From 4b5a7d721d994a49057e9bfb403c7bff1b376660 Mon Sep 17 00:00:00 2001 From: Instrumental Date: Fri, 7 Sep 2018 12:21:34 -0500 Subject: Mass removal of all Tabs (Style Warnings) Issue-ID: AAF-473 Change-Id: Iaf0ef8120882937959bb0065f2f6ba74a021940f Signed-off-by: Instrumental --- .../java/org/onap/aaf/auth/oauth/AAF_OAuth.java | 272 ++++++------ .../org/onap/aaf/auth/oauth/DirectOAuthTAF.java | 316 +++++++------- .../main/java/org/onap/aaf/auth/oauth/OACode.java | 28 +- .../java/org/onap/aaf/auth/oauth/OAuth2Filter.java | 42 +- .../onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java | 54 +-- .../org/onap/aaf/auth/oauth/api/API_Token.java | 76 ++-- .../aaf/auth/oauth/facade/DirectIntrospect.java | 2 +- .../auth/oauth/facade/DirectIntrospectImpl.java | 44 +- .../org/onap/aaf/auth/oauth/facade/OAFacade.java | 34 +- .../onap/aaf/auth/oauth/facade/OAFacade1_0.java | 12 +- .../aaf/auth/oauth/facade/OAFacadeFactory.java | 20 +- .../onap/aaf/auth/oauth/facade/OAFacadeImpl.java | 482 ++++++++++----------- .../org/onap/aaf/auth/oauth/mapper/Mapper.java | 24 +- .../org/onap/aaf/auth/oauth/mapper/Mapper1_0.java | 348 +++++++-------- .../aaf/auth/oauth/mapper/MapperIntrospect.java | 2 +- .../aaf/auth/oauth/mapper/MapperIntrospect1_0.java | 78 ++-- .../aaf/auth/oauth/service/JSONPermLoader.java | 2 +- .../auth/oauth/service/JSONPermLoaderFactory.java | 154 +++---- .../onap/aaf/auth/oauth/service/OAuthService.java | 466 ++++++++++---------- .../org/onap/aaf/auth/oauth/service/OCreds.java | 16 +- 20 files changed, 1236 insertions(+), 1236 deletions(-) (limited to 'auth/auth-oauth/src/main') diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/AAF_OAuth.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/AAF_OAuth.java index d73c3be3..3ae80e3c 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/AAF_OAuth.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/AAF_OAuth.java 
@@ -66,140 +66,140 @@ import com.datastax.driver.core.Cluster; import aafoauth.v2_0.Introspect; public class AAF_OAuth extends AbsService { - private static final String DOT_OAUTH = ".oauth"; - public Map cacheUser; - public AAFAuthn aafAuthn; - public AAFLurPerm aafLurPerm; - private final OAuthService service; - private OAFacade1_0 facade1_0; - private final Question question; - private TokenPermLoader tpLoader; - private final Cluster cluster; - - /** - * Construct AuthzAPI with all the Context Supporting Routes that Authz needs - * - * @param env - * @param si - * @param dm - * @param decryptor - * @throws APIException - */ - public AAF_OAuth(final AuthzEnv env) throws Exception { - super(env.access(),env); - - String aaf_env = env.getProperty(Config.AAF_ENV); - if(aaf_env==null) { - throw new APIException("aaf_env needs to be set"); - } - - // Initialize Facade for all uses - AuthzTrans trans = env.newTrans(); - cluster = org.onap.aaf.auth.dao.CassAccess.cluster(env,null); - - aafLurPerm = aafCon().newLur(); - // Note: If you need both Authn and Authz construct the following: - aafAuthn = aafCon().newAuthn(aafLurPerm); - - // Start Background Processing - // Question question = - question = new Question(trans, cluster, CassAccess.KEYSPACE, true); - - // Have AAFLocator object Create DirectLocators for Location needs - AbsAAFLocator.setCreator(new DirectLocatorCreator(env, question.locateDAO)); - - - service = new OAuthService(env.access(),trans,question); - facade1_0 = OAFacadeFactory.v1_0(this, trans, service, TYPE.JSON); - StringBuilder sb = new StringBuilder(); - trans.auditTrail(2, sb); - trans.init().log(sb); - - API_Token.init(this, facade1_0); - } - - /** - * Setup XML and JSON implementations for each supported Version type - * - * We do this by taking the Code passed in and creating clones of these with the appropriate Facades and properties - * to do Versions and Content switches - * - */ - public void route(HttpMethods meth, String path, API api, 
HttpCode> code) throws Exception { - String version = "1.0"; - // Get Correct API Class from Mapper - Class respCls = facade1_0.mapper().getClass(api); - if(respCls==null) throw new Exception("Unknown class associated with " + api.getClass().getName() + ' ' + api.name()); - // setup Application API HTML ContentTypes for JSON and Route - String application = applicationJSON(respCls, version); - if(meth.equals(HttpMethods.POST)) { - route(env,meth,path,code,application,"application/json;version="+version,"application/x-www-form-urlencoded","*/*"); - } else { - route(env,meth,path,code,application,"application/json;version="+version,"*/*"); - } - } - - @Override - public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException { - try { - DirectOAuthTAF doat = new DirectOAuthTAF(env,question,facade1_0); - Object[] atl=new Object[additionalTafLurs.length+2]; - atl[0] = doat; - atl[1] = doat.directUserPass(); - - if(additionalTafLurs.length>0) { - System.arraycopy(additionalTafLurs, 0, atl, 2, additionalTafLurs.length); - } - - return new Filter[] { - new AuthzTransFilter(env,aafCon(), - new AAFTrustChecker((Env)env), - atl - )}; - } catch (NumberFormatException | APIException e) { - throw new CadiException("Invalid Property information", e); - } - } - - @SuppressWarnings("unchecked") - @Override - public Registrant[] registrants(final int port) throws CadiException { - return new Registrant[] { - new DirectRegistrar(access,question.locateDAO,app_name,app_version,port), - new DirectRegistrar(access,question.locateDAO,app_name.replace(DOT_OAUTH, ".token"),app_version,port), - new DirectRegistrar(access,question.locateDAO,app_name.replace(DOT_OAUTH, ".introspect"),app_version,port) - - }; - } - - - @Override - public void destroy() { - Cache.stopTimer(); - if(service!=null) { - service.close(); - } - if(cluster!=null) { - cluster.close(); - } - super.destroy(); - } - - // For use in CADI ONLY - public TokenMgr.TokenPermLoader tpLoader() { - 
return tpLoader; - } - - public static void main(final String[] args) { - try { - Log4JLogIt logIt = new Log4JLogIt(args, "oauth"); - PropAccess propAccess = new PropAccess(logIt,args); - - AAF_OAuth service = new AAF_OAuth(new AuthzEnv(propAccess)); - JettyServiceStarter jss = new JettyServiceStarter(service); - jss.start(); - } catch (Exception e) { - e.printStackTrace(); - } - } + private static final String DOT_OAUTH = ".oauth"; + public Map cacheUser; + public AAFAuthn aafAuthn; + public AAFLurPerm aafLurPerm; + private final OAuthService service; + private OAFacade1_0 facade1_0; + private final Question question; + private TokenPermLoader tpLoader; + private final Cluster cluster; + + /** + * Construct AuthzAPI with all the Context Supporting Routes that Authz needs + * + * @param env + * @param si + * @param dm + * @param decryptor + * @throws APIException + */ + public AAF_OAuth(final AuthzEnv env) throws Exception { + super(env.access(),env); + + String aaf_env = env.getProperty(Config.AAF_ENV); + if(aaf_env==null) { + throw new APIException("aaf_env needs to be set"); + } + + // Initialize Facade for all uses + AuthzTrans trans = env.newTrans(); + cluster = org.onap.aaf.auth.dao.CassAccess.cluster(env,null); + + aafLurPerm = aafCon().newLur(); + // Note: If you need both Authn and Authz construct the following: + aafAuthn = aafCon().newAuthn(aafLurPerm); + + // Start Background Processing + // Question question = + question = new Question(trans, cluster, CassAccess.KEYSPACE, true); + + // Have AAFLocator object Create DirectLocators for Location needs + AbsAAFLocator.setCreator(new DirectLocatorCreator(env, question.locateDAO)); + + + service = new OAuthService(env.access(),trans,question); + facade1_0 = OAFacadeFactory.v1_0(this, trans, service, TYPE.JSON); + StringBuilder sb = new StringBuilder(); + trans.auditTrail(2, sb); + trans.init().log(sb); + + API_Token.init(this, facade1_0); + } + + /** + * Setup XML and JSON implementations for each supported 
Version type + * + * We do this by taking the Code passed in and creating clones of these with the appropriate Facades and properties + * to do Versions and Content switches + * + */ + public void route(HttpMethods meth, String path, API api, HttpCode> code) throws Exception { + String version = "1.0"; + // Get Correct API Class from Mapper + Class respCls = facade1_0.mapper().getClass(api); + if(respCls==null) throw new Exception("Unknown class associated with " + api.getClass().getName() + ' ' + api.name()); + // setup Application API HTML ContentTypes for JSON and Route + String application = applicationJSON(respCls, version); + if(meth.equals(HttpMethods.POST)) { + route(env,meth,path,code,application,"application/json;version="+version,"application/x-www-form-urlencoded","*/*"); + } else { + route(env,meth,path,code,application,"application/json;version="+version,"*/*"); + } + } + + @Override + public Filter[] _filters(Object ... additionalTafLurs) throws CadiException, LocatorException { + try { + DirectOAuthTAF doat = new DirectOAuthTAF(env,question,facade1_0); + Object[] atl=new Object[additionalTafLurs.length+2]; + atl[0] = doat; + atl[1] = doat.directUserPass(); + + if(additionalTafLurs.length>0) { + System.arraycopy(additionalTafLurs, 0, atl, 2, additionalTafLurs.length); + } + + return new Filter[] { + new AuthzTransFilter(env,aafCon(), + new AAFTrustChecker((Env)env), + atl + )}; + } catch (NumberFormatException | APIException e) { + throw new CadiException("Invalid Property information", e); + } + } + + @SuppressWarnings("unchecked") + @Override + public Registrant[] registrants(final int port) throws CadiException { + return new Registrant[] { + new DirectRegistrar(access,question.locateDAO,app_name,app_version,port), + new DirectRegistrar(access,question.locateDAO,app_name.replace(DOT_OAUTH, ".token"),app_version,port), + new DirectRegistrar(access,question.locateDAO,app_name.replace(DOT_OAUTH, ".introspect"),app_version,port) + + }; + } + + + 
@Override + public void destroy() { + Cache.stopTimer(); + if(service!=null) { + service.close(); + } + if(cluster!=null) { + cluster.close(); + } + super.destroy(); + } + + // For use in CADI ONLY + public TokenMgr.TokenPermLoader tpLoader() { + return tpLoader; + } + + public static void main(final String[] args) { + try { + Log4JLogIt logIt = new Log4JLogIt(args, "oauth"); + PropAccess propAccess = new PropAccess(logIt,args); + + AAF_OAuth service = new AAF_OAuth(new AuthzEnv(propAccess)); + JettyServiceStarter jss = new JettyServiceStarter(service); + jss.start(); + } catch (Exception e) { + e.printStackTrace(); + } + } } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java index e602e863..bb882367 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/DirectOAuthTAF.java 
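Review bot: `tpLoader` is declared as `private TokenPermLoader tpLoader;` and returned by `tpLoader()` ("For use in CADI ONLY"), but nothing in this hunk ever assigns it — the constructor, which is fully visible here, sets every other field and leaves this one untouched — so as far as the diff shows the accessor always hands callers `null`. If `DirectOAuthTAF.ServiceTPL` is the intended implementation (it is the only `TokenPermLoader` in this diff), it is not instantiated anywhere in the patch either; either wire it up in the constructor or mark the accessor with a comment such as `// NOTE: never assigned in this build; returns null until a loader is wired in`. Separately, `main` ends a failed startup of the auth service with `e.printStackTrace()` and a normal exit; for a token-issuing service a clear fatal log followed by `System.exit(1)` makes the failure visible to supervisors instead of leaving a process that registered nothing.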
@@ -62,163 +62,163 @@ import org.onap.aaf.misc.env.APIException; import aafoauth.v2_0.Introspect; public class DirectOAuthTAF implements HttpTaf { - private PropAccess access; - private DirectIntrospect oaFacade; - private TokenMgr tkMgr; - private final DirectAAFUserPass directUserPass; - private TokenClient altIntrospectClient; - - public DirectOAuthTAF(AuthzEnv env, Question q, DirectIntrospect facade) throws APIException, CadiException { - access = env.access(); - oaFacade = facade; - tkMgr = TokenMgr.getInstance(access,"dbToken","dbIntrospect"); - String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null); - TokenClientFactory tcf; - if(alt_url!=null) { - try { - tcf = TokenClientFactory.instance(access); - String[] split = Split.split(',', alt_url); - int timeout = split.length>1?Integer.parseInt(split[1]):3000; - altIntrospectClient = tcf.newClient(split[0], timeout); - altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null), - access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null)); - } catch (GeneralSecurityException | IOException | LocatorException e) { - throw new CadiException(e); - } - } - - directUserPass = new DirectAAFUserPass(env,q); - } - - @Override - public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { - String value; - String token; - if((value=req.getHeader("Authorization"))!=null && value.startsWith("Bearer ")) { - token = value.substring(7); - } else { - token = null; - } - - if("application/x-www-form-urlencoded".equals(req.getContentType())) { - Map map = req.getParameterMap(); - String client_id=null,client_secret=null,username=null,password=null; - for(Map.Entry es : map.entrySet()) { - switch(es.getKey()) { - case "client_id": - for(String s : es.getValue()) { - client_id=s; - } - break; - case "client_secret": - for(String s : es.getValue()) { - client_secret=s; - } - break; - case "username": - for(String s : es.getValue()) { - username=s; - } - 
break; - case "password": - for(String s : es.getValue()) { - password=s; - } - break; - case "token": - if(token!=null) { // Defined as both Bearer and Form Encoded - Error - return new OAuth2HttpTafResp(access, null, "Token Info found as both Bearer Token and Form Info", RESP.FAIL, resp, true); - } - for(String s : es.getValue()) { - token=s; - } - break; - // Ignore others - } - } - - if(client_id==null || client_secret==null) { - return new OAuth2HttpTafResp(access, null, "client_id and client_secret required", RESP.TRY_ANOTHER_TAF, resp, false); - } - - if(token==null) { // No Token to work with, use only Client_ID and Client_Secret - AuthzTrans trans = (AuthzTrans)req.getAttribute(TransFilter.TRANS_TAG); - - if(directUserPass.validate(client_id, Type.PASSWORD, client_secret.getBytes(), trans)) { - // Client_ID is valid - if(username==null) { // Validating just the Client_ID - return new OAuth2FormHttpTafResp(access,new OAuth2FormPrincipal(client_id,client_id),"OAuth client_id authenticated",RESP.IS_AUTHENTICATED,resp,false); - } else { - //TODO - Does a clientID need specific Authorization to pair authentication with user name? At the moment, no. - // username is ok. - if(password!=null) { - if(directUserPass.validate(username, Type.PASSWORD, password.getBytes(), trans)) { - return new OAuth2FormHttpTafResp(access,new OAuth2FormPrincipal(client_id, username),"OAuth username authenticated",RESP.IS_AUTHENTICATED,resp,false); - } else { - return new OAuth2HttpTafResp(access,null,"OAuth username " + username + " not authenticated ",RESP.FAIL,resp,true); - } - } else { // no Password - //TODO Check for Trust Permission, which requires looking up Perms? 
- return new OAuth2HttpTafResp(access,null,"OAuth username " + username + " not authenticated ",RESP.FAIL,resp,true); - } - } - } else { - return new OAuth2HttpTafResp(access,null,"OAuth client_id " + client_id + " not authenticated ",RESP.FAIL,resp,true); - } - } - } - - // OK, have only a Token to validate - if(token!=null) { - AuthzTrans trans = (AuthzTrans)req.getAttribute(TransFilter.TRANS_TAG); - - try { - Result ri = oaFacade.mappedIntrospect(trans, token); - if(ri.isOK()) { - TokenPerm tp = tkMgr.putIntrospect(ri.value, Hash.hashSHA256(token.getBytes())); - if(tp==null) { - return new OAuth2HttpTafResp(access, null, "TokenPerm persistence failure", RESP.FAIL, resp, false); - } else { - return new OAuth2HttpTafResp(access,new OAuth2Principal(tp,Hash.hashSHA256(token.getBytes())),"Token Authenticated",RESP.IS_AUTHENTICATED,resp,false); - } - } else { - return new OAuth2HttpTafResp(access, null, ri.errorString(), RESP.FAIL, resp, false); - } - } catch (APIException e) { - trans.error().log(e,"Error getting token"); - return new OAuth2HttpTafResp(access, null, "Error getting token: " + e.getMessage(), RESP.TRY_ANOTHER_TAF, resp, false); - } catch (NoSuchAlgorithmException e) { - return new OAuth2HttpTafResp(access, null, "Error in security algorithm: " + e.getMessage(), RESP.TRY_ANOTHER_TAF, resp, false); - } - } - return new OAuth2HttpTafResp(access, null, "No OAuth2 Credentials in OAuthForm", RESP.TRY_ANOTHER_TAF, resp, false); - } - - @Override - public Resp revalidate(CachedPrincipal prin, Object state) { - // TODO Auto-generated method stub - return null; - } - - class ServiceTPL implements TokenPermLoader { - private final AuthzTrans trans; - public ServiceTPL(AuthzTrans atrans) { - trans = atrans; - } - - @Override - public org.onap.aaf.cadi.client.Result load(String accessToken, byte[] cred) throws APIException, CadiException, LocatorException { - Result ri = oaFacade.mappedIntrospect(trans, accessToken); - if(ri.notOK()) { - //TODO what should the 
status mapping be? - return org.onap.aaf.cadi.client.Result.err(ri.status,ri.errorString()); - } - return org.onap.aaf.cadi.client.Result.ok(200,tkMgr.putIntrospect(ri.value, cred)); - } - } - - public DirectAAFUserPass directUserPass() { - return directUserPass; - } + private PropAccess access; + private DirectIntrospect oaFacade; + private TokenMgr tkMgr; + private final DirectAAFUserPass directUserPass; + private TokenClient altIntrospectClient; + + public DirectOAuthTAF(AuthzEnv env, Question q, DirectIntrospect facade) throws APIException, CadiException { + access = env.access(); + oaFacade = facade; + tkMgr = TokenMgr.getInstance(access,"dbToken","dbIntrospect"); + String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null); + TokenClientFactory tcf; + if(alt_url!=null) { + try { + tcf = TokenClientFactory.instance(access); + String[] split = Split.split(',', alt_url); + int timeout = split.length>1?Integer.parseInt(split[1]):3000; + altIntrospectClient = tcf.newClient(split[0], timeout); + altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null), + access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null)); + } catch (GeneralSecurityException | IOException | LocatorException e) { + throw new CadiException(e); + } + } + + directUserPass = new DirectAAFUserPass(env,q); + } + + @Override + public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) { + String value; + String token; + if((value=req.getHeader("Authorization"))!=null && value.startsWith("Bearer ")) { + token = value.substring(7); + } else { + token = null; + } + + if("application/x-www-form-urlencoded".equals(req.getContentType())) { + Map map = req.getParameterMap(); + String client_id=null,client_secret=null,username=null,password=null; + for(Map.Entry es : map.entrySet()) { + switch(es.getKey()) { + case "client_id": + for(String s : es.getValue()) { + client_id=s; + } + break; + case "client_secret": + for(String s : 
es.getValue()) { + client_secret=s; + } + break; + case "username": + for(String s : es.getValue()) { + username=s; + } + break; + case "password": + for(String s : es.getValue()) { + password=s; + } + break; + case "token": + if(token!=null) { // Defined as both Bearer and Form Encoded - Error + return new OAuth2HttpTafResp(access, null, "Token Info found as both Bearer Token and Form Info", RESP.FAIL, resp, true); + } + for(String s : es.getValue()) { + token=s; + } + break; + // Ignore others + } + } + + if(client_id==null || client_secret==null) { + return new OAuth2HttpTafResp(access, null, "client_id and client_secret required", RESP.TRY_ANOTHER_TAF, resp, false); + } + + if(token==null) { // No Token to work with, use only Client_ID and Client_Secret + AuthzTrans trans = (AuthzTrans)req.getAttribute(TransFilter.TRANS_TAG); + + if(directUserPass.validate(client_id, Type.PASSWORD, client_secret.getBytes(), trans)) { + // Client_ID is valid + if(username==null) { // Validating just the Client_ID + return new OAuth2FormHttpTafResp(access,new OAuth2FormPrincipal(client_id,client_id),"OAuth client_id authenticated",RESP.IS_AUTHENTICATED,resp,false); + } else { + //TODO - Does a clientID need specific Authorization to pair authentication with user name? At the moment, no. + // username is ok. + if(password!=null) { + if(directUserPass.validate(username, Type.PASSWORD, password.getBytes(), trans)) { + return new OAuth2FormHttpTafResp(access,new OAuth2FormPrincipal(client_id, username),"OAuth username authenticated",RESP.IS_AUTHENTICATED,resp,false); + } else { + return new OAuth2HttpTafResp(access,null,"OAuth username " + username + " not authenticated ",RESP.FAIL,resp,true); + } + } else { // no Password + //TODO Check for Trust Permission, which requires looking up Perms? 
+ return new OAuth2HttpTafResp(access,null,"OAuth username " + username + " not authenticated ",RESP.FAIL,resp,true); + } + } + } else { + return new OAuth2HttpTafResp(access,null,"OAuth client_id " + client_id + " not authenticated ",RESP.FAIL,resp,true); + } + } + } + + // OK, have only a Token to validate + if(token!=null) { + AuthzTrans trans = (AuthzTrans)req.getAttribute(TransFilter.TRANS_TAG); + + try { + Result ri = oaFacade.mappedIntrospect(trans, token); + if(ri.isOK()) { + TokenPerm tp = tkMgr.putIntrospect(ri.value, Hash.hashSHA256(token.getBytes())); + if(tp==null) { + return new OAuth2HttpTafResp(access, null, "TokenPerm persistence failure", RESP.FAIL, resp, false); + } else { + return new OAuth2HttpTafResp(access,new OAuth2Principal(tp,Hash.hashSHA256(token.getBytes())),"Token Authenticated",RESP.IS_AUTHENTICATED,resp,false); + } + } else { + return new OAuth2HttpTafResp(access, null, ri.errorString(), RESP.FAIL, resp, false); + } + } catch (APIException e) { + trans.error().log(e,"Error getting token"); + return new OAuth2HttpTafResp(access, null, "Error getting token: " + e.getMessage(), RESP.TRY_ANOTHER_TAF, resp, false); + } catch (NoSuchAlgorithmException e) { + return new OAuth2HttpTafResp(access, null, "Error in security algorithm: " + e.getMessage(), RESP.TRY_ANOTHER_TAF, resp, false); + } + } + return new OAuth2HttpTafResp(access, null, "No OAuth2 Credentials in OAuthForm", RESP.TRY_ANOTHER_TAF, resp, false); + } + + @Override + public Resp revalidate(CachedPrincipal prin, Object state) { + // TODO Auto-generated method stub + return null; + } + + class ServiceTPL implements TokenPermLoader { + private final AuthzTrans trans; + public ServiceTPL(AuthzTrans atrans) { + trans = atrans; + } + + @Override + public org.onap.aaf.cadi.client.Result load(String accessToken, byte[] cred) throws APIException, CadiException, LocatorException { + Result ri = oaFacade.mappedIntrospect(trans, accessToken); + if(ri.notOK()) { + //TODO what should the 
status mapping be? + return org.onap.aaf.cadi.client.Result.err(ri.status,ri.errorString()); + } + return org.onap.aaf.cadi.client.Result.ok(200,tkMgr.putIntrospect(ri.value, cred)); + } + } + + public DirectAAFUserPass directUserPass() { + return directUserPass; + } } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OACode.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OACode.java index f60c689b..a0381c3e 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OACode.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OACode.java @@ -27,19 +27,19 @@ import org.onap.aaf.auth.rserv.HttpCode; import aafoauth.v2_0.Introspect; public abstract class OACode extends HttpCode> implements Cloneable { - public boolean useJSON; + public boolean useJSON; - public OACode(OAFacade facade, String description, boolean useJSON, String ... roles) { - super(facade, description, roles); - this.useJSON = useJSON; - } - - public D clone(OAFacade facade, boolean useJSON) throws Exception { - @SuppressWarnings("unchecked") - D d = (D)clone(); - d.useJSON = useJSON; - d.context = facade; - return d; - } - + public OACode(OAFacade facade, String description, boolean useJSON, String ... roles) { + super(facade, description, roles); + this.useJSON = useJSON; + } + + public D clone(OAFacade facade, boolean useJSON) throws Exception { + @SuppressWarnings("unchecked") + D d = (D)clone(); + d.useJSON = useJSON; + d.context = facade; + return d; + } + } \ No newline at end of file diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2Filter.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2Filter.java index 4442e36f..161f6095 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2Filter.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2Filter.java 
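Review bot: In `validate`, the credential bytes are derived with the platform default charset — `client_secret.getBytes()`, `password.getBytes()` and `token.getBytes()` (the last one twice, once for `putIntrospect` and again for `OAuth2Principal`) — so a non-ASCII secret is encoded differently depending on the JVM's `file.encoding`, and if `DirectAAFUserPass` compares against material hashed elsewhere the check would presumably pass on one host and fail on another; use an explicit charset, e.g. `directUserPass.validate(client_id, Type.PASSWORD, client_secret.getBytes(StandardCharsets.UTF_8), trans)`, and compute `byte[] tokenHash = Hash.hashSHA256(token.getBytes(StandardCharsets.UTF_8));` once (this needs `java.nio.charset.StandardCharsets` imported, which is outside the hunk). The constructor builds `altIntrospectClient` with `AAF_ALT_CLIENT_ID`/`AAF_ALT_CLIENT_SECRET` when `AAF_ALT_OAUTH2_INTROSPECT_URL` is set, but `validate` never references it, so as far as this hunk shows the alternate introspection endpoint is configured and then ignored. `revalidate` still returns `null` behind a `// TODO Auto-generated method stub`; whether CADI treats a null `Resp` as "still valid" or "re-authenticate" is not visible here, and a one-line comment stating the intended outcome would keep a null from being read as success by accident. The failure descriptions echo caller-supplied `username`/`client_id` strings back verbatim; fine for logs, but confirm `OAuth2HttpTafResp` does not write the description into the HTTP response.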
@@ -37,28 +37,28 @@ import org.onap.aaf.cadi.util.Split; public class OAuth2Filter implements Filter { - @Override - public void init(FilterConfig filterConfig) throws ServletException { - } + @Override + public void init(FilterConfig filterConfig) throws ServletException { + } - @Override - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { - HttpServletRequest hreq = (HttpServletRequest)request; - Principal p = hreq.getUserPrincipal(); - if(request.getContentType().equals("application/x-www-form-urlencoded")) { - - } else if(p instanceof BearerPrincipal) { - for(String authz : Split.splitTrim(';', hreq.getHeader("Authorization"))) { - if(authz.startsWith("Bearer ")) { - ((BearerPrincipal)p).setBearer(authz.substring(7)); - } - } - } - chain.doFilter(request, response); - } + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { + HttpServletRequest hreq = (HttpServletRequest)request; + Principal p = hreq.getUserPrincipal(); + if(request.getContentType().equals("application/x-www-form-urlencoded")) { + + } else if(p instanceof BearerPrincipal) { + for(String authz : Split.splitTrim(';', hreq.getHeader("Authorization"))) { + if(authz.startsWith("Bearer ")) { + ((BearerPrincipal)p).setBearer(authz.substring(7)); + } + } + } + chain.doFilter(request, response); + } - @Override - public void destroy() { - } + @Override + public void destroy() { + } } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java index 6adb4641..f63daf89 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/OAuth2FormHttpTafResp.java 
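Review bot: `doFilter` dereferences `request.getContentType().equals("application/x-www-form-urlencoded")` before any null check, so a request without a Content-Type header (any GET, for instance) throws a NullPointerException inside the filter rather than falling through to the Bearer branch. Reverse the comparison as `DirectOAuthTAF` already does, `if ("application/x-www-form-urlencoded".equals(request.getContentType())) {`, and note that an exact `equals` also rejects `application/x-www-form-urlencoded; charset=UTF-8`, which many clients send — a `startsWith` on the media type would be more robust. The form-encoded branch body is empty; a comment saying why form requests are intentionally skipped here (e.g. `// form credentials are handled by DirectOAuthTAF`) would stop the next reader from treating it as unfinished. The `Authorization` header is split on `;` and each `Bearer ` segment is pushed into `setBearer`, so with several Bearer segments only the last one wins; if that is deliberate it deserves a comment.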
@@ -32,36 +32,36 @@ import org.onap.aaf.cadi.taf.AbsTafResp; import org.onap.aaf.cadi.taf.TafResp; public class OAuth2FormHttpTafResp extends AbsTafResp implements TafResp { - private static final String tafName = DirectOAuthTAF.class.getSimpleName(); - private HttpServletResponse httpResp; - private RESP status; - private final boolean wasFailed; - - public OAuth2FormHttpTafResp(Access access, OAuth2FormPrincipal principal, String desc, RESP status, HttpServletResponse resp, boolean wasFailed) { - super(access,tafName,principal, desc); - httpResp = resp; - this.status = status; - this.wasFailed = wasFailed; - } + private static final String tafName = DirectOAuthTAF.class.getSimpleName(); + private HttpServletResponse httpResp; + private RESP status; + private final boolean wasFailed; + + public OAuth2FormHttpTafResp(Access access, OAuth2FormPrincipal principal, String desc, RESP status, HttpServletResponse resp, boolean wasFailed) { + super(access,tafName,principal, desc); + httpResp = resp; + this.status = status; + this.wasFailed = wasFailed; + } - public OAuth2FormHttpTafResp(Access access, TrustPrincipal principal, String desc, RESP status,HttpServletResponse resp) { - super(access,tafName,principal, desc); - httpResp = resp; - this.status = status; - wasFailed = true; // if Trust Principal added, must be good - } + public OAuth2FormHttpTafResp(Access access, TrustPrincipal principal, String desc, RESP status,HttpServletResponse resp) { + super(access,tafName,principal, desc); + httpResp = resp; + this.status = status; + wasFailed = true; // if Trust Principal added, must be good + } - public RESP authenticate() throws IOException { - httpResp.setStatus(401); // Unauthorized - return RESP.HTTP_REDIRECT_INVOKED; - } + public RESP authenticate() throws IOException { + httpResp.setStatus(401); // Unauthorized + return RESP.HTTP_REDIRECT_INVOKED; + } - public RESP isAuthenticated() { - return status; - } + public RESP isAuthenticated() { + return status; + } - 
public boolean isFailedAttempt() { - return wasFailed; - } + public boolean isFailedAttempt() { + return wasFailed; + } } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/api/API_Token.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/api/API_Token.java index f2836a7b..f795dfd3 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/api/API_Token.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/api/API_Token.java 
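Review bot: The `TrustPrincipal` constructor sets `wasFailed = true;` while its own comment says `// if Trust Principal added, must be good`, and `isFailedAttempt()` returns `wasFailed` unchanged — so a response carrying an accepted trust principal reports itself as a failed attempt. If the CADI caller uses `isFailedAttempt()` for lockout counting or audit logging (not visible in this hunk), trusted callers would be charged with failures; the line should read `wasFailed = false; // a TrustPrincipal is only constructed after successful validation`. Also worth a comment: `authenticate()` unconditionally sets HTTP 401 and returns `RESP.HTTP_REDIRECT_INVOKED` without writing a `WWW-Authenticate` header, so clients get no challenge scheme back.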
@@ -40,43 +40,43 @@ import aafoauth.v2_0.Introspect; * */ public class API_Token { - // Hide Public Constructor - private API_Token() {} - - /** - * Normal Init level APIs - * - * @param authzAPI - * @param facade - * @throws Exception - */ - public static void init(final AAF_OAuth authzAPI, OAFacade facade) throws Exception { - //////// - // Overall APIs - /////// - authzAPI.route(HttpMethods.POST,"/token",API.TOKEN,new OACode(facade,"OAuth Token", true) { - @Override - public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - Result r = context.createBearerToken(trans,req, resp); - if(r.isOK()) { - resp.setStatus(201/*HttpStatus.CREATED_201*/); - } else { - context.error(trans,resp,r); - } - } - }); - - authzAPI.route(HttpMethods.POST,"/introspect",API.INTROSPECT,new OACode(facade,"AAF Token Information", true) { - @Override - public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { - Result r = context.introspect(trans,req, resp); - if(r.isOK()) { - resp.setStatus(200 /*HttpStatus.OK_200*/); - } else { - context.error(trans,resp,r); - } - } - }); + // Hide Public Constructor + private API_Token() {} + + /** + * Normal Init level APIs + * + * @param authzAPI + * @param facade + * @throws Exception + */ + public static void init(final AAF_OAuth authzAPI, OAFacade facade) throws Exception { + //////// + // Overall APIs + /////// + authzAPI.route(HttpMethods.POST,"/token",API.TOKEN,new OACode(facade,"OAuth Token", true) { + @Override + public void handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { + Result r = context.createBearerToken(trans,req, resp); + if(r.isOK()) { + resp.setStatus(201/*HttpStatus.CREATED_201*/); + } else { + context.error(trans,resp,r); + } + } + }); + + authzAPI.route(HttpMethods.POST,"/introspect",API.INTROSPECT,new OACode(facade,"AAF Token Information", true) { + @Override + public void 
handle(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) throws Exception { + Result r = context.introspect(trans,req, resp); + if(r.isOK()) { + resp.setStatus(200 /*HttpStatus.OK_200*/); + } else { + context.error(trans,resp,r); + } + } + }); - } + } } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospect.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospect.java index 91423cef..6aec5feb 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospect.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospect.java @@ -25,5 +25,5 @@ import org.onap.aaf.auth.env.AuthzTrans; import org.onap.aaf.auth.layer.Result; public interface DirectIntrospect { - Result mappedIntrospect(AuthzTrans trans, String token); + Result mappedIntrospect(AuthzTrans trans, String token); } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospectImpl.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospectImpl.java index 91431c34..2935ea3d 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospectImpl.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/DirectIntrospectImpl.java 
@@ -29,29 +29,29 @@ import org.onap.aaf.auth.oauth.mapper.MapperIntrospect; import org.onap.aaf.auth.oauth.service.OAuthService; public class DirectIntrospectImpl extends FacadeImpl implements DirectIntrospect { - protected OAuthService service; - private MapperIntrospect mapper; + protected OAuthService service; + private MapperIntrospect mapper; - public DirectIntrospectImpl(OAuthService service, MapperIntrospect mapper) { - this.service = service; - this.mapper = mapper; - } + public DirectIntrospectImpl(OAuthService service, MapperIntrospect mapper) { + this.service = service; + this.mapper = mapper; + } - /* (non-Javadoc) - * @see org.onap.aaf.auth.oauth.facade.OAFacade#mappedIntrospect(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String) - */ - @Override - public Result mappedIntrospect(AuthzTrans trans, String token) { - Result rti; - Result rs = service.introspect(trans,token); - if(rs.notOK()) { - rti = Result.err(rs); - } else if(rs.isEmpty()) { - rti = Result.err(Result.ERR_NotFound,"No Token %s found",token); - } else { - rti = mapper.introspect(rs); - } - return rti; - } + /* (non-Javadoc) + * @see org.onap.aaf.auth.oauth.facade.OAFacade#mappedIntrospect(org.onap.aaf.auth.env.test.AuthzTrans, java.lang.String) + */ + @Override + public Result mappedIntrospect(AuthzTrans trans, String token) { + Result rti; + Result rs = service.introspect(trans,token); + if(rs.notOK()) { + rti = Result.err(rs); + } else if(rs.isEmpty()) { + rti = Result.err(Result.ERR_NotFound,"No Token %s found",token); + } else { + rti = mapper.introspect(rs); + } + return rti; + } } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade.java index 52ff38b7..c0bb8e7e 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade.java 
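Review bot: `mappedIntrospect` puts the full bearer token into the error text with `Result.err(Result.ERR_NotFound,"No Token %s found",token)`, and the callers in this diff forward that string — `DirectOAuthTAF.validate` passes `ri.errorString()` as the `OAuth2HttpTafResp` description and `ServiceTPL.load` returns it via `Result.err(ri.status, ri.errorString())` — so an unknown or expired token value ends up in logs and possibly in the response description. A token is a credential even after it stops validating (it may simply be one issued by a different AAF instance or not yet replicated); drop it from the message, e.g. `rti = Result.err(Result.ERR_NotFound,"No Token found");`, or log only a short hash prefix at debug level if correlation is needed.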
@@ -37,27 +37,27 @@ import org.onap.aaf.auth.oauth.service.OAuthService; public interface OAFacade { ///////////////////// STANDARD ELEMENTS ////////////////// - /** - * @param trans - * @param response - * @param result - */ - public void error(AuthzTrans trans, HttpServletResponse response, Result result); + /** + * @param trans + * @param response + * @param result + */ + public void error(AuthzTrans trans, HttpServletResponse response, Result result); - /** - * - * @param trans - * @param response - * @param status - */ - public void error(AuthzTrans trans, HttpServletResponse response, int status, String msg, String ... detail); + /** + * + * @param trans + * @param response + * @param status + */ + public void error(AuthzTrans trans, HttpServletResponse response, int status, String msg, String ... detail); - public Result createBearerToken(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); + public Result createBearerToken(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); - public Result introspect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); + public Result introspect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp); - public OAuthService service(); - + public OAuthService service(); + ///////////////////// STANDARD ELEMENTS ////////////////// diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade1_0.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade1_0.java index 204a104a..b0776d94 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade1_0.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacade1_0.java 
@@ -37,11 +37,11 @@ import aafoauth.v2_0.TokenRequest; * */ public class OAFacade1_0 extends OAFacadeImpl { - public OAFacade1_0(AAF_OAuth api, - OAuthService service, - Mapper mapper, - Data.TYPE type) throws APIException { - super(api, service, mapper, type); - } + public OAFacade1_0(AAF_OAuth api, + OAuthService service, + Mapper mapper, + Data.TYPE type) throws APIException { + super(api, service, mapper, type); + } } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeFactory.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeFactory.java index ff586007..11b7217e 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeFactory.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeFactory.java @@ -33,15 +33,15 @@ import aafoauth.v2_0.Introspect; public class OAFacadeFactory { - public static OAFacade1_0 v1_0(AAF_OAuth certman, AuthzTrans trans, OAuthService service, Data.TYPE type) throws APIException { - return new OAFacade1_0( - certman, - service, - new Mapper1_0(), - type); - } + public static OAFacade1_0 v1_0(AAF_OAuth certman, AuthzTrans trans, OAuthService service, Data.TYPE type) throws APIException { + return new OAFacade1_0( + certman, + service, + new Mapper1_0(), + type); + } - public static DirectIntrospect directV1_0(OAuthService service) { - return new DirectIntrospectImpl(service, new MapperIntrospect1_0()); - } + public static DirectIntrospect directV1_0(OAuthService service) { + return new DirectIntrospectImpl(service, new MapperIntrospect1_0()); + } } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeImpl.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeImpl.java index ee35b8bf..cd1d7df1 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeImpl.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/facade/OAFacadeImpl.java 
@@ -69,7 +69,7 @@ import aaf.v2_0.Perms; * 1) Interact with the Service Implementation (which might be supported by various kinds of Backend Storage) * 2) Validate incoming data (if applicable) * 3) Convert the Service response into the right Format, and mark the Content Type - * a) In the future, we may support multiple Response Formats, aka JSON or XML, based on User Request. + * a) In the future, we may support multiple Response Formats, aka JSON or XML, based on User Request. * 4) Log Service info, warnings and exceptions as necessary * 5) When asked by the API layer, this will create and write Error content to the OutputStream * 
@@ -80,254 +80,254 @@ import aaf.v2_0.Perms; * */ public abstract class OAFacadeImpl - extends DirectIntrospectImpl implements OAFacade { - private static final String INVALID_INPUT = "Invalid Input"; - private final RosettaDF tokenDF; - private final RosettaDF tokenReqDF; - private final RosettaDF introspectDF; - private final RosettaDF errDF; - public final RosettaDF permsDF; - private final Mapper mapper; - - public OAFacadeImpl(AAF_OAuth api, - OAuthService service, - Mapper mapper, - Data.TYPE dataType) throws APIException { - super(service, mapper); - this.mapper = mapper; - AuthzEnv env = api.env; - (tokenReqDF = env.newDataFactory(mapper.getClass(API.TOKEN_REQ))).in(dataType).out(dataType); - (tokenDF = env.newDataFactory(mapper.getClass(API.TOKEN))).in(dataType).out(dataType); - (introspectDF = env.newDataFactory(mapper.getClass(API.INTROSPECT))).in(dataType).out(dataType); - (permsDF = env.newDataFactory(Perms.class)).in(dataType).out(dataType); - (errDF = env.newDataFactory(mapper.getClass(API.ERROR))).in(dataType).out(dataType); - } - - /////////////////////////// - // Tokens - /////////////////////////// - public static final String CREATE_TOKEN = "createToken"; - public static final String INTROSPECT = "introspect"; - - /* (non-Javadoc) - * @see org.onap.aaf.auth.oauth.facade.OAFacade#getToken(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, org.onap.aaf.auth.oauth.service.OAuthAPI) - */ - @Override - public Result createBearerToken(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { - TimeTaken tt = trans.start(CREATE_TOKEN, Env.SUB|Env.ALWAYS); - try { - TOKEN_REQ request; - try { - request = mapper.tokenReqFromParams(req); - if(request==null) { - Data rd = tokenReqDF.newData().load(req.getInputStream()); - if(Question.willSpecialLog(trans, trans.user())) { - Question.logEncryptTrace(trans,rd.asString()); - } - request = rd.asObject(); - } - } catch(APIException e) { - 
trans.error().log(INVALID_INPUT,IN,CREATE_TOKEN); - return Result.err(Status.ERR_BadData,INVALID_INPUT); - } + extends DirectIntrospectImpl implements OAFacade { + private static final String INVALID_INPUT = "Invalid Input"; + private final RosettaDF tokenDF; + private final RosettaDF tokenReqDF; + private final RosettaDF introspectDF; + private final RosettaDF errDF; + public final RosettaDF permsDF; + private final Mapper mapper; + + public OAFacadeImpl(AAF_OAuth api, + OAuthService service, + Mapper mapper, + Data.TYPE dataType) throws APIException { + super(service, mapper); + this.mapper = mapper; + AuthzEnv env = api.env; + (tokenReqDF = env.newDataFactory(mapper.getClass(API.TOKEN_REQ))).in(dataType).out(dataType); + (tokenDF = env.newDataFactory(mapper.getClass(API.TOKEN))).in(dataType).out(dataType); + (introspectDF = env.newDataFactory(mapper.getClass(API.INTROSPECT))).in(dataType).out(dataType); + (permsDF = env.newDataFactory(Perms.class)).in(dataType).out(dataType); + (errDF = env.newDataFactory(mapper.getClass(API.ERROR))).in(dataType).out(dataType); + } + + /////////////////////////// + // Tokens + /////////////////////////// + public static final String CREATE_TOKEN = "createToken"; + public static final String INTROSPECT = "introspect"; + + /* (non-Javadoc) + * @see org.onap.aaf.auth.oauth.facade.OAFacade#getToken(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, org.onap.aaf.auth.oauth.service.OAuthAPI) + */ + @Override + public Result createBearerToken(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { + TimeTaken tt = trans.start(CREATE_TOKEN, Env.SUB|Env.ALWAYS); + try { + TOKEN_REQ request; + try { + request = mapper.tokenReqFromParams(req); + if(request==null) { + Data rd = tokenReqDF.newData().load(req.getInputStream()); + if(Question.willSpecialLog(trans, trans.user())) { + Question.logEncryptTrace(trans,rd.asString()); + } + request = rd.asObject(); + } + } catch(APIException e) { + 
trans.error().log(INVALID_INPUT,IN,CREATE_TOKEN); + return Result.err(Status.ERR_BadData,INVALID_INPUT); + } - // Already validated for Oauth2FormPrincipal -// Result rv = service.validate(trans,mapper.credsFromReq(request)); -// if(rv.notOK()) { -// return rv; -// } - Holder hgt = new Holder(GRANT_TYPE.unknown); - Result rs = service.createToken(trans,req,mapper.clientTokenReq(request,hgt),hgt); - Result rp; - if(rs.isOKhasData()) { - rp = mapper.tokenFromData(rs); - } else { - rp = Result.err(rs); - } - switch(rp.status) { - case OK: - RosettaData data = tokenDF.newData(trans).load(rp.value); - if(Question.willSpecialLog(trans, trans.user())) { - Question.logEncryptTrace(trans,data.asString()); - } - data.to(resp.getOutputStream()); - resp.getOutputStream().print('\n'); - setContentType(resp,tokenDF.getOutType()); - return Result.ok(); - default: - return Result.err(rp); - } - } catch (Exception e) { - trans.error().log(e,IN,CREATE_TOKEN); - return Result.err(e); - } finally { - tt.done(); - } + // Already validated for Oauth2FormPrincipal +// Result rv = service.validate(trans,mapper.credsFromReq(request)); +// if(rv.notOK()) { +// return rv; +// } + Holder hgt = new Holder(GRANT_TYPE.unknown); + Result rs = service.createToken(trans,req,mapper.clientTokenReq(request,hgt),hgt); + Result rp; + if(rs.isOKhasData()) { + rp = mapper.tokenFromData(rs); + } else { + rp = Result.err(rs); + } + switch(rp.status) { + case OK: + RosettaData data = tokenDF.newData(trans).load(rp.value); + if(Question.willSpecialLog(trans, trans.user())) { + Question.logEncryptTrace(trans,data.asString()); + } + data.to(resp.getOutputStream()); + resp.getOutputStream().print('\n'); + setContentType(resp,tokenDF.getOutType()); + return Result.ok(); + default: + return Result.err(rp); + } + } catch (Exception e) { + trans.error().log(e,IN,CREATE_TOKEN); + return Result.err(e); + } finally { + tt.done(); + } - } + } /* (non-Javadoc) - * @see 
org.onap.aaf.auth.oauth.facade.OAFacade#Introspect(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) - */ - @Override - public Result introspect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { - TimeTaken tt = trans.start(INTROSPECT, Env.SUB|Env.ALWAYS); - try { - Principal p = req.getUserPrincipal(); - String token=null; - if(p != null) { - if(p instanceof OAuth2Principal) { - RosettaData data = introspectDF.newData(trans).load(mapper.fromPrincipal((OAuth2Principal)p)); - if(Question.willSpecialLog(trans, trans.user())) { - Question.logEncryptTrace(trans,data.asString()); - } - data.to(resp.getOutputStream()); - resp.getOutputStream().print('\n'); - setContentType(resp,tokenDF.getOutType()); - return Result.ok(); - } else if(p instanceof OAuth2FormPrincipal) { - token = req.getParameter("token"); - } - } - - if(token==null) { - token = req.getParameter("access_token"); - if(token==null || token.isEmpty()) { - token = req.getHeader("Authorization"); - if(token != null && token.startsWith("Bearer ")) { - token = token.substring(7); - } else { - token = req.getParameter("token"); - if(token==null) { - return Result.err(Result.ERR_Security,"token is required"); - } - } - } - } + * @see org.onap.aaf.auth.oauth.facade.OAFacade#Introspect(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public Result introspect(AuthzTrans trans, HttpServletRequest req, HttpServletResponse resp) { + TimeTaken tt = trans.start(INTROSPECT, Env.SUB|Env.ALWAYS); + try { + Principal p = req.getUserPrincipal(); + String token=null; + if(p != null) { + if(p instanceof OAuth2Principal) { + RosettaData data = introspectDF.newData(trans).load(mapper.fromPrincipal((OAuth2Principal)p)); + if(Question.willSpecialLog(trans, trans.user())) { + Question.logEncryptTrace(trans,data.asString()); + } + 
data.to(resp.getOutputStream()); + resp.getOutputStream().print('\n'); + setContentType(resp,tokenDF.getOutType()); + return Result.ok(); + } else if(p instanceof OAuth2FormPrincipal) { + token = req.getParameter("token"); + } + } + + if(token==null) { + token = req.getParameter("access_token"); + if(token==null || token.isEmpty()) { + token = req.getHeader("Authorization"); + if(token != null && token.startsWith("Bearer ")) { + token = token.substring(7); + } else { + token = req.getParameter("token"); + if(token==null) { + return Result.err(Result.ERR_Security,"token is required"); + } + } + } + } - Result rti = mappedIntrospect(trans,token); - switch(rti.status) { - case OK: - RosettaData data = introspectDF.newData(trans).load(rti.value); - if(Question.willSpecialLog(trans, trans.user())) { - Question.logEncryptTrace(trans,data.asString()); - } - data.to(resp.getOutputStream()); - resp.getOutputStream().print('\n'); - setContentType(resp,tokenDF.getOutType()); - return Result.ok(); - default: - return Result.err(rti); - } - } catch (Exception e) { - trans.error().log(e,IN,INTROSPECT); - return Result.err(e); - } finally { - tt.done(); - } - } - + Result rti = mappedIntrospect(trans,token); + switch(rti.status) { + case OK: + RosettaData data = introspectDF.newData(trans).load(rti.value); + if(Question.willSpecialLog(trans, trans.user())) { + Question.logEncryptTrace(trans,data.asString()); + } + data.to(resp.getOutputStream()); + resp.getOutputStream().print('\n'); + setContentType(resp,tokenDF.getOutType()); + return Result.ok(); + default: + return Result.err(rti); + } + } catch (Exception e) { + trans.error().log(e,IN,INTROSPECT); + return Result.err(e); + } finally { + tt.done(); + } + } + - /* (non-Javadoc) - * @see com.att.authz.facade.AuthzFacade#error(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, int) - * - * Note: Conforms to AT&T TSS RESTful Error Structure - */ - @Override - public void error(AuthzTrans trans, 
HttpServletResponse response, Result result) { - error(trans, response, result.status, - result.details==null?"":result.details.trim(), - result.variables==null?new String[0]:result.variables); - } - - @Override - public void error(AuthzTrans trans, HttpServletResponse response, int status, final String _msg, final String ... _detail) { - String msgId; - String prefix; - boolean hidemsg=false; - switch(status) { - case 202: - case ERR_ActionNotCompleted: - msgId = "SVC1202"; - prefix = "Accepted, Action not complete"; - response.setStatus(/*httpstatus=*/202); - break; + /* (non-Javadoc) + * @see com.att.authz.facade.AuthzFacade#error(org.onap.aaf.auth.env.test.AuthzTrans, javax.servlet.http.HttpServletResponse, int) + * + * Note: Conforms to AT&T TSS RESTful Error Structure + */ + @Override + public void error(AuthzTrans trans, HttpServletResponse response, Result result) { + error(trans, response, result.status, + result.details==null?"":result.details.trim(), + result.variables==null?new String[0]:result.variables); + } + + @Override + public void error(AuthzTrans trans, HttpServletResponse response, int status, final String _msg, final String ... 
_detail) { + String msgId; + String prefix; + boolean hidemsg=false; + switch(status) { + case 202: + case ERR_ActionNotCompleted: + msgId = "SVC1202"; + prefix = "Accepted, Action not complete"; + response.setStatus(/*httpstatus=*/202); + break; - case 403: - case ERR_Policy: - case ERR_Security: - case ERR_Denied: - msgId = "SVC1403"; - prefix = "Forbidden"; - response.setStatus(/*httpstatus=*/403); - break; - - case 404: - case ERR_NotFound: - msgId = "SVC1404"; - prefix = "Not Found"; - response.setStatus(/*httpstatus=*/404); - break; + case 403: + case ERR_Policy: + case ERR_Security: + case ERR_Denied: + msgId = "SVC1403"; + prefix = "Forbidden"; + response.setStatus(/*httpstatus=*/403); + break; + + case 404: + case ERR_NotFound: + msgId = "SVC1404"; + prefix = "Not Found"; + response.setStatus(/*httpstatus=*/404); + break; - case 406: - case ERR_BadData: - msgId="SVC1406"; - prefix = "Not Acceptable"; - response.setStatus(/*httpstatus=*/406); - break; - - case 409: - case ERR_ConflictAlreadyExists: - msgId = "SVC1409"; - prefix = "Conflict Already Exists"; - response.setStatus(/*httpstatus=*/409); - break; - - case 501: - case ERR_NotImplemented: - msgId = "SVC1501"; - prefix = "Not Implemented"; - response.setStatus(/*httpstatus=*/501); - break; - + case 406: + case ERR_BadData: + msgId="SVC1406"; + prefix = "Not Acceptable"; + response.setStatus(/*httpstatus=*/406); + break; + + case 409: + case ERR_ConflictAlreadyExists: + msgId = "SVC1409"; + prefix = "Conflict Already Exists"; + response.setStatus(/*httpstatus=*/409); + break; + + case 501: + case ERR_NotImplemented: + msgId = "SVC1501"; + prefix = "Not Implemented"; + response.setStatus(/*httpstatus=*/501); + break; + - default: - msgId = "SVC1500"; - prefix = "General Service Error"; - response.setStatus(/*httpstatus=*/500); - hidemsg=true; - break; - } + default: + msgId = "SVC1500"; + prefix = "General Service Error"; + response.setStatus(/*httpstatus=*/500); + hidemsg=true; + break; + } - try { - 
StringBuilder holder = new StringBuilder(); - ERROR em = mapper.errorFromMessage(holder, msgId,prefix + ": " + _msg,_detail); - trans.checkpoint( - "ErrResp [" + - msgId + - "] " + - holder.toString(), - Env.ALWAYS); - if(hidemsg) { - holder.setLength(0); - em = mapper.errorFromMessage(holder, msgId, "Server had an issue processing this request"); - } - errDF.newData(trans).load(em).to(response.getOutputStream()); - - } catch (Exception e) { - trans.error().log(e,"unable to send response for",_msg); - } - } - - public Mapper mapper() { - return mapper; - } - - /* (non-Javadoc) - * @see org.onap.aaf.auth.oauth.facade.OAFacade#service() - */ - @Override - public OAuthService service() { - return service; - } + try { + StringBuilder holder = new StringBuilder(); + ERROR em = mapper.errorFromMessage(holder, msgId,prefix + ": " + _msg,_detail); + trans.checkpoint( + "ErrResp [" + + msgId + + "] " + + holder.toString(), + Env.ALWAYS); + if(hidemsg) { + holder.setLength(0); + em = mapper.errorFromMessage(holder, msgId, "Server had an issue processing this request"); + } + errDF.newData(trans).load(em).to(response.getOutputStream()); + + } catch (Exception e) { + trans.error().log(e,"unable to send response for",_msg); + } + } + + public Mapper mapper() { + return mapper; + } + + /* (non-Javadoc) + * @see org.onap.aaf.auth.oauth.facade.OAFacade#service() + */ + @Override + public OAuthService service() { + return service; + } } \ No newline at end of file diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper.java index 55100e21..8e1c52e6 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper.java 
@@ -31,17 +31,17 @@ import org.onap.aaf.cadi.client.Holder; import org.onap.aaf.cadi.oauth.OAuth2Principal; public interface Mapper extends MapperIntrospect -{ - public enum API{TOKEN_REQ, TOKEN,INTROSPECT, ERROR,VOID}; - - public Class getClass(API api); - public A newInstance(API api); +{ + public enum API{TOKEN_REQ, TOKEN,INTROSPECT, ERROR,VOID}; + + public Class getClass(API api); + public A newInstance(API api); - public ERROR errorFromMessage(StringBuilder holder, String msgID, String text, String... detail); - public TOKEN_REQ tokenReqFromParams(HttpServletRequest req); - public OCreds credsFromReq(TOKEN_REQ tokReq); - - public OAuthTokenDAO.Data clientTokenReq(TOKEN_REQ tokReq, Holder hgt); - public Result tokenFromData(Result rs); - public INTROSPECT fromPrincipal(OAuth2Principal p); + public ERROR errorFromMessage(StringBuilder holder, String msgID, String text, String... detail); + public TOKEN_REQ tokenReqFromParams(HttpServletRequest req); + public OCreds credsFromReq(TOKEN_REQ tokReq); + + public OAuthTokenDAO.Data clientTokenReq(TOKEN_REQ tokReq, Holder hgt); + public Result tokenFromData(Result rs); + public INTROSPECT fromPrincipal(OAuth2Principal p); } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper1_0.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper1_0.java index 688a03ce..4be079e4 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper1_0.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/Mapper1_0.java 
@@ -46,179 +46,179 @@ import aafoauth.v2_0.TokenRequest; public class Mapper1_0 extends MapperIntrospect1_0 implements Mapper { - @Override - public Class getClass(API api) { - switch(api) { - case TOKEN_REQ: return TokenRequest.class; - case TOKEN: return Token.class; - case INTROSPECT: return Introspect.class; - case ERROR: return Error.class; - case VOID: return Void.class; - } - return null; - } - - @SuppressWarnings("unchecked") - @Override - public A newInstance(API api) { - switch(api) { - case TOKEN_REQ: return (A)new TokenRequest(); - case TOKEN: return (A)new Token(); - case INTROSPECT: return (A)new Introspect(); - case ERROR: return (A)new Error(); - case VOID: return null; - } - return null; - } - - ////////////// Mapping Functions ///////////// - @Override - public Error errorFromMessage(StringBuilder holder, String msgID, String text, String... var) { - Error err = new Error(); - err.setMessageId(msgID); - // AT&T Restful Error Format requires numbers "%" placements - err.setText(Vars.convert(holder, text, var)); - for(String s : var) { - err.getVariables().add(s); - } - return err; - } - - @Override - public TokenRequest tokenReqFromParams(HttpServletRequest req) { - TokenRequest tr = new TokenRequest(); - boolean data = false; - Map map = req.getParameterMap(); - for(Entry es : map.entrySet()) { - switch(es.getKey()) { - case "client_id": - if(es.getValue().length==1) { - tr.setClientId(es.getValue()[0]); - data = true; - } - break; - case "client_secret": - if(es.getValue().length==1) { - tr.setClientSecret(es.getValue()[0]); - data = true; - } - break; - case "username": - if(es.getValue().length==1) { - tr.setUsername(es.getValue()[0]); - data = true; - } - break; - case "password": - if(es.getValue().length==1) { - tr.setPassword(es.getValue()[0]); - data = true; - } - break; - case "scope": - if(es.getValue().length==1) { - tr.setScope(es.getValue()[0]); - data = true; - } - break; - case "grant_type": - if(es.getValue().length==1) { - 
tr.setGrantType(es.getValue()[0]); - data = true; - } - break; - case "refresh_token": - if(es.getValue().length==1) { - tr.setRefreshToken(es.getValue()[0]); - data = true; - } - break; - - } - } - return data?tr:null; - } - - - - /* (non-Javadoc) - * @see org.onap.aaf.auth.oauth.mapper.Mapper#credsFromReq(javax.servlet.http.HttpServletRequest) - */ - @Override - public OCreds credsFromReq(TokenRequest tokReq) { - return new OCreds(tokReq.getClientId(),tokReq.getClientSecret(), - tokReq.getUsername(),tokReq.getPassword()); - } - - /* (non-Javadoc) - * @see org.onap.aaf.auth.oauth.mapper.Mapper#tokenReq(java.lang.Object) - */ - @Override - public Data clientTokenReq(TokenRequest tokReq, Holder hgt) { - OAuthTokenDAO.Data tdd = new OAuthTokenDAO.Data(); - tdd.client_id = tokReq.getClientId(); - tdd.user = tokReq.getUsername(); - if(tokReq.getRefreshToken()!=null) { - tdd.refresh=tokReq.getRefreshToken(); - } - - for(GRANT_TYPE ttt : GRANT_TYPE.values()) { - if(ttt.name().equals(tokReq.getGrantType())) { - hgt.set(ttt); - break; - } - } - - switch(hgt.get()) { - case client_credentials: - case password: - case refresh_token: - tdd.type = CLIENT_TYPE.confidential.ordinal(); - break; - default: - tdd.type = CLIENT_TYPE.unknown.ordinal(); - break; - } - String scopes=tokReq.getScope(); - if(scopes!=null) { - Set ss = tdd.scopes(true); - for(String s: Split.split(' ', tokReq.getScope())) { - ss.add(s); - } - } - - tdd.state = tokReq.getState(); - return tdd; - } - - @Override - public Result tokenFromData(Result rd) { - if(rd.notOK()) { - return Result.err(rd); - } - Data d = rd.value; - Token token = new Token(); - if(OAuthService.TOKEN_TYPE.values().length>d.type) { - token.setTokenType(OAuthService.TOKEN_TYPE.values()[d.type].name()); - } else { - token.setTokenType("Invalid"); - } - token.setAccessToken(d.id); - token.setRefreshToken(d.refresh); - token.setExpiresIn((int)(d.exp_sec-(System.currentTimeMillis())/1000)); - token.setScope(getScopes(d.scopes(false))); - 
token.setState(d.state); - return Result.ok(token); - } - - - - /* (non-Javadoc) - * @see org.onap.aaf.auth.oauth.mapper.Mapper#fromPrincipal(org.onap.aaf.cadi.oauth.OAuth2Principal) - */ - @Override - public Introspect fromPrincipal(OAuth2Principal p) { - return p.tokenPerm().getIntrospect(); - } + @Override + public Class getClass(API api) { + switch(api) { + case TOKEN_REQ: return TokenRequest.class; + case TOKEN: return Token.class; + case INTROSPECT: return Introspect.class; + case ERROR: return Error.class; + case VOID: return Void.class; + } + return null; + } + + @SuppressWarnings("unchecked") + @Override + public A newInstance(API api) { + switch(api) { + case TOKEN_REQ: return (A)new TokenRequest(); + case TOKEN: return (A)new Token(); + case INTROSPECT: return (A)new Introspect(); + case ERROR: return (A)new Error(); + case VOID: return null; + } + return null; + } + + ////////////// Mapping Functions ///////////// + @Override + public Error errorFromMessage(StringBuilder holder, String msgID, String text, String... 
var) { + Error err = new Error(); + err.setMessageId(msgID); + // AT&T Restful Error Format requires numbers "%" placements + err.setText(Vars.convert(holder, text, var)); + for(String s : var) { + err.getVariables().add(s); + } + return err; + } + + @Override + public TokenRequest tokenReqFromParams(HttpServletRequest req) { + TokenRequest tr = new TokenRequest(); + boolean data = false; + Map map = req.getParameterMap(); + for(Entry es : map.entrySet()) { + switch(es.getKey()) { + case "client_id": + if(es.getValue().length==1) { + tr.setClientId(es.getValue()[0]); + data = true; + } + break; + case "client_secret": + if(es.getValue().length==1) { + tr.setClientSecret(es.getValue()[0]); + data = true; + } + break; + case "username": + if(es.getValue().length==1) { + tr.setUsername(es.getValue()[0]); + data = true; + } + break; + case "password": + if(es.getValue().length==1) { + tr.setPassword(es.getValue()[0]); + data = true; + } + break; + case "scope": + if(es.getValue().length==1) { + tr.setScope(es.getValue()[0]); + data = true; + } + break; + case "grant_type": + if(es.getValue().length==1) { + tr.setGrantType(es.getValue()[0]); + data = true; + } + break; + case "refresh_token": + if(es.getValue().length==1) { + tr.setRefreshToken(es.getValue()[0]); + data = true; + } + break; + + } + } + return data?tr:null; + } + + + + /* (non-Javadoc) + * @see org.onap.aaf.auth.oauth.mapper.Mapper#credsFromReq(javax.servlet.http.HttpServletRequest) + */ + @Override + public OCreds credsFromReq(TokenRequest tokReq) { + return new OCreds(tokReq.getClientId(),tokReq.getClientSecret(), + tokReq.getUsername(),tokReq.getPassword()); + } + + /* (non-Javadoc) + * @see org.onap.aaf.auth.oauth.mapper.Mapper#tokenReq(java.lang.Object) + */ + @Override + public Data clientTokenReq(TokenRequest tokReq, Holder hgt) { + OAuthTokenDAO.Data tdd = new OAuthTokenDAO.Data(); + tdd.client_id = tokReq.getClientId(); + tdd.user = tokReq.getUsername(); + if(tokReq.getRefreshToken()!=null) { + 
tdd.refresh=tokReq.getRefreshToken(); + } + + for(GRANT_TYPE ttt : GRANT_TYPE.values()) { + if(ttt.name().equals(tokReq.getGrantType())) { + hgt.set(ttt); + break; + } + } + + switch(hgt.get()) { + case client_credentials: + case password: + case refresh_token: + tdd.type = CLIENT_TYPE.confidential.ordinal(); + break; + default: + tdd.type = CLIENT_TYPE.unknown.ordinal(); + break; + } + String scopes=tokReq.getScope(); + if(scopes!=null) { + Set ss = tdd.scopes(true); + for(String s: Split.split(' ', tokReq.getScope())) { + ss.add(s); + } + } + + tdd.state = tokReq.getState(); + return tdd; + } + + @Override + public Result tokenFromData(Result rd) { + if(rd.notOK()) { + return Result.err(rd); + } + Data d = rd.value; + Token token = new Token(); + if(OAuthService.TOKEN_TYPE.values().length>d.type) { + token.setTokenType(OAuthService.TOKEN_TYPE.values()[d.type].name()); + } else { + token.setTokenType("Invalid"); + } + token.setAccessToken(d.id); + token.setRefreshToken(d.refresh); + token.setExpiresIn((int)(d.exp_sec-(System.currentTimeMillis())/1000)); + token.setScope(getScopes(d.scopes(false))); + token.setState(d.state); + return Result.ok(token); + } + + + + /* (non-Javadoc) + * @see org.onap.aaf.auth.oauth.mapper.Mapper#fromPrincipal(org.onap.aaf.cadi.oauth.OAuth2Principal) + */ + @Override + public Introspect fromPrincipal(OAuth2Principal p) { + return p.tokenPerm().getIntrospect(); + } } \ No newline at end of file diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect.java index bf558799..27f40ecf 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect.java 
@@ -25,5 +25,5 @@ import org.onap.aaf.auth.dao.cass.OAuthTokenDAO; import org.onap.aaf.auth.layer.Result; public interface MapperIntrospect { - public Result introspect(Result rs); + public Result introspect(Result rs); } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect1_0.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect1_0.java index 00a94fdf..ac015c81 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect1_0.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/mapper/MapperIntrospect1_0.java 
@@ -31,44 +31,44 @@ import aafoauth.v2_0.Introspect; public class MapperIntrospect1_0 implements MapperIntrospect { - public Result introspect(Result rs) { - if(rs.isOKhasData()) { - Data data = rs.value; - Introspect ti = new Introspect(); - ti.setAccessToken(data.id); - ti.setActive(data.active); - ti.setClientId(data.client_id); - for(CLIENT_TYPE ct : CLIENT_TYPE.values()) { - if(data.type==ct.ordinal()) { - ti.setClientType(ct.name()); - break; - } - } - if(ti.getClientType()==null) { - ti.setClientType(CLIENT_TYPE.unknown.name()); - } - ti.setActive(data.active); - ti.setScope(getScopes(data.scopes(false))); - ti.setContent(data.content); - ti.setUsername(data.user); - ti.setExp(data.exp_sec); // want seconds from Jan 1, 1970 - return Result.ok(ti); - } - return Result.err(rs); - } - - protected static String getScopes(Set scopes) { - StringBuilder sb = new StringBuilder(); - boolean start = true; - for(String s : scopes) { - if(start) { - start = false; - } else { - sb.append(' '); - } - sb.append(s); - } - return sb.toString(); - } + public Result introspect(Result rs) { + if(rs.isOKhasData()) { + Data data = rs.value; + Introspect ti = new Introspect(); + ti.setAccessToken(data.id); + ti.setActive(data.active); + ti.setClientId(data.client_id); + for(CLIENT_TYPE ct : CLIENT_TYPE.values()) { + if(data.type==ct.ordinal()) { + ti.setClientType(ct.name()); + break; + } + } + if(ti.getClientType()==null) { + ti.setClientType(CLIENT_TYPE.unknown.name()); + } + ti.setActive(data.active); + ti.setScope(getScopes(data.scopes(false))); + ti.setContent(data.content); + ti.setUsername(data.user); + ti.setExp(data.exp_sec); // want seconds from Jan 1, 1970 + return Result.ok(ti); + } + return Result.err(rs); + } + + protected static String getScopes(Set scopes) { + StringBuilder sb = new StringBuilder(); + boolean start = true; + for(String s : scopes) { + if(start) { + start = false; + } else { + sb.append(' '); + } + sb.append(s); + } + return sb.toString(); + } } 
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoader.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoader.java index bf04472b..51120870 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoader.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoader.java @@ -29,6 +29,6 @@ import org.onap.aaf.cadi.CadiException; import org.onap.aaf.misc.env.APIException; public interface JSONPermLoader { - public Result loadJSONPerms(AuthzTrans trans, String user, Set scopes) throws APIException, CadiException; + public Result loadJSONPerms(AuthzTrans trans, String user, Set scopes) throws APIException, CadiException; } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoaderFactory.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoaderFactory.java index f4400869..886b06c5 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoaderFactory.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/JSONPermLoaderFactory.java 
@@ -38,82 +38,82 @@ import org.onap.aaf.misc.env.Env; import org.onap.aaf.misc.env.TimeTaken; public class JSONPermLoaderFactory { - /** - * Load JSON Perms from AAF Service (Remotely) - * @param aafcon - * @param timeout - * @return - */ - public static JSONPermLoader remote(final AAFCon aafcon, final int timeout) { - return new JSONPermLoader() { - public Result loadJSONPerms(AuthzTrans trans, String user, Set scopes) throws APIException, CadiException { - Rcli c = aafcon.clientAs(Config.AAF_DEFAULT_VERSION,trans.getUserPrincipal()); - StringBuilder pathinfo = new StringBuilder("/authz/perms/user/"); - pathinfo.append(user); - pathinfo.append("?scopes="); - boolean first = true; - for(String s : scopes) { - if(first) { - first = false; - } else { - pathinfo.append(':'); - } - pathinfo.append(s); - } - TimeTaken tt = trans.start("Call AAF Service", Env.REMOTE); - try { - Future fs = c.read(pathinfo.toString(), "application/Perms+json;charset=utf-8;version=2.0"); - if(fs.get(timeout)) { - return Result.ok(fs.body()); - } else if(fs.code()==404) { - return Result.err(Result.ERR_NotFound,fs.body()); - } else { - return Result.err(Result.ERR_Backend,"Error accessing AAF %s: %s",Integer.toString(fs.code()),fs.body()); - } - } finally { - tt.done(); - } - } - }; - } - public static JSONPermLoader direct(final Question question) { - return new JSONPermLoader() { - public Result loadJSONPerms(AuthzTrans trans, String user, Set scopes) throws APIException, CadiException { - TimeTaken tt = trans.start("Cached DB Perm lookup", Env.SUB); - Result> pd; - try { - pd = question.getPermsByUser(trans, user, false); - } finally { - tt.done(); - } - if(pd.notOK()) { - return Result.err(pd); - } - // Since we know it is - StringBuilder sb = new StringBuilder("{\"perm\":["); - boolean first = true; - for(PermDAO.Data d : pd.value) { - if(scopes.contains(d.ns)) { - if(first) { - first = false; - } else { - sb.append(','); - } - sb.append("{\"ns\":\""); - sb.append(d.ns); - 
sb.append("\",\"type\":\""); - sb.append(d.type); - sb.append("\",\"instance\":\""); - sb.append(d.instance); - sb.append("\",\"action\":\""); - sb.append(d.action); - sb.append("\"}"); - } - } - sb.append("]}"); - return Result.ok(sb.toString()); - } - }; - } + /** + * Load JSON Perms from AAF Service (Remotely) + * @param aafcon + * @param timeout + * @return + */ + public static JSONPermLoader remote(final AAFCon aafcon, final int timeout) { + return new JSONPermLoader() { + public Result loadJSONPerms(AuthzTrans trans, String user, Set scopes) throws APIException, CadiException { + Rcli c = aafcon.clientAs(Config.AAF_DEFAULT_VERSION,trans.getUserPrincipal()); + StringBuilder pathinfo = new StringBuilder("/authz/perms/user/"); + pathinfo.append(user); + pathinfo.append("?scopes="); + boolean first = true; + for(String s : scopes) { + if(first) { + first = false; + } else { + pathinfo.append(':'); + } + pathinfo.append(s); + } + TimeTaken tt = trans.start("Call AAF Service", Env.REMOTE); + try { + Future fs = c.read(pathinfo.toString(), "application/Perms+json;charset=utf-8;version=2.0"); + if(fs.get(timeout)) { + return Result.ok(fs.body()); + } else if(fs.code()==404) { + return Result.err(Result.ERR_NotFound,fs.body()); + } else { + return Result.err(Result.ERR_Backend,"Error accessing AAF %s: %s",Integer.toString(fs.code()),fs.body()); + } + } finally { + tt.done(); + } + } + }; + } + public static JSONPermLoader direct(final Question question) { + return new JSONPermLoader() { + public Result loadJSONPerms(AuthzTrans trans, String user, Set scopes) throws APIException, CadiException { + TimeTaken tt = trans.start("Cached DB Perm lookup", Env.SUB); + Result> pd; + try { + pd = question.getPermsByUser(trans, user, false); + } finally { + tt.done(); + } + if(pd.notOK()) { + return Result.err(pd); + } + // Since we know it is + StringBuilder sb = new StringBuilder("{\"perm\":["); + boolean first = true; + for(PermDAO.Data d : pd.value) { + 
if(scopes.contains(d.ns)) { + if(first) { + first = false; + } else { + sb.append(','); + } + sb.append("{\"ns\":\""); + sb.append(d.ns); + sb.append("\",\"type\":\""); + sb.append(d.type); + sb.append("\",\"instance\":\""); + sb.append(d.instance); + sb.append("\",\"action\":\""); + sb.append(d.action); + sb.append("\"}"); + } + } + sb.append("]}"); + return Result.ok(sb.toString()); + } + }; + } } diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java index 0064e224..1d926a74 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OAuthService.java 
@@ -54,248 +54,248 @@ import org.onap.aaf.misc.env.APIException; import aafoauth.v2_0.Introspect; public class OAuthService { - - private static final int TOK_EXP = 60*60*1000; // 1 hour, millis. + + private static final int TOK_EXP = 60*60*1000; // 1 hour, millis. - public enum TOKEN_TYPE {unknown,bearer,refresh} - public enum GRANT_TYPE {unknown,password,client_credentials,refresh_token}; - public enum CLIENT_TYPE {unknown,confidential}; - - // Additional Expires - private final DAO[] daos; - public final OAuthTokenDAO tokenDAO; - private final DirectAAFUserPass directUserPass; - private final TokenClientFactory tcf; - private TokenClient altIntrospectClient; - private String altDomain; - private final JSONPermLoader permLoader; + public enum TOKEN_TYPE {unknown,bearer,refresh} + public enum GRANT_TYPE {unknown,password,client_credentials,refresh_token}; + public enum CLIENT_TYPE {unknown,confidential}; + + // Additional Expires + private final DAO[] daos; + public final OAuthTokenDAO tokenDAO; + private final DirectAAFUserPass directUserPass; + private final TokenClientFactory tcf; + private TokenClient altIntrospectClient; + private String altDomain; + private final JSONPermLoader permLoader; - // If we add more CAs, may want to parameterize + // If we add more CAs, may want to parameterize - @SuppressWarnings("unchecked") - public OAuthService(final Access access, final AuthzTrans trans, final Question q) throws APIException, IOException { - permLoader = JSONPermLoaderFactory.direct(q); - tokenDAO = new OAuthTokenDAO(trans, q.historyDAO); - daos =(DAO[]) new DAO[] { - tokenDAO - }; - try { - String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null); - if(alt_url!=null) { - tcf = TokenClientFactory.instance(access); - String[] split = Split.split(',', alt_url); - int timeout = split.length>1?Integer.parseInt(split[1]):3000; - altIntrospectClient = tcf.newClient(split[0], timeout); - 
altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null), - access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null)); - altDomain = '@'+access.getProperty(Config.AAF_ALT_OAUTH2_DOMAIN,null); - } else { - tcf = null; - } - directUserPass = new DirectAAFUserPass(trans.env(), q); - } catch (GeneralSecurityException | CadiException | LocatorException e) { - throw new APIException("Could not construct TokenClientFactory",e); - } - - } + @SuppressWarnings("unchecked") + public OAuthService(final Access access, final AuthzTrans trans, final Question q) throws APIException, IOException { + permLoader = JSONPermLoaderFactory.direct(q); + tokenDAO = new OAuthTokenDAO(trans, q.historyDAO); + daos =(DAO[]) new DAO[] { + tokenDAO + }; + try { + String alt_url = access.getProperty(Config.AAF_ALT_OAUTH2_INTROSPECT_URL,null); + if(alt_url!=null) { + tcf = TokenClientFactory.instance(access); + String[] split = Split.split(',', alt_url); + int timeout = split.length>1?Integer.parseInt(split[1]):3000; + altIntrospectClient = tcf.newClient(split[0], timeout); + altIntrospectClient.client_creds(access.getProperty(Config.AAF_ALT_CLIENT_ID,null), + access.getProperty(Config.AAF_ALT_CLIENT_SECRET,null)); + altDomain = '@'+access.getProperty(Config.AAF_ALT_OAUTH2_DOMAIN,null); + } else { + tcf = null; + } + directUserPass = new DirectAAFUserPass(trans.env(), q); + } catch (GeneralSecurityException | CadiException | LocatorException e) { + throw new APIException("Could not construct TokenClientFactory",e); + } + + } - public Result validate(AuthzTrans trans, OCreds creds) { - if(directUserPass.validate(creds.username, Type.PASSWORD, creds.password, trans)) { - return Result.ok(); - } else { - return Result.err(Result.ERR_Security, "Invalid Credential for ",creds.username); - } - } + public Result validate(AuthzTrans trans, OCreds creds) { + if(directUserPass.validate(creds.username, Type.PASSWORD, creds.password, trans)) { + return Result.ok(); + } else { + return 
Result.err(Result.ERR_Security, "Invalid Credential for ",creds.username); + } + } - public Result createToken(AuthzTrans trans, HttpServletRequest req, OAuthTokenDAO.Data odd, Holder hgt) { - switch(hgt.get()) { - case client_credentials: - case password: - return createBearerToken(trans, odd); - case refresh_token: - return refreshBearerToken(trans, odd); - default: - return Result.err(Result.ERR_BadData, "Unknown Grant Type"); - } - } - - private Result createBearerToken(AuthzTrans trans, OAuthTokenDAO.Data odd) { - if(odd.user==null) { - odd.user = trans.user(); - } - odd.id = AAFToken.toToken(UUID.randomUUID()); - odd.refresh = AAFToken.toToken(UUID.randomUUID()); - odd.active = true; - long exp; - odd.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP)); - odd.exp_sec = exp/1000; - odd.req_ip = trans.ip(); - - try { - Result rd = loadToken(trans, odd); - if(rd.notOK()) { - return rd; - } - } catch (APIException | CadiException e) { - return Result.err(e); - } - return tokenDAO.create(trans, odd); - } - - private Result loadToken(AuthzTrans trans, Data odd) throws APIException, CadiException { - Result rs = permLoader.loadJSONPerms(trans,odd.user,odd.scopes(false)); - if(rs.isOK()) { - odd.content = rs.value; - odd.type = TOKEN_TYPE.bearer.ordinal(); - return Result.ok(odd); - } else if(rs.status == Result.ERR_NotFound || rs.status==Status.ERR_UserRoleNotFound) { - odd.type = TOKEN_TYPE.bearer.ordinal(); - return Result.ok(odd); - } else { - return Result.err(Result.ERR_Backend,"Error accessing AAF Info: %s",rs.errorString()); - } - } - - + public Result createToken(AuthzTrans trans, HttpServletRequest req, OAuthTokenDAO.Data odd, Holder hgt) { + switch(hgt.get()) { + case client_credentials: + case password: + return createBearerToken(trans, odd); + case refresh_token: + return refreshBearerToken(trans, odd); + default: + return Result.err(Result.ERR_BadData, "Unknown Grant Type"); + } + } + + private Result createBearerToken(AuthzTrans trans, 
OAuthTokenDAO.Data odd) { + if(odd.user==null) { + odd.user = trans.user(); + } + odd.id = AAFToken.toToken(UUID.randomUUID()); + odd.refresh = AAFToken.toToken(UUID.randomUUID()); + odd.active = true; + long exp; + odd.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP)); + odd.exp_sec = exp/1000; + odd.req_ip = trans.ip(); + + try { + Result rd = loadToken(trans, odd); + if(rd.notOK()) { + return rd; + } + } catch (APIException | CadiException e) { + return Result.err(e); + } + return tokenDAO.create(trans, odd); + } + + private Result loadToken(AuthzTrans trans, Data odd) throws APIException, CadiException { + Result rs = permLoader.loadJSONPerms(trans,odd.user,odd.scopes(false)); + if(rs.isOK()) { + odd.content = rs.value; + odd.type = TOKEN_TYPE.bearer.ordinal(); + return Result.ok(odd); + } else if(rs.status == Result.ERR_NotFound || rs.status==Status.ERR_UserRoleNotFound) { + odd.type = TOKEN_TYPE.bearer.ordinal(); + return Result.ok(odd); + } else { + return Result.err(Result.ERR_Backend,"Error accessing AAF Info: %s",rs.errorString()); + } + } + + - private Result refreshBearerToken(AuthzTrans trans, Data odd) { - Result> rld = tokenDAO.readByUser(trans, trans.user()); - if(rld.notOK()) { - return Result.err(rld); - } - if(rld.isEmpty()) { - return Result.err(Result.ERR_NotFound,"Data not Found for %1 %2",trans.user(),odd.refresh==null?"":odd.refresh.toString()); - } - Data token = null; - for(Data d : rld.value) { - if(d.refresh.equals(odd.refresh)) { - token = d; - boolean scopesNE = false; - Set scopes = odd.scopes(false); - if(scopes.size()>0) { // only check if Scopes listed, RFC 6749, Section 6 - if(scopesNE=!(scopes.size() == d.scopes(false).size())) { - for(String s : odd.scopes(false)) { - if(!d.scopes(false).contains(s)) { - scopesNE=true; - break; - } - } - } - if(scopesNE) { - return Result.err(Result.ERR_BadData,"Requested Scopes do not match existing Token"); - } - } - break; - } - } - - if(token==null) { - 
trans.audit().printf("Duplicate Refresh Token (%s) attempted for %s. Possible Replay Attack",odd.refresh.toString(),trans.user()); - return Result.err(Result.ERR_Security,"Invalid Refresh Token"); - } else { - // Got the Result - Data deleteMe = new Data(); - deleteMe.id = token.id; - token.id = AAFToken.toToken(UUID.randomUUID()); - token.client_id = trans.user(); - token.refresh = AAFToken.toToken(UUID.randomUUID()); - long exp; - token.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP)); - token.exp_sec = exp/1000; - token.req_ip = trans.ip(); - Result rd = tokenDAO.create(trans, token); - if(rd.notOK()) { - return Result.err(rd); - } - Result rv = tokenDAO.delete(trans, deleteMe,false); - if(rv.notOK()) { - trans.error().log("Unable to delete token", token); - } - } - return Result.ok(token); - } + private Result refreshBearerToken(AuthzTrans trans, Data odd) { + Result> rld = tokenDAO.readByUser(trans, trans.user()); + if(rld.notOK()) { + return Result.err(rld); + } + if(rld.isEmpty()) { + return Result.err(Result.ERR_NotFound,"Data not Found for %1 %2",trans.user(),odd.refresh==null?"":odd.refresh.toString()); + } + Data token = null; + for(Data d : rld.value) { + if(d.refresh.equals(odd.refresh)) { + token = d; + boolean scopesNE = false; + Set scopes = odd.scopes(false); + if(scopes.size()>0) { // only check if Scopes listed, RFC 6749, Section 6 + if(scopesNE=!(scopes.size() == d.scopes(false).size())) { + for(String s : odd.scopes(false)) { + if(!d.scopes(false).contains(s)) { + scopesNE=true; + break; + } + } + } + if(scopesNE) { + return Result.err(Result.ERR_BadData,"Requested Scopes do not match existing Token"); + } + } + break; + } + } + + if(token==null) { + trans.audit().printf("Duplicate Refresh Token (%s) attempted for %s. 
Possible Replay Attack",odd.refresh.toString(),trans.user()); + return Result.err(Result.ERR_Security,"Invalid Refresh Token"); + } else { + // Got the Result + Data deleteMe = new Data(); + deleteMe.id = token.id; + token.id = AAFToken.toToken(UUID.randomUUID()); + token.client_id = trans.user(); + token.refresh = AAFToken.toToken(UUID.randomUUID()); + long exp; + token.expires = new Date(exp=(System.currentTimeMillis()+TOK_EXP)); + token.exp_sec = exp/1000; + token.req_ip = trans.ip(); + Result rd = tokenDAO.create(trans, token); + if(rd.notOK()) { + return Result.err(rd); + } + Result rv = tokenDAO.delete(trans, deleteMe,false); + if(rv.notOK()) { + trans.error().log("Unable to delete token", token); + } + } + return Result.ok(token); + } - public Result introspect(AuthzTrans trans, String token) { - Result> rld; - try { - UUID uuid = AAFToken.fromToken(token); - if(uuid==null) { // not an AAF Token - // Attempt to get Alternative Token - if(altIntrospectClient!=null) { - org.onap.aaf.cadi.client.Result rai = altIntrospectClient.introspect(token); - if(rai.isOK()) { - Introspect in = rai.value; - if(in.getExp()==null) { - trans.audit().printf("Alt OAuth sent back inactive, empty token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip()); - } - long expires = in.getExp()*1000; - if(in.isActive() && expires>System.currentTimeMillis()) { - // We have a good Token, modify to be Fully Qualified - String fqid = in.getUsername()+altDomain; - // read contents - rld = tokenDAO.read(trans, token); - if(rld.isOKhasData()) { - Data td = rld.value.get(0); - in.setContent(td.content); - } else { - Data td = new Data(); - td.id = token; - td.client_id = in.getClientId(); - td.user = fqid; - td.active=true; - td.type = TOKEN_TYPE.bearer.ordinal(); - td.expires = new Date(expires); - td.exp_sec = in.getExp(); - Set scopes = td.scopes(true); - if(in.getScope()!=null) { - for(String s : Split.split(' ', in.getScope())) { - scopes.add(s); - } - } - // td.state 
= nothing to add at this point - td.req_ip = trans.ip(); - trans.checkpoint(td.user + ':' + td.client_id + ", " + td.id); - return loadToken(trans, td); - } - } -// System.out.println(rai.value.getClientId()); - } else { - trans.audit().printf("Alt OAuth rejects: requesting_id,%s,access_token=%s,ip=%s,code=%d,error=%s\n",trans.user(),token,trans.ip(),rai.code,rai.error); - } - } else { - trans.audit().printf("Bad Token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip()); - } - return Result.err(Result.ERR_Denied,"Bad Token"); - } else { - return dbIntrospect(trans,token); - } - } catch (CadiException | APIException | LocatorException e) { - return Result.err(e); - } - } + public Result introspect(AuthzTrans trans, String token) { + Result> rld; + try { + UUID uuid = AAFToken.fromToken(token); + if(uuid==null) { // not an AAF Token + // Attempt to get Alternative Token + if(altIntrospectClient!=null) { + org.onap.aaf.cadi.client.Result rai = altIntrospectClient.introspect(token); + if(rai.isOK()) { + Introspect in = rai.value; + if(in.getExp()==null) { + trans.audit().printf("Alt OAuth sent back inactive, empty token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip()); + } + long expires = in.getExp()*1000; + if(in.isActive() && expires>System.currentTimeMillis()) { + // We have a good Token, modify to be Fully Qualified + String fqid = in.getUsername()+altDomain; + // read contents + rld = tokenDAO.read(trans, token); + if(rld.isOKhasData()) { + Data td = rld.value.get(0); + in.setContent(td.content); + } else { + Data td = new Data(); + td.id = token; + td.client_id = in.getClientId(); + td.user = fqid; + td.active=true; + td.type = TOKEN_TYPE.bearer.ordinal(); + td.expires = new Date(expires); + td.exp_sec = in.getExp(); + Set scopes = td.scopes(true); + if(in.getScope()!=null) { + for(String s : Split.split(' ', in.getScope())) { + scopes.add(s); + } + } + // td.state = nothing to add at this point + td.req_ip = 
trans.ip(); + trans.checkpoint(td.user + ':' + td.client_id + ", " + td.id); + return loadToken(trans, td); + } + } +// System.out.println(rai.value.getClientId()); + } else { + trans.audit().printf("Alt OAuth rejects: requesting_id,%s,access_token=%s,ip=%s,code=%d,error=%s\n",trans.user(),token,trans.ip(),rai.code,rai.error); + } + } else { + trans.audit().printf("Bad Token: requesting_id,%s,access_token=%s,ip=%s\n",trans.user(),token,trans.ip()); + } + return Result.err(Result.ERR_Denied,"Bad Token"); + } else { + return dbIntrospect(trans,token); + } + } catch (CadiException | APIException | LocatorException e) { + return Result.err(e); + } + } - public Result dbIntrospect(final AuthzTrans trans, final String token) { - Result> rld = tokenDAO.read(trans, token); - if(rld.notOKorIsEmpty()) { - return Result.err(rld); - } - OAuthTokenDAO.Data odd = rld.value.get(0); - trans.checkpoint(odd.user + ':' + odd.client_id + ", " + odd.id); - if(odd.active) { - if(odd.expires.before(trans.now())) { - return Result.err(Result.ERR_Policy,"Token %1 has expired",token); - } - return Result.ok(rld.value.get(0)); // ok keyed on id/token. - } else { - return Result.err(Result.ERR_Denied,"Token %1 is inactive",token); - } - } + public Result dbIntrospect(final AuthzTrans trans, final String token) { + Result> rld = tokenDAO.read(trans, token); + if(rld.notOKorIsEmpty()) { + return Result.err(rld); + } + OAuthTokenDAO.Data odd = rld.value.get(0); + trans.checkpoint(odd.user + ':' + odd.client_id + ", " + odd.id); + if(odd.active) { + if(odd.expires.before(trans.now())) { + return Result.err(Result.ERR_Policy,"Token %1 has expired",token); + } + return Result.ok(rld.value.get(0)); // ok keyed on id/token. + } else { + return Result.err(Result.ERR_Denied,"Token %1 is inactive",token); + } + } - public void close() { - for(DAO dao : daos) { - dao.close(NullTrans.singleton()); - } - } + public void close() { + for(DAO dao : daos) { + dao.close(NullTrans.singleton()); + } + } } 
diff --git a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OCreds.java b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OCreds.java index becb746a..af15d4c2 100644 --- a/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OCreds.java +++ b/auth/auth-oauth/src/main/java/org/onap/aaf/auth/oauth/service/OCreds.java @@ -22,12 +22,12 @@ package org.onap.aaf.auth.oauth.service; public class OCreds { - public final String client_id, username; - public final byte[] client_secret, password; - public OCreds(String client_id, String client_secret, String username, String password) { - this.client_id = client_id; - this.client_secret = client_secret==null?null:client_secret.getBytes(); - this.username = username; - this.password = password==null?null:password.getBytes(); - } + public final String client_id, username; + public final byte[] client_secret, password; + public OCreds(String client_id, String client_secret, String username, String password) { + this.client_id = client_id; + this.client_secret = client_secret==null?null:client_secret.getBytes(); + this.username = username; + this.password = password==null?null:password.getBytes(); + } } -- cgit 1.2.3-korg