersion); + return cl.forUser(transferSS(p)); + } + + protected AAFCon(AAFCon copy) { + access = copy.access; + timeout = copy.timeout; + cleanInterval = copy.cleanInterval; + connTimeout = copy.connTimeout; + highCount = copy.highCount; + userExpires = copy.userExpires; + usageRefreshTriggerCount = copy.usageRefreshTriggerCount; + permsDF = copy.permsDF; + certsDF = copy.certsDF; + usersDF = copy.usersDF; + errDF = copy.errDF; + app = copy.app; + ss = copy.ss; + si = copy.si; + env = copy.env; + realm = copy.realm; + } + + protected AAFCon(Access access, String tag, SecurityInfoC si) throws CadiException{ + if(tag==null) { + throw new CadiException("AAFCon cannot be constructed without a property tag or URL"); + } else { + String str = access.getProperty(tag,null); + if(str==null) { + if(tag.contains("://")) { // assume a URL + str = tag; + } else { + throw new CadiException("A URL or " + tag + " property is required."); + } + } + setInitURI(str); + } + try { + this.access = access; + this.si = si; + this.ss = si.defSS; + if(ss.getID().equals(SecurityInfoC.DEF_ID)) { // it's the Preliminary SS, try to get a better one + String mechid = access.getProperty(Config.AAF_APPID, null); + if(mechid==null) { + mechid=access.getProperty(Config.OAUTH_CLIENT_ID,null); + } + String encpass = access.getProperty(Config.AAF_APPPASS, null); + if(encpass==null) { + encpass = access.getProperty(Config.OAUTH_CLIENT_SECRET,null); + } + if(encpass==null) { + String alias = access.getProperty(Config.CADI_ALIAS, mechid); + if(alias==null) { + access.printf(Access.Level.WARN,"%s, %s or %s required before use.", Config.CADI_ALIAS, Config.AAF_APPID, Config.OAUTH_CLIENT_ID); + set(si.defSS); + } else { + set(si.defSS=x509Alias(alias)); + } + } else { + if(mechid!=null && encpass !=null) { + set(si.defSS=basicAuth(mechid, encpass)); + } else { + set(si.defSS=new SecuritySetter() { + + @Override + public String getID() { + return ""; + } + + @Override + public void setSecurity(CLIENT client) throws CadiException { + throw new CadiException("AAFCon has not been initialized with Credentials (SecuritySetter)"); + } + + @Override + public int setLastResponse(int respCode) { + return 0; + } + }); + } + } + } + + timeout = Integer.parseInt(access.getProperty(Config.AAF_CALL_TIMEOUT, Config.AAF_CALL_TIMEOUT_DEF)); + cleanInterval = Integer.parseInt(access.getProperty(Config.AAF_CLEAN_INTERVAL, Config.AAF_CLEAN_INTERVAL_DEF)); + highCount = Integer.parseInt(access.getProperty(Config.AAF_HIGH_COUNT, Config.AAF_HIGH_COUNT_DEF).trim()); + connTimeout = Integer.parseInt(access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF).trim()); + userExpires = Integer.parseInt(access.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF).trim()); + usageRefreshTriggerCount = Integer.parseInt(access.getProperty(Config.AAF_USER_EXPIRES, Config.AAF_USER_EXPIRES_DEF).trim())-1; // zero based + + app=FQI.reverseDomain(ss.getID()); + //TODO Get Realm from AAF + realm="csp.att.com"; + + env = new RosettaEnv(); + permsDF = env.newDataFactory(Perms.class); + usersDF = env.newDataFactory(Users.class); + certsDF = env.newDataFactory(Certs.class); + certsDF.rootMarshal(new CertsMarshal()); // Speedier Marshaling + errDF = env.newDataFactory(Error.class); + } catch (APIException e) { + throw new CadiException("AAFCon cannot be configured",e); + } + } + + public RosettaEnv env() { + return env; + } + + /** + * Return the backing AAFCon, if there is a Lur Setup that is AAF. + * + * If there is no AAFLur setup, it will return "null" + * @param servletRequest + * @return + */ + public static final AAFCon obtain(Object servletRequest) { + if(servletRequest instanceof CadiWrap) { + Lur lur = ((CadiWrap)servletRequest).getLur(); + if(lur != null) { + if(lur instanceof EpiLur) { + AbsAAFLur aal = (AbsAAFLur) ((EpiLur)lur).subLur(AbsAAFLur.class); + if(aal!=null) { + return aal.aaf; + } + } else { + if(lur instanceof AbsAAFLur) { + return ((AbsAAFLur)lur).aaf; + } + } + } + } + return null; + } + + public abstract AAFCon clone(String url) throws CadiException, LocatorException; + + public AAFAuthn newAuthn() throws APIException { + try { + return new AAFAuthn(this); + } catch (APIException e) { + throw e; + } catch (Exception e) { + throw new APIException(e); + } + } + + public AAFAuthn newAuthn(AbsUserCache c) { + return new AAFAuthn(this,c); + } + + public AAFLurPerm newLur() throws CadiException { + try { + if(lur==null) { + return (lur = new AAFLurPerm(this)); + } else { + return new AAFLurPerm(this,lur); + } + } catch (CadiException e) { + throw e; + } catch (Exception e) { + throw new CadiException(e); + } + } + + public AAFLurPerm newLur(AbsUserCache c) throws APIException { + try { + return new AAFLurPerm(this,c); + } catch (APIException e) { + throw e; + } catch (Exception e) { + throw new APIException(e); + } + } + + protected abstract Rcli rclient(URI uri, SecuritySetter ss) throws CadiException; + + public abstract Rcli rclient(Locator loc, SecuritySetter ss) throws CadiException; + + public Rcli client(Locator locator) throws CadiException { + return rclient(locator,ss); + } + + public abstract RET best(Retryable retryable) throws LocatorException, CadiException, APIException; + + public abstract RET bestForUser(GetSetter get, Retryable retryable) throws LocatorException, CadiException, APIException; + + public abstract SecuritySetter basicAuth(String user, String password) throws CadiException; + + public abstract SecuritySetter transferSS(TaggedPrincipal principal) throws CadiException; + + public abstract SecuritySetter basicAuthSS(BasicPrincipal principal) throws CadiException; + + public abstract SecuritySetter tokenSS(final String client_id, final String accessToken) throws CadiException; + + public abstract SecuritySetter x509Alias(String alias) throws APIException, CadiException; + + + public String getRealm() { + return realm; + + } + + /** + * This interface allows the AAFCon, even though generic, to pass in correctly typed values based on the above SS commands. + * @author Jonathan + * + */ + public interface GetSetter { + public SecuritySetter get(AAFCon con) throws CadiException; + } + + public SecuritySetter set(final SecuritySetter ss) { + this.ss = ss; + for(Rcli client : clients.values()) { + client.setSecuritySetter(ss); + } + return ss; + } + + public SecurityInfoC securityInfo() { + return si; + } + + public String defID() { + if(ss!=null) { + return ss.getID(); + } + return "unknown"; + } + + public void invalidate() throws CadiException { + for(Rcli client : clients.values()) { + client.invalidate(); + } + clients.clear(); + } + + public String readableErrMsg(Future f) { + String text = f.body(); + if(text==null || text.length()==0) { + text = f.code() + ": **No Message**"; + } else if(text.contains("%")) { + try { + Error err = errDF.newData().in(TYPE.JSON).load(f.body()).asObject(); + return Vars.convert(err.getText(),err.getVariables()); + } catch (APIException e){ + // just return the body below + } + } + return text; + } + + public static AAFCon newInstance(PropAccess pa) throws APIException, CadiException, LocatorException { + // Potentially add plugin for other kinds of Access + return new AAFConHttp(pa); + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java new file mode 100644 index 00000000..6d54e36f --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFConHttp.java @@ -0,0 +1,229 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.v2_0; + +import java.io.IOException; +import java.net.HttpURLConnection; +import java.net.URI; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.Locator.Item; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.client.AbsTransferSS; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.http.HBasicAuthSS; +import org.onap.aaf.cadi.http.HMangr; +import org.onap.aaf.cadi.http.HRcli; +import org.onap.aaf.cadi.http.HTokenSS; +import org.onap.aaf.cadi.http.HTransferSS; +import org.onap.aaf.cadi.http.HX509SS; +import org.onap.aaf.cadi.principal.BasicPrincipal; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.misc.env.APIException; + +public class AAFConHttp extends AAFCon { + private final HMangr hman; + + public AAFConHttp(Access access) throws APIException, CadiException, LocatorException { + super(access,Config.AAF_URL,SecurityInfoC.instance(access, HttpURLConnection.class)); + bestSS(si); + hman = new HMangr(access,Config.loadLocator(si, access.getProperty(Config.AAF_URL,null))); + } + + public static SecuritySetter bestSS(SecurityInfoC si) throws APIException, CadiException { + Access access = si.access; + String s; + if((s = access.getProperty(Config.CADI_ALIAS, null))!=null) { + return new HX509SS(s,si,true); + } else if((s = access.getProperty(Config.AAF_APPID, null))!=null){ + try { + return new HBasicAuthSS(si,true); + } catch (IOException /*| GeneralSecurityException*/ e) { + throw new CadiException(e); + } + } + return null; + } + + public AAFConHttp(Access access, String tag) throws APIException, CadiException, LocatorException { + super(access,tag,SecurityInfoC.instance(access, HttpURLConnection.class)); + bestSS(si); + hman = new HMangr(access,Config.loadLocator(si, access.getProperty(tag,tag/*try the content itself*/))); + } + + public AAFConHttp(Access access, String urlTag, SecurityInfoC si) throws CadiException, APIException, LocatorException { + super(access,urlTag,si); + bestSS(si); + hman = new HMangr(access,Config.loadLocator(si, access.getProperty(urlTag,null))); + } + + public AAFConHttp(Access access, Locator locator) throws CadiException, LocatorException, APIException { + super(access,Config.AAF_URL,SecurityInfoC.instance(access, HttpURLConnection.class)); + bestSS(si); + hman = new HMangr(access,locator); + } + + public AAFConHttp(Access access, Locator locator, SecurityInfoC si) throws CadiException, LocatorException { + super(access,Config.AAF_URL,si); + hman = new HMangr(access,locator); + } + + public AAFConHttp(Access access, Locator locator, SecurityInfoC si, String tag) throws CadiException, LocatorException { + super(access,tag,si); + hman = new HMangr(access, locator); + } + + private AAFConHttp(AAFCon aafcon, String url) throws LocatorException { + super(aafcon); + hman = new HMangr(aafcon.access,Config.loadLocator(si, url)); + } + + @Override + public AAFCon clone(String url) throws LocatorException { + return new AAFConHttp(this,url); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.aaf.v2_0.AAFCon#basicAuth(java.lang.String, java.lang.String) + */ + @Override + public SecuritySetter basicAuth(String user, String password) throws CadiException { + if(password.startsWith("enc:")) { + try { + password = access.decrypt(password, true); + } catch (IOException e) { + throw new CadiException("Error decrypting password",e); + } + } + try { + return new HBasicAuthSS(si,user,password); + } catch (IOException e) { + throw new CadiException("Error creating HBasicAuthSS",e); + } + } + + public SecuritySetter x509Alias(String alias) throws APIException, CadiException { + try { + return set(new HX509SS(alias,si)); + } catch (Exception e) { + throw new CadiException("Error creating X509SS",e); + } + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.aaf.v2_0.AAFCon#rclient(java.net.URI, org.onap.aaf.cadi.SecuritySetter) + */ + @Override + protected Rcli rclient(URI ignoredURI, SecuritySetter ss) throws CadiException { + if(hman.loc==null) { + throw new CadiException("No Locator set in AAFConHttp"); + } + try { + return new HRcli(hman, hman.loc.best() ,ss); + } catch (Exception e) { + throw new CadiException(e); + } + } + + @Override + public Rcli rclient(Locator loc, SecuritySetter ss) throws CadiException { + try { + HMangr newHMan = new HMangr(access, loc); + return new HRcli(newHMan,newHMan.loc.best(),ss); + } catch (Exception e) { + throw new CadiException(e); + } + } + @Override + public AbsTransferSS transferSS(TaggedPrincipal principal) throws CadiException { + return new HTransferSS(principal, app,si); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.aaf.v2_0.AAFCon#basicAuthSS(java.security.Principal) + */ + @Override + public SecuritySetter basicAuthSS(BasicPrincipal principal) throws CadiException { + try { + return new HBasicAuthSS(principal,si); + } catch (IOException e) { + throw new CadiException("Error creating HBasicAuthSS",e); + } + } + + @Override + public SecuritySetter tokenSS(final String client_id, final String accessToken) throws CadiException { + try { + return new HTokenSS(si, client_id, accessToken); + } catch (IOException e) { + throw new CadiException(e); + } + } + + public HMangr hman() { + return hman; + } + + @Override + public RET best(Retryable retryable) throws LocatorException, CadiException, APIException { + return hman.best(ss, (Retryable)retryable); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.aaf.v2_0.AAFCon#bestForUser(org.onap.aaf.cadi.SecuritySetter, org.onap.aaf.cadi.client.Retryable) + */ + @Override + public RET bestForUser(GetSetter getSetter, Retryable retryable) throws LocatorException, CadiException, APIException { + return hman.best(getSetter.get(this), (Retryable)retryable); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.aaf.v2_0.AAFCon#initURI() + */ + @Override + protected URI initURI() { + try { + Item item = hman.loc.best(); + if(item!=null) { + return hman.loc.get(item); + } + } catch (LocatorException e) { + access.log(e, "Error in AAFConHttp obtaining initial URI"); + } + return null; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.aaf.v2_0.AAFCon#setInitURI(java.lang.String) + */ + @Override + protected void setInitURI(String uriString) throws CadiException { + // Using Locator, not URLString, which is mostly for DME2 + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLocator.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLocator.java new file mode 100644 index 00000000..4f60edaf --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLocator.java @@ -0,0 +1,132 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.v2_0; + +import java.net.HttpURLConnection; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.Collections; +import java.util.LinkedList; +import java.util.List; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.http.HClient; +import org.onap.aaf.cadi.util.Split; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.Data.TYPE; +import org.onap.aaf.misc.env.impl.BasicTrans; +import org.onap.aaf.misc.rosetta.env.RosettaDF; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +import locate.v1_0.Endpoint; +import locate.v1_0.Endpoints; + +public class AAFLocator extends AbsAAFLocator { + private static RosettaEnv env; + HClient client; + private RosettaDF epsDF; + + public AAFLocator(SecurityInfoC si, URI locatorURI) throws LocatorException { + super(si.access, nameFromLocatorURI(locatorURI), 10000L /* Wait at least 10 seconds between refreshes */); + SecuritySetter ss; + try { + ss=AAFConHttp.bestSS(si); + } catch (APIException | CadiException e1) { + throw new LocatorException(e1); + } + synchronized(sr) { + if(env==null) { + env = new RosettaEnv(access.getProperties()); + } + } + + int connectTimeout = Integer.parseInt(si.access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF)); + try { + String[] path = Split.split('/',locatorURI.getPath()); + if(path.length>2 && "locate".equals(path[1])) { + StringBuilder sb = new StringBuilder(); + for(int i=3;i fr = client.futureRead(epsDF, TYPE.JSON); + if(fr.get(client.timeout())) { + List epl = new LinkedList(); + for(Endpoint endpoint : fr.value.getEndpoint()) { + epl.add(new EP(endpoint,latitude,longitude)); + } + + Collections.sort(epl); + replace(epl); + return true; + } else { + env.error().printf("Error reading location information from %s: %d %s\n",client.getURI().toString(),fr.code(),fr.body()); + } + } catch (CadiException | URISyntaxException | APIException e) { + env.error().log(e,"Error connecting " + client.getURI() + " for location."); + } + return false; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator#getURI() + */ + @Override + protected URI getURI() { + return client.getURI(); + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java new file mode 100644 index 00000000..41f237d6 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFLurPerm.java @@ -0,0 +1,243 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.v2_0; + +import java.lang.reflect.Constructor; +import java.lang.reflect.InvocationTargetException; +import java.net.ConnectException; +import java.net.URISyntaxException; +import java.security.Principal; +import java.util.Map; + +import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.User; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.lur.LocalPermission; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Split; + +import aaf.v2_0.Perm; +import aaf.v2_0.Perms; + +/** + * Use AAF Service as Permission Service. + * + * This Lur goes after AAF Permissions, which are elements of Roles, not the Roles themselves. + * + * If you want a simple Role Lur, use AAFRoleLur + * + * @author Jonathan + * + */ +public class AAFLurPerm extends AbsAAFLur { + /** + * Need to be able to transmutate a Principal into either ATTUID or MechID, which are the only ones accepted at this + * point by AAF. There is no "domain", aka, no "@att.com" in "ab1234@att.com". + * + * The only thing that matters here for AAF is that we don't waste calls with IDs that obviously aren't valid. + * Thus, we validate that the ID portion follows the rules before we waste time accessing AAF remotely + * @throws APIException + * @throws URISyntaxException + * @throws DME2Exception + */ + // Package on purpose + AAFLurPerm(AAFCon con) throws CadiException, APIException { + super(con); + attachOAuth2(con); + } + + // Package on purpose + AAFLurPerm(AAFCon con, AbsUserCache auc) throws APIException { + super(con,auc); + attachOAuth2(con); + } + + private void attachOAuth2(AAFCon con) throws APIException { + String oauth2_url; + Class tmcls = Config.loadClass(access,"org.osaaf.cadi.oauth.TokenMgr"); + if(tmcls!=null) { + if((oauth2_url = con.access.getProperty(Config.CADI_OAUTH2_URL,null))!=null) { + try { + Constructor tmconst = tmcls.getConstructor(AAFCon.class,String.class); + Object tokMangr = tmconst.newInstance(con,oauth2_url); + @SuppressWarnings("unchecked") + Class oa2cls = (Class)Config.loadClass(access,"org.osaaf.cadi.oauth.OAuth2Lur"); + Constructor oa2const = oa2cls.getConstructor(tmcls); + Lur oa2 = oa2const.newInstance(tokMangr); + setPreemptiveLur(oa2); + } catch (NoSuchMethodException | SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { + throw new APIException(e); + } + } else { + access.log(Level.INIT, "Both cadi-oauth jar and Property",Config.CADI_OAUTH2_URL,"is required to initialize OAuth2"); + } + } + } + + protected User loadUser(final Principal principal) { + final String name = principal.getName(); +// // Note: The rules for AAF is that it only stores permissions for ATTUID and MechIDs, which don't +// // have domains. We are going to make the Transitive Class (see this.transmutative) to convert +// final Principal tp = principal; //transmutate.mutate(principal); +// if(tp==null) { +// return null; // if not a valid Transmutated credential, don't bother calling... +// } +// TODO Create a dynamic way to declare domains supported. + final long start = System.nanoTime(); + final boolean[] success = new boolean[]{false}; + +// new Exception("loadUser").printStackTrace(); + try { + return aaf.best(new Retryable>() { + @Override + public User code(Rcli client) throws CadiException, ConnectException, APIException { + Future fp = client.read("/authz/perms/user/"+name,aaf.permsDF); + + // In the meantime, lookup User, create if necessary + User user = getUser(principal); + Principal p; + if(user!=null && user.principal == null) { + p = new Principal() {// Create a holder for lookups + private String n = name; + public String getName() { + return n; + } + }; + } else { + p = principal; + } + + if(user==null) { + addUser(user = new User(p,aaf.userExpires)); // no password + } + + // OK, done all we can, now get content + if(fp.get(aaf.timeout)) { + success[0]=true; + Map newMap = user.newMap(); + boolean willLog = aaf.access.willLog(Level.DEBUG); + for(Perm perm : fp.value.getPerm()) { + user.add(newMap,new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles())); + if(willLog) { + aaf.access.log(Level.DEBUG, name,"has '",perm.getType(),'|',perm.getInstance(),'|',perm.getAction(),'\''); + } + } + user.setMap(newMap); + } else { + int code; + switch(code=fp.code()) { + case 401: + aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls"); + break; + case 404: + user.setNoPerms(); + break; + default: + aaf.access.log(Access.Level.ERROR, code, fp.body()); + } + } + + return user; + } + }); + } catch (Exception e) { + aaf.access.log(e,"Calling","/authz/perms/user/"+name); + success[0]=false; + return null; + } finally { + float time = (System.nanoTime()-start)/1000000f; + aaf.access.log(Level.INFO, success[0]?"Loaded":"Load Failure",name,"from AAF in",time,"ms"); + } + } + + public Resp reload(User user) { + final String name = user.name; + long start = System.nanoTime(); + boolean success = false; + try { + Future fp = aaf.client(Config.AAF_DEFAULT_VERSION).read( + "/authz/perms/user/"+name, + aaf.permsDF + ); + + // OK, done all we can, now get content + if(fp.get(aaf.timeout)) { + success = true; + Map newMap = user.newMap(); + boolean willLog = aaf.access.willLog(Level.DEBUG); + for(Perm perm : fp.value.getPerm()) { + user.add(newMap, new AAFPermission(perm.getType(),perm.getInstance(),perm.getAction(),perm.getRoles())); + if(willLog) { + aaf.access.log(Level.DEBUG, name,"has",perm.getType(),perm.getInstance(),perm.getAction()); + } + } + user.renewPerm(); + return Resp.REVALIDATED; + } else { + int code; + switch(code=fp.code()) { + case 401: + aaf.access.log(Access.Level.ERROR, code, "Unauthorized to make AAF calls"); + break; + default: + aaf.access.log(Access.Level.ERROR, code, fp.body()); + } + return Resp.UNVALIDATED; + } + } catch (Exception e) { + aaf.access.log(e,"Calling","/authz/perms/user/"+name); + return Resp.INACCESSIBLE; + } finally { + float time = (System.nanoTime()-start)/1000000f; + aaf.access.log(Level.AUDIT, success?"Reloaded":"Reload Failure",name,"from AAF in",time,"ms"); + } + } + + @Override + protected boolean isCorrectPermType(Permission pond) { + return pond instanceof AAFPermission; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String) + */ + @Override + public Permission createPerm(String p) { + String[] params = Split.split('|', p); + if(params.length==3) { + return new AAFPermission(params[0],params[1],params[2]); + } else { + return new LocalPermission(p); + } + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java new file mode 100644 index 00000000..42f3ec4d --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTaf.java @@ -0,0 +1,203 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.v2_0; + +import java.io.IOException; +import java.net.ConnectException; +import java.security.Principal; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Connector; +import org.onap.aaf.cadi.GetCred; +import org.onap.aaf.cadi.Hash; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.User; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.Taf.LifeForm; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.aaf.v2_0.AAFCon.GetSetter; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.principal.BasicPrincipal; +import org.onap.aaf.cadi.principal.CachedBasicPrincipal; +import org.onap.aaf.cadi.taf.HttpTaf; +import org.onap.aaf.cadi.taf.TafResp; +import org.onap.aaf.cadi.taf.TafResp.RESP; +import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp; +import org.onap.aaf.misc.env.APIException; + +public class AAFTaf extends AbsUserCache implements HttpTaf { +// private static final String INVALID_AUTH_TOKEN = "Invalid Auth Token"; +// private static final String AUTHENTICATING_SERVICE_UNAVAILABLE = "Authenticating Service unavailable"; + private AAFCon aaf; + private boolean warn; + + public AAFTaf(AAFCon con, boolean turnOnWarning) { + super(con.access,con.cleanInterval,con.highCount, con.usageRefreshTriggerCount); + aaf = con; + warn = turnOnWarning; + } + + public AAFTaf(AAFCon con, boolean turnOnWarning, AbsUserCache other) { + super(other); + aaf = (AAFCon)con; + warn = turnOnWarning; + } + + // Note: Needed for Creation of this Object with Generics + @SuppressWarnings("unchecked") + public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning, AbsUserCache other) throws CadiException { + this((AAFCon)mustBeAAFCon,turnOnWarning,other); + } + + // Note: Needed for Creation of this Object with Generics + @SuppressWarnings("unchecked") + public AAFTaf(Connector mustBeAAFCon, boolean turnOnWarning) throws CadiException { + this((AAFCon)mustBeAAFCon,turnOnWarning); + } + + + public TafResp validate(final LifeForm reading, final HttpServletRequest req, final HttpServletResponse resp) { + //TODO Do we allow just anybody to validate? + + // Note: Either Carbon or Silicon based LifeForms ok + String authz = req.getHeader("Authorization"); + if(authz != null && authz.startsWith("Basic ")) { + if(warn&&!req.isSecure())aaf.access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel"); + try { + final CachedBasicPrincipal bp; + if(req.getUserPrincipal() instanceof CachedBasicPrincipal) { + bp = (CachedBasicPrincipal)req.getUserPrincipal(); + } else { + bp = new CachedBasicPrincipal(this,authz,aaf.getRealm(),aaf.userExpires); + } + // First try Cache + final User usr = getUser(bp); + if(usr != null && usr.principal != null) { + if(usr.principal instanceof GetCred) { + if(Hash.isEqual(bp.getCred(),((GetCred)usr.principal).getCred())) { + return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by cached AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false); + } + } + } + + Miss miss = missed(bp.getName(), bp.getCred()); + if(miss!=null && !miss.mayContinue()) { + return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, + "User/Pass Retry limit exceeded"), + RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true); + } + + return aaf.bestForUser( + new GetSetter() { + @Override + public SecuritySetter get(AAFCon con) throws CadiException { + return con.basicAuthSS(bp); + } + },new Retryable() { + @Override + public BasicHttpTafResp code(Rcli client) throws CadiException, ConnectException, APIException { + Future fp = client.read("/authn/basicAuth", "text/plain"); + if(fp.get(aaf.timeout)) { + if(usr!=null) { + usr.principal = bp; + } else { + addUser(new User(bp,aaf.userExpires)); + } + return new BasicHttpTafResp(aaf.access,bp,bp.getName()+" authenticated by AAF password",RESP.IS_AUTHENTICATED,resp,aaf.getRealm(),false); + } else { + // Note: AddMiss checks for miss==null, and is part of logic + boolean rv= addMiss(bp.getName(),bp.getCred()); + if(rv) { + return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, + "user/pass combo invalid via AAF from " + req.getRemoteAddr()), + RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),true); + } else { + return new BasicHttpTafResp(aaf.access,null,buildMsg(bp,req, + "user/pass combo invalid via AAF from " + req.getRemoteAddr() + " - Retry limit exceeded"), + RESP.FAIL,resp,aaf.getRealm(),true); + } + } + } + } + ); + } catch (IOException e) { + String msg = buildMsg(null,req,"Invalid Auth Token"); + aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')'); + return new BasicHttpTafResp(aaf.access,null,msg, RESP.TRY_AUTHENTICATING, resp, aaf.getRealm(),true); + } catch (Exception e) { + String msg = buildMsg(null,req,"Authenticating Service unavailable"); + try { + aaf.invalidate(); + } catch (CadiException e1) { + aaf.access.log(e1, "Error Invalidating Client"); + } + aaf.access.log(Level.WARN,msg,'(', e.getMessage(), ')'); + return new BasicHttpTafResp(aaf.access,null,msg, RESP.FAIL, resp, aaf.getRealm(),false); + } + } + return new BasicHttpTafResp(aaf.access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,aaf.getRealm(),false); + } + + public String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) { + StringBuilder sb = new StringBuilder(); + for(Object s : msg) { + sb.append(s.toString()); + } + if(pr!=null) { + sb.append(" for "); + sb.append(pr.getName()); + } + sb.append(" from "); + sb.append(req.getRemoteAddr()); + sb.append(':'); + sb.append(req.getRemotePort()); + return sb.toString(); + } + + + + public Resp revalidate(CachedPrincipal prin, Object state) { + // !!!! TEST THIS.. Things may not be revalidated, if not BasicPrincipal + if(prin instanceof BasicPrincipal) { + Future fp; + try { + Rcli userAAF = aaf.client(Config.AAF_DEFAULT_VERSION).forUser(aaf.transferSS((BasicPrincipal)prin)); + fp = userAAF.read("/authn/basicAuth", "text/plain"); + return fp.get(aaf.timeout)?Resp.REVALIDATED:Resp.UNVALIDATED; + } catch (Exception e) { + aaf.access.log(e, "Cannot Revalidate",prin.getName()); + return Resp.INACCESSIBLE; + } + } + return Resp.NOT_MINE; + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java new file mode 100644 index 00000000..074b704b --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AAFTrustChecker.java @@ -0,0 +1,114 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.v2_0; + +import javax.servlet.http.HttpServletRequest ; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.TrustChecker; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.principal.TrustPrincipal; +import org.onap.aaf.cadi.taf.TafResp; +import org.onap.aaf.cadi.taf.TrustNotTafResp; +import org.onap.aaf.cadi.taf.TrustTafResp; +import org.onap.aaf.misc.env.Env; +import org.onap.aaf.misc.env.util.Split; + +public class AAFTrustChecker implements TrustChecker { + private final String tag, id; + private final AAFPermission perm; + private Lur lur; + + /** + * + * Instance will be replaced by Identity + * @param lur + * + * @param tag + * @param perm + */ + public AAFTrustChecker(final Env env) { + tag = env.getProperty(Config.CADI_USER_CHAIN_TAG, Config.CADI_USER_CHAIN); + id = env.getProperty(Config.CADI_ALIAS,env.getProperty(Config.AAF_APPID)); // share between components + String str = env.getProperty(Config.CADI_TRUST_PERM); + AAFPermission temp=null; + if(str!=null) { + String[] sp = Split.splitTrim('|', str); + if(sp.length==3) { + temp = new AAFPermission(sp[0],sp[1],sp[2]); + } + } + perm=temp; + } + + public AAFTrustChecker(final Access access) { + tag = access.getProperty(Config.CADI_USER_CHAIN_TAG, Config.CADI_USER_CHAIN); + id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_APPID,null)); // share between components + String str = access.getProperty(Config.CADI_TRUST_PERM,null); + AAFPermission temp=null; + if(str!=null) { + String[] sp = Split.splitTrim('|', str); + if(sp.length==3) { + temp = new AAFPermission(sp[0],sp[1],sp[2]); + } + } + perm=temp; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.TrustChecker#setLur(org.onap.aaf.cadi.Lur) + */ + @Override + public void setLur(Lur lur) { + this.lur = lur; + } + + @Override + public TafResp mayTrust(TafResp tresp, HttpServletRequest req) { + String user_info = req.getHeader(tag); + if(user_info !=null ) { + String[] info = Split.split(',', user_info); + if(info.length>0) { + String[] flds = Split.splitTrim(':',info[0]); + if(flds.length>3 && "AS".equals(flds[3])) { // is it set for "AS" + String pn = tresp.getPrincipal().getName(); + if(pn.equals(id) // We do trust our own App Components: if a trust entry is made with self, always accept + || lur.fish(tresp.getPrincipal(), perm)) { // Have Perm set by Config.CADI_TRUST_PERM + return new TrustTafResp(tresp, + new TrustPrincipal(tresp.getPrincipal(), flds[0]), + " " + flds[0] + " validated using " + flds[2] + " by " + flds[1] + ',' + ); + } else if(pn.equals(flds[0])) { // Ignore if same identity + return tresp; + } else { + return new TrustNotTafResp(tresp, tresp.getPrincipal().getName() + " requested trust as " + + flds[0] + ", but does not have Authorization"); + } + } + } + } + return tresp; + } + +} \ No newline at end of file diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java new file mode 100644 index 00000000..19beef68 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLocator.java @@ -0,0 +1,496 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.v2_0; + +import java.net.URI; +import java.net.URISyntaxException; +import java.security.SecureRandom; +import java.util.ArrayList; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.locator.PropertyLocator; +import org.onap.aaf.cadi.routing.GreatCircle; +import org.onap.aaf.misc.env.Trans; +import org.onap.aaf.misc.env.util.Split; + +import locate.v1_0.Endpoint; + +public abstract class AbsAAFLocator implements Locator { + protected static final SecureRandom sr = new SecureRandom(); + private static LocatorCreator locatorCreator; + protected final Access access; + + protected final double latitude; + protected final double longitude; + protected List epList; + protected final String name, version; + private String pathInfo = null; + private String query = null; + private String fragment = null; + private boolean additional = false; + protected String myhostname; + protected int myport; + protected final String aaf_locator_host; + private long earliest; + private final long refreshWait; + + + public AbsAAFLocator(Access access, String name, final long refreshMin) throws LocatorException { + aaf_locator_host = access.getProperty(Config.AAF_LOCATE_URL, null); + + epList = new LinkedList(); + refreshWait = refreshMin; + + this.access = access; + String lat = access.getProperty(Config.CADI_LATITUDE,null); + String lng = access.getProperty(Config.CADI_LONGITUDE,null); + if(lat==null || lng==null) { + throw new LocatorException(Config.CADI_LATITUDE + " and " + Config.CADI_LONGITUDE + " properties are required."); + } else { + latitude = Double.parseDouble(lat); + longitude = Double.parseDouble(lng); + } + if(name.startsWith("http")) { // simple URL + this.name = name; + this.version = Config.AAF_DEFAULT_VERSION; + } else { + String[] split = Split.split(':', name); + + switch(split.length) { + case 1: + this.name = split[0]; + this.version = Config.AAF_DEFAULT_VERSION; + break; + case 0: + this.name = name; + this.version = Config.AAF_DEFAULT_VERSION; + break; + default: + this.version = split[1]; + this.name = split[0]; + + } + } + + } + + /** + * This is the way to setup specialized AAFLocators ahead of time. + * @param preload + */ + public static void setCreator(LocatorCreator lc) { + locatorCreator = lc; + } + + public static Locator create(String key) throws LocatorException { + String name = null; + String version = Config.AAF_DEFAULT_VERSION; + String pathInfo = null; + int prev = key.indexOf("/locate"); + if(prev>0) { + prev = key.indexOf('/',prev+6); + if(prev>0) { + int next = key.indexOf('/',++prev); + if(next>0) { + name = key.substring(prev, next); + pathInfo=key.substring(next); + } else { + name = key.substring(prev); + } + String[] split = Split.split(':', name); + switch(split.length) { + case 3: + case 2: + version = split[1]; + name = split[0]; + break; + } + } + } + + if(key.startsWith("http")) { + if(name!=null) { + if(locatorCreator != null) { + if(name!=null) { + AbsAAFLocator aal = locatorCreator.create(name, version); + if(pathInfo!=null) { + aal.setPathInfo(pathInfo); + } + return aal; + } + } + } else { + return new PropertyLocator(key); + } + } + return null; + } + + public static Locator create(final String name, final String version) throws LocatorException { + return locatorCreator.create(name, version); + } + + public interface LocatorCreator { + public AbsAAFLocator create(String key, String version) throws LocatorException; + public void setSelf(String hostname, int port); + } + + protected static String nameFromLocatorURI(URI locatorURI) { + String[] path = Split.split('/', locatorURI.getPath()); + if(path.length>2 && "locate".equals(path[1])) { + return path[2]; + } else { + return locatorURI.toString(); + } + } + + /** + * Setting "self" excludes this service from the list. Critical for contacting peers. + */ + public void setSelf(final String hostname, final int port) { + myhostname=hostname; + myport=port; + } + + + public static void setCreatorSelf(final String hostname, final int port) { + if(locatorCreator!=null) { + locatorCreator.setSelf(hostname,port); + } + } + + protected final synchronized void replace(List list) { + epList = list; + } + + /** + * Call _refresh as needed during calls, but actual refresh will not occur if there + * are existing entities or if it has been called in the last 10 (settable) seconds. + * Timed Refreshes happen by Scheduled Thread + */ + private final boolean _refresh() { + boolean rv = false; + long now=System.currentTimeMillis(); + if(noEntries()) { + if(earliest iter = epList.iterator(); iter.hasNext(); ) { + EP ep = iter.next(); + if(ep.valid) { + return true; + } + } + isEmpty = true; + } + if(_refresh()) { // is refreshed... check again + isEmpty = epList.isEmpty(); + } + return !isEmpty; + } + + @Override + public void invalidate(Item item) throws LocatorException { + if(item!=null) { + if(item instanceof AAFLItem) { + AAFLItem ali =(AAFLItem)item; + EP ep = ali.ep; + synchronized(epList) { + epList.remove(ep); + } + ep.invalid(); + ali.iter = getIterator(); // for next guy... fresh iterator + } else { + throw new LocatorException(item.getClass().getName() + " does not belong to AAFLocator"); + } + } + } + + @Override + public Item best() throws LocatorException { + if(!hasItems()) { + throw new LocatorException("No Entries found" + (pathInfo==null?"":(" for " + pathInfo))); + } + List lep = new ArrayList(); + EP first = null; + // Note: Deque is sorted on the way by closest distance + Iterator iter = getIterator(); + EP ep; + while(iter.hasNext()) { + ep = iter.next(); + if(ep.valid) { + if(first==null) { + first = ep; + lep.add(first); + } else { + if(Math.abs(ep.distance-first.distance)<.1) { // allow for nearby/precision issues. + lep.add(ep); + } else { + break; + } + } + } + } + switch(lep.size()) { + case 0: + return null; + case 1: + return new AAFLItem(iter,first); + default: + int i = Math.abs(sr.nextInt())%lep.size(); + if(i<0) { + return null; + } else { + return new AAFLItem(iter,lep.get(i)); + } + + } + } + + private Iterator getIterator() { + Object[] epa = epList.toArray(); + if(epa.length==0) { + _refresh(); + epa = epList.toArray(); + } + return new EPIterator(epa, epList); + } + + public class EPIterator implements Iterator { + private final Object[] epa; + private final List epList; + private int idx; + + public EPIterator(Object[] epa, List epList) { + this.epa = epa; + this.epList = epList; + idx = epa.length>0?0:-1; + } + + @Override + public boolean hasNext() { + if(idx<0) { + return false; + } else { + Object obj; + while(idx=0 && idx iter = getIterator(); + EP ep = AAFLItem.next(iter); + if(ep==null) { + return null; + } + return new AAFLItem(iter,ep); + } + + @Override + public Item next(Item prev) throws LocatorException { + if(prev==null) { + StringBuilder sb = new StringBuilder("Locator Item passed in next(item) is null."); + int lines = 0; + for(StackTraceElement st : Thread.currentThread().getStackTrace()) { + sb.append("\n\t"); + sb.append(st.toString()); + if(++lines > 5) { + sb.append("\n\t..."); + break; + } + } + access.log(Level.ERROR, sb); + } else { + if(prev instanceof AAFLItem) { + AAFLItem ali = (AAFLItem)prev; + EP ep = AAFLItem.next(ali.iter); + if(ep!=null) { + return new AAFLItem(ali.iter,ep); + } + } else { + throw new LocatorException(prev.getClass().getName() + " does not belong to AAFLocator"); + } + } + return null; + } + + protected static class AAFLItem implements Item { + private Iterator iter; + private URI uri; + private EP ep; + + public AAFLItem(Iterator iter, EP ep) { + this.iter = iter; + this.ep = ep; + uri = ep.uri; + } + + private static EP next(Iterator iter) { + EP ep=null; + while(iter.hasNext() && (ep==null || !ep.valid)) { + ep = iter.next(); + } + return ep; + } + + public String toString() { + return ep==null?"Locator Item Invalid":ep.toString(); + } + } + + protected static class EP implements Comparable { + public URI uri; + public final double distance; + private boolean valid; + + public EP(final Endpoint ep, double latitude, double longitude) throws URISyntaxException { + uri = new URI(ep.getProtocol(),null,ep.getHostname(),ep.getPort(),null,null,null); + distance = GreatCircle.calc(latitude, longitude, ep.getLatitude(), ep.getLongitude()); + valid = true; + } + + public void invalid() { + valid = false; + } + + @Override + public int compareTo(EP o) { + if(distance setPathInfo(String pathInfo) { + this.pathInfo = pathInfo; + additional=true; + return this; + } + + public AbsAAFLocator setQuery(String query) { + this.query = query; + additional=true; + return this; + } + + public AbsAAFLocator setFragment(String fragment) { + this.fragment = fragment; + additional=true; + return this; + } + + // Core URI, for reporting purposes + protected abstract URI getURI(); + + protected URI getURI(URI rv) throws LocatorException { + if(additional) { + try { + return new URI(rv.getScheme(),rv.getUserInfo(),rv.getHost(),rv.getPort(),pathInfo,query,fragment); + } catch (URISyntaxException e) { + throw new LocatorException("Error coping URL"); + } + } + return rv; + } + + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java new file mode 100644 index 00000000..083537a8 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/aaf/v2_0/AbsAAFLur.java @@ -0,0 +1,289 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.v2_0; + +import java.security.Principal; +import java.util.ArrayList; +import java.util.Date; +import java.util.List; + +import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CachingLur; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.User; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Split; + +public abstract class AbsAAFLur extends AbsUserCache implements CachingLur { + protected static final byte[] BLANK_PASSWORD = new byte[0]; + private String[] debug = null; + public AAFCon aaf; + public Lur preemptiveLur=null; // Initial Use is for OAuth2, preemptive Lur + private String[] supports; + + public AbsAAFLur(AAFCon con) throws APIException { + super(con.access, con.cleanInterval, con.highCount, con.usageRefreshTriggerCount); + aaf = con; + setLur(this); + supports = con.access.getProperty(Config.AAF_DOMAIN_SUPPORT, Config.AAF_DOMAIN_SUPPORT_DEF).split("\\s*:\\s*"); + } + + public AbsAAFLur(AAFCon con, AbsUserCache auc) throws APIException { + super(auc); + aaf = con; + setLur(this); + supports = con.access.getProperty(Config.AAF_DOMAIN_SUPPORT, Config.AAF_DOMAIN_SUPPORT_DEF).split("\\s*:\\s*"); + } + + @Override + public void setDebug(String ids) { + this.debug = ids==null?null:Split.split(',', ids); + } + + public void setPreemptiveLur(Lur preemptive) { + this.preemptiveLur = preemptive; + } + + protected abstract User loadUser(Principal bait); + + @Override + public final boolean handles(Principal principal) { + if(preemptiveLur!=null) { + if(preemptiveLur.handles(principal)) { + return true; + } + } + String userName=principal.getName(); + if(userName!=null) { + for(String s : supports) { + if(userName.endsWith(s)) + return true; + } + } + return false; + } + + + protected abstract boolean isCorrectPermType(Permission pond); + + // This is where you build AAF CLient Code. Answer the question "Is principal "bait" in the "pond" + public boolean fish(Principal bait, Permission pond) { + if(preemptiveLur!=null && preemptiveLur.handles(bait)) { + return preemptiveLur.fish(bait, pond); + } else { + if(pond==null) { + return false; + } + if(isDebug(bait)) { + boolean rv = false; + StringBuilder sb = new StringBuilder("Log for "); + sb.append(bait); + if(handles(bait)) { + User user = getUser(bait); + if(user==null) { + sb.append("\n\tUser is not in Cache"); + } else { + if(user.noPerms()) { + sb.append("\n\tUser has no Perms"); + } + if(user.permExpired()) { + sb.append("\n\tUser's perm expired ["); + sb.append(new Date(user.permExpires())); + sb.append(']'); + } else { + sb.append("\n\tUser's perm expires ["); + sb.append(new Date(user.permExpires())); + sb.append(']'); + } + } + if(user==null || user.permsUnloaded() || user.permExpired()) { + user = loadUser(bait); + sb.append("\n\tloadUser called"); + } + if(user==null) { + sb.append("\n\tUser was not Loaded"); + } else if(user.contains(pond)) { + sb.append("\n\tUser contains "); + sb.append(pond.getKey()); + rv = true; + } else { + sb.append("\n\tUser does not contain "); + sb.append(pond.getKey()); + List perms = new ArrayList(); + user.copyPermsTo(perms); + for(Permission p : perms) { + sb.append("\n\t\t"); + sb.append(p.getKey()); + } + } + } else { + sb.append("AAF Lur does not support ["); + sb.append(bait); + sb.append("]"); + } + aaf.access.log(Level.INFO, sb); + return rv; + } else { + if(handles(bait)) { + User user = getUser(bait); + if(user==null || user.permsUnloaded() || user.permExpired()) { + user = loadUser(bait); + } + return user==null?false:user.contains(pond); + } + return false; + } + } + } + + public void fishAll(Principal bait, List perms) { + if(preemptiveLur!=null && preemptiveLur.handles(bait)) { + preemptiveLur.fishAll(bait, perms); + } else { + if(isDebug(bait)) { + StringBuilder sb = new StringBuilder("Log for "); + sb.append(bait); + if(handles(bait)) { + User user = getUser(bait); + if(user==null) { + sb.append("\n\tUser is not in Cache"); + } else { + if(user.noPerms()) { + sb.append("\n\tUser has no Perms"); + } + if(user.permExpired()) { + sb.append("\n\tUser's perm expired ["); + sb.append(new Date(user.permExpires())); + sb.append(']'); + } else { + sb.append("\n\tUser's perm expires ["); + sb.append(new Date(user.permExpires())); + sb.append(']'); + } + } + if(user==null || user.permsUnloaded() || user.permExpired()) { + user = loadUser(bait); + sb.append("\n\tloadUser called"); + } + if(user==null) { + sb.append("\n\tUser was not Loaded"); + } else { + sb.append("\n\tCopying Perms "); + user.copyPermsTo(perms); + for(Permission p : perms) { + sb.append("\n\t\t"); + sb.append(p.getKey()); + } + } + } else { + sb.append("AAF Lur does not support ["); + sb.append(bait); + sb.append("]"); + } + aaf.access.log(Level.INFO, sb); + } else { + if(handles(bait)) { + User user = getUser(bait); + if(user==null || user.permsUnloaded() || user.permExpired()) { + user = loadUser(bait); + } + if(user!=null) { + user.copyPermsTo(perms); + } + } + } + } + } + + @Override + public void remove(String user) { + super.remove(user); + } + + private boolean isDebug(Principal p) { + if(debug!=null) { + if(debug.length==1 && "all".equals(debug[0])) { + return true; + } + String name = p.getName(); + for(String s : debug) { + if(s.equals(name)) { + return true; + } + } + } + return false; + } + /** + * This special case minimizes loops, avoids multiple Set hits, and calls all the appropriate Actions found. + * + * @param bait + * @param obj + * @param type + * @param instance + * @param actions + */ + public void fishOneOf(Principal princ, A obj, String type, String instance, List> actions) { + User user = getUser(princ); + if(user==null || user.permsUnloaded() || user.permExpired()) { + user = loadUser(princ); + } + if(user!=null) { + ReuseAAFPermission perm = new ReuseAAFPermission(type,instance); + for(Action action : actions) { + perm.setAction(action.getName()); + if(user.contains(perm)) { + if(action.exec(obj))return; + } + } + } + } + + public static interface Action { + public String getName(); + /** + * Return false to continue, True to end now + * @return + */ + public boolean exec(A a); + } + + private class ReuseAAFPermission extends AAFPermission { + public ReuseAAFPermission(String type, String instance) { + super(type,instance,null,null); + } + + public void setAction(String s) { + action = s; + } + + /** + * This function understands that AAF Keys are hierarchical, :A:B:C, + * Cassandra follows a similar method, so we'll short circuit and do it more efficiently when there isn't a first hit + * @return + */ + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/ArtifactDir.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/ArtifactDir.java new file mode 100644 index 00000000..3669d04f --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/ArtifactDir.java @@ -0,0 +1,286 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.cm; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.FileWriter; +import java.io.IOException; +import java.io.PrintStream; +import java.io.PrintWriter; +import java.security.KeyStore; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.util.Chmod; +import org.onap.aaf.misc.env.Trans; +import org.onap.aaf.misc.env.util.Chrono; + +import certman.v1_0.Artifacts.Artifact; +import certman.v1_0.CertInfo; + +public abstract class ArtifactDir implements PlaceArtifact { + + protected static final String C_R = "\n"; + protected File dir; + private List encodeds = new ArrayList(); + + private Symm symm; + // This checks for multiple passes of Dir on the same objects. Run clear after done. + protected static Map processed = new HashMap(); + + + /** + * Note: Derived Classes should ALWAYS call "super.place(cert,arti)" first, and + * then "placeProperties(arti)" just after they implement + */ + @Override + public final boolean place(Trans trans, CertInfo certInfo, Artifact arti, String machine) throws CadiException { + validate(arti); + + try { + // Obtain/setup directory as required + dir = new File(arti.getDir()); + if(processed.get("dir")==null) { + if(!dir.exists()) { + Chmod.to755.chmod(dir); + if(!dir.mkdirs()) { + throw new CadiException("Could not create " + dir); + } + } + + // Also place cm_url and Host Name + addProperty(Config.CM_URL,trans.getProperty(Config.CM_URL)); + addProperty(Config.HOSTNAME,machine); + addProperty(Config.AAF_ENV,certInfo.getEnv()); + // Obtain Issuers + boolean first = true; + StringBuilder issuers = new StringBuilder(); + for(String dn : certInfo.getCaIssuerDNs()) { + if(first) { + first=false; + } else { + issuers.append(':'); + } + issuers.append(dn); + } + addProperty(Config.CADI_X509_ISSUERS,issuers.toString()); + } + symm = (Symm)processed.get("symm"); + if(symm==null) { + // CADI Key Gen + File f = new File(dir,arti.getNs() + ".keyfile"); + if(!f.exists()) { + write(f,Chmod.to400,Symm.keygen()); + } + symm = Symm.obtain(f); + + addEncProperty("ChallengePassword", certInfo.getChallenge()); + + processed.put("symm",symm); + } + + _place(trans, certInfo,arti); + + placeProperties(arti); + + processed.put("dir",dir); + + } catch (Exception e) { + throw new CadiException(e); + } + return true; + } + + /** + * Derived Classes implement this instead, so Dir can process first, and write any Properties last + * @param cert + * @param arti + * @return + * @throws CadiException + */ + protected abstract boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException; + + protected void addProperty(String tag, String value) throws IOException { + StringBuilder sb = new StringBuilder(); + sb.append(tag); + sb.append('='); + sb.append(value); + encodeds.add(sb.toString()); + } + + protected void addEncProperty(String tag, String value) throws IOException { + StringBuilder sb = new StringBuilder(); + sb.append(tag); + sb.append('='); + sb.append("enc:"); + sb.append(symm.enpass(value)); + encodeds.add(sb.toString()); + } + + protected void write(File f, Chmod c, String ... data) throws IOException { + f.setWritable(true,true); + + FileOutputStream fos = new FileOutputStream(f); + PrintStream ps = new PrintStream(fos); + try { + for(String s : data) { + ps.print(s); + } + } finally { + ps.close(); + c.chmod(f); + } + } + + protected void write(File f, Chmod c, byte[] bytes) throws IOException { + f.setWritable(true,true); + + FileOutputStream fos = new FileOutputStream(f); + try { + fos.write(bytes); + } finally { + fos.close(); + c.chmod(f); + } + } + + protected void write(File f, Chmod c, KeyStore ks, char[] pass ) throws IOException, CadiException { + f.setWritable(true,true); + + FileOutputStream fos = new FileOutputStream(f); + try { + ks.store(fos, pass); + } catch (Exception e) { + throw new CadiException(e); + } finally { + fos.close(); + c.chmod(f); + } + } + + + private void validate(Artifact a) throws CadiException { + StringBuilder sb = new StringBuilder(); + if(a.getDir()==null) { + sb.append("File Artifacts require a path"); + } + + if(a.getNs()==null) { + if(sb.length()>0) { + sb.append('\n'); + } + sb.append("File Artifacts require an AAF Namespace"); + } + + if(sb.length()>0) { + throw new CadiException(sb.toString()); + } + } + + private boolean placeProperties(Artifact arti) throws CadiException { + if(encodeds.size()==0) { + return true; + } + boolean first=processed.get("dir")==null; + try { + File f = new File(dir,arti.getNs()+".props"); + if(f.exists()) { + if(first) { + f.delete(); + } else { + f.setWritable(true); + } + } + // Append if not first + PrintWriter pw = new PrintWriter(new FileWriter(f,!first)); + + // Write a Header + if(first) { + for(int i=0;i<60;++i) { + pw.print('#'); + } + pw.println(); + pw.println("# Properties Generated by AT&T Certificate Manager"); + pw.print("# by "); + pw.println(System.getProperty("user.name")); + pw.print("# on "); + pw.println(Chrono.dateStamp()); + pw.println("# @copyright 2016, AT&T"); + for(int i=0;i<60;++i) { + pw.print('#'); + } + pw.println(); + for(String prop : encodeds) { + if( prop.startsWith("cm_") + || prop.startsWith(Config.HOSTNAME) + || prop.startsWith(Config.AAF_ENV)) { + pw.println(prop); + } + } + } + + try { + for(String prop : encodeds) { + if(prop.startsWith("cadi")) { + pw.println(prop); + } + } + } finally { + pw.close(); + } + Chmod.to644.chmod(f); + + if(first) { + // Challenge + f = new File(dir,arti.getNs()+".chal"); + if(f.exists()) { + f.delete(); + } + pw = new PrintWriter(new FileWriter(f)); + try { + for(String prop : encodeds) { + if(prop.startsWith("Challenge")) { + pw.println(prop); + } + } + } finally { + pw.close(); + } + Chmod.to400.chmod(f); + } + } catch(Exception e) { + throw new CadiException(e); + } + return true; + } + + public static void clear() { + processed.clear(); + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/CertException.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/CertException.java new file mode 100644 index 00000000..5c525ff2 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/CertException.java @@ -0,0 +1,45 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.cm; + +public class CertException extends Exception { + + /** + * + */ + private static final long serialVersionUID = 1373028409048516401L; + + public CertException() { + } + + public CertException(String message) { + super(message); + } + + public CertException(Throwable cause) { + super(cause); + } + + public CertException(String message, Throwable cause) { + super(message, cause); + } +} \ No newline at end of file diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/CmAgent.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/CmAgent.java new file mode 100644 index 00000000..14efd32c --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/CmAgent.java @@ -0,0 +1,722 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.cm; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.security.KeyStore; +import java.security.cert.X509Certificate; +import java.util.ArrayDeque; +import java.util.Deque; +import java.util.GregorianCalendar; +import java.util.HashMap; +import java.util.Iterator; +import java.util.Map; +import java.util.Map.Entry; + +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.aaf.client.ErrMessage; +import org.onap.aaf.cadi.aaf.v2_0.AAFCon; +import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.http.HBasicAuthSS; +import org.onap.aaf.cadi.sso.AAFSSO; +import org.onap.aaf.cadi.util.FQI; +import org.onap.aaf.misc.env.Env; +import org.onap.aaf.misc.env.TimeTaken; +import org.onap.aaf.misc.env.Trans; +import org.onap.aaf.misc.env.Data.TYPE; +import org.onap.aaf.misc.env.util.Chrono; +import org.onap.aaf.misc.env.util.Split; +import org.onap.aaf.misc.rosetta.env.RosettaDF; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +import java.util.Properties; + +import certman.v1_0.Artifacts; +import certman.v1_0.Artifacts.Artifact; +import certman.v1_0.CertInfo; +import certman.v1_0.CertificateRequest; + +public class CmAgent { + private static final String PRINT = "print"; + private static final String FILE = "file"; + private static final String PKCS12 = "pkcs12"; + private static final String JKS = "jks"; + private static final String SCRIPT="script"; + + private static final String CM_VER = "1.0"; + public static final int PASS_SIZE = 24; + private static int TIMEOUT; + + private static RosettaDF reqDF; + private static RosettaDF certDF; + private static RosettaDF artifactsDF; + private static ErrMessage errMsg; + private static Map placeArtifact; + private static RosettaEnv env; + + public static void main(String[] args) { + int exitCode = 0; + try { + AAFSSO aafsso = new AAFSSO(args); + if(aafsso.loginOnly()) { + aafsso.setLogDefault(); + aafsso.writeFiles(); + System.out.println("AAF SSO information created in ~/.aaf"); + } else { + PropAccess access = aafsso.access(); + env = new RosettaEnv(access.getProperties()); + Deque cmds = new ArrayDeque(); + for(String p : args) { + if(p.indexOf('=')<0) { + cmds.add(p); + } + } + + if(cmds.size()==0) { + aafsso.setLogDefault(); + System.out.println("Usage: java -jar cmd []*"); + System.out.println(" create []"); + System.out.println(" read []"); + System.out.println(" update []"); + System.out.println(" delete []"); + System.out.println(" copy [,]*"); + System.out.println(" place []"); + System.out.println(" showpass []"); + System.out.println(" check []"); + System.out.println(" genkeypair"); + System.exit(1); + } + + TIMEOUT = Integer.parseInt(env.getProperty(Config.AAF_CONN_TIMEOUT, "5000")); + + reqDF = env.newDataFactory(CertificateRequest.class); + artifactsDF = env.newDataFactory(Artifacts.class); + certDF = env.newDataFactory(CertInfo.class); + errMsg = new ErrMessage(env); + + placeArtifact = new HashMap(); + placeArtifact.put(JKS, new PlaceArtifactInKeystore(JKS)); + placeArtifact.put(PKCS12, new PlaceArtifactInKeystore(PKCS12)); + placeArtifact.put(FILE, new PlaceArtifactInFiles()); + placeArtifact.put(PRINT, new PlaceArtifactOnStream(System.out)); + placeArtifact.put(SCRIPT, new PlaceArtifactScripts()); + + Trans trans = env.newTrans(); + String token; + if((token=access.getProperty("oauth_token"))!=null) { + trans.setProperty("oauth_token", token); + } + try { + // show Std out again + aafsso.setLogDefault(); + aafsso.setStdErrDefault(); + + // if CM_URL can be obtained, add to sso.props, if written + String cm_url = getProperty(access,env,false, Config.CM_URL,Config.CM_URL+": "); + if(cm_url!=null) { + aafsso.addProp(Config.CM_URL, cm_url); + } + aafsso.writeFiles(); + + AAFCon aafcon = new AAFConHttp(access,Config.CM_URL); + + String cmd = cmds.removeFirst(); + if("place".equals(cmd)) { + placeCerts(trans,aafcon,cmds); + } else if("create".equals(cmd)) { + createArtifact(trans, aafcon,cmds); + } else if("read".equals(cmd)) { + readArtifact(trans, aafcon, cmds); + } else if("copy".equals(cmd)) { + copyArtifact(trans, aafcon, cmds); + } else if("update".equals(cmd)) { + updateArtifact(trans, aafcon, cmds); + } else if("delete".equals(cmd)) { + deleteArtifact(trans, aafcon, cmds); + } else if("showpass".equals(cmd)) { + showPass(trans,aafcon,cmds); + } else if("check".equals(cmd)) { + try { + exitCode = check(trans,aafcon,cmds); + } catch (Exception e) { + exitCode = 1; + throw e; + } + } else { + AAFSSO.cons.printf("Unknown command \"%s\"\n", cmd); + } + } finally { + StringBuilder sb = new StringBuilder(); + trans.auditTrail(4, sb, Trans.REMOTE); + if(sb.length()>0) { + trans.info().log("Trans Info\n",sb); + } + } + aafsso.close(); + } + } catch (Exception e) { + e.printStackTrace(); + } + if(exitCode!=0) { + System.exit(exitCode); + } + } + + private static String getProperty(PropAccess pa, Env env, boolean secure, String tag, String prompt, Object ... def) { + String value; + if((value=pa.getProperty(tag))==null) { + if(secure) { + value = new String(AAFSSO.cons.readPassword(prompt, def)); + } else { + value = AAFSSO.cons.readLine(prompt,def).trim(); + } + if(value!=null) { + if(value.length()>0) { + pa.setProperty(tag,value); + env.setProperty(tag,value); + } else if(def.length==1) { + value=def[0].toString(); + pa.setProperty(tag,value); + env.setProperty(tag,value); + } + } + } + return value; + } + + private static String mechID(Deque cmds) { + if(cmds.size()<1) { + String alias = env.getProperty(Config.CADI_ALIAS); + return alias!=null?alias:AAFSSO.cons.readLine("MechID: "); + } + return cmds.removeFirst(); + } + + private static String machine(Deque cmds) throws UnknownHostException { + if(cmds.size()>0) { + return cmds.removeFirst(); + } else { + String mach = env.getProperty(Config.HOSTNAME); + return mach!=null?mach:InetAddress.getLocalHost().getHostName(); + } + } + + private static String[] machines(Deque cmds) { + String machines; + if(cmds.size()>0) { + machines = cmds.removeFirst(); + } else { + machines = AAFSSO.cons.readLine("Machines (sep by ','): "); + } + return Split.split(',', machines); + } + + private static void createArtifact(Trans trans, AAFCon aafcon, Deque cmds) throws Exception { + String mechID = mechID(cmds); + String machine = machine(cmds); + + Artifacts artifacts = new Artifacts(); + Artifact arti = new Artifact(); + artifacts.getArtifact().add(arti); + arti.setMechid(mechID!=null?mechID:AAFSSO.cons.readLine("MechID: ")); + arti.setMachine(machine!=null?machine:AAFSSO.cons.readLine("Machine (%s): ",InetAddress.getLocalHost().getHostName())); + arti.setCa(AAFSSO.cons.readLine("CA: (%s): ","aaf")); + + String resp = AAFSSO.cons.readLine("Types [file,jks,script] (%s): ", "jks"); + for(String s : Split.splitTrim(',', resp)) { + arti.getType().add(s); + } + // Always do Script + if(!resp.contains(SCRIPT)) { + arti.getType().add(SCRIPT); + } + + // Note: Sponsor is set on Creation by CM + String configRootName = FQI.reverseDomain(arti.getMechid()); + arti.setNs(AAFSSO.cons.readLine("Namespace (%s): ",configRootName)); + arti.setDir(AAFSSO.cons.readLine("Directory (%s): ", System.getProperty("user.dir"))); + arti.setOsUser(AAFSSO.cons.readLine("OS User (%s): ", System.getProperty("user.name"))); + arti.setRenewDays(Integer.parseInt(AAFSSO.cons.readLine("Renewal Days (%s):", "30"))); + arti.setNotification(toNotification(AAFSSO.cons.readLine("Notification (mailto owner):", ""))); + + TimeTaken tt = trans.start("Create Artifact", Env.REMOTE); + try { + Future future = aafcon.client(CM_VER).create("/cert/artifacts", artifactsDF, artifacts); + if(future.get(TIMEOUT)) { + trans.info().printf("Call to AAF Certman successful %s, %s",arti.getMechid(), arti.getMachine()); + } else { + trans.error().printf("Call to AAF Certman failed, %s", + errMsg.toMsg(future)); + } + } finally { + tt.done(); + } + } + + private static String toNotification(String notification) { + if(notification==null) { + notification=""; + } else if(notification.length()>0) { + if(notification.indexOf(':')<0) { + notification = "mailto:" + notification; + } + } + return notification; + } + + + private static void readArtifact(Trans trans, AAFCon aafcon, Deque cmds) throws Exception { + String mechID = mechID(cmds); + String machine = machine(cmds); + + TimeTaken tt = trans.start("Read Artifact", Env.SUB); + try { + Future future = aafcon.client(CM_VER) + .read("/cert/artifacts/"+mechID+'/'+machine, artifactsDF,"Authorization","Bearer " + trans.getProperty("oauth_token")); + + if(future.get(TIMEOUT)) { + boolean printed = false; + for(Artifact a : future.value.getArtifact()) { + AAFSSO.cons.printf("MechID: %s\n",a.getMechid()); + AAFSSO.cons.printf(" Sponsor: %s\n",a.getSponsor()); + AAFSSO.cons.printf("Machine: %s\n",a.getMachine()); + AAFSSO.cons.printf("CA: %s\n",a.getCa()); + StringBuilder sb = new StringBuilder(); + boolean first = true; + for(String t : a.getType()) { + if(first) {first=false;} + else{sb.append(',');} + sb.append(t); + } + AAFSSO.cons.printf("Types: %s\n",sb); + AAFSSO.cons.printf("Namespace: %s\n",a.getNs()); + AAFSSO.cons.printf("Directory: %s\n",a.getDir()); + AAFSSO.cons.printf("O/S User: %s\n",a.getOsUser()); + AAFSSO.cons.printf("Renew Days: %d\n",a.getRenewDays()); + AAFSSO.cons.printf("Notification %s\n",a.getNotification()); + printed = true; + } + if(!printed) { + AAFSSO.cons.printf("Artifact for %s %s does not exist\n", mechID, machine); + } + } else { + trans.error().log(errMsg.toMsg(future)); + } + } finally { + tt.done(); + } + } + + private static void copyArtifact(Trans trans, AAFCon aafcon, Deque cmds) throws Exception { + String mechID = mechID(cmds); + String machine = machine(cmds); + String[] newmachs = machines(cmds); + if(newmachs==null || newmachs == null) { + trans.error().log("No machines listed to copy to"); + } else { + TimeTaken tt = trans.start("Copy Artifact", Env.REMOTE); + try { + Future future = aafcon.client(CM_VER) + .read("/cert/artifacts/"+mechID+'/'+machine, artifactsDF); + + if(future.get(TIMEOUT)) { + boolean printed = false; + for(Artifact a : future.value.getArtifact()) { + for(String m : newmachs) { + a.setMachine(m); + Future fup = aafcon.client(CM_VER).update("/cert/artifacts", artifactsDF, future.value); + if(fup.get(TIMEOUT)) { + trans.info().printf("Copy of %s %s successful to %s",mechID,machine,m); + } else { + trans.error().printf("Call to AAF Certman failed, %s", + errMsg.toMsg(fup)); + } + + printed = true; + } + } + if(!printed) { + AAFSSO.cons.printf("Artifact for %s %s does not exist", mechID, machine); + } + } else { + trans.error().log(errMsg.toMsg(future)); + } + } finally { + tt.done(); + } + } + } + + private static void updateArtifact(Trans trans, AAFCon aafcon, Deque cmds) throws Exception { + String mechID = mechID(cmds); + String machine = machine(cmds); + + TimeTaken tt = trans.start("Update Artifact", Env.REMOTE); + try { + Future fread = aafcon.client(CM_VER) + .read("/cert/artifacts/"+mechID+'/'+machine, artifactsDF); + + if(fread.get(TIMEOUT)) { + Artifacts artifacts = new Artifacts(); + for(Artifact a : fread.value.getArtifact()) { + Artifact arti = new Artifact(); + artifacts.getArtifact().add(arti); + + AAFSSO.cons.printf("For %s on %s\n", a.getMechid(),a.getMachine()); + arti.setMechid(a.getMechid()); + arti.setMachine(a.getMachine()); + arti.setCa(AAFSSO.cons.readLine("CA: (%s): ",a.getCa())); + StringBuilder sb = new StringBuilder(); + boolean first = true; + for(String t : a.getType()) { + if(first) {first=false;} + else{sb.append(',');} + sb.append(t); + } + + String resp = AAFSSO.cons.readLine("Types [file,jks,pkcs12] (%s): ", sb); + for(String s : Split.splitTrim(',', resp)) { + arti.getType().add(s); + } + // Always do Script + if(!resp.contains(SCRIPT)) { + arti.getType().add(SCRIPT); + } + + // Note: Sponsor is set on Creation by CM + arti.setNs(AAFSSO.cons.readLine("Namespace (%s): ",a.getNs())); + arti.setDir(AAFSSO.cons.readLine("Directory (%s): ", a.getDir())); + arti.setOsUser(AAFSSO.cons.readLine("OS User (%s): ", a.getOsUser())); + arti.setRenewDays(Integer.parseInt(AAFSSO.cons.readLine("Renew Days (%s):", a.getRenewDays()))); + arti.setNotification(toNotification(AAFSSO.cons.readLine("Notification (%s):", a.getNotification()))); + + } + if(artifacts.getArtifact().size()==0) { + AAFSSO.cons.printf("Artifact for %s %s does not exist", mechID, machine); + } else { + Future fup = aafcon.client(CM_VER).update("/cert/artifacts", artifactsDF, artifacts); + if(fup.get(TIMEOUT)) { + trans.info().printf("Call to AAF Certman successful %s, %s",mechID,machine); + } else { + trans.error().printf("Call to AAF Certman failed, %s", + errMsg.toMsg(fup)); + } + } + } else { + trans.error().printf("Call to AAF Certman failed, %s %s, %s", + errMsg.toMsg(fread),mechID,machine); + } + } finally { + tt.done(); + } + } + + private static void deleteArtifact(Trans trans, AAFCon aafcon, Deque cmds) throws Exception { + String mechid = mechID(cmds); + String machine = machine(cmds); + + TimeTaken tt = trans.start("Delete Artifact", Env.REMOTE); + try { + Future future = aafcon.client(CM_VER) + .delete("/cert/artifacts/"+mechid+"/"+machine,"application/json" ); + + if(future.get(TIMEOUT)) { + trans.info().printf("Call to AAF Certman successful %s, %s",mechid,machine); + } else { + trans.error().printf("Call to AAF Certman failed, %s %s, %s", + errMsg.toMsg(future),mechid,machine); + } + } finally { + tt.done(); + } + } + + + + private static boolean placeCerts(Trans trans, AAFCon aafcon, Deque cmds) throws Exception { + boolean rv = false; + String mechID = mechID(cmds); + String machine = machine(cmds); + String[] fqdns = Split.split(':', machine); + String key; + if(fqdns.length>1) { + key = fqdns[0]; + machine = fqdns[1]; + } else { + key = machine; + } + + TimeTaken tt = trans.start("Place Artifact", Env.REMOTE); + try { + Future acf = aafcon.client(CM_VER) + .read("/cert/artifacts/"+mechID+'/'+key, artifactsDF); + if(acf.get(TIMEOUT)) { + if(acf.value.getArtifact()==null || acf.value.getArtifact().isEmpty()) { + AAFSSO.cons.printf("===> There are no artifacts for %s on machine '%s'\n", mechID, key); + } else { + for(Artifact a : acf.value.getArtifact()) { + String osID = System.getProperty("user.name"); + if(a.getOsUser().equals(osID)) { + CertificateRequest cr = new CertificateRequest(); + cr.setMechid(a.getMechid()); + cr.setSponsor(a.getSponsor()); + for(int i=0;i f = aafcon.client(CM_VER) + .setQueryParams("withTrust") + .updateRespondString("/cert/" + a.getCa(),reqDF, cr); + if(f.get(TIMEOUT)) { + CertInfo capi = certDF.newData().in(TYPE.JSON).load(f.body()).asObject(); + for(String type : a.getType()) { + PlaceArtifact pa = placeArtifact.get(type); + if(pa!=null) { + if(rv = pa.place(trans, capi, a,machine)) { + notifyPlaced(a,rv); + } + } + } + // Cover for the above multiple pass possibilities with some static Data, then clear per Artifact + } else { + trans.error().log(errMsg.toMsg(f)); + } + } else { + trans.error().log("You must be OS User \"" + a.getOsUser() +"\" to place Certificates on this box"); + } + } + } + } else { + trans.error().log(errMsg.toMsg(acf)); + } + } finally { + tt.done(); + } + return rv; + } + + private static void notifyPlaced(Artifact a, boolean rv) { + } + + private static void showPass(Trans trans, AAFCon aafcon, Deque cmds) throws Exception { + String mechID = mechID(cmds); + String machine = machine(cmds); + + TimeTaken tt = trans.start("Show Password", Env.REMOTE); + try { + Future acf = aafcon.client(CM_VER) + .read("/cert/artifacts/"+mechID+'/'+machine, artifactsDF); + if(acf.get(TIMEOUT)) { + // Have to wait for JDK 1.7 source... + //switch(artifact.getType()) { + if(acf.value.getArtifact()==null || acf.value.getArtifact().isEmpty()) { + AAFSSO.cons.printf("No Artifacts found for %s on %s", mechID, machine); + } else { + String id = aafcon.defID(); + boolean allowed; + for(Artifact a : acf.value.getArtifact()) { + allowed = id!=null && (id.equals(a.getSponsor()) || + (id.equals(a.getMechid()) + && aafcon.securityInfo().defSS.getClass().isAssignableFrom(HBasicAuthSS.class))); + if(!allowed) { + Future pf = aafcon.client(CM_VER).read("/cert/may/" + + a.getNs() + ".certman|"+a.getCa()+"|showpass","*/*"); + if(pf.get(TIMEOUT)) { + allowed = true; + } else { + trans.error().log(errMsg.toMsg(pf)); + } + } + if(allowed) { + File dir = new File(a.getDir()); + Properties props = new Properties(); + FileInputStream fis = new FileInputStream(new File(dir,a.getNs()+".props")); + try { + props.load(fis); + fis.close(); + fis = new FileInputStream(new File(dir,a.getNs()+".chal")); + props.load(fis); + } finally { + fis.close(); + } + + File f = new File(dir,a.getNs()+".keyfile"); + if(f.exists()) { + Symm symm = Symm.obtain(f); + + for(Iterator> iter = props.entrySet().iterator(); iter.hasNext();) { + Entry en = iter.next(); + if(en.getValue().toString().startsWith("enc:")) { + System.out.printf("%s=%s\n", en.getKey(), symm.depass(en.getValue().toString())); + } + } + } else { + trans.error().printf("%s.keyfile must exist to read passwords for %s on %s", + f.getAbsolutePath(),a.getMechid(), a.getMachine()); + } + } + } + } + } else { + trans.error().log(errMsg.toMsg(acf)); + } + } finally { + tt.done(); + } + + } + + + /** + * Check returns Error Codes, so that Scripts can know what to do + * + * 0 - Check Complete, nothing to do + * 1 - General Error + * 2 - Error for specific Artifact - read check.msg + * 10 - Certificate Updated - check.msg is email content + * + * @param trans + * @param aafcon + * @param cmds + * @return + * @throws Exception + */ + private static int check(Trans trans, AAFCon aafcon, Deque cmds) throws Exception { + int exitCode=1; + String mechID = mechID(cmds); + String machine = machine(cmds); + + TimeTaken tt = trans.start("Check Certificate", Env.REMOTE); + try { + + Future acf = aafcon.client(CM_VER) + .read("/cert/artifacts/"+mechID+'/'+machine, artifactsDF); + if(acf.get(TIMEOUT)) { + // Have to wait for JDK 1.7 source... + //switch(artifact.getType()) { + if(acf.value.getArtifact()==null || acf.value.getArtifact().isEmpty()) { + AAFSSO.cons.printf("No Artifacts found for %s on %s", mechID, machine); + } else { + String id = aafcon.defID(); + GregorianCalendar now = new GregorianCalendar(); + for(Artifact a : acf.value.getArtifact()) { + if(id.equals(a.getMechid())) { + File dir = new File(a.getDir()); + Properties props = new Properties(); + FileInputStream fis = new FileInputStream(new File(dir,a.getNs()+".props")); + try { + props.load(fis); + } finally { + fis.close(); + } + + String prop; + File f; + + if((prop=props.getProperty(Config.CADI_KEYFILE))==null || + !(f=new File(prop)).exists()) { + trans.error().printf("Keyfile must exist to check Certificates for %s on %s", + a.getMechid(), a.getMachine()); + } else { + String ksf = props.getProperty(Config.CADI_KEYSTORE); + String ksps = props.getProperty(Config.CADI_KEYSTORE_PASSWORD); + if(ksf==null || ksps == null) { + trans.error().printf("Properties %s and %s must exist to check Certificates for %s on %s", + Config.CADI_KEYSTORE, Config.CADI_KEYSTORE_PASSWORD,a.getMechid(), a.getMachine()); + } else { + KeyStore ks = KeyStore.getInstance("JKS"); + Symm symm = Symm.obtain(f); + + fis = new FileInputStream(ksf); + try { + ks.load(fis,symm.depass(ksps).toCharArray()); + } finally { + fis.close(); + } + X509Certificate cert = (X509Certificate)ks.getCertificate(mechID); + String msg = null; + + if(cert==null) { + msg = String.format("X509Certificate does not exist for %s on %s in %s", + a.getMechid(), a.getMachine(), ksf); + trans.error().log(msg); + exitCode = 2; + } else { + GregorianCalendar renew = new GregorianCalendar(); + renew.setTime(cert.getNotAfter()); + renew.add(GregorianCalendar.DAY_OF_MONTH,-1*a.getRenewDays()); + if(renew.after(now)) { + msg = String.format("X509Certificate for %s on %s has been checked on %s. It expires on %s; it will not be renewed until %s.\n", + a.getMechid(), a.getMachine(),Chrono.dateOnlyStamp(now),cert.getNotAfter(),Chrono.dateOnlyStamp(renew)); + trans.info().log(msg); + exitCode = 0; // OK + } else { + trans.info().printf("X509Certificate for %s on %s expiration, %s, needs Renewal.\n", + a.getMechid(), a.getMachine(),cert.getNotAfter()); + cmds.offerLast(mechID); + cmds.offerLast(machine); + if(placeCerts(trans,aafcon,cmds)) { + msg = String.format("X509Certificate for %s on %s has been renewed. Ensure services using are refreshed.\n", + a.getMechid(), a.getMachine()); + exitCode = 10; // Refreshed + } else { + msg = String.format("X509Certificate for %s on %s attempted renewal, but failed. Immediate Investigation is required!\n", + a.getMechid(), a.getMachine()); + exitCode = 1; // Error Renewing + } + } + } + if(msg!=null) { + FileOutputStream fos = new FileOutputStream(a.getDir()+'/'+a.getNs()+".msg"); + try { + fos.write(msg.getBytes()); + } finally { + fos.close(); + } + } + } + + } + } + } + } + } else { + trans.error().log(errMsg.toMsg(acf)); + exitCode=1; + } + } finally { + tt.done(); + } + return exitCode; + } + +} + + + + diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/Factory.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/Factory.java new file mode 100644 index 00000000..70111882 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/Factory.java @@ -0,0 +1,447 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.cm; + +import java.io.BufferedReader; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileReader; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.Reader; +import java.io.StringReader; +import java.security.InvalidKeyException; +import java.security.Key; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Signature; +import java.security.SignatureException; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; +import java.util.Collection; +import java.util.List; + +import javax.crypto.Cipher; +import javax.crypto.NoSuchPaddingException; + +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.misc.env.Env; +import org.onap.aaf.misc.env.TimeTaken; +import org.onap.aaf.misc.env.Trans; + +public class Factory { + private static final String PRIVATE_KEY_HEADER = "PRIVATE KEY"; + public static final String KEY_ALGO = "RSA"; + public static final String SIG_ALGO = "SHA256withRSA"; + + public static final int KEY_LENGTH = 2048; + private static final KeyPairGenerator keygen; + private static final KeyFactory keyFactory; + private static final CertificateFactory certificateFactory; + private static final SecureRandom random; + + + private static final Symm base64 = Symm.base64.copy(64); + + static { + random = new SecureRandom(); + KeyPairGenerator tempKeygen; + try { + tempKeygen = KeyPairGenerator.getInstance(KEY_ALGO);//,"BC"); + tempKeygen.initialize(KEY_LENGTH, random); + } catch (NoSuchAlgorithmException e) { + tempKeygen = null; + e.printStackTrace(System.err); + } + keygen = tempKeygen; + + KeyFactory tempKeyFactory; + try { + tempKeyFactory=KeyFactory.getInstance(KEY_ALGO);//,"BC" + } catch (NoSuchAlgorithmException e) { + tempKeyFactory = null; + e.printStackTrace(System.err); + }; + keyFactory = tempKeyFactory; + + CertificateFactory tempCertificateFactory; + try { + tempCertificateFactory = CertificateFactory.getInstance("X.509"); + } catch (CertificateException e) { + tempCertificateFactory = null; + e.printStackTrace(System.err); + } + certificateFactory = tempCertificateFactory; + + + } + + + public static KeyPair generateKeyPair(Trans trans) { + TimeTaken tt; + if(trans!=null) { + tt = trans.start("Generate KeyPair", Env.SUB); + } else { + tt = null; + } + try { + return keygen.generateKeyPair(); + } finally { + if(tt!=null) { + tt.done(); + } + } + } + + private static final String LINE_END = "-----\n"; + + protected static String textBuilder(String kind, byte[] bytes) throws IOException { + StringBuilder sb = new StringBuilder(); + sb.append("-----BEGIN "); + sb.append(kind); + sb.append(LINE_END); + + ByteArrayInputStream bais = new ByteArrayInputStream(bytes); + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + base64.encode(bais, baos); + sb.append(new String(baos.toByteArray())); + + if(sb.charAt(sb.length()-1)!='\n') { + sb.append('\n'); + } + sb.append("-----END "); + sb.append(kind); + sb.append(LINE_END); + return sb.toString(); + } + + public static PrivateKey toPrivateKey(Trans trans, String pk) throws IOException, CertException { + byte[] bytes = decode(new StringReader(pk)); + return toPrivateKey(trans, bytes); + } + + public static PrivateKey toPrivateKey(Trans trans, byte[] bytes) throws IOException, CertException { + TimeTaken tt=trans.start("Reconstitute Private Key", Env.SUB); + try { + return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(bytes)); + } catch (InvalidKeySpecException e) { + throw new CertException("Translating Private Key from PKCS8 KeySpec",e); + } finally { + tt.done(); + } + } + + public static PrivateKey toPrivateKey(Trans trans, File file) throws IOException, CertException { + TimeTaken tt = trans.start("Decode Private Key File", Env.SUB); + try { + return toPrivateKey(trans,decode(file)); + }finally { + tt.done(); + } + } + + public static String toString(Trans trans, PrivateKey pk) throws IOException { +// PKCS8EncodedKeySpec pemContents = new PKCS8EncodedKeySpec(pk.getEncoded()); + trans.debug().log("Private Key to String"); + return textBuilder(PRIVATE_KEY_HEADER,pk.getEncoded()); + } + + public static PublicKey toPublicKey(Trans trans, String pk) throws IOException { + TimeTaken tt = trans.start("Reconstitute Public Key", Env.SUB); + try { + ByteArrayInputStream bais = new ByteArrayInputStream(pk.getBytes()); + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + Symm.base64noSplit.decode(bais, baos); + + return keyFactory.generatePublic(new X509EncodedKeySpec(baos.toByteArray())); + } catch (InvalidKeySpecException e) { + trans.error().log(e,"Translating Public Key from X509 KeySpec"); + return null; + } finally { + tt.done(); + } + } + + public static String toString(Trans trans, PublicKey pk) throws IOException { + trans.debug().log("Public Key to String"); + return textBuilder("PUBLIC KEY",pk.getEncoded()); + } + + public static Collection toX509Certificate(String x509) throws CertificateException { + return toX509Certificate(x509.getBytes()); + } + + public static Collection toX509Certificate(List x509s) throws CertificateException { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + try { + for(String x509 : x509s) { + baos.write(x509.getBytes()); + } + } catch (IOException e) { + throw new CertificateException(e); + } + return toX509Certificate(new ByteArrayInputStream(baos.toByteArray())); + } + + public static Collection toX509Certificate(byte[] x509) throws CertificateException { + return certificateFactory.generateCertificates(new ByteArrayInputStream(x509)); + } + + public static Collection toX509Certificate(Trans trans, File file) throws CertificateException, FileNotFoundException { + FileInputStream fis = new FileInputStream(file); + try { + return toX509Certificate(fis); + } finally { + try { + fis.close(); + } catch (IOException e) { + throw new CertificateException(e); + } + } + } + + public static Collection toX509Certificate(InputStream is) throws CertificateException { + return certificateFactory.generateCertificates(is); + } + + public static String toString(Trans trans, Certificate cert) throws IOException, CertException { + if(trans.debug().isLoggable()) { + StringBuilder sb = new StringBuilder("Certificate to String"); + if(cert instanceof X509Certificate) { + sb.append(" - "); + sb.append(((X509Certificate)cert).getSubjectDN()); + } + trans.debug().log(sb); + } + try { + if(cert==null) { + throw new CertException("Certificate not built"); + } + return textBuilder("CERTIFICATE",cert.getEncoded()); + } catch (CertificateEncodingException e) { + throw new CertException(e); + } + } + + public static Cipher pkCipher() throws NoSuchAlgorithmException, NoSuchPaddingException { + return Cipher.getInstance(KEY_ALGO); + } + + public static Cipher pkCipher(Key key, boolean encrypt) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException { + Cipher cipher = Cipher.getInstance(KEY_ALGO); + cipher.init(encrypt?Cipher.ENCRYPT_MODE:Cipher.DECRYPT_MODE,key); + return cipher; + } + + public static byte[] strip(Reader rdr) throws IOException { + BufferedReader br = new BufferedReader(rdr); + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + String line; + while((line=br.readLine())!=null) { + if(line.length()>0 && + !line.startsWith("-----") && + line.indexOf(':')<0) { // Header elements + baos.write(line.getBytes()); + } + } + return baos.toByteArray(); + } + + public static class StripperInputStream extends InputStream { + private Reader created; + private BufferedReader br; + private int idx; + private String line; + + public StripperInputStream(Reader rdr) { + if(rdr instanceof BufferedReader) { + br = (BufferedReader)rdr; + } else { + br = new BufferedReader(rdr); + } + created = null; + } + + public StripperInputStream(File file) throws FileNotFoundException { + this(new FileReader(file)); + created = br; + } + + public StripperInputStream(InputStream is) throws FileNotFoundException { + this(new InputStreamReader(is)); + created = br; + } + + @Override + public int read() throws IOException { + if(line==null || idx>=line.length()) { + while((line=br.readLine())!=null) { + if(line.length()>0 && + !line.startsWith("-----") && + line.indexOf(':')<0) { // Header elements + break; + } + } + + if(line==null) { + return -1; + } + idx = 0; + } + return line.charAt(idx++); + } + + /* (non-Javadoc) + * @see java.io.InputStream#close() + */ + @Override + public void close() throws IOException { + if(created!=null) { + created.close(); + } + } + } + + public static class Base64InputStream extends InputStream { + private InputStream created; + private InputStream is; + private byte trio[]; + private byte duo[]; + private int idx; + + + public Base64InputStream(File file) throws FileNotFoundException { + this(new FileInputStream(file)); + created = is; + } + + public Base64InputStream(InputStream is) throws FileNotFoundException { + this.is = is; + trio = new byte[3]; + idx = 4; + } + + @Override + public int read() throws IOException { + if(duo==null || idx>=duo.length) { + int read = is.read(trio); + if(read==-1) { + return -1; + } + duo = Symm.base64.decode(trio); + if(duo==null || duo.length==0) { + return -1; + } + idx=0; + } + + return duo[idx++]; + } + + /* (non-Javadoc) + * @see java.io.InputStream#close() + */ + @Override + public void close() throws IOException { + if(created!=null) { + created.close(); + } + } + } + + public static byte[] decode(byte[] bytes) throws IOException { + ByteArrayInputStream bais = new ByteArrayInputStream(bytes); + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + Symm.base64.decode(bais, baos); + return baos.toByteArray(); + } + + public static byte[] decode(File f) throws IOException { + FileReader fr = new FileReader(f); + try { + return Factory.decode(fr); + } finally { + fr.close(); + } + + } + public static byte[] decode(Reader rdr) throws IOException { + return decode(strip(rdr)); + } + + + public static byte[] binary(File file) throws IOException { + DataInputStream dis = new DataInputStream(new FileInputStream(file)); + try { + byte[] bytes = new byte[(int)file.length()]; + dis.readFully(bytes); + return bytes; + } finally { + dis.close(); + } + } + + + public static byte[] sign(Trans trans, byte[] bytes, PrivateKey pk) throws IOException, InvalidKeyException, SignatureException, NoSuchAlgorithmException { + TimeTaken tt = trans.start("Sign Data", Env.SUB); + try { + Signature sig = Signature.getInstance(SIG_ALGO); + sig.initSign(pk, random); + sig.update(bytes); + return sig.sign(); + } finally { + tt.done(); + } + } + + public static String toSignatureString(byte[] signed) throws IOException { + return textBuilder("SIGNATURE", signed); + } + + public static boolean verify(Trans trans, byte[] bytes, byte[] signature, PublicKey pk) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException { + TimeTaken tt = trans.start("Verify Data", Env.SUB); + try { + Signature sig = Signature.getInstance(SIG_ALGO); + sig.initVerify(pk); + sig.update(bytes); + return sig.verify(signature); + } finally { + tt.done(); + } + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifact.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifact.java new file mode 100644 index 00000000..369f48d0 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifact.java @@ -0,0 +1,32 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.cm; + +import certman.v1_0.Artifacts.Artifact; +import certman.v1_0.CertInfo; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.misc.env.Trans; + +public interface PlaceArtifact { + public boolean place(Trans trans, CertInfo cert, Artifact arti, String machine) throws CadiException; +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactInFiles.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactInFiles.java new file mode 100644 index 00000000..f419577b --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactInFiles.java @@ -0,0 +1,52 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.cm; + +import java.io.File; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.util.Chmod; +import org.onap.aaf.misc.env.Trans; + +import certman.v1_0.Artifacts.Artifact; +import certman.v1_0.CertInfo; + +public class PlaceArtifactInFiles extends ArtifactDir { + @Override + public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException { + try { + // Setup Public Cert + File f = new File(dir,arti.getNs()+".crt"); + write(f,Chmod.to644,certInfo.getCerts().get(0),C_R); + + // Setup Private Key + f = new File(dir,arti.getNs()+".key"); + write(f,Chmod.to400,certInfo.getPrivatekey(),C_R); + + } catch (Exception e) { + throw new CadiException(e); + } + return true; + } +} + + diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactInKeystore.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactInKeystore.java new file mode 100644 index 00000000..a4d095ea --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactInKeystore.java @@ -0,0 +1,147 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.cm; + +import java.io.File; +import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.util.Chmod; +import org.onap.aaf.misc.env.Trans; + +import certman.v1_0.Artifacts.Artifact; +import certman.v1_0.CertInfo; + +public class PlaceArtifactInKeystore extends ArtifactDir { + private String kst; + //TODO get ROOT DNs or Trusted DNs from Certificate Manager. +// private static String[] rootDNs = new String[]{ +// "CN=ATT CADI Root CA - Test, O=ATT, OU=CSO, C=US", // Lab. delete eventually +// "CN=ATT AAF CADI TEST CA, OU=CSO, O=ATT, C=US", +// "CN=ATT AAF CADI CA, OU=CSO, O=ATT, C=US" +// }; + + public PlaceArtifactInKeystore(String kst) { + this.kst = kst; + } + + @Override + public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException { + File fks = new File(dir,arti.getNs()+'.'+kst); + try { + KeyStore jks = KeyStore.getInstance(kst); + if(fks.exists()) { + fks.delete(); + } + + // Get the Cert(s)... Might include Trust store + Collection certColl = Factory.toX509Certificate(certInfo.getCerts()); + // find where the trusts end in 1.0 API + + X509Certificate x509; + List certList = new ArrayList(); + Certificate[] trustChain = null; + Certificate[] trustCAs; + for(Certificate c : certColl) { + x509 = (X509Certificate)c; + if(trustChain==null && x509.getSubjectDN().equals(x509.getIssuerDN())) { + trustChain = new Certificate[certList.size()]; + certList.toArray(trustChain); + certList.clear(); // reuse + } + certList.add(x509); + } + + // remainder should be Trust CAs + trustCAs = new Certificate[certList.size()]; + certList.toArray(trustCAs); + + // Properties, etc + // Add CADI Keyfile Entry to Properties + addProperty(Config.CADI_KEYFILE,arti.getDir()+'/'+arti.getNs() + ".keyfile"); + // Set Keystore Password + addProperty(Config.CADI_KEYSTORE,fks.getAbsolutePath()); + String keystorePass = Symm.randomGen(CmAgent.PASS_SIZE); + addEncProperty(Config.CADI_KEYSTORE_PASSWORD,keystorePass); + char[] keystorePassArray = keystorePass.toCharArray(); + jks.load(null,keystorePassArray); // load in + + // Add Private Key/Cert Entry for App + // Note: Java SSL security classes, while having a separate key from keystore, + // is documented to not actually work. + // java.security.UnrecoverableKeyException: Cannot recover key + // You can create a custom Key Manager to make it work, but Practicality + // dictates that you live with the default, meaning, they are the same + String keyPass = keystorePass; //Symm.randomGen(CmAgent.PASS_SIZE); + PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey()); + addEncProperty(Config.CADI_KEY_PASSWORD, keyPass); + addProperty(Config.CADI_ALIAS, arti.getMechid()); +// Set attribs = new HashSet(); +// if(kst.equals("pkcs12")) { +// // Friendly Name +// attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getNs())); +// } +// + KeyStore.ProtectionParameter protParam = + new KeyStore.PasswordProtection(keyPass.toCharArray()); + + KeyStore.PrivateKeyEntry pkEntry = + new KeyStore.PrivateKeyEntry(pk, trustChain); + jks.setEntry(arti.getMechid(), + pkEntry, protParam); + + // Write out + write(fks,Chmod.to400,jks,keystorePassArray); + + // Change out to TrustStore + fks = new File(dir,arti.getNs()+".trust."+kst); + jks = KeyStore.getInstance(kst); + + // Set Truststore Password + addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath()); + String trustStorePass = Symm.randomGen(CmAgent.PASS_SIZE); + addEncProperty(Config.CADI_TRUSTSTORE_PASSWORD,trustStorePass); + char[] truststorePassArray = trustStorePass.toCharArray(); + jks.load(null,truststorePassArray); // load in + + // Add Trusted Certificates + for(int i=0; i0) { + trans.info().printf("Warning: %s\n",capi.getNotes()); + } + out.printf("Challenge: %s\n",capi.getChallenge()); + out.printf("PrivateKey:\n%s\n",capi.getPrivatekey()); + out.println("Certificate Chain:"); + for(String c : capi.getCerts()) { + out.println(c); + } + return true; + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactScripts.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactScripts.java new file mode 100644 index 00000000..9347f70e --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/cm/PlaceArtifactScripts.java @@ -0,0 +1,157 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.cm; + +import java.io.File; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.util.Chmod; +import org.onap.aaf.misc.env.Trans; +import org.onap.aaf.misc.env.util.Chrono; +import org.onap.aaf.misc.env.util.Split; + +import certman.v1_0.Artifacts.Artifact; +import certman.v1_0.CertInfo; + +public class PlaceArtifactScripts extends ArtifactDir { + @Override + public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException { + try { + // Setup check.sh script + String filename = arti.getNs()+".check.sh"; + File f1 = new File(dir,filename); + String email = arti.getNotification() + '\n'; + if(email.startsWith("mailto:")) { + email=email.substring(7); + } else { + email=arti.getOsUser() + '\n'; + } + + StringBuilder classpath = new StringBuilder(); + boolean first = true; + for(String pth : Split.split(File.pathSeparatorChar, System.getProperty("java.class.path"))) { + if(first) { + first=false; + } else { + classpath.append(File.pathSeparatorChar); + } + File f = new File(pth); + classpath.append(f.getCanonicalPath().replaceAll("[0-9]+\\.[0-9]+\\.[0-9]+","*")); + } + + write(f1,Chmod.to644, + "#!/bin/bash " + f1.getCanonicalPath()+'\n', + "# Certificate Manager Check Script\n", + "# Check on Certificate, and renew if needed.\n", + "# Generated by Certificate Manager " + Chrono.timeStamp()+'\n', + "DIR="+arti.getDir()+'\n', + "APP="+arti.getNs()+'\n', + "EMAIL="+email, + "CP=\""+classpath.toString()+"\"\n", + checkScript + ); + + // Setup check.sh script + File f2 = new File(dir,arti.getNs()+".crontab.sh"); + write(f2,Chmod.to644, + "#!/bin/bash " + f2.getCanonicalPath()+'\n', + "# Certificate Manager Crontab Loading Script\n", + "# Add/Update a Crontab entry, that adds a check on Certificate Manager generated Certificate nightly.\n", + "# Generated by Certificate Manager " + Chrono.timeStamp()+'\n', + "TFILE=\"/tmp/cmcron$$.temp\"\n", + "DIR=\""+arti.getDir()+"\"\n", + "CF=\""+arti.getNs()+" Certificate Check Script\"\n", + "SCRIPT=\""+f1.getCanonicalPath()+"\"\n", + cronScript + ); + + } catch (Exception e) { + throw new CadiException(e); + } + return true; + } + + /** + * Note: java.home gets Absolute Path of Java, where we probably want soft links from + * JAVA_HOME + * @return + */ + private final static String javaHome() { + String rc = System.getenv("JAVA_HOME"); + return rc==null?System.getProperty("java.home"):rc; + } + private final static String checkScript = + "> $DIR/$APP.msg\n\n" + + "function mailit {\n" + + " if [ -e /bin/mail ]; then\n" + + " MAILER=/bin/mail\n" + + " elif [ -e /usr/bin/mail ]; then \n" + + " MAILER=/usr/bin/mail\n" + + " else \n" + + " MAILER=\"\"\n" + + " fi\n" + + " if [ \"$MAILER\" = \"\" ]; then\n" + + " printf \"$*\"\n" + + " else \n" + + " printf \"$*\" | $MAILER -s \"AAF Certman Notification for `uname -n`\" $EMAIL\n"+ + " fi\n" + + "}\n\n" + + javaHome() + "/bin/" +"java -cp $CP " + + CmAgent.class.getName() + + " cadi_prop_files=$DIR/$APP.props check 2> $DIR/$APP.STDERR > $DIR/$APP.STDOUT\n" + + "case \"$?\" in\n" + + " 0)\n" + + " # Note: Validation will be mailed only the first day after any modification\n" + + " if [ \"`find $DIR -mtime 0 -name $APP.check.sh`\" != \"\" ] ; then\n" + + " mailit `echo \"Certficate Validated:\\n\\n\" | cat - $DIR/$APP.msg`\n" + + " else\n" + + " cat $DIR/$APP.msg\n" + + " fi\n" + + " ;;\n" + + " 1) mailit \"Error with Certificate Check:\\\\n\\\\nCheck logs $DIR/$APP.STDOUT and $DIR/$APP.STDERR on `uname -n`\"\n" + + " ;;\n" + + " 2) mailit `echo \"Certificate Check Error\\\\n\\\\n\" | cat - $DIR/$APP.msg`\n" + + " ;;\n" + + " 10) mailit `echo \"Certificate Replaced\\\\n\\\\n\" | cat - $DIR/$APP.msg`\n" + + " if [ -e $DIR/$APP.restart.sh ]; then\n" + + " # Note: it is THIS SCRIPT'S RESPONSIBILITY to notify upon success or failure as necessary!!\n" + + " /bin/sh $DIR/$APP.restart.sh\n" + + " fi\n" + + " ;;\n" + + " *) mailit `echo \"Unknown Error code for CM Agent\\\\n\\\\n\" | cat - $DIR/$APP.msg`\n" + + " ;;\n" + + " esac\n\n" + + " # Note: make sure to cover this sripts' exit Code\n"; + + private final static String cronScript = + "crontab -l | sed -n \"/#### BEGIN $CF/,/END $CF ####/!p\" > $TFILE\n" + + "# Note: Randomize Minutes (0-60) and hours (1-4)\n" + + "echo \"#### BEGIN $CF ####\" >> $TFILE\n" + + "echo \"$(( $RANDOM % 60)) $(( $(( $RANDOM % 3 )) + 1 )) * * * /bin/bash $SCRIPT " + + ">> $DIR/cronlog 2>&1 \" >> $TFILE\n" + + "echo \"#### END $CF ####\" >> $TFILE\n" + + "crontab $TFILE\n" + + "rm $TFILE\n"; +} + + + diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/AAFToken.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/AAFToken.java new file mode 100644 index 00000000..16bd8669 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/AAFToken.java @@ -0,0 +1,86 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.nio.ByteBuffer; +import java.security.SecureRandom; +import java.util.UUID; + +import org.onap.aaf.cadi.Hash; + +public class AAFToken { + private static final int CAPACITY = (Long.SIZE*2+Byte.SIZE*3)/8; + private static final SecureRandom sr = new SecureRandom(); + + public static final String toToken(UUID uuid) { + long lsb = uuid.getLeastSignificantBits(); + long msb = uuid.getMostSignificantBits(); + int sum=35; // AAF + for(int i=0;i>i) & 0xFF); + } + for(int i=0;i>i) & 0xFF))<<0xB); + } + sum+=(sr.nextInt()&0xEFC00000); // this is just to not leave zeros laying around + + ByteBuffer bb = ByteBuffer.allocate(CAPACITY); + bb.put((byte)sum); + bb.putLong(msb); + bb.put((byte)(sum>>8)); + bb.putLong(lsb); + bb.put((byte)(sum>>16)); + return Hash.toHexNo0x(bb.array()); + } + + public static final UUID fromToken(String token) { + byte[] bytes = Hash.fromHexNo0x(token); + if(bytes==null) { + return null; + } + ByteBuffer bb = ByteBuffer.wrap(bytes); + if(bb.capacity()!=CAPACITY ) { + return null; // not a CADI Token + } + byte b1 = bb.get(); + long msb = bb.getLong(); + byte b2 = bb.get(); + long lsb = bb.getLong(); + byte b3 = (byte)(0x3F&bb.get()); + int sum=35; + + for(int i=0;i>i) & 0xFF); + } + for(int i=0;i>i) & 0xFF))<<0xB); + } + + if(b1!=((byte)sum) || + b2!=((byte)(sum>>8)) || + b3!=((byte)((sum>>16)))) { + return null; // not a CADI Token + } + return new UUID(msb, lsb); + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/AbsOTafLur.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/AbsOTafLur.java new file mode 100644 index 00000000..616e2dc9 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/AbsOTafLur.java @@ -0,0 +1,130 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.io.IOException; +import java.security.GeneralSecurityException; +import java.security.Principal; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Pool; +import org.onap.aaf.misc.env.util.Pool.Creator; + +public abstract class AbsOTafLur { + protected static final String ERROR_GETTING_TOKEN_CLIENT = "Error getting TokenClient"; + protected static final String REQUIRED_FOR_OAUTH2 = " is required for OAuth Access"; + + protected final TokenMgr tkMgr; + protected final PropAccess access; + protected final String client_id; + protected static Pool tokenClientPool; + + protected AbsOTafLur(final PropAccess access, final String token_url, final String introspect_url) throws CadiException { + this.access = access; + if((client_id = access.getProperty(Config.AAF_APPID,null))==null) { + throw new CadiException(Config.AAF_APPID + REQUIRED_FOR_OAUTH2); + } + + synchronized(access) { + if(tokenClientPool==null) { + tokenClientPool = new Pool(new TCCreator(access)); + } + try { + tkMgr = TokenMgr.getInstance(access, token_url, introspect_url); + } catch (APIException e) { + throw new CadiException("Unable to create TokenManager",e); + } + } + } + + private class TCCreator implements Creator { + private TokenClientFactory tcf; + private final int timeout; + private final String url,enc_secret; + + public TCCreator(PropAccess access) throws CadiException { + try { + tcf = TokenClientFactory.instance(access); + } catch (APIException | GeneralSecurityException | IOException e1) { + throw new CadiException(e1); + } + + if((url = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL,null))==null) { + throw new CadiException(Config.AAF_OAUTH2_TOKEN_URL + REQUIRED_FOR_OAUTH2); + } + + try { + timeout = Integer.parseInt(access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF)); + } catch (NumberFormatException e) { + throw new CadiException("Bad format for " + Config.AAF_CONN_TIMEOUT, e); + } + if((enc_secret= access.getProperty(Config.AAF_APPPASS,null))==null) { + throw new CadiException(Config.AAF_APPPASS + REQUIRED_FOR_OAUTH2); + } + } + + @Override + public TokenClient create() throws APIException { + try { + TokenClient tc = tcf.newClient(url, timeout); + tc.client_creds(client_id, access.decrypt(enc_secret, true)); + return tc; + } catch (CadiException | LocatorException | IOException e) { + throw new APIException(e); + } + } + + @Override + public void destroy(TokenClient t) { + } + + @Override + public boolean isValid(TokenClient t) { + return t!=null && t.client_id()!=null; + } + + @Override + public void reuse(TokenClient t) { + } + }; + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#destroy() + */ + public void destroy() { + tkMgr.close(); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder) + */ + public void clear(Principal p, StringBuilder report) { + tkMgr.clear(p, report); + } + + + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/HRenewingTokenSS.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/HRenewingTokenSS.java new file mode 100644 index 00000000..dc6fe390 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/HRenewingTokenSS.java @@ -0,0 +1,104 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.io.IOException; +import java.net.HttpURLConnection; +import java.security.GeneralSecurityException; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.http.HAuthorizationHeader; +import org.onap.aaf.cadi.principal.Kind; +import org.onap.aaf.cadi.util.FQI; +import org.onap.aaf.misc.env.APIException; + +public class HRenewingTokenSS extends HAuthorizationHeader { + private TokenClientFactory tcf; + private final TokenClient tc; + private final String[] scopes; + private final String tokenURL; + + public HRenewingTokenSS(final PropAccess access, final String tokenURL, final String ... nss) throws CadiException, IOException, GeneralSecurityException { + this(access,SecurityInfoC.instance(access, HttpURLConnection.class),tokenURL,nss); + } + + public HRenewingTokenSS(final PropAccess access, final SecurityInfoC si, final String tokenURL, final String ... nss) throws CadiException, IOException, GeneralSecurityException { + super(si,null,null/*Note: HeadValue overloaded */); + this.tokenURL = tokenURL; + try { + tcf = TokenClientFactory.instance(access); + tc = tcf.newClient(tokenURL); + tc.client_creds(access); + setUser(tc.client_id()); + String defaultNS = FQI.reverseDomain(tc.client_id()); + if(nss.length>0) { + boolean hasDefault = false; + for(String ns : nss) { + if(ns.equals(defaultNS)) { + hasDefault = true; + } + } + if(hasDefault) { + scopes=nss; + } else { + String[] nssPlus = new String[nss.length+1]; + nssPlus[0]=defaultNS; + System.arraycopy(nss, 0, nssPlus, 1, nss.length); + scopes = nssPlus; + } + } else { + scopes = new String[] {defaultNS}; + } + + } catch (GeneralSecurityException | IOException | LocatorException | APIException e) { + throw new CadiException(e); + } + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.client.AbsAuthentication#headValue() + */ + @Override + protected String headValue() throws IOException { + Result token; + try { + token = tc.getToken(Kind.OAUTH,scopes); + if(token.isOK()) { + return "Bearer " + token.value.getAccessToken(); + } else { + throw new IOException("Token cannot be obtained: " + token.code + '-' + token.error); + } + } catch (IOException e) { + throw e; + } catch (LocatorException | CadiException | APIException e) { + throw new IOException(e); + } + } + + public String tokenURL() { + return tokenURL; + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTaf.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTaf.java new file mode 100644 index 00000000..3d5f7d9a --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTaf.java @@ -0,0 +1,82 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.security.NoSuchAlgorithmException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Hash; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.Taf.LifeForm; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.taf.HttpTaf; +import org.onap.aaf.cadi.taf.TafResp; +import org.onap.aaf.cadi.taf.TafResp.RESP; +import org.onap.aaf.misc.env.APIException; + +public class OAuth2HttpTaf implements HttpTaf { + final private Access access; + final private TokenMgr tmgr; + + public OAuth2HttpTaf(final Access access, final TokenMgr tmgr) { + this.tmgr = tmgr; + this.access = access; + } + + @Override + public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { + String authz = req.getHeader("Authorization"); + if(authz != null && authz.length()>7 && authz.startsWith("Bearer ")) { + if(!req.isSecure()) { + access.log(Level.WARN,"WARNING! OAuth has been used over an insecure channel"); + } + try { + String tkn = authz.substring(7); + Result rp = tmgr.toPrincipal(tkn,Hash.hashSHA256(tkn.getBytes())); + if(rp.isOK()) { + return new OAuth2HttpTafResp(access,rp.value,rp.value.getName()+" authenticated by Bearer Token",RESP.IS_AUTHENTICATED,resp,false); + } else { + return new OAuth2HttpTafResp(access,null,rp.error,RESP.FAIL,resp,true); + } + } catch (APIException | CadiException | LocatorException e) { + return new OAuth2HttpTafResp(access,null,"Bearer Token invalid",RESP.FAIL,resp,true); + } catch (NoSuchAlgorithmException e) { + return new OAuth2HttpTafResp(access,null,"Security Algorithm not available",RESP.FAIL,resp,true); + } + } + return new OAuth2HttpTafResp(access,null,"No OAuth2 ",RESP.TRY_ANOTHER_TAF,resp,true); + } + + @Override + public Resp revalidate(CachedPrincipal prin,Object state) { + //TODO!!!! + return null; + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTafResp.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTafResp.java new file mode 100644 index 00000000..7e1028a5 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2HttpTafResp.java @@ -0,0 +1,66 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.io.IOException; + +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.principal.TrustPrincipal; +import org.onap.aaf.cadi.taf.AbsTafResp; +import org.onap.aaf.cadi.taf.TafResp; + +public class OAuth2HttpTafResp extends AbsTafResp implements TafResp { + private HttpServletResponse httpResp; + private RESP status; + private final boolean wasFailed; + + public OAuth2HttpTafResp(Access access, OAuth2Principal principal, String desc, RESP status, HttpServletResponse resp, boolean wasFailed) { + super(access,principal, desc); + httpResp = resp; + this.status = status; + this.wasFailed = wasFailed; + } + + public OAuth2HttpTafResp(Access access, TrustPrincipal principal, String desc, RESP status,HttpServletResponse resp) { + super(access,principal, desc); + httpResp = resp; + this.status = status; + wasFailed = true; // if Trust Principal added, must be good + } + + public RESP authenticate() throws IOException { + httpResp.setStatus(401); // Unauthorized + return RESP.HTTP_REDIRECT_INVOKED; + } + + public RESP isAuthenticated() { + return status; + } + + public boolean isFailedAttempt() { + return wasFailed; + } + + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Lur.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Lur.java new file mode 100644 index 00000000..89816a2c --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Lur.java @@ -0,0 +1,107 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.security.Principal; +import java.util.List; + +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.lur.LocalPermission; +import org.onap.aaf.cadi.principal.BearerPrincipal; +import org.onap.aaf.misc.env.util.Split; + +public class OAuth2Lur implements Lur { + private TokenMgr tm; + + public OAuth2Lur(TokenMgr tm) { + this.tm = tm; + } + + @Override + public Permission createPerm(String p) { + String[] params = Split.split('|', p); + if(params.length==3) { + return new AAFPermission(params[0],params[1],params[2]); + } else { + return new LocalPermission(p); + } + } + + @Override + public boolean fish(Principal bait, Permission pond) { + AAFPermission apond = (AAFPermission)pond; + OAuth2Principal oap; + if(bait instanceof OAuth2Principal) { + oap = (OAuth2Principal)bait; + } else { + // Here is the spot to put in Principal Conversions + return false; + } + + TokenPerm tp = oap.tokenPerm(); + if(tp==null) { + } else { + for(Permission p : tp.perms()) { + if(p.match(apond)) { + return true; + } + } + } + return false; + } + + @Override + public void fishAll(Principal bait, List permissions) { + OAuth2Principal oap = (OAuth2Principal)bait; + TokenPerm tp = oap.tokenPerm(); + if(tp!=null) { + for(AAFPermission p : tp.perms()) { + permissions.add(p); + } + } + } + + @Override + public void destroy() { + } + + @Override + public boolean handlesExclusively(Permission pond) { + return false; + } + + @Override + public boolean handles(Principal p) { + if(p!=null && p instanceof BearerPrincipal) { + return ((BearerPrincipal)p).getBearer()!=null; + } + return false; + } + + @Override + public void clear(Principal p, StringBuilder report) { + tm.clear(p,report); + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Principal.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Principal.java new file mode 100644 index 00000000..90d59635 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/OAuth2Principal.java @@ -0,0 +1,54 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import org.onap.aaf.cadi.principal.TaggedPrincipal; + +public class OAuth2Principal extends TaggedPrincipal { + private TokenPerm tp; +// private byte[] hash; // hashed cred for disk validation + + public OAuth2Principal(TokenPerm tp, byte[] hash) { + this.tp = tp; +// this.hash = hash; + } + + @Override + public String getName() { + return tp.getUsername(); + } + + public TokenPerm tokenPerm() { + return tp; + } + + @Override + public String tag() { + return "OAuth"; + } + + @Override + public String personalName() { + return tp.getUsername(); + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TimedToken.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TimedToken.java new file mode 100644 index 00000000..d4f343f9 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TimedToken.java @@ -0,0 +1,132 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.nio.file.Path; + +import org.onap.aaf.cadi.persist.Persist; +import org.onap.aaf.cadi.persist.Persistable; +import org.onap.aaf.cadi.persist.Persisting; + +import aafoauth.v2_0.Token; + +/** + * TimedToken + * Tokens come from the Token Server with an "Expired In" setting. This class will take that, and + * create a date from time of Creation, which works with local code. + * + * We create a Derived class, so that it can be used as is the originating Token type. + * + * "expired" is local computer time + * @author Jonathan + * + */ +// Package on purpose +public class TimedToken extends Token implements Persistable { + private Persisting cacheable; // no double inheritance... + +// public TimedToken(Token t, byte[] hash) { +// this(t,(System.currentTimeMillis()/1000)+t.getExpiresIn(),hash,null); +// } +// + public TimedToken(Persist p, Token t, byte[] hash, Path path){ + this(p,t,t.getExpiresIn()+(System.currentTimeMillis()/1000),hash, path); + } + + public TimedToken(Persist p, Token t, long expires_secsFrom1970, byte[] hash, Path path) { + cacheable = new Persisting(p, t,expires_secsFrom1970, hash, path); + accessToken=t.getAccessToken(); + expiresIn=t.getExpiresIn(); + refreshToken=t.getRefreshToken(); + scope = t.getScope(); + state = t.getState(); + tokenType = t.getTokenType(); + } + + + @Override + public Token get() { + return cacheable.get(); + } + + @Override + public boolean checkSyncTime() { + return cacheable.checkSyncTime(); + } + + @Override + public boolean checkReloadable() { + return cacheable.checkReloadable(); + } + + @Override + public boolean hasBeenTouched() { + return cacheable.hasBeenTouched(); + } + + @Override + public long expires() { + return cacheable.expires(); + } + + @Override + public boolean expired() { + return cacheable.expired(); + } + + @Override + public boolean match(byte[] hashIn) { + return cacheable.match(hashIn); + } + + @Override + public byte[] getHash() { + return cacheable.getHash(); + } + + @Override + public void inc() { + cacheable.inc(); + } + + @Override + public int count() { + return cacheable.count(); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.oauth.Persistable#clearCount() + */ + @Override + public void clearCount() { + cacheable.clearCount(); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.persist.Persistable#path() + */ + @Override + public Path path() { + return cacheable.path(); + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClient.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClient.java new file mode 100644 index 00000000..4b0c944c --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClient.java @@ -0,0 +1,474 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.io.IOException; +import java.net.ConnectException; +import java.net.URLEncoder; +import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; +import java.util.List; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Hash; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.aaf.v2_0.AAFCon; +import org.onap.aaf.cadi.aaf.v2_0.AAFCon.GetSetter; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.persist.Persist.Loader; +import org.onap.aaf.cadi.principal.Kind; +import org.onap.aaf.cadi.util.FQI; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.rosetta.env.RosettaDF; + +import aafoauth.v2_0.Introspect; +import aafoauth.v2_0.Token; + +public class TokenClient { + private static final String UTF_8 = "UTF-8"; + + public enum AUTHN_METHOD {client_credentials,password,payload,basic_auth,certificate,refresh_token, none} + + private final TokenClientFactory factory; + private final AAFCon tkCon; + private static RosettaDF tokenDF; + protected static RosettaDF introspectDF; + + + private int timeout; + private String client_id, username; + private byte[] enc_client_secret, enc_password; + + private GetSetter ss; + private AUTHN_METHOD authn_method; + private byte[] hash; + private final char okind; + private String default_scope; + + // Package on Purpose + TokenClient(char okind, final TokenClientFactory tcf, final AAFCon tkCon, final int timeout, AUTHN_METHOD am) throws CadiException, APIException { + this.okind = okind; + factory = tcf; + this.tkCon = tkCon; + this.timeout = timeout; + ss = null; + authn_method = am; + synchronized(tcf) { + if(introspectDF==null) { + tokenDF = tkCon.env().newDataFactory(Token.class); + introspectDF = tkCon.env().newDataFactory(Introspect.class); + } + } + + } + + public void client_id(String client_id) { + this.client_id = client_id; + default_scope = FQI.reverseDomain(client_id); + } + + public String client_id() { + return client_id; + } + + /** + * This scope based on client_id... the App configured for call + * @return + */ + public String defaultScope() { + return default_scope; + } + + public void client_creds(Access access) throws CadiException { + if(okind=='A') { + client_creds(access.getProperty(Config.AAF_APPID, null),access.getProperty(Config.AAF_APPPASS, null)); + } else { + client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID, null),access.getProperty(Config.AAF_ALT_CLIENT_SECRET, null)); + } + } + + /** + * Note: OAuth2 provides for normal Authentication parameters when getting tokens. Basic Auth is one such valid + * way to get Credentials. However, support is up to the OAuth2 Implementation + * + * This method is for setting an App's creds (client) to another App. + * + * @param client_id + * @param client_secret + * @throws IOException + */ + public void client_creds(final String client_id, final String client_secret) throws CadiException { + if(client_id==null) { + throw new CadiException(Config.AAF_ALT_CLIENT_ID + " is null"); + } + this.client_id = client_id; + default_scope = FQI.reverseDomain(client_id); + + if(client_secret!=null) { + try { + if(client_secret.startsWith("enc:")) { + final String temp = factory.access.decrypt(client_secret, false); // this is a more powerful, but non-thread-safe encryption + hash = Hash.hashSHA256(temp.getBytes()); + this.enc_client_secret = factory.symm.encode(temp.getBytes()); + ss = new GetSetter() { + @Override + public SecuritySetter get(AAFCon con) throws CadiException { + return con.basicAuth(client_id, temp);// Base class encrypts password + } + }; + } else { + byte[] temp = client_secret.getBytes(); + hash = Hash.hashSHA256(temp); + this.enc_client_secret = factory.symm.encode(temp); + ss = new GetSetter() { + @Override + public SecuritySetter get(AAFCon con) throws CadiException { + return con.basicAuth(client_id, client_secret);// Base class encrypts password + } + }; + } + authn_method = AUTHN_METHOD.client_credentials; + } catch(IOException | NoSuchAlgorithmException e) { + throw new CadiException(e); + } + } + } + + public void username(String username) { + this.username = username; + } + + /** + * Note: OAuth2 provides for normal Authentication parameters when getting tokens. Basic Auth is one such valid + * way to get Credentials. However, support is up to the OAuth2 Implementation + * + * This method is for setting the End-User's Creds + * + * @param client_id + * @param client_secret + * @throws IOException + */ + public void password(final String user, final String password) throws CadiException { + this.username = user; + if(password!=null) { + try { + if(password.startsWith("enc:")) { + final String temp = factory.access.decrypt(password, false); // this is a more powerful, but non-thread-safe encryption + hash = Hash.hashSHA256(temp.getBytes()); + this.enc_password = factory.symm.encode(temp.getBytes()); + ss = new GetSetter() { + @Override + public SecuritySetter get(AAFCon con) throws CadiException { + return con.basicAuth(user, temp);// Base class encrypts password + } + }; + } else { + byte[] temp = password.getBytes(); + hash = Hash.hashSHA256(temp); + this.enc_password = factory.symm.encode(temp); + ss = new GetSetter() { + @Override + public SecuritySetter get(AAFCon con) throws CadiException { + return con.basicAuth(user, password);// Base class encrypts password + } + }; + } + authn_method = AUTHN_METHOD.password; + } catch (IOException | NoSuchAlgorithmException e) { + throw new CadiException(e); + } + } + } + + public void clearEndUser() { + username = null; + enc_password = null; + if(client_id!=null && enc_client_secret!=null) { + authn_method = AUTHN_METHOD.client_credentials; + } else { + authn_method = AUTHN_METHOD.password; + } + } + + public Result getToken(final String ... scopes) throws LocatorException, CadiException, APIException { + return getToken(Kind.OAUTH,scopes); + } + + public void clearToken(final String ... scopes) throws CadiException { + clearToken(Kind.OAUTH,scopes); + } + + public void clearToken(final char kind, final String ... scopes) throws CadiException { + final String scope = addScope(scopes); + char c; + if(kind==Kind.OAUTH) { + c = okind; + } else { + c = kind; + } + final String key = TokenClientFactory.getKey(c,client_id,username,hash,scope); + factory.delete(key); + } + /** + * Get AuthToken + * @throws APIException + * @throws CadiException + * @throws LocatorException + */ + public Result getToken(final char kind, final String ... scopes) throws LocatorException, CadiException, APIException { + final String scope = addScope(scopes); + char c; + if(kind==Kind.OAUTH) { + c = okind; + } else { + c = kind; + } + final String key = TokenClientFactory.getKey(c,client_id,username,hash,scope); + if(ss==null) { + throw new APIException("client_creds(...) must be set before obtaining Access Tokens"); + } + + Result rtt = factory.get(key,hash,new Loader() { + @Override + public Result load(final String key) throws APIException, CadiException, LocatorException { + final List params = new ArrayList(); + params.add(scope); + addSecurity(params,authn_method); + + final String paramsa[] = new String[params.size()]; + params.toArray(paramsa); + Result rt = tkCon.best(new Retryable>() { + @Override + public Result code(Rcli client) throws CadiException, ConnectException, APIException { + // /token?grant_type=client_credential&scope=com.att.aaf+com.att.test + Future f = client.postForm(null,tokenDF,paramsa); + if(f.get(timeout)) { + return Result.ok(f.code(),f.value); + } else { + return Result.err(f.code(), f.body()); + } + } + }); + + if(rt.isOK()) { + try { + return Result.ok(rt.code,factory.putTimedToken(key,rt.value, hash)); + } catch (IOException e) { + // TODO What to do here? + e.printStackTrace(); + return Result.err(999,e.getMessage()); + } + } else { + return Result.err(rt); + } + } + }); + if(rtt.isOK()) { // not validated for Expired + TimedToken tt = rtt.value; + if(tt.expired()) { + rtt = refreshToken(tt); + if(rtt.isOK()) { + tkCon.access.printf(Level.INFO, "Refreshed token %s to %s",tt.getAccessToken(),rtt.value.getAccessToken()); + return Result.ok(200,rtt.value); + } else { + tkCon.access.printf(Level.INFO, "Expired token %s cannot be renewed %d %s",tt.getAccessToken(),rtt.code,rtt.error); + factory.delete(key); + tt=null; + } + } else { + return Result.ok(200,tt); + } + } else { + Result.err(rtt); + } + return Result.err(404,"Not Found"); + } + + public Result refreshToken(Token token) throws APIException, LocatorException, CadiException { + if(ss==null) { + throw new APIException("client_creds(...) must be set before obtaining Access Tokens"); + } + final List params = new ArrayList(); + params.add("refresh_token="+token.getRefreshToken()); + addSecurity(params,AUTHN_METHOD.refresh_token); + final String scope="scope="+token.getScope().replace(' ', '+'); + params.add(scope); + + final String paramsa[] = new String[params.size()]; + params.toArray(paramsa); + Result rt = tkCon.best(new Retryable>() { + @Override + public Result code(Rcli client) throws CadiException, ConnectException, APIException { + // /token?grant_type=client_credential&scope=com.att.aaf+com.att.test + Future f = client.postForm(null,tokenDF,paramsa); + if(f.get(timeout)) { + return Result.ok(f.code(),f.value); + } else { + return Result.err(f.code(), f.body()); + } + } + }); + String key = TokenClientFactory.getKey(okind,client_id, username, hash, scope); + if(rt.isOK()) { + try { + return Result.ok(200,factory.putTimedToken(key, rt.value, hash)); + } catch (IOException e) { + //TODO what to do here? + return Result.err(999, e.getMessage()); + } + } else if(rt.code==404) { + factory.deleteFromDisk(key); + } + return Result.err(rt); + } + + public Result introspect(final String token) throws APIException, LocatorException, CadiException { + if(ss==null) { + throw new APIException("client_creds(...) must be set before introspecting Access Tokens"); + } + + return tkCon.best(new Retryable>() { + @Override + public Result code(Rcli client) throws CadiException, ConnectException, APIException { + final List params = new ArrayList(); + params.add("token="+token); + addSecurity(params,AUTHN_METHOD.client_credentials); + final String paramsa[] = new String[params.size()]; + params.toArray(paramsa); + // /token?grant_type=client_credential&scope=com.att.aaf+com.att.test + Future f = client.postForm(null,introspectDF,paramsa); + if(f.get(timeout)) { + return Result.ok(f.code(),f.value); + } else { + return Result.err(f.code(), f.body()); + } + } + } + ); + } + + private String addScope(String[] scopes) { + String rv = null; + StringBuilder scope=null; + boolean first = true; + for(String s : scopes) { + if(first) { + scope = new StringBuilder(); + scope.append("scope="); + first=false; + } else { + scope.append('+'); + } + scope.append(s); + } + if(scope!=null) { + rv=scope.toString(); + } + return rv; + } + + private void addSecurity(List params, AUTHN_METHOD authn) throws APIException { + // Set GrantType... different than Credentials + switch(authn) { + case client_credentials: + params.add("grant_type=client_credentials"); + break; + case password: + params.add("grant_type=password"); + break; + case refresh_token: + params.add("grant_type=refresh_token"); + break; + case none: + break; + default: + // Nothing to do + break; + } + + // Set Credentials appropriate + switch(authn_method) { + case client_credentials: + if(client_id!=null) { + params.add("client_id="+client_id); + } + + if(enc_client_secret!=null) { + try { + params.add("client_secret="+URLEncoder.encode(new String(factory.symm.decode(enc_client_secret)),UTF_8)); + } catch (IOException e) { + throw new APIException("Error Decrypting Password",e); + } + } + break; + case refresh_token: + if(client_id!=null) { + params.add("client_id="+client_id); + } + + if(enc_client_secret!=null) { + try { + params.add("client_secret="+URLEncoder.encode(new String(factory.symm.decode(enc_client_secret)),UTF_8)); + } catch (IOException e) { + throw new APIException("Error Decrypting Password",e); + } + } + break; + + case password: + if(client_id!=null) { + params.add("client_id="+client_id); + } + + if(enc_client_secret!=null) { + try { + params.add("client_secret="+ URLEncoder.encode(new String(factory.symm.decode(enc_client_secret)),UTF_8)); + } catch (IOException e) { + throw new APIException("Error Decrypting Password",e); + } + } + if(username!=null) { + params.add("username="+username); + } + + if(enc_password!=null) { + try { + params.add("password="+ URLEncoder.encode(new String(factory.symm.decode(enc_password)),UTF_8)); + } catch (IOException e) { + throw new APIException("Error Decrypting Password",e); + } + } + + break; + default: + // Nothing to do + break; + } + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java new file mode 100644 index 00000000..3f6fa599 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenClientFactory.java @@ -0,0 +1,170 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.io.IOException; +import java.net.HttpURLConnection; +import java.net.URI; +import java.net.URISyntaxException; +import java.nio.file.Path; +import java.security.GeneralSecurityException; +import java.security.NoSuchAlgorithmException; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; +import java.util.regex.Pattern; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Hash; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; +import org.onap.aaf.cadi.aaf.v2_0.AAFLocator; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.locator.PropertyLocator; +import org.onap.aaf.cadi.oauth.TokenClient.AUTHN_METHOD; +import org.onap.aaf.cadi.persist.Persist; +import org.onap.aaf.cadi.principal.Kind; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +import aafoauth.v2_0.Token; + +public class TokenClientFactory extends Persist { + private static TokenClientFactory instance; + private Map aafcons = new ConcurrentHashMap(); + private SecurityInfoC hsi; + // Package on purpose + final Symm symm; + + private TokenClientFactory(Access pa) throws APIException, GeneralSecurityException, IOException, CadiException { + super(pa, new RosettaEnv(pa.getProperties()),Token.class,"outgoing"); + symm = Symm.encrypt.obtain(); + hsi = SecurityInfoC.instance(access, HttpURLConnection.class); + } + + public synchronized static final TokenClientFactory instance(Access access) throws APIException, GeneralSecurityException, IOException, CadiException { + if(instance==null) { + instance = new TokenClientFactory(access); + } + return instance; + } + + /** + * Pickup Timeout from Properties + * + * @param tagOrURL + * @return + * @throws CadiException + * @throws LocatorException + * @throws APIException + */ + public TokenClient newClient(final String tagOrURL) throws CadiException, LocatorException, APIException { + return newClient(tagOrURL,Integer.parseInt(access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF))); + } + + public TokenClient newClient(final String tagOrURL, final int timeout) throws CadiException, LocatorException, APIException { + AAFConHttp ach; + if(tagOrURL==null) { + throw new CadiException("parameter tagOrURL cannot be null."); + } else { + ach = aafcons.get(tagOrURL); + if(ach==null) { + aafcons.put(tagOrURL, ach=new AAFConHttp(access,tagOrURL)); + } + } + char okind; + if(Config.AAF_OAUTH2_TOKEN_URL.equals(tagOrURL) || + tagOrURL.equals(access.getProperty(Config.AAF_OAUTH2_TOKEN_URL, null))) { + okind = Kind.AAF_OAUTH; + } else { + okind = Kind.OAUTH; + } + return new TokenClient( + okind, + this, + ach, + timeout, + AUTHN_METHOD.none); + } + + public TzClient newTzClient(final String locatorURL) throws CadiException, LocatorException { + try { + return new TzHClient(access,hsi,bestLocator(locatorURL)); + } catch (URISyntaxException e) { + throw new LocatorException(e); + } + } + + static String getKey(char tokenSource,String client_id, String username, byte[] hash, String scope) throws CadiException { + try { + StringBuilder sb = new StringBuilder(client_id); + sb.append('_'); + if(username!=null) { + sb.append(username); + } + sb.append('_'); + sb.append(tokenSource); + byte[] tohash=scope.getBytes(); + if(hash!=null && hash.length>0) { + byte temp[] = new byte[hash.length+tohash.length]; + System.arraycopy(tohash, 0, temp, 0, tohash.length); + System.arraycopy(hash, 0, temp, tohash.length, hash.length); + tohash = temp; + } + if(scope!=null && scope.length()>0) { + sb.append(Hash.toHexNo0x(Hash.hashSHA256(tohash))); + } + return sb.toString(); + } catch (NoSuchAlgorithmException e) { + throw new CadiException(e); + } + } + + @Override + protected TimedToken newCacheable(Token t, long expires, byte[] hash, Path path) throws IOException { + return new TimedToken(this,t,expires,hash,path); + } + + public TimedToken putTimedToken(String key, Token token, byte[] hash) throws IOException, CadiException { + TimedToken tt = new TimedToken(this,token,token.getExpiresIn()+(System.currentTimeMillis()/1000),hash,getPath(key)); + put(key,tt); + return tt; + } + + private static final Pattern locatePattern = Pattern.compile("https://.*/locate/.*"); + public Locator bestLocator(final String locatorURL ) throws LocatorException, URISyntaxException { + if(locatorURL==null) { + throw new LocatorException("Cannot have a null locatorURL in bestLocator"); + } + if(locatePattern.matcher(locatorURL).matches()) { + return new AAFLocator(hsi,new URI(locatorURL)); + } else if(locatorURL.contains("//DME2RESOLVE/")) { + throw new LocatorException("DME2Locator doesn't exist. Use DME2 specific Clients"); + } else { + return new PropertyLocator(locatorURL); + } + // Note: Removed DME2Locator... If DME2 client is needed, use DME2Clients + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenMgr.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenMgr.java new file mode 100644 index 00000000..d8fd88f6 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenMgr.java @@ -0,0 +1,193 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.io.IOException; +import java.nio.file.Path; +import java.security.GeneralSecurityException; +import java.security.Principal; +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.persist.Persist; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.rosetta.env.RosettaDF; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +import aaf.v2_0.Perms; +import aafoauth.v2_0.Introspect; + +public class TokenMgr extends Persist { + protected static Map tpmap = new ConcurrentHashMap(); + protected static Map tmmap = new HashMap(); // synchronized in getInstance + protected static Map currentToken = new HashMap(); // synchronized in getTP + public static RosettaDF permsDF; + public static RosettaDF introspectDF; + + private final TokenPermLoader tpLoader; + + private TokenMgr(PropAccess access, String tokenURL, String introspectURL) throws APIException, CadiException { + super(access,new RosettaEnv(access.getProperties()),Introspect.class,"introspect"); + synchronized(access) { + if(permsDF==null) { + permsDF = env.newDataFactory(Perms.class); + introspectDF = env.newDataFactory(Introspect.class); + } + } + if("dbToken".equals(tokenURL) && "dbIntrospect".equals(introspectURL)) { + tpLoader = new TokenPermLoader() { // null Loader + @Override + public Result load(String accessToken, byte[] cred) + throws APIException, CadiException, LocatorException { + return Result.err(404, "DBLoader"); + } + }; + } else { + RemoteTokenPermLoader rtpl = new RemoteTokenPermLoader(tokenURL, introspectURL); // default is remote + String i = access.getProperty(Config.AAF_APPID,null); + String p = access.getProperty(Config.AAF_APPPASS, null); + if(i==null || p==null) { + throw new CadiException(Config.AAF_APPID + " and " + Config.AAF_APPPASS + " must be set to initialize TokenMgr"); + } + rtpl.introCL.client_creds(i,p); + tpLoader = rtpl; + } + } + + private TokenMgr(PropAccess access, TokenPermLoader tpl) throws APIException, CadiException { + super(access,new RosettaEnv(access.getProperties()),Introspect.class,"incoming"); + synchronized(access) { + if(permsDF==null) { + permsDF = env.newDataFactory(Perms.class); + introspectDF = env.newDataFactory(Introspect.class); + } + } + tpLoader = tpl; + } + + public static synchronized TokenMgr getInstance(final PropAccess access, final String tokenURL, final String introspectURL) throws APIException, CadiException { + String key; + TokenMgr tm = tmmap.get(key=tokenURL+'/'+introspectURL); + if(tm==null) { + tmmap.put(key, tm=new TokenMgr(access,tokenURL,introspectURL)); + } + return tm; + } + + public Result toPrincipal(final String accessToken, final byte[] hash) throws APIException, CadiException, LocatorException { + Result tp = get(accessToken, hash, new Loader() { + @Override + public Result load(String key) throws APIException, CadiException, LocatorException { + try { + return tpLoader.load(accessToken,hash); + } catch (APIException | LocatorException e) { + throw new CadiException(e); + } + } + }); + if(tp.isOK()) { + return Result.ok(200, new OAuth2Principal(tp.value,hash)); + } else { + return Result.err(tp); + } + } + + public Result get(final String accessToken, final byte[] hash) throws APIException, CadiException, LocatorException { + return get(accessToken,hash,new Loader() { + @Override + public Result load(String key) throws APIException, CadiException, LocatorException { + return tpLoader.load(key,hash); + } + + }); +// return tpLoader.load(accessToken,hash); + } + + public interface TokenPermLoader{ + public Result load(final String accessToken, final byte[] cred) throws APIException, CadiException, LocatorException; + } + + private class RemoteTokenPermLoader implements TokenPermLoader { + private TokenClientFactory tcf; + private TokenClient tokenCL, introCL; + + public RemoteTokenPermLoader(final String tokenURL, final String introspectURL) throws APIException, CadiException { + try { + tcf = TokenClientFactory.instance(access); + int timeout = Integer.parseInt(access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF)); + tokenCL = tcf.newClient(tokenURL, + timeout); + if(introspectURL.equals(tokenURL)) { + introCL = tokenCL; + } else { + introCL = tcf.newClient(introspectURL, + timeout); + } + + } catch (GeneralSecurityException | IOException | NumberFormatException | LocatorException e) { + throw new CadiException(e); + } + } + + public Result load(final String accessToken, final byte[] cred) throws APIException, CadiException, LocatorException { + long start = System.currentTimeMillis(); + try { + Result ri = introCL.introspect(accessToken); + if(ri.isOK()) { + return Result.ok(ri.code, new TokenPerm(TokenMgr.this,permsDF,ri.value,cred,getPath(accessToken))); + } else { + return Result.err(ri); + } + } finally { + access.printf(Level.INFO, "Token loaded in %d ms",System.currentTimeMillis()-start); + } + } + } + + public void clear(Principal p, StringBuilder report) { + TokenPerm tp = tpmap.remove(p.getName()); + if(tp==null) { + report.append("Nothing to clear"); + } else { + report.append("Cleared "); + report.append(p.getName()); + } + } + + @Override + protected TokenPerm newCacheable(Introspect i, long expires, byte[] hash, Path path) throws APIException { + // Note: Introspect drives the Expiration... ignoring expires. + return new TokenPerm(this,permsDF,i,hash,path); + } + + public TokenPerm putIntrospect(Introspect intro, byte[] cred) throws APIException { + return newCacheable(intro, intro.getExp(), cred, getPath(intro.getAccessToken())); + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenPerm.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenPerm.java new file mode 100644 index 00000000..4a0259a4 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TokenPerm.java @@ -0,0 +1,171 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.io.Reader; +import java.io.StringReader; +import java.nio.file.Path; +import java.util.ArrayList; +import java.util.List; + +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.persist.Persist; +import org.onap.aaf.cadi.persist.Persisting; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.rosetta.InJson; +import org.onap.aaf.misc.rosetta.Parse; +import org.onap.aaf.misc.rosetta.ParseException; +import org.onap.aaf.misc.rosetta.Parsed; +import org.onap.aaf.misc.rosetta.InJson.State; +import org.onap.aaf.misc.rosetta.env.RosettaDF; + +import aaf.v2_0.Perms; +import aafoauth.v2_0.Introspect; + +public class TokenPerm extends Persisting{ + private static final List NULL_PERMS = new ArrayList(); + private Introspect introspect; + private List perms; + private String scopes; + public TokenPerm(Persist p, RosettaDF permsDF, Introspect ti, byte[] hash, Path path) throws APIException { + super(p,ti,ti.getExp(),hash,path); // ti.getExp() is seconds after Jan 1, 1970 ) + this.introspect = ti; + if(ti.getContent()==null || ti.getContent().length()==0) { + perms = NULL_PERMS; + } else { + LoadPermissions lp; + try { + lp = new LoadPermissions(new StringReader(ti.getContent())); + perms = lp.perms; + } catch (ParseException e) { + throw new APIException("Error parsing Content",e); + } + } + scopes = ti.getScope(); + } + + public List perms() { + return perms; + } + + public String getClientId() { + return introspect.getClientId(); + } + + public String getUsername() { + return introspect.getUsername(); + } + + public String getToken() { + return introspect.getAccessToken(); + } + + public synchronized String getScopes() { + return scopes; + } + + public Introspect getIntrospect() { + return introspect; + } + + // Direct Parse Perms into List + public static class LoadPermissions { + public List perms; + + public LoadPermissions(Reader r) throws ParseException { + PermInfo pi = new PermInfo(); + InJson ij = new InJson(); + Parsed pd = ij.newParsed(); + boolean inPerms = false, inPerm = false; + while((pd = ij.parse(r,pd.reuse())).valid()) { + switch(pd.event) { + case Parse.START_DOC: + perms = new ArrayList(); + break; + case Parse.START_ARRAY: + inPerms = "perm".equals(pd.name); + break; + case '{': + if(inPerms) { + inPerm=true; + pi.clear(); + } + break; + case ',': + if(inPerm) { + pi.eval(pd); + } + break; + case '}': + if(inPerms) { + if(inPerm) { + pi.eval(pd); + AAFPermission perm = pi.create(); + if(perm!=null) { + perms.add(perm); + } + } + inPerm=false; + } + break; + case Parse.END_ARRAY: + if(inPerms) { + inPerms=false; + } + break; + case Parse.END_DOC: + break; + } + } + } + } + + // Gathering object for parsing objects, then creating AAF Permission + private static class PermInfo { + public String type,instance,action; + public void clear() { + type=instance=action=null; + } + public void eval(Parsed pd) { + if(pd.hasName()) { + switch(pd.name) { + case "type": + type=pd.sb.toString(); + break; + case "instance": + instance=pd.sb.toString(); + break; + case "action": + action=pd.sb.toString(); + break; + } + } + } + public AAFPermission create() { + if(type!=null && instance!=null && action !=null) { + return new AAFPermission(type, instance, action); + } else { + return null; + } + } + } +} \ No newline at end of file diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TzClient.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TzClient.java new file mode 100644 index 00000000..a14c0f8e --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TzClient.java @@ -0,0 +1,40 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.io.IOException; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.misc.env.APIException; + +/** + * TimedToken Client + * + * @author Jonathan + * + */ +public abstract class TzClient { + public abstract void setToken(final String client_id, final TimedToken token) throws IOException; + public abstract RET best(Retryable rcode) throws CadiException, LocatorException, APIException; +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TzHClient.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TzHClient.java new file mode 100644 index 00000000..c565fa84 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/oauth/TzHClient.java @@ -0,0 +1,82 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth; + +import java.io.IOException; +import java.net.HttpURLConnection; +import java.net.URI; +import java.net.URISyntaxException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.aaf.v2_0.AAFLocator; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.http.HMangr; +import org.onap.aaf.cadi.http.HTokenSS; +import org.onap.aaf.misc.env.APIException; + +/** + * Tokenized HClient + * + * @author Jonathan + * + */ +public class TzHClient extends TzClient { + private HMangr hman; + public SecurityInfoC si; + private TimedToken token; + private SecuritySetter tokenSS; + + public TzHClient(Access access, String tagOrURL) throws CadiException, LocatorException { + try { + si = SecurityInfoC.instance(access, HttpURLConnection.class); + hman = new HMangr(access, new AAFLocator(si,new URI(access.getProperty(tagOrURL, tagOrURL)))); + } catch (URISyntaxException e) { + throw new CadiException(e); + } + } + public TzHClient(Access access, SecurityInfoC hsi, Locator loc) throws LocatorException { + si = hsi; + hman = new HMangr(access, loc); + } + + public void setToken(final String client_id, TimedToken token) throws IOException { + this.token = token; + tokenSS = new HTokenSS(si, client_id, token.getAccessToken()); + } + + public RET best (Retryable retryable) throws CadiException, LocatorException, APIException { + if(token == null || tokenSS==null) { + throw new CadiException("OAuth2 Token has not been set"); + } + if(token.expired()) { + //TODO Refresh? + throw new CadiException("Expired Token"); + } else { + return hman.best(tokenSS, retryable); + } + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/obasic/OBasicHttpTaf.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/obasic/OBasicHttpTaf.java new file mode 100644 index 00000000..ff0c246b --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/obasic/OBasicHttpTaf.java @@ -0,0 +1,196 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.obasic; + +import java.io.IOException; +import java.security.NoSuchAlgorithmException; +import java.security.Principal; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.BasicCred; +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.CredVal; +import org.onap.aaf.cadi.Hash; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.Taf; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.CredVal.Type; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.oauth.AbsOTafLur; +import org.onap.aaf.cadi.oauth.OAuth2Principal; +import org.onap.aaf.cadi.oauth.TimedToken; +import org.onap.aaf.cadi.oauth.TokenClient; +import org.onap.aaf.cadi.taf.HttpTaf; +import org.onap.aaf.cadi.taf.TafResp; +import org.onap.aaf.cadi.taf.TafResp.RESP; +import org.onap.aaf.cadi.taf.basic.BasicHttpTafResp; +import org.onap.aaf.cadi.util.FQI; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Pool.Pooled; + +/** + * BasicHttpTaf + * + * This TAF implements the "Basic Auth" protocol. + * + * WARNING! It is true for any implementation of "Basic Auth" that the password is passed unencrypted. + * This is because the expectation, when designed years ago, was that it would only be used in + * conjunction with SSL (https). It is common, however, for users to ignore this on the assumption that + * their internal network is secure, or just ignorance. Therefore, a WARNING will be printed + * when the HTTP Channel is not encrypted (unless explicitly turned off). + * + * @author Jonathan + * + */ +public class OBasicHttpTaf extends AbsOTafLur implements HttpTaf { + private final String realm; + private final CredVal rbac; + + + public OBasicHttpTaf(final PropAccess access, final CredVal rbac, final String realm, final String token_url, final String introspect_url) throws CadiException { + super(access, token_url,introspect_url); + this.rbac = rbac; + this.realm = realm; + } + + /** + * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms. + * @see Taf + */ + public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { + // See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately + final String user; + String password=null; + byte[] cred=null; + if(req instanceof BasicCred) { + BasicCred bc = (BasicCred)req; + user = bc.getUser(); + cred = bc.getCred(); + } else { + String authz = req.getHeader("Authorization"); + if(authz != null && authz.startsWith("Basic ")) { + if(!req.isSecure()) { + access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel"); + } + try { + String temp = Symm.base64noSplit.decode(authz.substring(6)); + int colon = temp.lastIndexOf(':'); + if(colon>0) { + user = temp.substring(0,colon); + password = temp.substring(colon+1); + } else { + access.printf(Level.AUDIT,"Malformed BasicAuth entry ip=%s, entry=%s",req.getRemoteAddr(), + access.encrypt(temp)); + return new BasicHttpTafResp(access,null,"Malformed BasicAuth entry",RESP.FAIL,resp,realm,false); + } + if(!rbac.validate(user,Type.PASSWORD,password.getBytes(),req)) { + return new BasicHttpTafResp(access,null,buildMsg(null,req,"user/pass combo invalid for ",user,"from",req.getRemoteAddr()), + RESP.TRY_AUTHENTICATING,resp,realm,true); + } + } catch (IOException e) { + access.log(e, ERROR_GETTING_TOKEN_CLIENT); + return new BasicHttpTafResp(access,null,ERROR_GETTING_TOKEN_CLIENT,RESP.FAIL,resp,realm,false); + } + } else { + return new BasicHttpTafResp(access,null,"Not a Basic Auth",RESP.TRY_ANOTHER_TAF,resp,realm,false); + } + } + + try { + if(password==null && cred!=null) { + password = new String(cred); + cred = Hash.hashSHA256(cred); + } else if(password!=null && cred==null) { + cred = Hash.hashSHA256(password.getBytes()); + } + Pooled pclient = tokenClientPool.get(); + try { + pclient.content.password(user, password); + String scope=FQI.reverseDomain(client_id); + Result rtt = pclient.content.getToken('B',scope); + if(rtt.isOK()) { + if(rtt.value.expired()) { + return new BasicHttpTafResp(access,null,"BasicAuth/OAuth Token: Token Expired",RESP.FAIL,resp,realm,true); + } else { + TimedToken tt = rtt.value; + Result prin = tkMgr.toPrincipal(tt.getAccessToken(), cred); + if(prin.isOK()) { + return new BasicHttpTafResp(access,prin.value,"BasicAuth/OAuth Token Authentication",RESP.IS_AUTHENTICATED,resp,realm,true); + } else { + return new BasicHttpTafResp(access,null,"BasicAuth/OAuth Token: " + prin.code + ' ' + prin.error,RESP.FAIL,resp,realm,true); + } + } + } else { + return new BasicHttpTafResp(access,null,"BasicAuth/OAuth Token: " + rtt.code + ' ' + rtt.error,RESP.FAIL,resp,realm,true); + } + } finally { + pclient.done(); + } + } catch (APIException | CadiException | LocatorException | NoSuchAlgorithmException e) { + access.log(e, ERROR_GETTING_TOKEN_CLIENT); + return new BasicHttpTafResp(access,null,ERROR_GETTING_TOKEN_CLIENT,RESP.TRY_ANOTHER_TAF,resp,realm,false); + } + } + + protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) { + StringBuilder sb = new StringBuilder(); + if(pr!=null) { + sb.append("user="); + sb.append(pr.getName()); + sb.append(','); + } + sb.append("ip="); + sb.append(req.getRemoteAddr()); + sb.append(",port="); + sb.append(req.getRemotePort()); + if(msg.length>0) { + sb.append(",msg=\""); + for(Object s : msg) { + sb.append(s.toString()); + } + sb.append('"'); + } + return sb.toString(); + } + + @Override + public Resp revalidate(CachedPrincipal prin, Object state) { +// if(prin instanceof BasicPrincipal) { +// BasicPrincipal ba = (BasicPrincipal)prin; +// if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) { +// return Resp.UNVALIDATED; +// } +// return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), state)?Resp.REVALIDATED:Resp.UNVALIDATED; +// } + return Resp.NOT_MINE; + } + + public String toString() { + return "Basic Auth enabled on realm: " + realm; + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/olur/OLur.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/olur/OLur.java new file mode 100644 index 00000000..74d88fc2 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/olur/OLur.java @@ -0,0 +1,150 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.olur; + +import java.security.Principal; +import java.util.List; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.oauth.AbsOTafLur; +import org.onap.aaf.cadi.oauth.OAuth2Principal; +import org.onap.aaf.cadi.oauth.TimedToken; +import org.onap.aaf.cadi.oauth.TokenClient; +import org.onap.aaf.cadi.oauth.TokenPerm; +import org.onap.aaf.cadi.principal.Kind; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Split; +import org.onap.aaf.misc.env.util.Pool.Pooled; + +public class OLur extends AbsOTafLur implements Lur { + public OLur(PropAccess access, final String token_url, final String introspect_url) throws APIException, CadiException { + super(access, token_url, introspect_url); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#fish(java.security.Principal, org.onap.aaf.cadi.Permission) + */ + @Override + public boolean fish(Principal bait, Permission pond) { + TokenPerm tp; + if(bait instanceof OAuth2Principal) { + OAuth2Principal oa2p = (OAuth2Principal)bait; + tp = oa2p.tokenPerm(); + } else { + tp=null; + } + if(tp==null) { + // if no Token Perm preset, get + try { + Pooled tcp = tokenClientPool.get(); + try { + TokenClient tc = tcp.content; + tc.username(bait.getName()); + Result rtt = tc.getToken(Kind.getKind(bait),tc.defaultScope()); + if(rtt.isOK()) { + Result rtp = tkMgr.get(rtt.value.getAccessToken(), bait.getName().getBytes()); + if(rtp.isOK()) { + tp = rtp.value; + } + } + } finally { + tcp.done(); + } + } catch (APIException | LocatorException | CadiException e) { + access.log(Level.ERROR, "Unable to Get a Token: " + e.getMessage()); + } + } + if(tp!=null) { + if(tkMgr.access.willLog(Level.DEBUG)) { + StringBuilder sb = new StringBuilder("AAF Permissions for user "); + sb.append(bait.getName()); + sb.append(", from token "); + sb.append(tp.get().getAccessToken()); + for (AAFPermission p : tp.perms()) { + sb.append("\n\t"); + sb.append(p.getName()); + sb.append('|'); + sb.append(p.getInstance()); + sb.append('|'); + sb.append(p.getAction()); + } + sb.append('\n'); + access.log(Level.DEBUG, sb); + } + for (AAFPermission p : tp.perms()) { + if (p.match(pond)) { + return true; + } + } + } + return false; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#fishAll(java.security.Principal, java.util.List) + */ + @Override + public void fishAll(Principal bait, List permissions) { + if(bait instanceof OAuth2Principal) { + for (AAFPermission p : ((OAuth2Principal)bait).tokenPerm().perms()) { + permissions.add(p); + } + } + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#handlesExclusively(org.onap.aaf.cadi.Permission) + */ + @Override + public boolean handlesExclusively(Permission pond) { + return false; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#handles(java.security.Principal) + */ + @Override + public boolean handles(Principal principal) { + return principal instanceof OAuth2Principal; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String) + */ + @Override + public Permission createPerm(final String p) { + String[] s = Split.split('|',p); + if(s!=null && s.length==3) { + return new AAFPermission(s[0],s[1],s[2]); + } else { + return null; + } + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persist.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persist.java new file mode 100644 index 00000000..d9ea0170 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persist.java @@ -0,0 +1,301 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.persist; + +import java.io.IOException; +import java.nio.file.FileVisitResult; +import java.nio.file.FileVisitor; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.attribute.BasicFileAttributes; +import java.util.Date; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Queue; +import java.util.Timer; +import java.util.TimerTask; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.ConcurrentLinkedQueue; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.client.Holder; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Chrono; +import org.onap.aaf.misc.rosetta.env.RosettaDF; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +public abstract class Persist> extends PersistFile { + private static final long ONE_DAY = 86400000; + private static final long CLEAN_CHECK = 2*60*1000; // check every 2 mins + private static Timer clean; + + // store all the directories to review + // No Concurrent HashSet, or at least, it is all implemented with HashMap in older versions + private static Queue> allPersists = new ConcurrentLinkedQueue>(); + + private Map tmap; + protected RosettaEnv env; + private RosettaDF df; + + + public Persist(Access access, RosettaEnv env, Class cls, String sub_dir) throws CadiException, APIException { + super(access, sub_dir); + this.env = env; + df = env.newDataFactory(cls); + tmap = new ConcurrentHashMap(); + synchronized(Persist.class) { + if(clean==null) { + clean = new Timer(true); + clean.schedule(new Clean(access), 20000, CLEAN_CHECK); + } + } + allPersists.add(this); + } + + public void close() { + allPersists.remove(this); + } + + protected abstract CT newCacheable(T t, long expires_secsFrom1970, byte[] hash, Path path) throws APIException, IOException; + + public RosettaDF getDF() { + return df; + } + public Result get(final String key, final byte[] hash, Loader rl) throws CadiException, APIException, LocatorException { + if(key==null) { + return null; + } + Holder hp = new Holder(null); + CT ct = tmap.get(key); + // Make sure cached Item is synced with Disk, but only even Minute to save Disk hits + if(ct!=null && ct.checkSyncTime()) { // check File Time only every SYNC Period (2 min) + if(ct.hasBeenTouched()) { + tmap.remove(key); + ct = null; + access.log(Level.DEBUG,"File for",key,"has been touched, removing memory entry"); + } + } + + // If not currently in memory, check with Disk (which might have been updated by other processes) + if(ct==null) { + Holder hl = new Holder(0L); + T t; + if((t = readDisk(df, hash, key, hp, hl))!=null) { + try { + if((ct = newCacheable(t,hl.get(),hash,hp.get()))!=null) { + tmap.put(key, ct); + } + access.log(Level.DEBUG,"Read Token from",key); + } catch (IOException e) { + access.log(e,"Reading Token from",key); + } + } // if not read, then ct still==null + + // If not in memory, or on disk, get from Remote... IF reloadable (meaning, isn't hitting too often, etc). + if(ct==null || ct.checkReloadable()) { + // Load from external (if makes sense) + Result rtp = rl.load(key); + if(rtp.isOK()) { + ct = rtp.value; + try { + Path p = getPath(key); + writeDisk(df, ct.get(),ct.getHash(),p,ct.expires()); + access.log(Level.DEBUG, "Writing token",key); + } catch(CadiException e) { + throw e; + } catch (Exception e) { + throw new CadiException(e); + } + } else { + return Result.err(rtp); + } + } + + if(ct!=null) { + tmap.put(key, ct); + } + } else { + access.log(Level.DEBUG,"Found token in memory",key); + } + // ct can only be not-null here + ct.inc(); + return Result.ok(200,ct); + } + + public void put(String key, CT ct) throws CadiException { + writeDisk(df, ct.get(), ct.getHash(), key, ct.expires()); + tmap.put(key,ct); + } + + public void delete(String key) { + tmap.remove(key); + deleteFromDisk(key); + } + + public interface Loader { + Result load(String key) throws APIException, CadiException, LocatorException; + } + + /** + * Clean will examine resources, and remove those that have expired. + * + * If "highs" have been exceeded, then we'll expire 10% more the next time. This will adjust after each run + * without checking contents more than once, making a good average "high" in the minimum speed. + * + * @author Jonathan + * + */ + private static final class Clean extends TimerTask { + private final Access access; + private long hourly; + + public Clean(Access access) { + this.access = access; + hourly=0; + } + + private static class Metrics { + public int mexists = 0, dexists=0; + public int mremoved = 0, dremoved=0; + } + + public void run() { + final long now = System.currentTimeMillis(); + final long dayFromNow = now + ONE_DAY; + final Metrics metrics = new Metrics(); + for(final Persist persist : allPersists) { + // Clear memory + if(access.willLog(Level.DEBUG)) { + access.log(Level.DEBUG, "Persist: Cleaning memory cache for",persist.tokenPath.toAbsolutePath()); + } + for(Entry es : persist.tmap.entrySet()) { + ++metrics.mexists; + Persistable p = (Persistable)es.getValue(); + if(p.checkSyncTime()) { + if(p.count()==0) { + ++metrics.mremoved; + persist.tmap.remove(es.getKey()); + access.printf(Level.DEBUG, "Persist: removed cached item %s from memory\n", es.getKey()); + } else { + p.clearCount(); + } + } else if(Files.exists(p.path())) { + + } + } + // Clear disk + try { + final StringBuilder sb = new StringBuilder(); + Files.walkFileTree(persist.tokenPath, new FileVisitor() { + @Override + public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) throws IOException { + sb.setLength(0); + sb.append("Persist: Cleaning files from "); + sb.append(dir.toAbsolutePath()); + return FileVisitResult.CONTINUE; + } + + @Override + public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException { + if(attrs.isRegularFile()) { + ++metrics.dexists; + try { + + long exp = persist.readExpiration(file)*1000; // readExpiration is seconds from 1970 + if(now > exp) { // cover for bad token + sb.append("\n\tFile "); + sb.append(file.getFileName()); + sb.append(" expired "); + sb.append(Chrono.dateTime(new Date(exp))); + persist.deleteFromDisk(file); + ++metrics.dremoved; + } else if(exp > dayFromNow) { + sb.append("\n\tFile "); + sb.append(file.toString()); + sb.append(" data corrupted."); + persist.deleteFromDisk(file); + ++metrics.dremoved; + } + } catch (CadiException e) { + sb.append("\n\tError reading File "); + sb.append(file.toString()); + sb.append(". "); + sb.append(e.getMessage()); + ++metrics.dremoved; + } + + } + return FileVisitResult.CONTINUE; + } + + @Override + public FileVisitResult visitFileFailed(Path file, IOException exc) throws IOException { + access.log(Level.ERROR,"Error visiting file %s (%s)\n",file.toString(),exc.getMessage()); + return FileVisitResult.CONTINUE; + } + + @Override + public FileVisitResult postVisitDirectory(Path dir, IOException exc) throws IOException { + access.log(Level.DEBUG, sb); + return FileVisitResult.CONTINUE; + } + + }); + } catch (IOException e) { + access.log(e, "Exception while cleaning Persistance"); + } + + } + + // We want to print some activity of Persistence Check at least hourly, even if no activity has occurred, but not litter the log if nothing is happening + boolean go=false; + Level level=Level.WARN; + if(access.willLog(Level.INFO)) { + go = true; + level=Level.INFO; + } else if(access.willLog(Level.WARN)) { + go = metrics.mremoved>0 || metrics.dremoved>0 || --hourly <= 0; + } + + if(go) { + access.printf(level, "Persist Cache: removed %d of %d items from memory and %d of %d from disk", + metrics.mremoved, metrics.mexists, metrics.dremoved, metrics.dexists); + hourly = 3600000/CLEAN_CHECK; + } + } + } + + /* (non-Javadoc) + * @see java.lang.Object#finalize() + */ + @Override + protected void finalize() throws Throwable { + close(); // can call twice. + } + + + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/PersistFile.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/PersistFile.java new file mode 100644 index 00000000..1fcf043f --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/PersistFile.java @@ -0,0 +1,252 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.persist; + +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.nio.file.Files; +import java.nio.file.NoSuchFileException; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.nio.file.StandardCopyOption; +import java.nio.file.StandardOpenOption; +import java.nio.file.attribute.FileTime; +import java.nio.file.attribute.PosixFilePermission; +import java.nio.file.attribute.PosixFilePermissions; +import java.util.Set; + +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.Symm.Encryption; +import org.onap.aaf.cadi.client.Holder; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.rosetta.env.RosettaDF; + +public class PersistFile { + + private static final String HASH_NO_MATCH = "Hash does not match in Persistence"; + + protected static Symm symm; + public Access access; + protected final Path tokenPath; + protected final String tokenDir; + private static final boolean isWindows = System.getProperty("os.name").startsWith("Windows"); + + public PersistFile(Access access, String sub_dir) throws CadiException, APIException { + this.access = access; + tokenPath = Paths.get(access.getProperty(Config.CADI_TOKEN_DIR,"tokens"), sub_dir); + try { + if(!Files.exists(tokenPath)) { + if(isWindows) { + // Sorry Windows users, you need to secure your own paths + Files.createDirectories(tokenPath); + } else { + Set spfp = PosixFilePermissions.fromString("rwxr-x---"); + Files.createDirectories(tokenPath,PosixFilePermissions.asFileAttribute(spfp)); + } + } + tokenDir=tokenPath.toRealPath().toString(); + } catch (IOException e) { + throw new CadiException(e); + } + synchronized(HASH_NO_MATCH) { + if(symm==null) { + symm = Symm.obtain(access); + } + } + } + + public Path writeDisk(final RosettaDF df, final T t, final byte[] cred, final String filename, final long expires) throws CadiException { + return writeDisk(df,t,cred,Paths.get(tokenDir,filename),expires); + } + + public Path writeDisk(final RosettaDF df, final T t, final byte[] cred, final Path target, final long expires) throws CadiException { + // Make sure File is completely written before making accessible on disk... avoid corruption. + try { + Path tpath = Files.createTempFile(tokenPath,target.getFileName().toString(), ".tmp"); + final OutputStream dos = Files.newOutputStream(tpath, StandardOpenOption.CREATE,StandardOpenOption.WRITE); + try { + // Write Expires so that we can read unencrypted. + for(int i=0;i>i)&0xFF)); + } + + symm.exec(new Symm.SyncExec() { + @Override + public Void exec(Encryption enc) throws Exception { + CipherOutputStream os = enc.outputStream(dos, true); + try { + int size = cred==null?0:cred.length; + for(int i=0;i>i)&0xFF)); + } + if(cred!=null) { + os.write(cred); + } + df.newData().load(t).to(os); + } finally { + // Note: Someone on the Web noticed that using a DataOutputStream would not full close out without a flush first, + // leaving files open. + try { + os.flush(); + } catch (IOException e) { + access.log(Level.INFO, "Note: Caught Exeption while flushing CipherStream. Handled."); + } + try { + os.close(); + } catch (IOException e) { + access.log(Level.INFO, "Note: Caught Exeption while closing CipherStream. Handled."); + } + } + return null; + } + }); + } catch(Exception e) { + throw new CadiException(e); + } finally { + dos.close(); + } + return Files.move(tpath, target, StandardCopyOption.ATOMIC_MOVE,StandardCopyOption.REPLACE_EXISTING); + } catch (IOException e) { + throw new CadiException(e); + } + + } + + public T readDisk(final RosettaDF df, final byte[] cred, final String filename,final Holder hp, final Holder hl) throws CadiException { + if(hp.get()==null) { + hp.set(Paths.get(tokenDir,filename)); + } + return readDisk(df,cred,hp.get(),hl); + } + + public T readDisk(final RosettaDF df, final byte[] cred, final Path target, final Holder hexpired) throws CadiException { + // Try from Disk + T t = null; + if(Files.exists(target)) { + try { + final InputStream is = Files.newInputStream(target,StandardOpenOption.READ); + try { + // Read Expired unencrypted + long exp=0; + for(int i=0;i() { + @Override + public T exec(Encryption enc) throws Exception { + CipherInputStream dis = enc.inputStream(is,false); + try { + int size=0; + for(int i=0;i256) { + throw new CadiException("Invalid size in Token Persistence"); + } else if(cred!=null && size!=cred.length) { + throw new CadiException(HASH_NO_MATCH); + } + byte[] array = new byte[size]; + dis.read(array); + for(int i=0;i hp) throws IOException { + Path p = hp.get(); + if(p==null) { + hp.set(p=Paths.get(tokenDir,filename)); + } + return Files.getLastModifiedTime(p); + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persistable.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persistable.java new file mode 100644 index 00000000..65437795 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persistable.java @@ -0,0 +1,39 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.persist; + +import java.nio.file.Path; + +public interface Persistable { + public boolean checkSyncTime(); + public boolean checkReloadable(); + public void inc(); + public int count(); + public void clearCount(); + public boolean hasBeenTouched(); + public long expires(); // seconds from 1970 + public boolean expired(); + public byte[] getHash(); + public boolean match(byte[] hashIn); + public T get(); + public Path path(); +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persisting.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persisting.java new file mode 100644 index 00000000..f75527d3 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/persist/Persisting.java @@ -0,0 +1,167 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.persist; + +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.NoSuchFileException; +import java.nio.file.Path; +import java.nio.file.attribute.FileTime; + +import org.onap.aaf.cadi.Access.Level; + +public class Persisting implements Persistable { + private static final byte[] EMPTY = new byte[0]; + private final byte[] hash; // need to be able to validate disk entry + + private static final long SYNC_TIME = 1000*60*1; // Checking File change max 1 min + private FileTime lastTouched; + private int count; + private long expires; + private long nextCheck; + private T t; + private Path path; + private Persist persist; + + public Persisting(Persist p, T t, long expiresSecsFrom1970, byte[] hash, Path path) { + persist = p; + this.t=t; + expires = expiresSecsFrom1970; + this.path = path; + try { + lastTouched = Files.getLastModifiedTime(path); + } catch (IOException e) { + lastTouched = null; + } + count=0; + nextCheck=0; + if(hash==null) { + this.hash = EMPTY; + } else { + this.hash = hash; + } + } + + @Override + public T get() { + return t; + } + + @Override + public long expires() { + return expires; + } + + @Override + public boolean expired() { + return System.currentTimeMillis()/1000>expires; + } + + @Override + public boolean hasBeenTouched() { + try { + FileTime modT = Files.getLastModifiedTime(path); + if(lastTouched==null) { + lastTouched = modT; + return true; + } else { + return !modT.equals(lastTouched); + } + } catch (NoSuchFileException e) { + persist.access.log(Level.DEBUG, "File not found " + e.getMessage() + ", this is ok, marking as touched."); + return true; + } catch (IOException e) { + persist.access.log(e, "Accessing File Time"); + return true; + } + } + + @Override + public synchronized boolean checkSyncTime() { + long temp=System.currentTimeMillis(); + if(nextCheck==0 || nextCheck { + public Result update(ENV env); + public Result cancel(ENV env); +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/register/Registrar.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/register/Registrar.java new file mode 100644 index 00000000..e3ae85d3 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/register/Registrar.java @@ -0,0 +1,101 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.register; + +import java.util.Deque; +import java.util.Iterator; +import java.util.Timer; +import java.util.TimerTask; +import java.util.concurrent.ConcurrentLinkedDeque; + +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.misc.env.impl.BasicEnv; + +public class Registrar { + private static final String REGISTRAR = "Registrar"; + private static final long INTERVAL = 15*60*1000; // 15 mins + private static final long START = 3000; // Start in 3 seconds + private Deque> registrants; + private Timer timer, erroringTimer; + + public Registrar(final ENV env, boolean shutdownHook) { + registrants = new ConcurrentLinkedDeque>(); + + erroringTimer = null; + timer = new Timer(REGISTRAR,true); + timer.schedule(new RegistrationTimerTask(env), START, INTERVAL); + + if(shutdownHook) { + Runtime.getRuntime().addShutdownHook(new Thread() { + public void run() { + close(env); + } + }); + } + } + + private class RegistrationTimerTask extends TimerTask { + private final ENV env; + public RegistrationTimerTask(ENV env) { + this.env = env; + } + @Override + public void run() { + for(Iterator> iter = registrants.iterator(); iter.hasNext();) { + Registrant reg = iter.next(); + Result rv = reg.update(env); + synchronized(REGISTRAR) { + if(rv.isOK()) { + if(erroringTimer!=null) { + erroringTimer.cancel(); + erroringTimer = null; + } + } else { + // Account for different Registrations not being to same place + if(erroringTimer==null) { + erroringTimer = new Timer(REGISTRAR + " error re-check ",true); + erroringTimer.schedule(new RegistrationTimerTask(env),20000,20000); + } + } + } + } + } + } + + public void register(Registrant r) { + registrants.addLast(r); + } + + public void deregister(Registrant r) { + registrants.remove(r); + } + + public void close(ENV env) { + timer.cancel(); + + Registrant r; + while(registrants.peek()!=null) { + r = registrants.pop(); + r.cancel(env); + } + } +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/register/RemoteRegistrant.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/register/RemoteRegistrant.java new file mode 100644 index 00000000..6c1d6682 --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/register/RemoteRegistrant.java @@ -0,0 +1,165 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.register; + +import java.net.HttpURLConnection; +import java.net.Inet4Address; +import java.net.URI; +import java.net.UnknownHostException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.aaf.v2_0.AAFCon; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.locator.PropertyLocator; +import org.onap.aaf.cadi.util.Split; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.impl.BasicEnv; +import org.onap.aaf.misc.rosetta.env.RosettaDF; + +import locate.v1_0.MgmtEndpoint; +import locate.v1_0.MgmtEndpoints; + +public class RemoteRegistrant implements Registrant { + private final MgmtEndpoint mep; + private final MgmtEndpoints meps; + private final AAFCon aafcon; + private final RosettaDF mgmtEndpointsDF; + private final Locator locator; + private final Access access; + private final int timeout; + + @SafeVarargs + public RemoteRegistrant(AAFCon aafcon, String name, String version, int port, RemoteRegistrant ... others) throws CadiException, LocatorException { + this.aafcon = aafcon; + access = aafcon.access; + try { + mgmtEndpointsDF = aafcon.env.newDataFactory(MgmtEndpoints.class); + } catch (APIException e1) { + throw new CadiException(e1); + } + timeout = Integer.parseInt(access.getProperty(Config.AAF_CONN_TIMEOUT, Config.AAF_CONN_TIMEOUT_DEF)); + String aaf_locate = access.getProperty(Config.AAF_LOCATE_URL,null); + if(aaf_locate==null) { + throw new CadiException(Config.AAF_LOCATE_URL + " is required."); + } else { + // Note: want Property Locator, not AAFLocator, because we want the core service, not what it can find + locator = new PropertyLocator(aaf_locate); + } + + mep = new MgmtEndpoint(); + mep.setName(name); + mep.setPort(port); + + try { + String latitude = access.getProperty(Config.CADI_LATITUDE, null); + if(latitude==null) { + latitude = access.getProperty("AFT_LATITUDE", null); + } + String longitude = access.getProperty(Config.CADI_LONGITUDE, null); + if(longitude==null) { + longitude = access.getProperty("AFT_LONGITUDE", null); + } + if(latitude==null || longitude==null) { + throw new CadiException(Config.CADI_LATITUDE + " and " + Config.CADI_LONGITUDE + " is required"); + } else { + mep.setLatitude(Float.parseFloat(latitude)); + mep.setLongitude(Float.parseFloat(longitude)); + } + String split[] = Split.split('.', version); + mep.setPkg(split.length>3?Integer.parseInt(split[3]):0); + mep.setPatch(split.length>2?Integer.parseInt(split[2]):0); + mep.setMinor(split.length>1?Integer.parseInt(split[1]):0); + mep.setMajor(split.length>0?Integer.parseInt(split[0]):0); + + mep.setHostname(access.getProperty(Config.HOSTNAME, Inet4Address.getLocalHost().getHostName())); + String subprotocols = access.getProperty(Config.CADI_PROTOCOLS, null); + if(subprotocols==null) { + mep.setProtocol("http"); + } else { + mep.setProtocol("https"); + for(String s : Split.split(',', subprotocols)) { + mep.getSubprotocol().add(s); + } + } + } catch (NumberFormatException | UnknownHostException e) { + throw new CadiException("Error extracting Data from Properties for Registrar",e); + } + meps = new MgmtEndpoints(); + meps.getMgmtEndpoint().add(mep); + for(RemoteRegistrant rr : others) { + meps.getMgmtEndpoint().add(rr.mep); + } + } + + @Override + public Result update(ENV env) { + try { + Rcli client = aafcon.client(locator); + try { + Future fup = client.update("/registration",mgmtEndpointsDF,meps); + if(fup.get(timeout)) { + access.log(Level.INFO, "Registration complete to",client.getURI()); + return Result.ok(fup.code(),null); + } else { + access.log(Level.ERROR,"Error registering to AAF Locator on ", client.getURI()); + return Result.err(fup.code(),fup.body()); + } + } catch (APIException e) { + access.log(e, "Error registering service to AAF Locator"); + return Result.err(503,e.getMessage()); + } + + } catch (CadiException e) { + return Result.err(503,e.getMessage()); + } + } + + @Override + public Result cancel(ENV env) { + try { + Rcli client = aafcon.client(locator); + try { + Future fup = client.delete("/registration",mgmtEndpointsDF,meps); + if(fup.get(timeout)) { + access.log(Level.INFO, "Deregistration complete on",client.getURI()); + return Result.ok(fup.code(),null); + } else { + return Result.err(fup.code(),fup.body()); + } + } catch (APIException e) { + access.log(e, "Error deregistering service on AAF Locator"); + return Result.err(503,e.getMessage()); + } + + } catch (CadiException e) { + return Result.err(503,e.getMessage()); + } + } + +} diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java new file mode 100644 index 00000000..0241fe5d --- /dev/null +++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/sso/AAFSSO.java @@ -0,0 +1,284 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.sso; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.PrintStream; +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; +import java.util.ArrayList; +import java.util.List; +import java.util.Properties; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.util.MyConsole; +import org.onap.aaf.cadi.util.SubStandardConsole; +import org.onap.aaf.cadi.util.TheConsole; + + +public class AAFSSO { + public static final MyConsole cons = TheConsole.implemented()?new TheConsole():new SubStandardConsole(); + + private Properties diskprops = null; // use for temp storing User/Password on disk + private File dot_aaf = null, sso=null; // instantiated, if ever, with diskprops + + boolean removeSSO=false; + boolean loginOnly = false; + private PropAccess access; + private StringBuilder err; + private String user,encrypted_pass; + private boolean use_X509; + + private PrintStream os, stdout=null,stderr=null; + + private Method close; + + public AAFSSO(String[] args) throws IOException, CadiException { + List larg = new ArrayList(args.length); + + // Cover for bash's need to escape *.. (\\*) + // also, remove SSO if required + for (int i = 0; i < args.length; ++i) { + if ("\\*".equals(args[i])) { + args[i] = "*"; + } + + if("-logout".equalsIgnoreCase(args[i])) { + removeSSO=true; + } else if("-login".equalsIgnoreCase(args[i])) { + loginOnly = true; + } else { + larg.add(args[i]); + } + } + + String[] nargs = new String[larg.size()]; + larg.toArray(nargs); + + dot_aaf = new File(System.getProperty("user.home")+"/.aaf"); + if(!dot_aaf.exists()) { + dot_aaf.mkdirs(); + } + File f = new File(dot_aaf,"sso.out"); + os = new PrintStream(new FileOutputStream(f,true)); + stdout = System.out; + stderr = System.err; + System.setOut(os); + System.setErr(os); + + access = new PropAccess(os,nargs); + Config.setDefaultRealm(access); + + user = access.getProperty(Config.AAF_APPID); + encrypted_pass = access.getProperty(Config.AAF_APPPASS); + + File dot_aaf_kf = new File(dot_aaf,"keyfile"); + + sso = new File(dot_aaf,"sso.props"); + if(removeSSO) { + if(dot_aaf_kf.exists()) { + dot_aaf_kf.setWritable(true,true); + dot_aaf_kf.delete(); + } + if(sso.exists()) { + sso.delete(); + } + System.out.println("AAF SSO information removed"); + System.exit(0); + } + + if(!dot_aaf_kf.exists()) { + FileOutputStream fos = new FileOutputStream(dot_aaf_kf); + try { + fos.write(Symm.keygen()); + dot_aaf_kf.setExecutable(false,false); + dot_aaf_kf.setWritable(false,false); + dot_aaf_kf.setReadable(false,false); + dot_aaf_kf.setReadable(true, true); + } finally { + fos.close(); + } + } + + String keyfile = access.getProperty(Config.CADI_KEYFILE); // in case it's CertificateMan props + if(keyfile==null) { + access.setProperty(Config.CADI_KEYFILE, dot_aaf_kf.getAbsolutePath()); + } + + String alias = access.getProperty(Config.CADI_ALIAS); + if(user==null && alias!=null && access.getProperty(Config.CADI_KEYSTORE_PASSWORD)!=null) { + user = alias; + access.setProperty(Config.AAF_APPID, user); + use_X509 = true; + } else { + use_X509 = false; + Symm decryptor = Symm.obtain(dot_aaf_kf); + if (user==null) { + if(sso.exists() && sso.lastModified()>System.currentTimeMillis()-(8*60*60*1000 /* 8 hours */)) { + String cm_url = access.getProperty(Config.CM_URL); // SSO might overwrite... + FileInputStream fos = new FileInputStream(sso); + try { + access.load(fos); + user = access.getProperty(Config.AAF_APPID); + encrypted_pass = access.getProperty(Config.AAF_APPPASS); + // decrypt with .aaf, and re-encrypt with regular Keyfile + access.setProperty(Config.AAF_APPPASS, + access.encrypt(decryptor.depass(encrypted_pass))); + if(cm_url!=null) { //Command line CM_URL Overwrites ssofile. + access.setProperty(Config.CM_URL, cm_url); + } + } finally { + fos.close(); + } + } else { + diskprops = new Properties(); + String realm = Config.getDefaultRealm(); + // Turn on Console Sysout + System.setOut(stdout); + user=cons.readLine("aaf_id(%s@%s): ",System.getProperty("user.name"),realm); + if(user==null) { + user = System.getProperty("user.name")+'@'+realm; + } else if(user.length()==0) { // + user = System.getProperty("user.name")+'@' + realm; + } else if(user.indexOf('@')<0 && realm!=null) { + user = user+'@'+realm; + } + access.setProperty(Config.AAF_APPID,user); + diskprops.setProperty(Config.AAF_APPID,user); + encrypted_pass = new String(cons.readPassword("aaf_password: ")); + System.setOut(os); + encrypted_pass = Symm.ENC+decryptor.enpass(encrypted_pass); + access.setProperty(Config.AAF_APPPASS,encrypted_pass); + diskprops.setProperty(Config.AAF_APPPASS,encrypted_pass); + diskprops.setProperty(Config.CADI_KEYFILE, access.getProperty(Config.CADI_KEYFILE)); + } + } + } + if (user == null) { + err = new StringBuilder("Add -D" + Config.AAF_APPID + "= "); + } + + if (encrypted_pass == null && alias==null) { + if (err == null) { + err = new StringBuilder(); + } else { + err.append("and "); + } + err.append("-D" + Config.AAF_APPPASS + "= "); + } + } + + public void setLogDefault() { + access.setLogLevel(PropAccess.DEFAULT); + if(stdout!=null) { + System.setOut(stdout); + } + } + + public void setStdErrDefault() { + access.setLogLevel(PropAccess.DEFAULT); + if(stderr!=null) { + System.setErr(stderr); + } + } + + public void setLogDefault(Level level) { + access.setLogLevel(level); + if(stdout!=null) { + System.setOut(stdout); + } + } + + public boolean loginOnly() { + return loginOnly; + } + + public void addProp(String key, String value) { + if(diskprops!=null) { + diskprops.setProperty(key, value); + } + } + + public void writeFiles() throws IOException { + // Store Creds, if they work + if(diskprops!=null) { + if(!dot_aaf.exists()) { + dot_aaf.mkdirs(); + } + FileOutputStream fos = new FileOutputStream(sso); + try { + diskprops.store(fos, "AAF Single Signon"); + } finally { + fos.close(); + sso.setWritable(false,false); + sso.setExecutable(false,false); + sso.setReadable(false,false); + sso.setReadable(true,true); + } + } + if(sso!=null) { + sso.setReadable(false,false); + sso.setWritable(false,false); + sso.setExecutable(false,false); + sso.setReadable(true,true); + sso.setWritable(true,true); + } + } + + public PropAccess access() { + return access; + } + + public StringBuilder err() { + return err; + } + + public String user() { + return user; + } + + public String enc_pass() { + return encrypted_pass; + } + + public boolean useX509() { + return use_X509; + } + + public void close() { + if(close!=null) { + try { + close.invoke(null); + } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { + // nothing to do here. + } + close = null; + } + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/client/JU_ErrMessageTest.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/client/JU_ErrMessageTest.java new file mode 100644 index 00000000..15e11627 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/client/JU_ErrMessageTest.java @@ -0,0 +1,128 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.aaf.client; + +import static org.junit.Assert.assertEquals; +import static org.mockito.Mockito.when; + +import org.junit.Before; +import org.junit.Test; +import org.mockito.Answers; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.aaf.client.ErrMessage; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.Data.TYPE; +import org.onap.aaf.misc.rosetta.env.RosettaDF; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +import aaf.v2_0.Error; + +public class JU_ErrMessageTest { + + @Mock + private RosettaEnv env; + + @Mock(answer=Answers.RETURNS_DEEP_STUBS) + private RosettaDF errDF; + + private ErrMessage errMessage; + + private String attErrJson = "key:value"; + + private Error error; + + private Future future; + + @Before + public void setUp() throws Exception { + MockitoAnnotations.initMocks(this); + + when(env.newDataFactory(Error.class)).thenReturn(errDF); + + future = new Future() { + + @Override + public boolean get(int timeout) throws CadiException { + return false; + } + + @Override + public int code() { + return 0; + } + + @Override + public String body() { + return "Body"; + } + + @Override + public String header(String tag) { + return "header"; + } + }; + + error = new Error(); + error.setMessageId("Error Message Id"); + error.setText("Error Text"); + errMessage = new ErrMessage(env); + + + } + + @Test + public void testPrintErrMessage() throws APIException { + when(errDF.newData().in(TYPE.JSON).load(attErrJson).asObject()).thenReturn(error); + + errMessage.printErr(System.out, attErrJson); + } + + @Test + public void testToMsgJsonErrAttribute() throws APIException { + when(errDF.newData().in(TYPE.JSON).load(attErrJson).asObject()).thenReturn(error); + + StringBuilder sb = new StringBuilder(); + errMessage.toMsg(sb,attErrJson); + + assertEquals(sb.toString(),"Error Message Id Error Text"); + } + + @Test + public void testToMsgFuture() { + StringBuilder sb = errMessage.toMsg(future); + + assertEquals(sb.toString(), "0: Body"); + } + + + @Test + public void testToMsgFutureWithoutException() throws APIException { + when(errDF.newData().in(TYPE.JSON).load(future.body()).asObject()).thenReturn(error); + + StringBuilder sb = errMessage.toMsg(future); + + assertEquals(sb.toString(), "Error Message Id Error Text"); + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/marshal/JU_CertsMarshalTest.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/marshal/JU_CertsMarshalTest.java new file mode 100644 index 00000000..9ac6b277 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/marshal/JU_CertsMarshalTest.java @@ -0,0 +1,48 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.aaf.marshal; +import static org.junit.Assert.assertNotNull; + +import org.junit.Test; +import org.onap.aaf.cadi.aaf.marshal.CertsMarshal; +import org.onap.aaf.misc.rosetta.ParseException; + +public class JU_CertsMarshalTest { + + @Test + public void test() throws ParseException { + CertsMarshal marshal = new CertsMarshal(); + assertNotNull(marshal); + } + + @Test + public void test2() throws ParseException { + CertsMarshal marshal = new CertsMarshal(); + assertNotNull(marshal); + } + + @Test + public void test3() throws ParseException { + CertsMarshal marshal = new CertsMarshal(); + assertNotNull(marshal); + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/JU_AAFLocator.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/JU_AAFLocator.java new file mode 100644 index 00000000..71d22b8f --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/JU_AAFLocator.java @@ -0,0 +1,80 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.test; + +import java.net.HttpURLConnection; +import java.net.URI; + +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Locator.Item; +import org.onap.aaf.cadi.aaf.v2_0.AAFLocator; +import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.misc.env.impl.BasicTrans; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +public class JU_AAFLocator { + + @BeforeClass + public static void setUpBeforeClass() throws Exception { + } + + @AfterClass + public static void tearDownAfterClass() throws Exception { + } + + @Before + public void setUp() throws Exception { + } + + @After + public void tearDown() throws Exception { + } + + @Test + public void test() { + try { + // TODO: Ian [JUnit] This fails because these files don't exist + PropAccess propAccess = new PropAccess("cadi_prop_files=/opt/app/aaf/common/com.att.aaf.common.props:/opt/app/aaf/common/com.att.aaf.props"); + SecurityInfoC si = SecurityInfoC.instance(propAccess, HttpURLConnection.class); + String alu = propAccess.getProperty(Config.AAF_LOCATE_URL,"https://mithrilcsp.sbc.com:8095/locate"); + URI locatorURI = new URI(alu+"/com.att.aaf.service/2.0"); + AbsAAFLocator al = new AAFLocator(si, locatorURI); + Assert.assertTrue(al.refresh()); + Item i = al.first(); + i = al.next(i); + i = al.best(); + System.out.println("hi"); + } catch (Exception e) { + e.printStackTrace(); + Assert.fail(); + } + } + +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/TestHClient.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/TestHClient.java new file mode 100644 index 00000000..9536cd90 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/test/TestHClient.java @@ -0,0 +1,87 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.aaf.test; + +import java.net.HttpURLConnection; +import java.net.URI; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.Locator.Item; +import org.onap.aaf.cadi.aaf.v2_0.AAFLocator; +import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLocator; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.http.HBasicAuthSS; +import org.onap.aaf.cadi.http.HMangr; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.impl.BasicTrans; + +public class TestHClient { + public static void main(String[] args) { + try { + PropAccess access = new PropAccess(args); + String aaf_url = access.getProperty(Config.AAF_URL); + if(aaf_url == null) { + access.log(Level.ERROR, Config.AAF_URL," is required"); + } else { + HMangr hman = null; + try { + SecurityInfoC si = SecurityInfoC.instance(access, HttpURLConnection.class); + AbsAAFLocator loc = new AAFLocator(si,new URI(aaf_url)); + for(Item item = loc.first(); item!=null; item=loc.next(item)) { + System.out.println(loc.get(item)); + } + SecuritySetter ss = new HBasicAuthSS(si); + // SecuritySetter ss = new X509SS(si, "aaf"); + + hman = new HMangr(access,loc); + final String path = String.format("/authz/perms/user/%s", + access.getProperty(Config.AAF_APPID,"xx9999@csp.att.com")); + hman.best(ss, new Retryable() { + @Override + public Void code(Rcli cli) throws APIException, CadiException { + Future ft = cli.read(path,"application/json"); + if(ft.get(10000)) { + System.out.println("Hurray,\n"+ft.body()); + } else { + System.out.println("not quite: " + ft.code()); + } + return null; + }}); + } finally { + if(hman!=null) { + hman.close(); + } + } + } + } catch (Exception e) { + e.printStackTrace(); + } + } + +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/v2_0/JU_AAFAuthnTest.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/v2_0/JU_AAFAuthnTest.java new file mode 100644 index 00000000..5bea1981 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/aaf/v2_0/JU_AAFAuthnTest.java @@ -0,0 +1,154 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.aaf.v2_0; +import static org.junit.Assert.assertNotNull; +import static org.mockito.Matchers.anyInt; +import static org.mockito.Mockito.when; + +import javax.net.ssl.HttpsURLConnection; + +import org.junit.Before; +import org.junit.Test; +import org.mockito.Answers; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.misc.env.APIException; + +public class JU_AAFAuthnTest { + + @Mock(answer = Answers.RETURNS_DEEP_STUBS) + private AAFCon con; + + @Mock(answer = Answers.RETURNS_DEEP_STUBS) + private Future fp; + + @Mock(answer = Answers.RETURNS_DEEP_STUBS) + private AbsUserCache cache; + + + @Before + public void setup() throws APIException, CadiException { + MockitoAnnotations.initMocks(this); + when(con.client(Config.AAF_DEFAULT_VERSION).read("/authn/basicAuth", "text/plain")).thenReturn(fp); + } + /*TODO broken JUNIT with MOCKITO + * + * reduce size of this test file by looping thru conOfClient instead of copy pasta? + * + * These appear to receive data but cannot validate them. Maybe due to @before + * Possible fixes for tomorrow: look into auth,validate, @before mockito, @mock issues? + * + */ + @Test + public void testAAFAuthnAAFConOfCLIENT() throws Exception { + when(fp.get(anyInt())).thenReturn(false); + when(fp.code()).thenReturn(401); + when(fp.header("WWW-Authenticate")).thenReturn("Basic realm=\"Value\""); + AAFAuthn auth = con.newAuthn(); + assertNotNull(auth.validate("NewUser", "New Password"));; + } + + @Test + public void testAAFAuthnAAFConOfCLIENTAbsUserCacheOfAAFPermission() throws Exception { + AAFAuthn auth = con.newAuthn(cache); + } + //TODO broken JUNIT with MOCKITO + @Test + public void testAAFAuthnAAFConOfCLIENT1() throws Exception { + when(fp.get(anyInt())).thenReturn(false); + when(fp.code()).thenReturn(401); + when(fp.header("WWW-Authenticate")).thenReturn("Basic realm=\"Value\""); + AAFAuthn auth = con.newAuthn(); + + assertNotNull(auth.validate("NewUser1", "New Password1"));; + } + + @Test + public void testAAFAuthnAAFConOfCLIENTAbsUserCacheOfAAFPermission1() throws Exception { + AAFAuthn auth = con.newAuthn(cache); + } + //TODO broken JUNIT with MOCKITO + @Test + public void testAAFAuthnAAFConOfCLIENT2() throws Exception { + when(fp.get(anyInt())).thenReturn(false); + when(fp.code()).thenReturn(401); + when(fp.header("WWW-Authenticate")).thenReturn("Basic realm=\"Value\""); + AAFAuthn auth = con.newAuthn(); + + assertNotNull(auth.validate("NewUser2", "New Password2"));; + } + + @Test + public void testAAFAuthnAAFConOfCLIENTAbsUserCacheOfAAFPermission2() throws Exception { + AAFAuthn auth = con.newAuthn(cache); + } + //TODO broken JUNIT with MOCKITO + @Test + public void testAAFAuthnAAFConOfCLIENT3() throws Exception { + when(fp.get(anyInt())).thenReturn(false); + when(fp.code()).thenReturn(401); + when(fp.header("WWW-Authenticate")).thenReturn("Basic realm=\"Value\""); + AAFAuthn auth = con.newAuthn(); + + assertNotNull(auth.validate("NewUser3", "New Password3"));; + } + + @Test + public void testAAFAuthnAAFConOfCLIENTAbsUserCacheOfAAFPermission3() throws Exception { + AAFAuthn auth = con.newAuthn(cache); + } + //TODO broken JUNIT with MOCKITO + @Test + public void testAAFAuthnAAFConOfCLIENT4() throws Exception { + when(fp.get(anyInt())).thenReturn(false); + when(fp.code()).thenReturn(401); + when(fp.header("WWW-Authenticate")).thenReturn("Basic realm=\"Value\""); + AAFAuthn auth = con.newAuthn(); + + assertNotNull(auth.validate("NewUser4", "New Password4"));; + } + + @Test + public void testAAFAuthnAAFConOfCLIENTAbsUserCacheOfAAFPermission4() throws Exception { + AAFAuthn auth = con.newAuthn(cache); + } + //TODO broken JUNIT with MOCKITO + @Test + public void testAAFAuthnAAFConOfCLIENT5() throws Exception { + when(fp.get(anyInt())).thenReturn(false); + when(fp.code()).thenReturn(401); + when(fp.header("WWW-Authenticate")).thenReturn("Basic realm=\"Value\""); + AAFAuthn auth = con.newAuthn(); + + assertNotNull(auth.validate("NewUser5", "New Password5"));; + } + + @Test + public void testAAFAuthnAAFConOfCLIENTAbsUserCacheOfAAFPermission5() throws Exception { + AAFAuthn auth = con.newAuthn(cache); + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_JMeter.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_JMeter.java new file mode 100644 index 00000000..187a4b7e --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_JMeter.java @@ -0,0 +1,143 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.lur.aaf.test; + +import java.io.BufferedReader; +import java.io.File; +import java.io.FileReader; +import java.io.PrintWriter; +import java.io.StringWriter; +import java.net.HttpURLConnection; +import java.security.Principal; +import java.util.ArrayList; +import java.util.List; +import java.util.Properties; + +import org.junit.BeforeClass; +import org.junit.Test; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn; +import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; +import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm; +import org.onap.aaf.cadi.aaf.v2_0.AAFTaf; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.locator.DNSLocator; +import org.onap.aaf.cadi.principal.CachedBasicPrincipal; + +import junit.framework.Assert; + +public class JU_JMeter { + private static AAFConHttp aaf; + private static AAFAuthn aafAuthn; + private static AAFLurPerm aafLur; + private static ArrayList perfIDs; + + private static AAFTaf aafTaf; + private static PropAccess access; + + @BeforeClass + public static void before() throws Exception { + if(aafLur==null) { + Properties props = System.getProperties(); + props.setProperty("AFT_LATITUDE", "32.780140"); + props.setProperty("AFT_LONGITUDE", "-96.800451"); + props.setProperty("DME2_EP_REGISTRY_CLASS","DME2FS"); + props.setProperty("AFT_DME2_EP_REGISTRY_FS_DIR","/Volumes/Data/src/authz/dme2reg"); + props.setProperty("AFT_ENVIRONMENT", "AFTUAT"); + props.setProperty("SCLD_PLATFORM", "NON-PROD"); + props.setProperty(Config.AAF_URL,"https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=2.0/envContext=DEV/routeOffer=BAU_SE"); + props.setProperty(Config.AAF_CALL_TIMEOUT, "2000"); + int timeToLive = 3000; + props.setProperty(Config.AAF_CLEAN_INTERVAL, Integer.toString(timeToLive)); + props.setProperty(Config.AAF_HIGH_COUNT, "4"); + + String aafPerfIDs = props.getProperty("AAF_PERF_IDS"); + perfIDs = new ArrayList(); + File perfFile = null; + if(aafPerfIDs!=null) { + perfFile = new File(aafPerfIDs); + } + + access = new PropAccess(); + aaf = new AAFConHttp(access, new DNSLocator(access,"https","localhost","8100")); + aafTaf = new AAFTaf(aaf,false); + aafLur = aaf.newLur(aafTaf); + aafAuthn = aaf.newAuthn(aafTaf); + aaf.basicAuth("testid@aaf.att.com", "whatever"); + + if(perfFile==null||!perfFile.exists()) { + perfIDs.add(new CachedBasicPrincipal(aafTaf, + "Basic dGVzdGlkOndoYXRldmVy", + "aaf.att.com",timeToLive)); + perfIDs.add(new Princ("ab1234@aaf.att.com")); // Example of Local ID, which isn't looked up + } else { + BufferedReader ir = new BufferedReader(new FileReader(perfFile)); + try { + String line; + while((line = ir.readLine())!=null) { + if((line=line.trim()).length()>0) + perfIDs.add(new Princ(line)); + } + } finally { + ir.close(); + } + } + Assert.assertNotNull(aafLur); + } + } + + private static class Princ implements Principal { + private String name; + public Princ(String name) { + this.name = name; + } + public String getName() { + return name; + } + + }; + + private static int index = -1; + + private synchronized Principal getIndex() { + if(perfIDs.size()<=++index)index=0; + return perfIDs.get(index); + } + @Test + public void test() { + try { + aafAuthn.validate("testid@aaf.att.com", "whatever"); + List perms = new ArrayList(); + aafLur.fishAll(getIndex(), perms); +// Assert.assertFalse(perms.isEmpty()); +// for(Permission p : perms) { +// //access.log(Access.Level.AUDIT, p.permType()); +// } + } catch (Exception e) { + StringWriter sw = new StringWriter(); + e.printStackTrace(new PrintWriter(sw)); + Assert.assertFalse(sw.toString(),true); + } + } + +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_Lur2_0Call.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_Lur2_0Call.java new file mode 100644 index 00000000..ddc7f001 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_Lur2_0Call.java @@ -0,0 +1,573 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.lur.aaf.test; + +import static org.junit.Assert.assertEquals; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.net.HttpURLConnection; +import java.security.Principal; +import java.util.Collection; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Map; + +import javax.servlet.AsyncContext; +import javax.servlet.DispatcherType; +import javax.servlet.RequestDispatcher; +import javax.servlet.ServletContext; +import javax.servlet.ServletException; +import javax.servlet.ServletInputStream; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import javax.servlet.http.Part; + +import org.junit.BeforeClass; +import org.junit.Test; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.Taf.LifeForm; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; +import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm; +import org.onap.aaf.cadi.aaf.v2_0.AAFTaf; +import org.onap.aaf.cadi.locator.DNSLocator; +import org.onap.aaf.cadi.lur.ConfigPrincipal; +import org.onap.aaf.cadi.lur.LocalPermission; +import org.onap.aaf.cadi.taf.TafResp; + +public class JU_Lur2_0Call { + private static AAFConHttp aaf; + private static PropAccess access; + + @BeforeClass + public static void setUpBeforeClass() throws Exception { + access = new PropAccess(); + aaf = new AAFConHttp(access,new DNSLocator(access,"https","localhost","8100")); + aaf.basicAuth("testid", "whatever"); + } + + @Test + public void test() throws Exception { + + AAFLurPerm aafLur = aaf.newLur(); + + Principal pri = new ConfigPrincipal("testid@aaf.att.com","whatever"); + for (int i = 0; i < 10; ++i) { + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|myInstance|write"),true); + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|kumquat|write"),false); + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|myInstance|read"),true); + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|kumquat|read"),true); + + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service","myInstance","write"),true); + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service","kumquat","write"),false); + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service","myInstance","read"),true); + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service","kumquat","read"),true); + + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|!kum.*|read"),true); + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|myInstance|!wr*"),true); + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|myInstance"),true); + + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service","!kum.*","read"),true); + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service","myInstance","!wr*"),true); + + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|!kum[Qq]uat|read"),true); + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|!my[iI]nstance|!wr*"),true); + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|!my[iI]nstance|!wr*"),true); + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|myInstance|!wr*"),true); + + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service","!kum[Qq]uat","read"),true); + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service","!my[iI]nstance","!wr*"),true); + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service","!my[iI]nstance","!wr*"),true); + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service","myInstance","!wr*"),true); + + + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|!my.nstance|!wr*"),true); + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|my.nstance|!wr*"),false); + + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|my.nstance|!wr*"),false); + + //Maitrayee, aren't we going to have issues if we do RegExp with "."? + //Is it too expensive to only do Reg Ex in presence of special characters, []{}*, etc? Not sure this helps for GRID. + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|kum.quat|read"),true); + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|!kum..uat|read"),true); + + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|myInstance"),true); // ok if Stored Action is "*" + + // Key Evaluations + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|:myCluster:*:!my.*|write"),true); // ok if Stored Action is "*" + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|:myCluster:*|write"),false); // not ok if key lengths don't match "*" + print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|:myCluster:*:myCF|write"),true); // ok if Stored Action is "*" + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service",":myCluster:*:!my.*","write"),true); // ok if Stored Action is "*" + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service",":myCluster:*:myCF","write"),true); // ok if Stored Action is "*" + print(aafLur, pri, new AAFPermission("com.test.JU_Lur2_0Call.service",":myCluster:*","write"),false); // not ok if key lengths don't match + + } + + print(aafLur, pri, new LocalPermission("bogus"),false); + +// try { +// Thread.sleep(7000); +// } catch (InterruptedException e) { +// e.printStackTrace(); +// } + for (int i = 0; i < 10; ++i) + print(aafLur, pri, new LocalPermission("supergroup"),false); + + System.out.println("All Done"); + } + @Test + public void testTaf() throws Exception { + AAFTaf aaft = new AAFTaf(aaf,true); + + TafResp resp; + // No Header + resp = aaft.validate(LifeForm.CBLF, new Req(), null); + assertEquals(TafResp.RESP.TRY_AUTHENTICATING, resp.isAuthenticated()); + + String auth = "Basic " + Symm.base64.encode("testid:whatever"); + resp = aaft.validate(LifeForm.CBLF, new Req("Authorization",auth), null); + assertEquals(TafResp.RESP.IS_AUTHENTICATED, resp.isAuthenticated()); + + } +// @Test +// public void testRole() throws CadiException { +// TestAccess ta = new TestAccess(); +// AAFLurRole1_0 aafLur = new AAFLurRole1_0( +// ta, +//// "http://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=1.0.0/envContext=UAT/routeOffer=BAU_SE", +// "http://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=1.0.0/envContext=DEV/routeOffer=D1", +// "m12345", "m12345pass", 50000, // dme Time +// // 5*60000); // 5 minutes User Expiration +// 50000, // 5 seconds after Expiration +// 200); // High Count of items.. These do not take much memory +// +// Principal pri = new ConfigPrincipal("xy1234","whatever"); +// for (int i = 0; i < 10; ++i) { +//// print(aafLur, pri, new LocalPermission("*|*|*|com.att.authz")); +// print(aafLur, pri, new LocalPermission("service|myInstance|write"),false); +// print(aafLur, pri, new LocalPermission("com.test.JU_Lur2_0Call.service|myInstance|write"),false); +// print(aafLur, pri, new LocalPermission("org.osaaf.cadi"),true); +// print(aafLur, pri, new LocalPermission("global"),true); +// print(aafLur, pri, new LocalPermission("kumquat"),false); +// } +// +// print(aafLur, pri, new LocalPermission("bogus"),false); +// +// for (int i = 0; i < 10; ++i) +// print(aafLur, pri, new LocalPermission("supergroup"),false); +// +// System.out.println("All Done"); +// } + + + private void print(Lur aafLur, Principal pri, Permission perm, boolean shouldBe) + throws CadiException { + long start = System.nanoTime(); + + // The Call + boolean ok = aafLur.fish(pri, perm); + + assertEquals(shouldBe,ok); + float ms = (System.nanoTime() - start) / 1000000f; + if (ok) { + System.out.println("Yes, part of " + perm.getKey() + " (" + ms + + "ms)"); + } else { + System.out.println("No, not part of " + perm.getKey() + " (" + ms + + "ms)"); + } + } + + @SuppressWarnings("rawtypes") + public class Req implements HttpServletRequest { + private String[] headers; + + public Req(String ... headers) { + this.headers = headers; + } + + public Object getAttribute(String name) { + // TODO Auto-generated method stub + return null; + } + + @SuppressWarnings("unchecked") + public Enumeration getAttributeNames() { + // TODO Auto-generated method stub + return null; + } + + public String getCharacterEncoding() { + // TODO Auto-generated method stub + return null; + } + + public void setCharacterEncoding(String env) + throws UnsupportedEncodingException { + // TODO Auto-generated method stub + + } + + public int getContentLength() { + // TODO Auto-generated method stub + return 0; + } + + public String getContentType() { + // TODO Auto-generated method stub + return null; + } + + public ServletInputStream getInputStream() throws IOException { + // TODO Auto-generated method stub + return null; + } + + public String getParameter(String name) { + // TODO Auto-generated method stub + return null; + } + + @SuppressWarnings("unchecked") + public Enumeration getParameterNames() { + // TODO Auto-generated method stub + return null; + } + + public String[] getParameterValues(String name) { + // TODO Auto-generated method stub + return null; + } + + @SuppressWarnings("unchecked") + public Map getParameterMap() { + // TODO Auto-generated method stub + return null; + } + + public String getProtocol() { + // TODO Auto-generated method stub + return null; + } + + public String getScheme() { + // TODO Auto-generated method stub + return null; + } + + public String getServerName() { + // TODO Auto-generated method stub + return null; + } + + public int getServerPort() { + // TODO Auto-generated method stub + return 0; + } + + public BufferedReader getReader() throws IOException { + // TODO Auto-generated method stub + return null; + } + + public String getRemoteAddr() { + // TODO Auto-generated method stub + return null; + } + + public String getRemoteHost() { + // TODO Auto-generated method stub + return null; + } + + public void setAttribute(String name, Object o) { + // TODO Auto-generated method stub + + } + + public void removeAttribute(String name) { + // TODO Auto-generated method stub + + } + + public Locale getLocale() { + // TODO Auto-generated method stub + return null; + } + + @SuppressWarnings("unchecked") + public Enumeration getLocales() { + // TODO Auto-generated method stub + return null; + } + + public boolean isSecure() { + // TODO Auto-generated method stub + return false; + } + + public RequestDispatcher getRequestDispatcher(String path) { + // TODO Auto-generated method stub + return null; + } + + public String getRealPath(String path) { + // TODO Auto-generated method stub + return null; + } + + public int getRemotePort() { + // TODO Auto-generated method stub + return 0; + } + + public String getLocalName() { + // TODO Auto-generated method stub + return null; + } + + public String getLocalAddr() { + // TODO Auto-generated method stub + return null; + } + + public int getLocalPort() { + // TODO Auto-generated method stub + return 0; + } + + public String getAuthType() { + // TODO Auto-generated method stub + return null; + } + + public Cookie[] getCookies() { + // TODO Auto-generated method stub + return null; + } + + public long getDateHeader(String name) { + // TODO Auto-generated method stub + return 0; + } + + public String getHeader(String name) { + for(int i=1;i getParts() throws IOException, ServletException { + // TODO Auto-generated method stub + return null; + } + + @Override + public Part getPart(String name) throws IOException, ServletException { + // TODO Auto-generated method stub + return null; + } + + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_MultiThreadPermHit.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_MultiThreadPermHit.java new file mode 100644 index 00000000..46c1064b --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_MultiThreadPermHit.java @@ -0,0 +1,148 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.lur.aaf.test; + +import java.security.Principal; +import java.util.ArrayList; +import java.util.List; + +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn; +import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; +import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.locator.PropertyLocator; +import org.onap.aaf.stillNeed.TestPrincipal; + +public class JU_MultiThreadPermHit { + public static void main(String args[]) { + // Link or reuse to your Logging mechanism + PropAccess myAccess = new PropAccess(); // + + // + try { + AAFConHttp con = new AAFConHttp(myAccess,new PropertyLocator("https://mithrilcsp.sbc.com:8100")); + + // AAFLur has pool of DME clients as needed, and Caches Client lookups + final AAFLurPerm aafLur = con.newLur(); + aafLur.setDebug("m12345@aaf.att.com"); + + // Note: If you need both Authn and Authz construct the following: + AAFAuthn aafAuthn = con.newAuthn(aafLur); + + // Do not set Mech ID until after you construct AAFAuthn, + // because we initiate "401" info to determine the Realm of + // of the service we're after. + final String id = myAccess.getProperty(Config.AAF_APPID,null); + final String pass = myAccess.decrypt(myAccess.getProperty(Config.AAF_APPPASS,null),false); + if(id!=null && pass!=null) { + try { + + // Normally, you obtain Principal from Authentication System. + // // For J2EE, you can ask the HttpServletRequest for getUserPrincipal() + // // If you use CADI as Authenticator, it will get you these Principals from + // // CSP or BasicAuth mechanisms. + // String id = "cluster_admin@gridcore.att.com"; + // + // // If Validate succeeds, you will get a Null, otherwise, you will a String for the reason. + String ok; + ok = aafAuthn.validate(id, pass); + if(ok!=null) { + System.out.println(ok); + } + + List pond = new ArrayList(); + for(int i=0;i<20;++i) { + pond.clear(); + Principal p = new TestPrincipal(i+id); + aafLur.fishAll(p, pond); + if(ok!=null && i%1000==0) { + System.out.println(i + " " + ok); + } + } + + for(int i=0;i<1000000;++i) { + ok = aafAuthn.validate( i+ id, "wrongPass"); + if(ok!=null && i%1000==0) { + System.out.println(i + " " + ok); + } + } + + final AAFPermission perm = new AAFPermission("org.osaaf.aaf.access","*","*"); + + // Now you can ask the LUR (Local Representative of the User Repository about Authorization + // With CADI, in J2EE, you can call isUserInRole("org.osaaf.mygroup|mytype|write") on the Request Object + // instead of creating your own LUR + for(int i=0;i<4;++i) { + Principal p = new TestPrincipal(i+id); + + if(aafLur.fish(p, perm)) { + System.out.println("Yes, " + id + " has permission for " + perm.getKey()); + } else { + System.out.println("No, " + id + " does not have permission for " + perm.getKey()); + } + } + + + // Or you can all for all the Permissions available + List perms = new ArrayList(); + + Principal p = new TestPrincipal(id); + aafLur.fishAll(p,perms); + System.out.println("Perms for " + id); + for(Permission prm : perms) { + System.out.println(prm.getKey()); + } + + System.out.println("Press any key to continue"); + System.in.read(); + + for(int j=0;j<5;++j) { + new Thread(new Runnable() { + @Override + public void run() { + for(int i=0;i<20;++i) { + Principal p = new TestPrincipal(id); + if(aafLur.fish(p, perm)) { + System.out.println("Yes, " + id + " has permission for " + perm.getKey()); + } else { + System.out.println("No, " + id + " does not have permission for " + perm.getKey()); + } + } + } + }).start(); + } + + + } finally { + aafLur.destroy(); + } + } else { // checked on IDs + System.err.println(Config.AAF_APPID + " and/or " + Config.AAF_APPPASS + " are not set."); + } + } catch (Exception e) { + e.printStackTrace(); + } + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_PermEval.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_PermEval.java new file mode 100644 index 00000000..b95fbd33 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_PermEval.java @@ -0,0 +1,107 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.lur.aaf.test; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +import org.junit.AfterClass; +import org.junit.Test; +import org.onap.aaf.cadi.aaf.PermEval; + +public class JU_PermEval { + + @AfterClass + public static void tearDownAfterClass() throws Exception { + } + + @Test + public void test() { + assertTrue(PermEval.evalInstance(":com.att.temp:role:write",":!com.att.*:role:write")); + + // TRUE + assertTrue(PermEval.evalAction("fred","fred")); + assertTrue(PermEval.evalAction("fred,wilma","fred")); + assertTrue(PermEval.evalAction("barney,betty,fred,wilma","fred")); + assertTrue(PermEval.evalAction("*","fred")); + + assertTrue(PermEval.evalInstance("fred","fred")); + assertTrue(PermEval.evalInstance("fred,wilma","fred")); + assertTrue(PermEval.evalInstance("barney,betty,fred,wilma","fred")); + assertTrue(PermEval.evalInstance("*","fred")); + + assertTrue(PermEval.evalInstance(":fred:fred",":fred:fred")); + assertTrue(PermEval.evalInstance(":fred:fred,wilma",":fred:fred")); + assertTrue(PermEval.evalInstance(":fred:barney,betty,fred,wilma",":fred:fred")); + assertTrue(PermEval.evalInstance("*","fred")); + assertTrue(PermEval.evalInstance(":*:fred",":fred:fred")); + assertTrue(PermEval.evalInstance(":fred:*",":fred:fred")); + assertTrue(PermEval.evalInstance(":fred:fred",":!f.*:fred")); + assertTrue(PermEval.evalInstance(":fred:fred",":fred:!f.*")); + + /// FALSE + assertFalse(PermEval.evalInstance("fred","wilma")); + assertFalse(PermEval.evalInstance("fred,barney,betty","wilma")); + assertFalse(PermEval.evalInstance(":fred:fred",":fred:wilma")); + assertFalse(PermEval.evalInstance(":fred:fred",":wilma:fred")); + assertFalse(PermEval.evalInstance(":fred:fred",":wilma:!f.*")); + assertFalse(PermEval.evalInstance(":fred:fred",":!f.*:wilma")); + assertFalse(PermEval.evalInstance(":fred:fred",":!w.*:!f.*")); + assertFalse(PermEval.evalInstance(":fred:fred",":!f.*:!w.*")); + + assertFalse(PermEval.evalInstance(":fred:fred",":fred:!x.*")); + + // MSO Tests 12/3/2015 + assertFalse(PermEval.evalInstance("/v1/services/features/*","/v1/services/features")); + assertFalse(PermEval.evalInstance(":v1:services:features:*",":v1:services:features")); + assertTrue(PermEval.evalInstance("/v1/services/features/*","/v1/services/features/api1")); + assertTrue(PermEval.evalInstance(":v1:services:features:*",":v1:services:features:api2")); + // MSO - Xue Gao + assertTrue(PermEval.evalInstance(":v1:requests:*",":v1:requests:test0-service")); + + + + // Same tests, with Slashes + assertTrue(PermEval.evalInstance("/fred/fred","/fred/fred")); + assertTrue(PermEval.evalInstance("/fred/fred,wilma","/fred/fred")); + assertTrue(PermEval.evalInstance("/fred/barney,betty,fred,wilma","/fred/fred")); + assertTrue(PermEval.evalInstance("*","fred")); + assertTrue(PermEval.evalInstance("/*/fred","/fred/fred")); + assertTrue(PermEval.evalInstance("/fred/*","/fred/fred")); + assertTrue(PermEval.evalInstance("/fred/fred","/!f.*/fred")); + assertTrue(PermEval.evalInstance("/fred/fred","/fred/!f.*")); + + /// FALSE + assertFalse(PermEval.evalInstance("fred","wilma")); + assertFalse(PermEval.evalInstance("fred,barney,betty","wilma")); + assertFalse(PermEval.evalInstance("/fred/fred","/fred/wilma")); + assertFalse(PermEval.evalInstance("/fred/fred","/wilma/fred")); + assertFalse(PermEval.evalInstance("/fred/fred","/wilma/!f.*")); + assertFalse(PermEval.evalInstance("/fred/fred","/!f.*/wilma")); + assertFalse(PermEval.evalInstance("/fred/fred","/!w.*/!f.*")); + assertFalse(PermEval.evalInstance("/fred/fred","/!f.*/!w.*")); + + assertFalse(PermEval.evalInstance("/fred/fred","/fred/!x.*")); + + } + +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_TestAccess.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_TestAccess.java new file mode 100644 index 00000000..1d19a425 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/lur/aaf/test/JU_TestAccess.java @@ -0,0 +1,127 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.lur.aaf.test; + +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.PrintStream; +import java.util.Properties; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.config.Config; + +public class JU_TestAccess implements Access { + private Symm symm; + private PrintStream out; + + public JU_TestAccess(PrintStream out) { + this.out = out; + InputStream is = ClassLoader.getSystemResourceAsStream("cadi.properties"); + try { + System.getProperties().load(is); + } catch (IOException e) { + e.printStackTrace(out); + } finally { + try { + is.close(); + } catch (IOException e) { + e.printStackTrace(out); + } + } + + String keyfile = System.getProperty(Config.CADI_KEYFILE); + if(keyfile==null) { + System.err.println("No " + Config.CADI_KEYFILE + " in Classpath"); + } else { + try { + is = new FileInputStream(keyfile); + try { + symm = Symm.obtain(is); + } finally { + is.close(); + } + } catch (IOException e) { + e.printStackTrace(out); + } + } + + + + } + + public void log(Level level, Object... elements) { + boolean first = true; + for(int i=0;i aafAuthn = con.newAuthn(aafLur); + + // Do not set Mech ID until after you construct AAFAuthn, + // because we initiate "401" info to determine the Realm of + // of the service we're after. + final String id = myAccess.getProperty(Config.AAF_APPID,null); + final String pass = myAccess.decrypt(myAccess.getProperty(Config.AAF_APPPASS,null),false); + if(id!=null && pass!=null) { + try { + + // Normally, you obtain Principal from Authentication System. + // // For J2EE, you can ask the HttpServletRequest for getUserPrincipal() + // // If you use CADI as Authenticator, it will get you these Principals from + // // CSP or BasicAuth mechanisms. + // String id = "cluster_admin@gridcore.att.com"; + // + // // If Validate succeeds, you will get a Null, otherwise, you will a String for the reason. + String ok; + ok = aafAuthn.validate(id, pass,null /* use AuthzTrans or HttpServlet, if you have it */); + if(ok!=null) { + System.out.println(ok); + } + + List pond = new ArrayList(); + for(int i=0;i<20;++i) { + pond.clear(); + aafLur.fishAll(new TestPrincipal(i+id), pond); + if(ok!=null && i%1000==0) { + System.out.println(i + " " + ok); + } + } + + for(int i=0;i<1000000;++i) { + ok = aafAuthn.validate( i+ id, "wrongPass",null /* use AuthzTrans or HttpServlet, if you have it */); + if(ok!=null && i%1000==0) { + System.out.println(i + " " + ok); + } + } + + final AAFPermission perm = new AAFPermission("org.osaaf.aaf.access","*","*"); + + // Now you can ask the LUR (Local Representative of the User Repository about Authorization + // With CADI, in J2EE, you can call isUserInRole("org.osaaf.mygroup|mytype|write") on the Request Object + // instead of creating your own LUR + final Principal p = new TestPrincipal(id); + for(int i=0;i<4;++i) { + if(aafLur.fish(p, perm)) { + System.out.println("Yes, " + id + " has permission for " + perm.getKey()); + } else { + System.out.println("No, " + id + " does not have permission for " + perm.getKey()); + } + } + + + // Or you can all for all the Permissions available + List perms = new ArrayList(); + + + aafLur.fishAll(p,perms); + System.out.println("Perms for " + id); + for(Permission prm : perms) { + System.out.println(prm.getKey()); + } + + System.out.println("Press any key to continue"); + System.in.read(); + + for(int j=0;j<5;++j) { + new Thread(new Runnable() { + @Override + public void run() { + for(int i=0;i<20;++i) { + if(aafLur.fish(p, perm)) { + System.out.println("Yes, " + id + " has permission for " + perm.getKey()); + } else { + System.out.println("No, " + id + " does not have permission for " + perm.getKey()); + } + } + } + }).start(); + } + + + } finally { + aafLur.destroy(); + } + } else { // checked on IDs + System.err.println(Config.AAF_APPID + " and/or " + Config.AAF_APPPASS + " are not set."); + } + } catch (Exception e) { + e.printStackTrace(); + } + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_FastPerms.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_FastPerms.java new file mode 100644 index 00000000..523bbc58 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_FastPerms.java @@ -0,0 +1,106 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth.test; + +import java.io.StringReader; + +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.oauth.TokenPerm.LoadPermissions; +import org.onap.aaf.misc.rosetta.ParseException; + +public class JU_FastPerms { + + @BeforeClass + public static void setUpBeforeClass() throws Exception { + } + + @AfterClass + public static void tearDownAfterClass() throws Exception { + } + + @Before + public void setUp() throws Exception { + } + + @After + public void tearDown() throws Exception { + } + + @Test + public void test() { + String json = "{\"perm\":[" + + " {\"type\":\"com.access\",\"instance\":\"*\",\"action\":\"read,approve\"}," + + " {\"type\":\"org.osaaf.aaf.access\",\"instance\":\"*\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.aaf.access\",\"instance\":\"*\",\"action\":\"read\"}," + + " {\"type\":\"org.osaaf.aaf.attrib\",\"instance\":\":com.att.*:swm\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.aaf.bogus\",\"instance\":\"sample\",\"action\":\"read\"}," + + " {\"type\":\"org.osaaf.aaf.ca\",\"instance\":\"aaf\",\"action\":\"ip\"}," + + " {\"type\":\"org.osaaf.aaf.ca\",\"instance\":\"local\",\"action\":\"domain\"}," + + " {\"type\":\"org.osaaf.aaf.cache\",\"instance\":\"*\",\"action\":\"clear\"}," + + " {\"type\":\"org.osaaf.aaf.cass\",\"instance\":\":mithril\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.aaf.certman\",\"instance\":\"local\",\"action\":\"read,request,showpass\"}," + + " {\"type\":\"org.osaaf.aaf.db\",\"instance\":\"pool\",\"action\":\"clear\"}," + + " {\"type\":\"org.osaaf.aaf.deny\",\"instance\":\"com.att\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.aaf.jenkins\",\"instance\":\"mithrilcsp.sbc.com\",\"action\":\"admin\"}," + + " {\"type\":\"org.osaaf.aaf.log\",\"instance\":\"com.att\",\"action\":\"id\"}," + + " {\"type\":\"org.osaaf.aaf.myPerm\",\"instance\":\"myInstance\",\"action\":\"myAction\"}," + + " {\"type\":\"org.osaaf.aaf.ns\",\"instance\":\":com.att.*:ns\",\"action\":\"write\"}," + + " {\"type\":\"org.osaaf.aaf.ns\",\"instance\":\":com.att:ns\",\"action\":\"write\"}," + + " {\"type\":\"org.osaaf.aaf.password\",\"instance\":\"com.att\",\"action\":\"extend\"}," + + " {\"type\":\"org.osaaf.access\",\"instance\":\"*\",\"action\":\"read\"}," + + " {\"type\":\"org.osaaf.authz.access\",\"instance\":\"*\",\"action\":\"read\"}," + + " {\"type\":\"org.osaaf.authz.dev.access\",\"instance\":\"*\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.authz.swm.star\",\"instance\":\"*\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.cadi.access\",\"instance\":\"*\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.chris.access\",\"instance\":\"*\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.csid.lab.swm.node\",\"instance\":\"*\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.myapp.access\",\"instance\":\"*\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.myapp.access\",\"instance\":\"*\",\"action\":\"read\"}," + + " {\"type\":\"org.osaaf.sample.access\",\"instance\":\"*\",\"action\":\"read\"}," + + " {\"type\":\"org.osaaf.sample.swm.myPerm\",\"instance\":\"*\",\"action\":\"read\"}," + + " {\"type\":\"org.osaaf.temp.access\",\"instance\":\"*\",\"action\":\"read\"}," + + " {\"type\":\"org.osaaf.test.access\",\"instance\":\"*\",\"action\":\"*\"}," + + " {\"type\":\"org.osaaf.test.access\",\"instance\":\"*\",\"action\":\"read\"}," + + " {\"type\":\"com.test.access\",\"instance\":\"*\",\"action\":\"read\"}," + + " {\"type\":\"com.test.access\",\"instance\":\"*\",\"action\":\"read\"}" + + "]}"; + + try { + LoadPermissions lp = new LoadPermissions(new StringReader(json)); + for(Permission p : lp.perms) { + System.out.println(p.toString()); + } + System.out.println("done"); + } catch (ParseException e) { + System.err.println(e); + } + + + } + + +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_OAuthTest.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_OAuthTest.java new file mode 100644 index 00000000..cc458f28 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_OAuthTest.java @@ -0,0 +1,277 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth.test; + +import java.net.ConnectException; +import java.util.Date; +import java.util.GregorianCalendar; + +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.oauth.TimedToken; +import org.onap.aaf.cadi.oauth.TokenClient; +import org.onap.aaf.cadi.oauth.TokenClientFactory; +import org.onap.aaf.cadi.oauth.TzClient; +import org.onap.aaf.cadi.principal.Kind; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Chrono; + +import aafoauth.v2_0.Introspect; +import aafoauth.v2_0.Token; +import junit.framework.Assert; + +public class JU_OAuthTest { + + private static PropAccess access; + private static TokenClientFactory tcf; + + @BeforeClass + public static void setUpBeforeClass() { + access = new PropAccess(); + try { + tcf = TokenClientFactory.instance(access); + } catch (Exception e) { + e.printStackTrace(); + Assert.fail(); + } + } + + @AfterClass + public static void tearDownAfterClass() throws Exception { + } + + @Before + public void setUp() throws Exception { + } + + @After + public void tearDown() throws Exception { + } + + @Test + public void testROPCFlowHappy() { + try { + // AAF OAuth + String client_id = access.getProperty(Config.AAF_APPID); + String client_secret = access.getProperty(Config.AAF_APPPASS); + String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL); + Assert.assertNotNull(tokenServiceURL); + String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL); + String tokenAltIntrospectURL = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL); + Assert.assertNotNull(tokenIntrospectURL); + final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL); + String username = access.getProperty("cadi_username"); + + TokenClient tc; + Result rtt; + if(true) { + tc = tcf.newClient(tokenServiceURL, 3000); + tc.client_creds(client_id,client_secret); + tc.password(access.getProperty("cadi_username"),access.getProperty("cadi_password")); + rtt = tc.getToken(Kind.BASIC_AUTH,"org.osaaf.aaf","org.osaaf.test"); + if(rtt.isOK()) { + print(rtt.value); + rtt = tc.refreshToken(rtt.value); + if(rtt.isOK()) { + print(rtt.value); + TokenClient ic = tcf.newClient(tokenIntrospectURL,3000); + ic.client_creds(client_id,client_secret); + + Result ri = ic.introspect(rtt.value.getAccessToken()); + if(ri.isOK()) { + print(ri.value); + } else { + System.out.println(ri.code + ' ' + ri.error); + Assert.fail(ri.code + ' ' + ri.error); + } + TzClient helloClient = tcf.newTzClient(endServicesURL); + helloClient.setToken(client_id, rtt.value); +// String rv = serviceCall(helloClient); +// System.out.println(rv); + // Assert.assertEquals("Hello AAF OAuth2\n",rv); + } else { + System.out.println(rtt.code + ' ' + rtt.error); + Assert.fail(rtt.code + ' ' + rtt.error); + } + } else { + System.out.println(rtt.code + ' ' + rtt.error); + Assert.fail(rtt.code + ' ' + rtt.error); + } + } + + // ISAM Test + if(true) { + System.out.println("**** ISAM TEST ****"); + tokenServiceURL=access.getProperty(Config.AAF_ALT_OAUTH2_TOKEN_URL); + client_id=access.getProperty(Config.AAF_ALT_CLIENT_ID); + client_secret=access.getProperty(Config.AAF_ALT_CLIENT_SECRET); + if(tokenServiceURL!=null) { + tc = tcf.newClient(tokenServiceURL, 3000); + tc.client_creds(client_id, client_secret); + int at = username.indexOf('@'); + + tc.password(at>=0?username.substring(0, at):username,access.getProperty("cadi_password")); + rtt = tc.getToken("org.osaaf.aaf","org.osaaf.test"); + if(rtt.isOK()) { + print(rtt.value); + rtt = tc.refreshToken(rtt.value); + if(rtt.isOK()) { + print(rtt.value); + + tc = tcf.newClient(tokenAltIntrospectURL, 3000); + tc.client_creds(client_id, client_secret); + Result rti = tc.introspect(rtt.value.getAccessToken()); + if(rti.isOK()) { + System.out.print("Normal ISAM "); + print(rti.value); + } else { + System.out.println(rti.code + ' ' + rti.error); + Assert.fail(rtt.code + ' ' + rtt.error); + } + + tc = tcf.newClient(tokenIntrospectURL, 3000); + tc.client_creds(client_id, client_secret); + rti = tc.introspect(rtt.value.getAccessToken()); + if(rti.isOK()) { + System.out.print("AAF with ISAM Token "); + print(rti.value); + } else { + System.out.println(rti.code + ' ' + rti.error); + if(rti.code!=404) { + Assert.fail(rti.code + ' ' + rti.error); + } + } + + TzClient tzClient = tcf.newTzClient(endServicesURL); + tzClient.setToken(client_id, rtt.value); + // Note: this is AAF's "Hello" server + String rv = serviceCall(tzClient); + System.out.println(rv); + // Assert.assertEquals("Hello AAF OAuth2\n",rv); + } else { + System.out.println(rtt.code + ' ' + rtt.error); + Assert.fail(rtt.code + ' ' + rtt.error); + } + } else { + System.out.println(rtt.code + ' ' + rtt.error); + Assert.fail(rtt.code + ' ' + rtt.error); + } + } else { + Assert.fail(Config.AAF_ALT_OAUTH2_TOKEN_URL + " is required"); + } + } + } catch (Exception e) { + e.printStackTrace(); + Assert.fail(); + } + } + + + private TokenClient testROPCFlow(final String url, final String client_id, final String client_secret, String user, String password, final String ... scope) throws Exception { + TokenClient tclient = tcf.newClient(url,3000); + tclient.client_creds(client_id, client_secret); + if(user!=null && password!=null) { + tclient.password(user,password); + } + Result rt = tclient.getToken(scope); + if(rt.isOK()) { + print(rt.value); + Result rti = tclient.introspect(rt.value.getAccessToken()); + if(rti.isOK()) { + print(rti.value); + } else { + printAndFail(rti); + } + } else { + printAndFail(rt); + } + return tclient; + } + + private String serviceCall(TzClient tzClient) throws Exception { + return tzClient.best(new Retryable() { + @Override + public String code(Rcli client) throws CadiException, ConnectException, APIException { + Future future = client.read(null,"text/plain"); + if(future.get(3000)) { + return future.value; + } else { + throw new APIException(future.code() + future.body()); + } + } + }); + } + private void printAndFail(Result rt) { + System.out.printf("HTTP Code %d: %s\n", rt.code, rt.error); + Assert.fail(rt.toString()); + } + + private void print(Token t) { + GregorianCalendar exp_date = new GregorianCalendar(); + exp_date.add(GregorianCalendar.SECOND, t.getExpiresIn()); + System.out.printf("Access Token\n\tToken:\t\t%s\n\tToken Type:\t%s\n\tExpires In:\t%d (%s)\n\tScope:\t\t%s\n\tRefresh Token:\t%s\n", + t.getAccessToken(), + t.getTokenType(), + t.getExpiresIn(), + Chrono.timeStamp(new Date(System.currentTimeMillis()+(t.getExpiresIn()*1000))), + t.getScope(), + t.getRefreshToken()); + } + + private void print(Introspect ti) { + if(ti==null || ti.getClientId()==null) { + System.out.println("Empty Introspect"); + return; + } + Date exp = new Date(ti.getExp()*1000); // seconds + System.out.printf("Introspect\n" + + "\tAccessToken:\t%s\n" + + "\tClient-id:\t%s\n" + + "\tClient Type:\t%s\n" + + "\tActive: \t%s\n" + + "\tUserName:\t%s\n" + + "\tExpires: \t%d (%s)\n" + + "\tScope:\t\t%s\n" + + "\tContent:\t\t%s\n", + ti.getAccessToken(), + ti.getClientId(), + ti.getClientType(), + ti.isActive()?Boolean.TRUE.toString():Boolean.FALSE.toString(), + ti.getUsername(), + ti.getExp(), + Chrono.timeStamp(exp), + ti.getScope(), + ti.getContent()==null?"":ti.getContent()); + + System.out.println(); + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_OAuthToken.java b/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_OAuthToken.java new file mode 100644 index 00000000..0ddb3f4d --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/cadi/oauth/test/JU_OAuthToken.java @@ -0,0 +1,86 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.oauth.test; + +import static org.junit.Assert.*; + +import java.util.UUID; + +import org.junit.After; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.oauth.AAFToken; + +import junit.framework.Assert; + +public class JU_OAuthToken { + + @BeforeClass + public static void setUpBeforeClass() throws Exception { + } + + @AfterClass + public static void tearDownAfterClass() throws Exception { + } + + @Before + public void setUp() throws Exception { + } + + @After + public void tearDown() throws Exception { + } + + @Test + public void testMax() throws CadiException { + UUID uuid = new UUID(Long.MAX_VALUE,Long.MAX_VALUE); + String token = AAFToken.toToken(uuid); + System.out.println(token); + UUID uuid2 = AAFToken.fromToken(token); + Assert.assertEquals(uuid, uuid2); + } + + @Test + public void testMin() throws CadiException { + UUID uuid = new UUID(Long.MIN_VALUE,Long.MIN_VALUE); + String token = AAFToken.toToken(uuid); + System.out.println(token); + UUID uuid2 = AAFToken.fromToken(token); + Assert.assertEquals(uuid, uuid2); + } + + @Test + public void testRandom() throws CadiException { + for(int i=0;i<100;++i) { + UUID uuid = UUID.randomUUID(); + String token = AAFToken.toToken(uuid); + System.out.println(token); + UUID uuid2 = AAFToken.fromToken(token); + Assert.assertEquals(uuid, uuid2); + } + } + + +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/content/JU_Content.java b/cadi/aaf/src/test/java/org/onap/aaf/content/JU_Content.java new file mode 100644 index 00000000..21012e68 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/content/JU_Content.java @@ -0,0 +1,81 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.content; + +import java.io.StringReader; + +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; +import org.onap.aaf.misc.rosetta.env.RosettaDF; +import org.onap.aaf.misc.rosetta.env.RosettaData; +import org.onap.aaf.misc.rosetta.env.RosettaEnv; + +import aaf.v2_0.Error; + +public class JU_Content { + + @BeforeClass + public static void setUpBeforeClass() throws Exception { + } + + @AfterClass + public static void tearDownAfterClass() throws Exception { + } + + + @Test + public void parseErrorJSON() throws Exception { + final String msg = "{\"messageId\":\"SVC2000\",\"text\":\"Select which cred to delete (or 0 to delete all):" + + "1) %1" + + "2) %2" + + "3) %3" + + "4) %4" + + "Run same command again with chosen entry as last parameter\"," + + "\"variables\":[" + + "\"m55555@jr583u.cred.test.com 1 Wed Oct 08 11:48:08 CDT 2014\"," + + "\"m55555@jr583u.cred.test.com 1 Thu Oct 09 12:54:46 CDT 2014\"," + + "\"m55555@jr583u.cred.test.com 1 Tue Jan 06 05:00:00 CST 2015\"," + + "\"m55555@jr583u.cred.test.com 1 Wed Jan 07 05:00:00 CST 2015\"]}"; + + Error err = new Error(); + err.setText("Hello"); + err.getVariables().add("I'm a teapot"); + err.setMessageId("12"); + + +// System.out.println(msg); + RosettaEnv env = new RosettaEnv(); + RosettaDF errDF = env.newDataFactory(aaf.v2_0.Error.class); + errDF.in(RosettaData.TYPE.JSON); + errDF.out(RosettaData.TYPE.JSON); + RosettaData data = errDF.newData(); + data.load(err); + System.out.println(data.asString()); + + data.load(new StringReader(msg)); + err = data.asObject(); + System.out.println(err.getText()); + } + + +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/example/JU_ExampleAuthCheck.java b/cadi/aaf/src/test/java/org/onap/aaf/example/JU_ExampleAuthCheck.java new file mode 100644 index 00000000..387c4d1a --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/example/JU_ExampleAuthCheck.java @@ -0,0 +1,56 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.example; + +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn; +import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; +import org.onap.aaf.cadi.locator.DNSLocator; + +public class JU_ExampleAuthCheck { + public static void main(String args[]) { + // Link or reuse to your Logging mechanism + PropAccess myAccess = new PropAccess(); // + + try { + AAFConHttp acon = new AAFConHttp(myAccess, new DNSLocator( + myAccess,"https","localhost","8100")); + AAFAuthn authn = acon.newAuthn(); + long start; + for (int i=0;i<10;++i) { + start = System.nanoTime(); + String err = authn.validate("", "gritty"); + if(err!=null) System.err.println(err); + else System.out.println("I'm ok"); + + err = authn.validate("bogus", "gritty"); + if(err!=null) System.err.println(err + " (correct error)"); + else System.out.println("I'm ok"); + + System.out.println((System.nanoTime()-start)/1000000f + " ms"); + } + } catch (Exception e) { + e.printStackTrace(); + } + + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/example/JU_X509Test.java b/cadi/aaf/src/test/java/org/onap/aaf/example/JU_X509Test.java new file mode 100644 index 00000000..732ea811 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/example/JU_X509Test.java @@ -0,0 +1,88 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.example; + +import java.security.Principal; + +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; +import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.locator.DNSLocator; +import org.onap.aaf.cadi.lur.LocalPermission; + +public class JU_X509Test { + public static void main(String args[]) { + // Link or reuse to your Logging mechanism + + PropAccess myAccess = new PropAccess(); + + // + try { + AAFConHttp con = new AAFConHttp(myAccess, + new DNSLocator(myAccess,"https","mithrilcsp.sbc.com","8100")); + + // AAFLur has pool of DME clients as needed, and Caches Client lookups + AAFLurPerm aafLur = con.newLur(); + + // Note: If you need both Authn and Authz construct the following: +// AAFAuthn aafAuthn = con.newAuthn(aafLur); + + // con.x509Alias("aaf.att"); // alias in keystore + + try { + + // Normally, you obtain Principal from Authentication System. +// // For J2EE, you can ask the HttpServletRequest for getUserPrincipal() +// // If you use CADI as Authenticator, it will get you these Principals from +// // CSP or BasicAuth mechanisms. +// String id = "cluster_admin@gridcore.att.com"; +// +// // If Validate succeeds, you will get a Null, otherwise, you will a String for the reason. + Future fs = + con.client("2.0").read("/authz/perms/com.att.aaf.ca","application/Perms+json"); + if(fs.get(3000)) { + System.out.println(fs.value); + } else { + System.out.println("Error: " + fs.code() + ':' + fs.body()); + } + + // Check on Perms with LUR + if(aafLur.fish(new Principal() { + @Override + public String getName() { + return "m12345@aaf.att.com"; + } + }, new LocalPermission("org.osaaf.aaf.ca|aaf|request"))) { + System.out.println("Has Perm"); + } else { + System.out.println("Does NOT Have Perm"); + } + } finally { + aafLur.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/CadiTest.java b/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/CadiTest.java new file mode 100644 index 00000000..960ea069 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/CadiTest.java @@ -0,0 +1,63 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.stillNeed; + +import java.net.HttpURLConnection; +import java.net.URI; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.http.HBasicAuthSS; +import org.onap.aaf.cadi.http.HClient; +import org.onap.aaf.cadi.http.HX509SS; + +public class CadiTest { + public static void main(String args[]) { + Access access = new PropAccess(); + try { + SecurityInfoC si = SecurityInfoC.instance(access, HttpURLConnection.class); + SecuritySetter ss; + if(access.getProperty(Config.CADI_ALIAS,null)!=null) { + ss = new HX509SS(si); + } else { + ss = new HBasicAuthSS(si); + } + HClient hclient = new HClient(ss,new URI("https://zlp08851.vci.att.com:8095"),3000); + hclient.setMethod("OPTIONS"); + hclient.setPathInfo("/cadi/log/set/WARN"); + hclient.send(); + Future future = hclient.futureReadString(); + if(future.get(5000)) { + System.out.printf("Success %s",future.value); + } else { + System.out.printf("Error: %d-%s", future.code(),future.body()); + } + + } catch (Exception e) { + e.printStackTrace(); + } + + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/ExampleAuthCheck.java b/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/ExampleAuthCheck.java new file mode 100644 index 00000000..a4b1cf1b --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/ExampleAuthCheck.java @@ -0,0 +1,55 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.stillNeed; + +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn; +import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; +import org.onap.aaf.cadi.locator.DNSLocator; + +public class ExampleAuthCheck { + public static void main(String args[]) { + // Link or reuse to your Logging mechanism + PropAccess myAccess = new PropAccess(); // + + try { + AAFConHttp acon = new AAFConHttp(myAccess, new DNSLocator( + myAccess,"https","localhost","8100")); + AAFAuthn authn = acon.newAuthn(); + long start; + for (int i=0;i<10;++i) { + start = System.nanoTime(); + String err = authn.validate("", "gritty",null); + if(err!=null) System.err.println(err); + else System.out.println("I'm ok"); + + err = authn.validate("bogus", "gritty",null); + if(err!=null) System.err.println(err + " (correct error)"); + else System.out.println("I'm ok"); + + System.out.println((System.nanoTime()-start)/1000000f + " ms"); + } + } catch (Exception e) { + e.printStackTrace(); + } + + } +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/TestPrincipal.java b/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/TestPrincipal.java new file mode 100644 index 00000000..12569023 --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/TestPrincipal.java @@ -0,0 +1,35 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.stillNeed; + +import java.security.Principal; + +public class TestPrincipal implements Principal { + private String name; + public TestPrincipal(String name) { + this.name = name; + } + @Override + public String getName() { + return name; + } + +} diff --git a/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/X509Test.java b/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/X509Test.java new file mode 100644 index 00000000..290f573e --- /dev/null +++ b/cadi/aaf/src/test/java/org/onap/aaf/stillNeed/X509Test.java @@ -0,0 +1,89 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.stillNeed; + +import java.security.Principal; + +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp; +import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.locator.DNSLocator; +import org.onap.aaf.cadi.lur.LocalPermission; + +//TODO Needs running service to TEST + +public class X509Test { + public static void main(String args[]) { + // Link or reuse to your Logging mechanism + + PropAccess myAccess = new PropAccess(); + + // + try { + AAFConHttp con = new AAFConHttp(myAccess, + new DNSLocator(myAccess,"https","mithrilcsp.sbc.com","8100")); + + // AAFLur has pool of DME clients as needed, and Caches Client lookups + AAFLurPerm aafLur = con.newLur(); + + // Note: If you need both Authn and Authz construct the following: +// AAFAuthn aafAuthn = con.newAuthn(aafLur); + + // con.x509Alias("aaf.att"); // alias in keystore + + try { + + // Normally, you obtain Principal from Authentication System. +// // For J2EE, you can ask the HttpServletRequest for getUserPrincipal() +// // If you use CADI as Authenticator, it will get you these Principals from +// // CSP or BasicAuth mechanisms. +// String id = "cluster_admin@gridcore.att.com"; +// +// // If Validate succeeds, you will get a Null, otherwise, you will a String for the reason. + Future fs = + con.client("2.0").read("/authz/perms/com.att.aaf.ca","application/Perms+json"); + if(fs.get(3000)) { + System.out.println(fs.value); + } else { + System.out.println("Error: " + fs.code() + ':' + fs.body()); + } + + // Check on Perms with LUR + if(aafLur.fish(new Principal() { + @Override + public String getName() { + return "m12345@aaf.att.com"; + } + }, new LocalPermission("org.osaaf.aaf.ca|aaf|request"))) { + System.out.println("Has Perm"); + } else { + System.out.println("Does NOT Have Perm"); + } + } finally { + aafLur.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + + } +} diff --git a/cadi/aaf/src/test/resources/cadi.properties b/cadi/aaf/src/test/resources/cadi.properties new file mode 100644 index 00000000..810df571 --- /dev/null +++ b/cadi/aaf/src/test/resources/cadi.properties @@ -0,0 +1,37 @@ +## +## AUTHZ API (authz-service) Properties +## +AFT_LATITUDE=32.780140 +AFT_LONGITUDE=-96.800451 +AFT_ENVIRONMENT=AFTUAT +DEPLOYED_VERSION=2.0.MITHRIL +cadi_prop_files=/opt/app/aaf/common/com.att.aaf.props + +#cadi_keystore=/Volumes/Data/src/authz/common/cadiaaf.jks +#cadi_truststore=/Volumes/Data/src/authz/common/caditrust.jks +#cadi_keystore_password=enc:4s9TVkWDpUhjgimeXEDL7fE7gaTvppkGwiU7arrtu504ol9uB51swkZkqW7qTr_T +#cadi_key_password=enc:4s9TVkWDpUhjgimeXEDL7fE7gaTvppkGwiU7arrtu504ol9uB51swkZkqW7qTr_T +#cadi_truststore_password=enc:HHFqU-eYs2653Ifsm4m-m4TkehxB13x4kZxQqsf-ydz +# cadi_trust_all_x509=true +#cadi_alias=aaf.att +https.protocols=TLSv1.1,TLSv1.2 + +# cm_url=https://mithrilcsp.sbc.com:8150 + +#basic_realm=localized +#basic_warn=false +#localhost_deny=false + +#cass_group_name=com.att.aaf +#cass_cluster_name=mithrilcsp.sbc.com +#aaf_default_realm=com.att.csp + +#aaf_url=https://135.110.241.35:8100 +#aaf_url=https://mithrilcsp.sbc.com:8095/proxy +aaf_url=https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=2.0/envContext=DEV/routeOffer=BAU_SE +#aaf_id=m12345@aaf.att.com +#aaf_password=enc:mH3t-3tBYXrf8RUhGP6unXH9z75Ba-kBDQTiAHblMju + +aaf_user_expires=3000 +aaf_clean_interval=4000 + diff --git a/cadi/aaf/src/test/resources/log4j.properties b/cadi/aaf/src/test/resources/log4j.properties new file mode 100644 index 00000000..5ec63883 --- /dev/null +++ b/cadi/aaf/src/test/resources/log4j.properties @@ -0,0 +1,32 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +log4j.appender.stdout=org.apache.log4j.ConsoleAppender +log4j.appender.stdout.layout=org.apache.log4j.PatternLayout +log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] %m %n + +# General Apache libraries +log4j.rootLogger=WARN,stdout +log4j.logger.org.apache=WARN,stdout +log4j.logger.dme2=WARN,stdout +log4j.logger.init=INFO,stdout +log4j.logger.authz=INFO,stdout +log4j.logger.audit=WARN,stdout + + + diff --git a/cadi/cass/.gitignore b/cadi/cass/.gitignore new file mode 100644 index 00000000..2fd21f99 --- /dev/null +++ b/cadi/cass/.gitignore @@ -0,0 +1,4 @@ +/target/ +/.classpath +/.settings/ +/target/ diff --git a/cadi/cass/.project b/cadi/cass/.project new file mode 100644 index 00000000..8efd1f6e --- /dev/null +++ b/cadi/cass/.project @@ -0,0 +1,23 @@ + + + cadi_cass + + + + + + org.eclipse.jdt.core.javabuilder + + + + + org.eclipse.m2e.core.maven2Builder + + + + + + org.eclipse.jdt.core.javanature + org.eclipse.m2e.core.maven2Nature + + diff --git a/cadi/cass/etc/cadi.properties b/cadi/cass/etc/cadi.properties new file mode 100644 index 00000000..767fe5c2 --- /dev/null +++ b/cadi/cass/etc/cadi.properties @@ -0,0 +1,45 @@ +## +## AUTHZ API (authz-service) Properties +## + +## DISCOVERY (DME2) Parameters on the Command Line +AFT_LATITUDE=38.627345 +AFT_LONGITUDE=-90.193774 +AFT_ENVIRONMENT=AFTUAT + +# CADI +cadi_keyfile=/opt/app/aaf/common/com.att.aaf.keyfile +cadi_loglevel=WARN + +# CASSANDRA Required for APP +cass_group_name=com.att.aaf + +# CASSANDRA Optional +cass_cluster_name=mithril + +# AAF Required for APP +aaf_url=https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=2.0/envContext=DEV/routeOffer=BAU_SE +DME2_EP_REGISTRY_CLASS=DME2FS +AFT_DME2_EP_REGISTRY_FS_DIR=/Volumes/Data/src/authz/dme2reg + +aaf_default_realm=aaf.localized +aaf_id=m12345@aaf.att.com +aaf_password=enc:DuADW3_Y26NdHgDvN7Prt7vtDwYJM3Kvw9AOQ30lPV1 +cadi_loglevel=DEBUG + +# AAF Optional +# Connection Time Out (milliseconds) +aaf_conn_timeout=10000 +# User Cache Expiration (milliseconds) +aaf_user_expires=600000 +# High count... Rough top number of objects held in Cache per cycle. If high is reached, more are +# recycled next time. +aaf_high_count=1000 + +## +## Localized Passwords +## +basic_realm=aaf.localized +local_users=m01891@aaf.localized%DuADW3_Y26NdHgDvN7Prt7vtDwYJM3Kvw9AOQ30lPV1:/mithril/authz;\ + m12345@aaf.localized%DuADW3_Y26NdHgDvN7Prt7vtDwYJM3Kvw9AOQ30lPV1:/mithril/authz;\ + root@aaf.localized%DuADW3_Y26NdHgDvN7Prt7vtDwYJM3Kvw9AOQ30lPV1:/mithril diff --git a/cadi/cass/pom.xml b/cadi/cass/pom.xml new file mode 100644 index 00000000..9db57a48 --- /dev/null +++ b/cadi/cass/pom.xml @@ -0,0 +1,96 @@ + + + + + org.onap.aaf.cadi + parent + 1.5.0-SNAPSHOT + .. + + + 4.0.0 + aaf-cadi-cass + AAF CADI Cassandra Library + jar + + + + Jonathan Gathman + jonathan.gathman@att.com + ATT + + Architect + Lead Developer + + + + Gabe Maurer + gabe.maurer@att.com + ATT + + Developer + + + + Ian Howell + ian.howell@att.com + ATT + + Developer + + + + + + + org.onap.aaf.cadi + aaf-cadi-core + + + + org.onap.aaf.cadi + aaf-cadi-aaf + + + + org.apache.cassandra + cassandra-all + 2.1.14 + compile + + + org.slf4j + slf4j-log4j12 + + + log4j + log4j + + + + + + + + + diff --git a/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthenticatedUser.java b/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthenticatedUser.java new file mode 100644 index 00000000..3f08b1e9 --- /dev/null +++ b/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthenticatedUser.java @@ -0,0 +1,109 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package com.att.aaf.cadi.cass; + +import java.security.Principal; + +import org.apache.cassandra.auth.AuthenticatedUser; +import org.onap.aaf.cadi.Access; + +public class AAFAuthenticatedUser extends AuthenticatedUser implements Principal { + private boolean anonymous = false, supr=false, local=false; + private String fullName; +// private Access access; + + public AAFAuthenticatedUser(Access access, String name) { + super(name); +// this.access = access; + int endIndex = name.indexOf("@"); + if(endIndex >= 0) { + fullName = name; + } else { + fullName = name + '@' + AAFBase.default_realm; + } + } + + public String getFullName() { + return fullName; + } + + public String getName() { + return fullName; + } + + /* (non-Javadoc) + * @see org.apache.cassandra.auth.AuthenticatedUser#isAnonymous() + */ + @Override + public boolean isAnonymous() { + return anonymous; + } + + public void setAnonymous(boolean anon) { + anonymous = anon; + } + + public boolean getAnonymous() { + return anonymous; + } + + /* (non-Javadoc) + * @see org.apache.cassandra.auth.AuthenticatedUser#isSuper() + */ + @Override + public boolean isSuper() { + return supr; + } + + public void setSuper(boolean supr) { + this.supr = supr; + } + + public boolean getSuper() { + return supr; + } + + /** + * We check Local so we can compare with the right Lur. This is AAF Plugin only. + * @return + */ + public boolean isLocal() { + return local; + } + + public void setLocal(boolean val) { + local = val; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (!(o instanceof AAFAuthenticatedUser)) return false; + return ((AuthenticatedUser)o).getName().equals(this.getName()); + } + + @Override + public int hashCode() { + //access.log(Level.DEBUG, "AAFAuthentication hashcode ",getName().hashCode()); + return getName().hashCode(); + } +} diff --git a/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthenticator.java b/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthenticator.java new file mode 100644 index 00000000..1f50280c --- /dev/null +++ b/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthenticator.java @@ -0,0 +1,173 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package com.att.aaf.cadi.cass; + +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.util.Arrays; +import java.util.HashMap; +import java.util.Map; + +import org.apache.cassandra.auth.AuthenticatedUser; +import org.apache.cassandra.auth.IAuthenticator; +import org.apache.cassandra.auth.ISaslAwareAuthenticator; +import org.apache.cassandra.exceptions.AuthenticationException; +import org.apache.cassandra.exceptions.InvalidRequestException; +import org.apache.cassandra.exceptions.RequestExecutionException; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CredVal.Type; +import org.onap.aaf.cadi.config.Config; + +public class AAFAuthenticator extends AAFBase implements ISaslAwareAuthenticator { + + public boolean requireAuthentication() { + return true; + } + + /** + * Invoked to authenticate an user + */ + public AuthenticatedUser authenticate(Map credentials) throws AuthenticationException { + String username = (String)credentials.get("username"); + if (username == null) { + throw new AuthenticationException("'username' is missing"); + } + + AAFAuthenticatedUser aau = new AAFAuthenticatedUser(access,username); + String fullName=aau.getFullName(); + access.log(Level.DEBUG, "Authenticating", aau.getName(),"(", fullName,")"); + + String password = (String)credentials.get("password"); + if (password == null) { + throw new AuthenticationException("'password' is missing"); + } else if(password.startsWith("bsf:")) { + try { + password = Symm.base64noSplit.depass(password); + } catch (IOException e) { + throw new AuthenticationException("AAF bnf: Password cannot be decoded"); + } + } else if(password.startsWith("enc:")) { + try { + password = access.decrypt(password, true); + } catch (IOException e) { + throw new AuthenticationException("AAF Encrypted Password cannot be decrypted"); + } + } + + if(localLur!=null) { + access.log(Level.DEBUG, "Validating",fullName, "with LocalTaf", password); + if(localLur.validate(fullName, Type.PASSWORD, password.getBytes(),null)) { + aau.setAnonymous(true); + aau.setLocal(true); + access.log(Level.DEBUG, fullName, "is authenticated locally"); + return aau; + } + } + + String aafResponse; + try { + access.log(Level.DEBUG, "Validating",fullName, "with AAF");//, password); + aafResponse = aafAuthn.validate(fullName, password,null); + if(aafResponse != null) { // Reason for failing. + access.log(Level.AUDIT, "AAF reports ",fullName,":",aafResponse); + throw new AuthenticationException(aafResponse); + } + access.log(Level.AUDIT, fullName, "is authenticated"); //,password); + // This tells Cassandra to skip checking it's own tables for User Entries. + aau.setAnonymous(true); + } catch (AuthenticationException ex) { + throw ex; + } catch(Exception ex) { + access.log(ex,"Exception validating user"); + throw new AuthenticationException("Exception validating user"); + } + + return aau; + } + + public void create(String username, Map options) throws InvalidRequestException, RequestExecutionException { + access.log(Level.INFO,"Use AAF CLI to create user"); + } + + public void alter(String username, Map options) throws RequestExecutionException { + access.log(Level.INFO,"Use AAF CLI to alter user"); + } + + public void drop(String username) throws RequestExecutionException { + access.log(Level.INFO,"Use AAF CLI to delete user"); + } + + public SaslAuthenticator newAuthenticator() { + return new ISaslAwareAuthenticator.SaslAuthenticator() { + private boolean complete = false; + private Map credentials; + + public byte[] evaluateResponse(byte[] clientResponse) throws AuthenticationException { + this.credentials = decodeCredentials(clientResponse); + this.complete = true; + return null; + } + + public boolean isComplete() { + return this.complete; + } + + public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException { + return AAFAuthenticator.this.authenticate(this.credentials); + } + + private Map decodeCredentials(byte[] bytes) throws AuthenticationException { + access.log(Level.DEBUG,"Decoding credentials from client token"); + byte[] user = null; + byte[] pass = null; + int end = bytes.length; + for (int i = bytes.length - 1; i >= 0; i--) + { + if (bytes[i] != 0) + continue; + if (pass == null) + pass = Arrays.copyOfRange(bytes, i + 1, end); + else if (user == null) + user = Arrays.copyOfRange(bytes, i + 1, end); + end = i; + } + + if (user == null) + throw new AuthenticationException("Authentication ID must not be null"); + if (pass == null) { + throw new AuthenticationException("Password must not be null"); + } + Map credentials = new HashMap(); + try { + credentials.put(IAuthenticator.USERNAME_KEY, new String(user, Config.UTF_8)); + credentials.put(IAuthenticator.PASSWORD_KEY, new String(pass, Config.UTF_8)); + } catch (UnsupportedEncodingException e) { + throw new AuthenticationException(e.getMessage()); + } + return credentials; + } + }; + } + +} + diff --git a/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthorizer.java b/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthorizer.java new file mode 100644 index 00000000..7353ee33 --- /dev/null +++ b/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFAuthorizer.java @@ -0,0 +1,224 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package com.att.aaf.cadi.cass; + +import java.util.ArrayList; +import java.util.HashSet; +import java.util.Set; + +import org.apache.cassandra.auth.AuthenticatedUser; +import org.apache.cassandra.auth.IAuthorizer; +import org.apache.cassandra.auth.IResource; +import org.apache.cassandra.auth.Permission; +import org.apache.cassandra.auth.PermissionDetails; +import org.apache.cassandra.exceptions.RequestExecutionException; +import org.apache.cassandra.exceptions.RequestValidationException; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLur; +import org.onap.aaf.cadi.lur.LocalPermission; + +public class AAFAuthorizer extends AAFBase implements IAuthorizer { + // Returns every permission on the resource granted to the user. + public Set authorize(AuthenticatedUser user, IResource resource) { + String uname, rname; + access.log(Level.DEBUG,"Authorizing",uname=user.getName(),"for",rname=resource.getName()); + + Set permissions; + + if(user instanceof AAFAuthenticatedUser) { + AAFAuthenticatedUser aafUser = (AAFAuthenticatedUser) user; + aafUser.setAnonymous(false); + + if(aafUser.isLocal()) { + permissions = checkPermissions(aafUser, new LocalPermission( + rname.replaceFirst("data", cluster_name) + )); + } else { + permissions = checkPermissions( + aafUser, + perm_type, + ':'+rname.replaceFirst("data", cluster_name).replace('/', ':')); + } + } else { + permissions = Permission.NONE; + } + + access.log(Level.INFO,"Permissions on",rname,"for",uname,':', permissions); + + return permissions; + } + + /** + * Check only for Localized IDs (see cadi.properties) + * @param aau + * @param perm + * @return + */ + private Set checkPermissions(AAFAuthenticatedUser aau, LocalPermission perm) { + if(localLur.fish(aau, perm)) { +// aau.setSuper(true); + return Permission.ALL; + } else { + return Permission.NONE; + } + } + + /** + * Check remoted AAF Permissions + * @param aau + * @param type + * @param instance + * @return + */ + private Set checkPermissions(AAFAuthenticatedUser aau, String type, String instance) { + // Can perform ALL actions + PermHolder ph = new PermHolder(aau); + aafLur.fishOneOf(aau,ph,type,instance,actions); + return ph.permissions; + } + + private class PermHolder { + private AAFAuthenticatedUser aau; + public PermHolder(AAFAuthenticatedUser aau) { + this.aau = aau; + } + public Set permissions = Permission.NONE; + public void mutable() { + if(permissions==Permission.NONE) { + permissions = new HashSet(); + } + } + }; + + /** + * This specialty List avoid extra Object Creation, and allows the Lur to do a Vistor on all appropriate Perms + */ + private static final ArrayList> actions = new ArrayList>(); + static { + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "*"; + } + + public boolean exec(PermHolder a) { + a.aau.setSuper(true); + a.permissions = Permission.ALL; + return true; + } + }); + + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "SELECT"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.SELECT); + return false; + } + }); + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "MODIFY"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.MODIFY); + return false; + } + }); + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "CREATE"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.CREATE); + return false; + } + }); + + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "ALTER"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.ALTER); + return false; + } + }); + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "DROP"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.DROP); + return false; + } + }); + actions.add(new AbsAAFLur.Action() { + public String getName() { + return "AUTHORIZE"; + } + + public boolean exec(PermHolder ph) { + ph.mutable(); + ph.permissions.add(Permission.AUTHORIZE); + return false; + } + }); + + + }; + + + public void grant(AuthenticatedUser performer, Set permissions, IResource resource, String to) throws RequestExecutionException { + access.log(Level.INFO, "Use AAF CLI to grant permission(s) to user/role"); + } + + public void revoke(AuthenticatedUser performer, Set permissions, IResource resource, String from) throws RequestExecutionException { + access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role"); + } + + public Set list(AuthenticatedUser performer, Set permissions, IResource resource, String of) throws RequestValidationException, RequestExecutionException { + access.log(Level.INFO,"Use AAF CLI to find the list of permissions"); + return null; + } + + // Called prior to deleting the user with DROP USER query. Internal hook, so no permission checks are needed here. + public void revokeAll(String droppedUser) { + access.log(Level.INFO,"Use AAF CLI to revoke permission(s) for user/role"); + } + + // Called after a resource is removed (DROP KEYSPACE, DROP TABLE, etc.). + public void revokeAll(IResource droppedResource) { + access.log(Level.INFO,"Use AAF CLI to delete the unused permission", droppedResource.getName()); + } + +} diff --git a/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFBase.java b/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFBase.java new file mode 100644 index 00000000..b091cc95 --- /dev/null +++ b/cadi/cass/src/main/java/com/att/aaf/cadi/cass/AAFBase.java @@ -0,0 +1,193 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package com.att.aaf.cadi.cass; + +import java.io.File; +import java.io.FileInputStream; +import java.io.InputStream; +import java.net.HttpURLConnection; +import java.net.URL; +import java.util.HashSet; +import java.util.Properties; +import java.util.Set; + +import org.apache.cassandra.auth.DataResource; +import org.apache.cassandra.auth.IAuthenticator; +import org.apache.cassandra.config.DatabaseDescriptor; +import org.apache.cassandra.exceptions.ConfigurationException; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn; +import org.onap.aaf.cadi.aaf.v2_0.AAFCon; +import org.onap.aaf.cadi.aaf.v2_0.AbsAAFLur; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.lur.EpiLur; +import org.onap.aaf.cadi.lur.LocalLur; + +public abstract class AAFBase { + protected static final Set options; + protected static final Set dataResource; + + static { + options = new HashSet(); + options.add(IAuthenticator.Option.PASSWORD); + + dataResource = new HashSet(); + dataResource.add(DataResource.columnFamily("system_auth", "credentials")); + } + + protected static Access access; + protected static LocalLur localLur; + protected static AAFCon aafcon; + protected static AAFAuthn aafAuthn; + protected static AbsAAFLur aafLur; + protected static String default_realm; + protected static String cluster_name; + protected static String perm_type; + private static boolean props_ok = false; + + /** + * If you use your own Access Class, this must be called before + * "setup()" is invoked by Cassandra. + * + * Otherwise, it will default to reading Properties CADI style. + * + * @param access + */ + public static void setAccess(Access access) { + AAFBase.access = access; + } + + + public void validateConfiguration() throws ConfigurationException { + setup(); + if(!props_ok) { + throw new ConfigurationException("AAF not initialized"); + } + } + + @SuppressWarnings("unchecked") + public synchronized void setup() { + if(aafAuthn == null) { + try { + if(access==null) { + String value = System.getProperty(Config.CADI_PROP_FILES, "cadi.properties"); + Properties initial = new Properties(); + URL cadi_props = ClassLoader.getSystemResource(value); + if(cadi_props == null) { + File cp = new File(value); + if(cp.exists()) { + InputStream is = new FileInputStream(cp); + try { + initial.load(is); + } finally { + is.close(); + } + } else { + System.out.printf("%s does not exist as File or in Classpath\n",value); + initial.setProperty(Config.CADI_PROP_FILES, value); + } + } else { + InputStream is = cadi_props.openStream(); + try { + initial.load(is); + } finally { + is.close(); + } + } + access = new PropAccess(initial); + } + props_ok = true; + if((perm_type = Config.logProp(access, "cass_group_name",null))==null) { + props_ok=false; + } else { + perm_type = perm_type + ".cass"; + } + + if((cluster_name = Config.logProp(access,"cass_cluster_name",null))==null) { + if((cluster_name = DatabaseDescriptor.getClusterName())==null) { + props_ok=false; + } + } + + if((default_realm = Config.logProp(access, Config.AAF_DEFAULT_REALM, null))==null) { + props_ok=false; + } + + if(props_ok==false) { + return; + } + + // AAFLur has pool of DME clients as needed, and Caches Client lookups + SecurityInfoC si = SecurityInfoC.instance(access, HttpURLConnection.class); + Lur lur = Config.configLur(si,aafcon); + // Loop through to find AAFLur out of possible Lurs, to reuse AAFCon + if(lur instanceof EpiLur) { + EpiLur elur = (EpiLur)lur; + for(int i=0; (lur = elur.get(i))!=null;++i) { + if(lur instanceof AbsAAFLur) { + aafLur=(AbsAAFLur)lur; + aafcon = aafLur.aaf; + aafAuthn = aafLur.aaf.newAuthn(aafLur); + break; + } else if(lur instanceof LocalLur) { + localLur = (LocalLur)lur; + } + } + } else if(lur instanceof AbsAAFLur) { + aafLur=(AbsAAFLur)lur; + aafcon = aafLur.aaf; + aafAuthn = aafLur.aaf.newAuthn(aafLur); + } + if(aafAuthn==null) { + access.log(Level.INIT,"Failed to instantiate full AAF access"); + props_ok = false; + } + } catch (Exception e) { + aafAuthn=null; + if(access!=null)access.log(e, "Failed to initialize AAF"); + props_ok = false; + } + } + } + + public Set protectedResources() { + access.log(Level.DEBUG, "Data Resource asked for: it's",dataResource.isEmpty()?"":"not","empty"); + return dataResource; + } + + public Set supportedOptions() { + access.log(Level.DEBUG, "supportedOptions() called"); + return options; + } + + public Set alterableOptions() { + access.log(Level.DEBUG, "alterableOptions() called"); + return options; + } + + +} diff --git a/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthenticatedUserTest.java b/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthenticatedUserTest.java new file mode 100644 index 00000000..2f196720 --- /dev/null +++ b/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthenticatedUserTest.java @@ -0,0 +1,90 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.cass; + +import static org.junit.Assert.*; + +import org.apache.cassandra.auth.AuthenticatedUser; +import org.junit.Before; +import org.junit.Test; + +import com.att.aaf.cadi.cass.AAFAuthenticatedUser; + +public class JU_AAFAuthenticatedUserTest { + + @Before + public void setUp() throws Exception { + } + + @Test + public void test() { + AAFAuthenticatedUser user = new AAFAuthenticatedUser(null, "User1@aaf"); + assertEquals(user.getFullName(),"User1@aaf"); + assertEquals(user.getName(),"User1@aaf"); + assertFalse(user.isAnonymous()); + assertFalse(user.isSuper()); + assertFalse(user.isLocal()); + + + + } + + @Test + public void testone() { + AAFAuthenticatedUser user = new AAFAuthenticatedUser(null, "User2@aaf"); + assertEquals(user.getFullName(),"User2@aaf"); + assertEquals(user.getName(),"User2@aaf"); + assertFalse(user.isAnonymous()); + assertFalse(user.isSuper()); + assertFalse(user.isLocal()); + + + + } + + @Test + public void testtwo() { + AAFAuthenticatedUser user = new AAFAuthenticatedUser(null, "onap@aaf"); + assertEquals(user.getFullName(),"onap@aaf"); + assertEquals(user.getName(),"onap@aaf"); + assertFalse(user.isAnonymous()); + assertFalse(user.isSuper()); + assertFalse(user.isLocal()); + + + + } + + @Test + public void testthree() { + AAFAuthenticatedUser user = new AAFAuthenticatedUser(null, "openecomp@aaf"); + assertEquals(user.getFullName(),"openecomp@aaf"); + assertEquals(user.getName(),"openecomp@aaf"); + assertFalse(user.isAnonymous()); + assertFalse(user.isSuper()); + assertFalse(user.isLocal()); + + + + } + +} diff --git a/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthenticator.java b/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthenticator.java new file mode 100644 index 00000000..2dcb033e --- /dev/null +++ b/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthenticator.java @@ -0,0 +1,110 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.cass; + +import static org.junit.Assert.*; + +import java.util.HashMap; +import java.util.Map; + +import org.junit.Test; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Access.Level; +import org.apache.cassandra.auth.AuthenticatedUser; +import org.apache.cassandra.exceptions.AuthenticationException; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import static org.junit.Assert.*; + +import com.att.aaf.cadi.cass.AAFAuthenticatedUser; +import com.att.aaf.cadi.cass.AAFAuthenticator; +import com.att.aaf.cadi.cass.AAFBase; + +import junit.framework.Assert; + +public class JU_AAFAuthenticator extends AAFBase +{ + + + @Before + public void setUp() + { + + } + + @After + public void tearDown() + { + + } + + @Test + public void checkRequiredAuth() { + AAFAuthenticator test = new AAFAuthenticator(); + Assert.assertTrue(test.requireAuthentication()); + } + //TODO: Call may be broken due to missing ATT specific code + @Test + public void checkAuthenticate() throws AuthenticationException { + AuthenticatedUser user = new AuthenticatedUser("testUser"); + AAFAuthenticator test = new AAFAuthenticator(); + Map cred = new HashMap(); + cred.put("username", "testUser"); + cred.put("password", "testPass"); + String username = (String)cred.get("username"); + Access access = new PropAccess(); + AAFAuthenticatedUser aau = new AAFAuthenticatedUser(access,username); + String fullName=aau.getFullName(); + access.log(Level.DEBUG, "Authenticating", aau.getName(),"(", fullName,")"); + //test.authenticate(cred); + //Assert.assert + + } + + @Test(expected = AuthenticationException.class) + public void checkThrowsUser() throws AuthenticationException { + AAFAuthenticator test = new AAFAuthenticator(); + Map cred = new HashMap(); + cred.put("username", null); + Assert.assertNull(cred.get("username")); + test.authenticate(cred); + } + + @Test(expected = AuthenticationException.class) + public void checkThrowsPass() throws AuthenticationException { + AAFAuthenticator test = new AAFAuthenticator(); + Map cred = new HashMap(); + cred.put("username", "testUser"); + cred.put("password", "bsf:"); + Assert.assertNotNull(cred.get("password")); + test.authenticate(cred); + + cred.put("password", null); + Assert.assertNull(cred.get("password")); + test.authenticate(cred); + } + + + +} diff --git a/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthorizerTest.java b/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthorizerTest.java new file mode 100644 index 00000000..6f2e9da8 --- /dev/null +++ b/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFAuthorizerTest.java @@ -0,0 +1,109 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.cass; + +import static org.junit.Assert.*; + +import java.util.HashMap; +import java.util.Map; + +import org.junit.Test; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Access.Level; +import org.apache.cassandra.auth.AuthenticatedUser; +import org.apache.cassandra.exceptions.AuthenticationException; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import static org.junit.Assert.*; + +import com.att.aaf.cadi.cass.AAFAuthenticatedUser; +import com.att.aaf.cadi.cass.AAFAuthenticator; +import com.att.aaf.cadi.cass.AAFBase; + +import junit.framework.Assert; +//TODO:DELETE THIS OLD TEST +public class JU_AAFAuthorizerTest extends AAFBase +{ + + + @Before + public void setUp() + { + + } + + @After + public void tearDown() + { + + } + + @Test + public void checkRequiredAuth() { + AAFAuthenticator test = new AAFAuthenticator(); + Assert.assertTrue(test.requireAuthentication()); + } + + @Test + public void checkAuthenticate() throws AuthenticationException { + AuthenticatedUser user = new AuthenticatedUser("testUser"); + AAFAuthenticator test = new AAFAuthenticator(); + Map cred = new HashMap(); + cred.put("username", "testUser"); + cred.put("password", "testPass"); + String username = (String)cred.get("username"); + AAFAuthenticatedUser aau = new AAFAuthenticatedUser(access,username); + String fullName=aau.getFullName(); + //access.log(Level.DEBUG, "Authenticating", aau.getName(),"(", fullName,")"); + test.authenticate(cred); + //Assert.assert + + } + + @Test(expected = AuthenticationException.class) + public void checkThrowsUser() throws AuthenticationException { + AAFAuthenticator test = new AAFAuthenticator(); + Map cred = new HashMap(); + cred.put("username", null); + Assert.assertNull(cred.get("username")); + test.authenticate(cred); + } + + @Test(expected = AuthenticationException.class) + public void checkThrowsPass() throws AuthenticationException { + AAFAuthenticator test = new AAFAuthenticator(); + Map cred = new HashMap(); + cred.put("username", "testUser"); + cred.put("password", "bsf:"); + Assert.assertNotNull(cred.get("password")); + test.authenticate(cred); + + cred.put("password", null); + Assert.assertNull(cred.get("password")); + test.authenticate(cred); + } + + + +} diff --git a/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFBaseTest.java b/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFBaseTest.java new file mode 100644 index 00000000..49854865 --- /dev/null +++ b/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_AAFBaseTest.java @@ -0,0 +1,70 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.cass; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Access.Level; + +import junit.framework.Assert; + +import com.att.aaf.cadi.cass.AAFBase; + +import static org.junit.Assert.*; + +import org.apache.cassandra.exceptions.ConfigurationException; + +public class JU_AAFBaseTest +{ + + //TODO: REmove this file, no need for junit for abstract class + @Before + public void setUp() + { + + } + + @After + public void tearDown() + { + + } + + + @Test + public void test_method_setAccess_0_branch_0() + { + System.out.println("Now Testing Method:setAccess Branch:0"); + + //Call Method + AAFBase.setAccess(null); + + } + + + + +} diff --git a/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_CASS.java b/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_CASS.java new file mode 100644 index 00000000..60fd5487 --- /dev/null +++ b/cadi/cass/src/test/java/org/onap/aaf/cadi/cass/JU_CASS.java @@ -0,0 +1,106 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.cass; + +import java.util.HashMap; +import java.util.Map; +import java.util.Set; + +import org.apache.cassandra.auth.AuthenticatedUser; +import org.apache.cassandra.auth.IResource; +import org.apache.cassandra.auth.Permission; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.Test; + +import com.att.aaf.cadi.cass.AAFAuthenticator; +import com.att.aaf.cadi.cass.AAFAuthorizer; + +public class JU_CASS { + + private static AAFAuthenticator aa; + private static AAFAuthorizer an; + + @BeforeClass + public static void setUpBeforeClass() throws Exception { + System.setProperty("cadi_prop_files", "etc/cadi.properties"); + + aa = new AAFAuthenticator(); + an = new AAFAuthorizer(); + + aa.setup(); + an.setup(); // does nothing after aa. + + aa.validateConfiguration(); + + } + + @AfterClass + public static void tearDownAfterClass() throws Exception { + } + + @Test + public void test() throws Exception { + Map creds = new HashMap(); + creds.put("username", "XXX@NS"); + creds.put("password", "enc:???"); + AuthenticatedUser aaf = aa.authenticate(creds); + + // Test out "aaf_default_domain + creds.put("username", "XX"); + aaf = aa.authenticate(creds); + + IResource resource = new IResource() { + public String getName() { + return "data/authz"; + } + + public IResource getParent() { + return null; + } + + public boolean hasParent() { + return false; + } + + public boolean exists() { + return true; + } + + }; + + Set perms = an.authorize(aaf, resource); + + // Test out "AAF" access + creds.put("username", "XXX@NS"); + creds.put("password", "enc:???"); + aaf = aa.authenticate(creds); + perms = an.authorize(aaf, resource); + Assert.assertFalse(perms.isEmpty()); + + perms = an.authorize(aaf, resource); + Assert.assertFalse(perms.isEmpty()); + + } + +} diff --git a/cadi/client/.gitignore b/cadi/client/.gitignore new file mode 100644 index 00000000..8f9d9622 --- /dev/null +++ b/cadi/client/.gitignore @@ -0,0 +1,5 @@ +/.project +/.settings/ +/target/ +/logs/ +/.classpath diff --git a/cadi/client/pom.xml b/cadi/client/pom.xml new file mode 100644 index 00000000..1081ab09 --- /dev/null +++ b/cadi/client/pom.xml @@ -0,0 +1,89 @@ + + + + org.onap.aaf.cadi + parent + 1.5.0-SNAPSHOT + .. + + + aaf-cadi-client + AAF CADI Client + jar + 4.0.0 + + + + Jonathan Gathman + jonathan.gathman@att.com + ATT + + Architect + Lead Developer + + + + Gabe Maurer + gabe.maurer@att.com + ATT + + Developer + + + + Ian Howell + ian.howell@att.com + ATT + + Developer + + + + + + + org.onap.aaf.misc + aaf-misc-rosetta + + + + org.onap.aaf.cadi + aaf-cadi-core + + + + javax.servlet + javax.servlet-api + compile + + + + + + + org.apache.maven.plugins + maven-jarsigner-plugin + + + + + diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/client/AbsAuthentication.java b/cadi/client/src/main/java/org/onap/aaf/cadi/client/AbsAuthentication.java new file mode 100644 index 00000000..7a32473c --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/client/AbsAuthentication.java @@ -0,0 +1,130 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.client; + +import java.io.IOException; + +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.config.SecurityInfoC; + +/** + * AbsAuthentication is a class representing how to Authenticate onto a Client. + * + * Methods of setting Authentication on a Client vary, so CLIENT is a Generic Type + * This allows the ability to apply security onto Different Client Types, as they come + * into vogue, or change over time. + * + * Password is encrypted at rest. + * + * @author Jonathan + * + * @param + */ +public abstract class AbsAuthentication implements SecuritySetter { + // HTTP Header for Authentication is "Authorization". This was from an early stage of internet where + // Access by Credential "Authorized" you for everything on the site. Since those early days, it became + // clear that "full access" wasn't appropriate, so the split between Authentication and Authorization + // came into being... But the Header remains. + public static final String AUTHORIZATION = "Authorization"; + private static final Symm symm; + + protected static final String REPEAT_OFFENDER = "This call is aborted because of repeated usage of invalid Passwords"; + private static final int MAX_TEMP_COUNT = 10; + private static final int MAX_SPAM_COUNT = 10000; + private static final long WAIT_TIME = 1000*60*4; + private final byte[] headValue; + private String user; + protected final SecurityInfoC securityInfo; + protected long lastMiss; + protected int count; + + static { + try { + symm = Symm.encrypt.obtain(); + } catch (IOException e) { + throw new RuntimeException("Cannot create critical internal encryption key",e); + } + + } + + public AbsAuthentication(final SecurityInfoC securityInfo, final String user, final byte[] headValue) throws IOException { + this.headValue = headValue==null?null:symm.encode(headValue); + this.user = user; + this.securityInfo = securityInfo; + lastMiss=0L; + count=0; + } + + protected String headValue() throws IOException { + if(headValue==null) { + return ""; + } else { + return new String(symm.decode(headValue)); + } + } + + protected void setUser(String id) { + user = id; + } + + @Override + public String getID() { + return user; + } + + public boolean isDenied() { + if(lastMiss>0 && lastMiss>System.currentTimeMillis()) { + return true; + } else { + lastMiss=0L; + return false; + } + } + + public synchronized int setLastResponse(int httpcode) { + if(httpcode == 401) { + ++count; + if(lastMiss==0L && count>MAX_TEMP_COUNT) { + lastMiss=System.currentTimeMillis()+WAIT_TIME; + } + // if(count>MAX_SPAM_COUNT) { + // System.err.printf("Your service has %d consecutive bad service logins to AAF. \nIt will now exit\n", + // count); + // System.exit(401); + // } + if(count%1000==0) { + System.err.printf("Your service has %d consecutive bad service logins to AAF. AAF Access will be disabled after %d\n", + count,MAX_SPAM_COUNT); + } + + } else { + lastMiss=0; + } + return count; + } + + public int count() { + return count; + } + +} \ No newline at end of file diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/client/AbsTransferSS.java b/cadi/client/src/main/java/org/onap/aaf/cadi/client/AbsTransferSS.java new file mode 100644 index 00000000..3815bc67 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/client/AbsTransferSS.java @@ -0,0 +1,76 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.client; + +import java.security.Principal; + +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.principal.TaggedPrincipal; + +/** + * This client represents the ability to Transfer the Identity of the caller to the authenticated + * user being transferred to. This ability is critical for App-to-App communication to ensure that + * Authorization can happen on the End-Users' credentials when appropriate, even though Authentication + * to App1 by App2 must be by App2's credentials. + * + * @author Jonathan + * + * @param + */ +public abstract class AbsTransferSS implements SecuritySetter { + protected String value; + protected SecurityInfoC securityInfo; + protected SecuritySetter defSS; + private Principal principal; + + //Format:::[:AS][,::]* + public AbsTransferSS(TaggedPrincipal principal, String app) { + init(principal, app); + } + + public AbsTransferSS(TaggedPrincipal principal, String app, SecurityInfoC si) { + init(principal,app); + securityInfo = si; + this.defSS = si.defSS; + } + + private void init(TaggedPrincipal principal, String app) { + this.principal=principal; + if(principal==null) { + return; + } else { + value = principal.getName() + ':' + + app + ':' + + principal.tag() + ':' + + "AS"; + } + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.SecuritySetter#getID() + */ + @Override + public String getID() { + return principal==null?"":principal.getName(); + } +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/client/BasicAuth.java b/cadi/client/src/main/java/org/onap/aaf/cadi/client/BasicAuth.java new file mode 100644 index 00000000..1eb8d7c4 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/client/BasicAuth.java @@ -0,0 +1,28 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.client; + +/** + * Basic Auth is a marker Interface, because certain kinds of behaviors apply only to User/Password Combinations + */ +public interface BasicAuth { +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/client/EClient.java b/cadi/client/src/main/java/org/onap/aaf/cadi/client/EClient.java new file mode 100644 index 00000000..d5dfebf5 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/client/EClient.java @@ -0,0 +1,51 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.client; + +import java.io.IOException; +import java.io.OutputStream; + +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.Data; +import org.onap.aaf.misc.rosetta.env.RosettaDF; + + +public interface EClient { + public void setMethod(String meth); + public void setPathInfo(String pathinfo); + public void setPayload(Transfer transfer); + public void addHeader(String tag, String value); + public void setQueryParams(String q); + public void setFragment(String f); + public void send() throws APIException; + public Future futureCreate(Class t); + public Future futureReadString(); + public Future futureRead(RosettaDF df,Data.TYPE type); + public Future future(T t); + public Future future(HttpServletResponse resp, int expected) throws APIException; + + public interface Transfer { + public void transfer(OutputStream os) throws IOException, APIException; + } +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/client/Future.java b/cadi/client/src/main/java/org/onap/aaf/cadi/client/Future.java new file mode 100644 index 00000000..2579dc11 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/client/Future.java @@ -0,0 +1,33 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.client; + +import org.onap.aaf.cadi.CadiException; + +public abstract class Future { + public T value; + public abstract boolean get(int timeout) throws CadiException; + + public abstract int code(); + public abstract String body(); + public abstract String header(String tag); +} \ No newline at end of file diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/client/Holder.java b/cadi/client/src/main/java/org/onap/aaf/cadi/client/Holder.java new file mode 100644 index 00000000..c13afc25 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/client/Holder.java @@ -0,0 +1,46 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.client; + +/** + * Use to set Variables outside of Anonymous classes. + * @author Jonathan + * + * @param + */ +public class Holder { + private T value; + public Holder(T t) { + value = t; + } + public T set(T t) { + value = t; + return t; + } + + public T get() { + return value; + } + public String toString() { + return value.toString(); + } +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/client/Rcli.java b/cadi/client/src/main/java/org/onap/aaf/cadi/client/Rcli.java new file mode 100644 index 00000000..5ebc017e --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/client/Rcli.java @@ -0,0 +1,974 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.client; + +import java.io.IOException; +import java.io.OutputStream; +import java.io.PrintStream; +import java.net.URI; +import java.util.Enumeration; + +import javax.servlet.ServletInputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.client.EClient.Transfer; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.Data.TYPE; +import org.onap.aaf.misc.env.util.Pool; +import org.onap.aaf.misc.env.util.Pool.Pooled; +import org.onap.aaf.misc.rosetta.env.RosettaDF; + +public abstract class Rcli { + public static final String FORM_ENCODED = "application/x-www-form-urlencoded"; + public static final String APPL_JSON = "application/json"; + public static final String APPL_XML = "application/xml"; + public static final String BLANK = ""; + public static final String CONTENT_TYPE = "Content-Type"; + public static final String ACCEPT = "Accept"; + + protected static final String POST = "POST"; + protected static final String GET = "GET"; + protected static final String PUT = "PUT"; + protected static final String DELETE = "DELETE"; + protected TYPE type; + protected String apiVersion; + protected int readTimeout = 5000; + protected int connectionTimeout = 3000; + protected URI uri; + private String queryParams, fragment; + public static Pool buffPool = new Pool(new Pool.Creator() { + @Override + public byte[] create() throws APIException { + return new byte[1024]; + } + + @Override + public void destroy(byte[] t) { + } + + @Override + public boolean isValid(byte[] t) { + return true; + } + + @Override + public void reuse(byte[] t) { + } + }); + + + public Rcli() { + super(); + } + + public abstract void setSecuritySetter(SecuritySetter ss); + public abstract SecuritySetter getSecuritySetter(); + + + public Rcli forUser(SecuritySetter ss) { + Rcli rv = clone(uri==null?this.uri:uri,ss); + setSecuritySetter(ss); + rv.type = type; + rv.apiVersion = apiVersion; + return rv; + } + + protected abstract Rcli clone(URI uri, SecuritySetter ss); + + public abstract void invalidate() throws CadiException; + + public Rcli readTimeout(int millis) { + readTimeout = millis; + return this; + } + + public Rcli connectionTimeout(int millis) { + connectionTimeout = millis; + return this; + } + + public Rcli type(TYPE type) { + this.type=type; + return this; + } + + public Rcli apiVersion(String apiVersion) { + this.apiVersion = apiVersion; + return this; + } + + public boolean isApiVersion(String prospective) { + return apiVersion.equals(prospective); + } + + + public String typeString(Class cls) { + return "application/"+cls.getSimpleName()+"+"+type.name().toLowerCase()+ + (apiVersion==null?BLANK:";version="+apiVersion); + } + + protected abstract EClient client() throws CadiException; + + + public Future create(String pathinfo, String contentType, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(POST); + client.addHeader(CONTENT_TYPE,contentType); + client.setPathInfo(pathinfo); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.futureCreate(df.getTypeClass()); + } + + public Future create(String pathinfo, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(POST); + client.addHeader(CONTENT_TYPE,typeString(df.getTypeClass())); + client.setPathInfo(pathinfo); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.futureCreate(df.getTypeClass()); + } + + public Future create(String pathinfo, Class cls, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(POST); + client.addHeader(CONTENT_TYPE,typeString(cls)); + client.setPathInfo(pathinfo); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.futureCreate(df.getTypeClass()); + } + + public Future create(String pathinfo, Class cls) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(POST); + client.addHeader(CONTENT_TYPE,typeString(cls)); + client.setPathInfo(pathinfo); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPayload(null); + client.send(); + queryParams = fragment = null; + return client.futureCreate(cls); + } + + public Future create(String pathinfo, String contentType) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(POST); + client.addHeader(CONTENT_TYPE,contentType); + client.setPathInfo(pathinfo); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPayload(null); + client.send(); + queryParams = fragment = null; + return client.futureCreate(Void.class); + } + + + /** + * Post Data in WWW expected format, with the format tag1=value1&tag2=value2, etc + * Note Shortcut: + * Because typically, you will want to have a variable as value, you can type, as long as tag ends with "=" + * postForm(..., "tag1=value1","tag2=",var2); + * @param pathinfo + * @param df + * @param cls + * @param formParam + * @return + * @throws APIException + * @throws CadiException + */ + public Future postForm(String pathinfo, final RosettaDF df, final String ... formParam) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(POST); + client.addHeader(CONTENT_TYPE,FORM_ENCODED); + switch(type) { + case JSON: + client.addHeader(ACCEPT, APPL_JSON); + break; + case XML: + client.addHeader(ACCEPT, APPL_XML); + break; + default: + break; + } + client.setPathInfo(pathinfo); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPayload(new Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + PrintStream ps; + if(os instanceof PrintStream) { + ps = (PrintStream)os; + } else { + ps = new PrintStream(os); + } + boolean first = true; + for(String fp : formParam) { + if(fp!=null) { + if(first) { + first = false; + } else { + ps.print('&'); + } + if(fp.endsWith("=")) { + first = true; + } + ps.print(fp); + } + } + }}); + client.send(); + queryParams = fragment = null; + return client.futureRead(df,TYPE.JSON); + } + + /** + * Read String, using POST for keyInfo + * + * @param pathinfo + * @param df + * @param t + * @param resp + * @return + * @throws APIException + * @throws CadiException + */ + public Future readPost(String pathinfo, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(POST); + client.addHeader(CONTENT_TYPE,typeString(df.getTypeClass())); + client.setPathInfo(pathinfo); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.futureReadString(); + } + + /** + * Read using POST for keyInfo, responding with marshaled Objects + * + * @param pathinfo + * @param df + * @param t + * @param resp + * @return + * @throws APIException + * @throws CadiException + */ + public Future readPost(String pathinfo, final RosettaDF df, final T t, final RosettaDF resp) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(POST); + client.addHeader(CONTENT_TYPE,typeString(df.getTypeClass())); + client.setPathInfo(pathinfo); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.futureRead(resp,resp.getOutType()); + } + + public Future readPost(String pathinfo, String contentType, String ... headers) throws CadiException, APIException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(POST); + client.addHeader(CONTENT_TYPE,contentType); + client.setPathInfo(pathinfo); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + }}); + client.send(); + queryParams = fragment = null; + return client.futureReadString(); + } + + public Future read(String pathinfo, String accept, String ... headers) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(GET); + client.addHeader(ACCEPT, accept); + + for(int i=1;i Future read(String pathinfo, String accept, RosettaDF df, String ... headers) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(GET); + client.addHeader(ACCEPT, accept); + for(int i=1;i Future read(String pathinfo, RosettaDF df,String ... headers) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(GET); + client.addHeader(ACCEPT, typeString(df.getTypeClass())); + for(int i=1;i Future read(String pathinfo, Class cls, RosettaDF df) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(GET); + client.addHeader(ACCEPT, typeString(cls)); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); + + client.setPayload(null); + client.send(); + queryParams = fragment = null; + return client.futureRead(df,type); + } + + public Future update(String pathinfo, String contentType, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(PUT); + client.addHeader(CONTENT_TYPE,contentType); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.future(t); + } + + public Future updateRespondString(String pathinfo, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(PUT); + client.addHeader(CONTENT_TYPE, typeString(df.getTypeClass())); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.futureReadString(); + } + + + public Future update(String pathinfo, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(PUT); + client.addHeader(CONTENT_TYPE, typeString(df.getTypeClass())); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.future(t); + } + + public Future update(String pathinfo, Class cls, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(PUT); + client.addHeader(CONTENT_TYPE, typeString(cls)); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.future(t); + } + + /** + * A method to update with a VOID + * @param pathinfo + * @param resp + * @param expected + * @return + * @throws APIException + * @throws CadiException + */ + public Future update(String pathinfo) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(PUT); + client.addHeader(CONTENT_TYPE, typeString(Void.class)); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); +// client.setPayload(new EClient.Transfer() { +// @Override +// public void transfer(OutputStream os) throws IOException, APIException { +// } +// }); + client.send(); + queryParams = fragment = null; + return client.future(null); + } + + public Future delete(String pathinfo, String contentType, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(DELETE); + client.addHeader(CONTENT_TYPE, contentType); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.future(t); + } + + public Future delete(String pathinfo, Class cls, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(DELETE); + client.addHeader(CONTENT_TYPE, typeString(cls)); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + client.send(); + queryParams = fragment = null; + return client.future(t); + } + + public Future delete(String pathinfo, final RosettaDF df, final T t) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(DELETE); + client.addHeader(CONTENT_TYPE, typeString(df.getTypeClass())); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + df.newData().out(type).direct(t,os); + } + }); + + client.send(); + queryParams = fragment = null; + return client.future(t); + } + + + public Future delete(String pathinfo, Class cls) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + + EClient client = client(); + client.setMethod(DELETE); + client.addHeader(CONTENT_TYPE, typeString(cls)); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); + client.setPayload(null); + client.send(); + queryParams = fragment = null; + return client.future((T)null); + } + + public Future delete(String pathinfo, String contentType) throws APIException, CadiException { + final String qp; + if(pathinfo==null) { + qp=queryParams; + } else { + final int idx = pathinfo.indexOf('?'); + if(idx>=0) { + qp=pathinfo.substring(idx+1); + pathinfo=pathinfo.substring(0,idx); + } else { + qp=queryParams; + } + } + + EClient client = client(); + client.setMethod(DELETE); + client.addHeader(CONTENT_TYPE, contentType); + client.setQueryParams(qp); + client.setFragment(fragment); + client.setPathInfo(pathinfo); + client.setPayload(null); + client.send(); + queryParams = fragment = null; + return client.future(null); + } + + public Future transfer(final HttpServletRequest req, final HttpServletResponse resp, final String pathParam, final int expected) throws CadiException, APIException { + EClient client = client(); + URI uri; + try { + uri = new URI(req.getRequestURI()); + } catch (Exception e) { + throw new CadiException("Invalid incoming URI",e); + } + String name; + for(Enumeration en = req.getHeaderNames();en.hasMoreElements();) { + name = en.nextElement(); + client.addHeader(name,req.getHeader(name)); + } + client.setQueryParams(req.getQueryString()); + client.setFragment(uri.getFragment()); + client.setPathInfo(pathParam); + String meth = req.getMethod(); + client.setMethod(meth); + if(!"GET".equals(meth)) { + client.setPayload(new EClient.Transfer() { + @Override + public void transfer(OutputStream os) throws IOException, APIException { + final ServletInputStream is = req.getInputStream(); + int read; + // reuse Buffers + Pooled pbuff = buffPool.get(); + try { + while((read=is.read(pbuff.content))>=0) { + os.write(pbuff.content,0,read); + } + } finally { + pbuff.done(); + } + } + }); + } + client.send(); + return client.future(resp, expected); + } + + public String toString() { + return uri.toString(); + } + + /** + * @param queryParams the queryParams to set + * @return + */ + public Rcli setQueryParams(String queryParams) { + this.queryParams = queryParams; + return this; + } + + + /** + * @param fragment the fragment to set + * @return + */ + public Rcli setFragment(String fragment) { + this.fragment = fragment; + return this; + } + + public URI getURI() { + return uri; + } + +} \ No newline at end of file diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/client/Result.java b/cadi/client/src/main/java/org/onap/aaf/cadi/client/Result.java new file mode 100644 index 00000000..fecb847b --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/client/Result.java @@ -0,0 +1,60 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.client; + +public class Result { + public final int code; + public final T value; + public final String error; + + private Result(int code, T value, String error) { + this.code = code; + this.value = value; + this.error = error; + } + + public static Result ok(int code,T t) { + return new Result(code,t,null); + } + + public static Result err(int code,String body) { + return new Result(code,null,body); + } + + public static Result err(Result r) { + return new Result(r.code,null,r.error); + } + + public boolean isOK() { + return error==null; + } + + public String toString() { + StringBuilder sb = new StringBuilder("Code: "); + sb.append(code); + if(error!=null) { + sb.append(" = "); + sb.append(error); + } + return sb.toString(); + } +} \ No newline at end of file diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/client/Retryable.java b/cadi/client/src/main/java/org/onap/aaf/cadi/client/Retryable.java new file mode 100644 index 00000000..8208efe1 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/client/Retryable.java @@ -0,0 +1,71 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.client; + +import java.net.ConnectException; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.misc.env.APIException; + +/** + * + * @author Jonathan + * + * @param + * @param + */ +public abstract class Retryable { + // be able to hold state for consistent Connections. Not required for all connection types. + public Rcli lastClient; + private Locator.Item item; + + public Retryable() { + lastClient = null; + item = null; + } + + public Retryable(Retryable ret) { + lastClient = ret.lastClient; + item = ret.item; + } + + public Locator.Item item(Locator.Item item) { + lastClient = null; + this.item = item; + return item; + } + public Locator.Item item() { + return item; + } + + public abstract RET code(Rcli client) throws CadiException, ConnectException, APIException; + + /** + * Note, Retryable is tightly coupled to the Client Utilizing. It will not be the wrong type. + * @return + */ + @SuppressWarnings("unchecked") + public Rcli lastClient() { + return (Rcli)lastClient; + } +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HAuthorizationHeader.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HAuthorizationHeader.java new file mode 100644 index 00000000..787c5c29 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HAuthorizationHeader.java @@ -0,0 +1,54 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.http; + +import java.io.IOException; +import java.net.HttpURLConnection; + +import javax.net.ssl.HttpsURLConnection; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.client.AbsAuthentication; +import org.onap.aaf.cadi.config.SecurityInfoC; + +public class HAuthorizationHeader extends AbsAuthentication { + + public HAuthorizationHeader(SecurityInfoC si, String user, String headValue) throws IOException { + super(si,user,headValue==null?null:headValue.getBytes()); + } + + @Override + public void setSecurity(HttpURLConnection huc) throws CadiException { + if(isDenied()) { + throw new CadiException(REPEAT_OFFENDER); + } + try { + huc.addRequestProperty(AUTHORIZATION , headValue()); + } catch (IOException e) { + throw new CadiException(e); + } + if(securityInfo!=null && huc instanceof HttpsURLConnection) { + securityInfo.setSocketFactoryOn((HttpsURLConnection)huc); + } + } + +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HBasicAuthSS.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HBasicAuthSS.java new file mode 100644 index 00000000..9e86c7fb --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HBasicAuthSS.java @@ -0,0 +1,68 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.http; + +import java.io.IOException; +import java.net.HttpURLConnection; + +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.client.BasicAuth; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.principal.BasicPrincipal; + +public class HBasicAuthSS extends HAuthorizationHeader implements BasicAuth { + public HBasicAuthSS(SecurityInfoC si, String user, String password) throws IOException { + super(si, user, "Basic " + Symm.base64noSplit.encode(user + ':' + password)); + } + + public HBasicAuthSS(SecurityInfoC si) throws IOException { + this(si,si.access.getProperty(Config.AAF_APPID, null), + si.access.decrypt(si.access.getProperty(Config.AAF_APPPASS, null), false)); + } + + public HBasicAuthSS(SecurityInfoC si, boolean setDefault) throws IOException { + this(si,si.access.getProperty(Config.AAF_APPID, null), + si.access.decrypt(si.access.getProperty(Config.AAF_APPPASS, null), false),setDefault); + } + + + public HBasicAuthSS(SecurityInfoC si, String user, String pass, boolean asDefault) throws IOException { + this(si, user,pass); + if(asDefault) { + si.set(this); + } + } + + public HBasicAuthSS(BasicPrincipal bp, SecurityInfoC si) throws IOException { + this(si, bp.getName(),new String(bp.getCred())); + } + + public HBasicAuthSS(BasicPrincipal bp, SecurityInfoC si, boolean asDefault) throws IOException { + this(si, bp.getName(),new String(bp.getCred())); + if(asDefault) { + si.set(this); + } + } + + +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java new file mode 100644 index 00000000..46099887 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HClient.java @@ -0,0 +1,444 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.http; + +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.OutputStream; +import java.io.Reader; +import java.net.HttpURLConnection; +import java.net.URI; +import java.net.URL; +import java.util.ArrayList; + +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.client.EClient; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.Data; +import org.onap.aaf.misc.env.Data.TYPE; +import org.onap.aaf.misc.env.util.Pool.Pooled; +import org.onap.aaf.misc.rosetta.env.RosettaDF; + +/** + * Low Level Http Client Mechanism. Chances are, you want the high level "HRcli" + * for Rosetta Object Translation + * + * @author Jonathan + * + */ +public class HClient implements EClient { + private URI uri; + private ArrayList
headers; + private String meth; + private String pathinfo; + private String query; + private String fragment; + private Transfer transfer; + private SecuritySetter ss; + private HttpURLConnection huc; + private int connectTimeout; + + public HClient(SecuritySetter ss, URI uri,int connectTimeout) throws LocatorException { + if (uri == null) { + throw new LocatorException("No Service available to call"); + } + this.uri = uri; + this.ss = ss; + this.connectTimeout = connectTimeout; + pathinfo = query = fragment = null; + } + + @Override + public void setMethod(String meth) { + this.meth = meth; + } + + @Override + public void setPathInfo(String pathinfo) { + this.pathinfo = pathinfo; + } + + @Override + public void setPayload(Transfer transfer) { + this.transfer = transfer; + } + + @Override + public void addHeader(String tag, String value) { + if (headers == null) + headers = new ArrayList
(); + headers.add(new Header(tag, value)); + } + + @Override + public void setQueryParams(String q) { + query = q; + } + + @Override + public void setFragment(String f) { + fragment = f; + } + + @Override + public void send() throws APIException { + try { + // Build URL from given URI plus current Settings + if(uri.getPath()==null) { + throw new APIException("Invalid URL entered for HClient"); + } + StringBuilder pi=null; + if(pathinfo!=null) { // additional pathinfo + pi = new StringBuilder(uri.getPath()); + if(!pathinfo.startsWith("/")) { + pi.append('/'); + } + pi.append(pathinfo); + } + URL url = new URI( + uri.getScheme(), + uri.getUserInfo(), + uri.getHost(), + uri.getPort(), + pi==null?uri.getPath():pi.toString(), + query, + fragment).toURL(); + pathinfo=null; + query=null; + fragment=null; + huc = (HttpURLConnection) url.openConnection(); + huc.setRequestMethod(meth); + if(ss!=null) { + ss.setSecurity(huc); + } + if (headers != null) + for (Header d : headers) { + huc.addRequestProperty(d.tag, d.value); + } + huc.setDoInput(true); + huc.setDoOutput(true); + huc.setUseCaches(false); + huc.setConnectTimeout(connectTimeout); + huc.connect(); + if (transfer != null) { + transfer.transfer(huc.getOutputStream()); + } + // TODO other settings? There's a bunch here. + } catch (Exception e) { + throw new APIException(e); + } finally { // ensure all these are reset after sends + meth=pathinfo=null; + if(headers!=null) { + headers.clear(); + } + pathinfo = query = fragment = ""; + } + } + + public URI getURI() { + return uri; + } + + public int timeout() { + return connectTimeout; + } + + public abstract class HFuture extends Future { + protected HttpURLConnection huc; + protected int respCode; + protected String respMessage; + protected IOException exception; + protected StringBuilder errContent; + + public HFuture(final HttpURLConnection huc) { + this.huc = huc; + } + + protected boolean evalInfo(HttpURLConnection huc) throws APIException, IOException{ + return respCode == 200; + }; + + @Override + public final boolean get(int timeout) throws CadiException { + try { + huc.setReadTimeout(timeout); + respCode = huc.getResponseCode(); + ss.setLastResponse(respCode); + if(evalInfo(huc)) { + return true; + } else { + extractError(); + return false; + } + } catch (IOException | APIException e) { + throw new CadiException(e); + } finally { + close(); + } + } + + private void extractError() { + InputStream is = huc.getErrorStream(); + try { + if(is==null) { + is = huc.getInputStream(); + } + if(is!=null) { + errContent = new StringBuilder(); + int c; + while((c=is.read())>=0) { + errContent.append((char)c); + } + } + } catch (IOException e) { + exception = e; + } + } + + // Typically only used by Read + public StringBuilder inputStreamToString(InputStream is) { + // Avoids Carriage returns, and is reasonably efficient, given + // the buffer reads. + try { + StringBuilder sb = new StringBuilder(); + Reader rdr = new InputStreamReader(is); + try { + char[] buf = new char[256]; + int read; + while ((read = rdr.read(buf)) >= 0) { + sb.append(buf, 0, read); + } + } finally { + rdr.close(); + } + return sb; + } catch (IOException e) { + exception = e; + return null; + } + } + + + @Override + public int code() { + return respCode; + } + + public HttpURLConnection huc() { + return huc; + } + + public IOException exception() { + return exception; + } + + public String respMessage() { + return respMessage; + } + + @Override + public String header(String tag) { + return huc.getHeaderField(tag); + } + + public void close() { + if(huc!=null) { + huc.disconnect(); + } + } + } + + @Override + public Future futureCreate(Class t) { + return new HFuture(huc) { + public boolean evalInfo(HttpURLConnection huc) { + return respCode==201; + } + + @Override + public String body() { + if (errContent != null) { + return errContent.toString(); + + } else if (respMessage != null) { + return respMessage; + } + return ""; + } + }; + } + + @Override + public Future futureReadString() { + return new HFuture(huc) { + public boolean evalInfo(HttpURLConnection huc) throws IOException { + if (respCode == 200) { + StringBuilder sb = inputStreamToString(huc.getInputStream()); + if (sb != null) { + value = sb.toString(); + } + return true; + } + return false; + } + + @Override + public String body() { + if (value != null) { + return value; + } else if (errContent != null) { + return errContent.toString(); + } else if (respMessage != null) { + return respMessage; + } + return ""; + } + + }; + } + + @Override + public Future futureRead(final RosettaDF df, final TYPE type) { + return new HFuture(huc) { + private Data data; + + public boolean evalInfo(HttpURLConnection huc) throws APIException, IOException { + if (respCode == 200) { + data = df.newData().in(type).load(huc.getInputStream()); + value = data.asObject(); + return true; + } + return false; + } + + @Override + public String body() { + if (data != null) { + try { + return data.asString(); + } catch (APIException e) { + } + } else if (errContent != null) { + return errContent.toString(); + } else if (respMessage != null) { + return respMessage; + } + return ""; + } + }; + } + + @Override + public Future future(final T t) { + return new HFuture(huc) { + public boolean evalInfo(HttpURLConnection huc) { + if (respCode == 200) { + value = t; + return true; + } + return false; + } + + @Override + public String body() { + if (errContent != null) { + return errContent.toString(); + } else if (respMessage != null) { + return respMessage; + } + return Integer.toString(respCode); + } + }; + } + + @Override + public Future future(final HttpServletResponse resp, final int expected) throws APIException { + return new HFuture(huc) { + public boolean evalInfo(HttpURLConnection huc) throws IOException, APIException { + resp.setStatus(respCode); + int read; + InputStream is; + OutputStream os = resp.getOutputStream(); + if(respCode==expected) { + is = huc.getInputStream(); + // reuse Buffers + Pooled pbuff = Rcli.buffPool.get(); + try { + while((read=is.read(pbuff.content))>=0) { + os.write(pbuff.content,0,read); + } + } finally { + pbuff.done(); + } + return true; + } else { + is = huc.getErrorStream(); + if(is==null) { + is = huc.getInputStream(); + } + if(is!=null) { + errContent = new StringBuilder(); + Pooled pbuff = Rcli.buffPool.get(); + try { + while((read=is.read(pbuff.content))>=0) { + os.write(pbuff.content,0,read); + } + } finally { + pbuff.done(); + } + } + } + return false; + } + + @Override + public String body() { + return errContent==null?respMessage:errContent.toString(); + } + }; + } + + private static class Header { + public final String tag; + public final String value; + + public Header(String t, String v) { + this.tag = t; + this.value = v; + } + + public String toString() { + return tag + '=' + value; + } + } + + public String toString() { + return "HttpURLConnection Client configured to " + uri.toString(); + } +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HMangr.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HMangr.java new file mode 100644 index 00000000..2aa10ac3 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HMangr.java @@ -0,0 +1,248 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.http; + +import java.net.ConnectException; +import java.net.HttpURLConnection; +import java.net.SocketException; +import java.net.URI; +import java.net.URISyntaxException; + +import javax.net.ssl.SSLHandshakeException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.Locator.Item; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.misc.env.APIException; + +public class HMangr { + private String apiVersion; + private int readTimeout, connectionTimeout; + public final Locator loc; + private Access access; + + public HMangr(Access access, Locator loc) throws LocatorException { + readTimeout = 10000; + connectionTimeout=3000; + if(loc == null) { + throw new LocatorException("Null Locator passed"); + } + this.loc = loc; + this.access = access; + } + + /** + * Reuse the same service. This is helpful for multiple calls that change service side cached data so that + * there is not a speed issue. + * + * If the service goes down, another service will be substituted, if available. + * + * @param access + * @param loc + * @param ss + * @param item + * @param retryable + * @return + * @throws URISyntaxException + * @throws Exception + */ + public RET same(SecuritySetter ss, Retryable retryable) throws APIException, CadiException, LocatorException { + RET ret = null; + boolean retry = true; + Rcli client = retryable.lastClient(); + try { + do { + Item item; + // if no previous state, get the best + if(retryable.item()==null) { + item = loc.best(); + if(item==null) { + throw new LocatorException("No Services Found for " + loc); + } + retryable.item(item); + retryable.lastClient = null; + } + if(client==null) { + item = retryable.item(); + URI uri=loc.get(item); + if(uri==null) { + loc.invalidate(retryable.item()); + if(loc.hasItems()) { + retryable.item(loc.next(retryable.item())); + continue; + } else { + throw new LocatorException("No clients available for " + loc.toString()); + } + } + client = new HRcli(this, uri,item,ss) + .connectionTimeout(connectionTimeout) + .readTimeout(readTimeout) + .apiVersion(apiVersion); + } else { + client.setSecuritySetter(ss); + } + + retry = false; + try { + ret = retryable.code(client); + } catch (APIException | CadiException e) { + item = retryable.item(); + loc.invalidate(item); + retryable.item(loc.next(item)); + try { + Throwable ec = e.getCause(); + if(ec instanceof java.net.ConnectException) { + if(client!=null && loc.hasItems()) { + access.log(Level.WARN,"Connection refused, trying next available service"); + retry = true; + } else { + throw new CadiException("Connection refused, no more services to try"); + } + } else if(ec instanceof java.net.SocketException) { + if(client!=null && loc.hasItems()) { + access.log(Level.WARN,"Socket prematurely closed, trying next available service"); + retry = true; + } else { + throw new CadiException("Socket prematurely closed, no more services to try"); + } + } else if(ec instanceof SSLHandshakeException) { + retryable.item(null); + throw e; + } else if(ec instanceof SocketException) { + if("java.net.SocketException: Connection reset".equals(ec.getMessage())) { + access.log(Level.ERROR, ec.getMessage(), " can mean Certificate Expiration or TLS Protocol issues"); + } + retryable.item(null); + throw e; + } else { + retryable.item(null); + throw e; + } + } finally { + client = null; + } + } catch (ConnectException e) { + item = retryable.item(); + loc.invalidate(item); + retryable.item(loc.next(item)); + } + } while(retry); + } finally { + retryable.lastClient = client; + } + return ret; + } + + + public RET best(SecuritySetter ss, Retryable retryable) throws LocatorException, CadiException, APIException { + if(loc==null) { + throw new LocatorException("No Locator Configured"); + } + retryable.item(loc.best()); + return same(ss,retryable); + } + public RET all(SecuritySetter ss, Retryable retryable) throws LocatorException, CadiException, APIException { + return oneOf(ss,retryable,true,null); + } + + public RET all(SecuritySetter ss, Retryable retryable,boolean notify) throws LocatorException, CadiException, APIException { + return oneOf(ss,retryable,notify,null); + } + + public RET oneOf(SecuritySetter ss, Retryable retryable,boolean notify,String host) throws LocatorException, CadiException, APIException { + RET ret = null; + // make sure we have all current references: + loc.refresh(); + for(Item li=loc.first();li!=null;li=loc.next(li)) { + URI uri=loc.get(li); + if(host!=null && !host.equals(uri.getHost())) { + break; + } + try { + ret = retryable.code(new HRcli(this,uri,li,ss)); + access.log(Level.DEBUG,"Success calling",uri,"during call to all services"); + } catch (APIException | CadiException e) { + Throwable t = e.getCause(); + if(t!=null && t instanceof ConnectException) { + loc.invalidate(li); + access.log(Level.ERROR,"Connection to",uri,"refused during call to all services"); + } else if(t instanceof SSLHandshakeException) { + access.log(Level.ERROR,t.getMessage()); + loc.invalidate(li); + } else if(t instanceof SocketException) { + if("java.net.SocketException: Connection reset".equals(t.getMessage())) { + access.log(Level.ERROR, t.getMessage(), " can mean Certificate Expiration or TLS Protocol issues"); + } + retryable.item(null); + throw e; + } else { + throw e; + } + } catch (ConnectException e) { + loc.invalidate(li); + access.log(Level.ERROR,"Connection to",uri,"refused during call to all services"); + } + } + + if(ret == null && notify) + throw new LocatorException("No available clients to call"); + return ret; + } + + + public void close() { + // TODO Anything here? + } + + public HMangr readTimeout(int timeout) { + this.readTimeout = timeout; + return this; + } + + public int readTimeout() { + return readTimeout; + } + + public void connectionTimeout(int t) { + connectionTimeout = t; + } + + public int connectionTimout() { + return connectionTimeout; + } + + public HMangr apiVersion(String version) { + apiVersion = version; + return this; + } + + public String apiVersion() { + return apiVersion; + } + +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HNoAuthSS.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HNoAuthSS.java new file mode 100644 index 00000000..b857f3ad --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HNoAuthSS.java @@ -0,0 +1,45 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.http; + +import java.io.IOException; +import java.net.HttpURLConnection; + +import javax.net.ssl.HttpsURLConnection; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.client.AbsAuthentication; +import org.onap.aaf.cadi.config.SecurityInfoC; + +public class HNoAuthSS extends AbsAuthentication { + public HNoAuthSS(SecurityInfoC si) throws IOException { + super(si,"noauth",null); + } + + @Override + public void setSecurity(HttpURLConnection client) throws CadiException { + if(securityInfo!=null && client instanceof HttpsURLConnection) { + securityInfo.setSocketFactoryOn((HttpsURLConnection)client); + } + } + +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HRcli.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HRcli.java new file mode 100644 index 00000000..f289b0e3 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HRcli.java @@ -0,0 +1,130 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.http; + +import java.net.HttpURLConnection; +import java.net.URI; +import java.net.URISyntaxException; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.Locator.Item; +import org.onap.aaf.cadi.client.EClient; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.Data.TYPE; + +/** + * Rosetta Client + * + * JAXB defined JSON or XML over HTTP/S + * + * @author Jonathan + * + * @param + */ +public class HRcli extends Rcli { + private HMangr hman; + private Item item; + private SecuritySetter ss; + + public HRcli(HMangr hman, Item locItem, SecuritySetter secSet) throws URISyntaxException, LocatorException { + item=locItem; + uri=hman.loc.get(locItem); + this.hman = hman; + ss=secSet; + type = TYPE.JSON; + apiVersion = hman.apiVersion(); + } + + public HRcli(HMangr hman, URI uri, Item locItem, SecuritySetter secSet) { + locItem=item; + this.uri = uri; + this.hman = hman; + ss=secSet; + type = TYPE.JSON; + apiVersion = hman.apiVersion(); + } + + @Override + protected HRcli clone(URI uri, SecuritySetter ss) { + return new HRcli(hman,uri,item,ss); + } + + + + /** + * + * @return + * @throws APIException + * @throws DME2Exception + */ + protected EClient client() throws CadiException { + try { + if(uri==null) { + Item item = hman.loc.best(); + if(item==null) { + throw new CadiException("No service available for " + hman.loc.toString()); + } + uri = hman.loc.get(item); + } + return new HClient(ss,uri,connectionTimeout); + } catch (Exception e) { + throw new CadiException(e); + } + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.client.Rcli#setSecuritySetter(org.onap.aaf.cadi.SecuritySetter) + */ + @Override + public void setSecuritySetter(SecuritySetter ss) { + this.ss = ss; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.client.Rcli#getSecuritySetter() + */ + @Override + public SecuritySetter getSecuritySetter() { + return ss; + } + + public void invalidate() throws CadiException { + try { + hman.loc.invalidate(item); + } catch (Exception e) { + throw new CadiException(e); + } + } + + public HRcli setManager(HMangr hman) { + this.hman = hman; + return this; + } + + public String toString() { + return uri.toString(); + } + +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HTokenSS.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HTokenSS.java new file mode 100644 index 00000000..873e0fe7 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HTokenSS.java @@ -0,0 +1,34 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.http; + +import java.io.IOException; +import java.net.HttpURLConnection; + +import org.onap.aaf.cadi.config.SecurityInfoC; + +public class HTokenSS extends HAuthorizationHeader { + public HTokenSS(final SecurityInfoC si, final String client_id, final String token) throws IOException { + super(si, client_id,"Bearer " + token); + } + +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HTransferSS.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HTransferSS.java new file mode 100644 index 00000000..d19c42e9 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HTransferSS.java @@ -0,0 +1,64 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.http; + +import java.io.IOException; +import java.net.HttpURLConnection; + +import javax.net.ssl.HttpsURLConnection; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.client.AbsTransferSS; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.principal.TaggedPrincipal; + + +public class HTransferSS extends AbsTransferSS { + public HTransferSS(TaggedPrincipal principal, String app) throws IOException { + super(principal, app); + } + + public HTransferSS(TaggedPrincipal principal, String app, SecurityInfoC si) { + super(principal, app, si); + } + + @Override + public void setSecurity(HttpURLConnection huc) throws CadiException { + if(defSS==null) { + throw new CadiException("Need App Credentials to send message"); + } + defSS.setSecurity(huc); + if(value!=null) { + huc.addRequestProperty(Config.CADI_USER_CHAIN, value); + } + if(securityInfo!=null) { + securityInfo.setSocketFactoryOn((HttpsURLConnection)huc); + } + } + + @Override + public int setLastResponse(int respCode) { + return 0; + } + +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/http/HX509SS.java b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HX509SS.java new file mode 100644 index 00000000..9d555f62 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/http/HX509SS.java @@ -0,0 +1,152 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.http; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.net.HttpURLConnection; +import java.security.PrivateKey; +import java.security.SecureRandom; +import java.security.Signature; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; + +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.X509KeyManager; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.SecuritySetter; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.client.AbsAuthentication; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Chrono; + + +public class HX509SS implements SecuritySetter { + private static final byte[] X509 = "x509 ".getBytes(); + private PrivateKey priv; + private byte[] pub; + private String cert; + private SecurityInfoC securityInfo; + private String algo; + private String alias; + private static int count = new SecureRandom().nextInt(); + + public HX509SS(SecurityInfoC si) throws APIException, CadiException { + this(null,si,false); + } + + public HX509SS(SecurityInfoC si, boolean asDefault) throws APIException, CadiException { + this(null,si,asDefault); + } + + public HX509SS(final String sendAlias, SecurityInfoC si) throws APIException, CadiException { + this(sendAlias, si, false); + } + + public HX509SS(final String sendAlias, SecurityInfoC si, boolean asDefault) throws APIException, CadiException { + securityInfo = si; + if((alias=sendAlias) == null) { + if(si.default_alias == null) { + throw new APIException("JKS Alias is required to use X509SS Security. Use " + Config.CADI_ALIAS +" to set default alias"); + } else { + alias = si.default_alias; + } + } + + priv=null; + X509KeyManager[] xkms = si.getKeyManagers(); + if(xkms==null || xkms.length==0) { + throw new APIException("There are no valid keys available in given Keystores. Wrong Keypass? Expired?"); + } + for(int i=0;priv==null&&i0) { + algo = chain[0].getSigAlgName(); + pub = chain[0].getEncoded(); + ByteArrayOutputStream baos = new ByteArrayOutputStream(pub.length*2); + ByteArrayInputStream bais = new ByteArrayInputStream(pub); + Symm.base64noSplit.encode(bais,baos,X509); + cert = baos.toString(); + } + } + } catch (CertificateEncodingException | IOException e) { + throw new CadiException(e); + } + if(algo==null) { + throw new APIException("X509 Security Setter not configured"); + } + } + + @Override + public void setSecurity(HttpURLConnection huc) throws CadiException { + if(huc instanceof HttpsURLConnection) { + securityInfo.setSocketFactoryOn((HttpsURLConnection)huc); + } + if(alias==null) { // must be a one-way + huc.setRequestProperty(AbsAuthentication.AUTHORIZATION, cert); + + // Test Signed content + try { + String data = "SignedContent["+ inc() + ']' + Chrono.dateTime(); + huc.setRequestProperty("Data", data); + + Signature sig = Signature.getInstance(algo); + sig.initSign(priv); + sig.update(data.getBytes()); + byte[] signature = sig.sign(); + + ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(signature.length*1.3)); + ByteArrayInputStream bais = new ByteArrayInputStream(signature); + Symm.base64noSplit.encode(bais, baos); + huc.setRequestProperty("Signature", new String(baos.toByteArray())); + + } catch (Exception e) { + throw new CadiException(e); + } + } + } + + private synchronized int inc() { + return ++count; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.SecuritySetter#getID() + */ + @Override + public String getID() { + return alias; + } + + @Override + public int setLastResponse(int respCode) { + return 0; + } +} diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/locator/DNSLocator.java b/cadi/client/src/main/java/org/onap/aaf/cadi/locator/DNSLocator.java new file mode 100644 index 00000000..655a0c22 --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/locator/DNSLocator.java @@ -0,0 +1,210 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.locator; + +import java.io.IOException; +import java.net.InetAddress; +import java.net.URI; +import java.net.URISyntaxException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.Access.Level; + +public class DNSLocator implements Locator { + private static enum Status {UNTRIED, OK, INVALID, SLOW}; + private static final int CHECK_TIME = 3000; + + private String host, protocol; + private Access access; + private Host[] hosts; + private int startPort, endPort; + private String suffix; + + public DNSLocator(Access access, String protocol, String host, String range) { + this.host = host; + this.protocol = protocol; + this.access = access; + int dash = range.indexOf('-'); + if(dash<0) { + startPort = endPort = Integer.parseInt(range); + } else { + startPort = Integer.parseInt(range.substring(0,dash)); + endPort = Integer.parseInt(range.substring(dash + 1)); + } + refresh(); + } + + public DNSLocator(Access access, String aaf_locate) throws LocatorException { + this.access = access; + if(aaf_locate==null) { + throw new LocatorException("Null passed into DNSLocator constructor"); + } + int start, port; + if(aaf_locate.startsWith("https:")) { + protocol = "https:"; + start = 9; // https:// + port = 443; + } else if(aaf_locate.startsWith("http:")) { + protocol = "http:"; + start = 8; // http:// + port = 80; + } else { + throw new LocatorException("DNSLocator accepts only https or http protocols. (requested URL " + aaf_locate + ')'); + } + + int colon = aaf_locate.indexOf(':',start); + int slash; + if(colon>0) { + start = colon+1; + int left = aaf_locate.indexOf('[',start); + if(left>0) { + int right = aaf_locate.indexOf(']',left+1); + if(right>0) { + int dash = aaf_locate.indexOf('-',left+1); + if(dash<0) { + startPort = endPort = Integer.parseInt(aaf_locate.substring(left+1,right)); + } else { + startPort = Integer.parseInt(aaf_locate.substring(left+1,dash)); + endPort = Integer.parseInt(aaf_locate.substring(dash + 1,right)); + } + } + + } else { + slash = aaf_locate.indexOf('/',colon+1); + if(slash<0) { + startPort = endPort = Integer.parseInt(aaf_locate.substring(start)); + } else { + startPort = endPort = Integer.parseInt(aaf_locate.substring(start,slash)); + } + } + } else { + startPort = endPort = port; + } + } + + @Override + public URI get(Item item) throws LocatorException { + return hosts[((DLItem)item).cnt].uri; + } + + @Override + public boolean hasItems() { + for(Host h : hosts) { + if(h.status==Status.OK) { + return true; + } + } + return false; + } + + @Override + public void invalidate(Item item) { + DLItem di = (DLItem)item; + hosts[di.cnt].status = Status.INVALID; + } + + @Override + public Item best() throws LocatorException { + // not a good "best" + for(int i=0;i { + private final HX509SS ss; + + public HClientHotPeerLocator(Access access, String urlstr, long invalidateTime, String localLatitude, + String localLongitude, HX509SS ss) throws LocatorException { + super(access, urlstr, invalidateTime, localLatitude, localLongitude); + + this.ss = ss; + } + + @Override + protected HClient _newClient(String clientInfo) throws LocatorException { + try { + int idx = clientInfo.indexOf('/'); + return new HClient(ss,new URI("https://"+(idx<0?clientInfo:clientInfo.substring(0, idx))),3000); + } catch (URISyntaxException e) { + throw new LocatorException(e); + } + } + + @Override + protected HClient _invalidate(HClient client) { + return null; + } + + @Override + protected void _destroy(HClient client) { + } +} \ No newline at end of file diff --git a/cadi/client/src/main/java/org/onap/aaf/cadi/locator/HotPeerLocator.java b/cadi/client/src/main/java/org/onap/aaf/cadi/locator/HotPeerLocator.java new file mode 100644 index 00000000..17f9bafb --- /dev/null +++ b/cadi/client/src/main/java/org/onap/aaf/cadi/locator/HotPeerLocator.java @@ -0,0 +1,302 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.locator; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.routing.GreatCircle; +import org.onap.aaf.misc.env.util.Split; + +/** + * This Locator is to handle Hot Peer load protection, when the Servers are + * 1) Static + * 2) Well known client URL + * + * The intention is to change traffic over to the Hot Peer, if a server goes down, and reinstate + * when it is back up. + * + * Example of this kind of Service is a MS Certificate Server + * + * @author Jonathan + * + * @param + */ +public abstract class HotPeerLocator implements Locator { + private final String[] urlstrs; + private final CLIENT[] clients; + private final long[] failures; + private final double[] distances; + private int preferred; + private long invalidateTime; + private Thread refreshThread; + protected Access access; + + /** + * Construct: Expect one or more Strings in the form: + * 192.555.112.223:39/38.88087/-77.30122 + * separated by commas + * + * @param trans + * @param urlstr + * @param invalidateTime + * @param localLatitude + * @param localLongitude + * @throws LocatorException + */ + @SuppressWarnings("unchecked") + protected HotPeerLocator(Access access, final String urlstr, final long invalidateTime, final String localLatitude, final String localLongitude) throws LocatorException { + this.access = access; + urlstrs = Split.split(',', urlstr); + clients = (CLIENT[])new Object[urlstrs.length]; + failures = new long[urlstrs.length]; + distances= new double[urlstrs.length]; + this.invalidateTime = invalidateTime; + + double distance = Double.MAX_VALUE; + for(int i=0;iSystem.currentTimeMillis()) { + throw new LocatorException("Client requested is invalid"); + } else { + synchronized(clients) { + c = _newClient(urlstrs[hpi.idx]); + failures[hpi.idx]=0L; + } + } + } else if(failures[hpi.idx]>0){ + throw new LocatorException("Client requested is invalid"); + } + return c; + } + + public String info(Item item) { + HPItem hpi = (HPItem)item; + if(hpi!=null && hpi.idx=clients.length) { + return null; + } + return hpi; + } + + @Override + public boolean refresh() { + boolean force = !hasItems(); // If no Items at all, reset + boolean rv = true; + long now = System.currentTimeMillis(); + for(int i=0;i0L && (failures[i] { + private final URI [] orig; + private PLItem[] current; + private int end; + private final SecureRandom random; + private URI[] resolved; + private long lastRefreshed; + private long minRefresh; + private long backgroundRefresh; + + public PropertyLocator(String locList) throws LocatorException { + this(locList,10000L, 1000*60*20); // defaults, do not refresh more than once in 10 seconds, Refresh Locator every 20 mins. + } + /** + * comma delimited root url list + * + * @param locList + * @throws LocatorException + */ + public PropertyLocator(String locList, long minRefreshMillis, long backgroundRefreshMillis) throws LocatorException { + minRefresh = minRefreshMillis; + backgroundRefresh = backgroundRefreshMillis; + lastRefreshed=0L; + if(locList==null) { + throw new LocatorException("No Location List given for PropertyLocator"); + } + String[] locarray = Split.split(',',locList); + List uriList = new ArrayList(); + + random = new SecureRandom(); + + for(int i=0;i=0?locarray[i].substring(slash):""))); + } + } + } catch (NumberFormatException nf) { + throw new LocatorException("Invalid URI format: " + locarray[i]); + } catch (URISyntaxException e) { + throw new LocatorException(e); + } + } + orig = new URI[uriList.size()]; + uriList.toArray(orig); + + refresh(); + new Timer("PropertyLocator Refresh Timer",true).scheduleAtFixedRate(new TimerTask() { + @Override + public void run() { + refresh(); + } + }, backgroundRefresh,backgroundRefresh); + } + + @Override + public URI get(Item item) throws LocatorException { + synchronized(orig) { + if(item==null) { + return null; + } else { + return resolved[((PLItem)item).idx]; + } + } + } + + @Override + public Item first() throws LocatorException { + return end>0?current[0]:null; + } + + @Override + public boolean hasItems() { + return end>0; + } + + @Override + public Item next(Item item) throws LocatorException { + if(item==null) { + return null; + } else { + int spot; + if((spot=(((PLItem)item).order+1))>=end)return null; + return current[spot]; + } + } + + @Override + public synchronized void invalidate(Item item) throws LocatorException { + if(--end<=0) { + refresh(); + return; + } + if(item==null) { + return; + } + PLItem pli = (PLItem)item; + int i,order; + for(i=0;ilastRefreshed) { + // Build up list + List resolve = new ArrayList(); + String realname; + for(int i = 0; i < orig.length ; ++i) { + try { + InetAddress ia[] = InetAddress.getAllByName(orig[i].getHost()); + + URI o,n; + for(int j=0;j holder = new Holder("StringHolder"); + assertEquals(holder.get(), "StringHolder"); + + holder.set("New String"); + assertEquals(holder.get(), "New String"); + } + + @Test + public void testSet4() { + Holder holder = new Holder("StringHolder"); + assertEquals(holder.get(), "StringHolder"); + + holder.set("New String1"); + assertEquals(holder.get(), "New String1"); + } + @Test + public void testSet1() { + Holder holder = new Holder("StringHolder"); + assertEquals(holder.get(), "StringHolder"); + + holder.set("New String2"); + assertEquals(holder.get(), "New String2"); + } + + @Test + public void testSet2() { + Holder holder = new Holder("StringHolder"); + assertEquals(holder.get(), "StringHolder"); + + holder.set("New String3"); + assertEquals(holder.get(), "New String3"); + } + + @Test + public void testSet3() { + Holder holder = new Holder("StringHolder"); + assertEquals(holder.get(), "StringHolder"); + + holder.set("New String4"); + assertEquals(holder.get(), "New String4"); + } +} diff --git a/cadi/client/src/test/java/org/onap/aaf/client/test/JU_PropertyLocator.java b/cadi/client/src/test/java/org/onap/aaf/client/test/JU_PropertyLocator.java new file mode 100644 index 00000000..2b3793ca --- /dev/null +++ b/cadi/client/src/test/java/org/onap/aaf/client/test/JU_PropertyLocator.java @@ -0,0 +1,96 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.client.test; + +import java.net.URI; + +import org.junit.AfterClass; +import org.junit.Test; +import org.onap.aaf.cadi.Locator.Item; +import org.onap.aaf.cadi.locator.PropertyLocator; + +import static org.junit.Assert.*; + +public class JU_PropertyLocator { + + @AfterClass + public static void tearDownAfterClass() throws Exception { + } + + @Test + public void test() throws Exception { + PropertyLocator pl = new PropertyLocator("https://localhost:2345,https://fred.wilma.com:26444,https://tom.jerry.com:534"); + + Item i; + int count; + boolean print = false; + for(int j=0;j<900000;++j) { + count = 0; + for(i = pl.first();i!=null;i=pl.next(i)) { + URI loc = pl.get(i); + if(print)System.out.println(loc.toString()); + ++count; + } + assertEquals(3,count); + assertTrue(pl.hasItems()); + if(print)System.out.println("---"); + pl.invalidate(pl.best()); + + count = 0; + for(i = pl.first();i!=null;i=pl.next(i)) { + URI loc = pl.get(i); + if(print)System.out.println(loc.toString()); + ++count; + } + + assertEquals(2,count); + assertTrue(pl.hasItems()); + if(print)System.out.println("---"); + pl.invalidate(pl.best()); + + count = 0; + for(i = pl.first();i!=null;i=pl.next(i)) { + URI loc = pl.get(i); + if(print)System.out.println(loc.toString()); + ++count; + } + + assertEquals(1,count); + assertTrue(pl.hasItems()); + if(print)System.out.println("---"); + pl.invalidate(pl.best()); + + count = 0; + for(i = pl.first();i!=null;i=pl.next(i)) { + URI loc = pl.get(i); + if(print)System.out.println(loc.toString()); + ++count; + } + + assertEquals(0,count); + assertFalse(pl.hasItems()); + + pl.refresh(); + } + } + +} diff --git a/cadi/client/src/test/java/org/onap/aaf/client/test/JU_ResultTest.java b/cadi/client/src/test/java/org/onap/aaf/client/test/JU_ResultTest.java new file mode 100644 index 00000000..b0ac5a0c --- /dev/null +++ b/cadi/client/src/test/java/org/onap/aaf/client/test/JU_ResultTest.java @@ -0,0 +1,108 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.client.test; + +import static org.hamcrest.CoreMatchers.is; +import static org.junit.Assert.*; + +import org.junit.Before; +import org.junit.Test; +import org.onap.aaf.cadi.client.Result; + +public class JU_ResultTest { + + @Before + public void setUp() throws Exception { + } + + @Test + public void testOk() { + Result t = Result.ok(1, "Ok"); + assertNotNull(t); + assertThat(t.code, is(1)); + assertTrue(t.isOK()); + assertThat(t.toString(), is("Code: 1")); + } + + @Test + public void testErr() { + Result t = Result.err(1, "Error Body"); + assertNotNull(t); + assertThat(t.error, is("Error Body")); + assertFalse(t.isOK()); + assertThat(t.toString(), is("Code: 1 = Error Body")); + } + + @Test + public void testOk1() { + Result t = Result.ok(1, "Ok"); + assertNotNull(t); + assertThat(t.code, is(1)); + assertTrue(t.isOK()); + assertThat(t.toString(), is("Code: 1")); + } + + @Test + public void testErr1() { + Result t = Result.err(1, "Error Body"); + assertNotNull(t); + assertThat(t.error, is("Error Body")); + assertFalse(t.isOK()); + assertThat(t.toString(), is("Code: 1 = Error Body")); + } + + @Test + public void testOk2() { + Result t = Result.ok(1, "Ok"); + assertNotNull(t); + assertThat(t.code, is(1)); + assertTrue(t.isOK()); + assertThat(t.toString(), is("Code: 1")); + } + + @Test + public void testErr2() { + Result t = Result.err(1, "Error Body"); + assertNotNull(t); + assertThat(t.error, is("Error Body")); + assertFalse(t.isOK()); + assertThat(t.toString(), is("Code: 1 = Error Body")); + } + + @Test + public void testOk3() { + Result t = Result.ok(1, "Ok"); + assertNotNull(t); + assertThat(t.code, is(1)); + assertTrue(t.isOK()); + assertThat(t.toString(), is("Code: 1")); + } + + @Test + public void testErr3() { + Result t = Result.err(1, "Error Body"); + assertNotNull(t); + assertThat(t.error, is("Error Body")); + assertFalse(t.isOK()); + assertThat(t.toString(), is("Code: 1 = Error Body")); + } +} diff --git a/cadi/client/src/test/java/org/onap/aaf/client/test/JU_TestAccess.java b/cadi/client/src/test/java/org/onap/aaf/client/test/JU_TestAccess.java new file mode 100644 index 00000000..7c65fd0c --- /dev/null +++ b/cadi/client/src/test/java/org/onap/aaf/client/test/JU_TestAccess.java @@ -0,0 +1,98 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.client.test; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Properties; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Symm; + +// TODO: Ian [JUnit] JU_TestAccess isn't implementing all abstract methdods of Access +public class JU_TestAccess implements Access { + private Symm symm; + + public JU_TestAccess() throws CadiException { + symm = Symm.obtain(this); + } + + public void log(Level level, Object... elements) { + boolean first = true; + for(int i=0;i + + cadi_core + + + + + + org.eclipse.jdt.core.javabuilder + + + + + org.eclipse.m2e.core.maven2Builder + + + + + + org.eclipse.jdt.core.javanature + org.eclipse.m2e.core.maven2Nature + + diff --git a/cadi/core/conf/.gitignore b/cadi/core/conf/.gitignore new file mode 100644 index 00000000..06efae87 --- /dev/null +++ b/cadi/core/conf/.gitignore @@ -0,0 +1 @@ +/keyfile diff --git a/cadi/core/conf/cadi.properties b/cadi/core/conf/cadi.properties new file mode 100644 index 00000000..09c79254 --- /dev/null +++ b/cadi/core/conf/cadi.properties @@ -0,0 +1,34 @@ +# This is a normal Java Properties File +# Comments are with Pound Signs at beginning of lines, +# and multi-line expression of properties can be obtained by backslash at end of line + +# Certain machines have several possible machine names, and +# the right one may not be reported. This is especially +# important for CSP Authorization, which will only +# function on official AT&T domains. +hostname=veeger.mo.sbc.com + +port=2533 + +# CSP has Production mode (active users) or DEVL mode (for +# Testing purposes... Bogus users) +#csp_domain=DEVL +csp_domain=PROD + +# Report all AUTHN and AUTHZ activity +loglevel=AUDIT + +# +# BasicAuth and other User/Password support +# +# The realm reported on BasicAuth callbacks +basic_realm=spiderman.agile.att.com +users=ks%xiVUs_25_1jqGdJ24hqy43Gi; +groups=aaf:Jd8bb3jslg88b@spiderman.agile.att.com%7sZCPBZ_8iWbslqdjWFIDLgTZlm9ung0ym-G,\ + jg1555,lg2384,rd8227,tp007s,pe3617; + + +# Keyfile (with relative path) for encryption. This file +# should be marked as ReadOnly by Only the running process +# for security's sake +keyfile=conf/keyfile diff --git a/cadi/core/pom.xml b/cadi/core/pom.xml new file mode 100644 index 00000000..1e8ea1c9 --- /dev/null +++ b/cadi/core/pom.xml @@ -0,0 +1,95 @@ + + + + org.onap.aaf.cadi + parent + .. + 1.5.0-SNAPSHOT + + + 4.0.0 + AAF CADI Core Framework + aaf-cadi-core + jar + + + + Jonathan Gathman + jonathan.gathman@att.com + ATT + + Architect + Lead Developer + + + + Gabe Maurer + gabe.maurer@att.com + ATT + + Developer + + + + Ian Howell + ian.howell@att.com + ATT + + Developer + + + + + + javax.servlet + javax.servlet-api + provided + + + + + + + org.apache.maven.plugins + maven-jarsigner-plugin + + + org.apache.maven.plugins + maven-jar-plugin + + + + org.onap.aaf.cadi.CmdLine + + + true + + + + + + test-jar + package + + test-jar + + + + + + + + diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/AES.java b/cadi/core/src/main/java/org/onap/aaf/cadi/AES.java new file mode 100644 index 00000000..3ef3355a --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/AES.java @@ -0,0 +1,131 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.KeyGenerator; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; + +import org.onap.aaf.cadi.Symm.Encryption; +import org.onap.aaf.cadi.util.Chmod; + + +/** + * AES Class wraps Cipher AES, 128 + * NOTE: While not explicitly stated in JavaDocs, Ciphers AND SecretKeySpecs are NOT ThreadSafe + * Ciphers take time to create, therefore, we have pooled them. + * + * @author Jonathan + * + */ +public class AES implements Encryption { + public static final String AES = AES.class.getSimpleName(); + public static final int AES_KEY_SIZE = 128; // 256 isn't supported on all JDKs. + + private SecretKeySpec aeskeySpec; + + public static SecretKey newKey() throws NoSuchAlgorithmException { + KeyGenerator kgen = KeyGenerator.getInstance(AES); + kgen.init(AES_KEY_SIZE); + return kgen.generateKey(); + } + + public AES(byte[] aeskey, int offset, int len) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException { + aeskeySpec = new SecretKeySpec(aeskey,offset,len,AES); + } + + public byte[] encrypt(byte[] in) throws CadiException { + try { + Cipher c = Cipher.getInstance(AES); + c.init(Cipher.ENCRYPT_MODE,aeskeySpec); + return c.doFinal(in); + } catch (InvalidKeyException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | NoSuchPaddingException e) { + throw new CadiException(e); + } + } + + public byte[] decrypt(byte[] in) throws CadiException { + try { + Cipher c = Cipher.getInstance(AES); + c.init(Cipher.DECRYPT_MODE,aeskeySpec); + return c.doFinal(in); + } catch (InvalidKeyException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | NoSuchPaddingException e) { + throw new CadiException(e); + } + } + + public void save(File keyfile) throws IOException { + FileOutputStream fis = new FileOutputStream(keyfile); + try { + fis.write(aeskeySpec.getEncoded()); + } finally { + fis.close(); + } + Chmod.to400.chmod(keyfile); + } + + public CipherOutputStream outputStream(OutputStream os, boolean encrypt) { + try { + Cipher c = Cipher.getInstance(AES); + if(encrypt) { + c.init(Cipher.ENCRYPT_MODE,aeskeySpec); + } else { + c.init(Cipher.DECRYPT_MODE,aeskeySpec); + } + return new CipherOutputStream(os,c); + } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) { + // Cannot add Exception to this API. throw Runtime + System.err.println("Error creating Aes CipherOutputStream"); + return null; // should never get here. + } + } + + public CipherInputStream inputStream(InputStream is, boolean encrypt) { + try { + Cipher c = Cipher.getInstance(AES); + if(encrypt) { + c.init(Cipher.ENCRYPT_MODE,aeskeySpec); + } else { + c.init(Cipher.DECRYPT_MODE,aeskeySpec); + } + return new CipherInputStream(is,c); + } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) { + // Cannot add Exception to this API. throw Runtime + System.err.println("Error creating Aes CipherInputStream"); + return null; // should never get here. + } + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java b/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java new file mode 100644 index 00000000..be1e739b --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java @@ -0,0 +1,463 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.security.Principal; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.Timer; +import java.util.TimerTask; +import java.util.TreeMap; +import java.util.concurrent.ConcurrentHashMap; + +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.principal.CachedBasicPrincipal; + +/** + * Implement Fast lookup and Cache for Local User Info + * + * Include ability to add and remove Users + * + * Also includes a Timer Thread (when necessary) to invoke cleanup on expiring Credentials + * + * @author Jonathan + * + */ +public abstract class AbsUserCache { + // Need an obvious key for when there is no Authentication Cred + private static final String NO_CRED = "NoCred"; + static final int MIN_INTERVAL = 1000*60; // Min 1 min + static final int MAX_INTERVAL = 1000*60*60*4; // 4 hour max + private static Timer timer; + // Map of userName to User + private final Map> userMap; + private static final Map missMap = new TreeMap(); + private final Symm missEncrypt; + + private Clean clean; + protected Access access; +// private final static Permission teaser = new LocalPermission("***NoPERM****"); + + protected AbsUserCache(Access access, long cleanInterval, int highCount, int usageCount) { + this.access = access; + Symm s; + try { + byte[] gennedKey = Symm.keygen(); + s = Symm.obtain(new ByteArrayInputStream(gennedKey)); + } catch (IOException e) { + access.log(e); + s = Symm.base64noSplit; + } + missEncrypt = s; + + userMap = new ConcurrentHashMap>(); + + + if(cleanInterval>0) { + cleanInterval = Math.max(MIN_INTERVAL, cleanInterval); + synchronized(AbsUserCache.class) { // Lazy instantiate.. in case there is no cleanup needed + if(timer==null) { + timer = new Timer("CADI Cleanup Timer",true); + } + + timer.schedule(clean = new Clean(access, cleanInterval, highCount, usageCount), cleanInterval, cleanInterval); + access.log(Access.Level.INIT, "Cleaning Thread initialized with interval of",cleanInterval, "ms and max objects of", highCount); + } + } + } + + @SuppressWarnings("unchecked") + public AbsUserCache(AbsUserCache cache) { + this.access = cache.access; + userMap = cache.userMap; + missEncrypt = cache.missEncrypt; + + synchronized(AbsUserCache.class) { + if(cache.clean!=null && cache.clean.lur==null && this instanceof CachingLur) { + cache.clean.lur=(CachingLur)this; + } + } + } + + protected void setLur(CachingLur lur) { + if(clean!=null)clean.lur = lur; + + } + + protected void addUser(User user) { + Principal p = user.principal; + String key; + try { + if(p instanceof GetCred) { + key = missKey(p.getName(), ((GetCred)p).getCred()); + } else { + byte[] cred; + if((cred=user.getCred())==null) { + key = user.name + NO_CRED; + } else { + key = missKey(user.name,cred); + } + } + } catch (IOException e) { + access.log(e); + return; + } + userMap.put(key, user); + } + + // Useful for looking up by WebToken, etc. + protected void addUser(String key, User user) { + userMap.put(key, user); + } + + /** + * Add miss to missMap. If Miss exists, or too many tries, returns false. + * + * otherwise, returns true to allow another attempt. + * + * @param key + * @param bs + * @return + * @throws IOException + */ + protected synchronized boolean addMiss(String key, byte[] bs) { + String mkey; + try { + mkey = missKey(key,bs); + } catch (IOException e) { + access.log(e); + return false; + } + Miss miss = missMap.get(mkey); + if(miss==null) { + missMap.put(mkey, new Miss(bs,clean==null?MIN_INTERVAL:clean.timeInterval)); + return true; + } + return miss.mayContinue(); + } + + protected Miss missed(String key, byte[] bs) throws IOException { + return missMap.get(missKey(key,bs)); + } + + protected User getUser(Principal principal) { + String key; + if(principal instanceof GetCred) { + GetCred gc = (GetCred)principal; + try { + key = missKey(principal.getName(), gc.getCred()); + } catch (IOException e) { + access.log(e, "Error getting key from Principal"); + key = principal.getName(); + } + } else { + key = principal.getName()+NO_CRED; + } + User u = userMap.get(key); + if(u!=null) { + u.incCount(); + } + return u; + } + + protected User getUser(CachedBasicPrincipal cbp) { + return getUser(cbp.getName(), cbp.getCred()); + } + + protected User getUser(String user, byte[] cred) { + User u; + String key=null; + try { + key =missKey(user,cred); + } catch (IOException e) { + access.log(e); + return null; + } + u = userMap.get(key); + if(u!=null) { + if(u.permExpired()) { + userMap.remove(key); + u=null; + } else { + u.incCount(); + } + } + return u; + } + + /** + * Removes User from the Cache + * @param user + */ + protected void remove(User user) { + userMap.remove(user.principal.getName()); + } + + /** + * Removes user from the Cache + * + * @param user + */ + public void remove(String user) { + Object o = userMap.remove(user); + if(o!=null) { + access.log(Level.INFO, user,"removed from Client Cache by Request"); + } + } + + /** + * Clear all Users from the Client Cache + */ + public void clearAll() { + userMap.clear(); + } + + public final List dumpInfo() { + List rv = new ArrayList(); + for(User user : userMap.values()) { + rv.add(new DumpInfo(user)); + } + return rv; + } + + /** + * The default behavior of a LUR is to not handle something exclusively. + */ + public boolean handlesExclusively(Permission pond) { + return false; + } + + /** + * Container calls when cleaning up... + * + * If overloading in Derived class, be sure to call "super.destroy()" + */ + public void destroy() { + if(timer!=null) { + timer.purge(); + timer.cancel(); + } + } + + + + // Simple map of Group name to a set of User Names + // private Map> groupMap = new HashMap>(); + + /** + * Class to hold a small subset of the data, because we don't want to expose actual Permission or User Objects + */ + public final class DumpInfo { + public String user; + public List perms; + + public DumpInfo(User user) { + this.user = user.principal.getName(); + perms = new ArrayList(user.perms.keySet()); + } + } + + /** + * Clean will examine resources, and remove those that have expired. + * + * If "highs" have been exceeded, then we'll expire 10% more the next time. This will adjust after each run + * without checking contents more than once, making a good average "high" in the minimum speed. + * + * @author Jonathan + * + */ + private final class Clean extends TimerTask { + private final Access access; + private CachingLur lur; + + // The idea here is to not be too restrictive on a high, but to Expire more items by + // shortening the time to expire. This is done by judiciously incrementing "advance" + // when the "highs" are exceeded. This effectively reduces numbers of cached items quickly. + private final int high; + private long advance; + private final long timeInterval; + private final int usageTriggerCount; + + public Clean(Access access, long cleanInterval, int highCount, int usageTriggerCount) { + this.access = access; + lur = null; + high = highCount; + timeInterval = cleanInterval; + advance = 0; + this.usageTriggerCount=usageTriggerCount; + } + public void run() { + int renewed = 0; + int count = 0; + int total = 0; + try { + // look at now. If we need to expire more by increasing "now" by "advance" + ArrayList> al = new ArrayList>(userMap.values().size()); + al.addAll(0, userMap.values()); + long now = System.currentTimeMillis() + advance; + for(User user : al) { + ++total; + if(user.count>usageTriggerCount) { + // access.log(Level.AUDIT, "Checking Thread", new Date(now)); + boolean touched = false, removed=false; + if(user.principal instanceof CachedPrincipal) { + CachedPrincipal cp = (CachedPrincipal)user.principal; + if(cp.expires() < now) { + switch(cp.revalidate(null)) { + case INACCESSIBLE: + access.log(Level.AUDIT, "AAF Inaccessible. Keeping credentials"); + break; + case REVALIDATED: + user.resetCount(); + // access.log(Level.AUDIT, "CACHE revalidated credentials"); + touched = true; + break; + default: + user.resetCount(); + remove(user); + ++count; + removed = true; + break; + } + } + } + + // access.log(Level.AUDIT, "User Perm Expires", new Date(user.permExpires)); + if(!removed && lur!=null && user.permExpires<= now ) { + // access.log(Level.AUDIT, "Reloading"); + if(lur.reload(user).equals(Resp.REVALIDATED)) { + user.renewPerm(); + access.log(Level.DEBUG, "Reloaded Perms for",user); + touched = true; + } + } + user.resetCount(); + if(touched) { + ++renewed; + } + + } else { + if(user.permExpired()) { + remove(user); + ++count; + } + } + } + + // Clean out Misses + int missTotal = missMap.keySet().size(); + int miss = 0; + if(missTotal>0) { + ArrayList keys = new ArrayList(missTotal); + keys.addAll(missMap.keySet()); + for(String key : keys) { + Miss m = missMap.get(key); + if(m!=null && m.timestamp0) { + access.log(Level.INFO, (lur==null?"Cache":lur.getClass().getSimpleName()), "removed",count, + "and renewed",renewed,"expired Permissions out of", total,"and removed", miss, "password misses out of",missTotal); + } + + // If High (total) is reached during this period, increase the number of expired services removed for next time. + // There's no point doing it again here, as there should have been cleaned items. + if(total>high) { + // advance cleanup by 10%, without getting greater than timeInterval. + advance = Math.min(timeInterval, advance+(timeInterval/10)); + } else { + // reduce advance by 10%, without getting lower than 0. + advance = Math.max(0, advance-(timeInterval/10)); + } + } catch (Exception e) { + access.log(Level.ERROR,e.getMessage()); + } + } + } + + + private String missKey(String name, byte[] bs) throws IOException { + return name + Hash.toHex(missEncrypt.encode(bs)); + } + + protected static class Miss { + private static final int MAX_TRIES = 3; + + long timestamp; + + private long timetolive; + + private long tries; + + public Miss(byte[] first, long timeInterval) { + timestamp = System.currentTimeMillis() + timeInterval; + this.timetolive = timeInterval; + tries = 0L; + } + + + public synchronized boolean mayContinue() { + long ts = System.currentTimeMillis(); + if(ts>timestamp) { + tries = 0; + timestamp = ts + timetolive; + } else if(MAX_TRIES <= ++tries) { + return false; + } + return true; + } + } + + /** + * Report on state + */ + public String toString() { + return getClass().getSimpleName() + + " Cache:\n Users Cached: " + + userMap.size() + + "\n Misses Saved: " + + missMap.size() + + '\n'; + + } + + public void clear(Principal p, StringBuilder sb) { + sb.append(toString()); + userMap.clear(); + missMap.clear(); + access.log(Level.AUDIT, p.getName(),"has cleared User Cache in",getClass().getSimpleName()); + sb.append("Now cleared\n"); + } + +} \ No newline at end of file diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Access.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Access.java new file mode 100644 index 00000000..7a9e63be --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Access.java @@ -0,0 +1,180 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Properties; + +/** + * Various Environments require different logging mechanisms, or at least allow + * for different ones. We need the Framework to be able to hook into any particular instance of logging + * mechanism, whether it be a Logging Object within a Servlet Context, or a direct library like log4j. + * This interface, therefore, allows maximum pluggability in a variety of different app styles. + * + * @author Jonathan + * + */ +public interface Access { + // levels to use + public enum Level { + DEBUG(0x1), INFO(0x10), AUDIT(0x100), WARN(0x2000), ERROR(0x4000), INIT(0x8000),NONE(0XFFFF); + private final int bit; + + Level(int ord) { + bit = ord; + } + + public boolean inMask(int mask) { + return (mask & bit) == bit; + } + + public int addToMask(int mask) { + return mask | bit; + } + + public int delFromMask(int mask) { + return mask & ~bit; + } + + public int toggle(int mask) { + if(inMask(mask)) { + return delFromMask(mask); + } else { + return addToMask(mask); + } + } + + + public int maskOf() { + int mask=0; + for(Level l : values()) { + if(ordinal()<=l.ordinal() && l!=NONE) { + mask|=l.bit; + } + } + return mask; + } + } + + /** + * Write a variable list of Object's text via the toString() method with appropriate space, etc. + * @param elements + */ + public void log(Level level, Object ... elements); + + /** + * Printf mechanism for Access + * @param level + * @param fmt + * @param elements + */ + public void printf(Level level, String fmt, Object ... elements); + + /** + * Check if message will log before constructing + * @param level + * @return + */ + public boolean willLog(Level level); + + /** + * Write the contents of an exception, followed by a variable list of Object's text via the + * toString() method with appropriate space, etc. + * + * The Loglevel is always "ERROR" + * + * @param elements + */ + public void log(Exception e, Object ... elements); + + /** + * Set the Level to compare logging too + */ + public void setLogLevel(Level level); + + /** + * It is important in some cases to create a class from within the same Classloader that created + * Security Objects. Specifically, it's pretty typical for Web Containers to separate classloaders + * so as to allow Apps with different dependencies. + * @return + */ + public ClassLoader classLoader(); + + public String getProperty(String string, String def); + + public Properties getProperties(); + + public void load(InputStream is) throws IOException; + + /** + * if "anytext" is true, then decryption will always be attempted. Otherwise, only if starts with + * Symm.ENC + * @param encrypted + * @param anytext + * @return + * @throws IOException + */ + public String decrypt(String encrypted, boolean anytext) throws IOException; + + public static final Access NULL = new Access() { + public void log(Level level, Object... elements) { + } + + @Override + public void printf(Level level, String fmt, Object... elements) { + } + + public void log(Exception e, Object... elements) { + } + + public ClassLoader classLoader() { + return ClassLoader.getSystemClassLoader(); + } + + public String getProperty(String string, String def) { + return null; + } + + public void load(InputStream is) throws IOException { + } + + public void setLogLevel(Level level) { + } + + public String decrypt(String encrypted, boolean anytext) throws IOException { + return encrypted; + } + + @Override + public boolean willLog(Level level) { + return false; + } + + @Override + public Properties getProperties() { + return new Properties(); + } + }; + + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/BasicCred.java b/cadi/core/src/main/java/org/onap/aaf/cadi/BasicCred.java new file mode 100644 index 00000000..b80cda89 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/BasicCred.java @@ -0,0 +1,36 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +/** + * An Interface for testing on Requests to see if we can get a User and Password + * It works for CadiWrap, but also, Container Specific Wraps (aka Tomcat) should also + * implement. + * + * @author Jonathan + * + */ +public interface BasicCred extends GetCred { + public void setUser(String user); + public void setCred(byte[] passwd); + public String getUser(); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java b/cadi/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java new file mode 100644 index 00000000..2df01cda --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java @@ -0,0 +1,200 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.io.IOException; +import java.io.InputStream; + +import javax.servlet.ServletInputStream; + +/** + * BufferedServletInputStream + * + * There are cases in brain-dead middleware (SOAP) where they store routing information in the content. + * + * In HTTP, this requires reading the content from the InputStream which, of course, cannot be re-read. + * + * BufferedInputStream exists to implement the "Mark" protocols for Streaming, which will enable being + * re-read. Unfortunately, J2EE chose to require a "ServletInputStream" as an abstract class, rather than + * an interface, which requires we create a delegating pattern, rather than the preferred inheriting pattern. + * + * Unfortunately, the standard "BufferedInputStream" cannot be used, because it simply creates a byte array + * in the "mark(int)" method of that size. This is not appropriate for this application, because the Header + * can be potentially huge, and if a buffer was allocated to accommodate all possibilities, the cost of memory + * allocation would be too large for high performance transactions. + * + * + * @author Jonathan + * + */ +public class BufferedServletInputStream extends ServletInputStream { + private static final int NONE = 0; + private static final int STORE = 1; + private static final int READ = 2; + + private InputStream is; + private int state = NONE; + private Capacitor capacitor; + + public BufferedServletInputStream(InputStream is) { + this.is = is; + capacitor = null; + } + + + public int read() throws IOException { + int value=-1; + if(capacitor==null) { + value=is.read(); + } else { + switch(state) { + case STORE: + value = is.read(); + if(value>=0) { + capacitor.put((byte)value); + } + break; + case READ: + value = capacitor.read(); + if(value<0) { + capacitor.done(); + capacitor=null; // all done with buffer + value = is.read(); + } + } + } + return value; + } + + public int read(byte[] b) throws IOException { + return read(b,0,b.length); + } + + + public int read(byte[] b, int off, int len) throws IOException { + int count = -1; + if(capacitor==null) { + count = is.read(b,off,len); + } else { + switch(state) { + case STORE: + count = is.read(b, off, len); + if(count>0) { + capacitor.put(b, off, count); + } + break; + case READ: + count = capacitor.read(b, off, len); + if(count<=0) { + capacitor.done(); + capacitor=null; // all done with buffer + } + if(count0) { // watch for -1 + count+=temp; + } else if(count<=0) { + count = temp; // must account for Stream coming back -1 + } + } + break; + } + } + return count; + } + + public long skip(long n) throws IOException { + long skipped = capacitor.skip(n); + if(skipped extends Lur { + public abstract void remove(String user); + public abstract Resp reload(User user); + public abstract void setDebug(String commaDelimIDsOrNull); + public abstract void clear(Principal p, StringBuilder sb); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CadiException.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiException.java new file mode 100644 index 00000000..0f250b36 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiException.java @@ -0,0 +1,50 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +/** + * CADI Specific Exception + * @author Jonathan + */ +public class CadiException extends Exception { + /** + * Generated ID + */ + private static final long serialVersionUID = -4180145363107742619L; + + public CadiException() { + super(); + } + + public CadiException(String message) { + super(message); + } + + public CadiException(Throwable cause) { + super(cause); + } + + public CadiException(String message, Throwable cause) { + super(message, cause); + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java new file mode 100644 index 00000000..49572f4c --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java @@ -0,0 +1,198 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.security.Principal; +import java.util.ArrayList; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletRequestWrapper; + +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.filter.NullPermConverter; +import org.onap.aaf.cadi.filter.PermConverter; +import org.onap.aaf.cadi.lur.EpiLur; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.taf.TafResp; + + + +/** + * Inherit the HttpServletRequestWrapper, which calls methods of delegate it's created with, but + * overload the key security mechanisms with CADI mechanisms + * + * This works with mechanisms working strictly with HttpServletRequest (i.e. Servlet Filters) + * + * Specialty cases, i.e. Tomcat, which for their containers utilize their own mechanisms and Wrappers, you may + * need something similar. See AppServer specific code (i.e. tomcat) for these. + * + * @author Jonathan + * + */ +public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred { + private TaggedPrincipal principal; + private Lur lur; + private String user; // used to set user/pass from brain-dead protocols like WSSE + private byte[] password; + private PermConverter pconv; + private Access access; + + /** + * Standard Wrapper constructor for Delegate pattern + * @param request + */ + public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) { + super(request); + principal = tafResp.getPrincipal(); + access = tafResp.getAccess(); + this.lur = lur; + pconv = NullPermConverter.singleton(); + } + + /** + * Standard Wrapper constructor for Delegate pattern, with PermConverter + * @param request + */ + public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) { + super(request); + principal = tafResp.getPrincipal(); + access = tafResp.getAccess(); + this.lur = lur; + pconv = pc; + } + + + /** + * Part of the HTTP Security API. Declare the User associated with this HTTP Transaction. + * CADI does this by reporting the name associated with the Principal obtained, if any. + */ + @Override + public String getRemoteUser() { + return principal==null?null:principal.getName(); + } + + /** + * Part of the HTTP Security API. Return the User Principal associated with this HTTP + * Transaction. + */ + @Override + public Principal getUserPrincipal() { + return principal; + } + + /** + * This is the key API call for AUTHZ in J2EE. Given a Role (String passed in), is the user + * associated with this HTTP Transaction allowed to function in this Role? + * + * For CADI, we pass the responsibility for determining this to the "LUR", which may be + * determined by the Enterprise. + * + * Note: Role check is also done in "CadiRealm" in certain cases... + * + * + */ + @Override + public boolean isUserInRole(String perm) { + return perm==null?false:checkPerm(access,"(HttpRequest)",principal,pconv,lur,perm); + } + + public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) { + if(principal== null) { + access.log(Level.AUDIT,caller, "No Principal in Transaction"); + return false; + } else { + perm = pconv.convert(perm); + if(lur.fish(principal,lur.createPerm(perm))) { + access.log(Level.DEBUG,caller, principal.getName(), "has", perm); + return true; + } else { + access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm); + return false; + } + } + + } + + /** + * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc + * as implemented with lur.fishAll + * + * To utilize, the Request must be a "CadiWrap" object, then call. + */ + public List getPermissions(Principal p) { + List perms = new ArrayList(); + lur.fishAll(p, perms); + return perms; + } + /** + * Allow setting of tafResp and lur after construction + * + * This can happen if the CadiWrap is constructed in a Valve other than CadiValve + */ + public void set(TafResp tafResp, Lur lur) { + principal = tafResp.getPrincipal(); + access = tafResp.getAccess(); + this.lur = lur; + } + + public String getUser() { + if(user==null && principal!=null) { + user = principal.getName(); + } + return user; + } + + public byte[] getCred() { + return password; + } + + public void setUser(String user) { + this.user = user; + } + + public void setCred(byte[] passwd) { + password = passwd; + } + + public CadiWrap setPermConverter(PermConverter pc) { + pconv = pc; + return this; + } + + // Add a feature + public void invalidate(String id) { + if(lur instanceof EpiLur) { + ((EpiLur)lur).remove(id); + } else if(lur instanceof CachingLur) { + ((CachingLur)lur).remove(id); + } + } + + public Lur getLur() { + return lur; + } + + public Access access() { + return access; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Capacitor.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Capacitor.java new file mode 100644 index 00000000..00383851 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Capacitor.java @@ -0,0 +1,241 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.nio.ByteBuffer; +import java.util.ArrayList; + +/** + * Capacitor + * + * Storage mechanism for read data, specifically designed for InputStreams. + * + * The Standard BufferedInputStream requires a limit to be set for buffered reading, which is + * impractical for reading SOAP headers, which can be quite large. + * @author Jonathan + * + */ +public class Capacitor { + private static final int DEFAULT_CHUNK = 256; + private ArrayList bbs = new ArrayList(); + private ByteBuffer curr = null; + private int idx; + + // Maintain a private RingBuffer for Memory, for efficiency + private static ByteBuffer[] ring = new ByteBuffer[16]; + private static int start, end; + + + public void put(byte b) { + if(curr == null || curr.remaining()==0) { // ensure we have a "curr" buffer ready for data + curr = ringGet(); + bbs.add(curr); + } + curr.put(b); + } + + public int read() { + if(curr!=null) { + if(curr.remaining()>0) { // have a buffer, use it! + return curr.get(); + } else if(idx0) { // loop through while there's data needed + if((len=curr.remaining())>length) { // if enough data in curr buffer, use this code + curr.get(array,offset,length); + count+=length; + length=0; + } else { // get data from curr, mark how much is needed to fulfil, and loop for next curr. + curr.get(array,offset,len); + count+=len; + offset+=len; + length-=len; + if(idx0) { + if((len=curr.remaining())>length) { + curr.put(array,offset,length); + length=0; + } else { +// System.out.println(new String(array)); + curr.put(array,offset,len); + length-=len; + offset+=len; + curr = ringGet(); + bbs.add(curr); + } + } + } + + /** + * Move state from Storage mode into Read mode, changing all internal buffers to read mode, etc + */ + public void setForRead() { + for(ByteBuffer bb : bbs) { + bb.flip(); + } + if(bbs.isEmpty()) { + curr = null; + idx = 0; + } else { + curr=bbs.get(0); + idx=1; + } + } + + /** + * reuse all the buffers + */ + public void done() { + for(ByteBuffer bb : bbs) { + ringPut(bb); + } + bbs.clear(); + curr = null; + } + + /** + * Declare amount of data available to be read at once. + * + * @return + */ + public int available() { + int count = 0; + for(ByteBuffer bb : bbs) { + count+=bb.remaining(); + } + return count; + } + + /** + * Returns how many are left that were not skipped + * @param n + * @return + */ + public long skip(long n) { + long skipped=0L; + int skip; + if(curr==null) { + return 0; + } + while(n>0) { + if(n<(skip=curr.remaining())) { + curr.position(curr.position()+(int)n); + skipped+=skip; + n=0; + } else { + curr.position(curr.limit()); + + skipped-=skip; + if(idx 0 ? skipped : 0; + } + /** + * Be able to re-read data that is stored that has already been re-read. This is not a standard Stream behavior, but can be useful + * in a standalone mode. + */ + public void reset() { + for(ByteBuffer bb : bbs) { + bb.position(0); + } + if(bbs.isEmpty()) { + curr = null; + idx = 0; + } else { + curr=bbs.get(0); + idx=1; + } + } + + /* + * Ring Functions. Reuse allocated memory + */ + private ByteBuffer ringGet() { + ByteBuffer bb = null; + synchronized(ring) { + bb=ring[start]; + ring[start]=null; + if(bb!=null && ++start>15)start=0; + } + if(bb==null) { + bb=ByteBuffer.allocate(DEFAULT_CHUNK); + } else { + bb.clear();// refresh reused buffer + } + return bb; + } + + private void ringPut(ByteBuffer bb) { + synchronized(ring) { + ring[end]=bb; // if null or not, BB will just be Garbage collected + if(++end>15)end=0; + } + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java new file mode 100644 index 00000000..90f14405 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CmdLine.java @@ -0,0 +1,361 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.io.BufferedReader; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.FileReader; +import java.io.IOException; +import java.io.InputStreamReader; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.security.NoSuchAlgorithmException; + +import org.onap.aaf.cadi.util.Chmod; +import org.onap.aaf.cadi.util.JsonOutputStream; + + + +/** + * A Class to run on command line to determine suitability of environment for certain TAFs. + * + * For instance, CSP supports services only in certain domains, and while dynamic host + * lookups on the machine work in most cases, sometimes, names and IPs are unexpected (and + * invalid) for CSP because of multiple NetworkInterfaces, etc + * + * @author Jonathan + * + */ +public class CmdLine { + + public static Access access; + + /** + * @param args + */ + public static void main(String[] args) { + if(args.length>0) { + if("digest".equalsIgnoreCase(args[0]) && (args.length>2 || (args.length>1 && System.console()!=null))) { + String keyfile; + String password; + if(args.length>2) { + password = args[1]; + keyfile = args[2]; + if("-i".equals(password)) { + int c; + StringBuilder sb = new StringBuilder(); + try { + while((c=System.in.read())>=0) { + sb.append((char)c); + } + } catch (IOException e) { + e.printStackTrace(); + } + password = sb.toString(); + } + } else { + keyfile = args[1]; + password = new String(System.console().readPassword("Type here (keystrokes hidden): ")); + } + + try { + Symm symm; + FileInputStream fis = new FileInputStream(keyfile); + try { + symm = Symm.obtain(fis); + } finally { + fis.close(); + } + symm.enpass(password, System.out); + System.out.println(); + System.out.flush(); + return; + /* testing code... don't want it exposed + System.out.println(" ******** Testing *********"); + for(int i=0;i<100000;++i) { + System.out.println(args[1]); + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + b64.enpass(args[1], baos); + String pass; + System.out.println(pass=new String(baos.toByteArray())); + ByteArrayOutputStream reconstituted = new ByteArrayOutputStream(); + b64.depass(pass, reconstituted); + String r = reconstituted.toString(); + System.out.println(r); + if(!r.equals(args[1])) { + System.err.println("!!!!! STOP - ERROR !!!!!"); + return; + } + System.out.println(); + } + System.out.flush(); + */ + + } catch (IOException e) { + System.err.println("Cannot digest password"); + System.err.println(" \""+ e.getMessage() + '"'); + } +// DO NOT LEAVE THIS METHOD Compiled IN CODE... Do not want looking at passwords on disk too easy +// Jonathan. Oh, well, Deployment services need this behavior. I will put this code in, but leave it undocumented. +// One still needs access to the keyfile to read. +// July 2016 - thought of a tool "CMPass" to regurgitate from properties, but only if allowed. + } else if("regurgitate".equalsIgnoreCase(args[0]) && args.length>2) { + try { + Symm symm; + FileInputStream fis = new FileInputStream(args[2]); + try { + symm = Symm.obtain(fis); + } finally { + fis.close(); + } + boolean isFile = false; + if("-i".equals(args[1]) || (isFile="-f".equals(args[1]))) { + BufferedReader br; + if(isFile) { + if(args.length<4) { + System.err.println("Filename in 4th position"); + return; + } + br = new BufferedReader(new FileReader(args[3])); + } else { + br = new BufferedReader(new InputStreamReader(System.in)); + } + try { + String line; + boolean cont = false; + StringBuffer sb = new StringBuffer(); + JsonOutputStream jw = new JsonOutputStream(System.out); + while((line=br.readLine())!=null) { + if(cont) { + int end; + if((end=line.indexOf('"'))>=0) { + sb.append(line,0,end); + cont=false; + } else { + sb.append(line); + } + } else { + int idx; + if((idx = line.indexOf(' '))>=0 + && (idx = line.indexOf(' ',++idx))>0 + && (idx = line.indexOf('=',++idx))>0 + && (idx = line.indexOf('=',++idx))>0 + ) { + System.out.println(line.substring(0, idx-5)); + int start = idx+2; + int end; + if((end=line.indexOf('"',start))<0) { + end = line.length(); + cont = true; + } + sb.append(line,start,end); + } + } + if(sb.length()>0) { + symm.depass(sb.toString(),jw); + if(!cont) { + System.out.println(); + } + } + System.out.flush(); + sb.setLength(0); + if(!cont) { + jw.resetIndent(); + } + } + } finally { + if(isFile) { + br.close(); + } + } + } else { + symm.depass(args[1], System.out); + } + System.out.println(); + System.out.flush(); + return; + } catch (IOException e) { + System.err.println("Cannot regurgitate password"); + System.err.println(" \""+ e.getMessage() + '"'); + } + } else if("encode64".equalsIgnoreCase(args[0]) && args.length>1) { + try { + Symm.base64.encode(args[1], System.out); + System.out.println(); + System.out.flush(); + return; + } catch (IOException e) { + System.err.println("Cannot encode Base64 with " + args[1]); + System.err.println(" \""+ e.getMessage() + '"'); + } + } else if("decode64".equalsIgnoreCase(args[0]) && args.length>1) { + try { + Symm.base64.decode(args[1], System.out); + System.out.println(); + System.out.flush(); + return; + } catch (IOException e) { + System.err.println("Cannot decode Base64 text from " + args[1]); + System.err.println(" \""+ e.getMessage() + '"'); + } + } else if("encode64url".equalsIgnoreCase(args[0]) && args.length>1) { + try { + Symm.base64url.encode(args[1], System.out); + System.out.println(); + System.out.flush(); + return; + } catch (IOException e) { + System.err.println("Cannot encode Base64url with " + args[1]); + System.err.println(" \""+ e.getMessage() + '"'); + } + } else if("decode64url".equalsIgnoreCase(args[0]) && args.length>1) { + try { + Symm.base64url.decode(args[1], System.out); + System.out.println(); + System.out.flush(); + return; + } catch (IOException e) { + System.err.println("Cannot decode Base64url text from " + args[1]); + System.err.println(" \""+ e.getMessage() + '"'); + } + } else if("md5".equalsIgnoreCase(args[0]) && args.length>1) { + try { + System.out.println(Hash.hashMD5asStringHex(args[1])); + System.out.flush(); + } catch (NoSuchAlgorithmException e) { + System.err.println("Cannot hash MD5 from " + args[1]); + System.err.println(" \""+ e.getMessage() + '"'); + } + return; + } else if("sha256".equalsIgnoreCase(args[0]) && args.length>1) { + try { + if(args.length>2) { + int max = args.length>7?7:args.length; + for(int i=2;i1) { + File f = new File(args[1]); + FileOutputStream fos = new FileOutputStream(f); + try { + fos.write(Symm.keygen()); + fos.flush(); + } finally { + fos.close(); + Chmod.to400.chmod(f); + } + } else { + // create a Symmetric Key out of same characters found in base64 + System.out.write(Symm.keygen()); + System.out.flush(); + } + return; + } catch (IOException e) { + System.err.println("Cannot create a key " + args[0]); + System.err.println(" \""+ e.getMessage() + '"'); + } + + } else if("passgen".equalsIgnoreCase(args[0])) { + int numDigits; + if(args.length <= 1) { + numDigits = 24; + } else { + numDigits = Integer.parseInt(args[1]); + if(numDigits<8)numDigits = 8; + } + String pass; + boolean noLower,noUpper,noDigits,noSpecial,repeatingChars,missingChars; + do { + pass = Symm.randomGen(numDigits); + missingChars=noLower=noUpper=noDigits=noSpecial=true; + repeatingChars=false; + int c=-1,last; + for(int i=0;i=0x61 && c<=0x7A); + } + if(noUpper) { + noUpper=!(c>=0x41 && c<=0x5A); + } + if(noDigits) { + noDigits=!(c>=0x30 && c<=0x39); + } + if(noSpecial) { + noSpecial = "+!@#$%^&*(){}[]?:;,.".indexOf(c)<0; + } + + missingChars = (noLower || noUpper || noDigits || noSpecial); + } + } while(missingChars || repeatingChars); + System.out.println(pass.substring(0,numDigits)); + } else if("urlgen".equalsIgnoreCase(args[0])) { + int numDigits; + if(args.length <= 1) { + numDigits = 24; + } else { + numDigits = Integer.parseInt(args[1]); + } + System.out.println(Symm.randomGen(Symm.base64url.codeset, numDigits).substring(0,numDigits)); + } + } else { + System.out.println("Usage: java -jar ..."); + System.out.println(" keygen [] (Generates Key on file, or Std Out)"); + System.out.println(" digest [|-i|] (Encrypts Password with \"keyfile\""); + System.out.println(" if passwd = -i, will read StdIin"); + System.out.println(" if passwd is blank, will ask securely)"); + System.out.println(" passgen (Generate Password of given size)"); + System.out.println(" urlgen (Generate URL field of given size)"); + System.out.println(" csptest (Tests for CSP compatibility)"); + System.out.println(" encode64 (Encodes to Base64)"); + System.out.println(" decode64 (Decodes from Base64)"); + System.out.println(" encode64url (Encodes to Base64 URL charset)"); + System.out.println(" decode64url (Decodes from Base64 URL charset)"); + System.out.println(" sha256 (Digest String into SHA256 Hash)"); + System.out.println(" md5 (Digest String into MD5 Hash)"); + } + String forceExit = access.getProperty("force_exit", null); + if (forceExit == null) { + System.exit(1); + } + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Connector.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Connector.java new file mode 100644 index 00000000..7f47ce78 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Connector.java @@ -0,0 +1,26 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +public interface Connector { + public Lur newLur() throws CadiException; +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/CredVal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/CredVal.java new file mode 100644 index 00000000..4e42a5fb --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/CredVal.java @@ -0,0 +1,42 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + + +/** + * UserPass + * + * The essential interface required by BasicAuth to determine if a given User/Password combination is + * valid. This is done as an interface. + * + * @author Jonathan + */ +public interface CredVal { + public enum Type{PASSWORD}; + /** + * Validate if the User/Password combination matches records + * @param user + * @param pass + * @return + */ + public boolean validate(String user, Type type, byte[] cred, Object state); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/GetCred.java b/cadi/core/src/main/java/org/onap/aaf/cadi/GetCred.java new file mode 100644 index 00000000..e64f0dd4 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/GetCred.java @@ -0,0 +1,26 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +public interface GetCred { + byte[] getCred(); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Hash.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Hash.java new file mode 100644 index 00000000..6babb4c9 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Hash.java @@ -0,0 +1,258 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.nio.ByteBuffer; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; + +public class Hash { + private static char hexDigit[] = "0123456789abcdef".toCharArray(); + +///////////////////////////////// +// MD5 +///////////////////////////////// + /** + * Encrypt MD5 from Byte Array to Byte Array + * @param input + * @return + * @throws NoSuchAlgorithmException + */ + public static byte[] hashMD5 (byte[] input) throws NoSuchAlgorithmException { + // Note: Protect against Multi-thread issues with new MessageDigest + MessageDigest md = MessageDigest.getInstance("MD5"); + md.update(input); + return md.digest(); + } + + /** + * Encrypt MD5 from Byte Array to Byte Array + * @param input + * @return + * @throws NoSuchAlgorithmException + */ + public static byte[] hashMD5 (byte[] input, int offset, int length) throws NoSuchAlgorithmException { + // Note: Protect against Multi-thread issues with new MessageDigest + MessageDigest md = MessageDigest.getInstance("MD5"); + md.update(input,offset,length); + return md.digest(); + } + + + + /** + * Convenience Function: Encrypt MD5 from String to String Hex representation + * + * @param input + * @return + * @throws NoSuchAlgorithmException + */ + public static String hashMD5asStringHex(String input) throws NoSuchAlgorithmException { + byte[] output = hashMD5(input.getBytes()); + StringBuilder sb = new StringBuilder("0x"); + for (byte b : output) { + sb.append(hexDigit[(b >> 4) & 0x0f]); + sb.append(hexDigit[b & 0x0f]); + } + return sb.toString(); + } + +///////////////////////////////// +// SHA256 +///////////////////////////////// + /** + * SHA256 Hashing + */ + public static byte[] hashSHA256(byte[] input) throws NoSuchAlgorithmException { + // Note: Protect against Multi-thread issues with new MessageDigest + MessageDigest md = MessageDigest.getInstance("SHA-256"); + md.update(input); + return md.digest(); + } + + /** + * SHA256 Hashing + */ + public static byte[] hashSHA256(byte[] input, int offset, int length) throws NoSuchAlgorithmException { + // Note: Protect against Multi-thread issues with new MessageDigest + MessageDigest md = MessageDigest.getInstance("SHA-256"); + md.update(input,offset,length); + return md.digest(); + } + + /** + * Convenience Function: Hash from String to String Hex representation + * + * @param input + * @return + * @throws NoSuchAlgorithmException + */ + public static String hashSHA256asStringHex(String input) throws NoSuchAlgorithmException { + return toHex(hashSHA256(input.getBytes())); + } + + /** + * Convenience Function: Hash from String to String Hex representation + * + * @param input + * @return + * @throws NoSuchAlgorithmException + */ + public static String hashSHA256asStringHex(String input, int salt) throws NoSuchAlgorithmException { + byte[] in = input.getBytes(); + ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + in.length); + bb.putInt(salt); + bb.put(input.getBytes()); + return toHex(Hash.hashSHA256(bb.array())); + } + + /** + * Compare two byte arrays for equivalency + * @param ba1 + * @param ba2 + * @return + */ + public static boolean isEqual(byte ba1[], byte ba2[]) { + if(ba1.length!=ba2.length)return false; + for(int i = 0;i> 4) & 0x0f]); + sb.append(hexDigit[b & 0x0f]); + } + return sb.toString(); + } + + public static String toHex(byte[] ba) { + StringBuilder sb = new StringBuilder("0x"); + for (byte b : ba) { + sb.append(hexDigit[(b >> 4) & 0x0f]); + sb.append(hexDigit[b & 0x0f]); + } + return sb.toString(); + } + + public static String toHex(byte[] ba, int start, int length) { + StringBuilder sb = new StringBuilder("0x"); + for (int i=start;i> 4) & 0x0f]); + sb.append(hexDigit[ba[i] & 0x0f]); + } + return sb.toString(); + } + + + public static byte[] fromHex(String s) throws CadiException{ + if(!s.startsWith("0x")) { + throw new CadiException("HexString must start with \"0x\""); + } + boolean high = true; + int c; + byte b; + byte[] ba = new byte[(s.length()-2)/2]; + int idx; + for(int i=2;i=0x30 && c<=0x39) { + b=(byte)(c-0x30); + } else if(c>=0x61 && c<=0x66) { + b=(byte)(c-0x57); // account for "A" + } else if(c>=0x41 && c<=0x46) { + b=(byte)(c-0x37); + } else { + throw new CadiException("Invalid char '" + c + "' in HexString"); + } + idx = (i-2)/2; + if(high) { + ba[idx]=(byte)(b<<4); + high = false; + } else { + ba[idx]|=b; + high = true; + } + } + return ba; + } + + /** + * Does not expect to start with "0x" + * if Any Character doesn't match, it returns null; + * + * @param s + * @return + */ + public static byte[] fromHexNo0x(String s) { + int c; + byte b; + byte[] ba; + boolean high; + int start; + if(s.length()%2==0) { + ba = new byte[s.length()/2]; + high=true; + start=0; + } else { + ba = new byte[(s.length()/2)+1]; + high = false; + start=1; + } + int idx; + for(int i=start;i=0x30 && c<=0x39) { + b=(byte)(c-0x30); + } else if(c>=0x61 && c<=0x66) { + b=(byte)(c-0x57); // account for "A" + } else if(c>=0x41 && c<=0x46) { + b=(byte)(c-0x37); + } else { + return null; + } + idx = i/2; + if(high) { + ba[idx]=(byte)(b<<4); + high = false; + } else { + ba[idx]|=b; + high = true; + } + } + return ba; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Locator.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Locator.java new file mode 100644 index 00000000..22258d12 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Locator.java @@ -0,0 +1,36 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +public interface Locator { + public T get(Locator.Item item) throws LocatorException; + public boolean hasItems(); + public void invalidate(Locator.Item item) throws LocatorException; + public Locator.Item best() throws LocatorException; + public Item first() throws LocatorException; + public Item next(Item item) throws LocatorException; + public boolean refresh(); + public void destroy(); + + public interface Item {} + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/LocatorException.java b/cadi/core/src/main/java/org/onap/aaf/cadi/LocatorException.java new file mode 100644 index 00000000..f14fba70 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/LocatorException.java @@ -0,0 +1,46 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +public class LocatorException extends Exception { + /** + * + */ + private static final long serialVersionUID = -4267929804321134469L; + + public LocatorException(String arg0) { + super(arg0); + } + + public LocatorException(Throwable arg0) { + super(arg0); + } + + public LocatorException(String arg0, Throwable arg1) { + super(arg0, arg1); + } + + public LocatorException(CharSequence cs) { + super(cs.toString()); + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java new file mode 100644 index 00000000..fd73d00b --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Lur.java @@ -0,0 +1,92 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.security.Principal; +import java.util.List; + + + +/** + * LUR: Local User Registry + * + * Concept by Robert Garskof, Implementation by Jonathan Gathman + * + * Where we can keep local copies of users and roles for faster Authorization when asked. + * + * Note: Author cannot resist the mental image of using a Fishing Lure to this LUR pattern + * + * @author Jonathan + * + */ +public interface Lur { + /** + * Allow the Lur, which has correct Permission access, to create and hand back. + */ + public Permission createPerm(String p); + + /** + * Fish for Principals in a Pond + * + * or more boringly, is the User identified within a named collection representing permission. + * + * @param principalName + * @return + */ + public boolean fish(Principal bait, Permission pond); + + /** + * Fish all the Principals out a Pond + * + * For additional humor, pronounce the following with a Southern Drawl, "FishOil" + * + * or more boringly, load the List with Permissions found for Principal + * + * @param principalName + * @return + */ + public void fishAll(Principal bait, List permissions); + + /** + * Allow implementations to disconnect, or cleanup resources if unneeded + */ + public void destroy(); + + /** + * Does this LUR handle this pond exclusively? Important for EpiLUR to determine whether + * to try another (more expensive) LUR + * @param pond + * @return + */ + public boolean handlesExclusively(Permission pond); + + /** + * Does the LUR support a particular kind of Principal + * This can be used to check name's domain, like above, or Principal type + */ + public boolean handles(Principal principal); + + /** + * Clear: Clear any Caching, if exists + */ + public void clear(Principal p, StringBuilder report); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Permission.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Permission.java new file mode 100644 index 00000000..f8061290 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Permission.java @@ -0,0 +1,28 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +public interface Permission { + public String permType(); + public String getKey(); + public boolean match(Permission p); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java b/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java new file mode 100644 index 00000000..07e9b592 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/PropAccess.java @@ -0,0 +1,387 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.PrintStream; +import java.text.SimpleDateFormat; +import java.util.ArrayList; +import java.util.Date; +import java.util.List; +import java.util.Map.Entry; + +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfo; + +import java.util.Properties; + +public class PropAccess implements Access { + private static final SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ"); + + public static Level DEFAULT = Level.AUDIT; + + private Symm symm; + private int level; + private Properties props; + private List recursionProtection = null; + private LogIt logIt; + private String name; + + public PropAccess() { + logIt = new StreamLogIt(System.out); + init(null); + } + + /** + * This Constructor soly exists to instantiate Servlet Context Based Logging that will call "init" later. + * @param sc + */ + protected PropAccess(Object o) { + logIt = new StreamLogIt(System.out); + props = new Properties(); + } + + public PropAccess(String ... args) { + this(System.out,args); + } + + public PropAccess(PrintStream ps, String[] args) { + logIt = new StreamLogIt(ps==null?System.out:ps); + Properties nprops=new Properties(); + int eq; + for(String arg : args) { + if((eq=arg.indexOf('='))>0) { + nprops.setProperty(arg.substring(0, eq),arg.substring(eq+1)); + } + } + init(nprops); + } + + public PropAccess(LogIt logit, String[] args) { + logIt = logit; + } + + public PropAccess(Properties p) { + this(System.out,p); + } + + public PropAccess(PrintStream ps, Properties p) { + logIt = new StreamLogIt(ps==null?System.out:ps); + init(p); + } + + protected void init(Properties p) { + // Make sure these two are set before any changes in Logging + name = "cadi"; + level=DEFAULT.maskOf(); + + props = new Properties(); + // First, load related System Properties + for(Entry es : System.getProperties().entrySet()) { + String key = es.getKey().toString(); + for(String start : new String[] {"cadi_","aaf_","cm_"}) { + if(key.startsWith(start)) { + props.put(key, es.getValue()); + } + } + } + // Second, overlay or fill in with Passed in Props + if(p!=null) { + props.putAll(p); + } + + // Third, load any Chained Property Files + load(props.getProperty(Config.CADI_PROP_FILES)); + + String sLevel = props.getProperty(Config.CADI_LOGLEVEL); + if(sLevel!=null) { + level=Level.valueOf(sLevel).maskOf(); + } + // Setup local Symmetrical key encryption + if(symm==null) { + try { + symm = Symm.obtain(this); + } catch (CadiException e) { + System.err.append("FATAL ERROR: Cannot obtain Key Information."); + e.printStackTrace(System.err); + System.exit(1); + } + } + + name = props.getProperty(Config.CADI_LOGNAME, name); + + specialConversions(); + } + + private void specialConversions() { + // Critical - if no Security Protocols set, then set it. We'll just get messed up if not + if(props.get(Config.CADI_PROTOCOLS)==null) { + props.setProperty(Config.CADI_PROTOCOLS, SecurityInfo.HTTPS_PROTOCOLS_DEFAULT); + } + + Object temp; + temp=props.get(Config.CADI_PROTOCOLS); + if(props.get(Config.HTTPS_PROTOCOLS)==null && temp!=null) { + props.put(Config.HTTPS_PROTOCOLS, temp); + } + + if(temp!=null) { + if("1.7".equals(System.getProperty("java.specification.version")) + && (temp==null || (temp instanceof String && ((String)temp).contains("TLSv1.2")))) { + System.setProperty(Config.HTTPS_CIPHER_SUITES, Config.HTTPS_CIPHER_SUITES_DEFAULT); + } + } + } + + private void load(String cadi_prop_files) { + if(cadi_prop_files==null) { + return; + } + String prevKeyFile = props.getProperty(Config.CADI_KEYFILE); + int prev = 0, end = cadi_prop_files.length(); + int idx; + String filename; + while(prev(); + recursionProtection.add(cadi_prop_files); + } + if(!recursionProtection.contains(chainProp)) { + recursionProtection.add(chainProp); + load(chainProp); // recurse + } + } + } finally { + fis.close(); + } + } catch (Exception e) { + log(e,filename,"cannot be opened"); + } + } else { + printf(Level.WARN,"Warning: recursive CADI Property %s does not exist",file.getAbsolutePath()); + } + prev = idx+1; + } + + // Trim + for(Entry es : props.entrySet()) { + Object value = es.getValue(); + if(value instanceof String) { + String trim = ((String)value).trim(); + if(trim!=value) { // Yes, I want OBJECT equals + props.setProperty((String)es.getKey(), trim); + } + } + } + // Reset Symm if Keyfile Changes: + String newKeyFile = props.getProperty(Config.CADI_KEYFILE); + if((prevKeyFile!=null && newKeyFile!=null) || (newKeyFile!=null && !newKeyFile.equals(prevKeyFile))) { + try { + symm = Symm.obtain(this); + } catch (CadiException e) { + System.err.append("FATAL ERROR: Cannot obtain Key Information."); + e.printStackTrace(System.err); + System.exit(1); + } + + prevKeyFile=newKeyFile; + } + + String loglevel = props.getProperty(Config.CADI_LOGLEVEL); + if(loglevel!=null) { + try { + level=Level.valueOf(loglevel).maskOf(); + } catch (IllegalArgumentException e) { + printf(Level.ERROR,"%s=%s is an Invalid Log Level",Config.CADI_LOGLEVEL,loglevel); + } + } + + specialConversions(); + } + + @Override + public void load(InputStream is) throws IOException { + props.load(is); + load(props.getProperty(Config.CADI_PROP_FILES)); + } + + @Override + public void log(Level level, Object ... elements) { + if(willLog(level)) { + logIt.push(level,elements); + } + } + + protected StringBuilder buildMsg(Level level, Object[] elements) { + StringBuilder sb = new StringBuilder(iso8601.format(new Date())); + sb.append(' '); + sb.append(level.name()); + sb.append(" ["); + sb.append(name); + + int end = elements.length; + if(end<=0) { + sb.append("] "); + } else { + int idx = 0; + if(elements[idx] instanceof Integer) { + sb.append('-'); + sb.append(elements[idx]); + ++idx; + } + sb.append("] "); + String s; + boolean first = true; + for(Object o : elements) { + if(o!=null) { + s=o.toString(); + if(first) { + first = false; + } else { + int l = s.length(); + if(l>0) { + switch(s.charAt(l-1)) { + case ' ': + break; + default: + sb.append(' '); + } + } + } + sb.append(s); + } + } + } + return sb; + } + + @Override + public void log(Exception e, Object... elements) { + log(Level.ERROR,e.getMessage(),elements); + e.printStackTrace(System.err); + } + + @Override + public void printf(Level level, String fmt, Object... elements) { + if(willLog(level)) { + log(level,String.format(fmt, elements)); + } + } + + @Override + public void setLogLevel(Level level) { + this.level = level.maskOf(); + } + + @Override + public boolean willLog(Level level) { + return level.inMask(this.level); + } + + @Override + public ClassLoader classLoader() { + return ClassLoader.getSystemClassLoader(); + } + + @Override + public String getProperty(String tag, String def) { + return props.getProperty(tag,def); + } + + @Override + public String decrypt(String encrypted, boolean anytext) throws IOException { + return (encrypted!=null && (anytext==true || encrypted.startsWith(Symm.ENC))) + ? symm.depass(encrypted) + : encrypted; + } + + public String encrypt(String unencrypted) throws IOException { + return Symm.ENC+symm.enpass(unencrypted); + } + + ////////////////// + // Additional + ////////////////// + public String getProperty(String tag) { + return props.getProperty(tag); + } + + + public Properties getProperties() { + return props; + } + + public void setProperty(String tag, String value) { + if(value!=null) { + props.put(tag, value); + if(Config.CADI_KEYFILE.equals(tag)) { + // reset decryption too + try { + symm = Symm.obtain(this); + } catch (CadiException e) { + System.err.append("FATAL ERROR: Cannot obtain Key Information."); + e.printStackTrace(System.err); + System.exit(1); + } + } + } + } + + public interface LogIt { + public void push(Level level, Object ... elements) ; + } + + private class StreamLogIt implements LogIt { + private PrintStream ps; + + public StreamLogIt(PrintStream ps) { + this.ps = ps; + } + @Override + public void push(Level level, Object ... elements) { + ps.println(buildMsg(level,elements)); + ps.flush(); + } + + } + + public void set(LogIt logit) { + logIt = logit; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Revalidator.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Revalidator.java new file mode 100644 index 00000000..125ac24c --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Revalidator.java @@ -0,0 +1,34 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + + +public interface Revalidator { + /** + * Re-Validate Credential + * + * @param prin + * @return + */ + public CachedPrincipal.Resp revalidate(TRANS trans, CachedPrincipal prin); + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java new file mode 100644 index 00000000..31563017 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java @@ -0,0 +1,44 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + + +/** + * Apply any particular security mechanism + * + * This allows the definition of various mechanisms involved outside of DRcli jars + * + * @author Jonathan + * + */ +public interface SecuritySetter { + public String getID(); + + public void setSecurity(CT client) throws CadiException; + + /** + * Returns number of bad logins registered + * @param respCode + * @return + */ + public int setLastResponse(int respCode); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java b/cadi/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java new file mode 100644 index 00000000..38a01a09 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java @@ -0,0 +1,67 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.util.Enumeration; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; + +public class ServletContextAccess extends PropAccess { + + private ServletContext context; + + public ServletContextAccess(FilterConfig filterConfig) { + super(filterConfig); // protected constructor... does not have "init" called. + context = filterConfig.getServletContext(); + + for(Enumeration en = filterConfig.getInitParameterNames();en.hasMoreElements();) { + String name = (String)en.nextElement(); + setProperty(name, filterConfig.getInitParameter(name)); + } + init(getProperties()); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.PropAccess#log(org.onap.aaf.cadi.Access.Level, java.lang.Object[]) + */ + @Override + public void log(Level level, Object... elements) { + if(willLog(level)) { + StringBuilder sb = buildMsg(level, elements); + context.log(sb.toString()); + } + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.PropAccess#log(java.lang.Exception, java.lang.Object[]) + */ + @Override + public void log(Exception e, Object... elements) { + StringBuilder sb = buildMsg(Level.ERROR, elements); + context.log(sb.toString(),e); + } + + public ServletContext context() { + return context; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java b/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java new file mode 100644 index 00000000..095f6e97 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/Symm.java @@ -0,0 +1,854 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.DataInputStream; +import java.io.DataOutputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.security.SecureRandom; +import java.util.ArrayList; +import java.util.Random; + +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; + +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.config.Config; + +/** + * Key Conversion, primarily "Base64" + * + * Base64 is required for "Basic Authorization", which is an important part of the overall CADI Package. + * + * Note: This author found that there is not a "standard" library for Base64 conversion within Java. + * The source code implementations available elsewhere were surprisingly inefficient, requiring, for + * instance, multiple string creation, on a transaction pass. Integrating other packages that might be + * efficient enough would put undue Jar File Dependencies given this Framework should have none-but-Java + * dependencies. + * + * The essential algorithm is good for a symmetrical key system, as Base64 is really just + * a symmetrical key that everyone knows the values. + * + * This code is quite fast, taking about .016 ms for encrypting, decrypting and even .08 for key + * generation. The speed quality, especially of key generation makes this a candidate for a short term token + * used for identity. + * + * It may be used to easily avoid placing Clear-Text passwords in configurations, etc. and contains + * supporting functions such as 2048 keyfile generation (see keygen). This keyfile should, of course, + * be set to "400" (Unix) and protected as any other mechanism requires. + * + * However, this algorithm has not been tested against hackers. Until such a time, utilize more tested + * packages to protect Data, especially sensitive data at rest (long term). + * + * @author Jonathan + * + */ +public class Symm { + private static final byte[] DOUBLE_EQ = new byte[] {'=','='}; + public static final String ENC = "enc:"; + private static final SecureRandom random = new SecureRandom(); + + public final char[] codeset; + private final int splitLinesAt; + private final String encoding; + private final Convert convert; + private final boolean endEquals; + private byte[] keyBytes = null; + //Note: AES Encryption is not Thread Safe. It is Synchronized + //private AES aes = null; // only initialized from File, and only if needed for Passwords + + /** + * This is the standard base64 Key Set. + * RFC 2045 + */ + public static final Symm base64 = new Symm( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray() + ,76, Config.UTF_8,true); + + public static final Symm base64noSplit = new Symm( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray() + ,Integer.MAX_VALUE, Config.UTF_8,true); + + /** + * This is the standard base64 set suitable for URLs and Filenames + * RFC 4648 + */ + public static final Symm base64url = new Symm( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray() + ,76, Config.UTF_8,true); + + /** + * A Password set, using US-ASCII + * RFC 4648 + */ + public static final Symm encrypt = new Symm(base64url.codeset,1024, "US-ASCII", false); + private static final byte[] EMPTY = new byte[0]; + + /** + * A typical set of Password Chars + * Note, this is too large to fit into the algorithm. Only use with PassGen + */ + private static char passChars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+!@#$%^&*(){}[]?:;,.".toCharArray(); + + + + /** + * Use this to create special case Case Sets and/or Line breaks + * + * If you don't know why you need this, use the Singleton Method + * + * @param codeset + * @param split + */ + public Symm(char[] codeset, int split, String charset, boolean useEndEquals) { + this.codeset = codeset; + splitLinesAt = split; + encoding = charset; + endEquals = useEndEquals; + char prev = 0, curr=0, first = 0; + int offset=Integer.SIZE; // something that's out of range for integer array + + // There can be time efficiencies gained when the underlying keyset consists mainly of ordered + // data (i.e. abcde...). Therefore, we'll quickly analyze the keyset. If it proves to have + // too much entropy, the "Unordered" algorithm, which is faster in such cases is used. + ArrayList la = new ArrayList(); + for(int i=0;icodeset.length/3) { + convert = new Unordered(codeset); + } else { // too random to get speed enhancement from range algorithm + int[][] range = new int[la.size()][]; + la.toArray(range); + convert = new Ordered(range); + } + } + + public Symm copy(int lines) { + return new Symm(codeset,lines,encoding,endEquals); + } + + // Only used by keygen, which is intentionally randomized. Therefore, always use unordered + private Symm(char[] codeset, Symm parent) { + this.codeset = codeset; + splitLinesAt = parent.splitLinesAt; + endEquals = parent.endEquals; + encoding = parent.encoding; + convert = new Unordered(codeset); + } + + /** + * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc. + * @return + */ + @Deprecated + public static final Symm base64() { + return base64; + } + + /** + * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc. + * No Line Splitting + * @return + */ + @Deprecated + public static final Symm base64noSplit() { + return base64noSplit; + } + + /** + * Obtain the base64 "URL" behavior of this class, for use in File Names, etc. (no "/") + */ + @Deprecated + public static final Symm base64url() { + return base64url; + } + + /** + * Obtain a special ASCII version for Scripting, with base set of base64url use in File Names, etc. (no "/") + */ + public static final Symm baseCrypt() { + return encrypt; + } + + public T exec(SyncExec exec) throws Exception { + synchronized(ENC) { + if(keyBytes == null) { + keyBytes = new byte[AES.AES_KEY_SIZE/8]; + int offset = (Math.abs(codeset[0])+47)%(codeset.length-keyBytes.length); + for(int i=0;i { + public T exec(Encryption enc) throws IOException, Exception; + } + + public byte[] encode(byte[] toEncrypt) throws IOException { + if(toEncrypt==null) { + return EMPTY; + } else { + ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(toEncrypt.length*1.25)); + encode(new ByteArrayInputStream(toEncrypt),baos); + return baos.toByteArray(); + } + } + + public byte[] decode(byte[] encrypted) throws IOException { + ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(encrypted.length*1.25)); + decode(new ByteArrayInputStream(encrypted),baos); + return baos.toByteArray(); + } + + /** + * Helper function for String API of "Encode" + * use "getBytes" with appropriate char encoding, etc. + * + * @param str + * @return + * @throws IOException + */ + public String encode(String str) throws IOException { + byte[] array; + boolean useDefaultEncoding = false; + try { + array = str.getBytes(encoding); + } catch (IOException e) { + array = str.getBytes(); // take default + useDefaultEncoding = true; + } + // Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code + ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*1.363)); // account for 4 bytes for 3 and a byte or two more + + encode(new ByteArrayInputStream(array),baos); + if (useDefaultEncoding) { + return baos.toString(); + } + return baos.toString(encoding); + } + + /** + * Helper function for the String API of "Decode" + * use "getBytes" with appropriate char encoding, etc. + * @param str + * @return + * @throws IOException + */ + public String decode(String str) throws IOException { + byte[] array; + boolean useDefaultEncoding = false; + try { + array = str.getBytes(encoding); + } catch (IOException e) { + array = str.getBytes(); // take default + useDefaultEncoding = true; + } + // Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code + ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*.76)); // Decoding is 3 bytes for 4. Allocate slightly more than 3/4s + decode(new ByteArrayInputStream(array), baos); + if (useDefaultEncoding) { + return baos.toString(); + } + return baos.toString(encoding); + } + + /** + * Convenience Function + * + * encode String into InputStream and call encode(InputStream, OutputStream) + * + * @param string + * @param out + * @throws IOException + */ + public void encode(String string, OutputStream out) throws IOException { + encode(new ByteArrayInputStream(string.getBytes()),out); + } + + /** + * Convenience Function + * + * encode String into InputStream and call decode(InputStream, OutputStream) + * + * @param string + * @param out + * @throws IOException + */ + public void decode(String string, OutputStream out) throws IOException { + decode(new ByteArrayInputStream(string.getBytes()),out); + } + + public void encode(InputStream is, OutputStream os, byte[] prefix) throws IOException { + os.write(prefix); + encode(is,os); + } + + /** + * encode InputStream onto Output Stream + * + * @param is + * @param estimate + * @return + * @throws IOException + */ + public void encode(InputStream is, OutputStream os) throws IOException { + // StringBuilder sb = new StringBuilder((int)(estimate*1.255)); // try to get the right size of StringBuilder from start.. slightly more than 1.25 times + int prev=0; + int read, idx=0, line=0; + boolean go; + do { + read = is.read(); + if(go = read>=0) { + if(line>=splitLinesAt) { + os.write('\n'); + line = 0; + } + switch(++idx) { // 1 based reading, slightly faster ++ + case 1: // ptr is the first 6 bits of read + os.write(codeset[read>>2]); + prev = read; + break; + case 2: // ptr is the last 2 bits of prev followed by the first 4 bits of read + os.write(codeset[((prev & 0x03)<<4) | (read>>4)]); + prev = read; + break; + default: //(3+) + // Char 1 is last 4 bits of prev plus the first 2 bits of read + // Char 2 is the last 6 bits of read + os.write(codeset[(((prev & 0xF)<<2) | (read>>6))]); + if(line==splitLinesAt) { // deal with line splitting for two characters + os.write('\n'); + line=0; + } + os.write(codeset[(read & 0x3F)]); + ++line; + idx = 0; + prev = 0; + } + ++line; + } else { // deal with any remaining bits from Prev, then pad + switch(idx) { + case 1: // just the last 2 bits of prev + os.write(codeset[(prev & 0x03)<<4]); + if(endEquals)os.write(DOUBLE_EQ); + break; + case 2: // just the last 4 bits of prev + os.write(codeset[(prev & 0xF)<<2]); + if(endEquals)os.write('='); + break; + } + idx = 0; + } + + } while(go); + } + + public void decode(InputStream is, OutputStream os, int skip) throws IOException { + is.skip(skip); + decode(is,os); + } + + /** + * Decode InputStream onto OutputStream + * @param is + * @param os + * @throws IOException + */ + public void decode(InputStream is, OutputStream os) throws IOException { + int read, idx=0; + int prev=0, index; + while((read = is.read())>=0) { + index = convert.convert(read); + if(index>=0) { + switch(++idx) { // 1 based cases, slightly faster ++ + case 1: // index goes into first 6 bits of prev + prev = index<<2; + break; + case 2: // write second 2 bits of into prev, write byte, last 4 bits go into prev + os.write((byte)(prev|(index>>4))); + prev = index<<4; + break; + case 3: // first 4 bits of index goes into prev, write byte, last 2 bits go into prev + os.write((byte)(prev|(index>>2))); + prev = index<<6; + break; + default: // (3+) | prev and last six of index + os.write((byte)(prev|(index&0x3F))); + idx = prev = 0; + } + } + }; + os.flush(); + } + + /** + * Interface to allow this class to choose which algorithm to find index of character in Key + * @author Jonathan + * + */ + private interface Convert { + public int convert(int read) throws IOException; + } + + /** + * Ordered uses a range of orders to compare against, rather than requiring the investigation + * of every character needed. + * @author Jonathan + * + */ + private static final class Ordered implements Convert { + private int[][] range; + public Ordered(int[][] range) { + this.range = range; + } + public int convert(int read) throws IOException { + switch(read) { + case -1: + case '=': + case '\n': + return -1; + } + for(int i=0;i= range[i][0] && read<=range[i][1]) { + return read-range[i][2]; + } + } + throw new IOException("Unacceptable Character in Stream"); + } + } + + /** + * Unordered, i.e. the key is purposely randomized, simply has to investigate each character + * until we find a match. + * @author Jonathan + * + */ + private static final class Unordered implements Convert { + private char[] codec; + public Unordered(char[] codec) { + this.codec = codec; + } + public int convert(int read) throws IOException { + switch(read) { + case -1: + case '=': + case '\n': + return -1; + } + for(int i=0;i() { + @Override + public Void exec(Encryption enc) throws Exception { + CipherInputStream cis = enc.inputStream(new ByteArrayInputStream(baos.toByteArray()), true); + try { + encode(cis,os); + } finally { + os.flush(); + cis.close(); + } + return null; + } + }); + } catch (IOException e) { + throw e; + } catch (Exception e) { + throw new IOException(e); + } + } + + /** + * Decrypt a password into a String + * + * Convenience method + * + * @param password + * @return + * @throws IOException + */ + public String depass(String password) throws IOException { + if(password==null)return null; + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + depass(password,baos); + return new String(baos.toByteArray()); + } + + /** + * Decrypt a password + * + * Skip Symm.ENC + * + * @param password + * @param os + * @return + * @throws IOException + */ + public long depass(final String password, final OutputStream os) throws IOException { + int offset = password.startsWith(ENC)?4:0; + final ByteArrayOutputStream baos = new ByteArrayOutputStream(); + final ByteArrayInputStream bais = new ByteArrayInputStream(password.getBytes(),offset,password.length()-offset); + try { + exec(new SyncExec() { + @Override + public Void exec(Encryption enc) throws IOException { + CipherOutputStream cos = enc.outputStream(baos, false); + decode(bais,cos); + cos.close(); // flush + return null; + } + }); + } catch (IOException e) { + throw e; + } catch (Exception e) { + throw new IOException(e); + } + + byte[] bytes = baos.toByteArray(); + DataInputStream dis = new DataInputStream(new ByteArrayInputStream(bytes)); + long time; + if(this.getClass().getSimpleName().startsWith("base64")) { // don't expose randomization + os.write(bytes); + time = 0L; + } else { + int start=0; + for(int i=0;i<3;++i) { + start+=Math.abs(dis.readByte()); + } + start%=0x7; + for(int i=0;i=0) { + index = o.next(); + if(index<0 || index>=codeset.length) { + System.out.println("uh, oh"); + } + if(right) { // alternate going left or right to find the next open slot (keeps it from taking too long to hit something) + for(int j=index;j=0;--j) { + if(seq[j]==0) { + seq[j]=codeset[filled]; + --filled; + break; + } + } + right = true; + } + } + Symm newSymm = new Symm(seq,this); + // Set the KeyBytes + try { + newSymm.keyBytes = new byte[AES.AES_KEY_SIZE/8]; + int offset = (Math.abs(key[(47%key.length)])+137)%(key.length-newSymm.keyBytes.length); + for(int i=0;i { + /** + * Mutate the (assumed validated) Principal into the expected Principal name to be used to construct + * + * @param p + * @return + */ + public T mutate(Principal p); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java b/cadi/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java new file mode 100644 index 00000000..fabec0b0 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java @@ -0,0 +1,52 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import javax.servlet.http.HttpServletRequest; + +import org.onap.aaf.cadi.taf.TafResp; + +/** + * Change to another Principal based on Trust of caller and User Chain (if desired) + * + * @author Jonathan + * + */ +public interface TrustChecker { + public TafResp mayTrust(TafResp tresp, HttpServletRequest req); + + /** + * A class that trusts no-one else, so just return same TResp + */ + public static TrustChecker NOTRUST = new TrustChecker() { + @Override + public TafResp mayTrust(TafResp tresp, HttpServletRequest req) { + return tresp; + } + + @Override + public void setLur(Lur lur) { + } + }; + + public void setLur(Lur lur); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/User.java b/cadi/core/src/main/java/org/onap/aaf/cadi/User.java new file mode 100644 index 00000000..5e9f8a58 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/User.java @@ -0,0 +1,177 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +import java.security.Principal; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; + +import org.onap.aaf.cadi.lur.LocalPermission; + +/** + * Class to hold info from the User Perspective. + * + * @author Jonathan + * + */ +public final class User { + private static final Map NULL_MAP = new HashMap(); + public String name; + private byte[] cred; + public Principal principal; + Map perms ; + long permExpires; + private final long interval; + int count; + + // Note: This should only be used for Local RBAC (in memory) + public User(Principal principal) { + this.principal = principal; + name = principal.getName(); + perms = NULL_MAP; + permExpires = Long.MAX_VALUE; // Never. Well, until 64 bits of millis since 1970 expires... + interval = 0L; + count = 0; + } + + public User(String name, byte[] cred) { + this.principal = null; + this.name = name; + this.cred = cred; + perms = NULL_MAP; + permExpires = Long.MAX_VALUE; // Never. Well, until 64 bits of millis since 1970 expires... + interval = 0L; + count = 0; + } + + public User(Principal principal, long expireInterval) { + this.principal = principal; + this.name = principal.getName(); + perms = NULL_MAP; + expireInterval = Math.max(expireInterval, 0); // avoid < 1 + interval = Math.max(AbsUserCache.MIN_INTERVAL,Math.min(expireInterval,AbsUserCache.MAX_INTERVAL)); + count = 0; + renewPerm(); + renewPerm(); + } + + public User(String name, byte[] cred, long expireInterval) { + this.principal = null; + this.name = name; + this.cred = cred; + perms = NULL_MAP; + expireInterval = Math.max(expireInterval, 0); // avoid < 1 + interval = Math.max(AbsUserCache.MIN_INTERVAL,Math.min(expireInterval,AbsUserCache.MAX_INTERVAL)); + count = 0; + renewPerm(); + } + + public void renewPerm() { + permExpires = System.currentTimeMillis()+interval; + } + + public long permExpires() { + return permExpires; + } + + public boolean permExpired() { + return System.currentTimeMillis() > permExpires; + } + + public boolean noPerms() { + return perms==null || perms==NULL_MAP || perms.values().size()==0; + } + + public synchronized void setNoPerms() { + perms=NULL_MAP; + renewPerm(); + } + + public boolean permsUnloaded() { + return perms==null || perms==NULL_MAP; + } + + public synchronized void incCount() { + ++count; + } + + public synchronized void resetCount() { + count=0; + } + + public Map newMap() { + return new ConcurrentHashMap(); + } + + public void add(LocalPermission permission) { + if(perms==NULL_MAP) { + perms=newMap(); + } + perms.put(permission.getKey(),permission); + } + + public void add(Map newMap, PERM permission) { + newMap.put(permission.getKey(),permission); + } + + public synchronized void setMap(Map newMap) { + perms = newMap; + renewPerm(); + } + + public boolean contains(Permission perm) { + for (Permission p : perms.values()) { + if (p.match(perm)) return true; + } + return false; + } + + public void copyPermsTo(List sink) { + sink.addAll(perms.values()); + } + + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append(principal.getName()); + sb.append('|'); + boolean first = true; + synchronized(perms) { + for(Permission gp : perms.values()) { + if(first) { + first = false; + sb.append(':'); + } else { + sb.append(','); + } + sb.append(gp.getKey()); + } + } + return sb.toString(); + } + + public byte[] getCred() { + return cred; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/UserChain.java b/cadi/core/src/main/java/org/onap/aaf/cadi/UserChain.java new file mode 100644 index 00000000..e423b8b1 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/UserChain.java @@ -0,0 +1,43 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi; + +/** + * Interface to add a User Chain String to Principal + * + * + * + * Where + * APP is name suitable for Logging (i.e. official App Acronym) + * ID is official User or MechID, best if includes Identity Source (i.e. ab1234@csp.att.com) + * Protocol is the Security protocol, + * + * Format:::[:AS][,::]* + * + * + * @author Jonathan + * + */ +public interface UserChain { + public enum Protocol {BasicAuth,Cookie,Cert,OAuth}; + public String userChain(); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java new file mode 100644 index 00000000..dda4b6cd --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Config.java @@ -0,0 +1,728 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.config; + +import java.io.IOException; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; +import java.net.HttpURLConnection; +import java.net.InetAddress; +import java.net.URI; +import java.net.UnknownHostException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.List; + +import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CachingLur; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Connector; +import org.onap.aaf.cadi.CredVal; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.TrustChecker; +import org.onap.aaf.cadi.lur.EpiLur; +import org.onap.aaf.cadi.lur.LocalLur; +import org.onap.aaf.cadi.lur.NullLur; +import org.onap.aaf.cadi.taf.HttpEpiTaf; +import org.onap.aaf.cadi.taf.HttpTaf; +import org.onap.aaf.cadi.taf.basic.BasicHttpTaf; +import org.onap.aaf.cadi.taf.cert.X509Taf; +import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf; + +/** + * Create a Consistent Configuration mechanism, even when configuration styles are as vastly different as + * Properties vs JavaBeans vs FilterConfigs... + * + * @author Jonathan + * + */ +public class Config { + + public static final String UTF_8 = "UTF-8"; + + // Property Names associated with configurations. + // As of 1.0.2, these have had the dots removed so as to be compatible with JavaBean style + // configurations as well as property list style. + public static final String HOSTNAME = "hostname"; + public static final String CADI_PROP_FILES = "cadi_prop_files"; // Additional Properties files (separate with ;) + public static final String CADI_LOGLEVEL = "cadi_loglevel"; + public static final String CADI_LOGNAME = "cadi_logname"; + public static final String CADI_KEYFILE = "cadi_keyfile"; + public static final String CADI_KEYSTORE = "cadi_keystore"; + public static final String CADI_KEYSTORE_PASSWORD = "cadi_keystore_password"; + public static final String CADI_ALIAS = "cadi_alias"; + public static final String CADI_LOGINPAGE_URL = "cadi_loginpage_url"; + public static final String CADI_LATITUDE = "cadi_latitude"; + public static final String CADI_LONGITUDE = "cadi_longitude"; + + public static final String CADI_KEY_PASSWORD = "cadi_key_password"; + public static final String CADI_TRUSTSTORE = "cadi_truststore"; + public static final String CADI_TRUSTSTORE_PASSWORD = "cadi_truststore_password"; + public static final String CADI_X509_ISSUERS = "cadi_x509_issuers"; + public static final String CADI_TRUST_MASKS="cadi_trust_masks"; + public static final String CADI_TRUST_PERM="cadi_trust_perm"; // IDs with this perm can utilize the "AS " user concept + public static final String CADI_PROTOCOLS = "cadi_protocols"; + public static final String CADI_NOAUTHN = "cadi_noauthn"; + public static final String CADI_LOC_LIST = "cadi_loc_list"; + + public static final String CADI_USER_CHAIN_TAG = "cadi_user_chain"; + public static final String CADI_USER_CHAIN = "USER_CHAIN"; + + public static final String CADI_OAUTH2_URL="cadi_oauth2_url"; + public static final String CADI_TOKEN_DIR = "cadi_token_dir"; + + public static final String CSP_DOMAIN = "csp_domain"; + public static final String CSP_HOSTNAME = "csp_hostname"; + public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost"; + public static final String CSP_USER_HEADER = "CSP_USER"; + public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf"; + public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file"; + + public static final String HTTPS_PROTOCOLS = "https.protocols"; + public static final String HTTPS_CIPHER_SUITES = "https.cipherSuites"; + public static final String HTTPS_CLIENT_PROTOCOLS="jdk.tls.client.protocols"; + public static final String HTTPS_CIPHER_SUITES_DEFAULT="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA," + + "TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + + "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; + + + public static final String LOCALHOST_ALLOW = "localhost_allow"; + public static final String LOCALHOST_DENY = "localhost_deny"; + + public static final String BASIC_REALM = "basic_realm"; // what is sent to the client + public static final String BASIC_WARN = "basic_warn"; // Warning of insecure channel + public static final String USERS = "local_users"; + public static final String GROUPS = "local_groups"; + public static final String WRITE_TO = "local_writeto"; // dump RBAC to local file in Tomcat Style (some apps use) + + public static final String OAUTH_CLIENT_ID="client_id"; + public static final String OAUTH_CLIENT_SECRET="client_secret"; + + public static final String AAF_ENV = "aaf_env"; + public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration + public static final String AAF_ROOT_NS = "aaf_root_ns"; + public static final String AAF_ROOT_COMPANY = "aaf_root_company"; + public static final String AAF_LOCATE_URL = "aaf_locate_url"; //URL for AAF locator + private static final String AAF_LOCATE_URL_TAG = "AAF_LOCATE_URL"; // Name of Above for use in Config Variables. + public static final String AAF_APPID = "aaf_id"; + public static final String AAF_APPPASS = "aaf_password"; + public static final String AAF_LUR_CLASS = "aaf_lur_class"; + public static final String AAF_TAF_CLASS = "aaf_taf_class"; + public static final String AAF_TAF_CLASS_DEF = "org.osaaf.cadi.aaf.v2_0.AAFTaf"; + public static final String AAF_CONNECTOR_CLASS = "aaf_connector_class"; + public static final String AAF_LOCATOR_CLASS = "aaf_locator_class"; + public static final String AAF_CONN_TIMEOUT = "aaf_conn_timeout"; + public static final String AAF_CONN_TIMEOUT_DEF = "3000"; + public static final String AAF_CONN_IDLE_TIMEOUT = "aaf_conn_idle_timeout"; // only for Direct Jetty Access. + public static final String AAF_CONN_IDLE_TIMEOUT_DEF = "10000"; // only for Direct Jetty Access. + + public static final String AAF_CALL_TIMEOUT = "aaf_timeout"; + public static final String AAF_CALL_TIMEOUT_DEF = "5000"; + public static final String AAF_USER_EXPIRES = "aaf_user_expires"; + public static final String AAF_USER_EXPIRES_DEF = "600000"; // Default is 10 mins + public static final String AAF_CLEAN_INTERVAL = "aaf_clean_interval"; + public static final String AAF_CLEAN_INTERVAL_DEF = "30000"; // Default is 30 seconds + public static final String AAF_REFRESH_TRIGGER_COUNT = "aaf_refresh_trigger_count"; + public static final String AAF_REFRESH_TRIGGER_COUNT_DEF = "3"; // Default is 10 mins + + public static final String AAF_HIGH_COUNT = "aaf_high_count"; + public static final String AAF_HIGH_COUNT_DEF = "1000"; // Default is 1000 entries + public static final String AAF_PERM_MAP = "aaf_perm_map"; + public static final String AAF_COMPONENT = "aaf_component"; + public static final String AAF_CERT_IDS = "aaf_cert_ids"; + public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited + public static final String AAF_DEFAULT_VERSION = "2.0"; + public static final String AAF_DATA_DIR = "aaf_data_dir"; // AAF processes and Components only. + + + + public static final String GW_URL = "gw_url"; + public static final String CM_URL = "cm_url"; + public static final String CM_TRUSTED_CAS = "cm_trusted_cas"; + + public static final String PATHFILTER_URLPATTERN = "pathfilter_urlpattern"; + public static final String PATHFILTER_STACK = "pathfilter_stack"; + public static final String PATHFILTER_NS = "pathfilter_ns"; + public static final String PATHFILTER_NOT_AUTHORIZED_MSG = "pathfilter_not_authorized_msg"; + + // This one should go unpublic + public static final String AAF_DEFAULT_REALM = "aaf_default_realm"; + private static String defaultRealm="none"; + + public static final String AAF_DOMAIN_SUPPORT = "aaf_domain_support"; + public static final String AAF_DOMAIN_SUPPORT_DEF = ".com"; + + // OAUTH2 + public static final String AAF_OAUTH2_TOKEN_URL = "aaf_oauth2_token_url"; + public static final String AAF_OAUTH2_INTROSPECT_URL = "aaf_oauth2_introspect_url"; + public static final String AAF_ALT_OAUTH2_TOKEN_URL = "aaf_alt_oauth2_token_url"; + public static final String AAF_ALT_OAUTH2_INTROSPECT_URL = "aaf_alt_oauth2_introspect_url"; + public static final String AAF_ALT_OAUTH2_DOMAIN = "aaf_alt_oauth2_domain"; + public static final String AAF_ALT_CLIENT_ID = "aaf_alt_oauth2_client_id"; + public static final String AAF_ALT_CLIENT_SECRET = "aaf_alt_oauth2_client_secret"; + public static final String AAF_OAUTH2_HELLO_URL = "aaf_oauth2_hello_url"; + + + + public static void setDefaultRealm(Access access) throws CadiException { + try { + boolean hasCSP; + try { + Class.forName("org.osaaf.cadi.taf.csp.CSPTaf"); + hasCSP=true; + } catch(ClassNotFoundException e) { + hasCSP = logProp(access,Config.CSP_DOMAIN, null)!=null; + } + defaultRealm = logProp(access,Config.AAF_DEFAULT_REALM, + hasCSP?"csp.att.com": + logProp(access,Config.BASIC_REALM, + logProp(access,HOSTNAME,InetAddress.getLocalHost().getHostName()) + ) + ); + } catch (UnknownHostException e) { + //defaultRealm="none"; + } + } + + public static HttpTaf configHttpTaf(Connector con, SecurityInfoC si, TrustChecker tc, CredVal up, Lur lur, Object ... additionalTafLurs) throws CadiException { + Access access = si.access; + ///////////////////////////////////////////////////// + // Setup AAFCon for any following + ///////////////////////////////////////////////////// + Class aafConClass = loadClass(access,"org.onap.aaf.cadi.aaf.v2_0.AAFCon"); + Object aafcon = null; + if(con!=null && aafConClass!=null && aafConClass.isAssignableFrom(con.getClass())) { + aafcon = con; + } else if(lur != null) { + Field f = null; + try { + f = lur.getClass().getField("aaf"); + aafcon = f.get(lur); + } catch (Exception nsfe) { + } + } + + + boolean hasDirectAAF = hasDirect("DirectAAFLur",additionalTafLurs); + // IMPORTANT! Don't attempt to load AAF Connector if there is no AAF URL + String aafURL = access.getProperty(AAF_URL,null); + if(!hasDirectAAF && aafcon==null && aafURL!=null) { + aafcon = loadAAFConnector(si, aafURL); + } + + HttpTaf taf; + // Setup Host, in case Network reports an unusable Hostname (i.e. VTiers, VPNs, etc) + String hostname = logProp(access, HOSTNAME,null); + if(hostname==null) { + try { + hostname = InetAddress.getLocalHost().getHostName(); + } catch (UnknownHostException e1) { + throw new CadiException("Unable to determine Hostname",e1); + } + } + + access.log(Level.INIT, "Hostname set to",hostname); + // Get appropriate TAFs + ArrayList htlist = new ArrayList(); + + ///////////////////////////////////////////////////// + // Add a Denial of Service TAF + // Note: how IPs and IDs are added are up to service type. + // They call "DenialOfServiceTaf.denyIP(String) or denyID(String) + ///////////////////////////////////////////////////// + htlist.add(new DenialOfServiceTaf(access)); + + ///////////////////////////////////////////////////// + // Configure Client Cert TAF + ///////////////////////////////////////////////////// + + String truststore = logProp(access, CADI_TRUSTSTORE,null); + if(truststore!=null) { + String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD,null); + if(truststore_pwd!=null) { + if(truststore_pwd.startsWith(Symm.ENC)) { + try { + truststore_pwd = access.decrypt(truststore_pwd,false); + } catch (IOException e) { + throw new CadiException(CADI_TRUSTSTORE_PASSWORD + " cannot be decrypted",e); + } + } + try { + htlist.add(new X509Taf(access,lur)); + access.log(Level.INIT,"Certificate Authorization enabled"); + } catch (SecurityException e) { + access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e); + } catch (IllegalArgumentException e) { + access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e); + } catch (CertificateException e) { + access.log(Level.INIT,"Certificate Authorization failed, it is disabled",e); + } catch (NoSuchAlgorithmException e) { + access.log(Level.INIT,"Certificate Authorization failed, wrong Security Algorithm",e); + } + } + } else { + access.log(Level.INIT,"Certificate Authorization not enabled"); + } + + ///////////////////////////////////////////////////// + // Configure Basic Auth (local content) + ///////////////////////////////////////////////////// + boolean hasOAuthDirectTAF = hasDirect("DirectOAuthTAF", additionalTafLurs); + String basic_realm = logProp(access, BASIC_REALM,null); + String aafCleanup = logProp(access, AAF_USER_EXPIRES,AAF_USER_EXPIRES_DEF); // Default is 10 mins + long userExp = Long.parseLong(aafCleanup); + boolean basic_warn = "TRUE".equals(access.getProperty(BASIC_WARN,"FALSE")); + + if(!hasDirectAAF) { + HttpTaf aaftaf=null; + if(!hasOAuthDirectTAF) { + if(basic_realm!=null) { + @SuppressWarnings("unchecked") + Class obasicCls = (Class)loadClass(access,"org.osaaf.cadi.obasic.OBasicHttpTaf"); + if(obasicCls!=null) { + try { + String tokenurl = logProp(access,Config.AAF_OAUTH2_TOKEN_URL, null); + String introspecturl = logProp(access,Config.AAF_OAUTH2_INTROSPECT_URL, null); + if(tokenurl==null || introspecturl==null) { + access.log(Level.INIT,"Both tokenurl and introspecturl are required. Oauth Authorization is disabled."); + } + Constructor obasicConst = obasicCls.getConstructor(PropAccess.class,String.class, String.class, String.class); + htlist.add(obasicConst.newInstance(access,basic_realm,tokenurl,introspecturl)); + access.log(Level.INIT,"Oauth supported Basic Authorization is enabled"); + } catch (NoSuchMethodException | SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { + } + } else if(up!=null) { + access.log(Level.INIT,"Basic Authorization is enabled using realm",basic_realm); + // Allow warning about insecure channel to be turned off + if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.", + " There will be no additional warning if Basic Auth is used on an insecure channel" + ); + htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn)); + access.log(Level.INIT,"Basic Authorization is enabled"); + } + } else { + access.log(Level.INIT,"Local Basic Authorization is disabled. Enable by setting basic_realm="); + } + + ///////////////////////////////////////////////////// + // Configure AAF Driven Basic Auth + ///////////////////////////////////////////////////// + if(aafcon==null) { + access.log(Level.INIT,"AAF Connection (AAFcon) is null. Cannot create an AAF TAF"); + } else if(aafURL==null) { + access.log(Level.INIT,"No AAF URL in properties, Cannot create an AAF TAF"); + } else {// There's an AAF_URL... try to configure an AAF + String aafTafClassName = logProp(access, AAF_TAF_CLASS,AAF_TAF_CLASS_DEF); + // Only 2.0 available at this time + if(AAF_TAF_CLASS_DEF.equals(aafTafClassName)) { + try { + Class aafTafClass = loadClass(access,aafTafClassName); + + Constructor cstr = aafTafClass.getConstructor(Connector.class,boolean.class,AbsUserCache.class); + if(cstr!=null) { + if(lur instanceof AbsUserCache) { + aaftaf = (HttpTaf)cstr.newInstance(aafcon,basic_warn,lur); + } else { + cstr = aafTafClass.getConstructor(Connector.class,boolean.class); + if(cstr!=null) { + aaftaf = (HttpTaf)cstr.newInstance(aafcon,basic_warn); + } + } + if(aaftaf==null) { + access.log(Level.INIT,"ERROR! AAF TAF Failed construction. NOT Configured"); + } else { + access.log(Level.INIT,"AAF TAF Configured to ",aafURL); + // Note: will add later, after all others configured + } + } + } catch(Exception e) { + access.log(Level.INIT,"ERROR! AAF TAF Failed construction. NOT Configured",e); + } + } + } + } + + ///////////////////////////////////////////////////// + // Configure OAuth TAF + ///////////////////////////////////////////////////// + if(!hasOAuthDirectTAF) { + String oauth_token_url = logProp(access,Config.AAF_OAUTH2_TOKEN_URL,null); + if(additionalTafLurs!=null && additionalTafLurs.length>0 && additionalTafLurs[0].getClass().getName().equals("org.osaaf.authz.oauth.OAuthDirectTAF")) { + htlist.add((HttpTaf)additionalTafLurs[0]); + String array[] = new String[additionalTafLurs.length-1]; + if(array.length>0) { + System.arraycopy(htlist, 1, array, 0, array.length); + } + additionalTafLurs = array; + access.log(Level.INIT,"OAuth2 Direct is enabled"); + } else if(oauth_token_url!=null) { + String oauth_introspect_url = logProp(access,Config.AAF_OAUTH2_INTROSPECT_URL,null); + @SuppressWarnings("unchecked") + Class oaTCls = (Class)loadClass(access,"org.osaaf.cadi.oauth.OAuth2HttpTaf"); + if(oaTCls!=null) { + Class oaTTmgrCls = loadClass(access, "org.osaaf.cadi.oauth.TokenMgr"); + if(oaTTmgrCls!=null) { + try { + Method oaTTmgrGI = oaTTmgrCls.getMethod("getInstance",PropAccess.class,String.class,String.class); + Object oaTTmgr = oaTTmgrGI.invoke(null /*this is static method*/,access,oauth_token_url,oauth_introspect_url); + Constructor oaTConst = oaTCls.getConstructor(Access.class,oaTTmgrCls); + htlist.add(oaTConst.newInstance(access,oaTTmgr)); + access.log(Level.INIT,"OAuth2 TAF is enabled"); + } catch (NoSuchMethodException | SecurityException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | InstantiationException e) { + access.log(Level.INIT,"OAuth2HttpTaf cannot be instantiated. OAuth2 is disabled",e); + } + } + } + } else { + access.log(Level.INIT,"OAuth TAF is not configured"); + } + } + + ///////////////////////////////////////////////////// + // Adding BasicAuth (AAF) last, after other primary Cookie Based + // Needs to be before Cert... see below + ///////////////////////////////////////////////////// + if(aaftaf!=null) { + htlist.add(aaftaf); + } + } + + ///////////////////////////////////////////////////// + // Any Additional Lurs passed in Constructor + ///////////////////////////////////////////////////// + if(additionalTafLurs!=null) { + for(Object additional : additionalTafLurs) { + if(additional instanceof HttpTaf) { + htlist.add((HttpTaf)additional); + access.printf(Level.INIT,"%s Authentication is enabled",additional.getClass().getSimpleName()); + } else if(hasOAuthDirectTAF && additional.getClass().getSimpleName().equals("DirectAAFUserPass")) { + htlist.add(new BasicHttpTaf(access, (CredVal)additional , basic_realm, userExp, basic_warn)); + access.printf(Level.INIT,"Direct BasicAuth Authentication is enabled",additional.getClass().getSimpleName()); + } + } + } + + ///////////////////////////////////////////////////// + // Create EpiTaf from configured TAFs + ///////////////////////////////////////////////////// + if(htlist.size()==1) { + // just return the one + taf = htlist.get(0); + } else { + HttpTaf[] htarray = new HttpTaf[htlist.size()]; + htlist.toArray(htarray); + Locator locator = loadLocator(si, logProp(access, AAF_LOCATE_URL, null)); + + taf = new HttpEpiTaf(access,locator, tc, htarray); // ok to pass locator == null + String level = logProp(access, CADI_LOGLEVEL, null); + if(level!=null) { + access.setLogLevel(Level.valueOf(level)); + } + } + + return taf; + } + + public static String logProp(Access access,String tag, String def) { + String rv = access.getProperty(tag, def); + if(rv == null) { + access.log(Level.INIT,tag,"is not set"); + } else { + access.log(Level.INIT,tag,"is set to",rv); + } + return rv; + } + + public static Lur configLur(SecurityInfoC si, Connector con, Object ... additionalTafLurs) throws CadiException { + Access access = si.access; + List lurs = new ArrayList(); + + ///////////////////////////////////////////////////// + // Configure a Local Property Based RBAC/LUR + ///////////////////////////////////////////////////// + try { + String users = access.getProperty(USERS,null); + String groups = access.getProperty(GROUPS,null); + + if(groups!=null || users!=null) { + LocalLur ll; + lurs.add(ll = new LocalLur(access, users, groups)); // note b64==null is ok.. just means no encryption. + + String writeto = access.getProperty(WRITE_TO,null); + if(writeto!=null) { + String msg = UsersDump.updateUsers(writeto, ll); + if(msg!=null) access.log(Level.INIT,"ERROR! Error Updating ",writeto,"with roles and users:",msg); + } + } + } catch (IOException e) { + throw new CadiException(e); + } + + ///////////////////////////////////////////////////// + // Configure the OAuth Lur (if any) + ///////////////////////////////////////////////////// + String token_url = logProp(access,AAF_OAUTH2_TOKEN_URL, null); + String introspect_url = logProp(access,AAF_OAUTH2_INTROSPECT_URL, null); + if(token_url!=null && introspect_url !=null) { + try { + Class olurCls = loadClass(access, "org.osaaf.cadi.olur.OLur"); + if(olurCls!=null) { + Constructor olurCnst = olurCls.getConstructor(PropAccess.class,String.class,String.class); + Lur olur = (Lur)olurCnst.newInstance(access,token_url,introspect_url); + lurs.add(olur); + access.log(Level.INIT, "OAuth2 LUR enabled"); + } else { + access.log(Level.INIT,"AAF/OAuth LUR plugin is not available."); + } + } catch (NoSuchMethodException| SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { + access.log(e,"AAF/OAuth LUR could not be constructed with given Constructors."); + } + } else { + access.log(Level.INIT, "OAuth2 Lur disabled"); + } + + if(con!=null) { // try to reutilize connector + lurs.add(con.newLur()); + } else { + ///////////////////////////////////////////////////// + // Configure the AAF Lur (if any) + ///////////////////////////////////////////////////// + String aafURL = logProp(access,AAF_URL,null); // Trigger Property + String aaf_env = access.getProperty(AAF_ENV,null); + if(aaf_env == null && aafURL!=null && access instanceof PropAccess) { // set AAF_ENV from AAF_URL + int ec = aafURL.indexOf("envContext="); + if(ec>0) { + ec += 11; // length of envContext= + int slash = aafURL.indexOf('/', ec); + if(slash>0) { + aaf_env = aafURL.substring(ec, slash); + ((PropAccess)access).setProperty(AAF_ENV, aaf_env); + access.printf(Level.INIT, "Setting aaf_env to %s from aaf_url value",aaf_env); + } + } + } + + // Don't configure AAF if it is using DirectAccess + if(!hasDirect("DirectAAFLur",additionalTafLurs)) { + if(aafURL==null) { + access.log(Level.INIT,"No AAF LUR properties, AAF will not be loaded"); + } else {// There's an AAF_URL... try to configure an AAF + String aafLurClassStr = logProp(access,AAF_LUR_CLASS,"org.osaaf.cadi.aaf.v2_0.AAFLurPerm"); + ////////////AAF Lur 2.0 ///////////// + if(aafLurClassStr.startsWith("org.osaaf.cadi.aaf.v2_0")) { + try { + Object aafcon = loadAAFConnector(si, aafURL); + if(aafcon==null) { + access.log(Level.INIT,"AAF LUR class,",aafLurClassStr,"cannot be constructed without valid AAFCon object."); + } else { + Class aafAbsAAFCon = loadClass(access, "org.osaaf.cadi.aaf.v2_0.AAFCon"); + Method mNewLur = aafAbsAAFCon.getMethod("newLur"); + Object aaflur = mNewLur.invoke(aafcon); + + if(aaflur==null) { + access.log(Level.INIT,"ERROR! AAF LUR Failed construction. NOT Configured"); + } else { + access.log(Level.INIT,"AAF LUR Configured to ",aafURL); + lurs.add((Lur)aaflur); + String debugIDs = logProp(access,Config.AAF_DEBUG_IDS, null); + if(debugIDs !=null && aaflur instanceof CachingLur) { + ((CachingLur)aaflur).setDebug(debugIDs); + } + } + } + } catch (Exception e) { + access.log(e,"AAF LUR class,",aafLurClassStr,"could not be constructed with given Constructors."); + } + } + } + } + } + + ///////////////////////////////////////////////////// + // Any Additional passed in Constructor + ///////////////////////////////////////////////////// + if(additionalTafLurs!=null) { + for(Object additional : additionalTafLurs) { + if(additional instanceof Lur) { + lurs.add((Lur)additional); + access.log(Level.INIT, additional); + } + } + } + + ///////////////////////////////////////////////////// + // Return a Lur based on how many there are... + ///////////////////////////////////////////////////// + switch(lurs.size()) { + case 0: + access.log(Level.INIT,"WARNING! No CADI LURs configured"); + // Return a NULL Lur that does nothing. + return new NullLur(); + case 1: + return lurs.get(0); // Only one, just return it, save processing + default: + // Multiple Lurs, use EpiLUR to handle + Lur[] la = new Lur[lurs.size()]; + lurs.toArray(la); + return new EpiLur(la); + } + } + + private static boolean hasDirect(String simpleClassName, Object[] additionalTafLurs) { + if(additionalTafLurs!=null) { + for(Object tf : additionalTafLurs) { + if(tf.getClass().getSimpleName().equals(simpleClassName)) { + return true; + } + } + } + return false; + } + + private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP = "org.osaaf.cadi.aaf.v2_0.AAFConHttp"; + public static Object loadAAFConnector(SecurityInfoC si, String aafURL) { + Access access = si.access; + Object aafcon = null; + Class aafConClass = null; + + try { + if(aafURL!=null) { + String aafConnector = access.getProperty(AAF_CONNECTOR_CLASS, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP); + if(COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP.equals(aafConnector)) { + aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP); + for(Constructor c : aafConClass.getConstructors()) { + List lo = new ArrayList(); + for(Class pc : c.getParameterTypes()) { + if(pc.equals(PropAccess.class)) { + lo.add(access); + } else if(pc.equals(Locator.class)) { + lo.add(loadLocator(si, aafURL)); + } else { + continue; + } + } + if(c.getParameterTypes().length!=lo.size()) { + continue; // back to another Constructor + } else { + aafcon = c.newInstance(lo.toArray()); + } + break; + } + } + if(aafcon!=null) { + String mechid = logProp(access,Config.AAF_APPID, null); + String pass = access.getProperty(Config.AAF_APPPASS, null); + if(mechid!=null && pass!=null) { + try { + Method basicAuth = aafConClass.getMethod("basicAuth", String.class, String.class); + basicAuth.invoke(aafcon, mechid,pass); + } catch (NoSuchMethodException nsme) { + // it's ok, don't use + } + } + } + } + } catch (Exception e) { + access.log(e,"AAF Connector could not be constructed with given Constructors."); + } + + return aafcon; + } + + public static Class loadClass(Access access, String className) { + Class cls=null; + try { + cls = access.classLoader().loadClass(className); + } catch (ClassNotFoundException cnfe) { + try { + cls = access.getClass().getClassLoader().loadClass(className); + } catch (ClassNotFoundException cnfe2) { + // just return null + } + } + return cls; + } + + + @SuppressWarnings("unchecked") + public static Locator loadLocator(SecurityInfoC si, final String _url) { + Access access = si.access; + String url = _url, replacement; + int idxAAF_LOCATE_URL; + if((idxAAF_LOCATE_URL=_url.indexOf(AAF_LOCATE_URL_TAG))>0 && ((replacement=access.getProperty(AAF_LOCATE_URL, null))!=null)) { + url = replacement + "/locate" + _url.substring(idxAAF_LOCATE_URL+AAF_LOCATE_URL_TAG.length()); + } + + Locator locator = null; + if(url==null) { + access.log(Level.INIT,"No URL passed to 'loadLocator'. Disabled"); + } else { + try { + Class lcls = loadClass(access,"org.onap.aaf.cadi.aaf.v2_0.AAFLocator"); + if(lcls==null) { + throw new CadiException("Need to include aaf-cadi-aaf jar for AAFLocator"); + } + // First check for preloaded + try { + Method meth = lcls.getMethod("create",String.class); + locator = (Locator)meth.invoke(null,url); + } catch (Exception e) { + locator = null; + } + if(locator==null) { + URI locatorURI = new URI(url); + Constructor cnst = lcls.getConstructor(new Class[] {SecurityInfoC.class,URI.class}); + locator = (Locator)cnst.newInstance(new Object[] {si,locatorURI}); + int port = locatorURI.getPort(); + String portS = port<0?"":(":"+locatorURI.getPort()); + + access.log(Level.INFO, "AAFLocator enabled using " + locatorURI.getScheme() +"://"+locatorURI.getHost() + portS); + } else { + access.log(Level.INFO, "AAFLocator enabled using preloaded " + locator.getClass().getSimpleName()); + } + } catch (InvocationTargetException e) { + access.log(Level.INIT,e.getTargetException().getMessage(),"AAFLocator for",url,"could not be created.",e); + } catch (Exception e) { + access.log(Level.INIT,"AAFLocator for",url,"could not be created.",e); + } + } + return locator; + } + + // Set by CSP, or is hostname. + public static String getDefaultRealm() { + return defaultRealm; + } + +} + diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/Get.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Get.java new file mode 100644 index 00000000..dfb7b4d3 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/Get.java @@ -0,0 +1,97 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.config; + +import java.lang.reflect.Method; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; + +public interface Get { + public String get(String name, String def, boolean print); + + + /** + * A class for Getting info out of "JavaBean" format + * @author Jonathan + * + */ + public static class Bean implements Get { + private Object bean; + private Class bc; + private Class[] params; + private Object[] args; + + public Bean(Object bean) { + this.bean = bean; + bc = bean.getClass(); + params = new Class[0]; // note, this will allow to go out of scope after config + args = new Object[0]; + } + + public String get(String name, String def, boolean print) { + String str = null; + String gname = "get"+Character.toUpperCase(name.charAt(0))+name.substring(1); + try { + Method meth = bc.getMethod(gname, params); + Object obj = meth.invoke(bean, args); + str = obj==null?null:obj.toString(); // easy string convert... + } catch (Exception e) { + } + + // Take def if nothing else + if(str==null) { + str = def; + // don't log defaults + } else { + str = str.trim(); // this is vital in Property File based values, as spaces can hide easily + } + // Note: Can't log during configuration + return str; + } + } + + public static Get NULL = new Get() { + public String get(String name, String def, boolean print) { + return def; + } + }; + + public static class AccessGet implements Get { + private Access access; + public AccessGet(Access access) { + this.access = access; + } + public String get(String name, String def, boolean print) { + String gotten = access.getProperty(name, def); + if(print) { + if(gotten == null) { + access.log(Level.INIT,name, "is not set"); + } else { + access.log(Level.INIT,name, "is set to", gotten); + } + } + return gotten; + } + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java new file mode 100644 index 00000000..05ee90cd --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java @@ -0,0 +1,62 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.config; + +import org.onap.aaf.cadi.PropAccess; + +public class GetAccess extends PropAccess { + private final Get getter; + + public GetAccess(Get getter) { + super(new String[]{"cadi_prop_files="+getter.get("cadi_prop_files", null, true)}); + this.getter = getter; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.PropAccess#getProperty(java.lang.String, java.lang.String) + */ + @Override + public String getProperty(String tag, String def) { + String rv; + rv = super.getProperty(tag, null); + if(rv==null && getter!=null) { + rv = getter.get(tag, null, true); + } + return rv==null?def:rv; + } + /* (non-Javadoc) + * @see org.onap.aaf.cadi.PropAccess#getProperty(java.lang.String) + */ + @Override + public String getProperty(String tag) { + String rv; + rv = super.getProperty(tag, null); + if(rv==null && getter!=null) { + rv = getter.get(tag, null, true); + } + return rv; + } + + public Get get() { + return getter; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java new file mode 100644 index 00000000..a73df14e --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java @@ -0,0 +1,42 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.config; + +public class MultiGet implements Get { + private Get[] getters; + + public MultiGet(Get ... getters) { + this.getters = getters; + } + + @Override + public String get(String name, String def, boolean print) { + String str; + for(Get getter : getters) { + str = getter.get(name, null, print); + if(str!=null) + return str; + } + return def; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java new file mode 100644 index 00000000..99f41362 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java @@ -0,0 +1,255 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.config; + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.rmi.AccessException; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableKeyException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.KeyManager; +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509KeyManager; +import javax.net.ssl.X509TrustManager; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.util.MaskFormatException; +import org.onap.aaf.cadi.util.NetMask; + +public class SecurityInfo { + private static final String SECURITY_ALGO = "RSA"; + private static final String HTTPS_PROTOCOLS = "https.protocols"; + private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols"; + + public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2"; + public static final String REGEX_COMMA = "\\s*,\\s*"; + public static final String SslKeyManagerFactoryAlgorithm; + + private SSLSocketFactory scf; + private X509KeyManager[] km; + private X509TrustManager[] tm; + public final String default_alias; + private NetMask[] trustMasks; + private SSLContext ctx; + private HostnameVerifier maskHV; + public final Access access; + + // Change Key Algorithms for IBM's VM. Could put in others, if needed. + static { + if(System.getProperty("java.vm.vendor").equalsIgnoreCase("IBM Corporation")) { + SslKeyManagerFactoryAlgorithm = "IbmX509"; + } else { + SslKeyManagerFactoryAlgorithm = "SunX509"; + } + } + + + public SecurityInfo(final Access access) throws CadiException { + try { + this.access = access; + // reuse DME2 Properties for convenience if specific Properties don't exist + String keyStore = access.getProperty(Config.CADI_KEYSTORE,null); + if(keyStore!=null && !new File(keyStore).exists()) { + throw new CadiException(keyStore + " does not exist"); + } + String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD, null); + keyStorePasswd = keyStorePasswd==null?null:access.decrypt(keyStorePasswd,false); + String trustStore = access.getProperty(Config.CADI_TRUSTSTORE, null); + if(trustStore!=null && !new File(trustStore).exists()) { + throw new CadiException(trustStore + " does not exist"); + } + String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD, null); + trustStorePasswd = trustStorePasswd==null?"changeit"/*defacto Java Trust Pass*/:access.decrypt(trustStorePasswd,false); + default_alias = access.getProperty(Config.CADI_ALIAS,null); + + String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD,null); + keyPasswd = keyPasswd==null?keyStorePasswd:access.decrypt(keyPasswd,false); + String tips=access.getProperty(Config.CADI_TRUST_MASKS, null); + if(tips!=null) { + access.log(Level.INIT,"Explicitly accepting valid X509s from",tips); + String[] ipsplit = tips.split(REGEX_COMMA); + trustMasks = new NetMask[ipsplit.length]; + for(int i=0;i kmal = new ArrayList(); + for(String ksname : keyStore.split(REGEX_COMMA)) { + file = new File(ksname); + String keystoreFormat; + if(ksname.endsWith(".p12") || ksname.endsWith(".pkcs12")) { + keystoreFormat = "PKCS12"; + } else { + keystoreFormat = "JKS"; + } + if(file.exists()) { + FileInputStream fis = new FileInputStream(file); + try { + KeyStore ks = KeyStore.getInstance(keystoreFormat); + ks.load(fis, keyStorePasswd.toCharArray()); + kmf.init(ks, keyPasswd.toCharArray()); + } finally { + fis.close(); + } + } + } + for(KeyManager km : kmf.getKeyManagers()) { + if(km instanceof X509KeyManager) { + kmal.add((X509KeyManager)km); + } + } + km = new X509KeyManager[kmal.size()]; + kmal.toArray(km); + } + + TrustManagerFactory tmf = TrustManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm); + if(trustStore!=null) { + for(String tsname : trustStore.split(REGEX_COMMA)) { + file = new File(tsname); + if(file.exists()) { + FileInputStream fis = new FileInputStream(file); + try { + KeyStore ts = KeyStore.getInstance("JKS"); + ts.load(fis, trustStorePasswd.toCharArray()); + tmf.init(ts); + } finally { + fis.close(); + } + } + } + TrustManager tms[] = tmf.getTrustManagers(); + tm = new X509TrustManager[tms==null?0:tms.length]; + for(int i=0;i extends SecurityInfo { + public static final String DEF_ID = "ID not Set"; + private static Map,SecurityInfoC> sicMap = new HashMap,SecurityInfoC>(); + public SecuritySetter defSS; + + private SecurityInfoC(Access access) throws CadiException { + super(access); + defSS = new SecuritySetter() { + @Override + public String getID() { + return DEF_ID; + } + + @Override + public void setSecurity(CLIENT client) throws CadiException { + throw new CadiException("No Client Credentials set."); + } + + @Override + public int setLastResponse(int respCode) { + return 0; + } + }; + } + + @SuppressWarnings("unchecked") + public static synchronized SecurityInfoC instance(Access access, Class cls) throws CadiException { + SecurityInfoC sic = sicMap.get(cls); + if(sic==null) { + sic = new SecurityInfoC(access); + sicMap.put(cls, sic); + } + return (SecurityInfoC)sic; + } + + public SecurityInfoC set(SecuritySetter defSS) { + this.defSS = defSS; + return this; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java b/cadi/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java new file mode 100644 index 00000000..c03be1fa --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java @@ -0,0 +1,157 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.config; + +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.io.PrintStream; +import java.util.Date; +import java.util.HashSet; + +import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.lur.LocalLur; + +public class UsersDump { + + /** + * @param args + */ + public static boolean write(OutputStream os, AbsUserCache lur) { + PrintStream ps; + if(os instanceof PrintStream) { + ps = (PrintStream)os; + } else { + ps = new PrintStream(os); + } + try { + ps.println(""); + ps.println(""); + ps.println(""); + + // We loop through Users, but want to write Groups first... therefore, save off print + StringBuilder sb = new StringBuilder(); + + // Obtain all unique role names + HashSet groups = new HashSet(); + for(AbsUserCache.DumpInfo di : lur.dumpInfo()) { + sb.append("\n "); + + } + + // Print roles + for(String group : groups) { + ps.print(" "); + } + + ps.println(sb); + + ps.println(""); + ps.flush(); + } catch (Throwable t) { + t.printStackTrace(ps); + return false; + } + return true; + } + + /** + * + * Note: This method returns a String if there's an error, or null if ok. + * This unusual style is necessitated by the fact that any Exceptions thrown are likely to + * be unlogged and hidden from view, making debugging almost impossible. + * + * @param writeto + * @param up + * @return + */ + public static String updateUsers(String writeto, LocalLur up) { + // Dump a Tomcat-user.xml lookalike (anywhere) + if(writeto!=null) { + // First read content + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + if(UsersDump.write(baos, up)) { + byte[] postulate = baos.toByteArray(); + // now get contents of file + File file = new File(writeto); + boolean writeIt; + if(file.exists()) { + try { + FileInputStream fis = new FileInputStream(file); + byte[] orig = new byte[(int)file.length()]; + try { + fis.read(orig); + } finally { + fis.close(); + } + // Starting at third "<" ( line) + int startA=0, startB=0; + for(int i=0;startA value(); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java new file mode 100644 index 00000000..f7c4b7f1 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java @@ -0,0 +1,100 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.filter; + +import java.io.IOException; + +import javax.servlet.Servlet; +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +/** + * + * @author Jonathan + * + */ +public class AUTHZServlet implements Servlet { + private String[] roles; + private Servlet delegate; + + protected AUTHZServlet(Class cls) { + try { + delegate = cls.newInstance(); + } catch (Exception e) { + delegate = null; + } + RolesAllowed rolesAllowed = cls.getAnnotation(RolesAllowed.class); + if(rolesAllowed == null) { + roles = null; + } else { + roles = rolesAllowed.value(); + } + } + + public void init(ServletConfig sc) throws ServletException { + if(delegate == null) throw new ServletException("Invalid Servlet Delegate"); + delegate.init(sc); + } + + public ServletConfig getServletConfig() { + return delegate.getServletConfig(); + } + + public String getServletInfo() { + return delegate.getServletInfo(); + } + + public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException { + if(roles==null) { + delegate.service(req,resp); + } else { // Validate + try { + HttpServletRequest hreq = (HttpServletRequest)req; + boolean proceed = false; + for(String role : roles) { + if(hreq.isUserInRole(role)) { + proceed = true; + break; + } + } + if(proceed) { + delegate.service(req,resp); + } else { + //baseRequest.getServletContext().log(hreq.getUserPrincipal().getName()+" Refused " + roles); + ((HttpServletResponse)resp).sendError(403); // forbidden + } + } catch(ClassCastException e) { + throw new ServletException("JASPIServlet only supports HTTPServletRequest/HttpServletResponse"); + } + } + } + + public void destroy() { + delegate.destroy(); + } + + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java new file mode 100644 index 00000000..ab34a0a4 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java @@ -0,0 +1,35 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi.filter; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.config.Get; + +public class AccessGetter implements Get { + private final Access access; + public AccessGetter(Access access) { + this.access = access; + } + public String get(String name, String def, boolean print) { + return access.getProperty(name, def); + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java new file mode 100644 index 00000000..8577d55c --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java @@ -0,0 +1,332 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.filter; + +import java.io.IOException; +import java.lang.reflect.Constructor; +import java.util.ArrayList; +import java.util.List; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.CadiWrap; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.ServletContextAccess; +import org.onap.aaf.cadi.TrustChecker; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.Get; +import org.onap.aaf.cadi.taf.TafResp; +import org.onap.aaf.cadi.taf.TafResp.RESP; + +/** + * CadiFilter + * + * This class implements Servlet Filter, and ties together CADI implementations + * + * This class can be used in a standard J2EE Servlet manner. Optimal usage is for POJO operations, where + * one can enforce this Filter being first and primary. Depending on the Container, it + * may be more effective, in some cases, to utilize features that allow earlier determination of + * AUTHN (Authorization). An example would be "Tomcat Valve". These implementations, however, should + * be modeled after the "init" and "doFilter" functions, and be kept up to date as this class changes. + * + * + * @author Jonathan + * + */ +public class CadiFilter implements Filter { + private static CadiHTTPManip httpChecker; + private static String[] pathExceptions; + private static List mapPairs; + private Access access; + private Object[] additionalTafLurs; + private Filter oauthFilter; + private static int count=0; + + public Lur getLur() { + return httpChecker.getLur(); + } + + /** + * Construct a viable Filter + * + * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on + * them at a later time. Therefore, this object creates with an object that denies all access + * until appropriate Init happens, just in case the container lets something slip by in the meantime. + * + */ + public CadiFilter() { + additionalTafLurs = CadiHTTPManip.noAdditional; + } + + /** + * This constructor to be used when directly constructing and placing in HTTP Engine + * + * @param access + * @param moreTafLurs + * @throws ServletException + */ + public CadiFilter(Access access, Object ... moreTafLurs) throws ServletException { + additionalTafLurs = moreTafLurs; + init(new AccessGetter(this.access = access)); + } + + + /** + * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it + * @param init + * @param access + * @param moreTafLurs + * @throws ServletException + */ + public CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs) throws ServletException { + this.access = access; + additionalTafLurs = moreTafLurs; + if(init) { + init(new AccessGetter(access)); + } + } + + /** + * Init + * + * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a + * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this + * mechanism already. + */ + //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions + public void init(FilterConfig filterConfig) throws ServletException { + // need the Context for Logging, instantiating ClassLoader, etc + ServletContextAccess sca=new ServletContextAccess(filterConfig); + if(access==null) { + access = sca; + } + + // Set Protected getter with base Access, for internal class instantiations + init(new FCGet(access, sca.context(), filterConfig)); + } + + + @SuppressWarnings("unchecked") + private void init(Get getter) throws ServletException { + // Start with the assumption of "Don't trust anyone". + TrustChecker tc = TrustChecker.NOTRUST; // default position + try { + Class ctc = (Class) Class.forName("org.onap.aaf.cadi.aaf.v2_0.AAFTrustChecker"); + if(ctc!=null) { + Constructor contc = ctc.getConstructor(Access.class); + if(contc!=null) { + tc = contc.newInstance(access); + } + } + } catch (Exception e) { + access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage()); + } + + try { + Class cf=null; + try { + cf= (Class) Class.forName("org.onap.aaf.cadi.oauth.OAuthFilter"); + oauthFilter = cf.newInstance(); + } catch (ClassNotFoundException e) { + oauthFilter = new Filter() { // Null Filter + @Override + public void destroy() { + } + + @Override + public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)throws IOException, ServletException { + chain.doFilter(req, resp); + } + + @Override + public void init(FilterConfig arg0) throws ServletException { + } + }; + } + } catch (Exception e) { + access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage()); + } + + + // Synchronize, because some instantiations call init several times on the same object + // In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice. + synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) { + ++count; + if(httpChecker == null) { + if(access==null) { + access = new PropAccess(); + } + try { + httpChecker = new CadiHTTPManip(access,null /*reuseable Con*/,tc, additionalTafLurs); + } catch (CadiException e1) { + throw new ServletException(e1); + } + } else if(access==null) { + access= httpChecker.getAccess(); + } + + /* + * Setup Authn Path Exceptions + */ + if(pathExceptions==null) { + String str = getter.get(Config.CADI_NOAUTHN, null, true); + if(str!=null) { + pathExceptions = str.split("\\s*:\\s*"); + } + } + + /* + * SETUP Permission Converters... those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions + */ + if(mapPairs==null) { + String str = getter.get(Config.AAF_PERM_MAP, null, true); + if(str!=null) { + String mstr = getter.get(Config.AAF_PERM_MAP, null, true); + if(mstr!=null) { + String map[] = mstr.split("\\s*:\\s*"); + if(map.length>0) { + MapPermConverter mpc=null; + int idx; + mapPairs = new ArrayList(); + for(String entry : map) { + if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter + access.log(Level.INIT,"Loading Perm Conversions for:",entry); + mapPairs.add(new Pair(entry,mpc=new MapPermConverter())); + } else { + if(mpc!=null) { + mpc.map().put(entry.substring(0,idx),entry.substring(idx+1)); + } else { + access.log(Level.ERROR,"cadi_perm_map is malformed; ",entry, "is skipped"); + } + } + } + } + } + } + } + } + + // Remove Getter + getter = Get.NULL; + } + + /** + * Containers call "destroy" when time to cleanup + */ + public void destroy() { + // Synchronize, in case multiCadiFilters are used. + synchronized(CadiHTTPManip.noAdditional) { + if(--count<=0 && httpChecker!=null) { + httpChecker.destroy(); + httpChecker=null; + access=null; + pathExceptions=null; + } + } + } + + /** + * doFilter + * + * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and + * only call the next item in the filterChain if request is suitably Authenticated. + */ + //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + try { + HttpServletRequest hreq = (HttpServletRequest)request; + if(noAuthn(hreq)) { + chain.doFilter(request, response); + } else { + HttpServletResponse hresp = (HttpServletResponse)response; + TafResp tresp = httpChecker.validate(hreq, hresp, hreq); + if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) { + CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq)); + if(httpChecker.notCadi(cw, hresp)) { + oauthFilter.doFilter(cw,response,chain); + } + } + } + } catch (ClassCastException e) { + throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e); + } + } + + + /** + * If PathExceptions exist, report if these should not have Authn applied. + * @param hreq + * @return + */ + private boolean noAuthn(HttpServletRequest hreq) { + if(pathExceptions!=null) { + String pi = hreq.getPathInfo(); + if(pi==null) return false; // JBoss sometimes leaves null + for(String pe : pathExceptions) { + if(pi.startsWith(pe))return true; + } + } + return false; + } + + /** + * Get Converter by Path + */ + private PermConverter getConverter(HttpServletRequest hreq) { + if(mapPairs!=null) { + String pi = hreq.getPathInfo(); + if(pi !=null) { + for(Pair p: mapPairs) { + if(pi.startsWith(p.name))return p.pc; + } + } + } + return NullPermConverter.singleton(); + } + + /** + * store PermConverters by Path prefix + * @author Jonathan + * + */ + private class Pair { + public Pair(String key, PermConverter pc) { + name = key; + this.pc = pc; + } + public String name; + public PermConverter pc; + } + +} + diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java new file mode 100644 index 00000000..094c21b0 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java @@ -0,0 +1,210 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.filter; + +import java.io.IOException; +import java.net.HttpURLConnection; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.CadiWrap; +import org.onap.aaf.cadi.Connector; +import org.onap.aaf.cadi.CredVal; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Taf; +import org.onap.aaf.cadi.TrustChecker; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.lur.EpiLur; +import org.onap.aaf.cadi.taf.HttpTaf; +import org.onap.aaf.cadi.taf.TafResp; +import org.onap.aaf.cadi.util.UserChainManip; + +/** + * Encapsulate common HTTP Manipulation Behavior. It will appropriately set + * HTTPServletResponse for Redirect or Forbidden, as needed. + * + * Further, this is useful, because it avoids multiple creates of Connections, where some Filters + * are created and destroyed regularly. + * + * @author Jonathan + * + */ +public class CadiHTTPManip { + private static final String ACCESS_CADI_CONTROL = ".access|cadi|control"; + private static final String METH = "OPTIONS"; + private static final String CADI = "/cadi/"; + private static final String CADI_CACHE_PRINT = "/cadi/cache/print"; + private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear"; + private static final String CADI_LOG_SET = "/cadi/log/set/"; + private Access access; + private HttpTaf taf; + private CredVal up; + private Lur lur; + private String thisPerm,companyPerm,aaf_id; + + public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems + + + public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException { + synchronized(CADI) { + this.access = access; +// Get getter = new AccessGetter(access); + Config.setDefaultRealm(access); + + aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_APPID, null)); + if(aaf_id==null) { + access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_APPID,Config.CADI_ALIAS); + } else { + access.printf(Level.INIT, "%s is set to %s",Config.AAF_APPID,aaf_id); + } + String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id); + if(ns!=null) { + thisPerm = ns+ACCESS_CADI_CONTROL; + int dot = ns.indexOf('.'); + if(dot>=0) { + int dot2=ns.indexOf('.',dot+1); + if(dot2<0) { + dot2=dot; + } + companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL; + } else { + companyPerm = "com"+ACCESS_CADI_CONTROL; + } + } else { + thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL; + } + SecurityInfoC si; + si = SecurityInfoC.instance(access, HttpURLConnection.class); + lur = Config.configLur(si, con, additionalTafLurs); + + tc.setLur(lur); + if(lur instanceof EpiLur) { + up = ((EpiLur)lur).getUserPassImpl(); + } else if(lur instanceof CredVal) { + up = (CredVal)lur; + } else { + up = null; + } + taf = Config.configHttpTaf(con,si, tc, up, lur, additionalTafLurs); + } + } + + public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp, Object state) throws IOException { + TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp); + switch(tresp.isAuthenticated()) { + case IS_AUTHENTICATED: + access.printf(Level.INFO,"Authenticated: %s from %s:%d", + tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + break; + case TRY_AUTHENTICATING: + switch (tresp.authenticate()) { + case IS_AUTHENTICATED: + access.printf(Level.INFO,"Authenticated: %s from %s:%d", + tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + break; + case HTTP_REDIRECT_INVOKED: + access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc()); + break; + case NO_FURTHER_PROCESSING: + access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d" + , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + hresp.sendError(403, tresp.desc()); // Forbidden + break; + + default: + access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d" + , hreq.getRemoteAddr(), hreq.getRemotePort()); + hresp.sendError(403, tresp.desc()); // Forbidden + } + break; + case NO_FURTHER_PROCESSING: + access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d", + tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + hresp.sendError(403, "Access Denied"); // FORBIDDEN + break; + default: + access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d" + , hreq.getRemoteAddr(), hreq.getRemotePort()); + hresp.sendError(403, "Access Denied"); // FORBIDDEN + } + return tresp; + } + + public boolean notCadi(CadiWrap req, HttpServletResponse resp) { + + String pathInfo = req.getPathInfo(); + if(METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) { + if(req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) { + try { + if(pathInfo.contains(CADI_CACHE_PRINT)) { + resp.getOutputStream().println(lur.toString()); + resp.setStatus(200); + return false; + } else if(pathInfo.contains(CADI_CACHE_CLEAR)) { + StringBuilder report = new StringBuilder(); + lur.clear(req.getUserPrincipal(), report); + resp.getOutputStream().println(report.toString()); + resp.setStatus(200); + return false; + } else if(pathInfo.contains(CADI_LOG_SET)) { + Level l; + int slash = pathInfo.lastIndexOf('/'); + String level = pathInfo.substring(slash+1); + try { + l = Level.valueOf(level); + access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'",req.getUser(),l.name()); + access.setLogLevel(l); + } catch (IllegalArgumentException e) { + access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level); + } + return false; + } + } catch (IOException e) { + access.log(e); + } + } + } + return true; + } + + public Lur getLur() { + return lur; + } + + public void destroy() { + access.log(Level.INFO,"CadiHttpChecker destroyed."); + if(lur!=null) { + lur.destroy(); + lur=null; + } + } + + public Access getAccess() { + return access; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java new file mode 100644 index 00000000..9c4cca10 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java @@ -0,0 +1,76 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.filter; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.config.Get; + +/* + * A private method to query the Filter config and if not exists, return the default. This + * cleans up the initialization code. + */ +class FCGet implements Get { + /** + * + */ + private final Access access; + private FilterConfig filterConfig; + private ServletContext context; + + public FCGet(Access access, ServletContext context, FilterConfig filterConfig) { + this.access = access; + this.context = context; + this.filterConfig = filterConfig; + } + + public String get(String name, String def, boolean print) { + String str = null; + // Try Server Context First + if(context!=null) { + str = context.getInitParameter(name); + } + + // Try Filter Context next + if(str==null && filterConfig != null) { + str = filterConfig.getInitParameter(name); + } + + if(str==null) { + str = access.getProperty(name, def); + } + // Take def if nothing else + if(str==null) { + str = def; + // don't log defaults + } else { + str = str.trim(); // this is vital in Property File based values, as spaces can hide easily + if(print) { + access.log(Level.INFO,"Setting", name, "to", str); + } + } + return str; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java new file mode 100644 index 00000000..052b9ff1 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java @@ -0,0 +1,54 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.filter; + +import java.util.HashMap; +import java.util.Map; + +public class MapPermConverter implements PermConverter { + private HashMap map; + + /** + * Create with colon separated name value pairs + * i.e. teAdmin=com.att.myNS.myPerm|*|*:teUser=... + * + * @param value + */ + public MapPermConverter() { + map = new HashMap(); + } + + /** + * use to instantiate entries + * + * @return + */ + public Map map() { + return map; + } + + public String convert(String minimal) { + String rv = map.get(minimal); + return rv==null?minimal:rv; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java new file mode 100644 index 00000000..211a4bfe --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java @@ -0,0 +1,43 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.filter; + + +/** + * A NullPermConverter + * + * Obey the PermConverter Interface, but passed in "minimal" String is not converted. + * + * @author Jonathan + * + */ +public class NullPermConverter implements PermConverter { + + private NullPermConverter() {} + private static final NullPermConverter singleton = new NullPermConverter(); + public static NullPermConverter singleton() {return singleton;} + + public String convert(String minimal) { + return minimal; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java new file mode 100644 index 00000000..c508a5ce --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java @@ -0,0 +1,183 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.filter; + +import java.io.IOException; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.config.Config; + +/** + * PathFilter + * + * This class implements Servlet Filter, and uses AAF to validate access to a Path. + * + * This class can be used in a standard J2EE Servlet manner. + * + * @author Jonathan, collaborating with Xue Gao + * + */ +public class PathFilter implements Filter { + private ServletContext context; + private String aaf_type; + private String not_authorized_msg; + private final Log log; + + /** + * Construct a viable Filter for installing in Container WEB.XML, etc. + * + */ + public PathFilter() { + log = new Log() { + public void info(String ... msg) { + context.log(build("INFO:",msg)); + } + public void audit(String ... msg) { + context.log(build("AUDIT:",msg)); + } + private String build(String type, String []msg) { + StringBuilder sb = new StringBuilder(type); + for(String s : msg) { + sb.append(' '); + sb.append(s); + } + return sb.toString(); + } + + }; + } + + /** + * Filter that can be constructed within Java + * @param access + */ + public PathFilter(final Access access) { + log = new Log() { + public void info(String ... msg) { + access.log(Level.INFO, (Object[])msg); + } + public void audit(String ... msg) { + access.log(Level.AUDIT, (Object[])msg); + } + }; + } + + /** + * Init + * + * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a + * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this + * mechanism already. + */ + public void init(FilterConfig filterConfig) throws ServletException { + // need the Context for Logging, instantiating ClassLoader, etc + context = filterConfig.getServletContext(); + StringBuilder sb = new StringBuilder(); + StringBuilder err = new StringBuilder(); + Object attr = context.getAttribute(Config.PATHFILTER_NS); + if(attr==null) { + err.append("PathFilter - pathfilter_ns is not set"); + } else { + sb.append(attr.toString()); + } + + attr = context.getAttribute(Config.PATHFILTER_STACK); + if(attr==null) { + log.info("PathFilter - No pathfilter_stack set, ignoring"); + } else { + sb.append('.'); + sb.append(attr.toString()); + } + + attr = context.getAttribute(Config.PATHFILTER_URLPATTERN); + if(attr==null) { + log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'"); + sb.append(".urlpattern"); + } else { + sb.append('.'); + sb.append(attr.toString()); + } + + log.info("PathFilter - AAF Permission Type is",sb.toString()); + + sb.append('|'); + + aaf_type = sb.toString(); + + attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG); + if(attr==null) { + not_authorized_msg = "Forbidden - Not Authorized to access this Path"; + } else { + not_authorized_msg = attr.toString(); + } + + if(err.length()>0) { + throw new ServletException(err.toString()); + } + } + + private interface Log { + public void info(String ... msg); + public void audit(String ... msg); + } + + /** + * doFilter + * + * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and + * only call the next item in the filterChain if request is suitably Authenticated. + */ + //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + HttpServletRequest hreq = (HttpServletRequest)request; + HttpServletResponse hresp = (HttpServletResponse)response; + String perm = aaf_type+hreq.getPathInfo()+'|'+hreq.getMethod(); + if(hreq.isUserInRole(perm)) { + chain.doFilter(request, response); + } else { + log.audit("PathFilter has denied",hreq.getUserPrincipal().getName(),"access to",perm); + hresp.sendError(403,not_authorized_msg); + } + } + + /** + * Containers call "destroy" when time to cleanup + */ + public void destroy() { + log.info("PathFilter destroyed."); + } + + + +} + diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java new file mode 100644 index 00000000..bb97894b --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java @@ -0,0 +1,32 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.filter; + +/** + * Convert a simplistic, single string Permission into an Enterprise Scoped Perm + * + * @author Jonathan + * + */ +public interface PermConverter { + public String convert(String minimal); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java new file mode 100644 index 00000000..5f709f12 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java @@ -0,0 +1,56 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +/** + * RolesAllowed + * + * @author Jonathan + * + * Similar to Java EE's Spec from Annotations 1.1, 2.8 + * + * That Spec, however, was geared towards being able to route calls to Methods on Objects, and thus needed a more refined + * sense of permissions hierarchy. The same mechanism, however, can easily be achieved on single Servlet/Handlers in + * POJOs like Jetty by simply adding the Roles Allowed in a similar Annotation + * + */ +package org.onap.aaf.cadi.filter; +import static java.lang.annotation.ElementType.TYPE; +import static java.lang.annotation.RetentionPolicy.RUNTIME; + +import java.lang.annotation.Retention; +import java.lang.annotation.Target; + +/** + * JASPI Style Annotation of RolesAllowed when the coding style is desired but actually including all + * JEE jars is not. If using actual JASPI, use official @interface classes, not this one... + * + * @author Jonathan + */ +@Target({TYPE}) +@Retention(RUNTIME) +public @interface RolesAllowed { + /** + * Security role of the implementation, which doesn't have to be an EJB or CORBA like object. Can be just a + * Handler + * @return + */ + String[] value(); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java new file mode 100644 index 00000000..02c2600f --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java @@ -0,0 +1,56 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +/** + * RolesAllowed + * + * @author Jonathan + * + * Similar to Java EE's Spec from Annotations 1.1, 2.8 + * + * That Spec, however, was geared towards being able to route calls to Methods on Objects, and thus needed a more refined + * sense of permissions hierarchy. The same mechanism, however, can easily be achieved on single Servlet/Handlers in + * POJOs like Jetty by simply adding the Roles Allowed in a similar Annotation + * + */ +package org.onap.aaf.cadi.filter; +import static java.lang.annotation.ElementType.TYPE; +import static java.lang.annotation.RetentionPolicy.RUNTIME; + +import java.lang.annotation.Retention; +import java.lang.annotation.Target; + +import javax.servlet.Servlet; + +/** + * + * @author Jonathan + */ +@Target({TYPE}) +@Retention(RUNTIME) +public @interface ServletImpl { + /** + * Security role of the implementation, which doesn't have to be an EJB or CORBA like object. Can be just a + * Handler + * @return + */ + Class value(); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java new file mode 100644 index 00000000..43dd1018 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java @@ -0,0 +1,69 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.lur; + +import java.io.IOException; +import java.security.Principal; + +import org.onap.aaf.cadi.GetCred; +import org.onap.aaf.cadi.Symm; + +public class ConfigPrincipal implements Principal, GetCred { + private String name; + private byte[] cred; + private String content; + + public ConfigPrincipal(String name, String passwd) { + this.name = name; + this.cred = passwd.getBytes(); + content = null; + } + + public ConfigPrincipal(String name, byte[] cred) { + this.name = name; + this.cred = cred; + content = null; + } + + public String getName() { + return name; + } + + public byte[] getCred() { + return cred; + } + + public String toString() { + return name; + } + + public String getAsBasicAuthHeader() throws IOException { + if(content ==null) { + String s = name + ':' + new String(cred); + content = "Basic " + Symm.base64.encode(s); + } else if(!content.startsWith("Basic ")) { // content is the saved password from construction + String s = name + ':' + content; + content = "Basic " + Symm.base64.encode(s); + } + return content; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java new file mode 100644 index 00000000..2813dca8 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java @@ -0,0 +1,169 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.lur; + +import java.security.Principal; +import java.util.List; + +import org.onap.aaf.cadi.CachingLur; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.CredVal; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Permission; + +/** + * EpiLUR + * + * Short for "Epic LUR". Be able to run through a series of LURs to obtain the validation needed. + * + * The pun is better for the other pattern... "TAF" (aka EpiTaf), but it's still the larger picture of + * LURs that will be accomplished. + * + * FYI, the reason we separate LURs, rather than combine, is that Various User Repository Resources have + * different Caching requirements. For instance, the Local User Repo (with stand alone names), never expire, but might be + * refreshed with a change in Configuration File, while the Remote Service based LURs will need to expire at prescribed intervals + * + * @author Jonathan + * + */ +public final class EpiLur implements Lur { + private final Lur[] lurs; + + /** + * EpiLur constructor + * + * Construct the EpiLur from variable TAF parameters + * @param lurs + * @throws CadiException + */ + public EpiLur(Lur ... lurs) throws CadiException{ + this.lurs = lurs; + if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor"); + } + + public boolean fish(Principal bait, Permission pond) { + if(pond==null) { + return false; + } + boolean rv = false; + Lur lur; + for(int i=0;!rv && i permissions) { + for(Lur lur : lurs) { + lur.fishAll(bait, permissions); + } + } + + public void destroy() { + for(Lur lur : lurs) { + lur.destroy(); + } + } + + /** + * Return the first Lur (if any) which also implements UserPass + * @return + */ + public CredVal getUserPassImpl() { + for(Lur lur : lurs) { + if(lur instanceof CredVal) { + return (CredVal)lur; + } + } + return null; + } + + // Never needed... Only EpiLur uses... + public boolean handlesExclusively(Permission pond) { + return false; + } + + /** + * Get Lur for index. Returns null if out of range + * @param idx + * @return + */ + public Lur get(int idx) { + if(idx>=0 && idx)l).remove(id); + } + } + } + + public Lur subLur(Class cls ) { + for(Lur l : lurs) { + if(l.getClass().isAssignableFrom(cls)) { + return l; + } + } + return null; + } + + @Override + public Permission createPerm(String p) { + return new LocalPermission(p); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder) + */ + @Override + public void clear(Principal p, StringBuilder report) { + for(Lur lur : lurs) { + lur.clear(p, report); + } + } + + public String toString() { + StringBuilder sb = new StringBuilder(); + for(Lur lur : lurs) { + sb.append(lur.getClass().getSimpleName()); + sb.append(": Report\n"); + sb.append(lur.toString()); + sb.append('\n'); + } + return sb.toString(); + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java new file mode 100644 index 00000000..c1a27fa7 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java @@ -0,0 +1,196 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.lur; + +import java.io.IOException; +import java.security.Principal; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.TreeSet; + +import org.onap.aaf.cadi.AbsUserCache; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CredVal; +import org.onap.aaf.cadi.Hash; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.User; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.config.Config; + + +/** + * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms. + * + * @author Jonathan + * + */ +public final class LocalLur extends AbsUserCache implements Lur, CredVal { + public static final String SEMI = "\\s*;\\s*"; + public static final String COLON = "\\s*:\\s*"; + public static final String COMMA = "\\s*,\\s*"; + public static final String PERCENT = "\\s*%\\s*"; + + // Use to quickly determine whether any given group is supported by this LUR + private final Set supportingGroups; + private String supportedRealm; + + /** + * Construct by building structure, see "build" + * + * Reconstruct with "build" + * + * @param userProperty + * @param groupProperty + * @param decryptor + * @throws IOException + */ + public LocalLur(Access access, String userProperty, String groupProperty) throws IOException { + super(access, 0, 0, Integer.MAX_VALUE); // data doesn't expire + supportedRealm = access.getProperty(Config.BASIC_REALM, "localized"); + supportingGroups = new TreeSet(); + + if(userProperty!=null) { + // For each User name... + for(String user : userProperty.trim().split(SEMI)) { + String[] us = user.split(COLON,2); + String[] userpass = us[0].split(PERCENT,2); + String u; + User usr; + if(userpass.length>1) { + if(userpass.length>0 && userpass[0].indexOf('@')<0) { + userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm()); + } + + u = userpass[0]; + byte[] pass = access.decrypt(userpass[1], true).getBytes(); + usr = new User(new ConfigPrincipal(u, pass)); + } else { + u = us[0]; + usr = new User(new ConfigPrincipal(u, (byte[])null)); + } + addUser(usr); + access.log(Level.INIT, "Local User:",usr.principal); + + if(us.length>1) { + Map newMap = usr.newMap(); + for(String group : us[1].split(COMMA)) { + supportingGroups.add(group); + usr.add(newMap,new LocalPermission(group)); + } + usr.setMap(newMap); + } + } + } + if(groupProperty!=null) { + // For each Group name... + for(String group : groupProperty.trim().split(SEMI)) { + String[] gs = group.split(COLON,2); + if(gs.length>1) { + supportingGroups.add(gs[0]); + LocalPermission p = new LocalPermission(gs[0]); + // Add all users (known by comma separators) + + for(String grpMem : gs[1].split(COMMA)) { + // look for password, if so, put in passMap + String[] userpass = grpMem.split(PERCENT,2); + if(userpass.length>0 && userpass[0].indexOf('@')<0) { + userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm()); + } + User usr = null; + if(userpass.length>1) { + byte[] pass = access.decrypt(userpass[1], true).getBytes(); + usr = getUser(userpass[0],pass); + if(usr==null)addUser(usr=new User(new ConfigPrincipal(userpass[0],pass))); + else usr.principal=new ConfigPrincipal(userpass[0],pass); + } else { + addUser(usr=new User(new ConfigPrincipal(userpass[0],(byte[])null))); + } + usr.add(p); + access.log(Level.INIT, "Local User:",usr.principal); + } + } + } + } + } + + public boolean validate(String user, CredVal.Type type, byte[] cred, Object state) { + User usr = getUser(user,cred); + switch(type) { + case PASSWORD: + // covers null as well as bad pass + if(usr!=null && cred!=null && usr.principal instanceof ConfigPrincipal) { + return Hash.isEqual(cred,((ConfigPrincipal)usr.principal).getCred()); + } + break; + } + return false; + } + + // @Override + public boolean fish(Principal bait, Permission pond) { + if(pond == null) { + return false; + } + if(handles(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions + User user = getUser(bait); + return user==null?false:user.contains((LocalPermission)pond); + } + return false; + } + + // We do not want to expose the actual Group, so make a copy. + public void fishAll(Principal bait, List perms) { + if(handles(bait)) { + User user = getUser(bait); + if(user!=null) { + user.copyPermsTo(perms); + } + } + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#handles(java.security.Principal) + */ + @Override + public boolean handles(Principal principal) { + return principal!=null && principal.getName().endsWith(supportedRealm); + } + +// public boolean supports(String userName) { +// return userName!=null && userName.endsWith(supportedRealm); +// } +// + public boolean handlesExclusively(Permission pond) { + return supportingGroups.contains(pond.getKey()); + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String) + */ + @Override + public Permission createPerm(String p) { + return new LocalPermission(p); + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java new file mode 100644 index 00000000..8d6f9698 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java @@ -0,0 +1,50 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.lur; + +import org.onap.aaf.cadi.Permission; + +public class LocalPermission implements Permission { + private String key; + + public LocalPermission(String role) { + this.key = role; + } + + public String getKey() { + return key; + } + + public String toString() { + return key; + } + + public boolean match(Permission p) { + return key.equals(p.getKey()); + } + + public String permType() { + return "LOCAL"; + } + + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java new file mode 100644 index 00000000..1e44726a --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java @@ -0,0 +1,87 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.lur; + +import java.security.Principal; +import java.util.List; + +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Permission; + +public class NullLur implements Lur { + private static final Permission NULL = new Permission() { + @Override + public String permType() { + return ""; + } + + @Override + public String getKey() { + return ""; + } + + @Override + public boolean match(Permission p) { + return false; + }}; + + public boolean fish(Principal bait, Permission pond) { + // Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own +// System.err.println("CADI's LUR has not been configured, but is still being called. Access is being denied"); + return false; + } + + public void fishAll(Principal bait, List permissions) { + } + + public void destroy() { + } + + public boolean handlesExclusively(Permission pond) { + return false; + } + + public boolean handles(Principal p) { + return false; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#createPerm(java.lang.String) + */ + @Override + public Permission createPerm(String p) { + return NULL; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder) + */ + @Override + public void clear(Principal p, StringBuilder report) { + report.append(NullLur.class.getSimpleName()); + report.append('\n'); + } + + public String toString() { + return NullLur.class.getSimpleName() + '\n'; + } +} \ No newline at end of file diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java new file mode 100644 index 00000000..6a49401c --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java @@ -0,0 +1,126 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.principal; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.util.Date; + +import org.onap.aaf.cadi.BasicCred; +import org.onap.aaf.cadi.GetCred; +import org.onap.aaf.cadi.Symm; + +public class BasicPrincipal extends BearerPrincipal implements GetCred { + private static byte[] basic = "Basic ".getBytes(); + + private String name = null; + private String shortName = null; + private byte[] cred = null; + + private long created; + + public BasicPrincipal(String content,String domain) throws IOException { + created = System.currentTimeMillis(); + ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes()); + // Read past "Basic ", ensuring it starts with it. + for(int i=0;i0) { + domain=name.substring(at+1); + shortName=name.substring(0, at); + } else { + shortName = name; + name = name + '@' + domain; + } + } + + public BasicPrincipal(BasicCred bc, String domain) { + name = bc.getUser(); + cred = bc.getCred(); + } + + private class BasicOS extends OutputStream { + private boolean first = true; + private ByteArrayOutputStream baos; + + public BasicOS(int size) { + baos = new ByteArrayOutputStream(size); + } + + @Override + public void write(int b) throws IOException { + if(b==':' && first) { + first = false; + name = new String(baos.toByteArray()); + baos.reset(); // + } else { + baos.write(b); + } + } + + private byte[] toCred() { + return baos.toByteArray(); + } + } + + public String getName() { + return name; + } + + public String getShortName() { + return shortName; + } + + public byte[] getCred() { + return cred; + } + + public long created() { + return created; + } + + public String toString() { + return "Basic Authorization for " + name + " evaluated on " + new Date(created).toString(); + } + + @Override + public String tag() { + return "BAth"; + } + + @Override + public String personalName() { + return null; // personalName not available with Basic Auth + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java new file mode 100644 index 00000000..ea0ff2fe --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java @@ -0,0 +1,33 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.principal; + +public abstract class BearerPrincipal extends TaggedPrincipal { + private String bearer = null; + public BearerPrincipal setBearer(String bearer) { + this.bearer = bearer; + return this; + } + public String getBearer() { + return bearer; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java new file mode 100644 index 00000000..68229d3d --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java @@ -0,0 +1,65 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.principal; + +import java.io.IOException; + +import org.onap.aaf.cadi.BasicCred; +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.taf.HttpTaf; + +/** + * Cached Principals need to be able to revalidate in the Background + * + * @author Jonathan + * + */ +public class CachedBasicPrincipal extends BasicPrincipal implements CachedPrincipal { + private final HttpTaf creator; + private long timeToLive; + private long expires; + + public CachedBasicPrincipal(HttpTaf creator, BasicCred bc, String domain, long timeToLive) { + super(bc, domain); + this.creator = creator; + this.timeToLive = timeToLive; + expires = System.currentTimeMillis()+timeToLive; + } + + public CachedBasicPrincipal(HttpTaf creator, String content, String domain, long timeToLive) throws IOException { + super(content, domain); + this.creator = creator; + this.timeToLive = timeToLive; + expires = System.currentTimeMillis()+timeToLive; + } + + public CachedPrincipal.Resp revalidate(Object state) { + Resp resp = creator.revalidate(this, state); + if(resp.equals(Resp.REVALIDATED))expires = System.currentTimeMillis()+timeToLive; + return resp; + } + + public long expires() { + return expires; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/Kind.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/Kind.java new file mode 100644 index 00000000..bb6dc673 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/Kind.java @@ -0,0 +1,53 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.principal; + +import java.security.Principal; + +public class Kind { + public static final char X509 = 'X'; + public static final char OAUTH = 'O'; + public static final char AAF_OAUTH='A'; + public static final char BASIC_AUTH = 'B'; + public static final char UNKNOWN = 'U'; + + + public static char getKind(final Principal principal) { + Principal check; + if(principal instanceof TrustPrincipal) { + check = ((TrustPrincipal)principal).original(); + } else { + check = principal; + } + if(check instanceof X509Principal) { + return X509; + } + if(check instanceof OAuth2FormPrincipal) { + // Note: if AAF, will turn into 'A' + return OAUTH; + } + if(check instanceof BasicPrincipal) { + return BASIC_AUTH; + } + return UNKNOWN; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/OAuth2FormPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/OAuth2FormPrincipal.java new file mode 100644 index 00000000..1df2bd3e --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/OAuth2FormPrincipal.java @@ -0,0 +1,61 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.principal; + +public class OAuth2FormPrincipal extends TaggedPrincipal { + private final String username; + private final String client_id; + + /* + * Note: client_id and username might be the same, if only authenticating the Client_ID + */ + public OAuth2FormPrincipal(final String client_id, final String username) { + this.username = username; + this.client_id = client_id; + } + + @Override + public String getName() { + return username; + } + + public String client_id() { + return client_id; + } + + @Override + public String tag() { + return "OAuth"; + } + + @Override + public String personalName() { + if(username!=null && username!=client_id) { + StringBuilder sb = new StringBuilder(); + sb.append(username); + sb.append('|'); + sb.append(client_id); + return sb.toString(); + } + return client_id; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/StringTagLookup.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/StringTagLookup.java new file mode 100644 index 00000000..a3927168 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/StringTagLookup.java @@ -0,0 +1,35 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi.principal; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.principal.TaggedPrincipal.TagLookup; + +public class StringTagLookup implements TagLookup { + private String tag; + public StringTagLookup(final String tag) { + this.tag = tag; + } + @Override + public String lookup() throws CadiException { + return tag; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TaggedPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TaggedPrincipal.java new file mode 100644 index 00000000..a3b07c6c --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TaggedPrincipal.java @@ -0,0 +1,60 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi.principal; + +import java.security.Principal; + +import org.onap.aaf.cadi.CadiException; + +public abstract class TaggedPrincipal implements Principal { + + public TaggedPrincipal() { + tagLookup = null; + } + + public TaggedPrincipal(final TagLookup tl) { + tagLookup = tl; + } + + public abstract String tag(); // String representing what kind of Authentication occurred. + + public interface TagLookup { + public String lookup() throws CadiException; + } + + private TagLookup tagLookup; + + public void setTagLookup(TagLookup tl) { + tagLookup = tl; + } + + public String personalName() { + if(tagLookup == null) { + return getName(); + } + try { + return tagLookup.lookup(); + } catch (CadiException e) { + return getName(); + } + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java new file mode 100644 index 00000000..09083316 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java @@ -0,0 +1,70 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.principal; + +import java.security.Principal; + +import org.onap.aaf.cadi.UserChain; + +public class TrustPrincipal extends BearerPrincipal implements UserChain { + private final String name; + private final Principal original; + private String userChain; + + public TrustPrincipal(final Principal actual, final String asName) { + this.original = actual; + name = asName.trim(); + if(actual instanceof UserChain) { + UserChain uc = (UserChain)actual; + userChain = uc.userChain(); + } else if(actual instanceof TaggedPrincipal) { + userChain=((TaggedPrincipal)actual).tag(); + } else { + userChain = actual.getClass().getSimpleName(); + } + } + + @Override + public String getName() { + return name; + } + + @Override + public String userChain() { + return userChain; + } + + public Principal original() { + return original; + } + + @Override + public String tag() { + return userChain; + } + + @Override + public String personalName() { + return original.getName() + '[' + userChain + ']'; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/UnAuthPrincipal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/UnAuthPrincipal.java new file mode 100644 index 00000000..52f78e80 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/UnAuthPrincipal.java @@ -0,0 +1,37 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.principal; + +import java.security.Principal; + +public class UnAuthPrincipal implements Principal { + private String name; + + public UnAuthPrincipal(final String name) { + this.name = name; + } + @Override + public String getName() { + return name; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java new file mode 100644 index 00000000..16f62171 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java @@ -0,0 +1,109 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.principal; + +import java.io.IOException; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.util.regex.Pattern; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.GetCred; + +public class X509Principal extends BearerPrincipal implements GetCred { + private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*"); + private final X509Certificate cert; + private final String name; + private TagLookup tagLookup; + private byte[] content; + + public X509Principal(String identity, X509Certificate cert) { + name = identity; + content = null; + this.cert = cert; + tagLookup = null; + } + + public X509Principal(String identity, X509Certificate cert, byte[] content) { + name = identity; + this.content = content; + this.cert = cert; + tagLookup = null; + } + + public X509Principal(X509Certificate cert, byte[] content) throws IOException { + this.content=content; + this.cert = cert; + String _name = null; + String subj = cert.getSubjectDN().getName(); + int cn = subj.indexOf("OU="); + if(cn>=0) { + cn+=3; + int space = subj.indexOf(',',cn); + if(space>=0) { + String id = subj.substring(cn, space); + if(pattern.matcher(id).matches()) { + _name = id; + } + } + } + if(_name==null) { + throw new IOException("X509 does not have Identity as CN"); + } + name = _name; + tagLookup = null; + } + + public String getAsHeader() throws IOException { + try { + if(content==null) { + content=cert.getEncoded(); + } + } catch (CertificateEncodingException e) { + throw new IOException(e); + } + return "X509 " + content; + } + + public String toString() { + return "X509 Authentication for " + name; + } + + + public byte[] getCred() { + try { + return content==null?(content=cert.getEncoded()):content; + } catch (CertificateEncodingException e) { + return null; + } + } + + public String getName() { + return name; + } + + @Override + public String tag() { + return "x509"; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java new file mode 100644 index 00000000..a2fc730e --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java @@ -0,0 +1,116 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.principal.TaggedPrincipal; + +/** + * AbsTafResp + * + * Base class for TafResp (TAF Response Objects) + * + * @author Jonathan + * + */ +public abstract class AbsTafResp implements TafResp { + + protected final String desc; + protected final TaggedPrincipal principal; + protected final Access access; + + /** + * AbsTafResp + * + * Set and hold + * Description (for logging) + * Principal (as created by derived class) + * Access (for access to underlying container, i.e. for Logging, auditing, ClassLoaders, etc) + * + * @param access + * @param principal + * @param description + */ + public AbsTafResp(Access access, TaggedPrincipal principal, String description) { + this.access = access; + this.principal = principal; + this.desc = description; + } + + /** + * isValid() + * + * Respond in the affirmative if the TAF was able to Authenticate + */ + public boolean isValid() { + return principal!=null; + } + + /** + * desc() + * + * Respond with description of response as given by the TAF + */ + public String desc() { + return desc; + } + + /** + * isAuthenticated() + * + * Respond with the TAF's code of whether Authenticated, or suggested next steps + * default is either IS_AUTHENTICATED, or TRY_ANOTHER_TAF. The TAF can overload + * and suggest others, such as "NO_FURTHER_PROCESSING", if it can detect that this + * is some sort of security breach (i.e. Denial of Service) + */ + public RESP isAuthenticated() { + return principal==null?RESP.TRY_ANOTHER_TAF:RESP.IS_AUTHENTICATED; + } + + /** + * getPrincipal() + * + * Return the principal created by the TAF based on Authentication. + * + * Returns "null" if Authentication failed (no principal) + */ + public TaggedPrincipal getPrincipal() { + return principal; + } + + /** + * getAccess() + * + * Get the Access object from the TAF, so that appropriate Logging, etc can be coordinated. + */ + public Access getAccess() { + return access; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.taf.TafResp#isFailedAttempt() + */ + public boolean isFailedAttempt() { + return false; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java new file mode 100644 index 00000000..d772d493 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java @@ -0,0 +1,84 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Taf; + +/** + * EpiTAF + * + * Short for "Epic TAF". Be able to run through a series of TAFs to obtain the validation needed. + * + * OK, the name could probably be better as "Tafs", like it was originally, but the pun was too + * irresistible for this author to pass up. + * + * @author Jonathan + * + */ +public class EpiTaf implements Taf { + private Taf[] tafs; + + /** + * EpiTaf constructor + * + * Construct the EpiTaf from variable TAF parameters + * @param tafs + * @throws CadiException + */ + public EpiTaf(Taf ... tafs) throws CadiException{ + this.tafs = tafs; + if(tafs.length==0) throw new CadiException("Need at least one Taf implementation in constructor"); + } + + /** + * validate + * + * Respond with the first TAF to authenticate user based on variable info and "LifeForm" (is it + * a human behind an interface, or a server behind a protocol). + * + * If there is no TAF that can authenticate, respond with the first TAF that suggests it can + * establish an Authentication conversation (TRY_AUTHENTICATING). + * + * If no TAF declares either, respond with NullTafResp (which denies all questions) + */ + public TafResp validate(LifeForm reading, String... info) { + TafResp tresp,firstTryAuth=null; + for(Taf taf : tafs) { + tresp = taf.validate(reading, info); + switch(tresp.isAuthenticated()) { + case TRY_ANOTHER_TAF: + break; + case TRY_AUTHENTICATING: + if(firstTryAuth==null)firstTryAuth=tresp; + break; + default: + return tresp; + } + } + + // No TAFs configured, at this point. It is safer at this point to be "not validated", + // rather than "let it go" + return firstTryAuth == null?NullTafResp.singleton():firstTryAuth; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java new file mode 100644 index 00000000..e575be14 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java @@ -0,0 +1,197 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import java.net.URI; +import java.security.Principal; +import java.util.ArrayList; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.TrustChecker; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.Taf.LifeForm; + +/** + * HttpEpiTaf + * + * An extension of the basic "EpiTAF" concept, check known HTTP Related TAFs for valid credentials + * + * @author Jonathan + * + */ +public class HttpEpiTaf implements HttpTaf { + private HttpTaf[] tafs; + private Access access; + private Locator locator; + private TrustChecker trustChecker; + + /** + * HttpEpiTaf constructor + * + * Construct the HttpEpiTaf from variable Http specific TAF parameters + + * @param tafs + * @throws CadiException + */ + public HttpEpiTaf(Access access, Locator locator, TrustChecker tc, HttpTaf ... tafs) throws CadiException{ + this.tafs = tafs; + this.access = access; + this.locator = locator; + this.trustChecker = tc; + // Establish what Header Property to look for UserChain/Trust Props +// trustChainProp = access.getProperty(Config.CADI_TRUST_PROP, Config.CADI_TRUST_PROP_DEFAULT); + + if(tafs.length==0) throw new CadiException("Need at least one HttpTaf implementation in constructor"); + } + + /** + * validate + * + * Respond with the first Http specific TAF to authenticate user based on variable info + * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol). + * + * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can + * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP + * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm + * submission + * + * If no TAF declares either, respond with NullTafResp (which denies all questions) + */ + public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { + // Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings + if(reading==LifeForm.LFN) { + reading = tricorderScan(req); + } + TafResp tresp=null, firstTry = null; + List redirectables = null; + List trlog = access.willLog(Level.DEBUG)?new ArrayList():null; + try { + for(HttpTaf taf : tafs) { + tresp = taf.validate(reading, req, resp); + if(trlog!=null) { + trlog.add(tresp); + } + switch(tresp.isAuthenticated()) { + case TRY_ANOTHER_TAF: + break; // and loop + case TRY_AUTHENTICATING: + if(tresp instanceof Redirectable) { + if(redirectables==null) { + redirectables = new ArrayList(); + } + redirectables.add((Redirectable)tresp); + } else if(firstTry==null) { + firstTry = tresp; + } + break; + case IS_AUTHENTICATED: + tresp = trustChecker.mayTrust(tresp, req); + return tresp; + default: + return tresp; + } + } + } finally { + if(trlog!=null) { + for( TafResp tr : trlog) { + access.log(Level.DEBUG, tr.desc()); + } + } + } + + // If No TAFs configured, at this point. It is safer at this point to be "not validated", + // rather than "let it go" + // Note: if exists, there will always be more than 0 entries, according to above code + if(redirectables==null) { + return firstTry!=null?firstTry:NullTafResp.singleton(); + } + + // If there is one Tryable entry then return it + if(redirectables.size()>1) { + return LoginPageTafResp.create(access,locator,resp,redirectables); + } else { + return redirectables.get(0); + } + } + + public boolean revalidate(Principal prin) throws Exception { + return false; + } + + /* + * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind + * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical + * id (SiliconBasedLifeForm)? This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs + */ + private LifeForm tricorderScan(HttpServletRequest req) { + // For simplicity's sake, we'll say Humans use FQDNs, not IPs. + + String auth = req.getParameter("Authentication"); + if(auth!=null) { + if("BasicAuth".equals(auth)) { + return LifeForm.SBLF; + } + } + // Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are. + // If mechanical frameworks are found that populate this, then more advanced analysis may be required + // Jonathan 1/22/2013 + String agent = req.getHeader("User-Agent"); + if(agent!=null && agent.startsWith("Mozilla")) // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent + return LifeForm.CBLF; + return LifeForm.SBLF; // notably skips "curl","wget", (which is desired behavior. We don't want to try CSP, etc on these) + } + + public Resp revalidate(CachedPrincipal prin, Object state) { + Resp resp; + for(HttpTaf taf : tafs) { + resp = taf.revalidate(prin,state); + switch(resp) { + case NOT_MINE: + break; + default: + return resp; + } + } + return Resp.NOT_MINE; + } + + /** + * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE + * like Eclipse. + */ + public String toString() { + StringBuilder sb = new StringBuilder(); + for(HttpTaf ht : tafs) { + sb.append(ht.toString()); + sb.append(". "); + } + return sb.toString(); + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java new file mode 100644 index 00000000..9484458c --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java @@ -0,0 +1,60 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.Taf.LifeForm; + +/** + * A TAF which is in a specific HTTP environment in which the engine implements + * javax Servlet. + * + * Using the Http Request and Response interfaces takes the effort out of implementing in almost any kind of + * HTTP Container or Engine. + * + * @author Jonathan + * + */ +public interface HttpTaf { + /** + * validate + * + * Validate the Request, and respond with created TafResp object. + * + * @param reading + * @param req + * @param resp + * @return + */ + public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp); + + /** + * Re-Validate Credential + * + * @param prin + * @return + */ + public CachedPrincipal.Resp revalidate(CachedPrincipal prin,Object state); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java new file mode 100644 index 00000000..9c9cbc22 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java @@ -0,0 +1,86 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import java.io.IOException; +import java.net.URI; +import java.util.List; + +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Locator; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.Locator.Item; + +public class LoginPageTafResp extends AbsTafResp { + private final HttpServletResponse httpResp; + private final String loginPageURL; + + private LoginPageTafResp(Access access, final HttpServletResponse resp, String loginPageURL) { + super(access, null, "Multiple Possible HTTP Logins available. Redirecting to Login Choice Page"); + httpResp = resp; + this.loginPageURL = loginPageURL; + } + + @Override + public RESP authenticate() throws IOException { + httpResp.sendRedirect(loginPageURL); + return RESP.HTTP_REDIRECT_INVOKED; + } + + @Override + public RESP isAuthenticated() { + return RESP.TRY_AUTHENTICATING; + } + + public static TafResp create(Access access, Locator locator, final HttpServletResponse resp, List redir) { + if(locator!=null) { + try { + Item item = locator.best(); + URI uri = locator.get(item); + if(uri!=null) { + StringBuilder sb = new StringBuilder(uri.toString()); + String query = uri.getQuery(); + boolean first = query==null || query.length()==0; + int count=0; + for(Redirectable t : redir) { + if(first) { + sb.append('?'); + first=false; + } + else sb.append('&'); + sb.append(t.get()); + ++count; + } + if(count>0)return new LoginPageTafResp(access, resp, sb.toString()); + } + } catch (Exception e) { + access.log(e, "Error deriving Login Page location"); + } + } else if(!redir.isEmpty()) { + access.log(Level.DEBUG,"LoginPage Locator is not configured. Taking first Redirectable Taf"); + return redir.get(0); + } + return NullTafResp.singleton(); + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java new file mode 100644 index 00000000..e8293faa --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java @@ -0,0 +1,64 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.Taf; +import org.onap.aaf.cadi.CachedPrincipal.Resp; + + +/** + * This TAF is set at the very beginning of Filters and Valves so that if any configuration issues hit while + * starting, the default behavior is to shut down traffic rather than leaving an open hole + * + * @author Jonathan + * + */ +public class NullTaf implements Taf, HttpTaf { + // Singleton Pattern + public NullTaf() {} + + /** + * validate + * + * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized + */ + public TafResp validate(LifeForm reading, String... info) { + return NullTafResp.singleton(); + } + + /** + * validate + * + * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized + */ + public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { + return NullTafResp.singleton(); + } + + public Resp revalidate(CachedPrincipal prin, Object state) { + return Resp.NOT_MINE; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java new file mode 100644 index 00000000..20fc944a --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java @@ -0,0 +1,73 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import java.io.IOException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.principal.TaggedPrincipal; + +/** + * A Null Pattern for setting responses to "Deny" before configuration is setup. + * @author Jonathan + * + */ +class NullTafResp implements TafResp { + private NullTafResp(){} + + private static TafResp singleton = new NullTafResp(); + + public static TafResp singleton() { + return singleton; + } + + public boolean isValid() { + return false; + } + + public RESP isAuthenticated() { + return RESP.NO_FURTHER_PROCESSING; + } + + public String desc() { + return "All Authentication denied"; + } + + public RESP authenticate() throws IOException { + return RESP.NO_FURTHER_PROCESSING; + } + + public TaggedPrincipal getPrincipal() { + return null; + } + + public Access getAccess() { + return Access.NULL; + } + + /* (non-Javadoc) + * @see org.onap.aaf.cadi.taf.TafResp#isFailedAttempt() + */ + public boolean isFailedAttempt() { + return true; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java new file mode 100644 index 00000000..f496581b --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java @@ -0,0 +1,69 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import java.io.IOException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.principal.TaggedPrincipal; + +/** + * A Punt Resp to make it fast and easy for a Taf to respond that it cannot handle a particular kind of + * request. It is always the same object, so there is no cost for memory, etc. + * @author Jonathan + * + */ +public class PuntTafResp implements TafResp { + private final String desc; + + public PuntTafResp(String name, String explanation) { + desc = name + " is not processing this transaction: " + explanation; + } + + public boolean isValid() { + return false; + } + + public RESP isAuthenticated() { + return RESP.TRY_ANOTHER_TAF; + } + + public String desc() { + return desc; + } + + public RESP authenticate() throws IOException { + return RESP.TRY_ANOTHER_TAF; + } + + public TaggedPrincipal getPrincipal() { + return null; + } + + public Access getAccess() { + return NullTafResp.singleton().getAccess(); + } + + public boolean isFailedAttempt() { + return false; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java new file mode 100644 index 00000000..8dc5c118 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java @@ -0,0 +1,31 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +public interface Redirectable extends TafResp { + /** + * Create a Redirectable URL entry prefaced by a URLEncoder.String for a Menu + * example: + * "Global Login=https://xxxx....." + */ + public String get(); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java new file mode 100644 index 00000000..a679d994 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java @@ -0,0 +1,94 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import java.io.IOException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.principal.TaggedPrincipal; + +/** + * Response from Taf objects, which inform users what has happened and/or what should be done + * + * @author Jonathan + * + */ +public interface TafResp { + public static enum RESP { + IS_AUTHENTICATED, + NO_FURTHER_PROCESSING, + TRY_AUTHENTICATING, + TRY_ANOTHER_TAF, + FAIL, + // A note was made to avoid the response REDIRECT. However, I have deemed that it is + // unavoidable when the underlying TAF did do a REDIRECT, because it requires a HTTP + // Service code to exit without modifying the Response any further. + // Therefore, I have changed this to indicate what HAS happened, with should accommodate + // both positions. Jonathan 10/18/2012 +// public static final int HTTP_REDIRECT_INVOKED = 11; + HTTP_REDIRECT_INVOKED, + HAS_PROCESSED}; + + /** + * Basic success check + * @return + */ + public boolean isValid(); + + /** + * String description of what has occurred (for logging/exceptions) + * @return + */ + public String desc(); + + /** + * Check Response + * @return + */ + public RESP isAuthenticated(); + + /** + * Authenticate, returning FAIL or Other Valid indication + * + * HTTP implementations should watch for "HTTP_REDIRECT_INVOKED", and end the HTTP call appropriately. + * @return + * @throws CadiException + */ + public RESP authenticate() throws IOException; + + /** + * Once authenticated, this object should hold a Principal created from the authorization + * @return + */ + public TaggedPrincipal getPrincipal(); + + /** + * get the Access object which created this object, allowing the responder to appropriate Log, etc + */ + public Access getAccess(); + + /** + * Be able to check if part of a Failed attempt + */ + public boolean isFailedAttempt(); +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java new file mode 100644 index 00000000..24a79cf3 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java @@ -0,0 +1,76 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import java.io.IOException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.principal.TaggedPrincipal; + +public class TrustNotTafResp implements TafResp { + private final TafResp delegate; + private final String desc; + + public TrustNotTafResp(final TafResp delegate, final String desc) { + this.delegate = delegate; + this.desc = desc; + } + + @Override + public boolean isValid() { + return false; + } + + @Override + public String desc() { + return desc; + } + + @Override + public RESP isAuthenticated() { + return RESP.NO_FURTHER_PROCESSING; + } + + @Override + public RESP authenticate() throws IOException { + return RESP.NO_FURTHER_PROCESSING; + } + + @Override + public TaggedPrincipal getPrincipal() { + return delegate.getPrincipal(); + } + + @Override + public Access getAccess() { + return delegate.getAccess(); + } + + @Override + public boolean isFailedAttempt() { + return true; + } + + public String toString() { + return desc(); + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java new file mode 100644 index 00000000..bc5e8db6 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java @@ -0,0 +1,78 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf; + +import java.io.IOException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.principal.TaggedPrincipal; + +public class TrustTafResp implements TafResp { + private final TafResp delegate; + private final TaggedPrincipal principal; + private final String desc; + + public TrustTafResp(final TafResp delegate, final TaggedPrincipal principal, final String desc) { + this.delegate = delegate; + this.principal = principal; + this.desc = desc + ' ' + delegate.desc(); + } + + @Override + public boolean isValid() { + return delegate.isValid(); + } + + @Override + public String desc() { + return desc; + } + + @Override + public RESP isAuthenticated() { + return delegate.isAuthenticated(); + } + + @Override + public RESP authenticate() throws IOException { + return delegate.authenticate(); + } + + @Override + public TaggedPrincipal getPrincipal() { + return principal; + } + + @Override + public Access getAccess() { + return delegate.getAccess(); + } + + @Override + public boolean isFailedAttempt() { + return delegate.isFailedAttempt(); + } + + public String toString() { + return principal.getName() + " by trust of " + desc(); + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java new file mode 100644 index 00000000..6d516f00 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java @@ -0,0 +1,165 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf.basic; + +import java.io.IOException; +import java.security.Principal; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.BasicCred; +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CredVal; +import org.onap.aaf.cadi.Taf; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.CredVal.Type; +import org.onap.aaf.cadi.principal.BasicPrincipal; +import org.onap.aaf.cadi.principal.CachedBasicPrincipal; +import org.onap.aaf.cadi.taf.HttpTaf; +import org.onap.aaf.cadi.taf.TafResp; +import org.onap.aaf.cadi.taf.TafResp.RESP; +import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf; + +/** + * BasicHttpTaf + * + * This TAF implements the "Basic Auth" protocol. + * + * WARNING! It is true for any implementation of "Basic Auth" that the password is passed unencrypted. + * This is because the expectation, when designed years ago, was that it would only be used in + * conjunction with SSL (https). It is common, however, for users to ignore this on the assumption that + * their internal network is secure, or just ignorance. Therefore, a WARNING will be printed + * when the HTTP Channel is not encrypted (unless explicitly turned off). + * + * @author Jonathan + * + */ +public class BasicHttpTaf implements HttpTaf { + private Access access; + private String realm; + private CredVal rbac; + private boolean warn; + private long timeToLive; + + public BasicHttpTaf(Access access, CredVal rbac, String realm, long timeToLive, boolean turnOnWarning) { + this.access = access; + this.realm = realm; + this.rbac = rbac; + this.warn = turnOnWarning; + this.timeToLive = timeToLive; + } + + /** + * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms. + * @see Taf + */ + public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { + // See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately + if(req instanceof BasicCred) { + BasicCred bc = (BasicCred)req; + if(bc.getUser()!=null) { // CadiWrap, if set, makes sure User & Password are both valid, or both null + if(DenialOfServiceTaf.isDeniedID(bc.getUser())!=null) { + return DenialOfServiceTaf.respDenyID(access,bc.getUser()); + } + CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive); + // ONLY FOR Last Ditch DEBUGGING... + // access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred())); + + if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred(),req)) { + return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false); + } else { + //TODO may need timed retries in a given time period + return new BasicHttpTafResp(access,null,buildMsg(bp,req,"user/pass combo invalid for ",bc.getUser(),"from",req.getRemoteAddr()), + RESP.TRY_AUTHENTICATING,resp,realm,true); + } + } + } + // Get User/Password from Authorization Header value + String authz = req.getHeader("Authorization"); + if(authz != null && authz.startsWith("Basic ")) { + if(warn&&!req.isSecure()) { + access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel"); + } + try { + CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive); + if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) { + return DenialOfServiceTaf.respDenyID(access,ba.getName()); + } + + // ONLY FOR Last Ditch DEBUGGING... + // access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred())); + if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), req)) { + return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false); + } else { + //TODO may need timed retries in a given time period + return new BasicHttpTafResp(access,null,buildMsg(ba,req,"user/pass combo invalid"), + RESP.TRY_AUTHENTICATING,resp,realm,true); + } + } catch (IOException e) { + String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')'); + access.log(Level.INFO,msg); + return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true); + } + } + return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false); + } + + protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) { + StringBuilder sb = new StringBuilder(); + if(pr!=null) { + sb.append("user="); + sb.append(pr.getName()); + sb.append(','); + } + sb.append("ip="); + sb.append(req.getRemoteAddr()); + sb.append(",port="); + sb.append(req.getRemotePort()); + if(msg.length>0) { + sb.append(",msg=\""); + for(Object s : msg) { + sb.append(s.toString()); + } + sb.append('"'); + } + return sb.toString(); + } + + @Override + public Resp revalidate(CachedPrincipal prin, Object state) { + if(prin instanceof BasicPrincipal) { + BasicPrincipal ba = (BasicPrincipal)prin; + if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) { + return Resp.UNVALIDATED; + } + return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred(), state)?Resp.REVALIDATED:Resp.UNVALIDATED; + } + return Resp.NOT_MINE; + } + + public String toString() { + return "Basic Auth enabled on realm: " + realm; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java new file mode 100644 index 00000000..c17797b8 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java @@ -0,0 +1,62 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf.basic; + +import java.io.IOException; + +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.taf.AbsTafResp; +import org.onap.aaf.cadi.taf.TafResp; + +public class BasicHttpTafResp extends AbsTafResp implements TafResp { + private HttpServletResponse httpResp; + private String realm; + private RESP status; + private final boolean wasFailed; + + public BasicHttpTafResp(Access access, TaggedPrincipal principal, String description, RESP status, HttpServletResponse resp, String realm, boolean wasFailed) { + super(access,principal, description); + httpResp = resp; + this.realm = realm; + this.status = status; + this.wasFailed = wasFailed; + } + + public RESP authenticate() throws IOException { + httpResp.setStatus(401); // Unauthorized + httpResp.setHeader("WWW-Authenticate", "Basic realm=\""+realm+'"'); + return RESP.HTTP_REDIRECT_INVOKED; + } + + public RESP isAuthenticated() { + return status; + } + + public boolean isFailedAttempt() { + return wasFailed; + } + + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java new file mode 100644 index 00000000..0da41b81 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java @@ -0,0 +1,46 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf.cert; + +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; + +import javax.servlet.http.HttpServletRequest; + +import org.onap.aaf.cadi.principal.TaggedPrincipal; + +public interface CertIdentity { + /** + * identity from X509Certificate Object and/or certBytes + * + * If you have both, include them. If you only have one, leave the other null, and it will be generated if needed + * + * The Request is there to obtain Header or Attribute info of ultimate user + * + * @param req + * @param cert + * @param certBytes + * @return + * @throws CertificateException + */ + public TaggedPrincipal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException; +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java new file mode 100644 index 00000000..b7f63b8e --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java @@ -0,0 +1,51 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf.cert; + +import java.io.IOException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.taf.AbsTafResp; +import org.onap.aaf.cadi.taf.TafResp; + +public class X509HttpTafResp extends AbsTafResp implements TafResp { + private RESP status; + + public X509HttpTafResp(Access access, TaggedPrincipal principal, String description, RESP status) { + super(access, principal, description); + this.status = status; + } + + public RESP authenticate() throws IOException { + return RESP.TRY_ANOTHER_TAF; + } + + public RESP isAuthenticated() { + return status; + } + + public String toString() { + return status.name(); + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java new file mode 100644 index 00000000..b5ed7ad1 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java @@ -0,0 +1,261 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf.cert; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.Signature; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.util.ArrayList; + +import javax.net.ssl.TrustManagerFactory; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.Taf.LifeForm; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.config.SecurityInfo; +import org.onap.aaf.cadi.config.SecurityInfoC; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.principal.X509Principal; +import org.onap.aaf.cadi.taf.HttpTaf; +import org.onap.aaf.cadi.taf.TafResp; +import org.onap.aaf.cadi.taf.TafResp.RESP; +import org.onap.aaf.cadi.util.Split; + +public class X509Taf implements HttpTaf { + + private static final String CERTIFICATE_NOT_VALID_FOR_AUTHENTICATION = "Certificate NOT valid for Authentication"; + public static final CertificateFactory certFactory; + public static final MessageDigest messageDigest; + public static final TrustManagerFactory tmf; + private Access access; + private CertIdentity[] certIdents; +// private Lur lur; + private ArrayList cadiIssuers; + private String env; + private SecurityInfo si; + + static { + try { + certFactory = CertificateFactory.getInstance("X.509"); + messageDigest = MessageDigest.getInstance("SHA-256"); // use this to clone + tmf = TrustManagerFactory.getInstance(SecurityInfoC.SslKeyManagerFactoryAlgorithm); + } catch (Exception e) { + throw new RuntimeException("X.509 and SHA-256 are required for X509Taf",e); + } + } + + public X509Taf(Access access, Lur lur, CertIdentity ... cis) throws CertificateException, NoSuchAlgorithmException, CadiException { + this.access = access; + env = access.getProperty(Config.AAF_ENV,null); + if(env==null) { + throw new CadiException("X509Taf requires Environment ("+Config.AAF_ENV+") to be set."); + } +// this.lur = lur; + this.cadiIssuers = new ArrayList(); + for(String ci : access.getProperty(Config.CADI_X509_ISSUERS, "").split(":")) { + access.printf(Level.INIT, "Trusting Identity for Certificates signed by \"%s\"",ci); + cadiIssuers.add(ci); + } + try { + Class dci = access.classLoader().loadClass("org.onap.aaf.auth.direct.DirectCertIdentity"); + if(dci==null) { + certIdents = cis; + } else { + CertIdentity temp[] = new CertIdentity[cis.length+1]; + System.arraycopy(cis, 0, temp, 1, cis.length); + temp[0] = (CertIdentity) dci.newInstance(); + certIdents=temp; + } + } catch (Exception e) { + certIdents = cis; + } + + si = new SecurityInfo(access); + } + + public static final X509Certificate getCert(byte[] certBytes) throws CertificateException { + ByteArrayInputStream bais = new ByteArrayInputStream(certBytes); + return (X509Certificate)certFactory.generateCertificate(bais); + } + + public static final byte[] getFingerPrint(byte[] ba) { + MessageDigest md; + try { + md = (MessageDigest)messageDigest.clone(); + } catch (CloneNotSupportedException e) { + // should never get here + return new byte[0]; + } + md.update(ba); + return md.digest(); + } + + @Override + public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { + // Check for Mutual SSL + try { + X509Certificate[] certarr = (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate"); + if(certarr!=null && certarr.length>0) { + si.checkClientTrusted(certarr); + // Note: If the Issuer is not in the TrustStore, it's not added to the Cert list + if(cadiIssuers.contains(certarr[0].getIssuerDN().toString())) { + String subject = certarr[0].getSubjectDN().getName(); + // avoiding extra object creation, since this is validated EVERY transaction with a Cert + int at = subject.indexOf('@'); + if(at>=0) { + int start = subject.lastIndexOf(',', at); + if(start<0) { + start = 0; + } + int end = subject.indexOf(',', at); + if(end<0) { + end=subject.length(); + } + int temp; + if(((temp=subject.indexOf("OU=",start))>=0 && temp=0 && temp1 && env!=null && env.equals(sa[1]))) { // Check Environment + return new X509HttpTafResp(access, + new X509Principal(sa[0], certarr[0],(byte[])null), + "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED); + } + } + + } + } + } + + + byte[] array = null; + byte[] certBytes = null; + X509Certificate cert=null; + String responseText=null; + String authHeader = req.getHeader("Authorization"); + + if(certarr!=null) { // If cert !=null, Cert is Tested by Mutual Protocol. + if(authHeader!=null) { // This is only intended to be a Secure Connection, not an Identity + for(String auth : Split.split(',',authHeader)) { + if(auth.startsWith("Bearer ")) { // Bearer = OAuth... Don't use as Authenication + return new X509HttpTafResp(access, null, "Certificate verified, but Bearer Token is presented", RESP.TRY_ANOTHER_TAF); + } + } + } + cert = certarr[0]; + responseText = ", validated by Mutual SSL Protocol"; + } else { // If cert == null, Get Declared Cert (in header), but validate by having them sign something + if(authHeader != null) { + for(String auth : Split.splitTrim(',',authHeader)) { + if(auth.startsWith("x509 ")) { + ByteArrayOutputStream baos = new ByteArrayOutputStream(auth.length()); + try { + array = auth.getBytes(); + ByteArrayInputStream bais = new ByteArrayInputStream(array); + Symm.base64noSplit.decode(bais, baos, 5); + certBytes = baos.toByteArray(); + cert = getCert(certBytes); + + /** + * Identity from CERT if well know CA and specific encoded information + */ + // If found Identity doesn't work, try SignedStuff Protocol + // cert.checkValidity(); + // cert.--- GET FINGERPRINT? + String stuff = req.getHeader("Signature"); + if(stuff==null) + return new X509HttpTafResp(access, null, "Header entry 'Signature' required to validate One way X509 Certificate", RESP.TRY_ANOTHER_TAF); + String data = req.getHeader("Data"); + // if(data==null) + // return new X509HttpTafResp(access, null, "No signed Data to validate with X509 Certificate", RESP.TRY_ANOTHER_TAF); + + // Note: Data Pos shows is " " + // int dataPos = (stuff.indexOf(' ')); // determine what is Algorithm + // Get Signature + bais = new ByteArrayInputStream(stuff.getBytes()); + baos = new ByteArrayOutputStream(stuff.length()); + Symm.base64noSplit.decode(bais, baos); + array = baos.toByteArray(); + // Signature sig = Signature.getInstance(stuff.substring(0, dataPos)); // get Algorithm from first part of Signature + + Signature sig = Signature.getInstance(cert.getSigAlgName()); + sig.initVerify(cert.getPublicKey()); + sig.update(data.getBytes()); + if(!sig.verify(array)) { + access.log(Level.ERROR, "Signature doesn't Match"); + return new X509HttpTafResp(access, null, CERTIFICATE_NOT_VALID_FOR_AUTHENTICATION, RESP.TRY_ANOTHER_TAF); + } + responseText = ", validated by Signed Data"; + } catch (Exception e) { + access.log(e, "Exception while validating Cert"); + return new X509HttpTafResp(access, null, CERTIFICATE_NOT_VALID_FOR_AUTHENTICATION, RESP.TRY_ANOTHER_TAF); + } + } + } + } + if(cert==null) { + return new X509HttpTafResp(access, null, "No Certificate Info on Transaction", RESP.TRY_ANOTHER_TAF); + } + + // A cert has been found, match Identify + TaggedPrincipal prin=null; + + for(int i=0;prin==null && i deniedIP=null, deniedID=null; + private Access access; + private final TafResp puntNotDenied; + private static File dosIP, dosID; + + /** + * + * @param hostname + * @param prod + * @throws CadiException + */ + public DenialOfServiceTaf(Access access) throws CadiException { + puntNotDenied = new PuntTafResp("DenialOfServiceTaf", "This Transaction is not denied"); + this.access = access; + if(dosIP==null || dosID == null) { + String dirStr; + if((dirStr = access.getProperty(Config.AAF_DATA_DIR, null))!=null) { + dosIP = new File(dirStr+"/dosIP"); + readIP(); + dosID = new File(dirStr+"/dosID"); + readID(); + } + } + } + + @Override + public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) { + // Performance, when not needed + if(deniedIP != null) { + String ip; + Counter c = deniedIP.get(ip=req.getRemoteAddr()); + if(c!=null) { + c.inc(); + return respDenyIP(access,ip); + } + } + + // Note: Can't process Principal, because this is the first TAF, and no Principal is created. + // Other TAFs use "isDenied()" on this Object to validate. + return puntNotDenied; + } + + @Override + public Resp revalidate(CachedPrincipal prin, Object state) { + // We always return NOT MINE, because DOS Taf does not ever validate + return Resp.NOT_MINE; + } + + /* + * for use in Other TAFs, before they attempt backend validation of + */ + public static Counter isDeniedID(String identity) { + if(deniedID!=null) { + return deniedID.get(identity); + } + return null; + } + + /** + * + */ + public static Counter isDeniedIP(String ipvX) { + if(deniedID!=null) { + return deniedID.get(ipvX); + } + return null; + } + + /** + * Return of "True" means IP has been added. + * Return of "False" means IP already added. + * + * @param ip + * @return + */ + public static synchronized boolean denyIP(String ip) { + boolean rv = false; + if(deniedIP==null) { + deniedIP = new HashMap(); + deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent + rv= true; + } else if(deniedIP.get(ip)==null) { + deniedIP.put(ip, new Counter(ip)); + rv = true; + } + if(rv) { + writeIP(); + } + return rv; + } + + private static void writeIP() { + if(dosIP!=null && deniedIP!=null) { + if(deniedIP.isEmpty()) { + if(dosIP.exists()) { + dosIP.delete(); + } + } else { + PrintStream fos; + try { + fos = new PrintStream(new FileOutputStream(dosIP,false)); + try { + for(String ip: deniedIP.keySet()) { + fos.println(ip); + } + } finally { + fos.close(); + } + } catch (IOException e) { + e.printStackTrace(System.err); + } + } + } + } + + private static void readIP() { + if(dosIP!=null && dosIP.exists()) { + BufferedReader br; + try { + br = new BufferedReader(new FileReader(dosIP)); + if(deniedIP==null) { + deniedIP=new HashMap(); + } + + try { + String line; + while((line=br.readLine())!=null) { + deniedIP.put(line, new Counter(line)); + } + } finally { + br.close(); + } + } catch (IOException e) { + e.printStackTrace(System.err); + } + } + } + + + /** + * Return of "True" means IP has was removed. + * Return of "False" means IP wasn't being denied. + * + * @param ip + * @return + */ + public static synchronized boolean removeDenyIP(String ip) { + if(deniedIP!=null && deniedIP.remove(ip)!=null) { + writeIP(); + if(deniedIP.isEmpty()) { + deniedIP=null; + } + return true; + } + return false; + } + + /** + * Return of "True" means ID has been added. + * Return of "False" means ID already added. + * + * @param ip + * @return + */ + public static synchronized boolean denyID(String id) { + boolean rv = false; + if(deniedID==null) { + deniedID = new HashMap(); + deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent + rv = true; + } else if(deniedID.get(id)==null) { + deniedID.put(id, new Counter(id)); + rv = true; + } + if(rv) { + writeID(); + } + return rv; + + } + + private static void writeID() { + if(dosID!=null && deniedID!=null) { + if(deniedID.isEmpty()) { + if(dosID.exists()) { + dosID.delete(); + } + } else { + PrintStream fos; + try { + fos = new PrintStream(new FileOutputStream(dosID,false)); + try { + for(String ip: deniedID.keySet()) { + fos.println(ip); + } + } finally { + fos.close(); + } + } catch (IOException e) { + e.printStackTrace(System.err); + } + } + } + } + + private static void readID() { + if(dosID!=null && dosID.exists()) { + BufferedReader br; + try { + br = new BufferedReader(new FileReader(dosID)); + if(deniedID==null) { + deniedID=new HashMap(); + } + try { + String line; + while((line=br.readLine())!=null) { + deniedID.put(line, new Counter(line)); + } + } finally { + br.close(); + } + } catch (IOException e) { + e.printStackTrace(System.err); + } + } + } + + /** + * Return of "True" means ID has was removed. + * Return of "False" means ID wasn't being denied. + * + * @param ip + * @return + */ + public static synchronized boolean removeDenyID(String id) { + if(deniedID!=null && deniedID.remove(id)!=null) { + writeID(); + if(deniedID.isEmpty()) { + deniedID=null; + } + + return true; + } + return false; + } + + public List report() { + int initSize = 0; + if(deniedIP!=null)initSize+=deniedIP.size(); + if(deniedID!=null)initSize+=deniedID.size(); + ArrayList al = new ArrayList(initSize); + if(deniedID!=null) { + for(Counter c : deniedID.values()) { + al.add(c.toString()); + } + } + if(deniedIP!=null) { + for(Counter c : deniedIP.values()) { + al.add(c.toString()); + } + } + return al; + } + + public static class Counter { + private final String name; + private int count = 0; + private Date first; + private long last; // note, we use "last" as long, to avoid popping useless dates on Heap. + + public Counter(String name) { + this.name = name; + first = null; + last = 0L; + count = 0; + } + + public String getName() { + return name; + } + + public int getCount() { + return count; + } + + public long getLast() { + return last; + } + + /* + * Only allow Denial of ServiceTaf to increment + */ + private synchronized void inc() { + ++count; + last = System.currentTimeMillis(); + if(first==null) { + first = new Date(last); + } + } + + public String toString() { + if(count==0) + return name + " is on the denied list, but has not attempted Access"; + else + return + name + + " has been denied " + + count + + " times since " + + first + + ". Last denial was " + + new Date(last); + } + } + + public static TafResp respDenyID(Access access, String identity) { + return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list"); + } + + public static TafResp respDenyIP(Access access, String ip) { + return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list"); + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java new file mode 100644 index 00000000..b156392d --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java @@ -0,0 +1,47 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.taf.dos; + +import java.io.IOException; + +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.taf.AbsTafResp; + +public class DenialOfServiceTafResp extends AbsTafResp { + private RESP ect; // Homage to Arethra Franklin + + public DenialOfServiceTafResp(Access access, RESP resp, String description ) { + super(access, null, description); + ect = resp; + } + + // Override base behavior of checking Principal and trying another TAF + @Override + public RESP isAuthenticated() { + return ect; + } + + + public RESP authenticate() throws IOException { + return ect; + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java new file mode 100644 index 00000000..74bf805d --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java @@ -0,0 +1,62 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.util; + +import java.io.File; +import java.io.IOException; + +public interface Chmod { + public void chmod(File f) throws IOException; + + public static final Chmod to755 = new Chmod() { + public void chmod(File f) throws IOException { + f.setExecutable(true, false); + f.setExecutable(true, true); + f.setReadable(true, false); + f.setReadable(true, true); + f.setWritable(false, false); + f.setWritable(true, true); + } + }; + + public static final Chmod to644 = new Chmod() { + public void chmod(File f) throws IOException { + f.setExecutable(false, false); + f.setExecutable(false, true); + f.setReadable(true, false); + f.setReadable(true, true); + f.setWritable(false, false); + f.setWritable(true, true); + } + }; + + public static final Chmod to400 = new Chmod() { + public void chmod(File f) throws IOException { + f.setExecutable(false, false); + f.setExecutable(false, true); + f.setReadable(false, false); + f.setReadable(true, true); + f.setWritable(false, false); + f.setWritable(false, true); + } + }; +} \ No newline at end of file diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/FQI.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/FQI.java new file mode 100644 index 00000000..b953c871 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/FQI.java @@ -0,0 +1,51 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.util; + +public class FQI { + /** + * Take a Fully Qualified User, and get a Namespace from it. + * @param fqi + * @return + */ + public final static String reverseDomain(final String fqi) { + StringBuilder sb = null; + String[] split = Split.split('.',fqi); + int at; + for(int i=split.length-1;i>=0;--i) { + if(sb == null) { + sb = new StringBuilder(); + } else { + sb.append('.'); + } + + if((at = split[i].indexOf('@'))>0) { + sb.append(split[i].subSequence(at+1, split[i].length())); + } else { + sb.append(split[i]); + } + } + + return sb.toString(); + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java new file mode 100644 index 00000000..7b04942f --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java @@ -0,0 +1,89 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.util; + +import java.io.IOException; +import java.io.OutputStream; + +public class JsonOutputStream extends OutputStream { + private static final byte[] TWO_SPACE = " ".getBytes(); + private OutputStream os; + private boolean closeable; + private int indent = 0; + private int prev,ret=0; + + public JsonOutputStream(OutputStream os) { + // Don't close these, or dire consequences. + closeable = !os.equals(System.out) && !os.equals(System.err); + this.os = os; + } + + @Override + public void write(int b) throws IOException { + if(ret=='\n') { + ret = 0; + if(prev!=',' || (b!='{' && b!='[')) { + os.write('\n'); + for(int i=0;i=0?slash:str.length(); + int bits = slash>=0?Integer.parseInt(str.substring(slash+1)):32; + if(check && bits>32) { + throw new MaskFormatException("Invalid Mask Offset in IPV4 Address"); + } + int prev = 0; + long lbyte; + while(prev255 || lbyte<0)) { + throw new MaskFormatException("Invalid Byte in IPV4 Address"); + } + rv|=lbyte<>bits; + } + return rv; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Pool.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Pool.java new file mode 100644 index 00000000..d61aee21 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Pool.java @@ -0,0 +1,380 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +/* + * Pool + * + * Author: Jonathan + * 5/27/2011 + */ +package org.onap.aaf.cadi.util; + +import java.util.LinkedList; + +import org.onap.aaf.cadi.CadiException; + +/** + * This Class pools on an As-Needed-Basis any particular kind of class, which is + * quite suitable for expensive operations. + * + * The user calls "get" on a Pool, and if a waiting resource (T) is available, + * it will be returned. Otherwise, one will be created with the "Creator" class + * (must be defined for (T)). + * + * You can Prime the instances to avoid huge startup costs + * + * The returned "Pooled" object simply has to call "done()" and the object is + * returned to the pool. If the developer does not return the object, a memory + * leak does not occur. There are no references to the object once "get" is + * called. However, the developer who does not return the object when done + * obviates the point of the pool, as new Objects are created in place of the + * Object not returned when another call to "get" is made. + * + * There is a cushion of extra objects, currently defaulted to MAX_RANGE. If the + * items returned become higher than the MAX_RANGE, the object is allowed to go + * out of scope, and be cleaned up. the default can be changed on a per-pool + * basis. + * + * Class revamped for CadiExceptions and Access logging 10/4/2017 + * + * @author Jonathan + * + * @param + */ +public class Pool { + /** + * This is a constant which specified the default maximum number of unused + * objects to be held at any given time. + */ + private static final int MAX_RANGE = 6; // safety + + /** + * only Simple List needed. + * + * NOTE TO MAINTAINERS: THIS OBJECT DOES IT'S OWN SYNCHRONIZATION. All + * changes that touch list must account for correctly synchronizing list. + */ + private LinkedList> list; + + /** + * keep track of how many elements exist, to avoid asking list. + */ + private int count; + + /** + * Spares are those Object that are primed and ready to go. + */ + private int spares; + + /** + * Actual MAX number of spares allowed to hang around. Can be set to + * something besides the default MAX_RANGE. + */ + private int max_range = MAX_RANGE; + + /** + * The Creator for this particular pool. It must work for type T. + */ + private Creator creator; + + private Log logger; + + /** + * Create a new Pool, given the implementation of Creator, which must be + * able to create/destroy T objects at will. + * + * @param creator + */ + public Pool(Creator creator) { + count = spares = 0; + this.creator = creator; + list = new LinkedList>(); + logger = Log.NULL; + } + + /** + * Attach Pool Logging activities to any other Logging Mechanism. + * @param logger + */ + public void setLogger(Log logger) { + this.logger = logger; + } + + public void log(Object ...objects) { + logger.log(objects); + } + + /** + * Preallocate a certain number of T Objects. Useful for services so that + * the first transactions don't get hit with all the Object creation costs + * + * @param lt + * @param prime + * @throws CadiException + */ + public void prime(int prime) throws CadiException { + for (int i = 0; i < prime; ++i) { + Pooled pt = new Pooled(creator.create(), this); + synchronized (list) { + list.addFirst(pt); + ++count; + } + } + + } + + /** + * Destroy and remove all remaining objects. This is valuable for closing + * down all Allocated objects cleanly for exiting. It is also a good method + * for removing objects when, for instance, all Objects are invalid because + * of broken connections, etc. + */ + public void drain() { + synchronized (list) { + for (int i = 0; i < list.size(); ++i) { + Pooled pt = list.remove(); + creator.destroy(pt.content); + logger.log("Pool drained ", creator.toString()); + } + count = spares = 0; + } + + } + + /** + * This is the essential function for Pool. Get an Object "T" inside a + * "Pooled" object. If there is a spare Object, then use it. If not, then + * create and pass back. + * + * This one uses a Null LogTarget + * + * IMPORTANT: When the use of this object is done (and the object is still + * in a valid state), then "done()" should be called immediately to allow + * the object to be reused. That is the point of the Pool... + * + * If the Object is in an invalid state, then "toss()" should be used so the + * Pool doesn't pass on invalid objects to others. + * + * @param lt + * @return + * @throws CadiException + */ + public Pooled get() throws CadiException { + Pooled pt; + synchronized (list) { + if (list.isEmpty()) { + pt = null; + } else { + pt = list.removeLast(); + --count; + creator.reuse(pt.content); + } + } + if (pt == null) { + if (spares < max_range) + ++spares; + pt = new Pooled(creator.create(), this); + } else { + if (spares > 1) + --spares; + } + return pt; + } + + /** + * This function will validate whether the Objects are still in a usable + * state. If not, they are tossed from the Pool. This is valuable to have + * when Remote Connections go down, and there is a question on whether the + * Pooled Objects are still functional. + * + * @return + */ + public boolean validate() { + boolean rv = true; + synchronized (list) { + for (Pooled t : list) { + if (!creator.isValid(t.content)) { + rv = false; + t.toss(); + list.remove(t); + } + } + } + return rv; + } + + /** + * This is an internal method, used only by the Internal Pooled class. + * + * The Pooled class "offers" it's Object back after use. It is an + * "offer", because Pool will simply destroy and remove the object if it has + * more than enough spares. + * + * @param lt + * @param used + * @return + */ + // Used only by Pooled + private boolean offer(Pooled used) { + if (count < spares) { + synchronized (list) { + list.addFirst(used); + ++count; + } + logger.log("Pool recovered ", creator); + } else { + logger.log("Pool destroyed ", creator); + creator.destroy(used.content); + } + return false; + } + + /** + * The Creator Interface give the Pool the ability to Create, Destroy and + * Validate the Objects it is maintaining. Thus, it is a specially written + * Implementation for each type. + * + * @author Jonathan + * + * @param + */ + public interface Creator { + public T create() throws CadiException; + + public void destroy(T t); + + public boolean isValid(T t); + + public void reuse(T t); + } + + public interface Log { + public void log(Object ... o); + + public final static Log NULL = new Log() { + @Override + public void log(Object ... o) { + } + }; + } + /** + * The "Pooled" class is the transient class that wraps the actual Object + * T for API use/ It gives the ability to return ("done()", or "toss()") the + * Object to the Pool when processing is finished. + * + * For Safety, i.e. to avoid memory leaks and invalid Object States, there + * is a "finalize" method. It is strictly for when coder forgets to return + * the object, or perhaps hasn't covered the case during Exceptions or + * Runtime Exceptions with finally (preferred). This should not be + * considered normal procedure, as finalize() is called at an undetermined + * time during garbage collection, and is thus rather useless for a Pool. + * However, we don't want Coding Mistakes to put the whole program in an + * invalid state, so if something happened such that "done()" or "toss()" + * were not called, the resource is still cleaned up as well as possible. + * + * @author Jonathan + * + * @param + */ + public static class Pooled { + public final T content; + private Pool pool; + + /** + * Create the Wrapping Object Pooled. + * + * @param t + * @param pool + * @param logTarget + */ + public Pooled(T t, Pool pool) { + content = t; + this.pool = pool; + + } + + /** + * This is the key API for the Pool, as calling "done()" offers this + * object back to the Pool for reuse. + * + * Do not use the Pooled object again after calling "done()". + */ + public void done() { + if (pool != null) { + pool.offer(this); + } + } + + /** + * The user of the Object may discover that the Object t is no longer in + * a valid state. Don't put Garbage back in the Refrigerator... Toss it, + * if it's no longer valid. + * + * toss() is also used for draining the Pool, etc. + * + * toss() will attempt to destroy the Object by using the Creator + * Interface. + * + */ + public void toss() { + if (pool != null) { + pool.creator.destroy(content); + } + // Don't allow finalize to put it back in. + pool = null; + } + + /** + * Just in case someone neglected to offer back object... Do not rely on + * this, as there is no specific time when finalize is called, which + * rather defeats the purpose of a Pool. + */ + @Override + protected void finalize() throws Throwable { + if (pool != null) { + done(); + pool = null; + } + } + } + + /** + * Get the maximum number of spare objects allowed at any moment + * + * @return + */ + public int getMaxRange() { + return max_range; + } + + /** + * Set a Max Range for numbers of spare objects waiting to be used. + * + * No negative numbers are allowed + * + * @return + */ + public void setMaxRange(int max_range) { + // Do not allow negative numbers + this.max_range = Math.max(0, max_range); + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/Split.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Split.java new file mode 100644 index 00000000..3fa9a3f1 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/Split.java @@ -0,0 +1,114 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.util; + +/** + * Split by Char, optional Trim + * + * Note: Copied from Inno to avoid linking issues. + * Note: I read the String split and Pattern split code, and we can do this more efficiently for a single Character + * + * 8/20/2015 + */ + +public class Split { + public static String[] split(char c, String value) { + return split(c,value,0,value.length()); + } + + public static String[] split(char c, String value, int start, int end) { + if(value==null) { + return new String[0]; + } + + // Count items to preallocate Array (memory alloc is more expensive than counting twice) + int count,idx; + for(count=1,idx=value.indexOf(c,start);idx>=0 && idx=0 && idx=0 && idx=0 && idx=0 && count0) { + rv[++count]=value.substring(last,idx).trim(); + } else { + rv[++count]=value.substring(last).trim(); + } + } + return rv; + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java new file mode 100644 index 00000000..8d528119 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java @@ -0,0 +1,62 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.util; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStreamReader; + +// Substandard, because System.in doesn't do Passwords.. +public class SubStandardConsole implements MyConsole { + BufferedReader br = new BufferedReader(new InputStreamReader(System.in)); + @Override + public String readLine(String fmt, Object... args) { + String rv; + try { + System.out.printf(fmt,args); + rv = br.readLine(); + if(args.length==1 && rv.length()==0) { + rv = args[0].toString(); + } + } catch (IOException e) { + System.err.println("uh oh..."); + rv = ""; + } + return rv; + } + + @Override + public char[] readPassword(String fmt, Object... args) { + try { + System.out.printf(fmt,args); + return br.readLine().toCharArray(); + } catch (IOException e) { + System.err.println("uh oh..."); + return new char[0]; + } + } + + @Override + public void printf(String fmt, Object... args) { + System.out.printf(fmt, args); + } +} \ No newline at end of file diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java new file mode 100644 index 00000000..4c5d35b7 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java @@ -0,0 +1,47 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.util; + +public class TheConsole implements MyConsole { + @Override + public String readLine(String fmt, Object... args) { + String rv = System.console().readLine(fmt, args); + if(args.length>0 && args[0]!=null && rv.length()==0) { + rv = args[0].toString(); + } + return rv; + } + + @Override + public char[] readPassword(String fmt, Object... args) { + return System.console().readPassword(fmt, args); + } + + public static boolean implemented() { + return System.console()!=null; + } + + @Override + public void printf(String fmt, Object... args) { + System.console().printf(fmt, args); + } +} \ No newline at end of file diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java b/cadi/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java new file mode 100644 index 00000000..a8c0690f --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java @@ -0,0 +1,77 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.util; + +import org.onap.aaf.cadi.UserChain; + +public class UserChainManip { + /** + Build an element in the correct format for UserChain. + Format:::[:AS][,::]* + @see UserChain + */ + public static StringBuilder build(StringBuilder sb, String app, String id, UserChain.Protocol proto, boolean as) { + boolean mayAs; + if(!(mayAs=sb.length()==0)) { + sb.append(','); + } + sb.append(app); + sb.append(':'); + sb.append(id); + sb.append(':'); + sb.append(proto.name()); + if(as && mayAs) { + sb.append(":AS"); + } + return sb; + } + + public static String idToNS(String id) { + if(id==null) { + return ""; + } else { + StringBuilder sb = new StringBuilder(); + char c; + int end; + boolean first = true; + for(int idx = end = id.length()-1;idx>=0;--idx) { + if((c = id.charAt(idx))=='@' || c=='.') { + if(idx vars) { + String[] array = new String[vars.size()]; + StringBuilder sb = new StringBuilder(); + convert(sb,text,vars.toArray(array)); + return sb.toString(); + } + /** + * Convert a format string with "%s" into AT&T RESTful Error %1 %2 (number) format + * If "holder" is passed in, it is built with full Message extracted (typically for Logging) + * @param holder + * @param text + * @param vars + * @return + */ + public static String convert(final StringBuilder holder, final String text, final String ... vars) { + StringBuilder sb = null; + int idx,index=0,prev = 0; + + if(text.contains("%s")) { + sb = new StringBuilder(); + } + + StringBuilder[] sbs = new StringBuilder[] {sb,holder}; + boolean replace, clearIndex = false; + int c; + while((idx=text.indexOf('%',prev))>=0) { + replace = false; + if(clearIndex) { + index=0; + } + if(sb!=null) { + sb.append(text,prev,idx); + } + if(holder!=null) { + holder.append(text,prev,idx); + } + + boolean go = true; + while(go) { + if(text.length()>++idx) { + switch(c=text.charAt(idx)) { + case '0': case '1': case '2': case '3': case '4': + case '5': case '6': case '7': case '8': case '9': + index *=10; + index +=(c-'0'); + clearIndex=replace=true; + continue; + case 's': + ++index; + replace = true; + continue; + default: + break; + } + } + prev = idx; + go=false; + if(replace) { + if(sb!=null) { + sb.append('%'); + sb.append(index); + } + if(index<=vars.length) { + if(holder!=null) { + holder.append(vars[index-1]); + } + } + } else { + for(StringBuilder s : sbs) { + if(s!=null) { + s.append("%"); + } + } + } + } + } + + if(sb!=null) { + sb.append(text,prev,text.length()); + } + if(holder!=null) { + holder.append(text,prev,text.length()); + } + + return sb==null?text:sb.toString(); + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java new file mode 100644 index 00000000..dff18acd --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java @@ -0,0 +1,37 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.wsse; + +/** + * Interface to specify an action deep within a parsing tree on a local object + * + * We use a Generic so as to be flexible on create what that object actually is. This is passed in at the + * root "parse" call of Match. Similar to a "Visitor" Pattern, this object is passed upon reaching the right + * point in a parse tree. + * + * @author Jonathan + * + * @param + */ +interface Action { + public boolean content(OUTPUT output, String text); +} \ No newline at end of file diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java new file mode 100644 index 00000000..2582bc17 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java @@ -0,0 +1,130 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.wsse; + +import javax.xml.namespace.QName; +import javax.xml.stream.XMLStreamException; +import javax.xml.stream.events.XMLEvent; + +/** + * Match Class allows you to build an automatic Tree of StAX (or StAX like) + * Objects for frequent use. + * + * OBJECT is a type which you which to do some end Actions on, similar to a Visitor pattern, see Action + * + * Note: We have implemented with XReader and XEvent, rather than StAX for performance reasons. + * + * @see Action + * @see Match + * @see XEvent + * @see XReader + * + * @author Jonathan + * + * @param + */ +//@SuppressWarnings("restriction") +public class Match { + private QName qname; + private Match[] next; + private Match prev; + private Action action = null; + private boolean stopAfter; + private boolean exclusive; + + + @SafeVarargs + public Match(String ns, String name, Match ... next) { + this.qname = new QName(ns,name); + this.next = next; + stopAfter = exclusive = false; + for(Match m : next) { // add the possible tags to look for + if(!m.stopAfter)m.prev = this; + } + } + + public Match onMatch(OUTPUT output, XReader reader) throws XMLStreamException { + while(reader.hasNext()) { + XEvent event = reader.nextEvent(); + switch(event.getEventType()) { + case XMLEvent.START_ELEMENT: + QName e_qname = event.asStartElement().getName(); + //System.out.println("Start - " + e_qname); + boolean match = false; + for(Match m : next) { + if(e_qname.equals(m.qname)) { + match=true; + if(m.onMatch(output, reader)==null) { + return null; // short circuit Parsing + } + break; + } + } + if(exclusive && !match) // When Tag MUST be present, i.e. the Root Tag, versus info we're not interested in + return null; + break; + case XMLEvent.CHARACTERS: + //System.out.println("Data - " +event.asCharacters().getData()); + if(action!=null) { + if(!action.content(output,event.asCharacters().getData())) { + return null; + } + } + break; + case XMLEvent.END_ELEMENT: + //System.out.println("End - " + event.asEndElement().getName()); + if(event.asEndElement().getName().equals(qname)) { + return prev; + } + break; + case XMLEvent.END_DOCUMENT: + return null; // Exit Chain + } + } + return this; + } + + /** + * When this Matched Tag has completed, Stop parsing and end + * @return + */ + public Match stopAfter() { + stopAfter = true; + return this; + } + + /** + * Mark that this Object MUST be matched at this level or stop parsing and end + * + * @param action + * @return + */ + public Match exclusive() { + exclusive = true; + return this; + } + + public Match set(Action action) { + this.action = action; + return this; + } +} \ No newline at end of file diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java new file mode 100644 index 00000000..9e36c11f --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java @@ -0,0 +1,86 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.wsse; + +import java.io.IOException; +import java.io.InputStream; + +import javax.xml.stream.XMLStreamException; + +import org.onap.aaf.cadi.BasicCred; + + +/** + * WSSE Parser + * + * Read the User and Password from WSSE Formatted SOAP Messages + * + * This class uses StAX so that processing is stopped as soon as the Security User/Password are read into BasicCred, or the Header Ends + * + * This class is intended to be created once (or very few times) and reused as much as possible. + * + * It is as thread safe as StAX parsing is. + * + * @author Jonathan + */ +public class WSSEParser { + private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"; + private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; + private Match parseTree; + //private XMLInputFactory inputFactory; + + public WSSEParser() { + // soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/[wsse:Password&wsse:Username] + parseTree = new Match(SOAP_NS,"root", // need a root level to start from... Doesn't matter what the tag is + new Match(SOAP_NS,"Envelope", + new Match(SOAP_NS,"Header", + new Match(WSSE_NS,"Security", + new Match(WSSE_NS,"UsernameToken", + new Match(WSSE_NS,"Password").set(new Action() { + public boolean content(BasicCred bc,String text) { + bc.setCred(text.getBytes()); + return true; + } + }), + new Match(WSSE_NS,"Username").set(new Action() { + public boolean content(BasicCred bc,String text) { + bc.setUser(text); + return true; + } + }) + ).stopAfter() // if found, end when UsernameToken ends (no further processing needed) + ) + ).stopAfter() // Stop Processing when Header Ends + ).exclusive()// Envelope must match Header, and no other. FYI, Body comes after Header short circuits (see above), so it's ok + ).exclusive(); // root must be Envelope + //inputFactory = XMLInputFactory.newInstance(); + } + + public XMLStreamException parse(BasicCred bc, InputStream is) throws IOException { + try { + parseTree.onMatch(bc, new XReader(is)); + return null; + } catch (XMLStreamException e) { + return e; + } + } +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java new file mode 100644 index 00000000..12de366e --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java @@ -0,0 +1,135 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.wsse; + +import javax.xml.namespace.QName; +import javax.xml.stream.events.XMLEvent; + +/** + * XEvent + * + * This mechanism mimics a minimal portion of StAX "XMLEvent", enough to work with minimal XReader. + * + * We implement the same interface, as much as minimally necessary, as XMLEvent for these small usages so as to + * be interchangeable in the future, if so desired + * + * @author Jonathan + * + */ +// @SuppressWarnings("restriction") +public abstract class XEvent { + + public abstract int getEventType(); + + public StartElement asStartElement() { + return (StartElement)this; + } + + public Characters asCharacters() { + return (Characters)this; + } + + public EndElement asEndElement() { + return (EndElement)this; + } + + public static abstract class NamedXEvent extends XEvent { + private QName qname; + + public NamedXEvent(QName qname) { + this.qname = qname; + } + + public QName getName() { + return qname; + } + } + public static class StartElement extends NamedXEvent { + + public StartElement(String ns, String tag) { + super(new QName(ns,tag)); + } + + @Override + public int getEventType() { + return XMLEvent.START_ELEMENT; + } + } + + public static class EndElement extends NamedXEvent { + public EndElement(String ns, String tag) { + super(new QName(ns,tag)); + } + + @Override + public int getEventType() { + return XMLEvent.END_ELEMENT; + } + } + + public static class Characters extends XEvent { + private String data; + + public Characters(String data) { + this.data = data; + } + @Override + public int getEventType() { + return XMLEvent.CHARACTERS; + } + + public String getData() { + return data; + } + } + + public static class StartDocument extends XEvent { + + @Override + public int getEventType() { + return XMLEvent.START_DOCUMENT; + } + + } + + public static class EndDocument extends XEvent { + + @Override + public int getEventType() { + return XMLEvent.END_DOCUMENT; + } + + } + public static class Comment extends XEvent { + public final String value; + public Comment(String value) { + this.value = value; + } + + @Override + public int getEventType() { + return XMLEvent.COMMENT; + } + + } + +} diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java new file mode 100644 index 00000000..4e5048b8 --- /dev/null +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java @@ -0,0 +1,417 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package org.onap.aaf.cadi.wsse; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Stack; + +import javax.xml.stream.XMLStreamException; + +/** + * XReader + * This class works similarly as StAX, except StAX has more behavior than is needed. That would be ok, but + * StAX also was Buffering in their code in such as way as to read most if not all the incoming stream into memory, + * defeating the purpose of pre-reading only the Header + * + * This Reader does no back-tracking, but is able to create events based on syntax and given state only, leaving the + * Read-ahead mode of the InputStream up to the other classes. + * + * At this time, we only implement the important events, though if this is good enough, it could be expanded, perhaps to + * replace the original XMLReader from StAX. + * + * @author Jonathan + * + */ +// @SuppressWarnings("restriction") +public class XReader { + private XEvent curr,another; + private InputStream is; + private ByteArrayOutputStream baos; + private int state, count, last; + + private Stack> nsses; + + public XReader(InputStream is) { + this.is = is; + curr = another = null; + baos = new ByteArrayOutputStream(); + state = BEGIN_DOC; + count = 0; + nsses = new Stack>(); + } + + public boolean hasNext() throws XMLStreamException { + if(curr==null) { + curr = parse(); + } + return curr!=null; + } + + public XEvent nextEvent() { + XEvent xe = curr; + curr = null; + return xe; + } + + // + // State Flags + // + // Note: The State of parsing XML can be complicated. There are too many to cleanly keep in "booleans". Additionally, + // there are certain checks that can be better made with Bitwise operations within switches + // Keeping track of state this way also helps us to accomplish logic without storing any back characters except one + private final static int BEGIN_DOC= 0x000001; + private final static int DOC_TYPE= 0x000002; + private final static int QUESTION_F= 0x000004; + private final static int QUESTION = 0x000008; + private final static int START_TAG = 0x000010; + private final static int END_TAG = 0x000020; + private final static int VALUE= 0x000040; + private final static int COMMENT = 0x001000; + private final static int COMMENT_E = 0x002000; + private final static int COMMENT_D1 =0x010000; + private final static int COMMENT_D2 =0x020000; + private final static int COMMENT_D3 =0x040000; + private final static int COMMENT_D4 =0x080000; + // useful combined Comment states + private final static int IN_COMMENT=COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2; + private final static int COMPLETE_COMMENT = COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3|COMMENT_D4; + + + private XEvent parse() throws XMLStreamException { + Map nss = nsses.isEmpty()?null:nsses.peek(); + + XEvent rv; + if((rv=another)!=null) { // "another" is a tag that may have needed to be created, but not + // immediately returned. Save for next parse. If necessary, this could be turned into + // a FIFO storage, but a single reference is enough for now. + another = null; // "rv" is now set for the Event, and will be returned. Set to Null. + } else { + boolean go = true; + int c=0; + + try { + while(go && (c=is.read())>=0) { + ++count; + switch(c) { + case '<': // Tag is opening + state|=~BEGIN_DOC; // remove BEGIN_DOC flag, this is possibly an XML Doc + XEvent cxe = null; + if(baos.size()>0) { // If there are any characters between tags, we send as Character Event + String chars = baos.toString().trim(); // Trim out WhiteSpace before and after + if(chars.length()>0) { // don't send if Characters were only whitespace + cxe = new XEvent.Characters(chars); + baos.reset(); + go = false; + } + } + last = c; // make sure "last" character is set for use in "ParseTag" + Tag t = parseTag(); // call subroutine to process the tag as a unit + String ns; + switch(t.state&(START_TAG|END_TAG)) { + case START_TAG: + nss = getNss(nss,t); // Only Start Tags might have NS Attributes + // Get any NameSpace elements from tag. If there are, nss will become + // a new Map with all the previous NSs plus the new. This provides + // scoping behavior when used with the Stack + // drop through on purpose + case END_TAG: + ns = t.prefix==null?"":nss.get(t.prefix); // Get the namespace from prefix (if exists) + break; + default: + ns = ""; + } + if(ns==null) + throw new XMLStreamException("Invalid Namespace Prefix at " + count); + go = false; + switch(t.state) { // based on + case DOC_TYPE: + rv = new XEvent.StartDocument(); + break; + case COMMENT: + rv = new XEvent.Comment(t.value); + break; + case START_TAG: + rv = new XEvent.StartElement(ns,t.name); + nsses.push(nss); // Change potential scope for Namespace + break; + case END_TAG: + rv = new XEvent.EndElement(ns,t.name); + nss = nsses.pop(); // End potential scope for Namespace + break; + case START_TAG|END_TAG: // This tag is both start/end aka + rv = new XEvent.StartElement(ns,t.name); + if(last=='/')another = new XEvent.EndElement(ns,t.name); + } + if(cxe!=null) { // if there is a Character Event, it actually should go first. ow. + another = rv; // Make current Event the "another" or next event, and + rv = cxe; // send Character Event now + } + break; + case ' ': + case '\t': + case '\n': + if((state&BEGIN_DOC)==BEGIN_DOC) { // if Whitespace before doc, just ignore + break; + } + // fallthrough on purpose + default: + if((state&BEGIN_DOC)==BEGIN_DOC) { // if there is any data at the start other than XML Tag, it's not XML + throw new XMLStreamException("Parse Error: This is not an XML Doc"); + } + baos.write(c); // save off Characters + } + last = c; // Some processing needs to know what the last character was, aka Escaped characters... ex \" + } + } catch (IOException e) { + throw new XMLStreamException(e); // all errors parsing will be treated as XMLStreamErrors (like StAX) + } + if(c==-1 && (state&BEGIN_DOC)==BEGIN_DOC) { // Normally, end of stream is ok, however, we need to know if the + throw new XMLStreamException("Premature End of File"); // document isn't an XML document, so we throw exception if it + } // hasn't yet been determined to be an XML Doc + } + return rv; + } + + /** + * parseTag + * + * Parsing a Tag is somewhat complicated, so it's helpful to separate this process from the + * higher level Parsing effort + * @return + * @throws IOException + * @throws XMLStreamException + */ + private Tag parseTag() throws IOException, XMLStreamException { + Tag tag = null; + boolean go = true; + state = 0; + int c, quote=0; // If "quote" is 0, then we're not in a quote. We set ' (in pretag) or " in attribs accordingly to denote quoted + String prefix=null,name=null,value=null; + baos.reset(); + + while(go && (c=is.read())>=0) { + ++count; + if(quote!=0) { // If we're in a quote, we only end if we hit another quote of the same time, not preceded by \ + if(c==quote && last!='\\') { + quote=0; + } else { + baos.write(c); + } + } else if((state&COMMENT)==COMMENT) { // similar to Quote is being in a comment + switch(c) { + case '-': + switch(state) { // XML has a complicated Quote set... ... we keep track if each has been met with flags. + case COMMENT|COMMENT_E: + state|=COMMENT_D1; + break; + case COMMENT|COMMENT_E|COMMENT_D1: + state|=COMMENT_D2; + baos.reset(); // clear out "!--", it's a Comment + break; + case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2: + state|=COMMENT_D3; + baos.write(c); + break; + case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3: + state|=COMMENT_D4; + baos.write(c); + break; + } + break; + case '>': // Tag indicator has been found, do we have all the comment characters in line? + if((state&COMPLETE_COMMENT)==COMPLETE_COMMENT) { + byte ba[] = baos.toByteArray(); + tag = new Tag(null,null, new String(ba,0,ba.length-2)); + baos.reset(); + go = false; + break; + } + // fall through on purpose + default: + state&=~(COMMENT_D3|COMMENT_D4); + if((state&IN_COMMENT)!=IN_COMMENT) state&=~IN_COMMENT; // false alarm, it's not actually a comment + baos.write(c); + } + } else { // Normal Tag Processing loop + switch(c) { + case '?': + switch(state & (QUESTION_F|QUESTION)) { // Validate the state of Doc tag... + case QUESTION_F: + state |= DOC_TYPE; + state &= ~QUESTION_F; + break; + case 0: + state |=QUESTION_F; + break; + default: + throw new IOException("Bad character [?] at " + count); + } + break; + case '!': + if(last=='<') { + state|=COMMENT|COMMENT_E; // likely a comment, continue processing in Comment Loop + } + baos.write(c); + break; + case '/': + state|=(last=='<'?END_TAG:(END_TAG|START_TAG)); // end tag indicator , ,or both + break; + case ':': + prefix=baos.toString(); // prefix indicator + baos.reset(); + break; + case '=': // used in Attributes + name=baos.toString(); + baos.reset(); + state|=VALUE; + break; + case '>': // end the tag, which causes end of this subprocess as well as formulation of the found data + go = false; + // passthrough on purpose + case ' ': + case '\t': + case '\n': // white space indicates change in internal tag state, ex between name and between attributes + if((state&VALUE)==VALUE) { + value = baos.toString(); // we're in VALUE state, add characters to Value + } else if(name==null) { + name = baos.toString(); // we're in Name state (default) add characters to Name + } + baos.reset(); // we've assigned chars, reset buffer + if(name!=null) { // Name is not null, there's a tag in the offing here... + Tag t = new Tag(prefix,name,value); + if(tag==null) { // Set as the tag to return, if not exists + tag = t; + } else { // if we already have a Tag, then we'll treat this one as an attribute + tag.add(t); + } + } + prefix=name=value=null; // reset these values in case we loop for attributes. + break; + case '\'': // is the character one of two kinds of quote? + case '"': + if(last!='\\') { + quote=c; + break; + } + // Fallthrough ok + default: + baos.write(c); // write any unprocessed bytes into buffer + + } + } + last = c; + } + int type = state&(DOC_TYPE|COMMENT|END_TAG|START_TAG); // get just the Tag states and turn into Type for Tag + if(type==0) { + type=START_TAG; + } + tag.state|=type; // add the appropriate Tag States + return tag; + } + + /** + * getNSS + * + * If the tag contains some Namespace attributes, create a new nss from the passed in one, copy all into it, then add + * This provides Scoping behavior + * + * if Nss is null in the first place, create an new nss, so we don't have to deal with null Maps. + * + * @param nss + * @param t + * @return + */ + private Map getNss(Map nss, Tag t) { + Map newnss = null; + if(t.attribs!=null) { + for(Tag tag : t.attribs) { + if("xmlns".equals(tag.prefix)) { + if(newnss==null) { + newnss = new HashMap(); + if(nss!=null)newnss.putAll(nss); + } + newnss.put(tag.name, tag.value); + } + } + } + return newnss==null?(nss==null?new HashMap():nss):newnss; + } + + /** + * The result of the parseTag method + * + * Data is split up into prefix, name and value portions. "Tags" with Values that are inside a Tag are known in XLM + * as Attributes. + * + * @author Jonathan + * + */ + public class Tag { + public int state; + public String prefix,name,value; + public List attribs; + + public Tag(String prefix, String name, String value) { + this.prefix = prefix; + this.name = name; + this.value = value; + attribs = null; + } + + /** + * add an attribute + * Not all tags need attributes... lazy instantiate to save time and memory + * @param tag + */ + public void add(Tag attrib) { + if(attribs == null) { + attribs = new ArrayList(); + } + attribs.add(attrib); + } + + public String toString() { + StringBuffer sb = new StringBuffer(); + if(prefix!=null) { + sb.append(prefix); + sb.append(':'); + } + sb.append(name==null?"!!ERROR!!":name); + + char quote = ((state&DOC_TYPE)==DOC_TYPE)?'\'':'"'; + if(value!=null) { + sb.append('='); + sb.append(quote); + sb.append(value); + sb.append(quote); + } + return sb.toString(); + } + } + +} diff --git a/cadi/core/src/test/java/.gitignore b/cadi/core/src/test/java/.gitignore new file mode 100644 index 00000000..e69de29b diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_AES.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_AES.java new file mode 100644 index 00000000..4fb92429 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_AES.java @@ -0,0 +1,180 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static org.junit.Assert.*; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.lang.reflect.Field; +import java.nio.file.Files; +import java.nio.file.Paths; + +import javax.crypto.CipherInputStream; +import javax.crypto.CipherOutputStream; +import javax.crypto.SecretKey; + +import org.junit.Test; +import org.onap.aaf.cadi.AES; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Symm; +import org.junit.Before; + +public class JU_AES { + private AES aes; + private ByteArrayInputStream baisEncrypt; + private ByteArrayInputStream baisDecrypt; + private ByteArrayOutputStream baosEncrypt; + private ByteArrayOutputStream baosDecrypt; + + @Before + public void setup() throws Exception { + byte[] keyBytes = new byte[AES.AES_KEY_SIZE/8]; + char[] codeset = Symm.base64.codeset; + int offset = (Math.abs(codeset[0])+47)%(codeset.length-keyBytes.length); + for(int i=0;i 0; i <<= 1) { + assertFalse(Level.DEBUG.inMask(i)); + } + assertFalse(Level.DEBUG.inMask(0x80000000)); + + assertThat(Level.DEBUG.addToMask(0x2), is(0x3)); + assertThat(Level.DEBUG.delFromMask(0x1), is(0x0)); + assertThat(Level.DEBUG.toggle(0x2), is(0x3)); + assertThat(Level.DEBUG.toggle(0x1), is(0x0)); + assertThat(Level.DEBUG.maskOf(), is(57617)); + assertThat(Level.NONE.maskOf(), is(0)); + } + + @Test + public void nullTests() throws IOException { + // These are entirely for coverage + Access.NULL.log(Level.DEBUG); + Access.NULL.printf(Level.DEBUG, ""); + Access.NULL.log(new Exception()); + Access.NULL.classLoader(); + assertThat(Access.NULL.getProperty("", ""), is(nullValue())); + Access.NULL.load(System.in); + Access.NULL.setLogLevel(Level.DEBUG); + assertThat(Access.NULL.decrypt("test", true), is("test")); + assertFalse(Access.NULL.willLog(Level.DEBUG)); + assertThat(Access.NULL.getProperties(), is(not(nullValue()))); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Base64.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Base64.java new file mode 100644 index 00000000..801259d4 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Base64.java @@ -0,0 +1,92 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.security.SecureRandom; + +import org.junit.Test; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.config.Config; + +public class JU_Base64 { + private static final String encoding = "Man is distinguished, not only by his reason, but by this singular " + + "passion from other animals, which is a lust of the mind, that by a " + + "perseverance of delight in the continued and indefatigable generation of " + + "knowledge, exceeds the short vehemence of any carnal pleasure."; + + private static final String expected = + "TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz\n" + + "IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg\n" + + "dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu\n" + + "dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo\n" + + "ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4="; + + @Test + public void test() throws Exception { + // Test with different Padding + assertEncoded("leas", "bGVhcw=="); + assertEncoded("leasu", "bGVhc3U="); + assertEncoded("leasur", "bGVhc3Vy"); + assertEncoded("leasure", "bGVhc3VyZQ=="); + assertEncoded("leasure.", "bGVhc3VyZS4="); + + // Test with line ends + assertEncoded(encoding, expected); + } + + @Test + public void symmetric() throws IOException { + String symmetric = new String(Symm.keygen()); + Symm bsym = Symm.obtain(symmetric); + String result = bsym.encode(encoding); + assertThat(bsym.decode(result), is(encoding)); + + char[] manipulate = symmetric.toCharArray(); + int spot = new SecureRandom().nextInt(manipulate.length); + manipulate[spot]|=0xFF; + String newsymmetric = new String(manipulate); + assertThat(symmetric, is(not(newsymmetric))); + try { + bsym = Symm.obtain(newsymmetric); + result = bsym.decode(result); + assertThat(result, is(encoding)); + } catch (IOException e) { + // this is what we want to see if key wrong + } + } + + private void assertEncoded(String toEncode, String expected) throws IOException { + String result = Symm.base64.encode(toEncode); + assertThat(result, is(expected)); + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + Symm.base64.decode(new ByteArrayInputStream(result.getBytes()), baos); + result = baos.toString(Config.UTF_8); + assertThat(result, is(toEncode)); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedCadiWrap.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedCadiWrap.java new file mode 100644 index 00000000..172270da --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedCadiWrap.java @@ -0,0 +1,45 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi.test; + +import javax.servlet.http.HttpServletRequest; + +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; + +public class JU_BufferedCadiWrap { + @Mock + private HttpServletRequest request; + + @Before + public void setUp() throws Exception { + MockitoAnnotations.initMocks(this); + } + + @Test + public void constructorTest() { + // TODO: Ian - This will always fail beacuse the constructor is invalid + // BufferedCadiWrap bcw = new BufferedCadiWrap(request); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedServletInputStream.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedServletInputStream.java new file mode 100644 index 00000000..66ac3610 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedServletInputStream.java @@ -0,0 +1,320 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import java.io.ByteArrayInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.lang.reflect.*; +import junit.framework.Assert; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.onap.aaf.cadi.BufferedServletInputStream; + +import static junit.framework.Assert.assertEquals; + +public class JU_BufferedServletInputStream { + private BufferedServletInputStream bsis; + private String expected; + + @Before + public void setup() throws FileNotFoundException { + expected = new String("This is the expected output"); + bsis = new BufferedServletInputStream(new ByteArrayInputStream(expected.getBytes())); + } + + @After + public void tearDown() throws IOException { + bsis.close(); + } + + @Test + public void ByteReadNoMarkTest() throws Exception { + int c; + int i = 0; + byte output[] = new byte[100]; + while ((c = bsis.read()) != -1) { + output[i++] = (byte)c; + } + Assert.assertEquals(new String(output, 0, i), expected); + } + + @Test + public void ByteReadMarkTest() throws Exception { + bsis.mark(0); + int c; + int i = 0; + byte output[] = new byte[100]; + while ((c = bsis.read()) != -1) { + output[i++] = (byte)c; + } + Assert.assertEquals(new String(output, 0, i), expected); + } + + @Test + public void ByteReadStateIsStoreTest() throws Exception { + Field state_field = BufferedServletInputStream.class.getDeclaredField("state"); + state_field.setAccessible(true); + bsis.mark(0); + int c; + int i = 0; + byte output[] = new byte[100]; + while ((c = bsis.read()) != -1) { + output[i++] = (byte)c; + } + bsis.reset(); + Assert.assertEquals(state_field.get(bsis), 2); // state == READ + } + + @Test + public void ByteReadStateIsReadTest() throws Exception { + bsis.mark(0); // Initialize the capacitor + boolean isReset = false; + int c; + int i = 0; + byte output[] = new byte[100]; + while ((c = bsis.read()) != -1) { + output[i++] = (byte)c; + if ((i > 5) && !isReset) { + // Close the capacitor and start over. This is done for coverage purposes + i = 0; + isReset = true; + bsis.reset(); // Sets state to READ + } + } + Assert.assertEquals(new String(output, 0, i), expected); + } + + @Test + public void ByteReadStateIsNoneTest() throws Exception { + Field state_field = BufferedServletInputStream.class.getDeclaredField("state"); + state_field.setAccessible(true); + bsis.mark(0); // Initialize the capacitor + int c; + c = bsis.read(); + // Close the capacitor. This is done for coverage purposes + bsis.reset(); // Sets state to READ + state_field.setInt(bsis, 0); // state == NONE + c = bsis.read(); + Assert.assertEquals(c, -1); + } + + @Test + public void ByteArrayReadNoMarkTest() throws Exception { + byte output[] = new byte[100]; + int count = bsis.read(output, 0, expected.length()); + Assert.assertEquals(new String(output, 0, count), expected); + Assert.assertEquals(count, expected.length()); + } + + @Test + public void ByteArrayReadTest() throws Exception { + byte[] output = new byte[100]; + bsis.mark(0); + bsis.read(output); + Assert.assertEquals(new String(output, 0, expected.length()), expected); + } + + @Test + public void ByteArrayReadStateIsStoreTest() throws Exception { + byte output[] = new byte[100]; + bsis.mark(0); + int count = bsis.read(output, 0, expected.length()); + Assert.assertEquals(new String(output, 0, count), expected); + Assert.assertEquals(count, expected.length()); + + count = bsis.read(output, 0, 0); + Assert.assertEquals(count, -1); + } + + @Test + public void ByteArrayReadStateIsReadTest() throws Exception { + byte output[] = new byte[200]; + for(int i = 0; i < 2; ++i) { + bsis.mark(0); + bsis.read(output, 0, 100); + Assert.assertEquals(new String(output, 0, expected.length()), expected); + + bsis.reset(); + bsis.read(output, 0, output.length); + Assert.assertEquals(new String(output, 0, expected.length()), expected); + bsis = new BufferedServletInputStream(new ByteArrayInputStream(output)); + if(i == 0) { + output = new byte[200]; + } + } + + Assert.assertEquals(new String(output, 0, expected.length()), expected); + } + + @Test + public void ByteArrayReadStateIsNoneTest() throws Exception { + byte output[] = new byte[100]; + bsis.mark(0); + + Field state_field = BufferedServletInputStream.class.getDeclaredField("state"); + state_field.setAccessible(true); + state_field.setInt(bsis, 0); // state == NONE + + int count = bsis.read(output, 0, 100); + Assert.assertEquals(count, -1); + } + + @Test + public void skipTest() throws Exception { + byte output[] = new byte[100]; + bsis.mark(0); + bsis.read(output, 0, 10); + long count = bsis.skip(200); + // skip returns the number left _before_ skipping. that number starts at 256 + Assert.assertEquals(count, 246); + + count = bsis.skip(200); + Assert.assertEquals(count, 17); + } + + @Test + public void availableTest() throws Exception { + int count = bsis.available(); + Assert.assertEquals(count, 27); + bsis.mark(0); + count = bsis.available(); + Assert.assertEquals(count, 27); + } + + @Test + public void bufferedTest() throws Exception { + bsis.mark(0); + Assert.assertEquals(bsis.buffered(), 0); + } + + @Test + public void closeTest() throws Exception { + Field capacitor_field = BufferedServletInputStream.class.getDeclaredField("capacitor"); + capacitor_field.setAccessible(true); + bsis.mark(0); + Assert.assertNotNull(capacitor_field.get(bsis)); + bsis.close(); + Assert.assertNull(capacitor_field.get(bsis)); + } + + @Test + public void markTest() throws NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException { + Field state_field = BufferedServletInputStream.class.getDeclaredField("state"); + Field capacitor_field = BufferedServletInputStream.class.getDeclaredField("capacitor"); + capacitor_field.setAccessible(true); + state_field.setAccessible(true); + + // capacitor is null initially + Assert.assertNull(capacitor_field.get(bsis)); + + state_field.setInt(bsis, 0); // state == NONE + bsis.mark(0); // the value passed into mark is ignored + Assert.assertNotNull(capacitor_field.get(bsis)); + Assert.assertEquals(state_field.get(bsis), 1); // state == STORE + + state_field.setInt(bsis, 1); // state == STORE + bsis.mark(0); // the value passed into mark is ignored + Assert.assertEquals(state_field.get(bsis), 1); // state == STORE + + state_field.setInt(bsis, 2); // state == READ + bsis.mark(0); // the value passed into mark is ignored + Assert.assertEquals(state_field.get(bsis), 1); // state == STORE + } + + @Test + public void resetTest() throws Exception { + Field state_field = BufferedServletInputStream.class.getDeclaredField("state"); + state_field.setAccessible(true); + + bsis.mark(0); + Assert.assertEquals(state_field.get(bsis), 1); // state == STORE + bsis.reset(); + Assert.assertEquals(state_field.get(bsis), 2); // state == READ + bsis.reset(); + Assert.assertEquals(state_field.get(bsis), 2); // state == READ + + state_field.setInt(bsis, -1); // state is invalid + bsis.reset(); // This call does nothing. It is for coverage alone + Assert.assertEquals(state_field.get(bsis), -1); // state doesn't change + + try { + state_field.setInt(bsis, 0); // state == NONE + bsis.reset(); + } catch (IOException e) { + Assert.assertEquals(e.getMessage(), "InputStream has not been marked"); + } + } + + @Test + public void markSupportedTest() { + Assert.assertTrue(bsis.markSupported()); + } + + // "Bug" 4/22/2013 + // Some XML code expects Buffered InputStream can never return 0... This isn't actually true, but we'll accommodate as far + // as we can. + // Here, we make sure we set and read the Buffered data, making sure the buffer is empty on the last test... + @Test + public void issue04_22_2013() throws IOException { + String testString = "We want to read in and get out with a Buffered Stream seamlessly."; + ByteArrayInputStream bais = new ByteArrayInputStream(testString.getBytes()); + BufferedServletInputStream bsis = new BufferedServletInputStream(bais); + try { + bsis.mark(0); + byte aa[] = new byte[testString.length()]; // 65 count... important for our test (divisible by 5); + + int read; + for(int i=0;i=0;i+=read) { + read = bsis.read(bb,i,5); + switch(i) { + case 65: + assertEquals(read,-1); + break; + default: + assertEquals(read,5); + } + } + // System.out.println(new String(bb)); + assertEquals(testString,new String(aa)); + assertEquals(testString,new String(bb)); + + } finally { + bsis.close(); + bais.close(); + } + + } + + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiExceptionTest.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiExceptionTest.java new file mode 100644 index 00000000..03b20375 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiExceptionTest.java @@ -0,0 +1,121 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static org.junit.Assert.*; + +import org.junit.Test; +import org.onap.aaf.cadi.CadiException; + +import static org.hamcrest.CoreMatchers.is; + +public class JU_CadiExceptionTest { + @Test + public void testCadiException() { + CadiException exception = new CadiException(); + + assertNotNull(exception); + } + + @Test + public void testCadiExceptionString() { + CadiException exception = new CadiException("New Exception"); + assertNotNull(exception); + assertThat(exception.getMessage(), is("New Exception")); + } + + @Test + public void testCadiExceptionThrowable() { + CadiException exception = new CadiException(new Throwable("New Exception")); + assertNotNull(exception); + assertThat(exception.getMessage(), is("java.lang.Throwable: New Exception")); + } + + @Test + public void testCadiExceptionStringThrowable() { + CadiException exception = new CadiException("New Exception",new Throwable("New Exception")); + assertNotNull(exception); + assertThat(exception.getMessage(), is("New Exception")); + + } + + @Test + public void testCadiException1() { + CadiException exception = new CadiException(); + + assertNotNull(exception); + } + + @Test + public void testCadiExceptionString1() { + CadiException exception = new CadiException("New Exception"); + assertNotNull(exception); + assertThat(exception.getMessage(), is("New Exception")); + } + + @Test + public void testCadiExceptionThrowable1() { + CadiException exception = new CadiException(new Throwable("New Exception")); + assertNotNull(exception); + assertThat(exception.getMessage(), is("java.lang.Throwable: New Exception")); + } + + @Test + public void testCadiExceptionStringThrowable1() { + CadiException exception = new CadiException("New Exception",new Throwable("New Exception")); + assertNotNull(exception); + assertThat(exception.getMessage(), is("New Exception")); + + } + + @Test + public void testCadiException2() { + CadiException exception = new CadiException(); + + assertNotNull(exception); + } + + @Test + public void testCadiExceptionString2() { + CadiException exception = new CadiException("New Exception"); + assertNotNull(exception); + assertThat(exception.getMessage(), is("New Exception")); + } + + @Test + public void testCadiExceptionThrowable2() { + CadiException exception = new CadiException(new Throwable("New Exception")); + assertNotNull(exception); + assertThat(exception.getMessage(), is("java.lang.Throwable: New Exception")); + } + + @Test + public void testCadiExceptionStringThrowable2() { + CadiException exception = new CadiException("New Exception",new Throwable("New Exception")); + assertNotNull(exception); + assertThat(exception.getMessage(), is("New Exception")); + + } + + + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiWrapTest.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiWrapTest.java new file mode 100644 index 00000000..14b2999a --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CadiWrapTest.java @@ -0,0 +1,155 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.mockito.Matchers.isA; +import static org.mockito.Mockito.when; + +import java.security.Principal; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; + +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.CachingLur; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.CadiWrap; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.User; +import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.filter.MapPermConverter; +import org.onap.aaf.cadi.lur.EpiLur; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.taf.TafResp; + +public class JU_CadiWrapTest { + + @Mock + private HttpServletRequest request; + + @Mock + private TafResp tafResp; + + @Mock + private TaggedPrincipal principle; + + @Mock + private Lur lur; + + @Before + public void setUp() throws Exception { + MockitoAnnotations.initMocks(this); + } + + @Test + public void testInstantiate() throws CadiException { + Access a = new PropAccess(); + when(tafResp.getAccess()).thenReturn(a); + + lur.fishAll(isA(Principal.class), isA(List.class)); + + EpiLur lur1 = new EpiLur(lur); + + CadiWrap wrap = new CadiWrap(request, tafResp, lur1); + + assertNull(wrap.getUserPrincipal()); + assertNull(wrap.getRemoteUser()); + assertNull(wrap.getUser()); + assertEquals(wrap.getPermissions(principle).size(), 0); + assertTrue(wrap.access() instanceof PropAccess); + + byte[] arr = {'1','2'}; + wrap.setCred(arr); + + assertEquals(arr, wrap.getCred()); + + wrap.setUser("User1"); + assertEquals("User1", wrap.getUser()); + + wrap.invalidate("1"); + + assertFalse(wrap.isUserInRole(null)); + + wrap.set(tafResp, lur); + + wrap.invalidate("2"); + + wrap.isUserInRole("User1"); + } + + @Test + public void testInstantiateWithPermConverter() throws CadiException { + Access a = new PropAccess(); + when(tafResp.getAccess()).thenReturn(a); + when(tafResp.getPrincipal()).thenReturn(principle); + + // Anonymous object for testing purposes + CachingLur lur1 = new CachingLur() { + @Override public Permission createPerm(String p) { return null; } + @Override public boolean fish(Principal bait, Permission pond) { return true; } + @Override public void fishAll(Principal bait, List permissions) { } + @Override public void destroy() { } + @Override public boolean handlesExclusively(Permission pond) { return false; } + @Override public boolean handles(Principal principal) { return false; } + @Override public void remove(String user) { } + @Override public Resp reload(User user) { return null; } + @Override public void setDebug(String commaDelimIDsOrNull) { } + @Override public void clear(Principal p, StringBuilder sb) { } + }; + + MapPermConverter pc = new MapPermConverter(); + + CadiWrap wrap = new CadiWrap(request, tafResp, lur1, pc); + + assertNotNull(wrap.getUserPrincipal()); + assertNull(wrap.getRemoteUser()); + assertNull(wrap.getUser()); + + byte[] arr = {'1','2'}; + wrap.setCred(arr); + + assertEquals(arr, wrap.getCred()); + + wrap.setUser("User1"); + assertEquals("User1", wrap.getUser()); + + wrap.invalidate("1"); + wrap.setPermConverter(new MapPermConverter()); + + assertTrue(wrap.getLur() instanceof CachingLur); + assertTrue(wrap.isUserInRole("User1")); + + wrap.set(tafResp, lur); + assertFalse(wrap.isUserInRole("Perm1")); + } +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Capacitor.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Capacitor.java new file mode 100644 index 00000000..e9bceccd --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Capacitor.java @@ -0,0 +1,155 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static junit.framework.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; + +import org.junit.Before; +import org.junit.Test; +import org.onap.aaf.cadi.Capacitor; + +import java.lang.reflect.*; + +public class JU_Capacitor { + private Capacitor cap; + public final static String TEST_DATA = + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + + "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" + + "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc" + + "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd" + + "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" + + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"; + + @Before + public void setup() { + cap = new Capacitor(); + } + + @Test + public void singleByteTest() throws Exception { + assertEquals(cap.read(), -1); + cap.setForRead(); + Field curr_field = Capacitor.class.getDeclaredField("curr"); + curr_field.setAccessible(true); + Field idx_field = Capacitor.class.getDeclaredField("idx"); + idx_field.setAccessible(true); + assertNull(curr_field.get(cap)); + assertEquals(idx_field.get(cap), 0); + + for(int iter = 0; iter < 20; ++iter) { + for(int i = 0; i < 20; ++i) { + cap.put((byte)('a' + i)); + } + cap.setForRead(); + byte[] array = new byte[20]; + for(int i = 0; i < 20; ++i) { + array[i]=(byte)cap.read(); + } + assertEquals("abcdefghijklmnopqrst", new String(array)); + assertEquals(-1, cap.read()); + + cap.done(); + } + + for(int i = 0; i < 500; i++) { + cap.put((byte)'a'); + } + cap.setForRead(); + byte[] array = new byte[500]; + for(int i = 0; i < 500; ++i) { + array[i]=(byte)cap.read(); + } + assertEquals((new String(array)).length(), 500); + assertEquals(-1, cap.read()); + } + + @Test + public void availableTest() { + assertEquals(cap.available(), 0); + for(int i = 0; i < 100; ++i) { + cap.put((byte)'a'); + } + // The Capacitor can hold 256 bytes. After reading 100 bytes, + // it should have 156 available + assertEquals(cap.available(), 156); + } + + @Test + public void byteArrayTest() { + byte[] arrayA = TEST_DATA.getBytes(); + assertEquals(cap.read(arrayA, 0, arrayA.length), -1); + + cap.put(arrayA, 0, arrayA.length); + + byte[] arrayB = new byte[arrayA.length]; + cap.setForRead(); + assertEquals(arrayA.length, cap.read(arrayB, 0, arrayB.length)); + assertEquals(TEST_DATA, new String(arrayB)); + assertEquals(-1, cap.read()); + cap.done(); + + String b = "This is some content that we want to read"; + byte[] a = b.getBytes(); + byte[] c = new byte[b.length()]; // we want to use this to test reading offsets, etc + + for(int i = 0; i < a.length; i += 11) { + cap.put(a, i, Math.min(11, a.length-i)); + } + cap.reset(); + int read; + for(int i = 0; i < c.length; i += read) { + read = cap.read(c, i, Math.min(3, c.length-i)); + } + assertEquals(b, new String(c)); + } + + @Test + public void resetTest() throws Exception { + cap.reset(); + Field curr_field = Capacitor.class.getDeclaredField("curr"); + curr_field.setAccessible(true); + Field idx_field = Capacitor.class.getDeclaredField("idx"); + idx_field.setAccessible(true); + assertNull(curr_field.get(cap)); + assertEquals(idx_field.get(cap), 0); + + cap.put((byte)'a'); + cap.reset(); + assertNotNull(curr_field.get(cap)); + assertEquals(idx_field.get(cap), 1); + } + + @Test + public void skipTest() throws Exception { + // capacitor can't skip if nothing has been put into it + assertEquals(cap.skip(10), 0); + cap.put((byte)'a'); + // The Capacitor can hold 256 bytes. If we try to skip 100 bytes, + // it should only skip 1 byte, leaving 255 remaining + assertEquals(cap.skip(100), 255); + + // Skipping 200 bytes leaves 0 remaining + assertEquals(cap.skip(200), 0); + } +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java new file mode 100644 index 00000000..5da67ce0 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_CmdLine.java @@ -0,0 +1,273 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static org.mockito.Matchers.*; +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; +import org.mockito.*; +import static org.mockito.Mockito.*; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.io.PrintStream; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.util.Properties; + +import org.onap.aaf.cadi.CmdLine; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Symm; + +public class JU_CmdLine { + + @Mock + private OutputStream thrower; + + private final ByteArrayOutputStream outContent = new ByteArrayOutputStream(); + + private String password; + private String keyfile; + private String quickBrownFoxPlain = "The quick brown fox jumps over the lazy dog"; + private String quickBrownFoxMD5 = "0x9e107d9d372bb6826bd81d3542a419d6"; + private String quickBrownFoxSHA256 = "0xd7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"; + private Symm symm; + + @Before + public void setup() throws Exception { + MockitoAnnotations.initMocks(this); + + System.setOut(new PrintStream(outContent)); + + Properties p = new Properties(); + p.setProperty("force_exit", "false"); + + CmdLine.access = new PropAccess(p); + + password = "password"; + keyfile = "test/keyfile"; + + FileInputStream fis = new FileInputStream(keyfile); + try { + symm = Symm.obtain(fis); + } finally { + fis.close(); + } + } + + @After + public void restoreStreams() throws IOException { + System.setOut(System.out); + System.setIn(System.in); + } + + @Test + public void digestTest() throws Exception { + CmdLine.main(new String[]{"digest", password, keyfile}); + String decrypted = symm.depass(outContent.toString()); + assertThat(decrypted, is(password)); + + System.setIn(new ByteArrayInputStream(password.getBytes())); + CmdLine.main(new String[]{"digest", "-i", keyfile}); + decrypted = symm.depass(outContent.toString()); + assertThat(decrypted, is(password)); + } + + @Test + public void regurgitateTest() { + // TODO: We may still want to remove the regurgitate functionality + // from the CmdLine - Ian + fail("Tests not yet implemented"); + } + + @Test + public void encode64Test() throws Exception { + CmdLine.main(new String[]{"encode64", password}); + String decrypted = Symm.base64.decode(outContent.toString()); + assertThat(decrypted, is(password)); + } + + @Test + public void decode64Test() throws Exception { + String encrypted = Symm.base64.encode(password); + CmdLine.main(new String[]{"decode64", encrypted}); + assertThat(outContent.toString(), is(password + "\n")); + } + + @Test + public void encode64urlTest() throws Exception { + CmdLine.main(new String[]{"encode64url", password}); + String decrypted = Symm.base64url.decode(outContent.toString()); + assertThat(decrypted, is(password)); + } + + @Test + public void decode64urlTest() throws Exception { + String encrypted = Symm.base64url.encode(password); + CmdLine.main(new String[]{"decode64url", encrypted}); + assertThat(outContent.toString(), is(password + "\n")); + } + + @Test + public void md5Test() throws Exception { + CmdLine.main(new String[]{"md5", quickBrownFoxPlain}); + assertThat(outContent.toString(), is(quickBrownFoxMD5 + "\n")); + } + + @Test + public void sha256Test() throws Exception { + CmdLine.main(new String[]{"sha256", quickBrownFoxPlain}); + assertThat(outContent.toString(), is(quickBrownFoxSHA256 + "\n")); + + outContent.reset(); + CmdLine.main(new String[]{"sha256", quickBrownFoxPlain, "10"}); + String hash1 = outContent.toString(); + + outContent.reset(); + CmdLine.main(new String[]{"sha256", quickBrownFoxPlain, "10"}); + String hash2 = outContent.toString(); + + outContent.reset(); + CmdLine.main(new String[]{"sha256", quickBrownFoxPlain, "11"}); + String hash3 = outContent.toString(); + + assertThat(hash1, is(hash2)); + assertThat(hash1, is(not(hash3))); + } + + @Test + public void keygenTest() throws Exception { + CmdLine.main(new String[]{"keygen"}); + assertThat(outContent.toString().length(), is(2074)); + + String filePath = "test/output_key"; + CmdLine.main(new String[]{"keygen", filePath}); + File keyfile = new File(filePath); + assertTrue(Files.isReadable(Paths.get(filePath))); + assertFalse(Files.isWritable(Paths.get(filePath))); + assertFalse(Files.isExecutable(Paths.get(filePath))); + keyfile.delete(); + } + + @Test + public void passgenTest() throws Exception { + CmdLine.main(new String[]{"passgen"}); + String output = outContent.toString().trim(); + assertThat(output.length(), is(24)); + assertTrue(containsAny(output, "+!@#$%^&*(){}[]?:;,.")); + assertTrue(containsAny(output, "ABCDEFGHIJKLMNOPQRSTUVWXYZ")); + assertTrue(containsAny(output, "abcdefghijklmnopqrstuvwxyz")); + assertTrue(containsAny(output, "0123456789")); + + int length = 10; + outContent.reset(); + CmdLine.main(new String[]{"passgen", String.valueOf(length)}); + output = outContent.toString().trim(); + assertThat(output.length(), is(length)); + + length = 5; + outContent.reset(); + CmdLine.main(new String[]{"passgen", String.valueOf(length)}); + output = outContent.toString().trim(); + assertThat(output.length(), is(8)); + + // Check that the custom hasRepeats method works + assertTrue(hasRepeats("aa")); + assertTrue(hasRepeats("baa")); + assertTrue(hasRepeats("aab")); + assertTrue(hasRepeats("baab")); + assertFalse(hasRepeats("abc")); + assertFalse(hasRepeats("aba")); + + // Run this a bunch of times for coverage + for (int i = 0; i < 1000; i++) { + outContent.reset(); + CmdLine.main(new String[]{"passgen"}); + output = outContent.toString().trim(); + assertFalse(hasRepeats(output)); + } + } + + @Test + public void urlgenTest() throws Exception { + CmdLine.main(new String[]{"urlgen"}); + String output = outContent.toString().trim(); + assertThat(output.length(), is(24)); + + int length = 5; + outContent.reset(); + CmdLine.main(new String[]{"urlgen", String.valueOf(length)}); + output = outContent.toString().trim(); + assertThat(output.length(), is(5)); + } + + @Test + public void showHelpTest() { + String expected = + "Usage: java -jar ...\n" + + " keygen [] (Generates Key on file, or Std Out)\n" + + " digest [|-i|] (Encrypts Password with \"keyfile\"\n" + + " if passwd = -i, will read StdIin\n" + + " if passwd is blank, will ask securely)\n" + + " passgen (Generate Password of given size)\n" + + " urlgen (Generate URL field of given size)\n" + + " csptest (Tests for CSP compatibility)\n" + + " encode64 (Encodes to Base64)\n" + + " decode64 (Decodes from Base64)\n" + + " encode64url (Encodes to Base64 URL charset)\n" + + " decode64url (Decodes from Base64 URL charset)\n" + + " sha256 (Digest String into SHA256 Hash)\n" + + " md5 (Digest String into MD5 Hash)\n"; + + CmdLine.main(new String[]{}); + + assertThat(outContent.toString(), is(expected)); + } + + private boolean containsAny(String str, String searchChars) { + for (char c : searchChars.toCharArray()) { + if (str.indexOf(c) >= 0) { + return true; + } + } + return false; + } + + private boolean hasRepeats(String str) { + int c = -1; + int last; + for (int i = 0; i < str.length(); i++) { + last = c; + c = str.charAt(i); + if (c == last) { + return true; + } + } + return false; + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Hash.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Hash.java new file mode 100644 index 00000000..f5c4d872 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Hash.java @@ -0,0 +1,210 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import org.junit.Test; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.Hash; + +import static org.junit.Assert.*; + +import org.junit.BeforeClass; + +import static org.hamcrest.CoreMatchers.*; + +public class JU_Hash { + // Some common test vectors + private String quickBrownFoxVector = "The quick brown fox jumps over the lazy dog"; + private String quickBrownFoxMD5 = "0x9e107d9d372bb6826bd81d3542a419d6"; + private String quickBrownFoxSHA256 = "0xd7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"; + + private String emptyVector = ""; + private String emptyMD5 = "0xd41d8cd98f00b204e9800998ecf8427e"; + private String emptySHA256 = "0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"; + + + private byte[] same1 = "this is a twin".getBytes(); + private byte[] same2 = "this is a twin".getBytes(); + private byte[] different1 = "guvf vf n gjva".getBytes(); + private byte[] different2 = "this is an only child".getBytes(); + + + private String uppersDec = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; + private String uppersHex1 = "0x4142434445464748494A4B4C4D4E4F505152535455565758595A"; + private String uppersHex2 = "0x4142434445464748494a4b4c4d4e4f505152535455565758595a"; + private String uppersHexNo0x1 = "4142434445464748494a4b4c4d4e4f505152535455565758595a"; + private String uppersHexNo0x2 = "4142434445464748494A4B4C4D4E4F505152535455565758595A"; + + private String lowersDec = "abcdefghijklmnopqrstuvwxyz"; + private String lowersHex = "0x6162636465666768696a6b6c6d6e6f707172737475767778797a"; + private String lowersHexNo0x1 = "6162636465666768696a6b6c6d6e6f707172737475767778797a"; + private String lowersHexNo0x2 = "6162636465666768696A6B6C6D6E6F707172737475767778797A"; + + private String numbersDec = "1234567890"; + private String numbersHex = "0x31323334353637383930"; + private String numbersHexNo0x = "31323334353637383930"; + + @SuppressWarnings("unused") + @BeforeClass + public static void getCoverage() { + // All of this class's methods are static, so we never need to instantiate an object. + // That said, we can't get 100% coverage unless we instantiate one + Hash hash = new Hash(); + } + + @Test + public void hashMD5Test() throws Exception { + byte[] output = Hash.hashMD5(quickBrownFoxVector.getBytes()); + assertEquals(quickBrownFoxMD5, new String(Hash.toHex(output))); + + output = Hash.hashMD5(emptyVector.getBytes()); + assertEquals(emptyMD5, new String(Hash.toHex(output))); + } + + @Test + public void hashMD5WithOffsetTest() throws Exception { + byte[] output = Hash.hashMD5(quickBrownFoxVector.getBytes(), 0, quickBrownFoxVector.length()); + assertEquals(quickBrownFoxMD5, new String(Hash.toHex(output))); + + output = Hash.hashMD5(emptyVector.getBytes(), 0, emptyVector.length()); + assertEquals(emptyMD5, new String(Hash.toHex(output))); + } + + @Test + public void hashMD5AsStringHexTest() throws Exception { + String output = Hash.hashMD5asStringHex(quickBrownFoxVector); + assertEquals(quickBrownFoxMD5, output); + + output = Hash.hashMD5asStringHex(emptyVector); + assertEquals(emptyMD5, output); + } + + @Test + public void hashSHA256Test() throws Exception { + byte[] output = Hash.hashSHA256(quickBrownFoxVector.getBytes()); + assertEquals(quickBrownFoxSHA256, new String(Hash.toHex(output))); + + output = Hash.hashSHA256(emptyVector.getBytes()); + assertEquals(emptySHA256, new String(Hash.toHex(output))); + } + + @Test + public void hashSHA256WithOffsetTest() throws Exception { + byte[] output = Hash.hashSHA256(quickBrownFoxVector.getBytes(), 0, quickBrownFoxVector.length()); + assertEquals(quickBrownFoxSHA256, new String(Hash.toHex(output))); + + output = Hash.hashSHA256(emptyVector.getBytes(), 0, emptyVector.length()); + assertEquals(emptySHA256, new String(Hash.toHex(output))); + } + + @Test + public void hashSHA256AsStringHexTest() throws Exception { + String output = Hash.hashSHA256asStringHex(quickBrownFoxVector); + assertEquals(quickBrownFoxSHA256, output); + + output = Hash.hashSHA256asStringHex(emptyVector); + assertEquals(emptySHA256, output); + } + + @Test + public void hashSaltySHA256AsStringHexTest() throws Exception { + String input = "password"; + String hash1 = Hash.hashSHA256asStringHex(input, 10); + String hash2 = Hash.hashSHA256asStringHex(input, 10); + String hash3 = Hash.hashSHA256asStringHex(input, 11); + + assertEquals(hash1, hash2); + assertThat(hash1, not(equalTo(hash3))); + } + + @Test + public void isEqualTest() throws Exception { + assertTrue(Hash.isEqual(same1, same2)); + assertFalse(Hash.isEqual(same1, different1)); + assertFalse(Hash.isEqual(same1, different2)); + } + + @Test + public void compareToTest() throws Exception { + assertEquals(0, Hash.compareTo(same1, same2)); + // different1 is rot13(same1), so the difference should be 13 + assertEquals(13, Hash.compareTo(same1, different1)); + assertEquals(-78, Hash.compareTo(same1, different2)); + } + + @Test + public void toHexNo0xTest() throws Exception { + assertEquals(uppersHexNo0x1, Hash.toHexNo0x(uppersDec.getBytes())); + assertEquals(lowersHexNo0x1, Hash.toHexNo0x(lowersDec.getBytes())); + assertEquals(numbersHexNo0x, Hash.toHexNo0x(numbersDec.getBytes())); + } + + @Test + public void toHexTest() throws Exception { + assertEquals(uppersHex2, Hash.toHex(uppersDec.getBytes())); + assertEquals(lowersHex, Hash.toHex(lowersDec.getBytes())); + assertEquals(numbersHex, Hash.toHex(numbersDec.getBytes())); + } + + @Test + public void toHexWithOffset() throws Exception { + assertEquals(uppersHex2, Hash.toHex(uppersDec.getBytes(), 0, uppersDec.length())); + assertEquals(lowersHex, Hash.toHex(lowersDec.getBytes(), 0, lowersDec.length())); + assertEquals(numbersHex, Hash.toHex(numbersDec.getBytes(), 0, numbersDec.length())); + } + + @Test + public void fromHexTest() throws Exception { + assertEquals(uppersDec, new String(Hash.fromHex(uppersHex1))); + assertEquals(lowersDec, new String(Hash.fromHex(lowersHex))); + assertEquals(numbersDec, new String(Hash.fromHex(numbersHex))); + + try { + // This string doesn't begin with "0x" + Hash.fromHex("0X65"); + fail("Should have thrown CadiException"); + } catch (CadiException e) { + assertEquals("HexString must start with \"0x\"", e.getMessage()); + } + + try { + // This string has invalid hex characters + Hash.fromHex("0xQ"); + fail("Should have thrown CadiException"); + } catch (CadiException e) { + // 81 is dec(Q) + assertEquals("Invalid char '81' in HexString", e.getMessage()); + } + } + + @Test + public void fromHexNo0xTest() throws Exception { + assertEquals(uppersDec, new String(Hash.fromHexNo0x(uppersHexNo0x1))); + assertEquals(lowersDec, new String(Hash.fromHexNo0x(lowersHexNo0x1))); + assertEquals(uppersDec, new String(Hash.fromHexNo0x(uppersHexNo0x2))); + assertEquals(lowersDec, new String(Hash.fromHexNo0x(lowersHexNo0x2))); + assertEquals(numbersDec, new String(Hash.fromHexNo0x(numbersHexNo0x))); + byte[] output = Hash.fromHexNo0x("ABC"); + assertEquals(new String(new byte[] {(byte)0x0A, (byte)0xB0}), new String(output)); + assertNull(Hash.fromHexNo0x("~~")); + } +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_LocatorException.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_LocatorException.java new file mode 100644 index 00000000..96cf8e51 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_LocatorException.java @@ -0,0 +1,60 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static org.junit.Assert.*; + +import org.junit.Test; +import org.onap.aaf.cadi.LocatorException; + +import static org.hamcrest.CoreMatchers.is; + +public class JU_LocatorException { + @Test + public void stringTest() { + LocatorException exception = new LocatorException("New Exception"); + assertNotNull(exception); + assertThat(exception.getMessage(), is("New Exception")); + } + + @Test + public void throwableTest() { + LocatorException exception = new LocatorException(new Throwable("New Exception")); + assertNotNull(exception); + assertThat(exception.getMessage(), is("java.lang.Throwable: New Exception")); + } + + @Test + public void stringThrowableTest() { + LocatorException exception = new LocatorException("New Exception",new Throwable("New Exception")); + assertNotNull(exception); + assertThat(exception.getMessage(), is("New Exception")); + } + + @Test + public void characterSequenceTest() { + CharSequence testCS = new String("New Exception"); + LocatorException exception = new LocatorException(testCS); + assertNotNull(exception); + assertThat(exception.getMessage(), is("New Exception")); + } +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_PropAccess.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_PropAccess.java new file mode 100644 index 00000000..d74648a4 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_PropAccess.java @@ -0,0 +1,151 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static org.junit.Assert.*; +import org.junit.Test; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.PropAccess.LogIt; + +import static org.mockito.Mockito.*; +import static org.hamcrest.CoreMatchers.*; + +import java.lang.reflect.Field; + +import java.io.ByteArrayInputStream; +import java.io.PrintStream; +import java.util.Properties; + +@SuppressWarnings("unused") +public class JU_PropAccess { + // Note: We can't actually get coverage of the protected constructor - + // that will be done later, when testing the child class "ServletContextAccess" + + + @Test + public void ConstructorTest() throws Exception { + PropAccess prop = new PropAccess(); + assertThat(prop.getProperties(), is(not(nullValue()))); + } + + @Test + public void noPrintStreamConstructionTest() throws Exception { + // Test for coverage + PropAccess prop = new PropAccess((PrintStream)null, new String[]{"Invalid argument"}); + } + + @Test + public void noLogItConstructionTest() throws Exception { + // Test for coverage + PropAccess prop = new PropAccess((LogIt)null, new String[]{"Invalid argument"}); + } + + @Test + public void propertiesConstructionTest() throws Exception { + // Coverage tests + PropAccess prop = new PropAccess(System.getProperties()); + prop = new PropAccess((PrintStream)null, System.getProperties()); + } + + @Test + public void stringConstructionTest() throws Exception { + Properties testSystemProps = new Properties(System.getProperties()); + testSystemProps.setProperty("cadi_name", "user"); + System.setProperties(testSystemProps); + PropAccess prop = new PropAccess("cadi_keyfile=test/keyfile", "cadi_loglevel=DEBUG", "cadi_prop_files=test/cadi.properties:not_a_file"); + } + + @Test + public void loadTest() throws Exception { + // Coverage tests + Properties props = mock(Properties.class); + when(props.getProperty("cadi_prop_files")).thenReturn("test/cadi.properties").thenReturn(null); + PropAccess pa = new PropAccess(); + Field props_field = PropAccess.class.getDeclaredField("props"); + props_field.setAccessible(true); + props_field.set(pa, props); + ByteArrayInputStream bais = new ByteArrayInputStream(new byte[0]); + pa.load(bais); + } + + @Test + public void specialConversionsTest() throws Exception { + // Coverage tests + Properties testSystemProps = new Properties(System.getProperties()); + testSystemProps.setProperty("java.specification.version", "1.7"); + System.setProperties(testSystemProps); + PropAccess pa = new PropAccess("AFT_LATITUDE=1", "AFT_LONGITUDE=1", "cadi_protocols=TLSv1.2"); + } + + @Test + public void logTest() throws Exception { + // Coverage tests + PropAccess pa = new PropAccess(); + + pa.log(Level.DEBUG); + pa.printf(Level.DEBUG, "not a real format string"); + + pa.setLogLevel(Level.DEBUG); + pa.log(Level.DEBUG); + pa.log(Level.DEBUG, 1, " ", null, ""); + pa.log(Level.DEBUG, "This is a string", "This is another"); + pa.set(new LogIt() { + @Override public void push(Level level, Object ... elements) {} + }); + try { + pa.log(new Exception("This exception was thrown intentionally, please ignore it")); + } catch(Exception e) { + fail("Should have thrown an exception"); + } + } + + @Test + public void classLoaderTest() { + PropAccess pa = new PropAccess(); + assertThat(pa.classLoader(), instanceOf(ClassLoader.class)); + } + + @Test + public void encryptionTest() throws Exception { + PropAccess pa = new PropAccess(); + String plainText = "This is a secret message"; + String secret_message = pa.encrypt(plainText); + String modified = secret_message.substring(4); + // Plenty of assertions to hit all branches + assertThat(pa.decrypt(secret_message, false), is(plainText)); + assertThat(pa.decrypt(null, false), is(nullValue())); + assertThat(pa.decrypt(modified, true), is(plainText)); + assertThat(pa.decrypt(modified, false), is(modified)); + } + + @Test + public void setPropertyTest() { + PropAccess pa = new PropAccess(); + pa.setProperty("test", null); + String prop = "New Property"; + String val ="And it's faithful value"; + pa.setProperty(prop, val); + + assertThat(pa.getProperty(prop), is(val)); + } +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_ServletContextAccess.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_ServletContextAccess.java new file mode 100644 index 00000000..8531e1d1 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_ServletContextAccess.java @@ -0,0 +1,104 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static org.junit.Assert.*; + +import org.junit.Before; +import org.junit.Test; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.ServletContextAccess; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.PropAccess.LogIt; + +import static org.mockito.Mockito.*; +import static org.hamcrest.CoreMatchers.*; + +import java.lang.reflect.Field; + +import java.io.ByteArrayInputStream; +import java.io.PrintStream; +import java.util.Enumeration; +import java.util.Properties; +import java.util.StringTokenizer; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; + +@SuppressWarnings("unused") +public class JU_ServletContextAccess { + + private FilterConfig filter_mock; + Enumeration enumeration; + + private class CustomEnumeration implements Enumeration { + private int idx = 0; + private final String[] elements = {"This", "is", "a", "test"}; + @Override + public String nextElement() { + return idx >= elements.length ? null : elements[idx++]; + } + @Override + public boolean hasMoreElements() { + return idx < elements.length; + } + } + + @Before + public void setup() { + enumeration = new CustomEnumeration(); + filter_mock = mock(FilterConfig.class); + when(filter_mock.getInitParameterNames()).thenReturn(enumeration); + } + + @Test + public void ConstructorTest() throws Exception { + ServletContextAccess sca = new ServletContextAccess(filter_mock); + } + + @Test + public void logTest() throws Exception { + ServletContext sc_mock = mock(ServletContext.class); + when(filter_mock.getServletContext()).thenReturn(sc_mock); + ServletContextAccess sca = new ServletContextAccess(filter_mock); + + sca.log(Level.DEBUG); + + sca.setLogLevel(Level.DEBUG); + sca.log(Level.DEBUG); + + try { + sca.log(new Exception("This exception was thrown intentionally, please ignore it")); + } catch(Exception e) { + fail("Should have thrown an exception"); + } + } + + @Test + public void contextTest() { + ServletContext sc_mock = mock(ServletContext.class); + when(filter_mock.getServletContext()).thenReturn(sc_mock); + ServletContextAccess sca = new ServletContextAccess(filter_mock); + assertThat(sca.context(), instanceOf(ServletContext.class)); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Symm.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Symm.java new file mode 100644 index 00000000..34f528f4 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_Symm.java @@ -0,0 +1,203 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.util.Arrays; + +import java.lang.reflect.*; +import org.junit.Before; +import org.junit.Test; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Symm; + +import static org.hamcrest.CoreMatchers.*; +import static org.junit.Assert.*; +import static org.mockito.Mockito.*; + +public class JU_Symm { + private Symm defaultSymm; + + @Before + public void setup() throws Exception { + defaultSymm = new Symm( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray() + ,76, "Use default!" ,true); + } + + @Test + public void constructorTest() throws Exception { + Symm myCustomSymm = new Symm( + "ACEGIKMOQSUWYacegikmoqsuwy02468+/".toCharArray(), 76, "Default", true); + Field convert_field = Symm.class.getDeclaredField("convert"); + convert_field.setAccessible(true); + + Class Unordered_class = Class.forName("org.onap.aaf.cadi.Symm$Unordered"); + assertThat(convert_field.get(myCustomSymm), instanceOf(Unordered_class)); + } + + @SuppressWarnings("unused") + @Test + public void copyTest() throws Exception { + Symm copy = Symm.base64.copy(76); + } + + @SuppressWarnings("deprecation") + @Test + public void deprecatedTest() { + assertEquals(Symm.base64(), Symm.base64); + assertEquals(Symm.base64noSplit(), Symm.base64noSplit); + assertEquals(Symm.base64url(), Symm.base64url); + assertEquals(Symm.baseCrypt(), Symm.encrypt); + } + + @Test + public void encodeDecodeStringTest() throws Exception { + String orig = "hello"; + String b64encrypted = Symm.base64.encode(orig); + assertEquals(Symm.base64.decode(b64encrypted), orig); + + String defaultEnrypted = defaultSymm.encode(orig); + assertEquals(defaultSymm.decode(defaultEnrypted), orig); + } + + @Test + public void encodeDecodeByteArrayTest() throws Exception { + String orig = "hello"; + byte[] b64encrypted = Symm.base64.encode(orig.getBytes()); + assertEquals(new String(Symm.base64.decode(b64encrypted)), orig); + + byte[] empty = null; + assertTrue(Arrays.equals(Symm.base64.encode(empty), new byte[0])); + } + + @Test + public void encodeDecodeStringToStreamTest() throws Exception { + String orig = "I'm a password, really"; + String b64encrypted; + String output; + + ByteArrayOutputStream baosEncrypt = new ByteArrayOutputStream(); + Symm.base64.encode(orig, baosEncrypt); + b64encrypted = new String(baosEncrypt.toByteArray()); + + ByteArrayOutputStream baosDecrypt = new ByteArrayOutputStream(); + Symm.base64.decode(b64encrypted, baosDecrypt); + output = new String(baosDecrypt.toByteArray()); + + assertEquals(orig, output); + } + + @Test + public void encryptDecryptStreamWithPrefixTest() throws Exception { + String orig = "I'm a password, really"; + byte[] b64encrypted; + String output; + + byte[] prefix = "enc:".getBytes(); + + ByteArrayInputStream baisEncrypt = new ByteArrayInputStream(orig.getBytes()); + ByteArrayOutputStream baosEncrypt = new ByteArrayOutputStream(); + Symm.base64.encode(baisEncrypt, baosEncrypt, prefix); + + b64encrypted = baosEncrypt.toByteArray(); + + ByteArrayInputStream baisDecrypt = new ByteArrayInputStream(b64encrypted); + ByteArrayOutputStream baosDecrypt = new ByteArrayOutputStream(); + Symm.base64.decode(baisDecrypt, baosDecrypt, prefix.length); + + output = new String(baosDecrypt.toByteArray()); + assertEquals(orig, output); + } + + @Test + public void randomGenTest() { + // Ian - There really isn't a great way to test for randomness... + String prev = null; + for (int i = 0; i < 10; i++) { + String current = Symm.randomGen(100); + if (current.equals(prev)) { + fail("I don't know how, but you generated the exact same random string twice in a row"); + } + prev = current; + } + assertTrue(true); + } + + @Test + public void obtainTest() throws Exception { + Symm symm = Symm.base64.obtain(); + + String orig ="Another Password, please"; + String encrypted = symm.enpass(orig); + String decrypted = symm.depass(encrypted); + assertEquals(orig, decrypted); + } + + @Test + public void InputStreamObtainTest() throws Exception { + byte[] keygen = Symm.keygen(); + + Symm symm = Symm.obtain(new ByteArrayInputStream(keygen)); + + String orig ="Another Password, please"; + String encrypted = symm.enpass(orig); + String decrypted = symm.depass(encrypted); + assertEquals(orig, decrypted); + } + + @Test + public void StringObtainTest() throws Exception { + byte[] keygen = Symm.keygen(); + + Symm symm = Symm.obtain(new String(keygen)); + + String orig ="Another Password, please"; + String encrypted = symm.enpass(orig); + String decrypted = symm.depass(encrypted); + assertEquals(orig, decrypted); + } + + @Test + public void AccessObtainTest() throws Exception { + PropAccess pa = new PropAccess("cadi_keyfile=test/keyfile"); + Symm symm = Symm.obtain(pa); + String orig ="Another Password, please"; + String encrypted = symm.enpass(orig); + String decrypted = symm.depass(encrypted); + assertEquals(orig, decrypted); + + try { + PropAccess badPa = mock(PropAccess.class); + when(badPa.getProperty("cadi_keyfile", null)).thenReturn("not_a_real_file.txt"); + symm = Symm.obtain(badPa); + fail("Should have thrown an exception"); + } catch (CadiException e) { + assertTrue(e.getMessage().contains("ERROR: ")); + assertTrue(e.getMessage().contains("not_a_real_file.txt")); + assertTrue(e.getMessage().contains(" does not exist!")); + } + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_TrustChecker.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_TrustChecker.java new file mode 100644 index 00000000..511c6ee3 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_TrustChecker.java @@ -0,0 +1,37 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; + +import org.onap.aaf.cadi.TrustChecker; + +public class JU_TrustChecker { + + @Test + public void noTrustTests() { + assertThat(TrustChecker.NOTRUST.mayTrust(null, null), is(nullValue())); + TrustChecker.NOTRUST.setLur(null); + } +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_User.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_User.java new file mode 100644 index 00000000..25683249 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/JU_User.java @@ -0,0 +1,185 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test; + +import static org.junit.Assert.*; + +import org.junit.Test; + + +import static org.hamcrest.CoreMatchers.*; +import static org.mockito.Mockito.when; + +import java.lang.reflect.Field; +import java.security.Principal; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.junit.Before; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.User; +import org.onap.aaf.cadi.lur.LocalPermission; + +public class JU_User { + + private final Long SECOND = 1000L; + private final String name = "Fakey McFake"; + private final String cred = "Fake credentials"; + + private Field perms_field; + private Field count_field; + + @Mock + private Principal principal; + + @Mock + private LocalPermission permission; + @Mock + private LocalPermission permission2; + + @Before + public void setup() throws NoSuchFieldException, SecurityException { + MockitoAnnotations.initMocks(this); + + when(principal.getName()).thenReturn("Principal"); + + when(permission.getKey()).thenReturn("NewKey"); + when(permission.match(permission)).thenReturn(true); + + when(permission2.getKey()).thenReturn("NewKey2"); + when(permission2.match(permission)).thenReturn(false); + + perms_field = User.class.getDeclaredField("perms"); + perms_field.setAccessible(true); + + count_field = User.class.getDeclaredField("count"); + count_field.setAccessible(true); + } + + @Test + public void constructorPrincipalTest() throws IllegalArgumentException, IllegalAccessException { + User user = new User(principal); + assertThat(user.name, is(principal.getName())); + assertThat(user.principal, is(principal)); + assertThat(user.permExpires(), is(Long.MAX_VALUE)); + assertThat((int)count_field.get(user), is(0)); + } + + @Test + public void constructorNameCredTest() throws IllegalArgumentException, IllegalAccessException { + User user = new User(name, cred.getBytes()); + assertThat(user.name, is(name)); + assertThat(user.principal, is(nullValue())); + assertThat(user.permExpires(), is(Long.MAX_VALUE)); + assertThat((int)count_field.get(user), is(0)); + assertThat(user.getCred(), is(cred.getBytes())); + } + + @Test + public void constructorPrincipalIntervalTest() throws IllegalArgumentException, IllegalAccessException { + User user = new User(principal, 61 * SECOND); + Long approxExpiration = System.currentTimeMillis() + 61 * SECOND; + assertThat(user.name, is(principal.getName())); + assertThat(user.principal, is(principal)); + assertTrue(Math.abs(user.permExpires() - approxExpiration) < 10L); + assertThat((int)count_field.get(user), is(0)); + } + + @Test + public void constructorNameCredIntervalTest() throws IllegalArgumentException, IllegalAccessException { + String name = "Fakey McFake"; + User user = new User(name, cred.getBytes(), 61 * SECOND); + Long approxExpiration = System.currentTimeMillis() + 61 * SECOND; + assertThat(user.name, is(name)); + assertThat(user.principal, is(nullValue())); + assertTrue(Math.abs(user.permExpires() - approxExpiration) < 10L); + assertThat((int)count_field.get(user), is(0)); + assertThat(user.getCred(), is(cred.getBytes())); + } + + @Test + public void countCheckTest() throws IllegalArgumentException, IllegalAccessException { + User user = new User(principal); + user.resetCount(); + assertThat((int)count_field.get(user), is(0)); + user.incCount(); + assertThat((int)count_field.get(user), is(1)); + user.incCount(); + assertThat((int)count_field.get(user), is(2)); + user.resetCount(); + assertThat((int)count_field.get(user), is(0)); + } + + @Test + public void permTest() throws InterruptedException, IllegalArgumentException, IllegalAccessException { + User user = new User(principal); + assertThat(user.permExpires(), is(Long.MAX_VALUE)); + user.renewPerm(); + Thread.sleep(1); // Let it expire + assertThat(user.permExpired(), is(true)); + + user = new User(principal,100); + assertTrue(user.noPerms()); + user.add(permission); + assertFalse(user.permsUnloaded()); + assertFalse(user.noPerms()); + user.setNoPerms(); + assertThat(user.permExpired(), is(false)); + assertTrue(user.permsUnloaded()); + assertTrue(user.noPerms()); + perms_field.set(user, null); + assertTrue(user.permsUnloaded()); + assertTrue(user.noPerms()); + } + + @Test + public void addValuesToNewMapTest() { + User user = new User(principal); + Map newMap = new HashMap(); + + assertFalse(user.contains(permission)); + + user.add(newMap, permission); + user.setMap(newMap); + + assertTrue(user.contains(permission)); + + List sink = new ArrayList(); + user.copyPermsTo(sink); + + assertThat(sink.size(), is(1)); + assertTrue(sink.contains(permission)); + + assertThat(user.toString(), is("Principal|:NewKey")); + + user.add(newMap, permission2); + user.setMap(newMap); + assertFalse(user.contains(permission2)); + + assertThat(user.toString(), is("Principal|:NewKey2,NewKey")); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/filter/JU_FCGetTest.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/filter/JU_FCGetTest.java new file mode 100644 index 00000000..5aa9d79c --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/filter/JU_FCGetTest.java @@ -0,0 +1,103 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.filter; + +import static org.junit.Assert.*; +import static org.mockito.Mockito.when; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; + +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import org.onap.aaf.cadi.PropAccess; + +public class JU_FCGetTest { + + @Test + public void netYetTested() { + fail("Tests not yet implemented"); + } + +// @Mock +// private ServletContext context; + +// @Mock +// private FilterConfig config; + +// @Mock +// private PropAccess access = new PropAccess(); + +// @Before +// public void setUp() { +// MockitoAnnotations.initMocks(this); +// } + +// @Test +// public void testGetStringFromDef() { +// PropAccess access = new PropAccess(); + +// FCGet fcGet = new FCGet(access, context, config); + +// String user = fcGet.get("user", "DefaultUser", true); + +// assertEquals(user, "DefaultUser"); +// } + +// @Test +// public void testGetStringFromContext() { +// PropAccess access = new PropAccess(); +// when(context.getInitParameter("user")).thenReturn("ContextUser"); + +// FCGet fcGet = new FCGet(access, context, null); + +// String user = fcGet.get("user", "DefaultUser", true); + +// assertEquals(user,"ContextUser"); +// } + +// @Test +// public void testGetStringFromFilter() { +// PropAccess access = new PropAccess(); +// when(config.getInitParameter("user")).thenReturn("FilterUser"); + +// FCGet fcGet = new FCGet(access, null, config); + +// String user = fcGet.get("user", "DefaultUser", true); + +// assertEquals(user,"FilterUser"); +// } + +// @Test +// public void testGetStringWithNullContextFilter() { + +// when(access.getProperty("user", "DefaultUser")).thenReturn(null); + +// FCGet fcGet = new FCGet(access, null, null); + +// String user = fcGet.get("user", "DefaultUser", true); + +// assertEquals(user,"DefaultUser"); +// } +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_ConfigPrincipal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_ConfigPrincipal.java new file mode 100644 index 00000000..897744ec --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_ConfigPrincipal.java @@ -0,0 +1,79 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.lur; + +import org.junit.*; +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import java.lang.reflect.Field; + +import java.io.IOException; + +import org.onap.aaf.cadi.lur.ConfigPrincipal; + +public class JU_ConfigPrincipal { + + private final String name = "User"; + private final String pass = "pass"; + + // Expected output of base64("User:pass") + private final String b64encoded = "VXNlcjpwYXNz"; + + private Field content_field; + + @Before + public void setup() throws NoSuchFieldException { + content_field = ConfigPrincipal.class.getDeclaredField("content"); + content_field.setAccessible(true); + } + + @Test + public void testConfigPrincipalStringString() throws IOException, IllegalArgumentException, IllegalAccessException { + ConfigPrincipal p = new ConfigPrincipal(name, pass); + + assertThat(p.getName(), is(name)); + assertThat(p.toString(), is(name)); + assertThat(p.getCred(), is(pass.getBytes())); + assertThat(p.getAsBasicAuthHeader(), is("Basic " + b64encoded)); + content_field.set(p, "pass"); + assertThat(p.getAsBasicAuthHeader(), is("Basic " + b64encoded)); + + // One more time for coverage purposes + assertThat(p.getAsBasicAuthHeader(), is("Basic " + b64encoded)); + } + + @Test + public void testConfigPrincipalStringByteArray() throws IOException, IllegalArgumentException, IllegalAccessException { + ConfigPrincipal p = new ConfigPrincipal(name, pass.getBytes()); + + assertThat(p.getName(), is(name)); + assertThat(p.toString(), is(name)); + assertThat(p.getCred(), is(pass.getBytes())); + assertThat(p.getAsBasicAuthHeader(), is("Basic " + b64encoded)); + content_field.set(p, "pass"); + assertThat(p.getAsBasicAuthHeader(), is("Basic " + b64encoded)); + + // One more time for coverage purposes + assertThat(p.getAsBasicAuthHeader(), is("Basic " + b64encoded)); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_LocalLur.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_LocalLur.java new file mode 100644 index 00000000..8388fa5f --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_LocalLur.java @@ -0,0 +1,103 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.lur; + +import static junit.framework.Assert.assertEquals; +import static junit.framework.Assert.assertFalse; +import static junit.framework.Assert.assertTrue; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.security.Principal; +import java.util.ArrayList; +import java.util.List; +import java.util.Set; +import java.util.TreeSet; + +import org.junit.Test; +import org.onap.aaf.cadi.Lur; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.CredVal.Type; +import org.onap.aaf.cadi.config.UsersDump; +import org.onap.aaf.cadi.lur.LocalLur; +import org.onap.aaf.cadi.lur.LocalPermission; + +public class JU_LocalLur { + + @Test + public void test() throws IOException { + Symm symmetric = Symm.baseCrypt().obtain(); + LocalLur up; + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + baos.write(Symm.ENC.getBytes()); + symmetric.enpass("", baos); + PropAccess ta = new PropAccess(); + Lur ml = up = new LocalLur(ta,"myname:groupA,groupB","admin:myname,yourname;suser:hisname,hername,m1234%"+baos.toString()); + + +// Permission admin = new LocalPermission("admin"); +// Permission suser = new LocalPermission("suser"); +// +// // Check User fish +// assertTrue(ml.fish(new JUPrincipal("myname"),admin)); +// assertTrue(ml.fish(new JUPrincipal("hisname"),admin)); +// assertFalse(ml.fish(new JUPrincipal("noname"),admin)); +// assertTrue(ml.fish(new JUPrincipal("itsname"),suser)); +// assertTrue(ml.fish(new JUPrincipal("hername"),suser)); +// assertFalse(ml.fish(new JUPrincipal("myname"),suser)); +// +// // Check validate password +// assertTrue(up.validate("m1234",Type.PASSWORD, "".getBytes())); +// assertFalse(up.validate("m1234",Type.PASSWORD, "badPass".getBytes())); +// + // Check fishAll + Set set = new TreeSet(); + List perms = new ArrayList(); + ml.fishAll(new JUPrincipal("myname"), perms); + for(Permission p : perms) { + set.add(p.getKey()); + } +// assertEquals("[admin, groupA, groupB]",set.toString()); + UsersDump.write(System.out, up); + System.out.flush(); + + } + + // Simplistic Principal for testing purposes + private static class JUPrincipal implements Principal { + private String name; + public JUPrincipal(String name) { + this.name = name; + } +// @Override + public String getName() { + return name; + } + } + + + + + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_LocalPermission.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_LocalPermission.java new file mode 100644 index 00000000..abc178a8 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_LocalPermission.java @@ -0,0 +1,71 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS,Z + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.lur; + +import static org.junit.Assert.*; + +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import static org.mockito.Mockito.*; + +import org.onap.aaf.cadi.lur.LocalPermission; +import org.onap.aaf.cadi.Permission; + +public class JU_LocalPermission { + + @Mock + Permission perm; + + private LocalPermission localPerm; + private String role = "Fake Role"; + + @Before + public void setup() { + MockitoAnnotations.initMocks(this); + when(perm.getKey()).thenReturn(role); + + localPerm = new LocalPermission(role); + } + + @Test + public void getKeyTest() { + assertThat(localPerm.getKey(), is(role)); + } + + @Test + public void toStringTest() { + assertThat(localPerm.toString(), is(role)); + } + + @Test + public void matchTest() { + assertTrue(localPerm.match(perm)); + } + + @Test + public void permTypeTest() { + assertThat(localPerm.permType(), is("LOCAL")); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_NullLur.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_NullLur.java new file mode 100644 index 00000000..d5740b3a --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/lur/JU_NullLur.java @@ -0,0 +1,80 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS,Z + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.lur; + +import java.security.Principal; +import java.util.List; + +import static org.hamcrest.CoreMatchers.*; +import static org.junit.Assert.*; +import org.junit.*; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import java.lang.reflect.*; + +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.lur.NullLur; + +public class JU_NullLur { + + @Mock + Principal p; + + @Mock + Permission perm; + + @Mock + List perms; + + private NullLur nullLur; + + @Before + public void setup() { + MockitoAnnotations.initMocks(this); + + nullLur = new NullLur(); + } + + @Test + public void coverageTests() throws Exception { + + Field nullClass = NullLur.class.getDeclaredField("NULL"); + nullClass.setAccessible(true); + assertThat(((Permission) nullClass.get(NullLur.class)).permType(), is("")); + assertThat(((Permission) nullClass.get(NullLur.class)).getKey(), is("")); + assertFalse(((Permission) nullClass.get(NullLur.class)).match(perm)); + + nullLur.fishAll(p, perms); + nullLur.destroy(); + + assertFalse(nullLur.fish(p, perm)); + assertFalse(nullLur.handlesExclusively(perm)); + assertFalse(nullLur.handles(p)); + assertThat(nullLur.createPerm(""), is(nullClass.get(NullLur.class))); + + StringBuilder sb = new StringBuilder(); + nullLur.clear(p, sb); + assertThat(sb.toString(), is("NullLur\n")); + assertThat(nullLur.toString(), is("NullLur\n")); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_BasicPrincipal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_BasicPrincipal.java new file mode 100644 index 00000000..0faaca1a --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_BasicPrincipal.java @@ -0,0 +1,123 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.principal; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import static org.mockito.Mockito.*; +import org.junit.*; + +import java.io.IOException; +import java.util.Date; + +import org.onap.aaf.cadi.BasicCred; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.principal.BasicPrincipal; +import org.onap.aaf.cadi.principal.StringTagLookup; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.principal.TaggedPrincipal.TagLookup; + +public class JU_BasicPrincipal { + + @Test + public void Constructor1Test() throws Exception { + // Test that everything works when the content doesn't contain "Basic" + BasicPrincipal bp = new BasicPrincipal("content", "domain"); + assertThat(bp.getName(), is("content")); + assertThat(bp.getCred(), is(nullValue())); + + // Test sending a user without an implicit domain + String name = "User"; + String password = "password"; + String content = name + ":" + password; + String domain = "exampledomain.com"; + String encrypted = new String(Symm.base64.encode(content.getBytes())); + bp = new BasicPrincipal("Basic " + encrypted, domain); + assertThat(bp.getShortName(), is(name)); + assertThat(bp.getName(), is(name + "@" + domain)); + assertThat(bp.getCred(), is(password.getBytes())); + + // Test sending a user with an implicit domain + String longName = name + "@" + domain + ":" + password; + encrypted = new String(Symm.base64.encode(longName.getBytes())); + bp = new BasicPrincipal("Basic " + encrypted, domain); + assertThat(bp.getShortName(), is(name)); + assertThat(bp.getName(), is(name + "@" + domain)); + assertThat(bp.getCred(), is(password.getBytes())); + + // Check that an exception is throw if no name is given in the content + try { + bp = new BasicPrincipal("Basic " + new String(Symm.base64.encode("no name".getBytes())), ""); + fail("Should have thrown an exception"); + } catch (IOException e) { + assertThat(e.getMessage(), is("Invalid Coding")); + } + } + + @Test + public void Constructor2Test() { + String name = "User"; + String password = "password"; + BasicCred bc = mock(BasicCred.class); + when(bc.getUser()).thenReturn(name); + when(bc.getCred()).thenReturn(password.getBytes()); + + BasicPrincipal bp = new BasicPrincipal(bc, "domain"); + assertThat(bp.getName(), is(name)); + assertThat(bp.getCred(), is(password.getBytes())); + } + + @Test + public void accessorsTest() throws IOException { + String name = "User"; + String password = "password"; + String content = name + ":" + password; + String domain = "exampledomain.com"; + String encrypted = new String(Symm.base64.encode(content.getBytes())); + String bearer = "bearer"; + long created = System.currentTimeMillis(); + BasicPrincipal bp = new BasicPrincipal("Basic " + encrypted, domain); + bp.setBearer(bearer); + + String expected = "Basic Authorization for " + name + "@" + domain + " evaluated on " + new Date(bp.created()).toString(); + assertTrue(Math.abs(bp.created() - created) < 10); + assertThat(bp.toString(), is(expected)); + assertThat(bp.tag(), is("BAth")); + assertThat(bp.personalName(), is(nullValue())); + + // This test hits the abstract class BearerPrincipal + assertThat(bp.getBearer(), is(bearer)); + } + + + @Test + public void coverageTest() throws IOException { + String name = "User"; + String password = "password:with:colons"; + String content = name + ":" + password; + String encrypted = new String(Symm.base64.encode(content.getBytes())); + @SuppressWarnings("unused") + BasicPrincipal bp = new BasicPrincipal("Basic " + encrypted, "domain"); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_CachedBasicPrincipal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_CachedBasicPrincipal.java new file mode 100644 index 00000000..39da6c09 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_CachedBasicPrincipal.java @@ -0,0 +1,125 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.principal; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import static org.mockito.Mockito.*; +import org.junit.*; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; + +import java.io.IOException; +import java.lang.reflect.Field; +import java.util.Date; + +import org.onap.aaf.cadi.BasicCred; +import org.onap.aaf.cadi.CachedPrincipal; +import org.onap.aaf.cadi.CachedPrincipal.Resp; +import org.onap.aaf.cadi.Symm; +import org.onap.aaf.cadi.principal.CachedBasicPrincipal; +import org.onap.aaf.cadi.principal.StringTagLookup; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.principal.TaggedPrincipal.TagLookup; +import org.onap.aaf.cadi.taf.HttpTaf; + +public class JU_CachedBasicPrincipal { + private Field creatorField; + private Field timeToLiveField; + + @Mock + private HttpTaf creator; + + private CachedPrincipal.Resp resp; + + @Before + public void setup() throws NoSuchFieldException, SecurityException { + MockitoAnnotations.initMocks(this); + + creatorField = CachedBasicPrincipal.class.getDeclaredField("creator"); + timeToLiveField = CachedBasicPrincipal.class.getDeclaredField("timeToLive"); + + creatorField.setAccessible(true); + timeToLiveField.setAccessible(true); + } + + @Test + public void Constructor1Test() throws IllegalArgumentException, IllegalAccessException { + String name = "User"; + String password = "password"; + BasicCred bc = mock(BasicCred.class); + when(bc.getUser()).thenReturn(name); + when(bc.getCred()).thenReturn(password.getBytes()); + + long timeToLive = 10000L; + long expires = System.currentTimeMillis() + timeToLive; + CachedBasicPrincipal cbp = new CachedBasicPrincipal(creator, bc, "domain", timeToLive); + + assertThat((HttpTaf)creatorField.get(cbp), is(creator)); + assertThat((Long)timeToLiveField.get(cbp), is(timeToLive)); + assertTrue(Math.abs(cbp.expires() - expires) < 10); + } + + @Test + public void Constructor2Test() throws Exception { + String name = "User"; + String password = "password"; + String content = name + ":" + password; + long timeToLive = 10000L; + long expires = System.currentTimeMillis() + timeToLive; + CachedBasicPrincipal cbp = new CachedBasicPrincipal(creator, content, "domain", timeToLive); + + assertThat((HttpTaf)creatorField.get(cbp), is(creator)); + assertThat((Long)timeToLiveField.get(cbp), is(timeToLive)); + assertTrue(Math.abs(cbp.expires() - expires) < 10); + } + + @Test + public void revalidateTest() throws IOException, IllegalArgumentException, IllegalAccessException, InterruptedException { + resp = CachedPrincipal.Resp.REVALIDATED; + when(creator.revalidate((CachedPrincipal)any(), any())).thenReturn(resp); + + String name = "User"; + String password = "password"; + String content = name + ":" + password; + long timeToLive = 10000L; + long expires = System.currentTimeMillis() + timeToLive; + CachedBasicPrincipal cbp = new CachedBasicPrincipal(creator, content, "domain", timeToLive); + + assertTrue(Math.abs(cbp.expires() - expires) < 10); + + Thread.sleep(1); + expires = System.currentTimeMillis() + timeToLive; + assertThat(cbp.revalidate(new Object()), is(resp)); + assertTrue(Math.abs(cbp.expires() - expires) < 10); + + resp = CachedPrincipal.Resp.UNVALIDATED; + when(creator.revalidate((CachedPrincipal)any(), any())).thenReturn(resp); + expires = System.currentTimeMillis() + timeToLive; + cbp = new CachedBasicPrincipal(creator, content, "domain", timeToLive); + + assertThat(cbp.revalidate(new Object()), is(resp)); + assertTrue(Math.abs(cbp.expires() - expires) < 10); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_Kind.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_Kind.java new file mode 100644 index 00000000..c66539c4 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_Kind.java @@ -0,0 +1,70 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.principal; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; + +import org.onap.aaf.cadi.principal.BasicPrincipal; +import org.onap.aaf.cadi.principal.Kind; +import org.onap.aaf.cadi.principal.OAuth2FormPrincipal; +import org.onap.aaf.cadi.principal.TrustPrincipal; +import org.onap.aaf.cadi.principal.X509Principal; + +public class JU_Kind { + + @Mock + private TrustPrincipal trust; + + @Mock + private X509Principal x509; + + @Mock + private OAuth2FormPrincipal oauth; + + @Mock + private BasicPrincipal basic; + + @Before + public void setup() throws SecurityException { + MockitoAnnotations.initMocks(this); + } + + @Test + public void getKind() { + assertThat(Kind.getKind(trust), is('U')); + assertThat(Kind.getKind(x509), is('X')); + assertThat(Kind.getKind(oauth), is('O')); + assertThat(Kind.getKind(basic), is('B')); + } + + @Test + public void coverageTest() { + @SuppressWarnings("unused") + Kind kind = new Kind(); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_OAuth2FormPrincipal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_OAuth2FormPrincipal.java new file mode 100644 index 00000000..a7c14aa8 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_OAuth2FormPrincipal.java @@ -0,0 +1,56 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.principal; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; + +import org.onap.aaf.cadi.principal.OAuth2FormPrincipal; + +public class JU_OAuth2FormPrincipal { + + private String username = "user"; + private String id = "id"; + + @Test + public void accessorsTest() { + OAuth2FormPrincipal oauth = new OAuth2FormPrincipal(id, username); + assertThat(oauth.getName(), is(username)); + assertThat(oauth.client_id(), is(id)); + assertThat(oauth.tag(), is("OAuth")); + } + + @Test + public void personalNameTest() { + OAuth2FormPrincipal oauth = new OAuth2FormPrincipal(id, username); + assertThat(oauth.personalName(), is(username + "|" + id)); + + oauth = new OAuth2FormPrincipal(id, null); + assertThat(oauth.personalName(), is(id)); + + oauth = new OAuth2FormPrincipal(id, id); + assertThat(oauth.personalName(), is(id)); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_StringTagLookup.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_StringTagLookup.java new file mode 100644 index 00000000..ff1f3f8a --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_StringTagLookup.java @@ -0,0 +1,40 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.principal; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; + +import org.onap.aaf.cadi.principal.StringTagLookup; + +public class JU_StringTagLookup { + + @Test + public void accessorsTest() throws Exception { + String tag = "tag"; + StringTagLookup stl = new StringTagLookup(tag); + assertThat(stl.lookup(), is(tag)); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_TaggedPrincipal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_TaggedPrincipal.java new file mode 100644 index 00000000..4674db70 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_TaggedPrincipal.java @@ -0,0 +1,68 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.principal; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; + +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.principal.TaggedPrincipal.TagLookup; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.principal.StringTagLookup; + +public class JU_TaggedPrincipal { + + private final String name = "stubbedName"; + private final String tag = "tag"; + + private class TaggedPrincipalStub extends TaggedPrincipal { + public TaggedPrincipalStub() { super(); } + public TaggedPrincipalStub(final TagLookup tl) { super(tl); } + @Override public String getName() { return name; } + @Override public String tag() { return null; } + } + + private class WhinyTagLookup implements TagLookup { + public WhinyTagLookup(final String tag) { } + @Override + public String lookup() throws CadiException { + throw new CadiException(); + } + } + + @Test + public void personalNameTest() { + TaggedPrincipal tp = new TaggedPrincipalStub(); + assertThat(tp.personalName(), is(name)); + + StringTagLookup stl = new StringTagLookup(tag); + tp = new TaggedPrincipalStub(stl); + assertThat(tp.personalName(), is(tag)); + + WhinyTagLookup wtl = new WhinyTagLookup(tag); + tp.setTagLookup(wtl); + assertThat(tp.personalName(), is(name)); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_TrustPrincipal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_TrustPrincipal.java new file mode 100644 index 00000000..4a7333e2 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_TrustPrincipal.java @@ -0,0 +1,91 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.principal; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; + +import java.security.Principal; + +import org.onap.aaf.cadi.UserChain; +import org.onap.aaf.cadi.principal.TaggedPrincipal; +import org.onap.aaf.cadi.principal.TrustPrincipal; + +public class JU_TrustPrincipal { + + private final String ucName = "UserChain"; + private final String uc = "This is a UserChain"; + private final String taggedName = "TaggedPrincipal"; + private final String tag = "tag"; + private final String pName = "Principal"; + + private class UserChainPrincipalStub implements Principal, UserChain { + @Override public String userChain() { return uc; } + @Override public String getName() { return ucName; } + } + + private class TaggedPrincipalStub extends TaggedPrincipal { + public TaggedPrincipalStub() { super(); } + @Override public String getName() { return taggedName; } + @Override public String tag() { return tag; } + } + + private class PrincipalStub implements Principal { + @Override public String getName() { return pName; } + } + + @Test + public void userChainConstructorTest() { + UserChainPrincipalStub ucps = new UserChainPrincipalStub(); + TrustPrincipal tp = new TrustPrincipal(ucps, taggedName); + assertThat(tp.getName(), is(taggedName)); + assertThat(tp.userChain(), is(uc)); + assertSame(tp.original(), ucps); + assertThat(tp.tag(), is(uc)); + assertThat(tp.personalName(), is(ucName + '[' + uc + ']')); + } + + @Test + public void taggedPrincipalConstructorTest() { + TaggedPrincipal tagged = new TaggedPrincipalStub(); + TrustPrincipal tp = new TrustPrincipal(tagged, taggedName); + assertThat(tp.getName(), is(taggedName)); + assertThat(tp.userChain(), is(tag)); + assertSame(tp.original(), tagged); + assertThat(tp.tag(), is(tag)); + assertThat(tp.personalName(), is(taggedName + '[' + tag + ']')); + } + + @Test + public void principalConstructorTest() { + Principal principal = new PrincipalStub(); + TrustPrincipal tp = new TrustPrincipal(principal, pName); + assertThat(tp.getName(), is(pName)); + assertThat(tp.userChain(), is(principal.getClass().getSimpleName())); + assertSame(tp.original(), principal); + assertThat(tp.tag(), is(principal.getClass().getSimpleName())); + assertThat(tp.personalName(), is(pName + '[' + principal.getClass().getSimpleName() + ']')); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_UnAuthPrincipal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_UnAuthPrincipal.java new file mode 100644 index 00000000..9d694a53 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_UnAuthPrincipal.java @@ -0,0 +1,41 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.principal; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; + +import org.onap.aaf.cadi.principal.UnAuthPrincipal; + +public class JU_UnAuthPrincipal { + + private final String name = "name"; + + @Test + public void accessorsTest() { + UnAuthPrincipal up = new UnAuthPrincipal(name); + assertThat(up.getName(), is(name)); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_X509Principal.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_X509Principal.java new file mode 100644 index 00000000..a45ce24e --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/principal/JU_X509Principal.java @@ -0,0 +1,140 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.principal; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import static org.mockito.Mockito.*; +import org.junit.*; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; + +import java.io.IOException; +import java.security.Principal; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; + +import org.onap.aaf.cadi.principal.X509Principal; + +public class JU_X509Principal { + + private final String name = "x509 name"; + private final byte[] cred = "super duper secret password".getBytes(); + + @Mock + X509Certificate cert; + + @Mock + Principal subject; + + @Before + public void setup() throws CertificateEncodingException { + MockitoAnnotations.initMocks(this); + when(cert.getEncoded()).thenReturn(cred); + } + + @Test + public void constructor1Test() throws IOException { + X509Principal x509 = new X509Principal(name, cert); + // Call twice to hit both branches + assertThat(x509.getAsHeader(), is("X509 " + cred)); + assertThat(x509.getAsHeader(), is("X509 " + cred)); + assertThat(x509.toString(), is("X509 Authentication for " + name)); + assertTrue(x509.getCred().equals(cred)); + assertThat(x509.getName(), is(name)); + assertThat(x509.tag(), is("x509")); + } + + @Test + public void constructor2Test() throws IOException { + X509Principal x509 = new X509Principal(name, cert, cred); + // Call twice to hit both branches + assertThat(x509.getAsHeader(), is("X509 " + cred)); + assertThat(x509.toString(), is("X509 Authentication for " + name)); + assertTrue(x509.getCred().equals(cred)); + assertThat(x509.getName(), is(name)); + assertThat(x509.tag(), is("x509")); + } + + @Test + public void constructor3Test() throws IOException { + final String longName = "name@domain"; + when(subject.getName()).thenReturn("OU=" + longName + ",extra"); + when(cert.getSubjectDN()).thenReturn(subject); + X509Principal x509 = new X509Principal(cert, cred); + // Call twice to hit both branches + assertThat(x509.getAsHeader(), is("X509 " + cred)); + assertThat(x509.toString(), is("X509 Authentication for " + longName)); + assertTrue(x509.getCred().equals(cred)); + assertThat(x509.getName(), is(longName)); + + when(subject.getName()).thenReturn(longName + ",extra"); + when(cert.getSubjectDN()).thenReturn(subject); + try { + x509 = new X509Principal(cert, cred); + fail("Should have thrown an Exception"); + } catch(IOException e) { + assertThat(e.getMessage(), is("X509 does not have Identity as CN")); + } + + when(subject.getName()).thenReturn("OU=" + longName); + when(cert.getSubjectDN()).thenReturn(subject); + try { + x509 = new X509Principal(cert, cred); + fail("Should have thrown an Exception"); + } catch(IOException e) { + assertThat(e.getMessage(), is("X509 does not have Identity as CN")); + } + + when(subject.getName()).thenReturn("OU=" + name + ",exta"); + when(cert.getSubjectDN()).thenReturn(subject); + try { + x509 = new X509Principal(cert, cred); + fail("Should have thrown an Exception"); + } catch(IOException e) { + assertThat(e.getMessage(), is("X509 does not have Identity as CN")); + } + + } + + @Test + public void throwsTest() throws CertificateEncodingException { + when(cert.getEncoded()).thenThrow(new CertificateEncodingException()); + X509Principal x509 = new X509Principal(name, cert); + assertThat(x509.getCred(), is(nullValue())); + try { + x509.getAsHeader(); + fail("Should have thrown an Exception"); + } catch (IOException e) { + } + } + + @Test + public void getCredTest() { + X509Principal x509 = new X509Principal(name, cert); + // Call twice to hit both branches + assertTrue(x509.getCred().equals(cred)); + assertTrue(x509.getCred().equals(cred)); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/taf/JU_NullTafRespTest.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/taf/JU_NullTafRespTest.java new file mode 100644 index 00000000..aabed1ed --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/taf/JU_NullTafRespTest.java @@ -0,0 +1,62 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.taf; + +import static org.junit.Assert.*; + +import java.io.IOException; + +import org.junit.Before; +import org.junit.Test; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.taf.TafResp; +import org.onap.aaf.cadi.taf.TafResp.RESP; + +public class JU_NullTafRespTest { + +// @Before +// public void setUp() throws Exception { +// } + +// @Test +// public void test() throws IOException { +// TafResp singleton = NullTafResp.singleton(); +// TafResp singleton1 = NullTafResp.singleton(); + +// assertEquals(singleton, singleton1); + +// assertFalse(singleton.isValid()); + +// assertEquals(singleton.isAuthenticated(), RESP.NO_FURTHER_PROCESSING); + +// assertEquals(singleton.desc(), "All Authentication denied"); + +// assertEquals(singleton.authenticate(), RESP.NO_FURTHER_PROCESSING); + +// assertNull(singleton.getPrincipal()); + +// assertEquals(singleton.getAccess(), Access.NULL); + +// assertEquals(singleton.isFailedAttempt(), true); +// } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_FQI.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_FQI.java new file mode 100644 index 00000000..57177839 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_FQI.java @@ -0,0 +1,44 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.util; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; + +import org.onap.aaf.cadi.util.FQI; + +public class JU_FQI { + + @Test + public void reverseDomainTest() { + assertThat(FQI.reverseDomain("user@att.com"), is("com.att")); + } + + @Test + public void coverageTest() { + @SuppressWarnings("unused") + FQI fqi = new FQI(); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_JsonOutputStream.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_JsonOutputStream.java new file mode 100644 index 00000000..d07652a1 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_JsonOutputStream.java @@ -0,0 +1,93 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.util; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; + +import java.io.ByteArrayOutputStream; + +import org.junit.*; + +import java.io.IOException; +import java.lang.reflect.Field; + +import org.onap.aaf.cadi.util.JsonOutputStream; + +public class JU_JsonOutputStream { + + private JsonOutputStream jos; + + @Before + public void setup() { + jos = new JsonOutputStream(new ByteArrayOutputStream()); + } + + @Test + public void constructorTest() { + jos = new JsonOutputStream(System.out); + jos = new JsonOutputStream(System.err); + } + + @Test + public void writeTest() throws IOException { + byte[] json = ("{" + + "name: user," + + "password: pass," + + "contact: {" + + "email: user@att.com," + + "phone: 555-5555" + + "}," + + "list: [" + + "item1," + + "item2" + + "],[],{}," + + "list:" + + "[" + + "item1," + + "item2" + + "]" + + "}").getBytes(); + jos.write(json); + } + + @Test + public void resetIndentTest() throws IllegalArgumentException, IllegalAccessException, NoSuchFieldException, SecurityException { + Field indentField = JsonOutputStream.class.getDeclaredField("indent"); + indentField.setAccessible(true); + + assertThat((int)indentField.get(jos), is(0)); + jos.resetIndent(); + assertThat((int)indentField.get(jos), is(1)); + } + + @Test + public void coverageTest() throws IOException { + jos.flush(); + jos.close(); + + jos = new JsonOutputStream(System.out); + jos.close(); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_MaskFormatException.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_MaskFormatException.java new file mode 100644 index 00000000..6a60df68 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_MaskFormatException.java @@ -0,0 +1,44 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ + +package org.onap.aaf.cadi.test.util; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; + +import org.onap.aaf.cadi.util.MaskFormatException; + +public class JU_MaskFormatException { + + @Test + public void throwsTest() { + String errorMessage = "This is a MaskFormatException"; + try { + throw new MaskFormatException(errorMessage); + } catch (Exception e) { + assertThat(e.getMessage(), is(errorMessage)); + assertTrue(e instanceof MaskFormatException); + } + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_NetMask.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_NetMask.java new file mode 100644 index 00000000..be3b1b32 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_NetMask.java @@ -0,0 +1,65 @@ +/******************************************************************************* + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.util; + +import static org.junit.Assert.assertEquals; + +import org.junit.Test; +import org.onap.aaf.cadi.util.NetMask; + +public class JU_NetMask { + + @Test + public void deriveTest() { + String test = "test"; + assertEquals(NetMask.derive(test.getBytes()), 0); + } + + @Test + public void deriveTest2() { + String test = "1.2.3.4"; + assertEquals(NetMask.derive(test.getBytes()), 0); + } + + @Test + public void deriveTest3() { + String test = "1.2.4"; + assertEquals(NetMask.derive(test.getBytes()), 0); + } + + @Test + public void deriveTest4() { + String test = "1.3.4"; + assertEquals(NetMask.derive(test.getBytes()), 0); + } + + @Test + public void deriveTest5() { + String test = "2.3.4"; + assertEquals(NetMask.derive(test.getBytes()), 0); + } + + @Test + public void deriveTest6() { + String test = "3.4"; + assertEquals(NetMask.derive(test.getBytes()), 0); + } +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_Split.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_Split.java new file mode 100644 index 00000000..e375f6c0 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_Split.java @@ -0,0 +1,113 @@ +/******************************************************************************* + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.util; + +import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; +import org.junit.*; + +import org.onap.aaf.cadi.util.Split; + +public class JU_Split { + + @Test + public void splitTest() { + String[] output = Split.split('c', "ctestctc", 0, "ctestctc".length()); + assertThat(output.length, is(4)); + assertThat(output[0], is("")); + assertThat(output[1], is("test")); + assertThat(output[2], is("t")); + assertThat(output[3], is("")); + + output = Split.split('c', "ctestctc", 0, 4); + assertThat(output.length, is(2)); + assertThat(output[0], is("")); + assertThat(output[1], is("tes")); + + output = Split.split('c', "test", 0, "test".length()); + assertThat(output.length, is(1)); + assertThat(output[0], is("test")); + + assertThat(Split.split('c', null, 0, 0).length, is(0)); + + // Test with fewer arguments + output = Split.split('c', "ctestctc"); + assertThat(output.length, is(4)); + assertThat(output[0], is("")); + assertThat(output[1], is("test")); + assertThat(output[2], is("t")); + assertThat(output[3], is("")); + } + + @Test + public void splitTrimTest() { + String[] output = Split.splitTrim('c', " cte stc ctc ", 0, " cte stc ctc ".length()); + assertThat(output.length, is(5)); + assertThat(output[0], is("")); + assertThat(output[1], is("te st")); + assertThat(output[2], is("")); + assertThat(output[3], is("t")); + assertThat(output[4], is("")); + + output = Split.splitTrim('c', " cte stc ctc ", 0, 5); + assertThat(output.length, is(2)); + assertThat(output[0], is("")); + assertThat(output[1], is("te")); + + assertThat(Split.splitTrim('c', " te st ", 0, " te st ".length())[0], is("te st")); + + assertThat(Split.splitTrim('c', null, 0, 0).length, is(0)); + + // Test with 2 arguments + output = Split.splitTrim('c', " cte stc ctc "); + assertThat(output.length, is(5)); + assertThat(output[0], is("")); + assertThat(output[1], is("te st")); + assertThat(output[2], is("")); + assertThat(output[3], is("t")); + assertThat(output[4], is("")); + + // Tests with 1 argument + output = Split.splitTrim('c', " cte stc ctc ", 1); + assertThat(output.length, is(1)); + assertThat(output[0], is("cte stc ctc")); + + output = Split.splitTrim('c', "testctest2", 2); + assertThat(output.length, is(2)); + assertThat(output[0], is("test")); + assertThat(output[1], is("test2")); + + output = Split.splitTrim('c', " cte stc ctc ", 4); + assertThat(output.length, is(4)); + assertThat(output[0], is("")); + assertThat(output[1], is("te st")); + assertThat(output[2], is("")); + + assertThat(Split.splitTrim('c', null, 0).length, is(0)); + } + + @Test + public void coverageTest() { + @SuppressWarnings("unused") + Split split = new Split(); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_TheConsole.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_TheConsole.java new file mode 100644 index 00000000..f168c7f4 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_TheConsole.java @@ -0,0 +1,34 @@ +/******************************************************************************* + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.util; + +import static org.junit.Assert.assertEquals; + +import org.junit.Test; +import org.onap.aaf.cadi.util.TheConsole; + +public class JU_TheConsole { + + @Test + public void implemented(){ + assertEquals(TheConsole.implemented(),false); + } +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_UserChainManip.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_UserChainManip.java new file mode 100644 index 00000000..d335edae --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_UserChainManip.java @@ -0,0 +1,66 @@ +/******************************************************************************* + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.util; + +import static org.junit.Assert.assertEquals; + +import java.util.ArrayList; +import java.util.List; + +import org.junit.Test; +import org.onap.aaf.cadi.UserChain; +import org.onap.aaf.cadi.util.UserChainManip; + +public class JU_UserChainManip { + + @Test + public void build(){ + UserChain.Protocol baseAuth=UserChain.Protocol.BasicAuth; + assertEquals(UserChainManip.build(new StringBuilder(""), "app", "id", baseAuth, true).toString(), "app:id:BasicAuth:AS"); + } + + + @Test + public void idToNS(){ + assertEquals(UserChainManip.idToNS(null), ""); + } + + @Test + public void idToNS1(){ + assertEquals(UserChainManip.idToNS("t@st"), "st"); + } + + @Test + public void test() { + assertEquals("",UserChainManip.idToNS(null)); + assertEquals("",UserChainManip.idToNS("")); + assertEquals("",UserChainManip.idToNS("something")); + assertEquals("",UserChainManip.idToNS("something@@")); + assertEquals("",UserChainManip.idToNS("something@@.")); + assertEquals("com",UserChainManip.idToNS("something@com")); + assertEquals("com.random",UserChainManip.idToNS("something@random.com")); + assertEquals("com.random",UserChainManip.idToNS("@random.com")); + assertEquals("com.random",UserChainManip.idToNS("something@random.com.")); + assertEquals("com.random",UserChainManip.idToNS("something@..random...com...")); + assertEquals("com.random.this",UserChainManip.idToNS("something@this.random.com")); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_Vars.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_Vars.java new file mode 100644 index 00000000..345c8ca2 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/util/JU_Vars.java @@ -0,0 +1,150 @@ +/******************************************************************************* + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.util; + +import static org.junit.Assert.assertEquals; + +import java.util.ArrayList; +import java.util.List; + +import org.junit.Test; +import org.onap.aaf.cadi.util.Vars; + +public class JU_Vars { + + @Test + public void coverage() { + @SuppressWarnings("unused") + Vars my_nonstatic_object_for_coverage = new Vars(); + } + + @Test + public void convert() { + String test = "test"; + List list = new ArrayList(); + list.add("method"); + assertEquals(Vars.convert(test, list), test); + } + + @Test + public void convertTest1() { + String test = "te%t"; + List list = new ArrayList(); + list.add("method"); + assertEquals(Vars.convert("test", list), "test"); + } + + @Test + public void convertTest2() { + String test = "te%s%t"; + List list = new ArrayList(); + list.add("method"); + assertEquals(Vars.convert("test", list), "test"); + } + + @Test + public void test() { + StringBuilder holder = new StringBuilder(); + String str,bstr; + assertEquals(str = "set %1 to %2",Vars.convert(holder,str, "a","b")); + assertEquals("set a to b",holder.toString()); + assertEquals(str,Vars.convert(null,str, "a","b")); + holder.setLength(0); + assertEquals(str,Vars.convert(holder,bstr="set %s to %s", "a","b")); + assertEquals("set a to b",holder.toString()); + assertEquals(str,Vars.convert(null,bstr, "a","b")); + + holder.setLength(0); + assertEquals(str = "%1=%2",Vars.convert(holder,str, "a","b")); + assertEquals("a=b",holder.toString()); + assertEquals(str,Vars.convert(null,str, "a","b")); + holder.setLength(0); + assertEquals(str,Vars.convert(holder,bstr="%s=%s", "a","b")); + assertEquals("a=b",holder.toString()); + assertEquals(str,Vars.convert(null,bstr, "a","b")); + + holder.setLength(0); + assertEquals(str = "%1%2",Vars.convert(holder,str, "a","b")); + assertEquals("ab",holder.toString()); + assertEquals(str ,Vars.convert(null,str, "a","b")); + holder.setLength(0); + assertEquals(str,Vars.convert(holder,bstr="%s%s", "a","b")); + assertEquals("ab",holder.toString()); + assertEquals(str ,Vars.convert(null,bstr, "a","b")); + + + holder.setLength(0); + assertEquals(str = " %1=%2 ",Vars.convert(holder,str, "a","b")); + assertEquals(" a=b ",holder.toString()); + assertEquals(str ,Vars.convert(null,str, "a","b")); + holder.setLength(0); + assertEquals(str,Vars.convert(holder,bstr = " %s=%s ", "a","b")); + assertEquals(" a=b ",holder.toString()); + assertEquals(str ,Vars.convert(null,bstr, "a","b")); + + holder.setLength(0); + assertEquals(str = " %1%2%10 ",Vars.convert(holder,str, "a","b","c","d","e","f","g","h","i","j")); + assertEquals(" abj ",holder.toString()); + assertEquals(str,Vars.convert(null,str, "a","b","c","d","e","f","g","h","i","j")); + holder.setLength(0); + assertEquals(str=" %1%2%3 ",Vars.convert(holder,bstr = " %s%s%s ", "a","b","c","d","e","f","g","h","i","j")); + assertEquals(" abc ",holder.toString()); + assertEquals(str,Vars.convert(null,bstr, "a","b","c","d","e","f","g","h","i","j")); + + + holder.setLength(0); + assertEquals(str = "set %1 to %2",Vars.convert(holder,str, "Something much","larger")); + assertEquals("set Something much to larger",holder.toString()); + assertEquals(str,Vars.convert(null,str,"Something much","larger")); + holder.setLength(0); + assertEquals(str,Vars.convert(holder,bstr="set %s to %s", "Something much","larger")); + assertEquals("set Something much to larger",holder.toString()); + assertEquals(str,Vars.convert(null,bstr, "Something much","larger")); + + holder.setLength(0); + assertEquals(str = "Text without Vars",Vars.convert(holder,str)); + assertEquals(str,holder.toString()); + assertEquals(str = "Text without Vars",Vars.convert(null,str)); + + + holder.setLength(0); + assertEquals(str = "Not %1 Enough %2 Vars %3",Vars.convert(holder,str, "a","b")); + assertEquals("Not a Enough b Vars ",holder.toString()); + assertEquals(str ,Vars.convert(null,str, "a","b")); + holder.setLength(0); + assertEquals(str,Vars.convert(holder,bstr="Not %s Enough %s Vars %s", "a","b")); + assertEquals("Not a Enough b Vars ",holder.toString()); + assertEquals(str ,Vars.convert(null,bstr, "a","b")); + + holder.setLength(0); + assertEquals(str = "!@#$%^*()-+?/,:;.",Vars.convert(holder,str, "a","b")); + assertEquals(str,holder.toString()); + assertEquals(str ,Vars.convert(null,str, "a","b")); + + holder.setLength(0); + bstr = "%s !@#$%^*()-+?/,:;."; + str = "%1 !@#$%^*()-+?/,:;."; + assertEquals(str,Vars.convert(holder,bstr, "Not Acceptable")); + assertEquals("Not Acceptable !@#$%^*()-+?/,:;.",holder.toString()); + assertEquals(str ,Vars.convert(null,bstr, "Not Acceptable")); + } + +} diff --git a/cadi/core/src/test/java/org/onap/aaf/cadi/test/wsse/JU_WSSE_Read.java b/cadi/core/src/test/java/org/onap/aaf/cadi/test/wsse/JU_WSSE_Read.java new file mode 100644 index 00000000..26dd43b1 --- /dev/null +++ b/cadi/core/src/test/java/org/onap/aaf/cadi/test/wsse/JU_WSSE_Read.java @@ -0,0 +1,189 @@ +/******************************************************************************* + * ============LICENSE_START==================================================== + * * org.onap.aaf + * * =========================================================================== + * * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * * =========================================================================== + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * ============LICENSE_END==================================================== + * * + * * + ******************************************************************************/ +package org.onap.aaf.cadi.test.wsse; + +import static junit.framework.Assert.assertEquals; +import static junit.framework.Assert.assertNotNull; +import static junit.framework.Assert.assertNull; + +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.FileInputStream; + +import javax.xml.stream.XMLStreamException; + +import org.junit.Test; +import org.onap.aaf.cadi.BasicCred; +import org.onap.aaf.cadi.BufferedServletInputStream; +import org.onap.aaf.cadi.wsse.WSSEParser; + +public class JU_WSSE_Read { + +// @Test +// public void test() { +// try { +// final BasicCred bc = new BasicCred() { + +// private String user; +// private byte[] password; + +// public void setUser(String user) { +// this.user = user; +// } + +// public void setCred(byte[] passwd) { +// this.password = passwd; +// } + +// public String getUser() { +// return user; +// } + +// public byte[] getCred() { +// return password; +// } +// }; + +// WSSEParser wp = new WSSEParser(); + +// FileInputStream fis; +// fis = new FileInputStream("test/example.xml"); +// BufferedServletInputStream is = new BufferedServletInputStream(fis); +// try { +// is.mark(1536); +// try { +// assertNull(wp.parse(bc, is)); +// } finally { +// is.reset(); +// assertEquals(814,is.buffered()); +// } +// String password = new String(bc.getCred()); +// System.out.println("CadiWrap credentials are: " + bc.getUser() + ", " + password); +// assertEquals("some_user", bc.getUser()); +// assertEquals("some_password", password); + +// } finally { +// fis.close(); +// } + +// // CBUS (larger) +// fis = new FileInputStream("test/CBUSevent.xml"); +// is = new BufferedServletInputStream(fis); +// try { +// is.mark(1536); +// try { +// assertNull(wp.parse(bc, is)); +// } finally { +// is.reset(); +// assertEquals(667,is.buffered()); +// } +// String password = new String(bc.getCred()); +// System.out.println("CadiWrap credentials are: " + bc.getUser() + ", " + password); +// assertEquals("none", bc.getUser()); +// assertEquals("none", password); + +// } finally { +// fis.close(); +// } + +// // Closed Stream +// fis = new FileInputStream("test/example.xml"); +// fis.close(); +// bc.setCred(null); +// bc.setUser(null); +// XMLStreamException ex = wp.parse(bc, fis); +// assertNotNull(ex); +// assertNull(bc.getUser()); +// assertNull(bc.getCred()); + + +// fis = new FileInputStream("test/exampleNoSecurity.xml"); +// try { +// bc.setCred(null); +// bc.setUser(null); +// assertNull(wp.parse(bc, fis)); +// assertNull(bc.getUser()); +// assertNull(bc.getCred()); +// } finally { +// fis.close(); +// } + +// fis = new FileInputStream("test/exampleBad1.xml"); +// try { +// bc.setCred(null); +// bc.setUser(null); +// assertNull(wp.parse(bc, fis)); +// assertNull(bc.getUser()); +// assertNull(bc.getCred()); +// } finally { +// fis.close(); +// } + +// XMLStreamException e = wp.parse(bc, new ByteArrayInputStream("Not XML".getBytes())); // empty +// assertNotNull(e); + +// e = wp.parse(bc, new ByteArrayInputStream("".getBytes())); // empty +// assertNotNull(e); + + +// long start, count = 0L; +// int iter = 30000; +// File f = new File("test/CBUSevent.xml"); +// fis = new FileInputStream(f); +// is = new BufferedServletInputStream(fis); +// is.mark(0); +// try { +// while(is.read()>=0); +// } finally { +// fis.close(); +// } + +// for(int i=0;i + + app + + jar + + false + + + + + true + runtime + + + + + + target/classes + + + + diff --git a/cadi/core/test/cadi.properties b/cadi/core/test/cadi.properties new file mode 100644 index 00000000..b84509b2 --- /dev/null +++ b/cadi/core/test/cadi.properties @@ -0,0 +1,60 @@ +#------------------------------------------------------------------------------- +# ============LICENSE_START==================================================== +# * org.onap.aaf +# * =========================================================================== +# * Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# * =========================================================================== +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# * ============LICENSE_END==================================================== +# * +#------------------------------------------------------------------------------- +############################################################################### +# Copyright (c) 2016 AT&T Intellectual Property. All rights reserved. +############################################################################### +# This is a normal Java Properties File +# Comments are with Pound Signs at beginning of lines, +# and multi-line expression of properties can be obtained by backslash at end of line + +# Certain machines have several possible machine names, and +# the right one may not be reported. This is especially +# important for CSP Authorization, which will only +# function on official AT&T domains. +hostname=veeger.mo.sbc.com + +port=2533 + +# CSP has Production mode (active users) or DEVL mode (for +# Testing purposes... Bogus users) +#csp_domain=DEVL +csp_domain=PROD + +# Report all AUTHN and AUTHZ activity +loglevel=AUDIT + +# +# BasicAuth and other User/Password support +# +# The realm reported on BasicAuth callbacks +basic_realm=spiderman.agile.att.com +users=ks%xiVUs_25_1jqGdJ24hqy43Gi; +groups=aaf:Jd8bb3jslg88b@spiderman.agile.att.com%7sZCPBZ_8iWbslqdjWFIDLgTZlm9ung0ym-G,\ + jg1555,lg2384,rd8227,tp007s,pe3617; + + +# Keyfile (with relative path) for encryption. This file +# should be marked as ReadOnly by Only the running process +# for security's sake +keyfile=conf/keyfile + +# This is here to force property chaining in tests +cadi_prop_files=test/cadi.properties.duplicate diff --git a/cadi/core/test/cadi.properties.duplicate b/cadi/core/test/cadi.properties.duplicate new file mode 100644 index 00000000..03c04d02 --- /dev/null +++ b/cadi/core/test/cadi.properties.duplicate @@ -0,0 +1,58 @@ +#------------------------------------------------------------------------------- +# ============LICENSE_START==================================================== +# * org.onap.aaf +# * =========================================================================== +# * Copyright � 2017 AT&T Intellectual Property. All rights reserved. +# * =========================================================================== +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# * ============LICENSE_END==================================================== +# * +# * +#------------------------------------------------------------------------------- +############################################################################### +# Copyright (c) 2016 AT&T Intellectual Property. All rights reserved. +############################################################################### +# This is a normal Java Properties File +# Comments are with Pound Signs at beginning of lines, +# and multi-line expression of properties can be obtained by backslash at end of line + +# Certain machines have several possible machine names, and +# the right one may not be reported. This is especially +# important for CSP Authorization, which will only +# function on official AT&T domains. +hostname=veeger.mo.sbc.com + +port=2533 + +# CSP has Production mode (active users) or DEVL mode (for +# Testing purposes... Bogus users) +#csp_domain=DEVL +csp_domain=PROD + +# Report all AUTHN and AUTHZ activity +loglevel=AUDIT + +# +# BasicAuth and other User/Password support +# +# The realm reported on BasicAuth callbacks +basic_realm=spiderman.agile.att.com +users=ks%xiVUs_25_1jqGdJ24hqy43Gi; +groups=aaf:Jd8bb3jslg88b@spiderman.agile.att.com%7sZCPBZ_8iWbslqdjWFIDLgTZlm9ung0ym-G,\ + jg1555,lg2384,rd8227,tp007s,pe3617; + + +# Keyfile (with relative path) for encryption. This file +# should be marked as ReadOnly by Only the running process +# for security's sake +keyfile=conf/keyfile diff --git a/cadi/core/test/keyfile b/cadi/core/test/keyfile new file mode 100644 index 00000000..e84bd616 --- /dev/null +++ b/cadi/core/test/keyfile @@ -0,0 +1,27 @@ +9zgJxUXT1CrzC_A2Z0PdKi3n9l6zmErB26ZlSXCCyloxi3bGqD3lNHC3aFHfgC8-ZwNMuLBM93WY +JV4sEacNodHGjgmAqSVyMHiPTEP4XRrydfjXAvaBIERcU1Yvu4pa4Mq25RXLHt8tIAnToFVbq82n +bjkfdcv2-shgwkEvRiNIdK5TITO8JTvTRWND5MqXc9gnCKkR6Rl5dU5QGIB2SxWOPCvKBBWeUGRO +bSinrjkI-iXabuLOYUaGo6FI_XAU5S9WxvfrDVpBijUAGJW8QZe1oBIo5QmQlx6ONB4ohjEu89ZZ +gTee22MvSNUvaT8IGbj_Zt_TyuCqcdmkVahWp5ffeK2J3bmHActAC2IxXD4yV-sFLB7PW7I8KMA7 +tML3Lcy9ozmYa2E8N8B9uQ0zMHz_TVpPvj5xkVF4_FEKOTD1mkf-JYC1CyzwJS2YWWxO6fqsxIjD +1qB4OJudv4RK6hSxdVrNxc_wchVAGXVD6ulm8UPBGP_wpfItP8BGYwCHlOjUrZofewKB2Aa9Uk9m +oyk309WmPVBeRzZ0vRlXUp8jhKlAPISvv8CBbG-6SuXAszY2qedgd3huYKNreVN-xMZM2hnYbEUW +0sdcqpFqIV039Awfwjn5sZPFW4iT3yWhxib1PwFzwfaXnrwgwbLAda68mRDAWCrsDRu11IiQJqb7 +cjNLYBOGDVhX7jeUyBJUzW-xhl__DsoCZSqP39vFoPtglXHlQNtVqQ8d96mu_QMY5bcuhevI4RQ_ +SD7WcRyAiUztiC4Eb6BYwld0RITdB1-Y43jkZlfA8Ej5Zw8sX_-2J2hKdDPT4KrTYWA5T6wiIJK9 +lxIc39wGHpxQ4kz8gx0VeqRU2hgHVKovuaEvBnwv8JW3qeuowaUmiPi7UuIRwi4pFX5iQv62yrfO +5Z6EXBDVI8Ikq4UTu70vX_bCuXHtvqm97PFh2KXjBHS--iNVQ5GhnDKKv_Fd4naQjCSwTTgtxD4X +ASgLSSETGJ8wAjWHOWUuVT4jUDFIQwunNaH6y2NaDWA0tkO74oYaQIL_-kd9ChGLzGL389v8BV2X +oaw70W9L3-OOtzAz-hACbOtbbMkx2bVMmS8QhjYg-_2bpwSb8NR322pQ9AodFTU4x5HrLoERk2Rw +hRExZP7K-_idMJUGLF9gJFFS01UyBLijyWGyN0teQleXgn6IzZk7dH9roddoe9IacjiV7XfE4i1U +rVNTRKiDdHSX02KGOihs_j-Tf0PYsz0wEeACINA5MafGzc9x2b8yMzBxwPHxRszjL4dymCoLXRI5 +srLsWk2Jwtp9meW8jhkoAi5xUKzLiYIhEohIX3eEEA0O0wuK0fzcMB7IbyTYYazawUKmUXZ94OLu +Fmb-UaAEvU-9U4O3DNfbDN2ELxUHmWaqNqpGl1IV0ZxGrKNZi9Rga9-_vfVGcoVMD7vZOhiZddc9 +WRlom3tQZRx2Sm42baNH8wS34J0KuUYPcjQ-1_GEJxcH0hv6hzSm4is7mUdnyB95g1UohKdQOfaY +tOdHlXbu2zG6SyPaYyQFfQbMPwBn-hx_7bYj9Px-EhYeMpBIP8X98jkd3BlWY4sdWqxsQfAb5pml +cnDRynHag2XxLqttAWSwru_owfeXzmYsPD-PINRu-Csjzlbdhq73amTFN-U8mYA09dlCck2fW8qo +mAXLkVlboVaPuem6WvfSd93ZinsB5Wi5RX6RQxeHeo88cWrJ11Au14J8xFlurcZwdSjO4dsnZj_D +ry0uKWsyNoLogBuDansiNGGO8-1qsyRxVp3zbxOMQmPouN6l0ZfxQdACqX8_4HTD7NMNMnLYjPjC +4YfOUx4pQMdjzno05vuF5zY-UQ3SN7HkmXsF6tVJdt15cmtLFetD5LTbvdRr1eeHWuwD4-aJQx4T +SdOLQ3zHeMnNFsxR_xKsu4AGjcC2-TpGixmA1kJtYBm1WIGoxQ6N4rneEo-82yvKwYst9-DJcV6x +xy1dpJqtx3I7M6DqPVURomeh2czO6UMRPVIQ1ltj4E27_FWFsWC38ZyR4nFimovFLJNCzy2k \ No newline at end of file diff --git a/cadi/oauth-enduser/.gitignore b/cadi/oauth-enduser/.gitignore new file mode 100644 index 00000000..ed10e327 --- /dev/null +++ b/cadi/oauth-enduser/.gitignore @@ -0,0 +1,6 @@ +/target/ +/.DS_Store +/.classpath +/tokens/ +/bin/ +/.project diff --git a/cadi/oauth-enduser/.settings/.gitignore b/cadi/oauth-enduser/.settings/.gitignore new file mode 100644 index 00000000..e2635f07 --- /dev/null +++ b/cadi/oauth-enduser/.settings/.gitignore @@ -0,0 +1,2 @@ +/org.eclipse.jdt.core.prefs +/org.eclipse.m2e.core.prefs diff --git a/cadi/oauth-enduser/cadi.properties b/cadi/oauth-enduser/cadi.properties new file mode 100644 index 00000000..fb497314 --- /dev/null +++ b/cadi/oauth-enduser/cadi.properties @@ -0,0 +1,57 @@ +############################################################ +# Properties for OAuth Example +# Jonathan Gathman +# on 2018-01-30 +# These properties are the BARE essentials for OAuth calling +############################################################ +# aaf_locate is the replacement whenever a URL is set to "AAF_LOCATE_URL" +# at this time, only AAF has this ability. +# +# This is, effectively, the Environment you will use for AAF Location +# TEST ENV +aaf_locate_url=https://aaftest.test.att.com + +# IST ENV +# aaf_locate_url=https://aafist.test.att.com + +# PROD ENV +# aaf_locate_url=https://aaf.it.att.com + +cadi_latitude= + +aaf_url=https://AAF_LOCATE_URL/locate/com.att.aaf.service:2.0 +cadi_keyfile=.jar keygen keyfile. chmod 400 keyfile> + +aaf_id= +aaf_password=enc:.jar digest keyfile> +# aaf_alias= + +# aaf_conn_timeout=6000 +# aaf_timeout=10000 + +# A Sample AAF OAuth Enabled Service +#aaf_oauth2_hello_url=https://AAF_LOCATE_URL/locate/com.att.aaf.hello:2.0/hello +aaf_oauth2_hello_url=http://135.46.170.156:32245/restservices/echo/v1/testCXF/testGet + +# OAuth2 +# AAF OAuth2 Service. +aaf_oauth2_token_url=https://AAF_LOCATE_URL/locate/com.att.aaf.token:2.0/token +aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/locate/com.att.aaf.introspect:2.0/introspect + +#ISAM +aaf_alt_oauth2_domain=isam.att.com +#aaf_alt_oauth2_client_id= +#aaf_alt_oauth2_domain=csp.att.com + +#ISAM TEST +#aaf_alt_oauth2_token_url=https://oauth.stage.elogin.att.com/mga/sps/oauth/oauth20/token +#aaf_alt_oauth2_introspect_url=https://oauthapp.stage.att.com/mga/sps/oauth/oauth20/introspect +#aaf_alt_oauth2_client_secret=enc: + +#ISAM PROD +#aaf_alt_oauth2_token_url=https://oauth.idp.elogin.att.com/mga/sps/oauth/oauth20/token +#aaf_alt_oauth2_introspect_url=https://oa-app.e-access.att.com/mga/sps/oauth/oauth20/introspect +#aaf_alt_oauth2_client_secret=enc: + + diff --git a/cadi/oauth-enduser/pom.xml b/cadi/oauth-enduser/pom.xml new file mode 100644 index 00000000..2423c530 --- /dev/null +++ b/cadi/oauth-enduser/pom.xml @@ -0,0 +1,112 @@ + + + + 4.0.0 + AAF CADI Sample OAuth EndUser + org.onap.aaf.cadi + 1.5.0-SNAPSHOT + aaf-cadi-oauth-enduser + + jar + + + + Jonathan Gathman + jonathan.gathman@att.com + ATT + + Architect + Lead Developer + + + + Gabe Maurer + gabe.maurer@att.com + ATT + + Developer + + + + Ian Howell + ian.howell@att.com + ATT + + Developer + + + + + + + org.onap.aaf.cadi + aaf-cadi-core + 1.5.0-SNAPSHOT + + + org.onap.aaf.cadi + aaf-cadi-aaf + 1.5.0-SNAPSHOT + + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 2.3.2 + + 1.8 + 1.8 + + + + + org.apache.maven.plugins + 2.4 + maven-jar-plugin + + target + + + + maven-assembly-plugin + 2.4 + + + + org.onap.aaf.cadi.enduser.OAuthExample + + + + src/main/assemble/cadi-oauth-enduser-assemble.xml + + + + + + + + diff --git a/cadi/oauth-enduser/src/.gitignore b/cadi/oauth-enduser/src/.gitignore new file mode 100644 index 00000000..9bb88d37 --- /dev/null +++ b/cadi/oauth-enduser/src/.gitignore @@ -0,0 +1 @@ +/.DS_Store diff --git a/cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java b/cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java new file mode 100644 index 00000000..9cb4b4af --- /dev/null +++ b/cadi/oauth-enduser/src/main/java/com/att/cadi/enduser/OAuthExample.java @@ -0,0 +1,233 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ + +package com.att.cadi.enduser; + +import java.io.IOException; +import java.net.ConnectException; +import java.security.GeneralSecurityException; +import java.util.Date; +import java.util.GregorianCalendar; + +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.client.Future; +import org.onap.aaf.cadi.client.Rcli; +import org.onap.aaf.cadi.client.Result; +import org.onap.aaf.cadi.client.Retryable; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.oauth.TimedToken; +import org.onap.aaf.cadi.oauth.TokenClient; +import org.onap.aaf.cadi.oauth.TokenClientFactory; +import org.onap.aaf.cadi.oauth.TzClient; +import org.onap.aaf.cadi.util.FQI; +import org.onap.aaf.misc.env.APIException; +import org.onap.aaf.misc.env.util.Chrono; + +import aafoauth.v2_0.Introspect; +import aafoauth.v2_0.Token; + + +public class OAuthExample { + private static TokenClientFactory tcf; + private static PropAccess access; + + public final static void main(final String args[]) { + // These Objects are expected to be Long-Lived... Construct once + + // Property Access + // This method will allow you to set "cadi_prop_files" (or any other property) on Command line + access = new PropAccess(args); + + // access = PropAccess(); + // Note: This style will load "cadi_prop_files" from VM Args + + // Token aware Client Factory + try { + tcf = TokenClientFactory.instance(access); + } catch (APIException | GeneralSecurityException | IOException | CadiException e1) { + access.log(e1, "Unable to setup OAuth Client Factory, Fail Fast"); + System.exit(1); + } + + + // Obtain Endpoints for OAuth2 from Properties. Expected is "cadi.properties" file, pointed to by "cadi_prop_files" + String tokenServiceURL = access.getProperty(Config.AAF_OAUTH2_TOKEN_URL); + String tokenIntrospectURL = access.getProperty(Config.AAF_OAUTH2_INTROSPECT_URL); + + + // Get Properties + final String endServicesURL = access.getProperty(Config.AAF_OAUTH2_HELLO_URL); + + final int CALL_TIMEOUT = Integer.parseInt(access.getProperty(Config.AAF_CALL_TIMEOUT,Config.AAF_CALL_TIMEOUT_DEF)); + + try { + ////////////////////////////////////////////////////////////////////// + // Scenario 1: + // Get and use an OAuth Client, which understands Token Management + ////////////////////////////////////////////////////////////////////// + // Create a Token Client, that gets its tokens from expected OAuth Server + // In this example, it is AAF, but it can be the Alternate OAuth + + TokenClient tc = tcf.newClient(tokenServiceURL); // can set your own timeout here (url, timeoutMilliseconds) + // Set your Application (MicroService, whatever) Credentials here + // These are how your Application is known, particularly to the OAuth Server. + // If AAF Token server, then its just the same as your other AAF MechID creds + // If it is the Alternate OAUTH, you'll need THOSE credentials. See that tool's Onboarding procedures. + String client_id = access.getProperty(Config.AAF_APPID); + String client_secret = access.getProperty(Config.AAF_APPPASS); + tc.client_creds(client_id, client_secret); + + // If you are working with Credentials the End User, set username/password as appropriate to the OAuth Server + // tc.password(end_user_id, end_user_password); + // IMPORTANT: + // if you are setting client Credentials, you MAY NOT reuse this Client mid-transaction. You CAN reuse after setting + // tc.clearEndUser(); + // You may want to see "Pooled Client" example, using special CADI utility + + // With AAF, the Scopes you put in are the AAF Namespaces you want access to. Your Token will contain the + // AAF Permissions of the Namespaces (you can put in more than one), the user name (or client_id if no user_name), + // is allowed to see. + + // Here's a trick to get the namespace out of a Fully Qualified AAF Identity (your MechID) + String ns = FQI.reverseDomain(client_id); + System.out.printf("\nNote: The AAF Namespace of FQI (Fully Qualified Identity) %s is %s\n\n",client_id, ns); + + // Now, we can get a Token. Note: for "scope", use AAF Namespaces to get AAF Permissions embedded in + // Note: getToken checks if Token is expired, if so, then refreshes before handing back. + Result rtt = tc.getToken(ns,"org.onap.test"); + + // Note: you can clear a Token's Disk/Memory presence by + // 1) removing the Token from the "token/outgoing" directory on the O/S + // 2) programmatically by calling "clearToken" with exact params as "getToken", when it has the same credentials set + // tc.clearToken("org.onap.aaf","org.onap.test"); + + // Result Object can be queried for success + if(rtt.isOK()) { + TimedToken token = rtt.value; + print(token); // Take a look at what's in a Token + + // Use this Token in your client calls with "Tokenized Client" (TzClient) + // These should NOT be used cross thread. + TzClient helloClient = tcf.newTzClient(endServicesURL); + helloClient.setToken(client_id, token); + + // This client call style, "best" call with "Retryable" inner class covers finding an available Service + // (when Multi-services exist) for the best service, based (currently) on distance. + // + // the "Generic" in Type gives a Return Value for the Code, which you can set on the "best" method + // Note that variables used in the inner class from this part of the code must be "final", see "CALL_TIMEOUT" + String rv = helloClient.best(new Retryable() { + @Override + public String code(Rcli client) throws CadiException, ConnectException, APIException { + Future future = client.read(null,"text/plain"); + // The "future" calling method allows you to do other processing, such as call more than one backend + // client before picking up the result + // If "get" matches the HTTP Code for the method (i.e. read HTTP Return value is 200), then + if(future.get(CALL_TIMEOUT)) { + // Client Returned expected value + return future.value; + } else { + throw new APIException(future.code() + future.body()); + } + } + }); + + // You want to do something with returned value. Here, we say "hello" + System.out.printf("\nPositive Response from Hello: %s\n",rv); + + + ////////////////////////////////////////////////////////////////////// + // Scenario 2: + // As a Service, read Introspection information as proof of Authenticated Authorization + ////////////////////////////////////////////////////////////////////// + // CADI Framework (i.e. CadiFilter) works with the Introspection to drive the J2EE interfaces ( + // i.e. if(isUserInRole("ns.perm|instance|action")) {... + // + // Here, however, is a way to introspect via Java + // + // now, call Introspect (making sure right URLs are set in properties) + // We need a Different Introspect TokenClient, because different Endpoint (and usually different Services) + TokenClient tci = tcf.newClient(tokenIntrospectURL); + tci.client_creds(client_id, client_secret); + Result is = tci.introspect(token.getAccessToken()); + if(is.isOK()) { + // Note that AAF will add JSON set of Permissions as part of "Content:", legitimate extension of OAuth Structure + print(is.value); // do something with Introspect Object + } else { + access.printf(Level.ERROR, "Unable to introspect OAuth Token %s: %d %s\n", + token.getAccessToken(),rtt.code,rtt.error); + } + } else { + access.printf(Level.ERROR, "Unable to obtain OAuth Token: %d %s\n",rtt.code,rtt.error); + } + + } catch (CadiException | LocatorException | APIException | IOException e) { + e.printStackTrace(); + } + } + + ///////////////////////////////////////////////////////////// + // Examples of Object Access + ///////////////////////////////////////////////////////////// + private static void print(Token t) { + GregorianCalendar exp_date = new GregorianCalendar(); + exp_date.add(GregorianCalendar.SECOND, t.getExpiresIn()); + System.out.printf("Access Token\n\tToken:\t\t%s\n\tToken Type:\t%s\n\tExpires In:\t%d (%s)\n\tScope:\t\t%s\n\tRefresh Token:\t%s\n", + t.getAccessToken(), + t.getTokenType(), + t.getExpiresIn(), + Chrono.timeStamp(new Date(System.currentTimeMillis()+(t.getExpiresIn()*1000))), + t.getScope(), + t.getRefreshToken()); + } + + private static void print(Introspect ti) { + if(ti==null || ti.getClientId()==null) { + System.out.println("Empty Introspect"); + return; + } + Date exp = new Date(ti.getExp()*1000); // seconds + System.out.printf("Introspect\n" + + "\tAccessToken:\t%s\n" + + "\tClient-id:\t%s\n" + + "\tClient Type:\t%s\n" + + "\tActive: \t%s\n" + + "\tUserName:\t%s\n" + + "\tExpires: \t%d (%s)\n" + + "\tScope:\t\t%s\n" + + "\tContent:\t\t%s\n", + ti.getAccessToken(), + ti.getClientId(), + ti.getClientType(), + ti.isActive()?Boolean.TRUE.toString():Boolean.FALSE.toString(), + ti.getUsername(), + ti.getExp(), + Chrono.timeStamp(exp), + ti.getScope(), + ti.getContent()==null?"":ti.getContent()); + + System.out.println(); + } + +} diff --git a/cadi/pom.xml b/cadi/pom.xml new file mode 100644 index 00000000..7fecc035 --- /dev/null +++ b/cadi/pom.xml @@ -0,0 +1,383 @@ + + + + 4.0.0 + org.onap.aaf.cadi + parent + AAF CADI Parent (Code, Access, Data, Identity) + 1.5.0-SNAPSHOT + 2015-07-20 + + ONAP + + pom + + + true + UTF-8 + 1.3.0-SNAPSHOT + 2.10-SNAPSHOT + 9.3.9.v20160517 + 1.5.1 + + + + + + + + Jonathan Gathman + jonathan.gathman@att.com + ATT + + Architect + Lead Developer + + + + Gabe Maurer + gabe.maurer@att.com + ATT + + Developer + + + + Ian Howell + ian.howell@att.com + ATT + + Developer + + + + + + + + org.mockito + mockito-all + 1.9.5 + test + + + + org.powermock + powermock-module-junit4 + ${powermock.version} + test + + + org.powermock + powermock-api-mockito + ${powermock.version} + test + + + + junit + junit + 4.10 + test + + + + + + + + core + client + aaf + cass + + oauth-enduser + shiro + + + + + + + + + org.onap.aaf.auth + aaf-auth-client + ${project.authClientVersion} + + + + org.onap.aaf.cadi + aaf-cadi-core + ${project.version} + + + + org.onap.aaf.cadi + aaf-cadi-oauth + ${project.version} + + + + + + org.onap.aaf.cadi + aaf-cadi-core + ${project.version} + tests + + + + org.onap.aaf.cadi + aaf-cadi-jetty + ${project.version} + + + + org.onap.aaf.cadi + aaf-cadi-cass + ${project.version} + + + + org.onap.aaf.cadi + aaf-cadi-aaf + ${project.version} + + + + org.onap.aaf.cadi + aaf-cadi-aaf + ${project.version} + full + + + + org.onap.aaf.cadi + aaf-cadi-client + ${project.version} + + + + org.onap.aaf.misc + aaf-misc-env + ${project.miscVersion} + + + + org.onap.aaf.misc + aaf-misc-rosetta + ${project.miscVersion} + + + + org.onap.aaf.misc + aaf-misc-log4j + ${project.miscVersion} + + + + org.eclipse.jetty + jetty-servlet + ${project.jettyVersion} + + + + org.eclipse.jetty + jetty-io + ${project.jettyVersion} + + + + org.eclipse.jetty + jetty-security + ${project.jettyVersion} + + + + org.eclipse.jetty + jetty-http + ${project.jettyVersion} + + + + org.eclipse.jetty + jetty-util + ${project.jettyVersion} + + + + org.eclipse.jetty + jetty-server + ${project.jettyVersion} + + + + javax.servlet + javax.servlet-api + 3.0.1 + + + + org.slf4j + slf4j-api + 1.7.5 + + + + + + + + + src/test/java + + + + + + true + org.apache.maven.plugins + maven-compiler-plugin + 2.3.2 + + 1.7 + 1.7 + + + + + org.apache.maven.plugins + 2.4 + maven-jar-plugin + + target + + + true + + + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.10 + + org.opendaylight.* + + + + + maven-release-plugin + 2.5.2 + + -s ${mvn.settings} deploy + + + + + maven-assembly-plugin + 2.5.5 + + + + org.apache.maven.plugins + maven-deploy-plugin + 2.8.1 + + false + + + + + + org.apache.maven.plugins + maven-dependency-plugin + 2.10 + + + + + maven-surefire-plugin + 2.17 + + true + + + + + + org.eclipse.m2e + lifecycle-mapping + 1.0.0 + + + + + + + org.codehaus.mojo + + + jaxb2-maven-plugin + + + [1.3,) + + + xjc + + + + + + + + + + + + + + + + + + + + + + nexus + attarch-releases + http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-releases + + + nexus + attarch-snapshots + http://mavencentral.it.att.com:8084/nexus/content/repositories/attarch-snapshots + + + diff --git a/cadi/shiro/.gitignore b/cadi/shiro/.gitignore new file mode 100644 index 00000000..cb0cea39 --- /dev/null +++ b/cadi/shiro/.gitignore @@ -0,0 +1,5 @@ +/bin/ +/target/ +/.project +/.classpath +/.settings diff --git a/cadi/shiro/pom.xml b/cadi/shiro/pom.xml new file mode 100644 index 00000000..07ff5ab5 --- /dev/null +++ b/cadi/shiro/pom.xml @@ -0,0 +1,78 @@ + + + + + org.onap.aaf.cadi + parent + 1.5.0-SNAPSHOT + .. + + + 4.0.0 + AAF CADI Shiro Plugin + jar + aaf-cadi-shiro + + + + Jonathan Gathman + jonathan.gathman@att.com + ATT + + Architect + Lead Developer + + + + Gabe Maurer + gabe.maurer@att.com + ATT + + Developer + + + + Ian Howell + ian.howell@att.com + ATT + + Developer + + + + + + + org.onap.aaf.cadi + aaf-cadi-aaf + + + org.apache.shiro + shiro-core + 1.3.2 + + + + + + diff --git a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java new file mode 100644 index 00000000..a1d304bd --- /dev/null +++ b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java @@ -0,0 +1,90 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi.shiro; + +import java.nio.ByteBuffer; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; + +import org.apache.shiro.authc.AuthenticationInfo; +import org.apache.shiro.authc.AuthenticationToken; +import org.apache.shiro.authc.UsernamePasswordToken; +import org.apache.shiro.subject.PrincipalCollection; +import org.onap.aaf.cadi.Access; +import org.onap.aaf.cadi.Hash; +import org.onap.aaf.cadi.Access.Level; + +public class AAFAuthenticationInfo implements AuthenticationInfo { + private static final long serialVersionUID = -1502704556864321020L; + // We assume that Shiro is doing Memory Only, and this salt is not needed cross process + private final static int salt = new SecureRandom().nextInt(); + + private final AAFPrincipalCollection apc; + private final byte[] hash; + private Access access; + + public AAFAuthenticationInfo(Access access, String username, String password) { + this.access = access; + apc = new AAFPrincipalCollection(username); + hash = getSaltedCred(password); + } + @Override + public byte[] getCredentials() { + access.log(Level.DEBUG, "AAFAuthenticationInfo.getCredentials"); + return hash; + } + + @Override + public PrincipalCollection getPrincipals() { + access.log(Level.DEBUG, "AAFAuthenticationInfo.getPrincipals"); + return apc; + } + + public boolean matches(AuthenticationToken atoken) { + if(atoken instanceof UsernamePasswordToken) { + UsernamePasswordToken upt = (UsernamePasswordToken)atoken; + if(apc.getPrimaryPrincipal().getName().equals(upt.getPrincipal())) { + byte[] newhash = getSaltedCred(new String(upt.getPassword())); + if(newhash.length==hash.length) { + for(int i=0;i pond; + private ArrayList sPerms; + private ArrayList oPerms; + + public AAFAuthorizationInfo(Access access, Principal bait, List pond) { + this.access = access; + this.bait = bait; + this.pond = pond; + sPerms=null; + oPerms=null; + } + + public Principal principal() { + return bait; + } + + @Override + public Collection getObjectPermissions() { + access.log(Level.DEBUG, "AAFAuthorizationInfo.getObjectPermissions"); + synchronized(bait) { + if(oPerms == null) { + oPerms = new ArrayList(); + for(final org.onap.aaf.cadi.Permission p : pond) { + oPerms.add(new AAFShiroPermission(p)); + } + } + } + return oPerms; + } + + @Override + public Collection getRoles() { + access.log(Level.DEBUG, "AAFAuthorizationInfo.getRoles"); + // Until we decide to make Roles available, tie into String based permissions. + return getStringPermissions(); + } + + @Override + public Collection getStringPermissions() { + access.log(Level.DEBUG, "AAFAuthorizationInfo.getStringPermissions"); + synchronized(bait) { + if(sPerms == null) { + sPerms = new ArrayList(); + for(org.onap.aaf.cadi.Permission p : pond) { + sPerms.add(p.getKey()); + } + } + } + return sPerms; + } + +} diff --git a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java new file mode 100644 index 00000000..145968de --- /dev/null +++ b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java @@ -0,0 +1,125 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi.shiro; + +import java.security.Principal; +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +import org.apache.shiro.subject.PrincipalCollection; + +public class AAFPrincipalCollection implements PrincipalCollection { + private static final long serialVersionUID = 558246013419818831L; + private static final Set realmSet; + private final Principal principal; + private List list=null; + private Set set=null; + + static { + realmSet = new HashSet(); + realmSet.add(AAFRealm.AAF_REALM); + } + + public AAFPrincipalCollection(Principal p) { + principal = p; + } + + public AAFPrincipalCollection(final String principalName) { + principal = new Principal() { + private final String name = principalName; + @Override + public String getName() { + return name; + } + }; + } + + @Override + public Iterator iterator() { + return null; + } + + @Override + public List asList() { + if(list==null) { + list = new ArrayList(); + } + list.add(principal); + return list; + } + + @Override + public Set asSet() { + if(set==null) { + set = new HashSet(); + } + set.add(principal); + return set; + } + + @SuppressWarnings("unchecked") + @Override + public Collection byType(Class cls) { + Collection coll = new ArrayList(); + if(cls.isAssignableFrom(Principal.class)) { + coll.add((T)principal); + } + return coll; + } + + @Override + public Collection fromRealm(String realm) { + if(AAFRealm.AAF_REALM.equals(realm)) { + return asList(); + } else { + return new ArrayList(); + } + } + + @Override + public Principal getPrimaryPrincipal() { + return principal; + } + + @Override + public Set getRealmNames() { + return realmSet; + } + + @Override + public boolean isEmpty() { + return principal==null; + } + + @SuppressWarnings("unchecked") + @Override + public T oneByType(Class cls) { + if(cls.isAssignableFrom(Principal.class)) { + return (T)principal; + } + return null; + } + +} diff --git a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java new file mode 100644 index 00000000..006547a9 --- /dev/null +++ b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java @@ -0,0 +1,142 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi.shiro; + +import java.io.IOException; +import java.security.Principal; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; + +import org.apache.shiro.authc.AuthenticationException; +import org.apache.shiro.authc.AuthenticationInfo; +import org.apache.shiro.authc.AuthenticationToken; +import org.apache.shiro.authc.UsernamePasswordToken; +import org.apache.shiro.realm.AuthorizingRealm; +import org.apache.shiro.subject.PrincipalCollection; +import org.onap.aaf.cadi.Access.Level; +import org.onap.aaf.cadi.CadiException; +import org.onap.aaf.cadi.LocatorException; +import org.onap.aaf.cadi.Permission; +import org.onap.aaf.cadi.PropAccess; +import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn; +import org.onap.aaf.cadi.aaf.v2_0.AAFCon; +import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.misc.env.APIException; + +public class AAFRealm extends AuthorizingRealm { + public static final String AAF_REALM = "AAFRealm"; + + private PropAccess access; + private AAFCon acon; + private AAFAuthn authn; + private HashSet> supports; + private AAFLurPerm authz; + + + /** + * + * There appears to be no configuration objects or references available for CADI to start with. + * + */ + public AAFRealm () { + access = new PropAccess(); // pick up cadi_prop_files from VM_Args + String cadi_prop_files = access.getProperty(Config.CADI_PROP_FILES); + if(cadi_prop_files==null) { + String msg = Config.CADI_PROP_FILES + " in VM Args is required to initialize AAFRealm."; + access.log(Level.INIT,msg); + throw new RuntimeException(msg); + } else { + try { + acon = AAFCon.newInstance(access); + authn = acon.newAuthn(); + authz = acon.newLur(authn); + } catch (APIException | CadiException | LocatorException e) { + String msg = "Cannot initiate AAFRealm"; + access.log(Level.INIT,msg,e.getMessage()); + throw new RuntimeException(msg,e); + } + } + supports = new HashSet>(); + supports.add(UsernamePasswordToken.class); + } + + @Override + protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { + access.log(Level.DEBUG, "AAFRealm.doGetAuthenticationInfo",token); + + final UsernamePasswordToken upt = (UsernamePasswordToken)token; + String password=new String(upt.getPassword()); + String err; + try { + err = authn.validate(upt.getUsername(),password); + } catch (IOException|CadiException e) { + err = "Credential cannot be validated"; + access.log(e, err); + } + + if(err != null) { + access.log(Level.DEBUG, err); + throw new AuthenticationException(err); + } + + return new AAFAuthenticationInfo( + access, + upt.getUsername(), + password + ); + } + + @Override + protected void assertCredentialsMatch(AuthenticationToken atoken, AuthenticationInfo ai)throws AuthenticationException { + if(ai instanceof AAFAuthenticationInfo) { + if(!((AAFAuthenticationInfo)ai).matches(atoken)) { + throw new AuthenticationException("Credentials do not match"); + } + } else { + throw new AuthenticationException("AuthenticationInfo is not an AAFAuthenticationInfo"); + } + } + + + @Override + protected AAFAuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { + access.log(Level.DEBUG, "AAFRealm.doGetAuthenthorizationInfo"); + Principal bait = (Principal)principals.getPrimaryPrincipal(); + List pond = new ArrayList(); + authz.fishAll(bait,pond); + + return new AAFAuthorizationInfo(access,bait,pond); + + } + + @Override + public boolean supports(AuthenticationToken token) { + return supports.contains(token.getClass()); + } + + @Override + public String getName() { + return AAF_REALM; + } + +} diff --git a/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFShiroPermission.java b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFShiroPermission.java new file mode 100644 index 00000000..a348a045 --- /dev/null +++ b/cadi/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFShiroPermission.java @@ -0,0 +1,45 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi.shiro; + +import org.apache.shiro.authz.Permission; + +public class AAFShiroPermission implements Permission { + private org.onap.aaf.cadi.Permission perm; + public AAFShiroPermission(org.onap.aaf.cadi.Permission perm) { + this.perm = perm; + } + @Override + public boolean implies(Permission sp) { + if(sp instanceof AAFShiroPermission) { + if(perm.match(((AAFShiroPermission)sp).perm)){ + return true; + } + } + return false; + } + + @Override + public String toString() { + return perm.toString(); + } + +} diff --git a/cadi/shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java b/cadi/shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java new file mode 100644 index 00000000..156e54b4 --- /dev/null +++ b/cadi/shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java @@ -0,0 +1,92 @@ +/** + * ============LICENSE_START==================================================== + * org.onap.aaf + * =========================================================================== + * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + * =========================================================================== + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END==================================================== + * + */ +package org.onap.aaf.cadi.shiro.test; + +import java.util.ArrayList; + +import org.apache.shiro.authc.AuthenticationInfo; +import org.apache.shiro.authc.UsernamePasswordToken; +import org.apache.shiro.authz.AuthorizationInfo; +import org.apache.shiro.authz.Permission; +import org.apache.shiro.subject.PrincipalCollection; +import org.junit.Test; +import org.onap.aaf.cadi.aaf.AAFPermission; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.shiro.AAFRealm; +import org.onap.aaf.cadi.shiro.AAFShiroPermission; + +import junit.framework.Assert; + +public class JU_AAFRealm { + + @Test + public void test() { + // NOTE This is a live test. This JUnit needs to be built with "Mock" + try { + System.setProperty(Config.CADI_PROP_FILES, "/opt/app/osaaf/etc/org.osaaf.common.props"); + TestAAFRealm ar = new TestAAFRealm(); + + UsernamePasswordToken upt = new UsernamePasswordToken("jonathan@people.osaaf.org", "new2You!"); + AuthenticationInfo ani = ar.authn(upt); + + AuthorizationInfo azi = ar.authz(ani.getPrincipals()); + // Change this to something YOU have, Sai... + + testAPerm(true,azi,"org.access","something","*"); + testAPerm(false,azi,"org.accessX","something","*"); + } catch (Throwable t) { + t.printStackTrace(); + Assert.fail(); + } + } + + private void testAPerm(boolean expect,AuthorizationInfo azi, String type, String instance, String action) { + + AAFShiroPermission testPerm = new AAFShiroPermission(new AAFPermission(type,instance,action,new ArrayList())); + + boolean any = false; + for(Permission p : azi.getObjectPermissions()) { + if(p.implies(testPerm)) { + any = true; + } + } + if(expect) { + Assert.assertTrue(any); + } else { + Assert.assertFalse(any); + } + + + } + + /** + * Note, have to create a derived class, because "doGet"... are protected + */ + private class TestAAFRealm extends AAFRealm { + public AuthenticationInfo authn(UsernamePasswordToken upt) { + return doGetAuthenticationInfo(upt); + } + public AuthorizationInfo authz(PrincipalCollection pc) { + return doGetAuthorizationInfo(pc); + } + + } +} -- cgit 1.2.3-korg